-
Notifications
You must be signed in to change notification settings - Fork 53
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Entities Processing Module #84
Comments
🤯Less than 3 sec exec time for a 5 entities array, that's neet!! |
if(not(empty(item()['properties']?['upnSuffix'])), 'UPN', if(not(empty(item()['properties']?['aadUserId'])), 'AADId', if(not(empty(item()['properties']?['sid'])), 'ObjectSid', if(not(empty(item()['properties']?['ntDomain'])), 'SamAccountName', if(contains(item()['properties']?['accountName'], ',DC='), 'DistinguishedName', 'Unknown'))))) 👍 What about an optional path in the IP side to geo locate the IP :) or even more about the IP? That way, all other modules could leverage the data as opposed as quering additional services or even the TI table on their side. Or is that too much out of scope? Maybe another module that does just that? Geo locate, reputation score and add all that to tags or comments? Well that maybe already exists... It's late I do a lot of free associations... |
I love it, I think the geo location data in particular would be very helpful, it's easy to get and it is truly an enrichment of the entity. The threat intel I think would be best in its own module since we want to make sure those insights flow all the way back to the initial playbook... because if initial playbook -calls-> module -calls-> enrichment then which module would bring the TI back to the initial playbook to make a decision based on the TI? I think we'd still need a TI one to do this. |
one other thing about that if(), at first I did it in a variable inside a loop and then did the switch on the variable value but that resulted in needing to enable concurrency control to 1. So i changed it to put it in the select array before the loop, now 'switch'ing on the property in the array so I could remove the concurrency control and it sped up the execution |
@piaudonn the latest commit to the enrich_entities branch now adds Geo data to the IP entities. This introduces 2 dependencies
There is a limit of 100 queries/hr/account to the API which i think will be sufficient for most cases It also removes the requirement that the host entities have an dnsDomain included... now the entity will succeed and provide the host name regardless. The new return now looks like this:
|
To reduce the risk of hitting the API limit, I added a property to trigger to prompt for the Geo Data enrichment, so for modules that don't need it we can do everything else in the module minus pulling the geo data. |
Ok, one more thing 😄... building on the idea of enriching the IP, I added (c47522c) additional user enrichments (title, department, onPremisesSyncEnabled, etc) Since we're in AAD anyways, might as well get some extra properties. We can add more if needed and may be able to pull enough data that we can remove the need for User.Read.All on the modules that presently require it... not that it's a significant right, just may become redundant. |
Shall we share the vault then (like you suspected earlier) to use the Geo API? I guess we could also store the lookup result into a Storage Account table to avoid looking up the same IP multiple times in a certain amount of time. Or is that adding to much complexity? And what about getting an IsAADAdmin flag or something of the sort to denote a (permanent or not) privileged user? 🐇 🕳 ❓ |
No APi key is needed. We could cache results, would be fairly easy with table storage or similar but I think we can hold off on that for now |
I'll add the admin one for sure |
@piaudonn am i missing something or in the graph is there no way to pull admin roles by user? you have to do it by role? Also, haven't committed yet but I've added the users' managed into the enrichment |
Indeed, in my scripts doing these I first export the list of /roleManagement/directory/roleAssignments?`$filter=roleDefinitionId eq '62e90394-69f5-4237-9190-012177145e10' etc... and check if the user ID is in it. |
/roleManagement/directory/roleAssignments?$filter=principalId%20eq%20'0963f2f3-b647-43fd-b6be-8dd00f39419c'&$expand=roleDefinition Drop all the returned data except displayName?
|
@piaudonn ok, I'm merging the first version into main. additional api permission is required for the roles, it's in the powershell script and readme. I'm sure there's still work to do here but I think it's stable enough to start porting modules over to it. File an issues you see |
Build a shared module to handle entity processing to provide consistent results. This is particularly important for the account entity where UPN and/or Azure AD Id are not always included in the entity, but are needed by much of the automation.
Proposed sample return:
The text was updated successfully, but these errors were encountered: