Azure-Sentinel/Playbooks/Update-VIPUsers-Watchlist-f...
Benjamin Kovacevic 59cb3804e6 Update-VIPUsers-Watchlist-from-AzureAD-Group 2022-03-20 22:49:23 +00:00
..
images Update-VIPUsers-Watchlist-from-AzureAD-Group 2022-03-20 22:49:23 +00:00
VIPUsersTemplate.csv Update-VIPUsers-Watchlist-from-AzureAD-Group 2022-03-20 22:49:23 +00:00
azuredeploy.json Update-VIPUsers-Watchlist-from-AzureAD-Group 2022-03-20 22:49:23 +00:00
readme.md Update-VIPUsers-Watchlist-from-AzureAD-Group 2022-03-20 22:49:23 +00:00

readme.md

Update-VIPUsers-Watchlist-from-AzureAD-Group

author: Benjamin Kovacevic

This playbook will sync members of existing/new Azure AD VIP group to the Microsoft Sentinel VIP Users watchlist. Playbook runs once per day, and if new VIP users are added to the Azure AD group, they will be added to the Microsoft Sentinel VIP Users watchlist with the first playbook run.
In the second part of the playbook, it is checking are all members of Azure Sentinel VIP Users watchlist still members of the Azure AD VIP group. If we detect discrepancies, the user will be deleted from the watchlist.

Full deployment instruction is available on Tech Community blog - https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/update-microsoft-sentinel-vip-users-watchlist-from-azure-ad/ba-p/3100184

Prerequisites

First we need to create the watchlist from the VIP Users template. Since we cannot upload empty template, there must be one user in the CSV file. Best case is to use one of the users from your tenant so that you don't receive any errors.
https://github.com/Azure/Azure-Sentinel/blob/master/Playbooks/Update-VIPUsers-Watchlist-from-AzureAD-Group/VIPUsersTemplate.csv

If we already dont have VIP security group in Azure AD, we need to create one and add members. Please note that only members are synced to VIP watchlist! Once when we have it created, we need to copy Azure AD group Object ID from Overview pane. We will need it in the deployment.

Next step is to create a Service Principal so that we can assign “Log Analytics Reader” RBAC role to the workplace where Microsoft Sentinel is.


Quick Deployment

Deploy to Azure Deploy to Azure Gov

Post-deployment

When you deploy, you will need to make sure system-assigned identity is enabled, and we need to assign Microsoft Sentinel Contributor role (Microsoft Sentinel Reader and Responder roles cannot update the watchlist). To do so, choose Identity blade under Settings of the Logic App.

Now you need either to assign User Administrator role in Azure AD or to grant following API permissions to the managed identity:

Microsoft Graph API Permissions Playbook connection
GET /groups/{id} GroupMember.Read.All,
Group.Read.All,
Directory.Read.All,
Group.ReadWrite.All,
Directory.ReadWrite.All
HTTP - Get Group details
GET /groups/{id}/members GroupMember.Read.All,
Group.Read.All,
GroupMember.ReadWrite.All,
Group.ReadWrite.All,
Directory.Read.All
HTTP - Get VIP Azure AD Group Members
GET /users/{id or userPrincipalName} User.Read.All,
User.ReadWrite.All,
Directory.Read.All,
Directory.ReadWrite.All
HTTP - does user have SID
POST /groups/{id}/checkMemberGroups GroupMember.Read.All,
Group.Read.All,
Directory.Read.All,
Directory.ReadWrite.All
HTTP - check is the Watchlist user still member of Azure AD group

To assign Microsft Graph API permissions, first you will have to connect to Azure AD PowerShell module - https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0#connect-to-your-directory
After login, run the following code replacing the managed identity object ID. You can find the managed identity object ID on the Identity blade under Settings for the Logic App.

$MIGuid = "<Enter your managed identity guid here>"
$MI = Get-AzureADServicePrincipal -ObjectId $MIGuid

$GraphAppId = "00000003-0000-0000-c000-000000000000"
$PermissionName1 = "User.Read.All"
$PermissionName2 = "User.ReadWrite.All"
$PermissionName3 = "GroupMember.ReadWrite.All"
$PermissionName4 = "GroupMember.Read.All"
$PermissionName5 = "Group.Read.All"
$PermissionName6 = "Directory.Read.All"
$PermissionName7 = "Group.ReadWrite.All"
$PermissionName8 = "Directory.ReadWrite.All"

$GraphServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$GraphAppId'"
$AppRole1 = $GraphServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName1 -and $_.AllowedMemberTypes -contains "Application"}
New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId `
-ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole1.Id

$AppRole2 = $GraphServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName2 -and $_.AllowedMemberTypes -contains "Application"}
New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId `
-ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole2.Id

$AppRole3 = $GraphServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName3 -and $_.AllowedMemberTypes -contains "Application"}
New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId `
-ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole3.Id

$AppRole4 = $GraphServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName4 -and $_.AllowedMemberTypes -contains "Application"}
New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId `
-ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole4.Id

$AppRole5 = $GraphServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName5 -and $_.AllowedMemberTypes -contains "Application"}
New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId `
-ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole5.Id

$AppRole6 = $GraphServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName6 -and $_.AllowedMemberTypes -contains "Application"}
New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId `
-ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole6.Id

$AppRole7 = $GraphServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName7 -and $_.AllowedMemberTypes -contains "Application"}
New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId `
-ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole7.Id

$AppRole8 = $GraphServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName8 -and $_.AllowedMemberTypes -contains "Application"}
New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId `
-ResourceId $GraphServicePrincipal.ObjectId -Id $AppRole8.Id

Open the playbook in edit mode to authorize connections.

  • Azure Monitor Logs - 'Run query and list results - if user is in VIP watchlist' - using service principal
  • Azure Monitor Logs - 'Run query and list results - Get VIP Watchlist members' - using service principal

Go back to Overview page of the playbook and click on Enable to enable the playbook.

It will run automatically first time.

Troubleshooting

  • Make sure that all API permissions and user/application roles are assigned.
  • Make sure that Logic App connectors are authorized with correct identity
  • If using user identity, make sure that user has needed permissions

Screenshots

Playbook
playbook screenshot