Azure-Sentinel/Playbooks/Affected-Key-Credentials-CV...
Sreedhar Ande 6c690a0778
update Affected-Key-Credentials-CVE-2021-42306 ARM
2022-03-16 15:47:09 -07:00
images Updated playbook graphics 2021-12-15 18:11:11 -08:00
README.md Updated Link in ReadMe 2021-12-07 12:45:39 -08:00
azuredeploy.json update Affected-Key-Credentials-CVE-2021-42306 ARM 2022-03-16 15:47:09 -07:00

README.md

Affected Key Credentials

This playbook calls Microsoft Graph to scan the key credentials of every application and service principal in the specified tenant, selects the credentials whose `hasExtendedValue` property is `true`, and adds them to an Azure Sentinel watchlist.

https://msrc-blog.microsoft.com/2021/11/17/guidance-for-azure-active-directory-ad-keycredential-property-information-disclosure-in-application-and-service-principal-apis/
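The check the playbook performs (walk the paged Graph collections, keep every keyCredential with `hasExtendedValue == true`, emit watchlist rows), shown here as an added stand-alone Python example rather than the Logic App itself. The Graph pages are constructed samples in the shape Graph returns, all object and key ids are placeholders, and the CSV column names are this example's own choice, not the playbook's watchlist schema.

```python
"""Offline illustration of the CVE-2021-42306 key-credential scan: walk Microsoft
Graph application/servicePrincipal objects and report every keyCredential whose
hasExtendedValue property is true. Sample data below is constructed, not captured."""
import csv
import io
from typing import Callable, Dict, Iterator, List, Optional

# Queries a Graph client would issue; $select trims the payload to what the scan needs.
GRAPH_APPLICATIONS_URL = (
    "https://graph.microsoft.com/v1.0/applications?$select=id,appId,displayName,keyCredentials"
)
GRAPH_SERVICE_PRINCIPALS_URL = (
    "https://graph.microsoft.com/v1.0/servicePrincipals?$select=id,appId,displayName,keyCredentials"
)

# Constructed sample pages (placeholder ids). Page 1 carries an @odata.nextLink.
SAMPLE_APPLICATIONS_PAGE_1 = {
    "@odata.nextLink": "page-2",
    "value": [
        {
            "id": "00000000-0000-0000-0000-000000000001",
            "appId": "11111111-1111-1111-1111-111111111111",
            "displayName": "payroll-automation",
            "keyCredentials": [
                {"keyId": "aaaa-0001", "endDateTime": "2023-01-01T00:00:00Z", "hasExtendedValue": False},
                {"keyId": "aaaa-0002", "endDateTime": "2024-06-30T00:00:00Z", "hasExtendedValue": True},
            ],
        },
        {
            "id": "00000000-0000-0000-0000-000000000002",
            "appId": "22222222-2222-2222-2222-222222222222",
            "displayName": "reporting-dashboard",
            "keyCredentials": [],
        },
    ],
}
SAMPLE_APPLICATIONS_PAGE_2 = {
    "value": [
        {
            "id": "00000000-0000-0000-0000-000000000003",
            "appId": "33333333-3333-3333-3333-333333333333",
            "displayName": "legacy-runbook",
            "keyCredentials": [
                {"keyId": "cccc-0001", "endDateTime": "2022-12-31T00:00:00Z", "hasExtendedValue": True},
                # The property may be absent on some objects; only an explicit true counts.
                {"keyId": "cccc-0002", "endDateTime": "2022-12-31T00:00:00Z"},
            ],
        }
    ],
}
SAMPLE_PAGES = {"page-1": SAMPLE_APPLICATIONS_PAGE_1, "page-2": SAMPLE_APPLICATIONS_PAGE_2}


def iter_graph_objects(first_page: Dict, fetch_next: Callable[[str], Dict]) -> Iterator[Dict]:
    """Yield every object in a paged Graph collection by following @odata.nextLink."""
    page: Optional[Dict] = first_page
    while page is not None:
        for obj in page.get("value", []):
            yield obj
        next_link = page.get("@odata.nextLink")
        page = fetch_next(next_link) if next_link else None


def find_affected_key_credentials(objects, object_type: str) -> List[Dict[str, str]]:
    """Return one row per keyCredential whose hasExtendedValue is exactly true."""
    rows = []
    for obj in objects:
        for cred in obj.get("keyCredentials") or []:
            if cred.get("hasExtendedValue") is True:
                rows.append({
                    "ObjectType": object_type,
                    "ObjectId": obj["id"],
                    "AppId": obj.get("appId", ""),
                    "DisplayName": obj.get("displayName", ""),
                    "KeyId": cred["keyId"],
                    "EndDateTime": cred.get("endDateTime", ""),
                })
    return rows


def rows_to_watchlist_csv(rows: List[Dict[str, str]]) -> str:
    """Serialise rows as a CSV body (header plus one line per row) for a watchlist upload."""
    if not rows:
        return ""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()), lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def scan_sample_tenant() -> List[Dict[str, str]]:
    """Run the scan over the constructed application pages."""
    objects = iter_graph_objects(SAMPLE_PAGES["page-1"], lambda link: SAMPLE_PAGES[link])
    return find_affected_key_credentials(objects, "application")


if __name__ == "__main__":
    affected = scan_sample_tenant()
    print(f"{len(affected)} affected key credential(s)")
    print(rows_to_watchlist_csv(affected))
```

Two details matter in a real run: the same pass must be made over `servicePrincipals` as well as `applications`, since both object types carry `keyCredentials`, and the comparison must be against an explicit `true`, because the property can be absent or null on objects that were never affected.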

Author: Sreedhar Ande, Chi Nguyen, Ajeet Prakash

Register an application in Azure AD

  1. Go to Azure Active Directory / App Registrations
  2. Create New Registration
  3. Call it "GraphAPItoAzureSentinel". Click Register.
  4. Click API Permissions Blade.
  5. Click Add a Permission.
  6. Click Microsoft Graph.
  7. Click Delegated Permissions
  8. Check Application.Read.All, Application.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All, Directory.AccessAsUser.All.
  9. Click Application Permissions
  10. Check Application.Read.All, Application.ReadWrite.All, Directory.Read.All
  11. Click Add permissions.
  12. Click Certificates and Secrets blade.
  13. Click New Client Secret.
  14. Enter a description, select never. Click Add.
  15. IMPORTANT. Click copy next to the new secret and paste it somewhere temporarily. You cannot come back to get the secret once you leave the blade.
  16. Copy the client Id from the application properties and paste it somewhere.
  17. Also copy the tenant Id from the AAD directory properties blade.

Deployment

Deploy to Azure

Deploy to Azure Gov

Post Deployment Steps

  1. API connections are used to connect Logic Apps to SaaS services, such as Azure Sentinel.
     [Image: API connections]