Detection of identity-based risks using Azure AD Identity Protection and Graph API

Github repository : https://github.com/ashishmgupta/AzureADIdentityProtection

image

What is Azure AD Identity Protection?
Identity Protection is a tool in Azure AD that allows organizations to accomplish three key tasks:

  • Automate the detection and remediation of identity-based risks.
  • Investigate risks using data in the portal.
  • Export risk detection data to third-party utilities for further analysis.

Identity Protection identifies risks in the following classifications:

Risk Detection Type Description
Atypical travel Sign in from an atypical location based on the user’s recent sign-ins.
Anonymous IP address Sign in from an anonymous IP address (for example: Tor browser, anonymizer VPNs).
Unfamiliar sign-in properties Sign in with properties we‘ve not seen recently for the given user.
Malware linked IP address Sign in from a malware linked IP address
Leaked Credentials This risk detection indicates that the user’s valid credentials have been leaked
Azure AD threat intelligence Microsoft’s internal and external threat intelligence sources have identified a known attack pattern

Source :https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection

Note : Azure AD Identity Protection is fully available in the Azure AD Premium P2 only.

In this blog post, we will focus on detection of the above identity based risks.

There are two steps :
1) From Azure Portal, setup the Application (with a token) with configured permissions to read data from Identity Protection.
2) Python script to use Graph API with the above OAuth token to access the Identity protection data to ingest in your SIEM tool.

Setting up the application in the Azure portal
Azure Active Directory > App Registrations > New Registration

image

Give the application a name.

image

Add API permissions.
API Permission > Add a permission

image

Click Microsoft Graph

image

Since we want the logs from an application instead for a user, select Application permission.

image

Now, there are three API and we need specific permissions for them to access data via Graph API.

API Name Details Permission Needed
Sign Ins Allows query Graph API for information on Azure AD sign-ins with specific properties related to risk state, details and level AuditLog.ReadAll
Directory.ReadAll
Risky Users Gets users identified by identity protection as risky users. IdentityRiskyUser.ReadAll
Risk Detections Gets both risky users and sign-in linked risk detections and associated information identityRiskEvents.ReadAll

Above API permissions need to be set under Microsoft Graph as shown below.

image image
image image

The Global Administrator of your tenant needs to grant admin consent for the permissions you added.
You should contact them for this and get the consent granted.

image

Create a new client secret.

Certificate and Secrets > New Client Secret

image

image

A secret is automatically generated and can be copied.

image

Python script to use Graph API to pull Identity Protection data
Below is the screenshot of of a section of the python code which uses the ClientId, Client Secret and the tenant domain to get the OAuth token and then uses the OAuth token to query the Microsoft Graph API to get the identity protection data in the JSON format for both risky users and risky detection.

Full source code is located here :
https://github.com/ashishmgupta/AzureADIdentityProtection

The code also retries in case of the number of requests crosses the threshold (HTTP 429 Too many requests).

image

Hope this post helps you implementing and querying the Azure Identity Protection data in your organization.
Please feel free to ask questions in the comments sections below.

, , ,

  1. Leave a comment

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Random Thoughts

The World as I see it

Simple Programmer

Making The Complex Simple

Ionic Solutions

Random thoughts on software construction, design patterns and optimization.

Long (Way) Off

A tragic's view from the cricket hinterlands

%d bloggers like this: