-
Notifications
You must be signed in to change notification settings - Fork 16
/
DangerousAPIPermissionConsented.yaml
69 lines (68 loc) · 3.27 KB
/
DangerousAPIPermissionConsented.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
id: c44269aa-9879-42d9-a8f4-56a93bb8c6ac
name: Dangerous API permission consented
version: 1.0.3
kind: Scheduled
description: |
One or more high priv API permission were granted to an application.
Check if this is really necessary and otherwise remove the permissions
severity: High
queryFrequency: 31m
queryPeriod: 31m
triggerOperator: gt
triggerThreshold: 0
tactics:
- Persistence
query: |-
let DangerousAPIPermissions = dynamic({
"9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8": "RoleManagement.ReadWrite.Directory -> Directly promote any user to global admin",
"06b708a9-e830-4db3-a914-8e69da51d44f": "AppRoleAssignment.ReadWrite.All -> Grant RoleManagement.ReadWrite.Directory, then promote to global admin",
"1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9": "Application.ReadWrite.All -> Act as another entity e.g. a global admin user"
});
AuditLogs
| where OperationName == "Add app role assignment to service principal"
| where Result =~ "success"
| mv-expand TargetResources
| where TargetResources.displayName == "Microsoft Graph"
| mv-expand TargetResources.modifiedProperties
| where TargetResources_modifiedProperties.displayName == "AppRole.Id"
// This permission was not part of this application before
| where isnull(TargetResources_modifiedProperties.oldValue)
// The new permission is part of the dangerous API permissions
| extend NewAPIPermission = trim('"', tostring(TargetResources_modifiedProperties.newValue))
| extend PotentialImpact = DangerousAPIPermissions[NewAPIPermission]
| where isnotempty(PotentialImpact)
| extend UserAgent = iff(AdditionalDetails[0].key == "User-Agent", tostring(AdditionalDetails[0].value), "")
| extend ServicePrincipalDisplayName = parse_json(tostring(parse_json(tostring(TargetResources.modifiedProperties))[6].newValue))
| extend ServicePrincipalObjectID = parse_json(tostring(parse_json(tostring(TargetResources.modifiedProperties))[5].newValue))
| extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))
| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: false
reopenClosedIncident: false
lookbackDuration: 5h
matchingMethod: AllEntities
groupByEntities: []
groupByAlertDetails: []
groupByCustomDetails: []
eventGroupingSettings:
aggregationKind: SingleAlert
alertDetailsOverride:
alertDescriptionFormat: "A high impact Graph API permission was granted to an application.\n\nThe granted API permission was {{PotentialImpact}} \n\nPlease verify if this API permission is needed by this application and if so make sure to add it to the watchlist \"HighRiskApps\""
alertDynamicProperties: []
customDetails:
ServicePrincipalId: ServicePrincipalObjectID
ServicePrincipal: ServicePrincipalDisplayName
AddedPermission: NewAPIPermission
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: InitiatingUserOrApp
- entityType: IP
fieldMappings:
- identifier: Address
columnName: InitiatingIpAddress
suppressionDuration: 5h
suppressionEnabled: false