This is a short blog post on how to set up a Logic App that collects alerts from the Security Graph API and forwards them to an external system, such as an ITSM system, Teams or just an email distribution group, using a Managed Identity to authenticate to the Security Graph API.
First, some short background information on the Security Graph API. This is a centralized API where all the Microsoft security products, such as Sentinel and Defender, surface their alerts. This also includes all security alerts from custom analytics rules within Azure Sentinel.
NOTE: You can read more about the API and which services are integrated into it here –> Use the Microsoft Graph Security API – Microsoft Graph v1.0 | Microsoft Docs
Now to be able to authenticate to the Security Graph API you need one of the following permissions.
|Permission|Entity|Supported requests|
|---|---|---|
|SecurityActions.Read.All|securityActions (preview)|GET|
|SecurityActions.ReadWrite.All|securityActions (preview)|GET, POST|
| | |GET, POST, PATCH|
|ThreatIndicators.ReadWrite.OwnedBy|tiIndicator (preview)|GET, POST, PATCH, DELETE|
If you want to assign a System Managed Identity permissions to the Security Graph API, you need to use the CLI or the API (this is not possible using the Portal).
Using a System Managed Identity means that you do not need a set of custom credentials to authenticate to the Security Graph; this is all taken care of by Azure. Now to get started.
1: Set up a Logic App with System Managed Identity
This can be done directly from the portal under the Identity pane. (Not through Terraform yet :/ see Enable MSI and retrieve object id in azurerm_logic_app_workflow · Issue #2924 · terraform-providers/terraform-provider-azurerm (github.com))
2: Provide the Managed Identity with Security Graph API permissions
This needs to be done using Azure CLI or PowerShell, for instance. Note that I've specified the permission that I want, which is SecurityEvents.Read.All, so that the identity is only able to collect the security alerts. The script also needs the object ID of the managed identity's service principal; here I reuse the one that I got when I configured the System Managed Identity. The last command then assigns that Graph permission to the Managed Identity.
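```powershell
Connect-AzureAD

# Service principal of Microsoft Graph (well-known application ID)
$graph = Get-AzureADServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"

# App role (application permission) to grant to the managed identity
$groupReadPermission = $graph.AppRoles `
    | where Value -Like "SecurityEvents.Read.All" `
    | Select-Object -First 1

# Service principal of the Logic App's managed identity (object ID from step 1)
$msi = Get-AzureADServicePrincipal -ObjectId b2eb493c-4b4a-4267-b97f-1dbb6859b8fa

# Assign the Graph app role to the managed identity
New-AzureADServiceAppRoleAssignment -ObjectId $msi.ObjectId -PrincipalId $msi.ObjectId `
    -ResourceId $graph.ObjectId -Id $groupReadPermission.Id
```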
3: Set up the Logic App to connect to the Security Graph
I have a playbook that runs on a recurring schedule and connects to the Security Graph API using the managed identity, through the built-in connector for the Security Graph API.
When adding the integration, you need to specify that it should use the managed identity.
You should also configure filters to only collect new alerts that are coming in. Here is the list of different attributes and filters that you can use to configure it –> Microsoft Graph Security – Connectors | Microsoft Docs and here is an example of what the JSON looks like when it is returned from the Security Graph –> Get alert – Microsoft Graph v1.0 | Microsoft Docs
NOTE: The filters that you use here are the same ones that are used in the Graph API Explorer.
As an example, if I only want new alerts from Azure Security Center, I could filter the alerts using the following filter:
vendorInformation/provider eq 'ASC' and Status eq 'NewAlert'
4: Test the connection to verify
Then save and do a test run through the designer. If you have any active alerts in the Security API, they should be returned in the body of the Security Graph activity.
5: Build the rest of the Logic App playbook according to what you need
Once you have these predefined activities in place, you can start to build the rest of the playbook according to your needs, whether that is sending a notification to Teams or to an ITSM tool.
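Steps 3 and 4 as a workflow definition for the Logic App code view. This is an added example, not taken from the original post: it uses the generic HTTP action with managed identity authentication instead of the built-in Security Graph connector. The action name and the 5-minute interval are assumptions; the filter is the one shown in step 3.

```json
{
  "definition": {
    "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
    "contentVersion": "1.0.0.0",
    "triggers": {
      "Recurrence": {
        "type": "Recurrence",
        "recurrence": {
          "frequency": "Minute",
          "interval": 5
        }
      }
    },
    "actions": {
      "Get_new_ASC_alerts": {
        "type": "Http",
        "runAfter": {},
        "inputs": {
          "method": "GET",
          "uri": "https://graph.microsoft.com/v1.0/security/alerts",
          "queries": {
            "$filter": "vendorInformation/provider eq 'ASC' and Status eq 'NewAlert'"
          },
          "authentication": {
            "type": "ManagedServiceIdentity",
            "audience": "https://graph.microsoft.com"
          }
        }
      }
    },
    "outputs": {}
  }
}
```

The `audience` must be the Graph resource so that the token issued to the managed identity carries the app role assigned in step 2; without that assignment the call is rejected as unauthorized.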