
How can I get more details about a security alert received via the Microsoft Security Graph API?

I'm using the Security Graph API to get alerts into a SIEM. Some of the alerts I get have very few details. Here is an example, with some information edited, but all fields are present:

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#security/alerts/$entity",
    "id": "df59a25b7179858f9d891672dee4e4a48b718fe9271e6867b20a998463b1a703",
    "azureTenantId": "a2c874c8-XXXX-XXXX-XXXX-fXXX56f81134",
    "azureSubscriptionId": null,
    "riskScore": null,
    "tags": [],
    "activityGroupName": null,
    "assignedTo": null,
    "category": "AnomalousToken",
    "closedDateTime": null,
    "comments": [],
    "confidence": null,
    "createdDateTime": "2022-01-05T20:52:18Z",
    "description": "Anomalous token indicates that there are abnormal characteristics in the token such as token duration and authentication from unfamiliar IP address",
    "detectionIds": [],
    "eventDateTime": "2022-01-04T12:26:36.1726686Z",
    "feedback": null,
    "incidentIds": [],
    "lastEventDateTime": null,
    "lastModifiedDateTime": "2022-01-05T22:47:28.909877Z",
    "recommendedActions": [],
    "severity": "medium",
    "sourceMaterials": [],
    "status": "newAlert",
    "title": "Anomalous Token",
    "vendorInformation": {
        "provider": "IPC",
        "providerVersion": null,
        "subProvider": null,
        "vendor": "Microsoft"
    },
    "alertDetections": [],
    "cloudAppStates": [],
    "fileStates": [],
    "hostStates": [],
    "historyStates": [],
    "investigationSecurityStates": [],
    "malwareStates": [],
    "messageSecurityStates": [],
    "networkConnections": [],
    "processes": [],
    "registryKeyStates": [],
    "securityResources": [],
    "triggers": [],
    "userStates": [
        {
            "aadUserId": "7b9b7027-XXXX-XXXX-bXXX-1XXXXXXX9e7",
            "accountName": "NicXXX.XXXXX",
            "domainName": "XXX.co.uk",
            "emailRole": "unknown",
            "isVpn": null,
            "logonDateTime": "2022-01-04T12:26:36.1726686Z",
            "logonId": null,
            "logonIp": "102.11.1.15",
            "logonLocation": "Accra, Greater Accra, GH",
            "logonType": null,
            "onPremisesSecurityIdentifier": null,
            "riskScore": null,
            "userAccountType": null,
            "userPrincipalName": "NicXXX.XXXXX@XXX.co.uk"
        }
    ],
    "uriClickSecurityStates": [],
    "vulnerabilityStates": []
}

In short, the only information I can see is that the user generated some "anomalous token" from some specific IP. But I'd like to see the hostname used, what the token details were, why it was anomalous, etc.
I can see similar alerts, almost empty, about failed authentication attempts (Azure AD), suspicious mail forwarding rule creation (Exchange), etc., all without significant details. How can I get them? Or perhaps: how should I reconfigure Graph or the data sources to allow Graph to get access to the details?

I tried to reproduce your issue and I am also not getting the detailed information about the token and hostname. I hope you are also getting the partial content: 206 error.

If successful, this method returns a 200 OK response code and an alert object in the response body. A 206 error code indicates that one or more of the bulk actions failed when it was federated out to its provider. The response will contain success/error data from the individual providers for each threat intelligence indicator. For more information you can follow this Microsoft document.


I read several Microsoft documents and found that Anomalous Token comes under sign-in risk detection. A sign-in risk represents the probability that a given authentication request isn't authorized by the identity owner.

These risks can be calculated in real time or calculated offline using Microsoft's internal and external threat intelligence sources, including security researchers, law enforcement professionals, security teams at Microsoft, and other trusted sources.

The Anomalous Token detection type is offline. This detection indicates that there are abnormal characteristics in the token, such as an unusual token lifetime or a token that is played from an unfamiliar location. This detection covers session tokens and refresh tokens.

The Anomalous Token Detection plan was communicated by Microsoft in July 2021:

Anomalous token detection is now available in Azure AD Identity Protection. This feature can detect that there are abnormal characteristics in the token, such as time active and authentication from an unfamiliar IP address.

So from the above conclusion I would suggest you raise a Microsoft support request; I think they can help route it to the security team in Microsoft.
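The answer above places the "Anomalous Token" alert under Azure AD Identity Protection's sign-in risk detections, and the question asks how to get at the detail behind such a thin alert. The following is an added example, not code from the question, the answer, or Microsoft: a Python sketch of the enrichment step a SIEM collector could run, correlating the alert's userStates entry with Identity Protection risk detections for the same user around the logon time and unpacking the detection's additionalInfo. It assumes Microsoft Graph's /identityProtection/riskDetections endpoint (permission IdentityRiskEvent.Read.All), the riskDetection property names used in the code (userId, riskEventType, ipAddress, activityDateTime, additionalInfo), and that the $filter fields used are filterable; the sample alert and detections are constructed, and nothing in the block performs network I/O.

```python
"""Enrich a thin Graph Security alert with Identity Protection risk detections.
Added example, not code from the question or answer. Assumed: Microsoft Graph's
/identityProtection/riskDetections endpoint (IdentityRiskEvent.Read.All) returns
objects with userId, riskEventType, ipAddress, activityDateTime and a JSON-encoded
additionalInfo string, and the $filter fields below are filterable. No network
I/O here; every sample record is constructed."""
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

GRAPH = "https://graph.microsoft.com/v1.0"

def parse_graph_time(value):
    """Graph timestamps may carry 7 fractional digits; fromisoformat wants <= 6."""
    v = value.rstrip("Z")
    if "." in v:
        head, frac = v.split(".", 1)
        v = f"{head}.{frac[:6]}"
    return datetime.fromisoformat(v).replace(tzinfo=timezone.utc)

def check_graph_response(status, body):
    """200 is a complete answer; 206 (the answer's caveat) means a provider did not
    return its part, so mark the record partial instead of storing it as complete."""
    if status == 200:
        return "ok"
    if status == 206:
        return "partial"
    raise RuntimeError(f"Graph returned HTTP {status}: {body.get('error')}")

def risk_detection_query(alert, window=timedelta(hours=24)):
    """URL to pull the detections behind an alert: same user, activity within
    +/- window of the alert's logon time (filter syntax is an assumption)."""
    user = alert["userStates"][0]
    t = parse_graph_time(user["logonDateTime"])
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    flt = (f"userId eq '{user['aadUserId']}' and "
           f"activityDateTime ge {(t - window).strftime(fmt)} and "
           f"activityDateTime le {(t + window).strftime(fmt)}")
    return f"{GRAPH}/identityProtection/riskDetections?" + urlencode({"$filter": flt})

def parse_additional_info(detection):
    """additionalInfo is a string holding a JSON list of {"Key","Value"} pairs.
    Return it as a dict; tolerate a missing or malformed value."""
    try:
        items = json.loads(detection.get("additionalInfo") or "[]")
    except (TypeError, ValueError):
        return {}
    if not isinstance(items, list):
        return {}
    return {i["Key"]: i.get("Value") for i in items if isinstance(i, dict) and "Key" in i}

def match_detections(alert, detections, window=timedelta(hours=24)):
    """Detections for the alerted user inside the window: those sharing the
    alert's logon IP first, then nearest in time."""
    user = alert["userStates"][0]
    t = parse_graph_time(user["logonDateTime"])
    hits = []
    for d in detections:
        if d.get("userId") != user["aadUserId"]:
            continue
        delta = abs(parse_graph_time(d["activityDateTime"]) - t)
        if delta <= window:
            hits.append((d.get("ipAddress") != user.get("logonIp"), delta, d))
    hits.sort(key=lambda h: (h[0], h[1]))
    return [h[2] for h in hits]

def enrich_alert(alert, detections):
    """Copy of the alert plus a riskDetections list the SIEM can index."""
    keys = ("id", "riskEventType", "riskLevel", "riskState", "riskDetail",
            "tokenIssuerType", "ipAddress", "activityDateTime")
    out = dict(alert)  # shallow copy; the alert passed in is left untouched
    out["riskDetections"] = [
        {**{k: d.get(k) for k in keys}, "additionalInfo": parse_additional_info(d)}
        for d in match_detections(alert, detections)
    ]
    return out

# Constructed sample: the question's alert trimmed to the fields used here,
# with a made-up user id in place of the redacted one.
UID = "7b9b7027-1111-2222-b333-144444444e7"
SAMPLE_ALERT = {
    "category": "AnomalousToken", "severity": "medium",
    "userStates": [{"aadUserId": UID, "logonIp": "102.11.1.15",
                    "logonDateTime": "2022-01-04T12:26:36.1726686Z"}],
}
# Constructed detections: one behind the alert, one for the same user a week
# earlier (outside the window), one for another user at the same minute.
SAMPLE_DETECTIONS = [
    {"id": "det-1", "userId": UID, "riskEventType": "anomalousToken",
     "riskLevel": "medium", "riskState": "atRisk", "riskDetail": "none",
     "tokenIssuerType": "AzureAD", "ipAddress": "102.11.1.15",
     "activityDateTime": "2022-01-04T12:26:36.1726686Z",
     "additionalInfo": json.dumps([{"Key": "userAgent", "Value": "Mozilla/5.0 (constructed)"}])},
    {"id": "det-2", "userId": UID, "riskEventType": "unfamiliarFeatures",
     "ipAddress": "198.51.100.7", "activityDateTime": "2021-12-28T09:00:00Z",
     "additionalInfo": None},
    {"id": "det-3", "userId": "00000000-0000-0000-0000-000000000001",
     "riskEventType": "anomalousToken", "ipAddress": "102.11.1.15",
     "activityDateTime": "2022-01-04T12:26:36Z", "additionalInfo": "not json"},
]
```

Running `enrich_alert(SAMPLE_ALERT, SAMPLE_DETECTIONS)` attaches only det-1 to the alert: det-2 falls outside the 24-hour window and det-3 belongs to a different user, and the decoded additionalInfo carries the user agent the bare alert never showed. In a real collector the URL from `risk_detection_query` is sent with the bearer token, and `check_graph_response` flags a 206 so a partial record is not stored as if it were complete.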

Notice: the technical posts on this site follow the CC BY-SA 4.0 license. If you need to repost, please cite this site's URL or the original address. For any questions contact: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM