
How can I get more details about a security alert received via the Microsoft Graph Security API?

I'm using the Graph Security API to get alerts into a SIEM, and some of the alerts I get carry very little detail. Here is an example, with some information redacted, but with all fields present:

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#security/alerts/$entity",
    "id": "df59a25b7179858f9d891672dee4e4a48b718fe9271e6867b20a998463b1a703",
    "azureTenantId": "a2c874c8-XXXX-XXXX-XXXX-fXXX56f81134",
    "azureSubscriptionId": null,
    "riskScore": null,
    "tags": [],
    "activityGroupName": null,
    "assignedTo": null,
    "category": "AnomalousToken",
    "closedDateTime": null,
    "comments": [],
    "confidence": null,
    "createdDateTime": "2022-01-05T20:52:18Z",
    "description": "Anomalous token indicates that there are abnormal characteristics in the token such as token duration and authentication from unfamiliar IP address",
    "detectionIds": [],
    "eventDateTime": "2022-01-04T12:26:36.1726686Z",
    "feedback": null,
    "incidentIds": [],
    "lastEventDateTime": null,
    "lastModifiedDateTime": "2022-01-05T22:47:28.909877Z",
    "recommendedActions": [],
    "severity": "medium",
    "sourceMaterials": [],
    "status": "newAlert",
    "title": "Anomalous Token",
    "vendorInformation": {
        "provider": "IPC",
        "providerVersion": null,
        "subProvider": null,
        "vendor": "Microsoft"
    },
    "alertDetections": [],
    "cloudAppStates": [],
    "fileStates": [],
    "hostStates": [],
    "historyStates": [],
    "investigationSecurityStates": [],
    "malwareStates": [],
    "messageSecurityStates": [],
    "networkConnections": [],
    "processes": [],
    "registryKeyStates": [],
    "securityResources": [],
    "triggers": [],
    "userStates": [
        {
            "aadUserId": "7b9b7027-XXXX-XXXX-bXXX-1XXXXXXX9e7",
            "accountName": "NicXXX.XXXXX",
            "domainName": "XXX.co.uk",
            "emailRole": "unknown",
            "isVpn": null,
            "logonDateTime": "2022-01-04T12:26:36.1726686Z",
            "logonId": null,
            "logonIp": "102.11.1.15",
            "logonLocation": "Accra, Greater Accra, GH",
            "logonType": null,
            "onPremisesSecurityIdentifier": null,
            "riskScore": null,
            "userAccountType": null,
            "userPrincipalName": "NicXXX.XXXXX@XXX.co.uk"
        }
    ],
    "uriClickSecurityStates": [],
    "vulnerabilityStates": []
}

In short, the only information I can see is that the user generated some "anomalous token" from some specific IP. But I'd like to see the hostname used, what the token details were, why it was anomalous, etc.
I can see similar, almost empty alerts about failed authentication attempts (Azure AD), suspicious mail forwarding rule creation (Exchange), etc., all without significant details. How can I get them? Or perhaps, how should I reconfigure Graph or the data sources to allow Graph to get access to the details?

I tried to reproduce your issue and I am also not getting the detailed information about the token and hostname. I hope you are also getting a partial content (206) error.

If successful, this method returns a 200 OK response code and an alert object in the response body. A 206 error code indicates that one or more of the bulk actions failed when it was federated out to its provider. The response will contain success/error data from the individual providers for each threat intelligence indicator. For more information you can follow this Microsoft document.


I read several Microsoft documents and found that Anomalous Token comes under sign-in risk detection. A sign-in risk represents the probability that a given authentication request isn't authorized by the identity owner.

These risks can be calculated in real time or calculated offline using Microsoft's internal and external threat intelligence sources, including security researchers, law enforcement professionals, security teams at Microsoft, and other trusted sources.

The Anomalous Token detection type is offline. This detection indicates that there are abnormal characteristics in the token, such as an unusual token lifetime or a token that is played from an unfamiliar location. This detection covers session tokens and refresh tokens.

The anomalous token detection plan was communicated by Microsoft in July 2021:

Anomalous token detection is now available in Azure AD Identity Protection. This feature can detect that there are abnormal characteristics in the token, such as time active and authentication from an unfamiliar IP address.

So, from the above, I would suggest you raise a Microsoft support request; I think they can help route it to the security team in Microsoft.
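As an added example (not part of the question or the answer above), the following Python script shows how a SIEM ingestion step can triage the kind of thin alert shown in the question: it reports which entity collections of the alert are actually populated, flags alerts that carry nothing beyond a single user logon record, interprets the 200 vs 206 status the answer mentions, and builds a Graph query to look up the underlying Identity Protection risk detection. The embedded alert is the redacted one from the question, reduced to the fields the script uses. The `/identityProtection/riskDetections` lookup is an assumption made here (the page does not mention it); it is where Identity Protection exposes its own view of a sign-in risk, and whether it carries the token detail the asker wants must be checked against the tenant.

```python
import json
from urllib.parse import quote

# Constructed sample: the redacted alert from the question above, reduced to the
# fields this script looks at (all other state collections were empty there too).
SAMPLE_ALERT_JSON = """
{
  "id": "df59a25b7179858f9d891672dee4e4a48b718fe9271e6867b20a998463b1a703",
  "category": "AnomalousToken",
  "title": "Anomalous Token",
  "severity": "medium",
  "status": "newAlert",
  "eventDateTime": "2022-01-04T12:26:36.1726686Z",
  "vendorInformation": {"provider": "IPC", "vendor": "Microsoft"},
  "alertDetections": [], "cloudAppStates": [], "fileStates": [], "hostStates": [],
  "historyStates": [], "investigationSecurityStates": [], "malwareStates": [],
  "messageSecurityStates": [], "networkConnections": [], "processes": [],
  "registryKeyStates": [], "securityResources": [], "triggers": [],
  "userStates": [{
    "userPrincipalName": "NicXXX.XXXXX@XXX.co.uk",
    "logonIp": "102.11.1.15",
    "logonLocation": "Accra, Greater Accra, GH",
    "logonDateTime": "2022-01-04T12:26:36.1726686Z"
  }],
  "uriClickSecurityStates": [], "vulnerabilityStates": []
}
"""
SAMPLE_ALERT = json.loads(SAMPLE_ALERT_JSON)

# Entity collections carried by a Graph Security alert object; each is a list.
STATE_COLLECTIONS = (
    "alertDetections", "cloudAppStates", "fileStates", "hostStates", "historyStates",
    "investigationSecurityStates", "malwareStates", "messageSecurityStates",
    "networkConnections", "processes", "registryKeyStates", "securityResources",
    "triggers", "userStates", "uriClickSecurityStates", "vulnerabilityStates",
)


def populated_collections(alert):
    """Return the names of the entity collections that actually carry data."""
    return [name for name in STATE_COLLECTIONS if alert.get(name)]


def is_thin_alert(alert):
    """True when the alert carries nothing beyond user/logon records, which is what
    the Identity Protection ("IPC") alerts in the question look like."""
    return populated_collections(alert) == ["userStates"]


def describe_status(status_code):
    """Interpret the HTTP status of an alert request as the answer describes:
    200 is a complete alert, 206 means at least one provider failed to return its part."""
    if status_code == 200:
        return "complete"
    if status_code == 206:
        return "partial: one or more providers failed; inspect the response body"
    return f"unexpected status {status_code}"


def risk_detection_query(alert):
    """Build a Graph URL to look up the Identity Protection risk detection behind the alert.
    Assumption (not from the question): filtering /identityProtection/riskDetections on
    userPrincipalName returns the detection that produced this alert."""
    users = alert.get("userStates") or []
    if not users:
        return None
    upn = users[0]["userPrincipalName"].replace("'", "''")  # OData string-literal escaping
    odata_filter = f"userPrincipalName eq '{upn}'"
    return ("https://graph.microsoft.com/v1.0/identityProtection/riskDetections"
            f"?$filter={quote(odata_filter)}")


def triage(alert):
    """Summarise what the alert gives a SIEM analyst and where to look next."""
    user = (alert.get("userStates") or [{}])[0]
    return {
        "id": alert.get("id"),
        "provider": alert.get("vendorInformation", {}).get("provider"),
        "category": alert.get("category"),
        "populated": populated_collections(alert),
        "thin": is_thin_alert(alert),
        "logon": {k: user.get(k) for k in ("userPrincipalName", "logonIp", "logonLocation")},
        "follow_up": risk_detection_query(alert),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_ALERT), indent=2))
    print(describe_status(206))
```

Run against a live tenant, the same `triage` function would be applied to each alert returned by `GET /security/alerts`, and `describe_status` to the response code before the body is trusted as complete; thin IPC alerts are then the ones worth enriching from Identity Protection rather than from the alert object itself.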
