
Microsoft Graph Identity and Access integration V2

Open matt6697 opened this issue 1 month ago • 8 comments

Contributing to Cortex XSOAR Content

Make sure to register your contribution by filling the contribution registration form

The Pull Request will be reviewed only after the contribution registration form is filled.

Status

  • [x] In Progress
  • [x] Ready
  • [ ] In Hold - (Reason for hold)

Related Issues

None

Description

Added Microsoft Graph Identity and Access integration V2 with the following improvements:

  • Improved issue naming and description according to https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks
  • Added a new parameter to either keep Microsoft ID protection risk level as issue severity or override it
  • Added a new msgraph-identity-audit-signin-event-get command to retrieve the sign-in event associated with a risk detection
  • Added a new MSGraphIdentity.AuditLog.signIns context path reflecting the object described in https://learn.microsoft.com/en-us/graph/api/resources/signin?view=graph-rest-1.0 to make the sign-in event available in the context path.

Added 3 missing risk event types to Microsoft Graph Identity and Access Classifier keyTypeMap.

Added mapping for Mapped Event ID and Original Alert ID issue fields:

  • Event ID field is required to enable playbooks to callback Entra ID to retrieve sign-in details.
  • Original Entra ID Protection alert ID preserved in Original Alert ID field

Must have

  • [x] Tests
  • [x] Documentation

matt6697 avatar Nov 21 '25 14:11 matt6697

Thank you for your contribution. Your generosity and caring are unrivaled! Make sure to register your contribution by filling the Contribution Registration form, so our content wizard @merit-maita will know the proposed changes are ready to be reviewed. For your convenience, here is a link to the contributions SLAs document.

content-bot avatar Nov 21 '25 14:11 content-bot

Hi @matt6697, thanks for contributing to the XSOAR marketplace. To receive credit for your generous contribution please follow this link.

content-bot avatar Nov 21 '25 14:11 content-bot

@aaron1535: Following our work on PR https://github.com/demisto/content/pull/41534, I created this new PR with the MicrosoftGraphIdentityandAccessV2 integration which significantly improves issue naming and description according to Microsoft Entra ID Protection documentation. It also provides more flexibility for handling issue severity and adds a new msgraph-identity-audit-signin-event-get command to retrieve valuable sign-in information from Microsoft such as conditional access and device data. Would you mind having a look?

matt6697 avatar Nov 21 '25 14:11 matt6697

Hi @matt6697, Thank you for your contribution! Please add release notes and update the version in the pack_metadata.json file.

Benimanela avatar Nov 23 '25 09:11 Benimanela

Hi @Benimanela

I'm experiencing an error when trying to build the release note with demisto-sdk update-release-notes: An error occurred while updating the release notes: yml file returned is not of type dict

Here is the full output of the command. Do you know how to get rid of this error and make demisto-sdk generate the release note?

demisto-sdk update-release-notes -i Packs/MicrosoftGraphIdentityandAccess -u major --console-log-threshold DEBUG
logger setup: calling_function='update_release_notes',console_threshold='DEBUG',file_threshold='DEBUG',path=None,initial=False
Using content path: /workspaces/content
Starting to update release notes.
Using content path: /workspaces/content
Using content path: /workspaces/content
Using content path: /workspaces/content
Using content path: /workspaces/content
Using content path: /workspaces/content
Using content path: /workspaces/content
Using content path: /workspaces/content
Using content path: /workspaces/content
Using content path: /workspaces/content
Using content path: /workspaces/content
Using content path: /workspaces/content
Using content path: /workspaces/content
Using content path: /workspaces/content
Using content path: /workspaces/content
Creating release notes is in progress... It may take about minute.
Changes were detected. Bumping MicrosoftGraphIdentityandAccess to version: 2.0.0
Loading content item from Packs/MicrosoftGraphIdentityandAccess/Integrations/MicrosoftGraphIdentityandAccessV2/MicrosoftGraphIdentityandAccessV2.yml
Parsing content item Packs/MicrosoftGraphIdentityandAccess/Integrations/MicrosoftGraphIdentityandAccessV2/MicrosoftGraphIdentityandAccessV2.yml
Parsed Integration:MicrosoftGraphIdentityandAccessV2
Detected model <class 'demisto_sdk.commands.content_graph.objects.integration.Integration'> for MicrosoftGraphIdentityandAccessV2.yml
Loading content item from /workspaces/content/Packs/MicrosoftGraphIdentityandAccess
Parsing Pack:MicrosoftGraphIdentityandAccess
Using content path: /workspaces/content
Successfully parsed Pack:MicrosoftGraphIdentityandAccess
An error occurred while updating the release notes: yml file returned is not of type dict

matt6697 avatar Nov 23 '25 09:11 matt6697

@Benimanela, @aaron1535: Pack version bumped to 2.0.0 and the release note has been added to the PR. Would you mind having a look?

matt6697 avatar Nov 24 '25 13:11 matt6697

@Benimanela: All pre-commit errors fixed!

matt6697 avatar Nov 25 '25 20:11 matt6697

@Benimanela: is everything ok on your side now?

matt6697 avatar Nov 28 '25 20:11 matt6697

@JudahSchwartz: Would you mind having a look at this PR following @Benimanela's approval, as we are waiting for this V2 integration to improve Microsoft Entra risk detection in a production environment?

matt6697 avatar Dec 02 '25 13:12 matt6697

@JudahSchwartz, @MosheEichler: would you mind having a look at this PR, which improves Microsoft Entra ID Protection alert ingestion?

matt6697 avatar Dec 09 '25 10:12 matt6697

Hey @matt6697, I'll be the reviewer from @JudahSchwartz & @MosheEichler's end. Thx for your contribution. We did handle some parts of the rebranding a few weeks ago in this pr. We've decided to make as few changes as possible and therefore we don't want to add a v2 for that purpose. Please edit your PR to modify the existing V1 integration with all changes related to the rebranding / all the improvements you've done as a part of this pr.

YuvHayun avatar Dec 09 '25 11:12 YuvHayun

@YuvHayun: thanks for the feedback. The main goal of this PR is to provide the right name and description for MS Entra ID Protection alerts. Change of the alert name and description was viewed as a breaking change in PR https://github.com/demisto/content/pull/41534. This is why I proposed a V2 of this integration. I will be happy to move this work into the current integration, but do we agree that the change of alert name and description can be done without releasing a V2?

matt6697 avatar Dec 09 '25 14:12 matt6697

Hey @matt6697, I agree, this is indeed a BC. However, after consulting with our TPM team, this is a change we don't want to do atm. On one hand, we don't want to do it in the current integration as this is a BC. On the other hand, we don't think it's worth a V2 integration. I'll be happy to review the rest of your changes as part of the V1 integration once this is ready.

YuvHayun avatar Dec 10 '25 10:12 YuvHayun

@YuvHayun: would it be ok to change only the issue description in v1 and keep the issue name as it is (ugly) right now?

matt6697 avatar Dec 10 '25 14:12 matt6697

@matt6697 not sure which part you mean exactly, you can leave it to the review and worst case, I'll ask you to change it.

YuvHayun avatar Dec 10 '25 14:12 YuvHayun

@YuvHayun: Everything has been moved to the current integration (V1), except issue renaming. Could you review the changes and help me to get rid of the pre-commit error regarding the docker image change in the RN?

matt6697 avatar Dec 11 '25 13:12 matt6697

@YuvHayun: would you mind having a look at the changes in integration v1?

matt6697 avatar Dec 15 '25 16:12 matt6697

@YuvHayun: I just pushed the changes requested in your review.

matt6697 avatar Dec 18 '25 15:12 matt6697

@YuvHayun: Could we schedule a quick meeting tomorrow to go through the changes? Could you send a meeting link? (CET timezone)

matt6697 avatar Dec 21 '25 18:12 matt6697

Hey @matt6697, will 10:30am CET work for you? https://paloaltonetworks.zoom.us/j/97119939773?pwd=rRw8AebWOHUVblcyKwqApxJrp1G7wr.1

YuvHayun avatar Dec 22 '25 06:12 YuvHayun

Ok, great: 10:30am-11:00am CET

matt6697 avatar Dec 22 '25 07:12 matt6697

The new msgraph-identity-audit-signin-event-get command retrieves the following data from Microsoft Entra and adds it to context.

We now get the name of the accessed resource, the client app used, details of the device used for this sign-in attempt, and the conditional access policies result.

appDisplayName: One Outlook Web
appliedConditionalAccessPolicies:
clientAppUsed: Browser
conditionalAccessStatus: success
correlationId: a827a979-0f8a-d5a5-bad8-4946db555c2e
deviceDetail:
  deviceId:
  displayName:
  operatingSystem: Android
  browser: Firefox Mobile 145.0
  isCompliant: false
  isManaged: false
  trustType:
id: 60a26e7b-ffdb-4695-a5a6-4c63fee42700
ipAddress: 188.214.158.36
resourceDisplayName: Office 365 Exchange Online
status:
  errorCode: 50097
  failureReason: Device authentication is required.
  additionalDetails: This is not an error - this is an interrupt that triggers device authentication when required due to a Conditional Access policy or because the application or resource requested the device ID in a token. This code alone does not indicate a failure on your users part to sign in. The sign in logs may indicate that the device authentication challenge was passed succesfully or failed.
userDisplayName: Matt
userPrincipalName: [email protected]

I pushed the AuditLog data into the MSGraphIdentity object as this object was previously used by the following commands in this integration:

  • msgraph-identity-ca-policies-list -> MSGraphIdentity.ConditionalAccessPolicy
  • msgraph-identity-directory-roles-list -> MSGraphIdentity.Role
  • msgraph-identity-directory-role-members-list -> MSGraphIdentity.RoleMember

matt6697 avatar Dec 22 '25 08:12 matt6697
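As an added example (not code from this PR or from the MicrosoftGraphIdentityandAccess pack), here is how a playbook-side helper can turn the Graph signIn object shown above into the MSGraphIdentity.AuditLog.signIns context entry and derive triage fields from it; the sample object is constructed from the values in the comment, and the function names, the DeviceManaged/PoliciesApplied/Outcome fields and the example.com UPN are assumptions.

```python
"""Build the MSGraphIdentity.AuditLog.signIns context entry from a Graph signIn
object (graph-rest-1.0 shape) and add triage fields; hypothetical helper names."""
import json

# Constructed sample built from the values posted in the thread (UPN replaced)
SAMPLE_SIGNIN = json.loads("""{
  "id": "60a26e7b-ffdb-4695-a5a6-4c63fee42700",
  "correlationId": "a827a979-0f8a-d5a5-bad8-4946db555c2e",
  "userDisplayName": "Matt",
  "userPrincipalName": "matt@example.com",
  "appDisplayName": "One Outlook Web",
  "clientAppUsed": "Browser",
  "resourceDisplayName": "Office 365 Exchange Online",
  "ipAddress": "188.214.158.36",
  "conditionalAccessStatus": "success",
  "appliedConditionalAccessPolicies": [],
  "deviceDetail": {"deviceId": "", "displayName": "", "operatingSystem": "Android",
                   "browser": "Firefox Mobile 145.0", "isCompliant": false,
                   "isManaged": false, "trustType": ""},
  "status": {"errorCode": 50097, "failureReason": "Device authentication is required.",
             "additionalDetails": "Interrupt that triggers device authentication."}
}""")

# Status codes that are interrupts rather than failed sign-ins; 50097 is the one
# documented in the additionalDetails text quoted in the thread.
INTERRUPT_CODES = {50097}


def signin_outcome(signin: dict) -> str:
    """Classify status.errorCode: 0 is success, a known interrupt is 'interrupt',
    anything else is a real failure."""
    code = int((signin.get("status") or {}).get("errorCode", 0))
    if code == 0:
        return "success"
    if code in INTERRUPT_CODES:
        return "interrupt"
    return "failure"


def signin_to_context(signin: dict) -> dict:
    """Wrap the signIn object under MSGraphIdentity.AuditLog.signIns and add the
    fields an analyst wants first: outcome, device posture and CA policy count."""
    device = signin.get("deviceDetail") or {}
    entry = dict(signin)  # keep every original Graph field in context
    entry["Outcome"] = signin_outcome(signin)
    entry["DeviceManaged"] = bool(device.get("isManaged")) or bool(device.get("isCompliant"))
    entry["PoliciesApplied"] = len(signin.get("appliedConditionalAccessPolicies") or [])
    return {"MSGraphIdentity": {"AuditLog": {"signIns": [entry]}}}
```

For the sample above the entry reports an interrupt (not a failure), an unmanaged and non-compliant device, and zero applied Conditional Access policies, which is the combination a playbook should flag for review.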

Thank you for your contribution. Your external PR has been merged and the changes are now included in an internal PR for further review. The internal PR will be merged to the master branch within 3 business days.

github-actions[bot] avatar Dec 22 '25 09:12 github-actions[bot]