Skip to content

Accelerynt-Security/AS-Revoke-Azure-AD-User-Session-From-Incident

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

16 Commits
 
 
 
 
 
 

Repository files navigation

AS-Revoke-Entra-ID-User-Session-From-Incident

Author: Accelerynt

For any technical questions, please contact info@accelerynt.com

Deploy to Azure Deploy to Azure Gov

This playbook is intended to be run from a Microsoft Sentinel Incident. It will look up the Azure AD users associated with the incident account entities and revoke their sessions. A comment noting the affected users will be added to the Incident.

RevokeUserSession_Demo_1

RevokeUserSession_Demo_2

Requirements

The following items are required under the template settings during deployment:

  • A Microsoft Azure Active Directory app registration with admin consent granted for "User.ReadWrite.All" in the "Microsoft Graph" API
  • An Azure key vault secret containing your app registration client secret

Setup

Create an App Registration

Navigate to the Microsoft Azure Active Directory app registration page: https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade

Click "New registration".

RevokeUserSession_App_Registration_1

Enter "AS-Revoke-Entra-ID-User-Session-From-Incident" for the name, all else can be left as is. Click "Register"

RevokeUserSession_App_Registration_2

Once the app registration is created, you will be redirected to the "Overview" page. Under the "Essentials" section, take note of the "Application (client) ID", as this will be needed for deployment.

RevokeUserSession_App_Registration_3

Next, you will need to add permissions for the app registration to call the Microsoft Graph API revokeSignInSessions endpoint. From the left menu blade, click "API permissions" under the "Manage" section. Then, click "Add a permission".

RevokeUserSession_App_Registration_4

From the "Select an API" pane, click the "Microsoft APIs" tab and select "Microsoft Graph".

RevokeUserSession_App_Registration_5

Click "Application permissions", then paste "User.ReadWrite.All" in the search bar. Click the option matching the search, then click "Add permission".

RevokeUserSession_App_Registration_6

Admin consent will be needed before your app registration can use the assigned permission. Click "Grant admin consent for (name)".

RevokeUserSession_App_Registration_7

Lastly, a client secret will need to be generated for the app registration. From the left menu blade, click "Certificates & secrets" under the "Manage" section. Then, click "New client secret".

RevokeUserSession_App_Registration_8

Enter a description and select the desired expiration date, then click "Add".

RevokeUserSession_App_Registration_9

Copy the value of the secret that is generated, as this will be needed for Create an Azure Key Vault Secret.

RevokeUserSession_App_Registration_10

Create an Azure Key Vault Secret

Navigate to the Azure key vaults page: https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults

Navigate to an existing key vault or create a new one. From the key vault overview page, click the "Secrets" menu option, found under the "Settings" section. Click "Generate/Import".

RevokeUserSession_Key_Vault_1

Choose a name for the secret, such as "AS-Revoke-Entra-ID-User-Session-From-Incident--App-Registration-Client-Secret", and enter the client secret copied in the previous section. All other settings can be left as is. Click "Create".

RevokeUserSession_Key_Vault_2

Once your secret has been added to the vault, navigate to the "Access policies" menu option. Leave this page open, as you will need to return to it once the playbook has been deployed. See Granting Access to Azure Key Vault.

RevokeUserSession_Key_Vault_3

Deployment

To configure and deploy this playbook:

Open your browser and ensure you are logged into your Microsoft Sentinel workspace. In a separate tab, open the link to our playbook on the Accelerynt Security GitHub repository:

https://github.com/Accelerynt-Security/AS-Revoke-Azure-AD-User-Session-From-Incident

Deploy to Azure Deploy to Azure Gov

Click the "Deploy to Azure" button at the bottom and it will bring you to the custom deployment template.

In the Project Details section:

  • Select the "Subscription" and "Resource Group" from the dropdown boxes you would like the playbook deployed to.

In the Instance Details section:

Towards the bottom, click on "Review + create".

RevokeUserSession_Deploy_1

Once the resources have validated, click on "Create".

RevokeUserSession_Deploy_2

The resources should take around a minute to deploy. Once the deployment is complete, you can expand the "Deployment details" section to view them. Click the one corresponding to the Logic App.

RevokeUserSession_Deploy_3

Granting Access to Azure Key Vault

Before the Logic App can run successfully, the key vault connection created during deployment must be granted access to the key vault storing your app registration client secret.

From the key vault "Access policies" page, click "Create".

RevokeUserSession_Key_Vault_Access_1

Select the "Get" checkbox under "Secret permissions", then click "Next".

RevokeUserSession_Key_Vault_Access_2

Paste "AS-Revoke-Entra-ID-User-Session-From-Incident" into the principal search box and click the option that appears. If the app registration also appears, select the option that does not match the Application (client) ID of your app registration. Click "Next" towards the bottom of the page.

RevokeUserSession_Key_Vault_Access_3

Navigate to the "Review + create" section and click "Create".

RevokeUserSession_Key_Vault_Access_4

Microsoft Sentinel Contributor Role

After deployment, you will need to give the system assigned managed identity the "Microsoft Sentinel Contributor" role. This will enable the Logic App to add comments to Incidents. Navigate to the Log Analytics Workspaces page and select the same workspace the playbook is located in:

https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.OperationalInsights%2Fworkspaces

Select the "Access control (IAM)" option from the menu blade, then click "Add role assignment".

RevokeUserSession_Add_Contributor_Role_1

Select the "Microsoft Sentinel Contributor" role, then click "Next".

RevokeUserSession_Add_Contributor_Role_2

Select the "Managed identity" option, then click "Select Members". Under the subscription the Logic App is located, set the value of "Managed identity" to "Logic app". Next, enter "AS-Revoke-Entra-ID-User-Session-From-Incident", or the alternative playbook name used during deployment, in the field labeled "Select". Select the playbook, then click "Select".

RevokeUserSession_Add_Contributor_Role_3

Continue on to the "Review + assign" tab and click "Review + assign".

RevokeUserSession_Add_Contributor_Role_4

About

Revoke Entra ID user sessions from Microsoft Sentinel incidents

Topics

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published