# Required PowerShell modules:
# - MgGraph to grant MSI permissions using the Microsoft Graph API
# - Az to grant permissions on Azure resources
# To install the pre-requisites, uncomment the following two lines:
# Install-Module Microsoft.Graph.Applications -Scope CurrentUser -Force
# Install-Module -Name Az.Resources -Scope CurrentUser -Repository PSGallery -Force
#Requires -Modules Microsoft.Graph.Applications, Az.Resources
# Required Permissions
# - Azure AD Global Administrator or an Azure AD Privileged Role Administrator to execute the Set-APIPermissions function
# - Resource Group Owner or User Access Administrator on the Microsoft Sentinel resource group to execute the Set-RBACPermissions function
# Enter your tenant and subscription details below:
# --- Tenant and subscription (must be filled in before running) ------------
$TenantId                  = ''
$AzureSubscriptionId       = ''
$SentinelResourceGroupName = ''   # Resource group that holds the Sentinel workspace

# --- Logic App display names (change only if you renamed the deployed apps) -
$AADLogicAppName           = 'Get-AADUserRisksInfo'         # AAD Risks module
$BaseLogicAppName          = 'Base-Module'                  # Base module
$FileLogicAppName          = 'Get-FileInsights'             # FileInsights module
$KQLLogicAppName           = 'Run-KQLQuery'                 # KQL Query module
$UEBALogicAppName          = 'Get-UEBAInsights'             # UEBA module
$OOFLogicAppName           = 'Get-OOFDetails'               # OOF module
$MDELogicAppName           = 'Get-MDEInsights'              # MDE module
$MCASLogicAppName          = 'Get-MCASInvestigationScore'   # MCAS module
$RelatedAlertsLogicAppName = 'Get-RelatedAlerts'            # Related Alerts module
$RunPlaybookLogicAppName   = 'Run-Playbook'                 # Run-Playbook module
$ScoringLogicAppName       = 'Calculate-RiskScore'          # Risk Scoring module
$TILogicAppName            = 'Get-ThreatIntel'              # Threat Intel module
$WatchlistLogicAppName     = 'Get-WatchlistInsights'        # Watchlists module
$SampleLogicAppName        = 'Sample-STAT-Triage'           # Sample triage playbook

# --- Additional options ------------------------------------------------------
$LogicAppPrefix            = ''   # Prepended to every Logic App name above
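# Check that the required modules are installed, in case the script is run
# interactively from an IDE where '#Requires' is not enforced.
# $null goes on the left of -eq so a multi-element result is never filtered
# down to an empty (falsy) array by the comparison.
if ($null -eq (Get-Module -ListAvailable -Name Microsoft.Graph.Applications)) {
    Write-Host "[-] Make sure the module Microsoft.Graph.Applications is installed. You can use the following command to install it: Install-Module Microsoft.Graph.Applications -Scope CurrentUser -Force" -ForegroundColor Red
    return
} elseif ($null -eq (Get-Module -ListAvailable -Name Az.Resources)) {
    Write-Host "[-] Make sure the module Az.Resources is installed. You can use the following command to install it: Install-Module -Name Az.Resources -Scope CurrentUser -Repository PSGallery -Force" -ForegroundColor Red
    return
}

# Fail fast on the placeholder values from the header instead of signing in
# and later building the RBAC scope (Set-RBACPermissions) from empty strings.
foreach ($Required in @("TenantId", "AzureSubscriptionId", "SentinelResourceGroupName")) {
    if ([string]::IsNullOrWhiteSpace((Get-Variable -Name $Required -ValueOnly))) {
        Write-Host "[-] The variable '$Required' is empty. Set it in the script header before running." -ForegroundColor Red
        return
    }
}

# Connect to the Microsoft Graph API and Azure Management API.
# AppRoleAssignment.ReadWrite.All lets this session grant application
# permissions tenant-wide; run the script from an account that already holds
# the directory role listed in the header and nothing broader.
Write-Host "[+] Connect to the Azure AD tenant: $TenantId"
try {
    Connect-MgGraph -TenantId $TenantId -Scopes AppRoleAssignment.ReadWrite.All, Application.Read.All -ErrorAction Stop | Out-Null
}
catch {
    Write-Host "[-] Login to Microsoft Graph failed. $($_.Exception.Message)" -ForegroundColor Red
    return
}
Write-Host "[+] Connecting to to the Azure subscription: $AzureSubscriptionId"
try {
    # Connect-AzAccount is the canonical name; Login-AzAccount is only an alias.
    Connect-AzAccount -Subscription $AzureSubscriptionId -Tenant $TenantId -ErrorAction Stop | Out-Null
}
catch {
    # Every Set-RBACPermissions call below needs this session, so continuing
    # would only produce a half-applied configuration (Graph grants without RBAC).
    Write-Host "[-] Login to Azure Management failed. $($_.Exception.Message)" -ForegroundColor Red
    return
}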
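function Set-APIPermissions ($MSIName, $AppId, $PermissionName) {
    <#
    .SYNOPSIS
    Grants one application permission (app role) to a Logic App managed identity.
    .PARAMETER MSIName
    Display name of the managed identity's service principal; resolved with Get-AppIds
    and must match exactly one principal.
    .PARAMETER AppId
    Application (client) id of the resource API that exposes the app role.
    .PARAMETER PermissionName
    Value of the app role to assign (e.g. "Data.Read"); only roles that allow the
    "Application" member type are considered.
    .OUTPUTS
    None. Progress and failures are written with Write-Host; an assignment that
    already exists is reported as success rather than an error.
    #>
    Write-Host "[+] Setting permission $PermissionName on $MSIName"
    $MSI = Get-AppIds -AppName $MSIName
    if ($MSI.count -gt 1) {
        Write-Host "[-] Found multiple principals with the same name." -ForegroundColor Red
        return
    } elseif ($MSI.count -eq 0) {
        Write-Host "[-] Principal not found." -ForegroundColor Red
        return
    }
    Start-Sleep -Seconds 1 # Wait in case the MSI identity creation took some time
    $GraphServicePrincipal = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
    # Without these two guards a missing resource or role reaches the assignment
    # call with a null ResourceId/AppRoleId and fails with an unrelated message.
    if ($null -eq $GraphServicePrincipal) {
        Write-Host "[-] No service principal found for appId $AppId in this tenant." -ForegroundColor Red
        return
    }
    $AppRole = $GraphServicePrincipal.AppRoles | Where-Object { $_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains "Application" }
    if ($null -eq $AppRole) {
        Write-Host "[-] App role $PermissionName is not exposed to applications by $($GraphServicePrincipal.DisplayName)." -ForegroundColor Red
        return
    }
    try {
        New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $MSI.Id -PrincipalId $MSI.Id -ResourceId $GraphServicePrincipal.Id -AppRoleId $AppRole.Id -ErrorAction Stop | Out-Null
    }
    catch {
        # Re-running the script is expected; an existing assignment is not a failure.
        if ($_.Exception.Message -eq "Permission being assigned already exists on the object") {
            Write-Host "[+] $($_.Exception.Message)"
        } else {
            Write-Host "[-] $($_.Exception.Message)" -ForegroundColor Red
        }
        return
    }
    Write-Host "[+] Permission granted" -ForegroundColor Green
}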
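function Get-AppIds ($AppName) {
    <#
    .SYNOPSIS
    Returns the service principal(s) whose displayName equals $AppName.
    .PARAMETER AppName
    Exact display name to look up.
    .OUTPUTS
    Zero, one or more service principal objects; callers check the count.
    .NOTES
    The name is embedded in an OData $filter string literal. A single quote in
    the name would otherwise terminate the literal and break (or change) the
    query, so it is doubled per the OData escaping rule.
    #>
    $Escaped = $AppName -replace "'", "''"
    Get-MgServicePrincipal -Filter "displayName eq '$Escaped'"
}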
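function Set-RBACPermissions ($MSIName, $Role) {
    <#
    .SYNOPSIS
    Assigns an Azure RBAC role to a Logic App managed identity on the Sentinel resource group.
    .PARAMETER MSIName
    Display name of the managed identity's service principal; resolved with Get-AppIds
    and must match exactly one principal.
    .PARAMETER Role
    Role definition name, e.g. "Microsoft Sentinel Responder".
    .OUTPUTS
    None. Progress and failures are written with Write-Host; an assignment that
    already exists (Conflict) is reported as success.
    .NOTES
    Reads the script-level $AzureSubscriptionId and $SentinelResourceGroupName to
    build the scope, so the role is granted on the resource group only, never at
    subscription scope.
    #>
    Write-Host "[+] Adding $Role to $MSIName"
    $MSI = Get-AppIds -AppName $MSIName
    if ($MSI.count -gt 1) {
        Write-Host "[-] Found multiple principals with the same name." -ForegroundColor Red
        return
    } elseif ($MSI.count -eq 0) {
        Write-Host "[-] Principal not found." -ForegroundColor Red
        return
    }
    $Scope = "/subscriptions/$($AzureSubscriptionId)/resourceGroups/$($SentinelResourceGroupName)"
    # Errors are collected in $AzError instead of thrown so a Conflict can be
    # distinguished from a real failure below.
    $Assign = New-AzRoleAssignment -ApplicationId $MSI.AppId -Scope $Scope -RoleDefinitionName $Role -ErrorAction SilentlyContinue -ErrorVariable AzError
    if ($null -ne $Assign) {
        Write-Host "[+] Role added" -ForegroundColor Green
    } elseif ($AzError.Count -gt 0 -and $AzError[0].Exception.Message -like "*Conflict*") {
        Write-Host "[+] Role already assigned"
    } elseif ($AzError.Count -gt 0) {
        Write-Host "[-] $($AzError[0].Exception.Message)" -ForegroundColor Red
    } else {
        # Guard against indexing an empty error list when the cmdlet returns nothing.
        Write-Host "[-] New-AzRoleAssignment returned no assignment and no error; verify the role manually." -ForegroundColor Red
    }
}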
# Permission matrix: one entry per STAT module, applied in this order. Each entry
# lists the application permissions (resource appId + app role value) granted to
# the module's managed identity, followed by the Azure RBAC role assigned on the
# Sentinel resource group. The resource appIds are the well-known first-party ids:
#   00000003-0000-0000-c000-000000000000  Microsoft Graph
#   ca7f3f0b-7d91-482c-8e09-c5d840d0eac5  Log Analytics API
#   fc780465-2017-40d4-a0c5-307022471b92  WindowsDefenderATP (Defender for Endpoint)
#   05a65629-4c1b-48c1-a78b-804c4abdd4af  Microsoft Cloud App Security
#   8ee8fdad-f234-4243-8f3b-15c294843740  Microsoft Threat Protection (Defender XDR)
$SentinelRole = "Microsoft Sentinel Responder"
$ModuleGrants = @(
    # UEBA
    @{ Name = $UEBALogicAppName; Api = @(
        @{ AppId = "ca7f3f0b-7d91-482c-8e09-c5d840d0eac5"; Permission = "Data.Read" }
    ) }
    # OOF
    @{ Name = $OOFLogicAppName; Api = @(
        @{ AppId = "00000003-0000-0000-c000-000000000000"; Permission = "MailboxSettings.Read" }
    ) }
    # RelatedAlerts
    @{ Name = $RelatedAlertsLogicAppName; Api = @(
        @{ AppId = "ca7f3f0b-7d91-482c-8e09-c5d840d0eac5"; Permission = "Data.Read" }
    ) }
    # MDE
    @{ Name = $MDELogicAppName; Api = @(
        @{ AppId = "00000003-0000-0000-c000-000000000000"; Permission = "User.Read.All" }
        @{ AppId = "fc780465-2017-40d4-a0c5-307022471b92"; Permission = "AdvancedQuery.Read.All" }
        @{ AppId = "fc780465-2017-40d4-a0c5-307022471b92"; Permission = "Machine.Read.All" }
    ) }
    # MCAS
    @{ Name = $MCASLogicAppName; Api = @(
        @{ AppId = "05a65629-4c1b-48c1-a78b-804c4abdd4af"; Permission = "investigation.read" }
    ) }
    # Watchlists
    @{ Name = $WatchlistLogicAppName; Api = @(
        @{ AppId = "ca7f3f0b-7d91-482c-8e09-c5d840d0eac5"; Permission = "Data.Read" }
    ) }
    # Base module
    @{ Name = $BaseLogicAppName; Api = @(
        @{ AppId = "00000003-0000-0000-c000-000000000000"; Permission = "User.Read.All" }
        @{ AppId = "00000003-0000-0000-c000-000000000000"; Permission = "Reports.Read.All" }
        @{ AppId = "00000003-0000-0000-c000-000000000000"; Permission = "RoleManagement.Read.Directory" }
    ) }
    # File module
    @{ Name = $FileLogicAppName; Api = @(
        @{ AppId = "8ee8fdad-f234-4243-8f3b-15c294843740"; Permission = "AdvancedHunting.Read.All" }
    ) }
    # KQL module
    @{ Name = $KQLLogicAppName; Api = @(
        @{ AppId = "ca7f3f0b-7d91-482c-8e09-c5d840d0eac5"; Permission = "Data.Read" }
        @{ AppId = "8ee8fdad-f234-4243-8f3b-15c294843740"; Permission = "AdvancedHunting.Read.All" }
    ) }
    # AADRisksModule
    @{ Name = $AADLogicAppName; Api = @(
        @{ AppId = "ca7f3f0b-7d91-482c-8e09-c5d840d0eac5"; Permission = "Data.Read" }
        @{ AppId = "00000003-0000-0000-c000-000000000000"; Permission = "User.Read.All" }
        @{ AppId = "00000003-0000-0000-c000-000000000000"; Permission = "IdentityRiskyUser.Read.All" }
    ) }
    # TI
    @{ Name = $TILogicAppName; Api = @(
        @{ AppId = "ca7f3f0b-7d91-482c-8e09-c5d840d0eac5"; Permission = "Data.Read" }
    ) }
    # Triage-Content Sample, Calculate-RiskScore and Run-Playbook: RBAC only
    @{ Name = $SampleLogicAppName; Api = @() }
    @{ Name = $ScoringLogicAppName; Api = @() }
    @{ Name = $RunPlaybookLogicAppName; Api = @() }
)

# Apply the matrix: API grants first, then the RBAC role, module by module.
foreach ($Module in $ModuleGrants) {
    $MSIName = "$LogicAppPrefix$($Module.Name)"
    foreach ($Grant in $Module.Api) {
        Set-APIPermissions -MSIName $MSIName -AppId $Grant.AppId -PermissionName $Grant.Permission
    }
    Set-RBACPermissions -MSIName $MSIName -Role $SentinelRole
}
Write-Host "[+] End of the script. Please review the output and check for potential failures as they might not be terminating errors."