Merge pull request #1317 from TheHive-Project/msentra-id-improvements-1

MSEntraID - Additional Analyzers & Responders + Improvements

analyzers/MSEntraID/MSEntraID_GetDirectoryAuditLogs.json

@@ -0,0 +1,52 @@
+{
+    "name": "MSEntraID_GetDirectoryAuditLogs",
+    "version": "1.0",
+    "author": "nusantara-self, StrangeBee",
+    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+    "license": "AGPL-V3",
+    "description": "Pull Microsoft Entra ID directory audit logs for a user within the specified timeframe.",
+    "dataTypeList": ["mail"],
+    "command": "MSEntraID/MSEntraID.py",
+    "baseConfig": "MSEntraID",
+    "config": {
+        "service": "getDirectoryAuditLogs"
+    },
+    "configurationItems": [
+        {"name": "tenant_id",
+        "description": "Microsoft Entra ID Tenant ID",
+        "type": "string",
+        "multi": false,
+        "required": true
+        },
+        {"name": "client_id",
+        "description": "Client ID/Application ID of Microsoft Entra ID Registered App",
+        "type": "string",
+        "multi": false,
+        "required": true
+        },
+        {"name": "client_secret",
+        "description": "Secret for Microsoft Entra ID Registered Application",
+        "type": "string",
+        "multi": false,
+        "required": true
+        },
+        {"name": "lookup_range",
+        "description": "Check for Directory Audit Logs in the last X days. Should be between 1 and 31 days.",
+        "type": "number",
+        "multi": false,
+        "required": false,
+        "defaultValue": 7
+        },
+        {"name": "lookup_limit",
+        "description": "Display no more than this many Directory Audit Logs.",
+        "type": "number",
+        "multi": false,
+        "required": false,
+        "defaultValue": 12
+        }
+    ],
+    "registration_required": true,
+    "subscription_required": true,
+    "free_subscription": false,
+    "service_homepage": "https://www.microsoft.com/security/business/identity-access/microsoft-entra-id"
+}

analyzers/MSEntraID/MSEntraID_GetManagedDevicesInfo.json

@@ -0,0 +1,38 @@
+{
+    "name": "MSEntraID_GetManagedDevicesInfo",
+    "version": "1.0",
+    "author": "nusantara-self, StrangeBee",
+    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+    "license": "AGPL-V3",
+    "description": "Get Microsoft Intune Managed Device(s) Details from hostname or mail",
+    "dataTypeList": ["mail", "hostname"],
+    "command": "MSEntraID/MSEntraID.py",
+    "baseConfig": "MSEntraID",
+    "config": {
+        "service": "getManagedDevicesInfo"
+    },
+    "configurationItems": [
+        {"name": "tenant_id",
+        "description": "Microsoft Entra ID Tenant ID",
+        "type": "string",
+        "multi": false,
+        "required": true
+        },
+        {"name": "client_id",
+        "description": "Client ID/Application ID of Microsoft Entra ID Registered App",
+        "type": "string",
+        "multi": false,
+        "required": true
+        },
+        {"name": "client_secret",
+        "description": "Secret for Microsoft Entra ID Registered Application",
+        "type": "string",
+        "multi": false,
+        "required": true
+        }
+    ],
+    "registration_required": true,
+    "subscription_required": true,
+    "free_subscription": false,
+    "service_homepage": "https://www.microsoft.com/security/business/identity-access/microsoft-entra-id"
+}

analyzers/MSEntraID/MSEntraID_GetSignIns.json

@@ -8,6 +8,9 @@
     "dataTypeList": ["mail"],
     "command": "MSEntraID/MSEntraID.py",
     "baseConfig": "MSEntraID",
+    "config": {
+        "service": "getSignIns"
+    },
     "configurationItems": [
         {"name": "tenant_id",
         "description": "Microsoft Entra ID Tenant ID",

analyzers/MSEntraID/MSEntraID_GetUserInfo.json

@@ -0,0 +1,65 @@
+{
+    "name": "MSEntraID_GetUserInfo",
+    "version": "1.0",
+    "author": "nusantara-self, StrangeBee",
+    "url": "https://github.com/TheHive-Project/Cortex-Analyzers",
+    "license": "AGPL-V3",
+    "description": "Get information about the user from Microsoft Entra ID, using the mail",
+    "dataTypeList": ["mail"],
+    "command": "MSEntraID/MSEntraID.py",
+    "baseConfig": "MSEntraID",
+    "config": {
+        "service": "getUserInfo"
+    },
+    "configurationItems": [
+        {"name": "tenant_id",
+        "description": "Microsoft Entra ID Tenant ID",
+        "type": "string",
+        "multi": false,
+        "required": true
+        },
+        {"name": "client_id",
+        "description": "Client ID/Application ID of Microsoft Entra ID Registered App",
+        "type": "string",
+        "multi": false,
+        "required": true
+        },
+        {"name": "client_secret",
+        "description": "Secret for Microsoft Entra ID Registered Application",
+        "type": "string",
+        "multi": false,
+        "required": true
+        },
+        {
+            "name": "params_list",
+            "description": "list of query params to get User information",
+            "type": "string",
+            "multi": true,
+            "required": true,
+            "defaultValue": [
+                "businessPhones",
+                "givenName",
+                "surname",
+                "userPrincipalName",
+                "displayName",
+                "jobTitle",
+                "mail",
+                "mobilePhone",
+                "officeLocation",
+                "department",
+                "accountEnabled",
+                "onPremisesSyncEnabled",
+                "onPremisesLastSyncDateTime",
+                "onPremisesSecurityIdentifier",
+                "proxyAddresses",
+                "usageLocation",
+                "userType",
+                "createdDateTime"
+            ]
+        }
+    ],
+    "registration_required": true,
+    "subscription_required": true,
+    "free_subscription": false,
+    "service_homepage": "https://www.microsoft.com/security/business/identity-access/microsoft-entra-id"
+}