
Microsoft Identity And Access (Graph)


Microsoft Identity And Access (Graph) is the gateway for accessing Azure Active Directory (Azure AD) resources, enabling scenarios such as managing administrator (directory) roles or inviting external users to an organization.

Connect Microsoft Identity And Access (Graph) with Devo SOAR

  1. Navigate to Automations > Integrations.

  2. Search for Microsoft Identity And Access.

  3. Click Details, then the + icon. Enter the required information in the following fields.

    • Label: Enter a connection name.

    • Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.

    • Verify SSL: Select this option to verify the connecting server's SSL certificate (Default is Verify SSL Certificate).

    • Remote Agent: Run this integration using the Devo SOAR Remote Agent.

    • Tenant ID: Tenant ID of the app created in Azure Active Directory.

    • Client ID: Client ID of the app created in Azure Active Directory.

    • Client Secret: Client secret of the app created in Azure Active Directory.

  4. After you've entered all the details, click Connect.

Note

These actions require an Azure AD Premium P1/P2 license.

Actions for Microsoft Identity And Access (Graph)

List Risk Detections

Get a list of the risk detection objects and their properties.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| Custom OData query | Jinja-template for a custom OData query used to filter the list (Default is no filter). Example: riskState eq 'remediated'. | Optional |
| Number of messages to be fetched | Number of messages to be fetched. This overrides any $top provided in "Custom OData query" (Default is 10 messages if $top is not provided in "Custom OData query" either). | Optional |

Output

A JSON object containing the following items:

  • has_error: True/False

  • error: message/null

  • result: List of Risk Detections.
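As an added example (not the integration's own code), the following Python shows how the two inputs above combine into a Graph list request: a custom OData query, plus a fetch count that overrides any $top in that query and defaults to 10, with the reply wrapped in the has_error/error/result envelope documented here. The Graph v1.0 resource paths and the rule that a query beginning with "$" is a full query string rather than a bare filter are assumptions.

```python
"""Added example: build Graph identity-protection list requests from the
"Custom OData query" and "Number of messages to be fetched" inputs, and wrap
the reply in the has_error / error / result envelope the page documents.
Assumed: Graph v1.0 paths under /identityProtection, and that a custom query
starting with '$' is a full query string rather than a bare $filter expression."""
from typing import Dict, Optional
from urllib.parse import parse_qsl, quote

GRAPH = "https://graph.microsoft.com/v1.0"
DEFAULT_TOP = 10  # page: default is 10 when $top is supplied nowhere


def parse_custom_odata(custom: str) -> Dict[str, str]:
    """"riskState eq 'remediated'" -> {"$filter": ...};
    "$filter=...&$top=5" -> both keys (assumption: leading '$' means full query)."""
    custom = (custom or "").strip()
    if not custom:
        return {}
    if custom.startswith("$") and "=" in custom:
        return dict(parse_qsl(custom, keep_blank_values=True))
    return {"$filter": custom}


def build_list_url(resource: str, custom_odata: str = "", count: Optional[int] = None) -> str:
    """An explicit count overrides $top from the custom query; otherwise default to 10."""
    params = parse_custom_odata(custom_odata)
    if count is not None:
        params["$top"] = str(count)
    params.setdefault("$top", str(DEFAULT_TOP))
    encoded = {k: quote(v, safe="'") for k, v in params.items()}  # keep quotes in OData literals
    query = "&".join(f"{k}={v}" for k, v in encoded.items())
    return f"{GRAPH}/{resource}?{query}"


def to_envelope(status: int, body: dict) -> dict:
    """Map an HTTP status + JSON body to the page's output shape.
    Graph list replies carry items under "value"; single objects do not."""
    if status >= 400:
        msg = (body.get("error") or {}).get("message") or "HTTP %d" % status
        return {"has_error": True, "error": msg, "result": None}
    return {"has_error": False, "error": None, "result": body.get("value", body)}


if __name__ == "__main__":
    # Constructed sample reply, not data from a real tenant
    sample = {"value": [{"id": "11111111-2222-3333-4444-555555555555",
                         "riskState": "remediated", "riskLevel": "medium"}]}
    print(build_list_url("identityProtection/riskDetections", "riskState eq 'remediated'"))
    print(to_envelope(200, sample))
```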

Get Risk Detection

Retrieve the properties and relationships of a risk detection object.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| Risk Detection ID | Jinja-template for the unique identifier (id) of a risk detection object. Example: {{risk_detection_id_column}}. | Optional |

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Risk Detection.

List Risky Users

Get a list of the risky user objects and their properties.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| Custom OData query | Jinja-template for a custom OData query used to filter the list (Default is no filter). Example: riskState eq 'remediated'. | Optional |
| Number of messages to be fetched | Number of messages to be fetched. This overrides any $top provided in "Custom OData query" (Default is 10 messages if $top is not provided in "Custom OData query" either). | Optional |

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: List of Risky Users

Get Risky User

Retrieve the properties and relationships of a risky user object.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| Risky User ID | Jinja-template for the unique identifier (id) of a risky user object. Example: {{risky_user_id_column}}. | Optional |

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Risky User

Confirm Compromised Risky User

Confirm one or more risky user objects as compromised. This action sets the targeted user's risk level to high.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| Risky User Id's | Jinja-templated string containing comma-separated risky user ids to confirm as compromised. Example: {{risky_user_id_column1}}, {{risky_user_id_column2}}. | Optional |

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Success/Failure

Dismiss Compromised Risky User

Dismiss the risk of one or more risky user objects. This action sets the targeted user's risk level to none.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| Risky User Id's | Jinja-templated string containing comma-separated risky user ids whose risk should be dismissed. Example: {{risky_user_id_column1}}, {{risky_user_id_column2}}. | Optional |

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Success/Failure
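The Confirm Compromised and Dismiss actions above both take one comma-separated, Jinja-rendered list of risky user ids. As an added example (not the integration's own code), this Python parses that input, rejects anything that is not a GUID so a mis-rendered template cannot silently change which accounts are marked high risk or cleared, and builds the Graph request. The v1.0 action paths and the {"userIds": [...]} body are assumptions.

```python
"""Added example: turn the comma-separated "Risky User Id's" input of the
Confirm Compromised and Dismiss actions into the Graph request, rejecting
any token that is not a GUID.
Assumed: Graph v1.0 actions POST /identityProtection/riskyUsers/confirmCompromised
and /identityProtection/riskyUsers/dismiss, both taking {"userIds": [...]}."""
import uuid
from typing import Dict, List, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"
ACTIONS = {
    "confirm_compromised": "identityProtection/riskyUsers/confirmCompromised",  # sets risk to high
    "dismiss": "identityProtection/riskyUsers/dismiss",                          # sets risk to none
}


def parse_user_ids(rendered: str) -> Tuple[List[str], List[str]]:
    """Split the rendered string, drop blanks and duplicates, keep order,
    and return (valid_guids, rejected_tokens)."""
    valid, rejected, seen = [], [], set()
    for token in rendered.split(","):
        token = token.strip()
        if not token:
            continue
        try:
            guid = str(uuid.UUID(token)).lower()  # canonical 8-4-4-4-12 form
        except ValueError:
            rejected.append(token)
            continue
        if guid not in seen:
            seen.add(guid)
            valid.append(guid)
    return valid, rejected


def build_risky_user_action(action: str, rendered_ids: str) -> Dict:
    """Return url + JSON body, or an error in the page's has_error/error shape.
    Any malformed id fails the whole call rather than acting on a partial set."""
    if action not in ACTIONS:
        return {"has_error": True, "error": f"unknown action {action!r}", "result": None}
    ids, bad = parse_user_ids(rendered_ids)
    if bad or not ids:
        return {"has_error": True, "error": f"invalid or empty user ids: {bad}", "result": None}
    return {"has_error": False, "error": None,
            "result": {"url": f"{GRAPH}/{ACTIONS[action]}", "body": {"userIds": ids}}}
```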

List User History

Get the risky user history items from the history navigation property.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| Risky User ID | Jinja-template for the unique identifier (id) of a risky user object. Example: {{risky_user_id_column}}. | Optional |
| History Item ID | Jinja-template for the unique identifier (id) of a history item object. Example: {{history_item_id_column}}. | Optional |
| Custom OData query | Jinja-template for a custom OData query used to filter the list (Default is no filter). Example: riskState eq 'remediated'. | Optional |
| Number of messages to be fetched | Number of messages to be fetched. This overrides any $top provided in "Custom OData query" (Default is 10 messages if $top is not provided in "Custom OData query" either). | Optional |

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: List of User History

Get User History

Retrieve the properties and relationships of a risky user history item object.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| Risky User ID | Jinja-template for the unique identifier (id) of a risky user object. Example: {{risky_user_id_column}}. | Optional |
| Custom OData query | Jinja-template for a custom OData query used to filter the list (Default is no filter). Example: riskState eq 'remediated'. | Optional |
| Number of messages to be fetched | Number of messages to be fetched. This overrides any $top provided in "Custom OData query" (Default is 10 messages if $top is not provided in "Custom OData query" either). | Optional |

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: User History

List IP Named Location

Get a list of namedLocation objects.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| Explode Results | Explode each result into a separate row (Default is No). | Optional |

Output

A JSON object containing multiple rows of result:

```json
{
  "result": [
    {
      "@odata.type": "#microsoft.graph.ipNamedLocation",
      "id": "0aab4fe7-d8ad-44cd-8c36-815fc0e82b24",
      "displayName": "1610469824546",
      "modifiedDateTime": "2022-04-11T07:20:08.871778Z",
      "createdDateTime": "2022-04-11T07:20:08.871778Z",
      "isTrusted": false,
      "ipRanges": [
        {
          "@odata.type": "#microsoft.graph.iPv4CidrRange",
          "cidrAddress": "12.34.221.11/22"
        }
      ]
    },
    {
      "@odata.type": "#microsoft.graph.ipNamedLocation",
      "id": "02e33bf8-c949-408e-950a-211b32223ce1",
      "displayName": "1610469824892",
      "modifiedDateTime": "2022-04-11T07:20:09.9641995Z",
      "createdDateTime": "2022-04-11T07:20:09.9641995Z",
      "isTrusted": false,
      "ipRanges": [
        {
          "@odata.type": "#microsoft.graph.iPv4CidrRange",
          "cidrAddress": "12.34.221.11/22"
        }
      ]
    }
  ],
  "has_error": false,
  "error": null,
  "stdout": "",
  "stderr": ""
}
```

Create IP Named Location

Create namedLocation objects.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| Display Name | [Jinja-template](doc:jinja-template) for the display name of the IP named location. | Required |
| IP Ranges | [Jinja-template](doc:jinja-template) for IP ranges. For example: [{"@odata.type": "#microsoft.graph.iPv4CidrRange","cidrAddress": "12.34.221.11/22"}] | Required |
| Is Trusted | [Jinja-template](doc:jinja-template) for is trusted (Default is False). | Optional |

Output

A JSON object containing multiple rows of result:

```json
{
  "displayName": "0b56b98b-e814-4405-99da-7bae69cb30d2",
  "isTrusted": true,
  "@odata.type": "#microsoft.graph.ipNamedLocation",
  "has_error": false,
  "id": "0c57cd3d-45ed-438a-9f01-d8666843c139",
  "error": null,
  "createdDateTime": "2022-04-11T09:55:13.4968154Z",
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identity/conditionalAccess/namedLocations/$entity",
  "ipRanges": [
    {
      "@odata.type": "#microsoft.graph.iPv4CidrRange",
      "cidrAddress": "12.34.221.11/22"
    }
  ],
  "modifiedDateTime": "2022-04-11T09:55:13.4968154Z"
}
```

Get IP Named Location

Get a single namedLocation object.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| IP Named Location ID | Jinja-template for the IP named location Id. | Required |

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: IP Named Location Object

```json
{
  "result": {
    "@odata.type": "#microsoft.graph.ipNamedLocation",
    "id": "0aab4fe7-d8ad-44cd-8c36-815fc0e82b24",
    "displayName": "1610469824546",
    "modifiedDateTime": "2022-04-11T07:20:08.871778Z",
    "createdDateTime": "2022-04-11T07:20:08.871778Z",
    "isTrusted": false,
    "ipRanges": [
      {
        "@odata.type": "#microsoft.graph.iPv4CidrRange",
        "cidrAddress": "12.34.221.11/22"
      }
    ]
  },
  "has_error": false,
  "error": null,
  "stdout": "",
  "stderr": ""
}
```

Delete IP Named Location

Delete namedLocation objects.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| IP Named Location ID | [Jinja-template](doc:jinja-template) for the IP named location Id. | Required |

Output

A JSON object containing multiple rows of result:

```json
{
  "result": "Deleted successfully.",
  "error": null,
  "has_error": false
}
```

Update IP Named Location

Update namedLocation objects.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| IP Named Location ID | Jinja-template for the IP named location Id. | Required |
| Display Name | Jinja-template for the display name of the IP named location. | Optional |
| IP Ranges | Jinja-template for IP ranges. For example: [{"@odata.type": "#microsoft.graph.iPv4CidrRange","cidrAddress": "12.34.221.11/22"}] | Required |
| Is Trusted | Jinja-template for is trusted (Default is False). | Optional |

Output

A JSON object containing multiple rows of result:

```json
{
  "result": "Updated successfully.",
  "error": null,
  "has_error": false
}
```
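The Create and Update IP Named Location actions both accept the IP Ranges list and the Is Trusted flag shown above. As an added example (not the integration's own code), this Python validates the rendered ipRanges JSON before the request is sent, flags a CIDR whose host bits are set (like the page's 12.34.221.11/22, whose effective range is the enclosing /22), and builds the request body; it treats only a literal "true" as trusted, because a trusted location is what Conditional Access exempts from risk-based policy. The Graph v1.0 namedLocations resource and the iPv4CidrRange/iPv6CidrRange entry types are assumptions taken from the page's example.

```python
"""Added example: validate the "IP Ranges" and "Is Trusted" inputs of the Create /
Update IP Named Location actions and build the Graph request body.
Assumed: Graph v1.0 namedLocations, with ipRanges entries typed iPv4CidrRange or
iPv6CidrRange and a cidrAddress, as in the page's example."""
import ipaddress
import json
from typing import Dict

RANGE_TYPES = {4: "#microsoft.graph.iPv4CidrRange", 6: "#microsoft.graph.iPv6CidrRange"}


def normalise_ip_ranges(rendered: str) -> Dict:
    """Parse the Jinja-rendered JSON list. Unparseable CIDRs and type/version
    mismatches are errors; a CIDR with host bits set (the page's 12.34.221.11/22)
    is kept as given but reported as a warning, since the effective range is the
    enclosing network rather than the address written."""
    try:
        entries = json.loads(rendered)
    except json.JSONDecodeError as exc:
        return {"ok": False, "error": f"ipRanges is not valid JSON: {exc}", "ranges": [], "warnings": []}
    if not isinstance(entries, list) or not entries:
        return {"ok": False, "error": "ipRanges must be a non-empty JSON list", "ranges": [], "warnings": []}
    ranges, problems, warnings = [], [], []
    for e in entries:
        cidr = e.get("cidrAddress") if isinstance(e, dict) else None
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError as exc:
            problems.append(f"{cidr!r}: {exc}")
            continue
        expected = RANGE_TYPES[net.version]
        if e.get("@odata.type") != expected:
            problems.append(f"{cidr}: @odata.type should be {expected}")
            continue
        if str(net) != cidr:
            warnings.append(f"{cidr}: host bits set, effective range is {net}")
        ranges.append({"@odata.type": expected, "cidrAddress": cidr})
    return {"ok": not problems, "error": "; ".join(problems) or None, "ranges": ranges, "warnings": warnings}


def build_named_location_body(display_name: str, rendered_ranges: str, is_trusted: str = "false") -> Dict:
    """Body for POST/PATCH identity/conditionalAccess/namedLocations in the page's
    has_error/error/result shape. isTrusted arrives as rendered text, so only a
    literal 'true' (any case) marks the location trusted; anything else stays False."""
    checked = normalise_ip_ranges(rendered_ranges)
    if not checked["ok"]:
        return {"has_error": True, "error": checked["error"], "result": None}
    body = {"@odata.type": "#microsoft.graph.ipNamedLocation", "displayName": display_name,
            "isTrusted": str(is_trusted).strip().lower() == "true", "ipRanges": checked["ranges"]}
    return {"has_error": False, "error": None, "result": body, "warnings": checked["warnings"]}
```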

Release Notes

  • v2.0.0 - Updated architecture to support IO via filesystem

  • v1.1.1 - Added 5 new actions: List IP NamedLocation, Create IP NamedLocation, Get IP NamedLocation, Update IP NamedLocation and Delete IP NamedLocation.