Author: Jhonny Paulino, Nathan Swift
This Logic App will run weekly and create/update a Risky User watchlist with users from Microsoft Defender for cloud app with additional data for threatscore, information, and a url.
Prerequisites for the solution:
-
You must create a Azure AD Service Principal, record the AppId, tenantID, and create a secrets and record the secret. This service principal will be used in the solution to query the Defender for Cloud App /entities rest api
-
Be sure to add the following 'Microsoft Cloud App Security' Application Permissions to the created service principal discovery.read, investigation.read . Also be sure to grant admin consent to those application permissions.
Deploying the solution:
-
Add/Update the missing parameters in the ARM template deployment The Watchlist name will be also the alias name that you will use to query the data, for example
_GetWatchlist('cloudappriskyusers')
Post Deployment:
-
Manually check/update the Key Vault secret called 'cloudapplist' with the Azure AD Service Principal key
The Logic App as a Managed Service Indetity - MSI needs to have the following RBAC Roles:
-
Key Vault Secrets User on the deployed Key Vault resource. This is required for obtaining the AAD SPN secret key encrypted through Logic App.
-
Azure Sentinel Contributor Role on the Azure Sentinel Resource Group. This is required for deleting and updating the watchlist in Microsoft Sentinel.