cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Azure Sentinel - Run Antivirus Scan using Logic App

HA13029
Copper Contributor

‎Feb 03 2024 02:52 AM

‎Feb 03 2024 02:52 AM

Azure Sentinel - Run Antivirus Scan using Logic App

Hello,
I have to integrate antivirus run scan into azure sentinel using playbook (template Run MDE Antivirus - Incident Trigger).
According to the prerequisites, I need to grant some permissions using powershell command.
"Run the following code replacing the managed identity object id. You find the managed identity object id on the Identity blade under Settings for the Logic App."

From the powershell, I enter the following command:
$MIGuid = '0fff8f4e-xxxx-xxxx-xxxx-xxxxxxxxxxxxx'
$MI = Get-AzureADServicePrincipal -ObjectId $MIGuid

I receive the following error message
Get-AzureADServicePrincipal: You must call the Connect-AzureAD cmdlet before calling any other cmdlets.

 

Any idea ?


PS: I'm not a developper...

 

Regards,

 

HA

1,120 Views
0 Likes
8 Replies
Reply
8 Replies
keenanbrooks

‎Feb 03 2024 04:01 AM - edited ‎Feb 03 2024 04:02 AM

‎Feb 03 2024 04:01 AM - edited ‎Feb 03 2024 04:02 AM

Re: Azure Sentinel - Run Antivirus Scan using Logic App

Hi,

In Powershell just run the command Connect-AzureAD, this will trigger a sign in prompt, sign in with the account that has the admin privs assigned to it. Once you have run the command, and signed in, copy and paste the pre-req code.

0 Likes
Reply
HA13029

‎Feb 03 2024 04:34 AM

‎Feb 03 2024 04:34 AM

Re: Azure Sentinel - Run Antivirus Scan using Logic App

Hi,

First, thanks a lot for your help.
A little bit better but another error message now...

PS /home/system> Connect-AzureAD
PS /home/system> $MIGuid = '0fff8f4e-xxxx-xxxx-xxxx-xxxxxxxxxxx'
PS /home/system> $MI = Get-AzureADServicePrincipal -ObjectId $MIGuid
PS /home/system> $MDEAppId = 'fc780465-2017-40d4-a0c5-307022471b92'
PS /home/system> $PermissionName = 'Machine.Scan'
PS /home/system> $MDEServicePrincipal = Get-AzureADServicePrincipal -Filter 'appId eq '$MDEAppId''
Get-AzureADServicePrincipal: A positional parameter cannot be found that accepts argument 'fc780465-2017-40d4-a0c5-307022471b92'.

Regards,

HA

0 Likes
Reply
keenanbrooks

‎Feb 03 2024 04:38 AM - edited ‎Feb 03 2024 04:44 AM

‎Feb 03 2024 04:38 AM - edited ‎Feb 03 2024 04:44 AM

Re: Azure Sentinel - Run Antivirus Scan using Logic App

Looks like '$MDEAppId'' in $MDEServicePrincipal should just be '$MDEAppId' delete one of the ' and try running it once more?

0 Likes
Reply
HA13029

‎Feb 03 2024 04:54 AM

‎Feb 03 2024 04:54 AM

Re: Azure Sentinel - Run Antivirus Scan using Logic App

Hello,
Thanks for your help.
I don't think it's the issue....
If I run the command 'Get-AzureADServicePrincipal', I got a list of AppId but none of them match the ID fc780465-2017-40d4-a0c5-307022471b92...

Regard,

HA
0 Likes
Reply
keenanbrooks

‎Feb 03 2024 05:05 AM - edited ‎Feb 03 2024 05:21 AM

‎Feb 03 2024 05:05 AM - edited ‎Feb 03 2024 05:21 AM

Re: Azure Sentinel - Run Antivirus Scan using Logic App

Hi,

I meant run all the code again from the prerequisites.

$MIGuid = 'Enter your managed identity guid here'

$MI = Get-AzureADServicePrincipal -ObjectId $MIGuid

$MDEAppId = 'fc780465-2017-40d4-a0c5-307022471b92'

$PermissionName = 'Machine.Scan'

$MDEServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$MDEAppId'"

$AppRole = $MDEServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains 'Application'}

New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId ` -ResourceId $MDEServicePrincipal.ObjectId -Id $AppRole.Id $PermissionName = 'Machine.Read.All'

$AppRole = $MDEServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains 'Application'}

New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId ` -ResourceId $MDEServicePrincipal.ObjectId -Id $AppRole.Id $PermissionName = 'Machine.ReadWrite.All'

$AppRole = $MDEServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains 'Application'}

New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId ` -ResourceId $MDEServicePrincipal.ObjectId -Id $AppRole.Id

I've made the fix I believe will resove your issue in the above code, before running that please do connect-azuread first, and make sure to enter your managed identity on the first line. To do that click into the playbook, select identity under settings, and copy and paste the Object ID. Make sure to keep the ' ' and enter the object ID in between.

0 Likes
Reply
HA13029

‎Feb 03 2024 08:14 AM

‎Feb 03 2024 08:14 AM

Re: Azure Sentinel - Run Antivirus Scan using Logic App

Hi,

PS /home/system> Connect-AzureAD
PS /home/system> $MIGuid = '0fff8f4e-xxxx-xxxxx-xxxx-xxxxxxxxxxxx'
PS /home/system> $MI = Get-AzureADServicePrincipal -ObjectId $MIGuid
PS /home/system> $MDEAppId = 'fc780465-2017-40d4-a0c5-307022471b92'
PS /home/system> $PermissionName = 'Machine.Scan'
PS /home/system> $MDEServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$MDEAppId'"
PS /home/system> $AppRole = $MDEServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains 'Application'}
PS /home/system> New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId ` -ResourceId $MDEServicePrincipal.ObjectId -Id $AppRole.Id $PermissionName = 'Machine.Read.All'
New-AzureADServiceAppRoleAssignment: A positional parameter cannot be found that accepts argument 'Machine.Scan'.
PS /home/system> $AppRole = $MDEServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains 'Application'}
PS /home/system> New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId ` -ResourceId $MDEServicePrincipal.ObjectId -Id $AppRole.Id $PermissionName = 'Machine.ReadWrite.All'
New-AzureADServiceAppRoleAssignment: A positional parameter cannot be found that accepts argument 'Machine.Scan'.
PS /home/system> $AppRole = $MDEServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains 'Application'}
PS /home/system> New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId ` -ResourceId $MDEServicePrincipal.ObjectId -Id $AppRole.Id
New-AzureADServiceAppRoleAssignment: Error occurred while executing NewServicePrincipalAppRoleAssignment
Code: Request_BadRequest
Message: Permission being assigned already exists on the object
RequestId: 0870e06a-e213-4266-9988-9cca542bf5e3
DateTimeStamp: Sat, 03 Feb 2024 16:11:01 GMT
Details: PropertyName - None, PropertyErrorCode - InvalidUpdate
HttpStatusCode: BadRequest
HttpStatusDescription: Bad Request
HttpResponseStatus: Completed

PS: I run the code twice...

Regards,

HA
0 Likes
Reply
best response confirmed by HA13029 (Copper Contributor)
keenanbrooks

‎Feb 03 2024 12:17 PM - edited ‎Feb 03 2024 12:30 PM

‎Feb 03 2024 12:17 PM - edited ‎Feb 03 2024 12:30 PM

Solution

Re: Azure Sentinel - Run Antivirus Scan using Logic App

Hey @HA01329.

So your managed identity will have Scan permissions now. There's an issue with the PowerShell and the $PermissionName variable (line 3) is what needs to be changed to fix the other two perm assignments.

My PowerShell isn't that good so we are going to take the noob way out. Run the code two more times and change line 3 from $PermissionName = 'Machine.Scan' to $PermissionName = 'Machine.Read.All' on run 1 and $PermissionName = 'Machine.ReadWrite.All' on run 2.

This will flag errors but when you view the managed identity it will then have all permissions required. I will probably get giggled at for the above but its a workaround until I look into PowerShell more!

(I had a quick look into the perms, and Machine.Scan should include the read perms anyway and Machine.ReadWrite.All shouldn't be needed as I don't believe the logic app includes tagging etc? So this logic app/playbook should now work without you running the code 2 more times for the extra perms, but to leave out any doubts and link with the prereqs I've included the work around anyway)

Have a good weekend :)

0 Likes
Reply
HA13029

‎Feb 04 2024 11:45 PM

‎Feb 04 2024 11:45 PM

Re: Azure Sentinel - Run Antivirus Scan using Logic App

Hi,

I followed your advices and add one more permissions (Alert.ReadWrite.All) and ... IT WORKS !!
The Logic app triggers AV scan on the target computer.
Many thanks for your help !!

Regards,

HA


0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by HA13029 (Copper Contributor)
keenanbrooks

‎Feb 03 2024 12:17 PM - edited ‎Feb 03 2024 12:30 PM

‎Feb 03 2024 12:17 PM - edited ‎Feb 03 2024 12:30 PM

Solution

Re: Azure Sentinel - Run Antivirus Scan using Logic App

Hey @HA01329.

So your managed identity will have Scan permissions now. There's an issue with the PowerShell and the $PermissionName variable (line 3) is what needs to be changed to fix the other two perm assignments.

My PowerShell isn't that good so we are going to take the noob way out. Run the code two more times and change line 3 from $PermissionName = 'Machine.Scan' to $PermissionName = 'Machine.Read.All' on run 1 and $PermissionName = 'Machine.ReadWrite.All' on run 2.

This will flag errors but when you view the managed identity it will then have all permissions required. I will probably get giggled at for the above but its a workaround until I look into PowerShell more!

(I had a quick look into the perms, and Machine.Scan should include the read perms anyway and Machine.ReadWrite.All shouldn't be needed as I don't believe the logic app includes tagging etc? So this logic app/playbook should now work without you running the code 2 more times for the extra perms, but to leave out any doubts and link with the prereqs I've included the work around anyway)

Have a good weekend :)

View solution in original post

0 Likes
Reply