
I'm using the Security Graph API to get alerts into a SIEM, and some of the alerts I get have very few details. Here is an example, with some information edited, but all fields are present:

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#security/alerts/$entity",
    "id": "df59a25b7179858f9d891672dee4e4a48b718fe9271e6867b20a998463b1a703",
    "azureTenantId": "a2c874c8-XXXX-XXXX-XXXX-fXXX56f81134",
    "azureSubscriptionId": null,
    "riskScore": null,
    "tags": [],
    "activityGroupName": null,
    "assignedTo": null,
    "category": "AnomalousToken",
    "closedDateTime": null,
    "comments": [],
    "confidence": null,
    "createdDateTime": "2022-01-05T20:52:18Z",
    "description": "Anomalous token indicates that there are abnormal characteristics in the token such as token duration and authentication from unfamiliar IP address",
    "detectionIds": [],
    "eventDateTime": "2022-01-04T12:26:36.1726686Z",
    "feedback": null,
    "incidentIds": [],
    "lastEventDateTime": null,
    "lastModifiedDateTime": "2022-01-05T22:47:28.909877Z",
    "recommendedActions": [],
    "severity": "medium",
    "sourceMaterials": [],
    "status": "newAlert",
    "title": "Anomalous Token",
    "vendorInformation": {
        "provider": "IPC",
        "providerVersion": null,
        "subProvider": null,
        "vendor": "Microsoft"
    },
    "alertDetections": [],
    "cloudAppStates": [],
    "fileStates": [],
    "hostStates": [],
    "historyStates": [],
    "investigationSecurityStates": [],
    "malwareStates": [],
    "messageSecurityStates": [],
    "networkConnections": [],
    "processes": [],
    "registryKeyStates": [],
    "securityResources": [],
    "triggers": [],
    "userStates": [
        {
            "aadUserId": "7b9b7027-XXXX-XXXX-bXXX-1XXXXXXX9e7",
            "accountName": "NicXXX.XXXXX",
            "domainName": "XXX.co.uk",
            "emailRole": "unknown",
            "isVpn": null,
            "logonDateTime": "2022-01-04T12:26:36.1726686Z",
            "logonId": null,
            "logonIp": "102.11.1.15",
            "logonLocation": "Accra, Greater Accra, GH",
            "logonType": null,
            "onPremisesSecurityIdentifier": null,
            "riskScore": null,
            "userAccountType": null,
            "userPrincipalName": "NicXXX.XXXXX@XXX.co.uk"
        }
    ],
    "uriClickSecurityStates": [],
    "vulnerabilityStates": []
}

In short, the only information I can see is that the user generated some "anomalous token" from some specific IP. But I'd like to see the hostname used, what the token details were, why it was anomalous, etc.
I can see similar, almost empty alerts about failed authentication attempts (Azure AD), suspicious mail forwarding rule creation (Exchange), etc., all without significant details. How can I get them? Or perhaps: how should I reconfigure Graph or the data sources to allow Graph to get access to the details?


1 Answer


I tried to reproduce your issue, but I also did not get details about the token and the hostname. Hopefully you are also getting partial content: a 206 error.

If successful, this method returns a 200 OK response code and an alert object in the response body. A 206 error code indicates that one or more batch operations failed when federated to their providers. The response will contain success/error data for each threat intelligence indicator from the individual providers. For more information, you can follow this Microsoft documentation.


I read several Microsoft documents and found that Anomalous Token belongs to the risk detection flags. Sign-in risk represents the probability that a given authentication request was not authorized by the identity owner.

These risks can be calculated in real time or offline using Microsoft's internal and external threat intelligence sources, including security researchers, law enforcement professionals, Microsoft's security teams and other trusted sources.

The Anomalous Token detection type is offline. This detection indicates that there are abnormal characteristics in the token, such as an unusual token lifetime or a token that is played from an unfamiliar location. This detection covers session tokens and refresh tokens.

Microsoft communicated the Anomalous Token detection plan in July 2021:

Azure AD Identity Protection now offers Anomalous Token detection. This feature can detect abnormal characteristics present in tokens, such as time active and authentication from an unfamiliar IP address.

Therefore, based on the conclusions above, I suggest you raise a Microsoft support request; I think they can help route it to Microsoft's security team.

answered 2022-01-12T07:20:50.823
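Added example, not code from the question or the answer: a small offline normalizer for alerts of the shape shown in the question. It flattens the one populated collection (`userStates`) into SIEM pivot fields, reports which entity collections came back empty so the ingest pipeline can tag the event as identity-only instead of mapping nulls, and maps the HTTP status of the alerts call to an ingest outcome using the 200/206 semantics the answer describes. The sample alert is a constructed, redacted copy of the question's JSON. The `risk_detection_filter` helper is an assumption on top of the answer's point that Anomalous Token is an Identity Protection risk detection: it assumes provider "IPC" alerts can be pivoted to `/identityProtection/riskDetections` by user ID and that the alert category maps to `riskEventType` by lower-casing its first letter; neither mapping is stated on the page.

```python
from typing import Any

# Constructed sample: a redacted copy of the alert shown in the question.
SAMPLE_ALERT: dict[str, Any] = {
    "id": "df59a25b7179858f9d891672dee4e4a48b718fe9271e6867b20a998463b1a703",
    "category": "AnomalousToken",
    "severity": "medium",
    "status": "newAlert",
    "eventDateTime": "2022-01-04T12:26:36.1726686Z",
    "vendorInformation": {"provider": "IPC", "vendor": "Microsoft"},
    "hostStates": [],
    "networkConnections": [],
    "processes": [],
    "userStates": [
        {
            "aadUserId": "7b9b7027-XXXX-XXXX-bXXX-1XXXXXXX9e7",
            "userPrincipalName": "NicXXX.XXXXX@XXX.co.uk",
            "logonIp": "102.11.1.15",
            "logonLocation": "Accra, Greater Accra, GH",
            "logonDateTime": "2022-01-04T12:26:36.1726686Z",
        }
    ],
}

# Entity collections of the v1.0 alert resource, as listed in the question's JSON.
ENTITY_COLLECTIONS = (
    "alertDetections", "cloudAppStates", "fileStates", "hostStates",
    "historyStates", "investigationSecurityStates", "malwareStates",
    "messageSecurityStates", "networkConnections", "processes",
    "registryKeyStates", "securityResources", "triggers", "userStates",
    "uriClickSecurityStates", "vulnerabilityStates",
)


def summarize_alert(alert: dict[str, Any]) -> dict[str, Any]:
    """Flatten one alert into the fields that are actually present.

    Collections that are absent or empty are reported under "missing" so the
    SIEM can tag the event as identity-only (no host/process context).
    """
    users = [
        {
            "upn": u.get("userPrincipalName"),
            "user_id": u.get("aadUserId"),
            "ip": u.get("logonIp"),
            "location": u.get("logonLocation"),
            "logon_time": u.get("logonDateTime"),
        }
        for u in alert.get("userStates") or []
    ]
    populated = [c for c in ENTITY_COLLECTIONS if alert.get(c)]
    missing = [c for c in ENTITY_COLLECTIONS if not alert.get(c)]
    return {
        "alert_id": alert.get("id"),
        "provider": (alert.get("vendorInformation") or {}).get("provider"),
        "category": alert.get("category"),
        "severity": alert.get("severity"),
        "event_time": alert.get("eventDateTime"),
        "users": users,
        "populated": populated,
        "missing": missing,
        "identity_only": populated == ["userStates"],
    }


def classify_status(status_code: int) -> str:
    """Map the HTTP status of GET /security/alerts to an ingest outcome.

    200: full alert object. 206: partial content, meaning at least one
    provider failed to return its share (as the answer states). Else: error.
    """
    if status_code == 200:
        return "ok"
    if status_code == 206:
        return "partial"
    return "error"


def risk_detection_filter(summary: dict[str, Any]) -> str:
    """Build an OData $filter for /identityProtection/riskDetections.

    ASSUMPTION (not from the page): provider "IPC" alerts are Identity
    Protection risk detections, and the alert category maps to riskEventType
    by lower-casing its first letter ("AnomalousToken" -> "anomalousToken").
    """
    user_id = summary["users"][0]["user_id"] if summary["users"] else None
    if not user_id:
        raise ValueError("alert carries no aadUserId to pivot on")
    category = summary["category"] or ""
    event_type = category[:1].lower() + category[1:]
    return f"userId eq '{user_id}' and riskEventType eq '{event_type}'"


if __name__ == "__main__":
    s = summarize_alert(SAMPLE_ALERT)
    print(s["identity_only"], s["missing"])
    print(classify_status(206), risk_detection_filter(s))
```

On the question's alert this yields `identity_only == True` with `userStates` as the only populated collection, which is exactly the situation the question describes: the alert itself carries no host, token or process entities, so any further detail has to come from the source that raised the detection rather than from the alert object.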