Configuration - Microsoft Entra ID

Configuring Playbook Connections

After deployment, create or validate the API connections in each deployed playbook. A logic app shows errors, and saving is disabled, until every connector it uses has been authorized.

[Screenshot: entra-config1.png]

API Connector Authorization

Connector                          Description
/recordedfutureidenti              Microsoft Power Platform connector
/RFI-CustomConnector               RecordedFuture-CustomConnector
/azureloganalyticsdatacollector    Azure Log Analytics Data Collector (authorized with the workspace ID and the workspace key, which is a shared secret; see "How to find Log Analytics Workspace key")
/azuremonitorlogs                  Azure Monitor Logs
/azuread                           Microsoft Entra ID Power Platform connectors
/azureadip                         Azure AD Identity Protection

Configuring Search Playbook Parameters

Search playbooks are configured through Logic App parameters, which you can view and set in the Logic App designer.

[Screenshot: entra-playbook1.png]

Playbook parameters for Search Playbooks:

You need to create a Microsoft Entra ID group and provide its Object ID as a parameter to the playbook. For more information, see the Microsoft Entra ID Groups documentation.

You need to create a Log Analytics workspace and provide its ID as a parameter to the playbook.

Recorded Future must authorize the organization_domain you search for; the authorized domains are tied to your API token and are set up when you request the token.

Note: Set lookup_lookback_days to cover at least as many days as search_lookback_days. Otherwise, Lookup can return empty results for compromised credentials that Search found.

Parameter
    Description

organization_domain
    Organization domain to search exposures for.

search_lookback_days
    Time range for Search: the number of days before today to search, entered as a negative number (e.g. "-14" searches the last 14 days).

malware_logs_log_analytics_custom_log_name
    Name of the Log Analytics custom log in which Malware Logs Search results are saved (must end with "_CL").

credential_dumps_log_analytics_custom_log_name
    Name of the Log Analytics custom log in which Credential Dumps Search results are saved (must end with "_CL").

active_directory_security_group_id
    Object ID of the Microsoft Entra ID group for users at risk. Create the group by hand beforehand (search for "Groups" in the service search at the top of the Azure Portal page). For more information, see the Microsoft Entra ID Groups documentation.

lookup_lookback_days
    Time range for Lookup: the number of days before today to search, entered as a negative number (e.g. "-14" searches the last 14 days). Make it cover at least as many days as search_lookback_days; otherwise Lookup can return empty results for compromised credentials that Search found.

lookup_results_log_analytics_custom_log_name
    Name of the Log Analytics custom log in which Lookup results are saved (must end with "_CL").

active_directory_domain
    Optional; leave empty if your Microsoft Entra ID domain is the same as your organization domain. If it differs, the search playbooks replace the domain of each compromised e-mail address with this value before searching for the matching user in Microsoft Entra ID. Example: compromised e-mail leaked@mycompany.com, Entra ID domain mycompany.onmicrosoft.com; set active_directory_domain = mycompany.onmicrosoft.com (the bare domain, without "@") and the playbooks search for leaked@mycompany.onmicrosoft.com. The Lookup playbook still uses the original e-mail address to look up the exposure data.

Playbook parameters for the "External use case" Search playbook are the same as for the "Workforce use case", except that the "External use case" does NOT need the credential_dumps_log_analytics_custom_log_name parameter.
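The constraints above (negative day counts, Lookup covering at least the Search window, "_CL" suffixes, a GUID for the group, a bare Entra ID domain) are easy to get wrong in the designer, and the playbook only fails at run time. The following is an added example, not code from the Recorded Future solution: a stand-alone check of a parameter set before you save it, plus the domain rewrite the search playbooks apply. Parameter names are the ones in the table; the GUID and domain values are constructed placeholders.

```python
import re
from typing import Optional

# Added example, not part of the Recorded Future solution. It checks the Search
# playbook parameters against the constraints stated in the table and shows the
# active_directory_domain rewrite. Sample GUID and domains are constructed.

GUID_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)

# Custom-log parameters each use case needs; the External use case has no
# credential dumps log.
CUSTOM_LOG_PARAMS = {
    "workforce": (
        "malware_logs_log_analytics_custom_log_name",
        "credential_dumps_log_analytics_custom_log_name",
        "lookup_results_log_analytics_custom_log_name",
    ),
    "external": (
        "malware_logs_log_analytics_custom_log_name",
        "lookup_results_log_analytics_custom_log_name",
    ),
}


def _lookback_days(params: dict, name: str, problems: list) -> Optional[int]:
    """Parse a lookback parameter; the designer expects a negative day count ("-14")."""
    raw = str(params.get(name, "")).strip()
    try:
        value = int(raw)
    except ValueError:
        problems.append(f"{name}: expected an integer day count such as -14, got {raw!r}")
        return None
    if value >= 0:
        problems.append(f"{name}: must be negative (days before today), got {value}")
    return abs(value)


def validate_search_parameters(params: dict, use_case: str = "workforce") -> list:
    """Return a list of problems; an empty list means the parameters are consistent."""
    problems = []

    if not params.get("organization_domain"):
        problems.append("organization_domain: required (and must be authorized on your API token)")

    group_id = str(params.get("active_directory_security_group_id", ""))
    if not GUID_RE.match(group_id):
        problems.append("active_directory_security_group_id: must be the group's Object ID (a GUID)")

    for name in CUSTOM_LOG_PARAMS[use_case]:
        log_name = str(params.get(name, ""))
        if not log_name.endswith("_CL"):
            problems.append(f"{name}: custom log names must end with _CL, got {log_name!r}")

    search = _lookback_days(params, "search_lookback_days", problems)
    lookup = _lookback_days(params, "lookup_lookback_days", problems)
    if search is not None and lookup is not None and lookup < search:
        problems.append(
            "lookup_lookback_days: must cover at least search_lookback_days, "
            "otherwise Lookup can return empty results for credentials Search found"
        )

    if str(params.get("active_directory_domain", "")).startswith("@"):
        problems.append("active_directory_domain: give the bare domain, without the leading '@'")
    return problems


def to_entra_upn(leaked_email: str, active_directory_domain: str) -> str:
    """Rewrite the leaked address's domain to the Entra ID domain, as the search
    playbooks do before looking the user up; an empty active_directory_domain leaves
    the address unchanged. The Lookup playbook still uses the original address."""
    if not active_directory_domain:
        return leaked_email
    local, sep, _old_domain = leaked_email.rpartition("@")
    if not sep or not local:
        raise ValueError(f"not an e-mail address: {leaked_email!r}")
    return f"{local}@{active_directory_domain.lstrip('@')}"


# Constructed sample parameters (placeholder GUID and domains).
SAMPLE_WORKFORCE_PARAMS = {
    "organization_domain": "mycompany.com",
    "search_lookback_days": "-14",
    "lookup_lookback_days": "-30",
    "malware_logs_log_analytics_custom_log_name": "RFI_MalwareLogs_CL",
    "credential_dumps_log_analytics_custom_log_name": "RFI_CredentialDumps_CL",
    "lookup_results_log_analytics_custom_log_name": "RFI_LookupResults_CL",
    "active_directory_security_group_id": "11111111-2222-3333-4444-555555555555",
    "active_directory_domain": "mycompany.onmicrosoft.com",
}

if __name__ == "__main__":
    for line in validate_search_parameters(SAMPLE_WORKFORCE_PARAMS) or ["parameters OK"]:
        print(line)
    print(to_entra_upn("leaked@mycompany.com", SAMPLE_WORKFORCE_PARAMS["active_directory_domain"]))
```

Run it against the values you intend to paste into the designer; every reported line corresponds to one of the caveats in the table. Pass use_case="external" for the External use case, which drops the credential dumps log check.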

Remove steps from the search playbooks if their actions are not valid for your use case. Some actions, such as confirming a user as risky (RFI-confirm-EntraID-risky-user, which uses the Azure AD Identity Protection connector), require additional licensing from Microsoft.

[Screenshot: entra-config2.png]

Run Playbooks

RFI-search-workforce-user and/or RFI-search-external-user run on a recurrence schedule. You can change the schedule or the interval on the playbook's Recurrence trigger in the Logic App designer.

[Screenshot: entra-config3.png]

Access Log Analytics Custom Logs

To see the Log Analytics custom logs:

  • From the Azure Portal, navigate to the Log Analytics workspaces service
  • Select the Log Analytics workspace in which you deployed the solution
  • In the left-side menu, click Logs, then expand the second left-side menu (the schema pane) and select Custom Logs

 

 

This content is confidential. Do not distribute or download content in a manner that violates your Recorded Future license agreement. Sharing this content outside of licensed Recorded Future users constitutes a breach of the terms and/or agreement and shall be considered a breach by your organization.