Azure / Azure-Sentinel

Cloud-native SIEM for intelligent security analytics for your entire enterprise.
https://azure.microsoft.com/en-us/services/azure-sentinel/
MIT License
4.61k stars 3.03k forks

AWS Security Hub Integration with Sentinel "Authentication Issue" #11165

Open Mandar16161 opened 1 month ago

Mandar16161 commented 1 month ago

Describe the bug: Deploying the AWS Security Hub connector gives an AAD authentication-related issue when it is test-run in the function app. (screenshot attached)


Expected behavior: The steps were followed as described in the document; the managed identity should have authenticated, but it is failing while running.

Screenshots: (screenshot attached)


v-rusraut commented 1 month ago

Hi @Mandar16161, We have been able to reproduce this issue and found that the error occurred due to an incorrect ClientID value. Please check the attached document to add the correct ClientID value in the function app configuration.

(attachment: FunctionsAppConfiguration.docx) Please let us know whether your issue has been resolved or not. Thanks

v-rusraut commented 1 month ago

Hi @Mandar16161, We are waiting for your response.

Mandar16161 commented 1 month ago

Hi @v-rusraut i am not able to access the document shared by you.

v-rusraut commented 1 month ago

Hi @Mandar16161, Please refer below steps

• Open the Azure portal and search for 'Microsoft Entra ID' (screenshot attached)

• Click on Enterprise applications (screenshot attached)

• Type your function app name in the search textbox and copy the Application ID (screenshot attached)

• Open the function app -> Settings -> Environment variables -> App settings -> click on Client ID, paste the Application ID and click Apply. (screenshot attached)

• After that, restart the function app (screenshot attached)

v-rusraut commented 1 month ago

Hi @Mandar16161, We are waiting for your response.

Mandar16161 commented 1 month ago

Hi @v-rusraut, I have passed the solution you provided to the team and am waiting for their response; will keep you posted.

Mandar16161 commented 1 month ago

@v-rusraut please let me know: did you assign any RBAC role to the managed identity during the deployment?

v-rusraut commented 1 month ago

Hi @Mandar16161, no role was assigned during deployment. What error are you getting now?

Mandar16161 commented 1 month ago

Same issue; we had the client ID in place already.

Mandar16161 commented 1 month ago

(screenshot attached) This is the error.

Mandar16161 commented 1 month ago

(screenshot attached)

Mandar16161 commented 1 month ago

(screenshot attached)

rcscoggin commented 1 month ago

We are having the same exact issue. The ClientID is correct; we have verified it multiple times.

rcscoggin commented 1 month ago

(screenshot 2024-10-02_11-58-02 attached)

Mandar16161 commented 1 month ago

Hi @rcscoggin, at line 75 add `credential = ManagedIdentityCredential(client_id=client_id)`; it should resolve the issue. There are also numerous other errors once you solve this one; the code needs to be rechecked by the developer.

v-rusraut commented 1 month ago

Hi @Mandar16161, which new error you are getting now?

Mandar16161 commented 1 month ago

Hi @v-rusraut, the last change made to the code was `Audience='https://sts.amazonaws.com/'` on line 155 in Visual Studio, but it did not run successfully.

v-rusraut commented 1 month ago

Hi @Mandar16161, Please provide more details about the error.

v-rusraut commented 1 month ago

(quoting screenshot 2024-10-02_11-58-02)

Hi @rcscoggin, Please deploy the function app and share the invocation logs.

rcscoggin commented 1 month ago

@v-rusraut I don't have any changes in place nor do I see an update in the code on the repo, just the current branch. Would probably be better for @Mandar16161 to share his logs with his new error after fixing line 75 then another log after modifying 155.

v-rusraut commented 1 month ago

Hi @Mandar16161, We are waiting for your response, please provide more details about the current error.

Mandar16161 commented 1 month ago

Hi, we have currently stopped testing due to too many errors; we are coordinating with the Microsoft team to get a resolution on this.

v-rusraut commented 1 month ago

Hi @Mandar16161, as you mentioned you are coordinating with the Microsoft Team for this, can we close this issue, or do you still need support?

rcscoggin commented 1 month ago

Hi, end user of the solution here. We still have the original issue. We reached out to Microsoft and they said they do not support this code and to contact the authors of the code for resolution. I would ask you not to close the issue, as we would have to open another one. We are still getting the original error that Mandar16161 is getting. Thanks.

v-rusraut commented 1 month ago

Hi @rcscoggin, we received a response from @sreedharande indicating that the error you're encountering is due to incorrect AWS-side configuration. Please refer to the following section of the README file for the AWS-side configuration: https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AWS-SecurityHubFindings/README.md#aws (screenshot attached)

rcscoggin commented 1 month ago

@v-rusraut right, we are not new users of this and have deployed the connector many times over the past years. We have triple-checked the AWS settings. What we are NOT seeing are any entries in the sign-in logs for the managed identity, indicating the code never attempts to properly authenticate. We had troubleshot down to the same point: the ManagedIdentityCredential call may be suspect.

Please, confirm on your side that the managed identity would have some entry in the signin logs for a failed attempt since that would happen BEFORE it would attempt to use the AWS api hence resulting in some evidence of the Azure authentication code having been able to at least attempt an authentication.

Thanks, Rodger

v-rusraut commented 1 month ago

Hi @sreedharande , please help on this issue.

Mandar16161 commented 1 month ago

Hi @v-rusraut we are still not able to resolve the issue, @sreedharande your support on this would be appreciated.

rcscoggin commented 2 weeks ago

@v-rusraut @sreedharande any updates on this issue? Still receiving the following error, and the identity associated with the function app shows no attempts to AuthN.

11/5/2024, 12:40:00 PM  Information  Authenticating to Azure AD.
11/5/2024, 12:40:00 PM  Information  ManagedIdentityCredential will use App Service managed identity
11/5/2024, 12:40:00 PM  Information  No environment configuration found.
11/5/2024, 12:40:00 PM  Information  ManagedIdentityCredential will use App Service managed identity
11/5/2024, 12:40:00 PM  Information  Request URL: 'http://localhost:8081/msi/token?api-version=REDACTED&resource=REDACTED' Request method: 'GET' Request headers: 'X-IDENTITY-HEADER': 'REDACTED' 'User-Agent': 'azsdk-python-identity/1.15.0 Python/3.9.17 (Linux-5.10.102.2-microsoft-standard-x86_64-with-glibc2.28)' No body was attached to the request
11/5/2024, 12:40:10 PM  Information  Response status: 500 Response headers: 'Content-Type': 'application/json; charset=utf-8' 'Date': 'Tue, 05 Nov 2024 17:40:10 GMT' 'Server': 'Kestrel' 'Transfer-Encoding': 'chunked' 'X-CORRELATION-ID': 'REDACTED'
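The invocation log above shows what ManagedIdentityCredential actually does on App Service: it sends a GET to the local identity endpoint (`http://localhost:8081/msi/token`, taken from the IDENTITY_ENDPOINT environment variable) with the per-instance IDENTITY_HEADER secret echoed back as X-IDENTITY-HEADER, and a `client_id` query parameter when a user-assigned identity is selected. The function's own code never contacts login.microsoftonline.com directly, so a 4xx or 5xx here is the verdict of that local endpoint. The following is an added example, not code from the Azure-Sentinel repository or the connector's function app: it rebuilds that request with the standard library and runs it against a constructed stub endpoint (the secret, the known client ID and the resource name that triggers a 500 are all made up for the example) so that the 200, 400 and 500 outcomes can be seen side by side.

```python
# Added example (not from the Azure-Sentinel repo): reproduce offline the token
# request ManagedIdentityCredential makes to the App Service identity endpoint,
# plus a constructed stub endpoint that answers 200, 400 and 500.
import json
import os
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

API_VERSION = "2019-08-01"  # api-version of the App Service identity endpoint


def build_msi_request(resource, client_id=None, env=None):
    """Return (url, headers) for the token request.

    App Service injects IDENTITY_ENDPOINT and IDENTITY_HEADER into the app's
    environment; the header value must be echoed back as X-IDENTITY-HEADER.
    client_id selects a user-assigned identity (what
    ManagedIdentityCredential(client_id=...) sends); omit it for the
    system-assigned identity.
    """
    env = os.environ if env is None else env
    params = {"api-version": API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    url = env["IDENTITY_ENDPOINT"] + "?" + urllib.parse.urlencode(params)
    return url, {"X-IDENTITY-HEADER": env["IDENTITY_HEADER"]}


def get_msi_token(resource, client_id=None, env=None):
    """Call the endpoint; return {'status', 'token', 'error'} for inspection."""
    url, headers = build_msi_request(resource, client_id, env)
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            body = json.loads(resp.read())
            return {"status": resp.status, "token": body.get("access_token"), "error": None}
    except urllib.error.HTTPError as err:
        # The failure is reported by the local identity endpoint itself.
        return {"status": err.code, "token": None, "error": err.read().decode(errors="replace")}


class StubIdentityEndpoint(BaseHTTPRequestHandler):
    """Constructed stand-in for the App Service identity endpoint (not the real
    service): one shared secret, one known user-assigned identity, and one
    resource name that makes it fail with 500."""
    SECRET = "stub-identity-header-secret"                    # constructed
    KNOWN_CLIENT_ID = "11111111-2222-3333-4444-555555555555"  # constructed
    FAILING_RESOURCE = "urn:stub:internal-failure"            # constructed trigger

    def do_GET(self):
        query = urllib.parse.parse_qs(urllib.parse.urlparse(self.path).query)
        resource = query.get("resource", [""])[0]
        client_id = query.get("client_id", [None])[0]
        if self.headers.get("X-IDENTITY-HEADER") != self.SECRET:
            self._reply(401, {"error": "missing or wrong X-IDENTITY-HEADER"})
        elif client_id and client_id != self.KNOWN_CLIENT_ID:
            self._reply(400, {"error": "no user-assigned identity with that client_id"})
        elif resource == self.FAILING_RESOURCE:
            self._reply(500, {"error": "identity endpoint internal error"})
        else:
            self._reply(200, {"access_token": "stub-token-for-" + resource,
                              "token_type": "Bearer", "resource": resource,
                              "client_id": client_id or "system-assigned"})

    def _reply(self, code, body):
        data = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # silence the stub's access log
        pass


def start_stub():
    """Start the stub on a free port; return (server, env) for the client side."""
    server = HTTPServer(("127.0.0.1", 0), StubIdentityEndpoint)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    env = {"IDENTITY_ENDPOINT": "http://127.0.0.1:%d/msi/token" % server.server_port,
           "IDENTITY_HEADER": StubIdentityEndpoint.SECRET}
    return server, env


def demo():
    """Exercise the outcomes a practitioner should recognise in invocation logs."""
    server, env = start_stub()
    try:
        good = get_msi_token("https://management.azure.com/",
                             StubIdentityEndpoint.KNOWN_CLIENT_ID, env)
        wrong_id = get_msi_token("https://management.azure.com/",
                                 "99999999-0000-0000-0000-000000000000", env)
        failed = get_msi_token(StubIdentityEndpoint.FAILING_RESOURCE, None, env)
    finally:
        server.shutdown()
    return good["status"], wrong_id["status"], failed["status"]


if __name__ == "__main__":
    print(demo())  # (200, 400, 500)
```

Running the block prints the three status codes. When debugging a real function app, the same request can be issued from the app's Kudu console with the live IDENTITY_ENDPOINT and IDENTITY_HEADER values, which separates "wrong client_id" (a 400 from the endpoint) from an endpoint-side failure (a 500 like the one in the log) before any AWS-side configuration is examined.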