Azure / SimuLand

Understand adversary tradecraft and improve detection strategies
MIT License

M365 Defender Connector - Missing Consent - Invalid License #23

Open Cyb3rWard0g opened 3 years ago

Cyb3rWard0g commented 3 years ago

Testing in a new environment with M365 E5 licenses enabled. I believe I might be missing either a license to enable the Azure Sentinel data connector or maybe just a few settings in MDE to enable the connection with the SIEM.

[screenshot]

Cyb3rWard0g commented 3 years ago

Maybe? Testing.

[screenshot]

Cyb3rWard0g commented 3 years ago

Nope!

Cyb3rWard0g commented 3 years ago

mmm license is not recognized in Azure Sentinel?

[screenshot]

Cyb3rWard0g commented 3 years ago

In my tenant, this is what is failing:

https://github.com/OTRF/Azure-Sentinel2Go/blob/master/azure-sentinel/linkedtemplates/data-connectors/m365defender.json#L41-L71

Cyb3rWard0g commented 3 years ago

The Incidents connection was enabled properly via the UI:

[screenshot]

I got the following logs with network developer tools:

{
    "requests": [
        {
            "content": {
                "kind": "MicrosoftThreatProtection",
                "properties": {
                    "tenantId": "TENANT-ID",
                    "dataTypes": {
                        "incidents": {
                            "state": "enabled"
                        },
                        "alerts": {
                            "state": "disabled"
                        }
                    }
                },
                "id": null
            },
            "httpMethod": "PUT",
            "name": "NAME",
            "requestHeaderDetails": {
                "commandName": "Microsoft_Azure_Security_Insights."
            },
            "url": "https://management.azure.com/subscriptions/SUBSCRIPTION-ID/resourceGroups/RESOURCE-GROUP-NAME/providers/Microsoft.OperationalInsights/workspaces/AZ-DENTINEL-NAME/providers/Microsoft.SecurityInsights/dataConnectors/DATA-CONNECTOR-ID?api-version=2019-01-01-preview"
        }
    ]
}

{
    "requests": [
        {
            "content": {
                "kind": "MicrosoftDefenderAdvancedThreatProtection",
                "properties": {
                    "tenantId": "TENANT-ID",
                    "dataTypes": {
                        "alerts": {
                            "state": "enabled"
                        }
                    }
                }
            },
            "httpMethod": "PUT",
            "name": "NAME",
            "requestHeaderDetails": {
                "commandName": "Microsoft_Azure_Security_Insights."
            },
            "url": "https://management.azure.com/subscriptions/SUBSCRIPTION-ID/resourceGroups/RESOURCE-GROUP-NAME/providers/Microsoft.OperationalInsights/workspaces/AZ-DENTINEL-NAME/providers/Microsoft.SecurityInsights/dataConnectors/CONNECTOR-ID?api-version=2019-01-01-preview"
        },
        {
            "content": {
                "kind": "OfficeATP",
                "properties": {
                    "tenantId": "TENANT-ID",
                    "dataTypes": {
                        "alerts": {
                            "state": "enabled"
                        }
                    }
                },
                "id": "/subscriptions/SUBSCRIPTION-ID/resourceGroups/RESOURCE-GROUP-NAME/providers/Microsoft.OperationalInsights/workspaces/AZ-DENTINEL-NAME/providers/Microsoft.SecurityInsights/dataConnectors/OATP-ID",
                "etag": "TAG"
            },
            "httpMethod": "PUT",
            "name": "NAME",
            "requestHeaderDetails": {
                "commandName": "Microsoft_Azure_Security_Insights."
            },
            "url": "https://management.azure.com/subscriptions/SUBSCRIPTION-ID/resourceGroups/RESOURCE-GROUP-NAME/providers/Microsoft.OperationalInsights/workspaces/AZ-DENTINEL-NAME/providers/Microsoft.SecurityInsights/dataConnectors/OATP-ID?api-version=2019-01-01-preview"
        },
        {
            "content": {
                "kind": "AzureAdvancedThreatProtection",
                "properties": {
                    "tenantId": "TENANT-ID",
                    "dataTypes": {
                        "alerts": {
                            "state": "enabled"
                        }
                    }
                },
                "id": "/subscriptions/SUBSCRIPTION-ID/resourceGroups/RESOURCE-GROUP-NAME/providers/Microsoft.OperationalInsights/workspaces/AZ-DENTINEL-NAME/providers/Microsoft.SecurityInsights/dataConnectors/AATP-ID",
                "etag": "TAG"
            },
            "httpMethod": "PUT",
            "name": "NAME",
            "requestHeaderDetails": {
                "commandName": "Microsoft_Azure_Security_Insights."
            },
            "url": "https://management.azure.com/subscriptions/SUBSCRIPTION-ID/resourceGroups/RESOURCE-GROUP-NAME/providers/Microsoft.OperationalInsights/workspaces/AZ-DENTINEL-NAME/providers/Microsoft.SecurityInsights/dataConnectors/AATP-ID?api-version=2019-01-01-preview"
        },
        {
            "content": {
                "kind": "MicrosoftCloudAppSecurity",
                "properties": {
                    "dataTypes": {
                        "alerts": {
                            "state": "enabled"
                        },
                        "discoveryLogs": {
                            "state": "enabled"
                        }
                    },
                    "tenantId": "TENANT-ID"
                },
                "id": "/subscriptions/SUBSCRIPTION-ID/resourceGroups/RESOURCE-GROUP-NAME/providers/Microsoft.OperationalInsights/workspaces/AZ-DENTINEL-NAME/providers/Microsoft.SecurityInsights/dataConnectors/MCAS-ID",
                "etag": "TAG"
            },
            "httpMethod": "PUT",
            "name": "NAME",
            "requestHeaderDetails": {
                "commandName": "Microsoft_Azure_Security_Insights."
            },
            "url": "https://management.azure.com/subscriptions/SUBSCRIPTION-ID/resourceGroups/RESOURCE-GROUP-NAME/providers/Microsoft.OperationalInsights/workspaces/AZ-DENTINEL-NAME/providers/Microsoft.SecurityInsights/dataConnectors/MCAS-ID?api-version=2019-01-01-preview"
        }
    ]
}

It all looks good to me compared with the data connector file from above.

ReneRebsdorf commented 3 years ago

We had a similar problem. Activated the E5 preview, which made the license available under the same pane as the one you screenshotted. However, we still experience:

{
    "status": "Failed",
    "error": {
        "code": "InvalidLicense",
        "message": "Missing consent"
    }
}

I suspect it may be related to the template also trying to configure 'Advanced Hunting', which requires the M365 Defender preview connector - but not sure.

@Cyb3rWard0g : Were you able to resolve the issue?

julivanespi commented 2 years ago

@Cyb3rWard0g @ReneRebsdorf I am experiencing the same issue with postman.

{
    "error": {
        "code": "InvalidLicense",
        "message": "Missing consent"
    }
}

I assume that you both are using api-version=2020-01-01, correct? @ReneRebsdorf, the JSON response that you provided is slightly different.

I had tried this API back on 8/20/2021 when I was integrating the other Microsoft data connectors. I was able to connect O365 just fine.

ReneRebsdorf commented 2 years ago

@julivanespi Yes we are using the 2020-01-01 API. Our bicep template looks like this:

resource mdatp 'Microsoft.SecurityInsights/dataConnectors@2020-01-01' = {
  scope: logAnalytics
  name: 'mdatp'
  kind: 'MicrosoftDefenderAdvancedThreatProtection'
  properties: {
    tenantId: tenantId
    dataTypes: {
      alerts: {
        state: 'Enabled'
      }
    }
  }
}

Dabuek commented 2 years ago

+1 I am now having the same issues as this for the EnableDataConnector deployment - specifically:

[screenshot]

Cyb3rWard0g commented 2 years ago

This is the template we use, btw: https://github.com/OTRF/Microsoft-Sentinel2Go/blob/master/microsoft-sentinel/linkedtemplates/data-connectors/allConnectors.json

I use API version 2019-01-01-preview since that's what the portal was using when doing it manually. I just tested it again today and it worked fine:

[screenshot]

Cyb3rWard0g commented 2 years ago

@julivanespi @ReneRebsdorf @Dabuek are you still having issues with the data connectors?

ReneRebsdorf commented 2 years ago

@Cyb3rWard0g I'll make sure to test next week.

ReneRebsdorf commented 2 years ago

@Cyb3rWard0g

Strangely I am still unable to get it to work, tested using the following API versions:

Still gives error:

{
    "status": "Failed",
    "error": {
        "code": "InvalidLicense",
        "message": "Missing consent"
    }
}

If I enable the connector manually and run the code, I do not get the error, but this is not ideal for initial configuration, nor for dev environments.

The Bicep template is the same as in my reply from the 14th of December 2021 in this thread.

Is there perhaps something else you've been able to do, that resolved the issue for you?

f-bader commented 2 years ago

The same problem applies to the MicrosoftThreatProtection connector. As soon as you connect it through the UI it works fine, but before that a "License is invalid" error is thrown. This is regardless of the fact that MDE is licensed through Defender for Cloud.

Cyb3rWard0g commented 2 years ago

The weird thing is that it works sometimes and sometimes it doesn't. 🤔

f-bader commented 2 years ago

I contacted Microsoft support about this and they confirmed it is a current limitation but have no immediate solution.

The issue is related to an additional API call to the security API, that enables the Sentinel integration on the Defender end. As soon as this setting is enabled you can deploy without issue, but the bicep or arm deployment will fail if it is not set correctly.
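A small Python client, added here and not part of SimuLand or Sentinel2Go, that rebuilds the data-connector PUT the portal issued in the captured requests earlier in this thread and classifies the responses quoted above ("Missing consent" and "License is invalid", both with code InvalidLicense) as the Defender-side consent problem described in this comment. The ARM_TOKEN environment variable and the sample subscription, workspace and connector ids are assumptions.

```python
"""Added example: reproduce the Sentinel dataConnectors PUT and diagnose InvalidLicense."""
import json
import os
import urllib.error
import urllib.request

API_VERSION = "2019-01-01-preview"  # version seen in the captured portal requests

def connector_url(subscription_id, resource_group, workspace, connector_id, api_version=API_VERSION):
    """ARM resource URL of a Sentinel data connector, same shape as the captured 'url' field."""
    return (f"https://management.azure.com/subscriptions/{subscription_id}"
            f"/resourceGroups/{resource_group}/providers/Microsoft.OperationalInsights"
            f"/workspaces/{workspace}/providers/Microsoft.SecurityInsights"
            f"/dataConnectors/{connector_id}?api-version={api_version}")

def connector_body(kind, tenant_id, data_types):
    """PUT body: connector kind plus one {'state': ...} entry per data type (e.g. incidents, alerts)."""
    return {"kind": kind,
            "properties": {"tenantId": tenant_id,
                           "dataTypes": {name: {"state": state} for name, state in data_types.items()}}}

def classify_failure(status, body_text):
    """Return 'ok', 'consent-missing' (InvalidLicense in either message variant) or 'other'."""
    if 200 <= status < 300:
        return "ok"
    try:
        err = json.loads(body_text).get("error", {})
    except ValueError:
        return "other"
    # Per Microsoft support (quoted in the thread): InvalidLicense here means the
    # Sentinel integration has not been enabled on the Defender side yet.
    return "consent-missing" if err.get("code") == "InvalidLicense" else "other"

def put_connector(url, body, token):
    """Issue the PUT; returns (status, response text) without raising on HTTP errors."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="PUT",
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()

if __name__ == "__main__":
    token = os.environ.get("ARM_TOKEN")  # assumption: bearer token for management.azure.com
    url = connector_url("SUBSCRIPTION-ID", "RESOURCE-GROUP-NAME", "WORKSPACE-NAME", "CONNECTOR-ID")
    body = connector_body("MicrosoftThreatProtection", "TENANT-ID", {"incidents": "enabled", "alerts": "disabled"})
    if token:
        status, text = put_connector(url, body, token)
        print(status, classify_failure(status, text))
```

A "consent-missing" result is the case this thread is about: the deployment only succeeds after the connector has been enabled once through the portal.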

ReneRebsdorf commented 2 years ago

> I contacted Microsoft support about this and they confirmed it is a current limitation but have no immediate solution.
>
> The issue is related to an additional API call to the security API, that enables the Sentinel integration on the Defender end. As soon as this setting is enabled you can deploy without issue, but the bicep or arm deployment will fail if it is not set correctly.

I wonder if this call could be made using a deploymentScript?

Ugh, this sounds like things the backend should take care of for us. We declare what we need through a template, and the resource provider should take care of dependencies...

Cyb3rWard0g commented 2 years ago

> I contacted Microsoft support about this and they confirmed it is a current limitation but have no immediate solution.
>
> The issue is related to an additional API call to the security API, that enables the Sentinel integration on the Defender end. As soon as this setting is enabled you can deploy without issue, but the bicep or arm deployment will fail if it is not set correctly.

Hello @f-bader ! Thank you for the additional information. Do you remember who you talked to about it? I will send a private message to get more information and see if we could expedite something on our end. Thank you in advance!

sandeep5234 commented 2 years ago

MicrosoftThreatProtection {"error":{"code":"InvalidLicense","message":"License is invalid"}} 401

Getting the same error here. I am using api-version=2022-07-01-preview and deploying it using Invoke-AzRestMethod. Any update on this?

paggarwalmsft commented 1 year ago

Hi Team, any update on the same, as we are also facing the same problem:

MicrosoftAdvanceedThreatProtection {"error":{"code":"InvalidLicense","message":"License is invalid"}} 401

CloudGuardianMike commented 1 year ago

Any update on this? same error.

findajay commented 1 year ago

Same error while trying from Terraform (azurerm_sentinel_data_connector_microsoft_threat_protection):

securityinsight.DataConnectorsClient#CreateOrUpdate: Failure responding to request: StatusCode=401 -- Original Error: autorest/azure: Service returned an error. Status=401 Code="InvalidLicense" Message="License is invalid"

mezzofix commented 1 year ago

Same when deploying from Terraform. @Microsoft any clowns available in the MSFT circus to look at this?

Anyone with a workaround?

Kaloszer commented 1 year ago

Same here, Bicep template. This needs to be addressed; it blocks MSSPs from automating Sentinel data connector deployments.

AlfredSchreuder commented 9 months ago

@microsoft We also experience this issue for the following data connectors: 'MicrosoftThreatProtection' and 'MicrosoftDefenderAdvancedThreatProtection'. It seems that this issue is open for a long time and there is no solution still.

Same issues:

Next to this issue, I see almost no development on the data connectors API. Is there some news to be shared on how to enable data connectors in an automated way in the future, since it seems to be moving to Content Hub? It is hard to find any docs about how to deploy this, for example via Bicep!?

Also I have a question regarding the 'Tenant-based Microsoft Defender for Cloud (Preview)' data connector. We deploy this now via the GenericUI data connector kind, but this has no option to enable it via automation. Same as the question in the previous paragraph: how would this be made possible?

Kaloszer commented 6 months ago

@AlfredSchreuder

I have raised another support issue but got the same response: not supported...

https://github.com/Azure/Azure-Sentinel/issues/9986#issuecomment-2082325311