briandelmsft / STAT-Function

Azure Function for the Microsoft Sentinel Triage AssistanT (STAT)
https://aka.ms/mstat
MIT License

Update aadrisks.py #58

Closed piaudonn closed 6 months ago

piaudonn commented 6 months ago

Addressing #57

if any(d.get("Key") == "riskReasons" for d in add_info):

There are risks with no risk reasons (like Unlikely travel). If that's the case we skip the risk_reasons management.

Also, added the following default values in the current_account dictionary:

...
'RiskDetections': None,
'UserRiskDetectionCount':0
...

This is to address an issue if the function doesn't have the permission to call the riskDetections endpoint (missing IdentityRiskEvent.Read.All can happen after an update - well, it happened to me) but continues until it fails at

aadrisks_object.RiskDetectionTotalCount = sum(total['UserRiskDetectionCount'] for total in aadrisks_object.DetailedResults)

because UserRiskDetectionCount doesn't exist (instead of telling us it is a permission issue on the Graph API call).

piaudonn commented 6 months ago

@briandelmsft - my brain isn't working fully, just to let you know 🤯

briandelmsft commented 6 months ago

@piaudonn I added a default value for the risk reasons here: https://github.com/briandelmsft/STAT-Function/blob/314012c5a7871fc258c5f1fceff9ac11445ab29e/modules/aadrisks.py#L55-L56

Otherwise, if none of the risk events have a risk reason, the table will fail to build here as that column is expected: https://github.com/briandelmsft/STAT-Function/blob/314012c5a7871fc258c5f1fceff9ac11445ab29e/modules/aadrisks.py#L96

I also renamed the local user_risk_level to user_risk_detections to better reflect the data it was carrying.
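The two failure modes discussed in this thread (a detection with no riskReasons entry, and a riskDetections fetch that never returned because of a missing Graph permission) as an added, stand-alone example. This is not the project's aadrisks.py; the list-of-{"Key","Value"} shape of additionalInfo follows the check quoted in the PR, the field names and the "None" placeholder for a missing reason column are my own assumptions, and the sample detections are constructed.

```python
import json
from typing import Optional


def parse_additional_info(raw: Optional[str]) -> list[dict]:
    """Graph returns additionalInfo as a JSON string of {"Key", "Value"} pairs (assumed here);
    tolerate a missing field or malformed JSON by returning an empty list."""
    if not raw:
        return []
    try:
        parsed = json.loads(raw)
    except json.JSONDecodeError:
        return []
    return parsed if isinstance(parsed, list) else []


def risk_reasons(add_info: list[dict]) -> list[str]:
    """Return the riskReasons values, or [] when no such key exists (e.g. unlikelyTravel)."""
    if any(d.get("Key") == "riskReasons" for d in add_info):
        values = next(d.get("Value") for d in add_info if d.get("Key") == "riskReasons")
        return list(values) if isinstance(values, list) else [str(values)]
    return []


def summarize_account(upn: str, risk_level: str, detections: Optional[list[dict]]) -> dict:
    """Build one per-user row. Defaults are set first so a failed riskDetections call
    (detections is None) still yields the keys that later aggregation expects."""
    account = {"UserPrincipalName": upn, "UserRiskLevel": risk_level,
               "RiskDetections": None, "UserRiskDetectionCount": 0}
    if detections is None:
        return account
    rows = []
    for det in detections:
        reasons = risk_reasons(parse_additional_info(det.get("additionalInfo")))
        # Always emit the RiskReasons column so the results table can be built later.
        rows.append({"RiskEventType": det.get("riskEventType"),
                     "RiskReasons": ", ".join(reasons) if reasons else "None"})
    account["RiskDetections"] = rows
    account["UserRiskDetectionCount"] = len(rows)
    return account


def total_detection_count(results: list[dict]) -> int:
    """Sum per-user counts; .get keeps this safe even for rows built without the default."""
    return sum(acc.get("UserRiskDetectionCount", 0) for acc in results)


# Constructed sample: one detection with riskReasons, one (unlikelyTravel) without.
SAMPLE_DETECTIONS = [
    {"riskEventType": "anonymizedIPAddress",
     "additionalInfo": json.dumps([{"Key": "riskReasons", "Value": ["Tor exit node"]}])},
    {"riskEventType": "unlikelyTravel",
     "additionalInfo": json.dumps([{"Key": "userAgent", "Value": "Mozilla/5.0"}])},
]
```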