briandelmsft / SentinelAutomationModules

The Microsoft Sentinel Triage AssistanT (STAT) makes it easy to create incident triage automation in Microsoft Sentinel
MIT License

[QUESTION] STAT V2 AAD Risk Module 403 Forbidden #436

Closed. KSJHASJBX closed this issue 3 months ago.

KSJHASJBX commented 1 year ago

Hi,

Hope you are doing well. I have deployed STAT V2 according to the docs and ran the grantpermissions.ps1 script. It seems to work, but I keep on receiving a 403 Forbidden error in the AAD risk module. This is the output:

```json
{
  "statusCode": 400,
  "headers": {
    "Transfer-Encoding": "chunked",
    "Date": "Fri, 29 Sep 2023 13:52:50 GMT",
    "Content-Type": "application/json",
    "Content-Length": "1258"
  },
  "body": {
    "Error": "The API call to msgraph with path /v1.0/identityProtection/riskyUsers/21b3b6da-20e4-4751-ba82-7b268d028fb5 failed with status 403",
    "InvocationId": "57658876-e69d-42c7-8bba-aea7185450bd",
    "SourceError": {
      "status_code": 403,
      "reason": "Forbidden"
    },
    "Traceback": [
      "Traceback (most recent call last):\n",
      "  File \"/home/site/wwwroot/modules/init.py\", line 19, in main\n    return_data = coordinator.initiate_module(module_name=module_name, req_body=req_body)\n",
      "  File \"/home/site/wwwroot/shared/coordinator.py\", line 27, in initiate_module\n    return_data = aadrisks.execute_aadrisks_module(req_body)\n",
      "  File \"/home/site/wwwroot/modules/aadrisks.py\", line 28, in execute_aadrisks_module\n    user_risk_level = json.loads(rest.rest_call_get(base_object, api='msgraph', path=path).content)['riskLevel']\n",
      "  File \"/home/site/wwwroot/shared/rest.py\", line 109, in rest_call_get\n    raise STATError(f'The API call to {api} with path {path} failed with status {response.status_code}', source_error={'status_code': int(response.status_code), 'reason': str(response.reason)})\n",
      "classes.STATError: The API call to msgraph with path /v1.0/identityProtection/riskyUsers/21b3b6da-20e4-4751-ba82-7b268d028fb5 failed with status 403\n"
    ]
  }
}
```

The tenant only has a Microsoft 365 Business Premium license. Does this hinder calling the Graph API for the AAD risks module?

briandelmsft commented 1 year ago

Hi @KSJHASJBX unfortunately it does appear to be a license issue.

According to the docs for the risky users API, you need an AAD P2 license to call it and from what I see M365 Business Premium comes with P1, not P2.

https://learn.microsoft.com/en-us/graph/api/resources/riskyuser?view=graph-rest-beta

piaudonn commented 1 year ago

@briandelmsft I will update the doc to make sure it reflects this, just to make sure.

The V2 version should also make this a non-terminating error, or at least overwrite the error message when status_code is 403 to mention that it might be a license thing.
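The handling suggested in the comment above (treat a 403 from the riskyUsers endpoint as non-terminating and tell the operator to check licensing), written out as an added example. This is not STAT's own code: `STATError` and the `rest_get` callable are stand-ins for the project's `shared.rest` helpers, and `FakeResponse` plus the three simulated Graph responders are constructed so the block runs offline. The request path and the user GUID are the ones from the traceback in the issue.

```python
"""Treat a 403 from Graph /identityProtection/riskyUsers as a non-terminating result.

Added example, not STAT's own code. STATError and the rest_get callable stand in
for the project's shared.rest helpers; FakeResponse and the sample responders are
constructed for offline use.
"""
import json
from dataclasses import dataclass
from typing import Callable, Optional

# Path taken from the traceback in the issue; the GUID is the user's object id.
RISKY_USER_PATH = "/v1.0/identityProtection/riskyUsers/{user_id}"

# Appended to a 403 so the operator sees the two documented requirements for
# this endpoint: a P2 license in the tenant and the riskyUser read permission.
FORBIDDEN_HINT = (
    "Graph returned 403 Forbidden for riskyUsers. This endpoint requires a "
    "Microsoft Entra ID P2 license in the tenant and the IdentityRiskyUser.Read.All "
    "application permission (admin-consented) on the function's identity."
)


@dataclass
class FakeResponse:
    """Minimal stand-in for the requests.Response fields the handler reads."""
    status_code: int
    reason: str
    content: bytes = b""


class STATError(Exception):
    """Stand-in for classes.STATError: carries the upstream status and reason."""
    def __init__(self, message: str, source_error: Optional[dict] = None):
        super().__init__(message)
        self.source_error = source_error or {}


def get_user_risk(user_id: str, rest_get: Callable[[str], FakeResponse]) -> dict:
    """Look up a user's risk level, degrading gracefully on 403.

    Returns {"status": "ok" | "unavailable", "riskLevel": str, "message": str}.
    Any status other than 200 or 403 is still raised as STATError, since those
    usually mean a bug or an outage rather than a tenant setting.
    """
    path = RISKY_USER_PATH.format(user_id=user_id)
    response = rest_get(path)

    if response.status_code == 200:
        body = json.loads(response.content)
        return {"status": "ok", "riskLevel": body["riskLevel"], "message": ""}

    if response.status_code == 403:
        # Non-terminating: the playbook keeps running the other modules and the
        # message tells the operator what to check in the tenant.
        return {
            "status": "unavailable",
            "riskLevel": "unknown",
            "message": f"The API call to msgraph with path {path} failed with status 403. {FORBIDDEN_HINT}",
        }

    raise STATError(
        f"The API call to msgraph with path {path} failed with status {response.status_code}",
        source_error={"status_code": int(response.status_code), "reason": str(response.reason)},
    )


# Constructed Graph responders (no network) for the three cases that matter.

def graph_p1_tenant(path: str) -> FakeResponse:
    """Simulates a tenant without P2: Graph rejects the call with 403."""
    return FakeResponse(403, "Forbidden")


def graph_p2_tenant(path: str) -> FakeResponse:
    """Simulates a licensed tenant: a riskyUser object carrying a riskLevel."""
    body = {"id": path.rsplit("/", 1)[-1], "riskLevel": "medium", "riskState": "atRisk"}
    return FakeResponse(200, "OK", json.dumps(body).encode())


def graph_unknown_user(path: str) -> FakeResponse:
    """Simulates a user id that is not in the riskyUsers collection."""
    return FakeResponse(404, "Not Found")


if __name__ == "__main__":
    user = "21b3b6da-20e4-4751-ba82-7b268d028fb5"
    print(get_user_risk(user, graph_p1_tenant))
    print(get_user_risk(user, graph_p2_tenant))
```

Keeping the 404 and other unexpected codes terminating is deliberate: only the 403 has a known, operator-fixable cause on the tenant side, so only that one is downgraded to a result the rest of the playbook can consume.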

piaudonn commented 3 months ago

I updated the wiki to reflect the license requirements.