How to retrieve information on users and applications vulnerable to risk with API?
We are currently integrating Microsoft Security Insights into our application to strengthen Security monitoring capabilities. For alerts list report, found this API https://learn.microsoft.com/en-us/rest/api/securityinsights/incidents/list-alerts?view=rest-securityinsights-2024-03-01&tabs=HTTP
POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents/{incidentId}/alerts?api-version=2024-03-01
Our focus is to expand this functionality to include detailed reports on users and applications vulnerable to Security risks. Could someone help us on any available APIs or methods within Microsoft Security Insights or any other that can generate such reports?
PFB:
You can make use of Microsoft Graph Beta API to retrieve information on users and applications vulnerable to risk. Note that, you need to have "Microsoft Entra ID P2" license to use riskyUsers API.
I have below list of users vulnerable to risk in my Microsoft Entra ID tenant:
To get this risky users information, I ran below API requests in Graph Explorer by signing in with user having "Global Reader" role:
GET https://graph.microsoft.com/beta/identityProtection/riskyUsers?$filter=riskLevel eq microsoft.graph.riskLevel'medium'
Response:
Similarly, I have below application vulnerable to risk that can be found in "Risky workload identities" tab:
To get information regarding risky applications, make use of below API call:
GET https://graph.microsoft.com/beta/identityProtection/riskyServicePrincipals
Response:
References:
- Logic Apps: How to use create a new watchlist with data (raw content) module
- Count how many elements are in an array created by make_set in kusto language
- KQL: bag unpack json into single row
- How to retrieve information on users and applications vulnerable to risk with API?
- How do I search through the in Sentinel Workbooks stored queries?
- How to create a whitelist with two fields in KQL with a Watchlist?
- KQL: How to reference columns within a let query in the next query
- Logic Apps copy action gives: The managed identity used with this operation no longer exists. To continue, set up an identity or change the connection
- String function not parsing all characters
- Azure Sentinel: Logic App Playbook Code Migration to Another Tenant
- Does using Azure Whois api needs microsoft sentinel to be set up or it can be used stand alone
- KQL: Datetime conversion and use of min and max functions
- Is there a way to change the Playbook Settings in Microsoft Sentinel through Terraform
- KQL query construction with parameters and default values
- Azure Sentinel Incident Trigger in Logic Apps Automation Delay
- How to understand Microsoft Entra application required for log ingestion API
- KQL - How to enrich an event by matching an IP address to an IP range from a Sentinel Watchlist?
- Need help to understand if azure sentinel data connection solution is being built correctly
- TimeGenerated field not taking provided date
- Trying to parse non-uniform JSON arrays with KQL in Sentinel
- Is there a replace multiple / parse unicode in string function?
- How to change/upgrade the microsoft azure function app plan from consumption to premium under microsoft sentinel using GCP Data Connnector?
- Azure AKS in-container logs to Azure Logs/Azure Sentinel
- Using KQL and externaldata() operator to pull infromation from Azure storage account table
- Azure Sentinel: Be notified when a playbook run fails or playbook action is disconnected
- KQL - Aggregate on latest entry
- KQL: Check table of IPs against table of subnets
- Use KQL query to return a list of column names
- Store variable in Azure logic app to use in next run
- Full Outer join in KQL