IBM Security QRadar SOAR

Hello IBM SOAR community,

I am currently using the Azure AD functions from the app exchange :
https://exchange.xforce.ibmcloud.com/hub/extension/480d1fdc14d757d2c5a1e4765021f6be

Following the documentation, I have set up the app.config file to have the following:
- tenant_id
- client_id
- client_secret

Which all I found under my AD application and following this guide:
https://docs.lacework.com/onboarding/gather-the-required-azure-client-id-tenant-id-and-client-secret

I have also done the following steps (from the documentation);
- Configuring API permissions for the application (audit read ability)
- Granting admin consent for the directory
- Assigning the admin by adding the application to the assignment

Though, in the last step instead of using User Admin or Global Admin, my AD only have cloud Admin so I proceed using that step.

Unfortunately, I still get an error when using the list user function in the playbook. Any help in direction that I should approach this problem is appreciated.


------------------------------
Luqman Nur
Techlab
------------------------------

I manage to get it working by adding the [fn_azure_ad] on the app config, and the function can make API call to the Azure AD although the API call is not successful.
I have search the error and the guide is pointing out towards the API permissions (set the User.Read to true)

Which I already applied and still get the same error when request the user.

------------------------------
Luqman Nur
Techlab
------------------------------

Original Message:
Sent: Thu December 22, 2022 01:04 AM
From: Luqman Nur
Subject: Azure Active Directory Configuration - Problem with app.config

Hello IBM SOAR community,

I am currently using the Azure AD functions from the app exchange :
https://exchange.xforce.ibmcloud.com/hub/extension/480d1fdc14d757d2c5a1e4765021f6be

Following the documentation, I have set up the app.config file to have the following:
- tenant_id
- client_id
- client_secret

Which all I found under my AD application and following this guide:
https://docs.lacework.com/onboarding/gather-the-required-azure-client-id-tenant-id-and-client-secret

I have also done the following steps (from the documentation);
- Configuring API permissions for the application (audit read ability)
- Granting admin consent for the directory
- Assigning the admin by adding the application to the assignment

Though, in the last step instead of using User Admin or Global Admin, my AD only have cloud Admin so I proceed using that step.

Unfortunately, I still get an error when using the list user function in the playbook. Any help in direction that I should approach this problem is appreciated.


------------------------------
Luqman Nur
Techlab
------------------------------

Hi Luqman,

Good to know that you got your app.conf file properly configured, and the app running. This error seems to be generated from the Microsoft endpoint. What exactly are you trying to request here? Can you show us the exact request that you are trying to run? The error seem to point to an invalid object identifier "." (period). Can you check the request to see if the object that you are requesting has a period in it ?

Also, the permissions that you have granted are all "delegated permissions", which means a user will have to login on behalf of the application and provide his/her consent for these permissions. Did you do that? Although, I am not entirely sure if this has anything to do with permissions (scope) as there is no indication to that in the error message.

------------------------------
Calvin Wynne
------------------------------

Original Message:
Sent: Thu December 22, 2022 02:59 AM
From: Luqman Nur
Subject: Azure Active Directory Configuration - Problem with app.config

I manage to get it working by adding the [fn_azure_ad] on the app config, and the function can make API call to the Azure AD although the API call is not successful.
I have search the error and the guide is pointing out towards the API permissions (set the User.Read to true)

Which I already applied and still get the same error when request the user.

------------------------------
Luqman Nur
Techlab

Original Message:
Sent: Thu December 22, 2022 01:04 AM
From: Luqman Nur
Subject: Azure Active Directory Configuration - Problem with app.config

Hello IBM SOAR community,

I am currently using the Azure AD functions from the app exchange :
https://exchange.xforce.ibmcloud.com/hub/extension/480d1fdc14d757d2c5a1e4765021f6be

Following the documentation, I have set up the app.config file to have the following:
- tenant_id
- client_id
- client_secret

Which all I found under my AD application and following this guide:
https://docs.lacework.com/onboarding/gather-the-required-azure-client-id-tenant-id-and-client-secret

I have also done the following steps (from the documentation);
- Configuring API permissions for the application (audit read ability)
- Granting admin consent for the directory
- Assigning the admin by adding the application to the assignment

Though, in the last step instead of using User Admin or Global Admin, my AD only have cloud Admin so I proceed using that step.

Unfortunately, I still get an error when using the list user function in the playbook. Any help in direction that I should approach this problem is appreciated.


------------------------------
Luqman Nur
Techlab
------------------------------

Hi Calvin,

I am trying to request the list of user through the Azure AD function for the SOAR automation and want to test the function, which have the following parameters:

In which I write this following script:
- the ms_input limit
- the display and the username

From what I understand by the documentation of this function, that is the only configuration required to call the list of user. Also, what do you mean when user have to login on behalf  of the application?

Also since I am not doing any direct API request, I am not sure where the period come from.
I currently have access to the Azure AD admin and have given the permission to the application under the API permissions tab, which shows the following:

Is the following above is what you meant?

Is it possible that the error lies on the function, or within my configurations. Thanks

------------------------------
Luqman Nur
Techlab
------------------------------

Original Message:
Sent: Thu December 22, 2022 10:11 AM
From: Calvin Wynne
Subject: Azure Active Directory Configuration - Problem with app.config

Hi Luqman,

Good to know that you got your app.conf file properly configured, and the app running. This error seems to be generated from the Microsoft endpoint. What exactly are you trying to request here? Can you show us the exact request that you are trying to run? The error seem to point to an invalid object identifier "." (period). Can you check the request to see if the object that you are requesting has a period in it ?

Also, the permissions that you have granted are all "delegated permissions", which means a user will have to login on behalf of the application and provide his/her consent for these permissions. Did you do that? Although, I am not entirely sure if this has anything to do with permissions (scope) as there is no indication to that in the error message.

------------------------------
Calvin Wynne

Original Message:
Sent: Thu December 22, 2022 02:59 AM
From: Luqman Nur
Subject: Azure Active Directory Configuration - Problem with app.config

I manage to get it working by adding the [fn_azure_ad] on the app config, and the function can make API call to the Azure AD although the API call is not successful.
I have search the error and the guide is pointing out towards the API permissions (set the User.Read to true)

Which I already applied and still get the same error when request the user.

------------------------------
Luqman Nur
Techlab

Original Message:
Sent: Thu December 22, 2022 01:04 AM
From: Luqman Nur
Subject: Azure Active Directory Configuration - Problem with app.config

Hello IBM SOAR community,

I am currently using the Azure AD functions from the app exchange :
https://exchange.xforce.ibmcloud.com/hub/extension/480d1fdc14d757d2c5a1e4765021f6be

Following the documentation, I have set up the app.config file to have the following:
- tenant_id
- client_id
- client_secret

Which all I found under my AD application and following this guide:
https://docs.lacework.com/onboarding/gather-the-required-azure-client-id-tenant-id-and-client-secret

I have also done the following steps (from the documentation);
- Configuring API permissions for the application (audit read ability)
- Granting admin consent for the directory
- Assigning the admin by adding the application to the assignment

Though, in the last step instead of using User Admin or Global Admin, my AD only have cloud Admin so I proceed using that step.

Unfortunately, I still get an error when using the list user function in the playbook. Any help in direction that I should approach this problem is appreciated.


------------------------------
Luqman Nur
Techlab
------------------------------

Could you provide the documentation link please? i have issues with the permissions. thanks

------------------------------
Nikos Kalonikolaou
------------------------------

Original Message:
Sent: Thu December 22, 2022 01:04 AM
From: Luqman Nur
Subject: Azure Active Directory Configuration - Problem with app.config

Hello IBM SOAR community,

I am currently using the Azure AD functions from the app exchange :
https://exchange.xforce.ibmcloud.com/hub/extension/480d1fdc14d757d2c5a1e4765021f6be

Following the documentation, I have set up the app.config file to have the following:
- tenant_id
- client_id
- client_secret

Which all I found under my AD application and following this guide:
https://docs.lacework.com/onboarding/gather-the-required-azure-client-id-tenant-id-and-client-secret

I have also done the following steps (from the documentation);
- Configuring API permissions for the application (audit read ability)
- Granting admin consent for the directory
- Assigning the admin by adding the application to the assignment

Though, in the last step instead of using User Admin or Global Admin, my AD only have cloud Admin so I proceed using that step.

Unfortunately, I still get an error when using the list user function in the playbook. Any help in direction that I should approach this problem is appreciated.


------------------------------
Luqman Nur
Techlab
------------------------------