Update collectors

silverhack · Dec 22, 2023 · 70d0841 · 70d0841
1 parent d7fa2f8
commit 70d0841
Show file tree

Hide file tree

Showing 175 changed files with 7,177 additions and 5,614 deletions.
diff --git a/.../applications/Get-MonkeyADApplication.ps1 → .../applications/Get-MonkeyADApplication.ps1 b/.../applications/Get-MonkeyADApplication.ps1 → .../applications/Get-MonkeyADApplication.ps1
@@ -16,10 +16,10 @@
 function Get-MonkeyADApplication {
 <#
         .SYNOPSIS
-		Plugin to get azure apps from Azure AD
+		Collector to get azure apps from Microsoft Entra ID
 
         .DESCRIPTION
-		Plugin to get azure apps from Azure AD
+		Collector to get azure apps from Microsoft Entra ID
 
         .INPUTS
 
@@ -39,52 +39,62 @@ function Get-MonkeyADApplication {
 
 	[CmdletBinding()]
 	param(
-		[Parameter(Mandatory = $false,HelpMessage = "Background Plugin ID")]
-		[string]$pluginId
+		[Parameter(Mandatory = $false,HelpMessage = "Background Collector ID")]
+		[string]$collectorId
 	)
 	begin {
-		#Plugin metadata
+		#Collector metadata
 		$monkey_metadata = @{
 			Id = "aad0001";
-			Provider = "AzureAD";
-			Resource = "AzureAD";
+			Provider = "EntraID";
+			Resource = "EntraID";
 			ResourceType = $null;
 			resourceName = $null;
-			PluginName = "Get-MonkeyADApplication";
+			collectorName = "Get-MonkeyADApplication";
 			ApiType = "Graph";
-			Title = "Plugin to get azure apps from Azure AD";
-			Group = @("AzureAD");
+			description = "Collector to get azure apps from Microsoft Entra ID";
+			Group = @(
+				"EntraID"
+			);
 			Tags = @{
 				"enabled" = $true
 			};
-			Docs = "https://silverhack.github.io/monkey365/"
+			Docs = "https://silverhack.github.io/monkey365/";
+			ruleSuffixes = @(
+				"aad_app_registrations",
+				"aad_app_role_assignments",
+				"aad_user_consented_apps"
+			);
+			dependsOn = @(
+
+			);
 		}
 		#Get Environment
 		$Environment = $O365Object.Environment
 		#Get Azure Active Directory Auth
 		$AADAuth = $O365Object.auth_tokens.Graph
-        #Get Config
-        try{
-            $aadConf = $O365Object.internal_config.azuread.provider.graph
-        }
-        catch{
-            $msg = @{
-                MessageData = ($message.MonkeyInternalConfigError);
-                callStack = (Get-PSCallStack | Select-Object -First 1);
-                logLevel = 'verbose';
-                InformationAction = $O365Object.InformationAction;
-                Tags = @('Monkey365ConfigError');
-            }
-            Write-Verbose @msg
-            break
-        }
+		#Get Config
+		try {
+			$aadConf = $O365Object.internal_config.entraId.Provider.Graph
+		}
+		catch {
+			$msg = @{
+				MessageData = ($message.MonkeyInternalConfigError);
+				callStack = (Get-PSCallStack | Select-Object -First 1);
+				logLevel = 'verbose';
+				InformationAction = $O365Object.InformationAction;
+				Tags = @('Monkey365ConfigError');
+			}
+			Write-Verbose @msg
+			break
+		}
 		$all_role_assignments = @()
 		$all_apps = @()
 		$user_consent_apps = @()
 	}
 	process {
 		$msg = @{
-			MessageData = ($message.MonkeyGenericTaskMessage -f $pluginId,"Applications",$O365Object.TenantID);
+			MessageData = ($message.MonkeyGenericTaskMessage -f $collectorId,"Applications",$O365Object.TenantID);
 			callStack = (Get-PSCallStack | Select-Object -First 1);
 			logLevel = 'info';
 			InformationAction = $InformationAction;
@@ -99,7 +109,7 @@ function Get-MonkeyADApplication {
 			ContentType = 'application/json';
 			Method = "GET";
 			APIVersion = $aadConf.api_version;
-            InformationAction = $O365Object.InformationAction;
+			InformationAction = $O365Object.InformationAction;
 			Verbose = $O365Object.Verbose;
 			Debug = $O365Object.Debug;
 		}
@@ -151,9 +161,9 @@ function Get-MonkeyADApplication {
 					ContentType = 'application/json';
 					Method = "GET";
 					APIVersion = $aadConf.api_version;
-                    InformationAction = $O365Object.InformationAction;
-			        Verbose = $O365Object.Verbose;
-			        Debug = $O365Object.Debug;
+					InformationAction = $O365Object.InformationAction;
+					Verbose = $O365Object.Verbose;
+					Debug = $O365Object.Debug;
 				}
 				$owners = Get-MonkeyGraphObject @params
 				if ($owners) {
@@ -171,9 +181,9 @@ function Get-MonkeyADApplication {
 					ContentType = 'application/json';
 					Method = "GET";
 					APIVersion = $aadConf.api_version;
-                    InformationAction = $O365Object.InformationAction;
-			        Verbose = $O365Object.Verbose;
-			        Debug = $O365Object.Debug;
+					InformationAction = $O365Object.InformationAction;
+					Verbose = $O365Object.Verbose;
+					Debug = $O365Object.Debug;
 				}
 				$app_assigned_roles = Get-MonkeyGraphObject @params
 				if ($null -ne $app_assigned_roles) {
@@ -189,9 +199,9 @@ function Get-MonkeyADApplication {
 								ContentType = 'application/json';
 								Method = "GET";
 								APIVersion = $aadConf.api_version;
-                                InformationAction = $O365Object.InformationAction;
-			                    Verbose = $O365Object.Verbose;
-			                    Debug = $O365Object.Debug;
+								InformationAction = $O365Object.InformationAction;
+								Verbose = $O365Object.Verbose;
+								Debug = $O365Object.Debug;
 							}
 							$raw_app = Get-MonkeyGraphObject @params
 							if ($null -ne $raw_app) {
@@ -270,7 +280,7 @@ function Get-MonkeyADApplication {
 			ContentType = 'application/json';
 			Method = "GET";
 			APIVersion = $aadConf.api_version;
-            InformationAction = $O365Object.InformationAction;
+			InformationAction = $O365Object.InformationAction;
 			Verbose = $O365Object.Verbose;
 			Debug = $O365Object.Debug;
 		}
@@ -314,9 +324,9 @@ function Get-MonkeyADApplication {
 						ContentType = 'application/json';
 						Method = "GET";
 						APIVersion = $aadConf.api_version;
-                        InformationAction = $O365Object.InformationAction;
-			            Verbose = $O365Object.Verbose;
-			            Debug = $O365Object.Debug;
+						InformationAction = $O365Object.InformationAction;
+						Verbose = $O365Object.Verbose;
+						Debug = $O365Object.Debug;
 					}
 					$raw_app = Get-MonkeyGraphObject @params
 					$objectType = ("servicePrincipals/{0}" -f $grant.resourceId)
@@ -327,9 +337,9 @@ function Get-MonkeyADApplication {
 						ContentType = 'application/json';
 						Method = "GET";
 						APIVersion = $aadConf.api_version;
-                        InformationAction = $O365Object.InformationAction;
-			            Verbose = $O365Object.Verbose;
-			            Debug = $O365Object.Debug;
+						InformationAction = $O365Object.InformationAction;
+						Verbose = $O365Object.Verbose;
+						Debug = $O365Object.Debug;
 					}
 					$resource_app = Get-MonkeyGraphObject @params
 					if ($raw_app -and $resource_app -and $grant.Scope) {
@@ -356,7 +366,7 @@ function Get-MonkeyADApplication {
 	}
 	end {
 		if ($all_applications) {
-			$all_applications.PSObject.TypeNames.Insert(0,'Monkey365.AzureAD.app_registrations')
+			$all_applications.PSObject.TypeNames.Insert(0,'Monkey365.EntraID.app_registrations')
 			[pscustomobject]$obj = @{
 				Data = $all_applications;
 				Metadata = $monkey_metadata;
@@ -375,7 +385,7 @@ function Get-MonkeyADApplication {
 			Write-Verbose @msg
 		}
 		if ($all_role_assignments) {
-			$all_role_assignments.PSObject.TypeNames.Insert(0,'Monkey365.AzureAD.app_role_assignments')
+			$all_role_assignments.PSObject.TypeNames.Insert(0,'Monkey365.EntraID.app_role_assignments')
 			[pscustomobject]$obj = @{
 				Data = $all_role_assignments;
 				Metadata = $monkey_metadata;
@@ -395,7 +405,7 @@ function Get-MonkeyADApplication {
 		}
 		#Add user consented apps
 		if ($user_consent_apps) {
-			$user_consent_apps.PSObject.TypeNames.Insert(0,'Monkey365.AzureAD.app.user.consent')
+			$user_consent_apps.PSObject.TypeNames.Insert(0,'Monkey365.EntraID.app.user.consent')
 			[pscustomobject]$obj = @{
 				Data = $user_consent_apps;
 				Metadata = $monkey_metadata;
@@ -419,3 +429,6 @@ function Get-MonkeyADApplication {
 
 
 
+
+
+
diff --git a/collectors/aad/graph/audit/Get-MonkeyADAudit.ps1 b/collectors/aad/graph/audit/Get-MonkeyADAudit.ps1
@@ -0,0 +1,166 @@
+# Monkey365 - the PowerShell Cloud Security Tool for Azure and Microsoft 365 (copyright 2022) by Juan Garrido
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+function Get-MonkeyADAudit {
+<#
+        .SYNOPSIS
+		Collector extract audit logs from Microsoft Entra ID
+
+        .DESCRIPTION
+		Collector extract audit logs from Microsoft Entra ID
+
+        .INPUTS
+
+        .OUTPUTS
+
+        .EXAMPLE
+
+        .NOTES
+	        Author		: Juan Garrido
+            Twitter		: @tr1ana
+            File Name	: Get-MonkeyADAudit
+            Version     : 1.0
+
+        .LINK
+            https://github.com/silverhack/monkey365
+    #>
+
+	[CmdletBinding()]
+	param(
+		[Parameter(Mandatory = $false,HelpMessage = "Background Collector ID")]
+		[string]$collectorId
+	)
+	begin {
+		#Collector metadata
+		$monkey_metadata = @{
+			Id = "aad0002";
+			Provider = "EntraID";
+			Resource = "EntraID";
+			ResourceType = $null;
+			resourceName = $null;
+			collectorName = "Get-MonkeyADAudit";
+			ApiType = "Graph";
+			description = "Collector to extract audit logs from Microsoft Entra ID";
+			Group = @(
+				"EntraID"
+			);
+			Tags = @{
+				"enabled" = $true
+			};
+			Docs = "https://silverhack.github.io/monkey365/";
+			ruleSuffixes = @(
+				"aad_audit_logs"
+			);
+			dependsOn = @(
+
+			);
+		}
+		#Get Environment
+		$Environment = $O365Object.Environment
+		#Get Azure Active Directory Auth
+		$AADAuth = $O365Object.auth_tokens.Graph
+		#Set array
+		$formatted_events = @()
+	}
+	process {
+		$msg = @{
+			MessageData = ($message.MonkeyGenericTaskMessage -f $collectorId,"audit",$O365Object.TenantID);
+			callStack = (Get-PSCallStack | Select-Object -First 1);
+			logLevel = 'info';
+			InformationAction = $InformationAction;
+			Tags = @('AzureGraphAuditLog');
+		}
+		Write-Information @msg
+		try {
+			$enabled = [System.Convert]::ToBoolean($O365Object.internal_config.entraId.auditLog.enabled)
+			$DaysAgo = "{0:s}" -f (Get-Date).AddDays($O365Object.internal_config.entraId.auditLog.AuditLogDaysAgo) + "Z"
+		}
+		catch {
+			$enabled = $false
+			$DaysAgo = -15
+		}
+		$Query = 'activityDate gt {0}' -f $DaysAgo
+		if ($enabled) {
+			#Get audit log
+			$params = @{
+				Authentication = $AADAuth;
+				ObjectType = 'activities/audit';
+				Filter = $Query
+				Environment = $Environment;
+				ContentType = 'application/json';
+				Method = "GET";
+				APIVersion = "beta";
+				InformationAction = $O365Object.InformationAction;
+				Verbose = $O365Object.Verbose;
+				Debug = $O365Object.Debug;
+			}
+			#Get Audit Logs from Azure AAD
+			$all_events = Get-MonkeyGraphObject @params
+			#format events
+			if ($all_events) {
+				$msg = @{
+					MessageData = ($message.MonkeyResponseCountMessage -f $all_events.Count);
+					callStack = (Get-PSCallStack | Select-Object -First 1);
+					logLevel = 'info';
+					InformationAction = $InformationAction;
+					Tags = @('AzureGraphAuditLogCount');
+				}
+				Write-Information @msg
+				#Iterate over all events
+				foreach ($entry in $all_events) {
+					$entry.actor = $entry.actor.userPrincipalName
+					$entry | Add-Member -Type NoteProperty -Name targetResourceType -Value $entry.targets.targetResourceType
+					$entry | Add-Member -Type NoteProperty -Name targetobjectId -Value $entry.targets.objectId
+					$entry | Add-Member -Type NoteProperty -Name targetName -Value $entry.targets.Name
+					$entry | Add-Member -Type NoteProperty -Name targetUserPrincipalName -Value $entry.targets.userPrincipalName
+					$Changes = $entry.targets.modifiedProperties
+					$entry | Add-Member -Type NoteProperty -Name ChangeAttribute -Value (@($Changes.Name) -join ',')
+					$entry | Add-Member -Type NoteProperty -Name OldValue -Value (@($Changes.oldvalue) -join ',')
+					$entry | Add-Member -Type NoteProperty -Name NewValue -Value (@($Changes.newvalue) -join ',')
+					$formatted_events += $entry
+				}
+			}
+		}
+	}
+	end {
+		if ($formatted_events) {
+			$formatted_events = $formatted_events | Select-Object $AADConfig.AuditLogFilter
+			$formatted_events.PSObject.TypeNames.Insert(0,'Monkey365.AzureAAD.AuditLogs')
+			[pscustomobject]$obj = @{
+				Data = $formatted_events;
+				Metadata = $monkey_metadata;
+			}
+			$returnData.aad_audit_logs = $obj
+		}
+		else {
+			$msg = @{
+				MessageData = ($message.MonkeyEmptyResponseMessage -f "Audit Log",$O365Object.TenantID);
+				callStack = (Get-PSCallStack | Select-Object -First 1);
+				logLevel = "verbose";
+				InformationAction = $O365Object.InformationAction;
+				Tags = @('AzureGraphUsersEmptyResponse');
+				Verbose = $O365Object.Verbose;
+			}
+			Write-Verbose @msg
+		}
+	}
+}
+
+
+
+
+
+
+