This article describes the high-risk user API integration using Logic Apps and RSA OAuth Client.
Configure RSA
Generate API Key (Using Legacy API Keys)
- Sign in to Cloud Administration Console and go to Platform > API Access Management.
- Under the Legacy API Keys section, expand Administration API Keys and click ADD.
- In the Administrator Role list, select Super Administrator and click Save & Download.
- Download the RSA ID Plus Admin Rest API Download file (v2.8.0 and later).
- Use the function in the GenerateJWTFromAdminApiKeySample class, together with the downloaded API Key file, to generate the Legacy API access token.
- Use the JWT as bearer token in the requests.
For more details, refer to Authentication for the Cloud Administration APIs.
Generate API Key (Using OAuth API Client)
- Click Platform > API Access Management.
- Click Add API Client against OAuth Clients.
- In the Client Type list, choose Admin API and click Next.
- Click Generate Key Pair.
  The Key Pair Generator window appears.
- In the Public Key section, click Autofill.
- Click Download and Finish.
- In the Access Token Lifetime field, enter a value in minutes and click Next Step.
- On the Permissions page, expand the Audit section and select the rsa.audit.admin and rsa.audit.user checkboxes.
- Click Save and Finish and click Publish Changes.
- Download the RSA ID Plus Admin Rest API Download file (v2.8.0 and later).
- Install the Python app (version 3.14) and add the location of Python to the environment path.
- Execute/install the following prerequisites (in cmd prompt).
pip install setuptools
python.exe -m pip install --upgrade pip
cd \rsa-securidaccess-rest-client-sdk-2.8.0\src\main\python\admin_api_cli
pip install python-jose
pip install python-dateutil
pip3 install requests
- Execute the following command to generate the token.
python.exe admin_api_cli -oauth -f <local path to downloaded key> -o generateToken -oiurl <oauth issue URL> -ocid <oauth client ID> -ocp "rsa.user.risky.manage,rsa.user.risky.read"
Where:
- local path to downloaded key: Local path to the downloaded jwk key file
- oauth issue URL: Copied from the CAS console
- oauth client ID: Copied from the CAS console
Note: Run python admin_api_cli --help from \rsa-securidaccess-rest-client-sdk-2.8.0\src\main\python\admin_api_cli for more information on the options available.
- Use the token generated as the bearer token for the requests.
Create Access Policy for High-Risk Users
- Navigate to Access > Policies.
- Click Add a Policy.
- Give a name to the policy and click Next Step.
- Select the identity source for the users and click Next Step.
- Enable or disable primary authentication, and then click Next Step.
- Under Access Details, select Conditional and click Add.
- In the Attributes drop-down list, select High-Risk User List and select the Value as True.
- Select an Action of your choice.
- Click Save and click Save and Finish.
- Click Publish Changes.
Configure Microsoft
Perform the following steps to configure Microsoft Sentinel as a High-Risk User API client to CAS.
Custom Tables
Create a custom table by following the steps in the Microsoft Sentinel as SIEM for RSA Admin Logs Using Logic Apps - RSA Ready Implementation Guide. Make changes to the columns as per your requirement. For more details, refer to the Microsoft documentation.
Logic App
- Log in to the Microsoft Azure tenant and select Logic Apps.
- Click Create, add the following details (we have selected the Consumption Multi-tenant plan), and then click Review + create > Create.
- Resource Group: Select the resource group.
- Region: Select your region (We have selected East US, and we use the same region across our deployments. For multi-region deployments, refer to the Microsoft documentation to confirm any changes.)
- Enable Log Analytics: Select Yes.
- Log Analytics workspace: Select your log analytics workspace.
- Workflow Type: Stateful
- Select the Logic App and then go to Development Tools > Logic app designer in the left pane.
- Design a workflow based on your requirements. We have designed a workflow as follows:
- Initialize the variable action.
- We have used an array to store the query result of the custom table.
- Multiple string variables: These are used to process the query result list. The final processed string needs the user emails, each followed by a comma (,).
- Use a string variable named addActionJSONString with the initial value as follows:
{"action": "add",
"users": [
- Run query and list results action of Azure Monitor Logs. In the Query field, provide your query.
  AdminUserName returns a list of user emails that will be added to the high-risk user list.
- For each action: append the query result to the array.
- Process the array using the String and the replace function.
- Append the final list of user emails separated by a comma (,) to addActionJSONString and append " ]} " to this.
- (Optional) Use the Compose action for logging purposes.
- Create an HTTP action and provide the following values:
- URL: https://<CAS tenant URL>/AdminInterface/restapi/v1/users/highrisk
- Method: PUT
- Headers:
- Content-Type: application/json
- Authorization: Bearer <token generated from RSA>
- Body: json(variables('addActionJSONString')) where addActionJSONString is the string variable storing the processed final string.
This populates the body with the JSON equivalent of the final processed string.
- Save the workflow and run it for testing. After a successful run, the High-Risk User attribute for users must be updated to Yes in CAS.
Note: If you are using the workflow to remove users from the high-risk user list, change the initial value of addActionJSONString to have remove instead of add. For more information, refer to Cloud Administration Add/Remove High-Risk User API.
To get the list of high-risk users, refer to Cloud Administration Retrieve High-Risk User List API Version 2.
The configuration is complete.
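The workflow above assembles the request body by string concatenation. The following sketch, an added example that is not part of the RSA or Microsoft material, builds the same body from query-result rows with a JSON encoder, drops values that are not email addresses, and prepares the PUT request without sending it. The plain-string shape of the users entries, the sample rows, and the function names are assumptions; confirm the entry format against the Add/Remove High-Risk User API reference.

```python
import json
import re
import urllib.request

# Conservative address check (assumption: ASCII mailbox names only).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def build_highrisk_body(rows, action="add", column="AdminUserName"):
    """Return (json_body, rejected) built from Log Analytics result rows."""
    if action not in ("add", "remove"):
        raise ValueError("action must be 'add' or 'remove'")
    users, rejected, seen = [], [], set()
    for row in rows:
        value = str(row.get(column) or "").strip()
        if not EMAIL_RE.fullmatch(value):
            rejected.append(value)          # never forwarded to the API
        elif value.lower() not in seen:     # de-duplicate case-insensitively
            seen.add(value.lower())
            users.append(value)
    if not users:
        raise ValueError("no valid users: skip the PUT instead of sending an empty list")
    # json.dumps handles quoting and separators, so a stray quote or comma in
    # the data cannot produce an invalid or altered body.
    return json.dumps({"action": action, "users": users}), rejected


def build_request(tenant_host, token, body):
    """Prepare (but do not send) the PUT described in the HTTP action."""
    url = f"https://{tenant_host}/AdminInterface/restapi/v1/users/highrisk"
    headers = {"Content-Type": "application/json",
               "Authorization": f"Bearer {token}"}
    return urllib.request.Request(url, data=body.encode(), headers=headers, method="PUT")


# Constructed sample rows, shaped like a "Run query and list results" output.
SAMPLE_ROWS = [
    {"AdminUserName": "alice@example.com"},
    {"AdminUserName": "Alice@example.com"},   # duplicate in a different case
    {"AdminUserName": 'bob"@example.com'},    # stray quote breaks concatenation
    {"AdminUserName": ""},                    # empty cell
    {"AdminUserName": "carol@example.com"},
]

if __name__ == "__main__":
    body, rejected = build_highrisk_body(SAMPLE_ROWS)
    print(body)
    print("rejected:", rejected)
```

Rejected values are returned rather than silently discarded so that they can be written to the workflow's log, in the same way as the optional Compose action.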