Microsoft GraphAPI - Get Azure Ad Users and Sentinel Incidents
# -*- coding: utf-8 -*-
#
# Microsoft GraphAPI
# ------------------
# Get Azure Ad Users and Sentinel Incidents
#
# v0.1 - (C) 2024 by suuhm
#
import argparse
import os
from datetime import datetime

import msal
import requests
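# ------------------------------
# CONFIG: app registration IDs and credential.
# ------------------------------
# Read from the environment first so a real secret never has to be typed
# into (and later committed with) this file; the 'XXX' placeholders stay as a
# last-resort fallback for local editing. Grant the app registration only the
# application permissions the two Graph endpoints below need (confirm the
# exact permission names against the Graph docs) and keep admin consent to
# that minimum.
CLIENT_ID = os.environ.get("AZURE_CLIENT_ID", "XXX")
# NOTE(review): a client secret is a bearer credential — anyone who reads it
# can call Graph as this app. Prefer a certificate credential or a managed
# identity where available, and rotate the secret if it was ever pasted here.
CLIENT_SECRET = os.environ.get("AZURE_CLIENT_SECRET", "XXX")
TENANT_ID = os.environ.get("AZURE_TENANT_ID", "XXX")
# ------------------------------
# END CONFIG
# ------------------------------
# Tenant-specific token authority and the Graph resource scope; "/.default"
# requests whatever application permissions have been consented for the app.
AUTHORITY = f"https://login.microsoftonline.com/{TENANT_ID}"
SCOPE = ["https://graph.microsoft.com/.default"]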
# MSAL confidential client for the client-credentials flow; created once at
# import time so the functions below share a single instance.
app = msal.ConfidentialClientApplication(
    client_id=CLIENT_ID,
    client_credential=CLIENT_SECRET,
    authority=AUTHORITY,
)
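def acquire_token() -> str:
    """Return a Microsoft Graph bearer token obtained with the app's own credentials.

    Returns:
        The access token string from MSAL's ``acquire_token_for_client``.

    Raises:
        RuntimeError: if MSAL returned no access token. The message carries the
            AAD ``error`` code as well as ``error_description`` so the cause is
            visible even when the description is absent (the original printed
            ``None`` in that case). RuntimeError is an ``Exception`` subclass,
            so existing ``except Exception`` handlers still match.
    """
    result = app.acquire_token_for_client(scopes=SCOPE)
    token = result.get("access_token")
    if token:
        return token
    raise RuntimeError(
        "Error by call of Token: {} - {}".format(
            result.get("error"), result.get("error_description")
        )
    )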
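def get_ad_users() -> None:
    """Print display name and mail address of every user in the tenant.

    Follows ``@odata.nextLink`` so tenants with more users than fit in one
    Graph page are listed completely (the original stopped after the first
    page). On a non-200 response the status code and body are printed and the
    function returns without raising, as before.
    """
    token = acquire_token()
    headers = {"Authorization": "Bearer " + token}
    graph_endpoint = "https://graph.microsoft.com/v1.0/users"
    # Request only the two fields we print: smaller responses, and less
    # directory data pulled out of the tenant than Graph's default property set.
    params = {"$select": "displayName,mail"}
    while graph_endpoint:
        # A timeout keeps a stalled connection from hanging the script forever.
        response = requests.get(graph_endpoint, headers=headers, params=params, timeout=30)
        if response.status_code != 200:
            print("Error: {} - {}".format(response.status_code, response.text))
            return
        page = response.json()
        for user in page.get("value", []):
            # 'mail' is null for accounts without a mailbox; .get keeps that from
            # raising and prints None, as the original did.
            print("User: {} - Email: {}".format(user.get("displayName"), user.get("mail")))
        # nextLink already embeds the query string; don't re-append $select.
        graph_endpoint = page.get("@odata.nextLink")
        params = None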
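def get_sentinel_alerts(start_date: datetime, end_date: datetime) -> None:
    """Print id, title and status of security alerts created within a time range.

    Args:
        start_date: Inclusive lower bound; a naive datetime rendered with a
            trailing ``Z``, i.e. interpreted as UTC.
        end_date: Inclusive upper bound, same convention.

    Both bounds go into an OData ``$filter``. As called from ``main`` they are
    ``datetime`` objects produced by ``strptime``, never raw user strings, so
    the filter text cannot be altered by the caller's input.
    Follows ``@odata.nextLink`` so more than one page of alerts is listed;
    a non-200 response is printed and ends the listing, as before.
    """
    token = acquire_token()
    headers = {"Authorization": "Bearer " + token}
    fmt = "%Y-%m-%dT%H:%M:%S"
    query = {
        "$filter": "createdDateTime ge {}Z and createdDateTime le {}Z".format(
            start_date.strftime(fmt), end_date.strftime(fmt)
        )
    }
    # NOTE(review): /security/alerts is the legacy alerts resource; Graph also
    # exposes /security/alerts_v2 — confirm which one carries your Sentinel
    # alerts before relying on this listing.
    graph_endpoint = "https://graph.microsoft.com/v1.0/security/alerts"
    while graph_endpoint:
        # Timeout so a stalled Graph call cannot hang the script indefinitely.
        response = requests.get(graph_endpoint, headers=headers, params=query, timeout=30)
        if response.status_code != 200:
            print("Error: {} - {}".format(response.status_code, response.text))
            return
        page = response.json()
        for alert in page.get("value", []):
            print("Alert ID: {} - Name: {} - Status: {}".format(
                alert.get("id"), alert.get("title"), alert.get("status")
            ))
        # nextLink already embeds the filter; don't send it twice.
        graph_endpoint = page.get("@odata.nextLink")
        query = None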
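def main() -> None:
    """Parse the command line and dispatch to the user or alert listing.

    ``get-alerts START END`` takes two ``YYYY-MM-DD`` dates and lists alerts
    created on any day from START through END inclusive. ``get-adusers`` lists
    directory users. Without a sub-command the help text is printed.
    """
    parser = argparse.ArgumentParser(description="Retrieve Azure AD users or Sentinel alerts within a given date range.")
    subparsers = parser.add_subparsers(dest="command")
    # Sub-command: Sentinel alerts
    parser_alerts = subparsers.add_parser("get-alerts", help="Get Sentinel alerts within a date range")
    parser_alerts.add_argument("start_date", help="Start date in the format YYYY-MM-DD (inclusive)")
    parser_alerts.add_argument("end_date", help="End date in the format YYYY-MM-DD (inclusive)")
    # Sub-command: Azure AD users
    subparsers.add_parser("get-adusers", help="Get Azure AD users")
    args = parser.parse_args()
    if args.command == "get-alerts":
        try:
            # strptime both validates the format and rejects anything that is
            # not a real calendar date.
            start_date = datetime.strptime(args.start_date, "%Y-%m-%d")
            end_date = datetime.strptime(args.end_date, "%Y-%m-%d")
        except ValueError:
            print("Please provide dates in the format YYYY-MM-DD")
            return
        if end_date < start_date:
            print("end_date must not be before start_date")
            return
        # The filter uses 'le' on the end bound. A bare date parses to
        # midnight, which previously excluded everything created on the end
        # day itself; move the bound to the last second of that day.
        end_date = end_date.replace(hour=23, minute=59, second=59)
        print("Fetching Sentinel Alerts:")
        get_sentinel_alerts(start_date, end_date)
    elif args.command == "get-adusers":
        print("Fetching Azure AD Users:")
        get_ad_users()
    else:
        parser.print_help()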
# Only run the CLI when executed directly, so importing this module for its
# helpers has no side effect beyond building the MSAL client above.
if __name__ == "__main__":
    main()