Commit e164e2b

committed
Bump version and added Agent Identities
1 parent 30e04dd commit e164e2b

1 file changed

Lines changed: 46 additions & 23 deletions

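--- a/run_EntraFalcon.ps1
+++ b/run_EntraFalcon.ps1
@@ -115,12 +115,15 @@ Param (
 [Parameter(Mandatory=$false)]
 [switch]$Csv = $false,
 
+[Parameter(Mandatory=$false)]
+[switch]$ExportCapUncoveredUsers = $false,
+
 [Parameter(Mandatory = $false)]
 [string]$BroCiToken
 )
 
 #Constants
-$EntraFalconVersion = "V20260327"
+$EntraFalconVersion = "V20260414"
 
 # Import shared functions
 $ScriptRoot = if ($PSScriptRoot) { $PSScriptRoot } else { Split-Path -Parent $MyInvocation.MyCommand.Path }
@@ -206,6 +209,10 @@ $optionalParamsOutput = @{}
 if ($Csv) {
 $optionalParamsOutput['Csv'] = $true
 }
+$optionalParamsCap = @{}
+if ($ExportCapUncoveredUsers) {
+$optionalParamsCap['ExportCapUncoveredUsers'] = $true
+}
 
 #Define summary array and show banner
 Start-InitTasks -EntraFalconVersion $EntraFalconVersion -UserAgent $UserAgent
@@ -321,6 +328,9 @@ $Devices = Get-Devices -ApiTop $ApiTop
 # Get Basic User info
 $AllUsersBasicHT = Get-UsersBasic -ApiTop $ApiTop
 
+# Preload agent-specific basics so early reports can resolve mixed owner/member objects correctly.
+$AgentObjectBasics = Get-AgentObjectBasics -CurrentTenant $CurrentTenant -ApiTop $ApiTop
+
 
 # Determine which reports will be generated
 $TenantReports = [pscustomobject]@{
@@ -367,48 +377,61 @@ Initialize-TenantReportTabs -StartTimestamp $global:ReportContext.StartTimestamp
 $TenantReportsText = ($TenantReports.PSObject.Properties | Sort-Object Name | ForEach-Object { "{0} = {1}" -f $_.Name, $_.Value }) -join " | "
 Write-Log -Level Debug -Message ("Reports:{0}" -f $TenantReportsText)
 
+$ServicePrincipalSignInActivityLookup = Get-ServicePrincipalSignInActivityLookup -ApiTop $ApiTop
+
 # Main enumeration
-write-host "`n********************************** [1/12] Enumerating Groups **********************************"
-$AllGroupsDetails = Invoke-CheckGroups -AdminUnitWithMembers $AdminUnitWithMembers -CurrentTenant $CurrentTenant -StartTimestamp $StartTimestamp -ConditionalAccessPolicies $Caps -AzureIAMAssignments $AzureIAMAssignments -TenantRoleAssignments $TenantRoleAssignments -TenantPimForGroupsAssignments $TenantPimForGroupsAssignments -OutputFolder $OutputFolder -Devices $Devices -AllUsersBasicHT $AllUsersBasicHT -ApiTop $ApiTop @optionalParamsUserandGroup @optionalParamsOutput
+write-host "`n********************************** [1/15] Enumerating Groups **********************************"
+$AllGroupsDetails = Invoke-CheckGroups -AdminUnitWithMembers $AdminUnitWithMembers -CurrentTenant $CurrentTenant -StartTimestamp $StartTimestamp -ConditionalAccessPolicies $Caps -AzureIAMAssignments $AzureIAMAssignments -TenantRoleAssignments $TenantRoleAssignments -TenantPimForGroupsAssignments $TenantPimForGroupsAssignments -OutputFolder $OutputFolder -Devices $Devices -AllUsersBasicHT $AllUsersBasicHT -AgentObjectBasics $AgentObjectBasics -ApiTop $ApiTop @optionalParamsUserandGroup @optionalParamsOutput
+
+write-host "`n********************************** [2/15] Enumerating Enterprise Apps **********************************"
+$AppRoleReferenceCache = @{}
+$EnterpriseApps = Invoke-CheckEnterpriseApps -CurrentTenant $CurrentTenant -StartTimestamp $StartTimestamp -AzureIAMAssignments $AzureIAMAssignments -TenantRoleAssignments $TenantRoleAssignments -AllGroupsDetails $AllGroupsDetails -OutputFolder $OutputFolder -AllUsersBasicHT $AllUsersBasicHT -AgentObjectBasics $AgentObjectBasics -ApiTop $ApiTop -ServicePrincipalSignInActivityLookup $ServicePrincipalSignInActivityLookup -AppRoleReferenceCacheOut ([ref]$AppRoleReferenceCache) @optionalParamsET @optionalParamsOutput
 
-write-host "`n********************************** [2/12] Enumerating Enterprise Apps **********************************"
-$EnterpriseApps = Invoke-CheckEnterpriseApps -CurrentTenant $CurrentTenant -StartTimestamp $StartTimestamp -AzureIAMAssignments $AzureIAMAssignments -TenantRoleAssignments $TenantRoleAssignments -AllGroupsDetails $AllGroupsDetails -OutputFolder $OutputFolder -AllUsersBasicHT $AllUsersBasicHT -ApiTop $ApiTop @optionalParamsET @optionalParamsOutput
+write-host "`n********************************** [3/15] Enumerating Managed Identities **********************************"
+$ManagedIdentities = Invoke-CheckManagedIdentities -CurrentTenant $CurrentTenant -StartTimestamp $StartTimestamp -AzureIAMAssignments $AzureIAMAssignments -AppRoleReferenceCache $AppRoleReferenceCache -TenantRoleAssignments $TenantRoleAssignments -AllGroupsDetails $AllGroupsDetails -OutputFolder $OutputFolder -ApiTop $ApiTop @optionalParamsOutput
 
-write-host "`n********************************** [3/12] Enumerating Managed Identities **********************************"
-$ManagedIdentities = Invoke-CheckManagedIdentities -CurrentTenant $CurrentTenant -StartTimestamp $StartTimestamp -AzureIAMAssignments $AzureIAMAssignments -TenantRoleAssignments $TenantRoleAssignments -AllGroupsDetails $AllGroupsDetails -OutputFolder $OutputFolder -ApiTop $ApiTop @optionalParamsOutput
+write-host "`n********************************** [4/15] Enumerating App Registrations **********************************"
+$AppRegistrations = Invoke-CheckAppRegistrations -CurrentTenant $CurrentTenant -StartTimestamp $StartTimestamp -EnterpriseApps $EnterpriseApps -AllGroupsDetails $AllGroupsDetails -AgentObjectBasics $AgentObjectBasics -TenantRoleAssignments $TenantRoleAssignments -OutputFolder $OutputFolder @optionalParamsOutput
 
-write-host "`n********************************** [4/12] Enumerating App Registrations **********************************"
-$AppRegistrations = Invoke-CheckAppRegistrations -CurrentTenant $CurrentTenant -StartTimestamp $StartTimestamp -EnterpriseApps $EnterpriseApps -AllGroupsDetails $AllGroupsDetails -TenantRoleAssignments $TenantRoleAssignments -OutputFolder $OutputFolder @optionalParamsOutput
+write-host "`n********************************** [5/15] Enumerating Agent Identities **********************************"
+$AgentIdentities = Invoke-AgentIdentities -CurrentTenant $CurrentTenant -StartTimestamp $StartTimestamp -AzureIAMAssignments $AzureIAMAssignments -AppRoleReferenceCache $AppRoleReferenceCache -TenantRoleAssignments $TenantRoleAssignments -AllGroupsDetails $AllGroupsDetails -AllUsersBasicHT $AllUsersBasicHT -ApiTop $ApiTop -ServicePrincipalSignInActivityLookup $ServicePrincipalSignInActivityLookup @optionalParamsET
 
-write-host "`n********************************** [5/12] Enumerating Agent Identities **********************************"
-$AgentIdentities = Invoke-AgentIdentities -CurrentTenant $CurrentTenant -StartTimestamp $StartTimestamp -AzureIAMAssignments $AzureIAMAssignments -TenantRoleAssignments $TenantRoleAssignments -AllGroupsDetails $AllGroupsDetails -OutputFolder $OutputFolder -AllUsersBasicHT $AllUsersBasicHT -ApiTop $ApiTop @optionalParamsET @optionalParamsOutput
-$AgentIdentityBlueprintsPrincipals = Invoke-AgentIdentityBlueprintsPrincipals -CurrentTenant $CurrentTenant -StartTimestamp $StartTimestamp -AzureIAMAssignments $AzureIAMAssignments -TenantRoleAssignments $TenantRoleAssignments -AllGroupsDetails $AllGroupsDetails -OutputFolder $OutputFolder -AgentIdentities $AgentIdentities -AllUsersBasicHT $AllUsersBasicHT -ApiTop $ApiTop @optionalParamsET @optionalParamsOutput
-$AgentIdentityBlueprints = Invoke-AgentIdentityBlueprints -CurrentTenant $CurrentTenant -StartTimestamp $StartTimestamp -EnterpriseApps $EnterpriseApps -AllGroupsDetails $AllGroupsDetails -OutputFolder $OutputFolder -AgentIdentityBlueprintsPrincipals $AgentIdentityBlueprintsPrincipals @optionalParamsOutput
+write-host "`n********************************** [6/15] Enumerating Agent Identity Blueprint Principals **********************************"
+$AgentIdentityBlueprintsPrincipals = Invoke-AgentIdentityBlueprintsPrincipals -CurrentTenant $CurrentTenant -StartTimestamp $StartTimestamp -AzureIAMAssignments $AzureIAMAssignments -AppRoleReferenceCache $AppRoleReferenceCache -TenantRoleAssignments $TenantRoleAssignments -AllGroupsDetails $AllGroupsDetails -AgentIdentities $AgentIdentities -AllUsersBasicHT $AllUsersBasicHT -ApiTop $ApiTop -ServicePrincipalSignInActivityLookup $ServicePrincipalSignInActivityLookup @optionalParamsET
 
-write-host "`n********************************** [6/12] Enumerating Users **********************************"
-$Users = Invoke-CheckUsers -CurrentTenant $CurrentTenant -StartTimestamp $StartTimestamp -EnterpriseApps $EnterpriseApps -AllGroupsDetails $AllGroupsDetails -ConditionalAccessPolicies $Caps -AzureIAMAssignments $AzureIAMAssignments -TenantRoleAssignments $TenantRoleAssignments -AppRegistrations $AppRegistrations -AdminUnitWithMembers $AdminUnitWithMembers -TenantPimForGroupsAssignments $TenantPimForGroupsAssignments -UserAuthMethodsTable $UserAuthMethodsTable -Devices $Devices -OutputFolder $OutputFolder -ApiTop $ApiTop @optionalParamsUserandGroup @optionalParamsOutput
+write-host "`n********************************** [7/15] Enumerating Agent Identity Blueprints **********************************"
+$AgentIdentityBlueprints = Invoke-AgentIdentityBlueprints -CurrentTenant $CurrentTenant -StartTimestamp $StartTimestamp -AppRoleReferenceCache $AppRoleReferenceCache -EnterpriseApps $EnterpriseApps -AllGroupsDetails $AllGroupsDetails -AgentIdentityBlueprintsPrincipals $AgentIdentityBlueprintsPrincipals
 
-write-host "`n********************************** [7/12] Finalizing Agent Objects **********************************"
+write-host "`n********************************** [8/15] Enumerating Users **********************************"
+$UserReportState = $null
+$Users = Invoke-CheckUsers -CurrentTenant $CurrentTenant -StartTimestamp $StartTimestamp -EnterpriseApps $EnterpriseApps -AllGroupsDetails $AllGroupsDetails -ConditionalAccessPolicies $Caps -AzureIAMAssignments $AzureIAMAssignments -TenantRoleAssignments $TenantRoleAssignments -AppRegistrations $AppRegistrations -AdminUnitWithMembers $AdminUnitWithMembers -TenantPimForGroupsAssignments $TenantPimForGroupsAssignments -UserAuthMethodsTable $UserAuthMethodsTable -Devices $Devices -AgentIdentities $AgentIdentities -AgentIdentityBlueprintsPrincipals $AgentIdentityBlueprintsPrincipals -OutputFolder $OutputFolder -ApiTop $ApiTop -ReportStateOut ([ref]$UserReportState) @optionalParamsUserandGroup @optionalParamsOutput
+
+write-host "`n********************************** [9/15] Finalizing Agent Objects **********************************"
 Invoke-CheckAgentsFinalize -CurrentTenant $CurrentTenant -StartTimestamp $StartTimestamp -OutputFolder $OutputFolder -AllUsersBasicHT $AllUsersBasicHT -Users $Users -AgentIdentities $AgentIdentities -AgentIdentityBlueprintsPrincipals $AgentIdentityBlueprintsPrincipals -AgentIdentityBlueprints $AgentIdentityBlueprints @optionalParamsOutput
 
-write-host "`n********************************** [8/12] Generating Role Assignments **********************************"
-Invoke-CheckRoles -CurrentTenant $CurrentTenant -StartTimestamp $StartTimestamp -EnterpriseApps $EnterpriseApps -AllGroupsDetails $AllGroupsDetails -AzureIAMAssignments $AzureIAMAssignments -TenantRoleAssignments $TenantRoleAssignments -AppRegistrations $AppRegistrations -AdminUnitWithMembers $AdminUnitWithMembers -Users $Users -ManagedIdentities $ManagedIdentities -OutputFolder $OutputFolder @optionalParamsOutput
+write-host "`n********************************** [10/15] Finalizing Users Report **********************************"
+Write-Host "[*] Applying finalized Agent Identity Blueprint ownership impact to Users"
+Update-EntraFalconUserBlueprintOwnershipImpact -Users $Users -AgentIdentityBlueprints $AgentIdentityBlueprints
+Write-EntraFalconUsersReport -UserReportState $UserReportState -Users $Users
+
+write-host "`n********************************** [11/15] Generating Role Assignments **********************************"
+Invoke-CheckRoles -CurrentTenant $CurrentTenant -StartTimestamp $StartTimestamp -EnterpriseApps $EnterpriseApps -AllGroupsDetails $AllGroupsDetails -AzureIAMAssignments $AzureIAMAssignments -TenantRoleAssignments $TenantRoleAssignments -AppRegistrations $AppRegistrations -AdminUnitWithMembers $AdminUnitWithMembers -Users $Users -ManagedIdentities $ManagedIdentities -AgentIdentities $AgentIdentities -AgentIdentityBlueprintsPrincipals $AgentIdentityBlueprintsPrincipals -OutputFolder $OutputFolder @optionalParamsOutput
 
-write-host "`n********************************** [9/12] Enumerating Conditional Access Policies **********************************"
-$AllCaps = Invoke-CheckCaps -CurrentTenant $CurrentTenant -StartTimestamp $StartTimestamp -AllGroupsDetails $AllGroupsDetails -Users $Users -OutputFolder $OutputFolder -TenantRoleAssignments $TenantRoleAssignments @optionalParamsOutput
+write-host "`n********************************** [12/15] Enumerating Conditional Access Policies **********************************"
+$AllCaps = Invoke-CheckCaps -CurrentTenant $CurrentTenant -StartTimestamp $StartTimestamp -AllGroupsDetails $AllGroupsDetails -Users $Users -OutputFolder $OutputFolder -TenantRoleAssignments $TenantRoleAssignments @optionalParamsOutput @optionalParamsCap
 
-write-host "`n********************************** [10/12] Enumerating PIM Role Settings **********************************"
+write-host "`n********************************** [13/15] Enumerating PIM Role Settings **********************************"
 if ($GLOBALPIMForEntraRolesChecked) {
 $PimforEntraRoles = Invoke-CheckPIM -CurrentTenant $CurrentTenant -StartTimestamp $StartTimestamp -OutputFolder $OutputFolder -AllGroupsDetails $AllGroupsDetails -Users $Users -TenantRoleAssignments $TenantRoleAssignments -AllCaps $AllCaps @optionalParamsOutput
 } else {
 write-host "[!] Tenant is not licensed to use PIM. Skipping role settings checks..."
 $PimforEntraRoles = @{}
 }
 
-write-host "`n********************************** [11/12] Enumerating Security Findings **********************************"
+write-host "`n********************************** [14/15] Enumerating Security Findings **********************************"
 Invoke-CheckTenant -CurrentTenant $CurrentTenant -StartTimestamp $StartTimestamp -OutputFolder $OutputFolder -EnterpriseApps $EnterpriseApps -AppRegistrations $AppRegistrations -ManagedIdentities $ManagedIdentities -AllCaps $AllCaps -PimforEntraRoles $PimforEntraRoles -AllGroupsDetails $AllGroupsDetails -Users $Users -Devices $Devices -TenantRoleAssignments $TenantRoleAssignments
 
-write-host "`n********************************** [12/12] Generating Summary Report **********************************"
+write-host "`n********************************** [15/15] Generating Summary Report **********************************"
 # Show assessment summary and generate summary HTML report
 Export-Summary -CurrentTenant $CurrentTenant -StartTimestamp $StartTimestamp -OutputFolder $OutputFolder -TenantDomains $TenantDomains -Users $Users
 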
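Review bot: In the [10/15] "Finalizing Users Report" step, `Write-EntraFalconUsersReport -UserReportState $UserReportState -Users $Users` runs unconditionally even though `$UserReportState` is initialised to `$null` and only populated through the `-ReportStateOut ([ref]$UserReportState)` side channel of `Invoke-CheckUsers`; if that call returns without assigning the ref (or is skipped by a later report-selection change), the writer receives a null state. A small guard keeps the failure local and visible in the console log the script already uses: `if ($null -eq $UserReportState) { write-host "[!] User report state not available. Skipping Users report finalization..." } else { Write-EntraFalconUsersReport -UserReportState $UserReportState -Users $Users }`. Note also that the three agent calls (`Invoke-AgentIdentities`, `Invoke-AgentIdentityBlueprintsPrincipals`, `Invoke-AgentIdentityBlueprints`) and the new Users report writer no longer receive `-OutputFolder`/`@optionalParamsOutput`, so the `-Csv` switch presumably reaches their output only via `Invoke-CheckAgentsFinalize` and `$UserReportState`; worth confirming that CSV export of the Users and Agent reports still honours `-Csv`. A one-line comment above `$AppRoleReferenceCache = @{}` stating that it is filled by `Invoke-CheckEnterpriseApps` via `-AppRoleReferenceCacheOut` and read by the Managed Identity, Agent and Blueprint steps would make the ordering dependency explicit. The `Write-Host` on the new "[*] Applying finalized…" line differs in casing from the surrounding `write-host` calls; the script body continues past the end of this hunk.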