Script error when trying to deploy template Playbook in MS Sentinel

Alex 0 Reputation points
2024-09-13T10:43:28.6233333+00:00

Hi

I am struggling with PowerShell script that is needed to deploy a template Playbook in MS Sentinel. I am new to MS Sentinel, and trying out the different functions to see if it will be of use to our organization.

This is the playbook that I want to deploy:

[screenshot: playbook1]

The template provides you with the PowerShell command that needs to be run as per the template instructions. Running the PowerShell script ends up in an error that not even Copilot can help me with.

This is the code required as a prerequisite for the template to run:

# Object (principal) ID of the playbook's managed identity service principal
$MIGuid = '<Enter your managed identity guid here>'
$MI = Get-AzureADServicePrincipal -ObjectId $MIGuid

# Microsoft Defender for Endpoint application ID and the first permission to grant
$MDEAppId = 'fc780465-2017-40d4-a0c5-307022471b92'
$PermissionName = 'Machine.Scan'

$MDEServicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$MDEAppId'"
$AppRole = $MDEServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains 'Application'}
New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId `
    -ResourceId $MDEServicePrincipal.ObjectId -Id $AppRole.Id

# Each new $PermissionName assignment must start on its own line, after the
# backtick-continued command above has ended; otherwise it is parsed as
# positional arguments of New-AzureAdServiceAppRoleAssignment.
$PermissionName = 'Machine.Read.All'
$AppRole = $MDEServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains 'Application'}
New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId `
    -ResourceId $MDEServicePrincipal.ObjectId -Id $AppRole.Id

$PermissionName = 'Machine.ReadWrite.All'
$AppRole = $MDEServicePrincipal.AppRoles | Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains 'Application'}
New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -PrincipalId $MI.ObjectId `
    -ResourceId $MDEServicePrincipal.ObjectId -Id $AppRole.Id


This is ending up in this error.

New-AzureADServiceAppRoleAssignment : A positional parameter cannot be found that accepts argument 'Machine.Scan'.
At line:13 char:1
+ New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -Principal ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [New-AzureADServiceAppRoleAssignment], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.Open.AzureAD16.PowerShell.NewServicePrincipalAppRoleAssignment
 
New-AzureADServiceAppRoleAssignment : A positional parameter cannot be found that accepts argument 'Machine.Scan'.
At line:17 char:1
+ New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -Principal ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [New-AzureADServiceAppRoleAssignment], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.Open.AzureAD16.PowerShell.NewServicePrincipalAppRoleAssignment
 
New-AzureAdServiceAppRoleAssignment : Error occurred while executing NewServicePrincipalAppRoleAssignment 
Code: Request_BadRequest
Message: Permission being assigned already exists on the object
RequestId: 32fd5b32-db1a-4997-8955-4405ab244b23
DateTimeStamp: Fri, 13 Sep 2024 10:35:28 GMT
Details: PropertyName  - None, PropertyErrorCode  - InvalidUpdate
HttpStatusCode: BadRequest
HttpStatusDescription: Bad Request
HttpResponseStatus: Completed
At line:21 char:1
+ New-AzureAdServiceAppRoleAssignment -ObjectId $MI.ObjectId -Principal ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [New-AzureADServiceAppRoleAssignment], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.NewServicePrincipalAppRoleAssignmen


The one thing that I am not sure about is if my Principal ID that is retrieved by

$MIGuid = '<Enter your managed identity guid here>'

is correct. I am using the Object ID from the template. I am not sure if this is correct?

[screenshot: playbook3]

Any help would be appreciated!!
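The two "positional parameter cannot be found that accepts argument 'Machine.Scan'" errors are what PowerShell reports when a `$PermissionName = '...'` assignment ends up on the line right after a backtick-continued `New-AzureAdServiceAppRoleAssignment` command: the continuation swallows the assignment as extra arguments, `$PermissionName` stays 'Machine.Scan', and the last command then fails with "Permission being assigned already exists" because that role was granted on an earlier run. The script below is an added example, not the template's own code and not from the original post. It does the same grant with the Microsoft Graph PowerShell SDK (Microsoft.Graph.Applications) rather than the deprecated AzureAD module, checks that the supplied object ID really is a managed identity, and skips roles that are already assigned so it can be re-run safely. `$MIObjectId` is a placeholder you supply; the Defender for Endpoint app ID and the three permission names are taken from the template above.

```powershell
#Requires -Modules Microsoft.Graph.Applications
# Added example: idempotent app-role grant for a playbook's managed identity.
# Not the Sentinel template's own script; uses Microsoft Graph PowerShell cmdlets.
param(
    # Object (principal) ID of the Logic App's managed identity service principal,
    # i.e. the "Object (principal) ID" shown on the Logic App's Identity blade,
    # not the Logic App resource ID. Placeholder: supply your own value.
    [Parameter(Mandatory)][string]$MIObjectId,
    # Microsoft Defender for Endpoint application (client) ID, as in the template.
    [string]$MDEAppId = 'fc780465-2017-40d4-a0c5-307022471b92',
    # Only the application permissions this playbook actually needs (least privilege).
    [string[]]$Permissions = @('Machine.Scan', 'Machine.Read.All', 'Machine.ReadWrite.All')
)

# Read service principals and write app role assignments; nothing broader.
Connect-MgGraph -Scopes 'Application.Read.All', 'AppRoleAssignment.ReadWrite.All' | Out-Null

# Resolve the managed identity and refuse anything that is not one.
$MI = Get-MgServicePrincipal -ServicePrincipalId $MIObjectId -ErrorAction Stop
if ($MI.ServicePrincipalType -ne 'ManagedIdentity') {
    throw "Object $MIObjectId is a '$($MI.ServicePrincipalType)' service principal, not a managed identity."
}

# Resolve the Defender for Endpoint resource service principal in this tenant.
$MDE = Get-MgServicePrincipal -Filter "appId eq '$MDEAppId'" -ErrorAction Stop
if (-not $MDE) { throw "No service principal with appId $MDEAppId exists in this tenant." }

# App roles the identity already holds on the MDE resource, keyed by role ID,
# so a second run reports "already assigned" instead of a Request_BadRequest.
$held = @{}
Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $MI.Id -All |
    Where-Object { $_.ResourceId -eq $MDE.Id } |
    ForEach-Object { $held[[string]$_.AppRoleId] = $true }

foreach ($name in $Permissions) {
    # Match on the role's Value and make sure it is an application role.
    $role = $MDE.AppRoles | Where-Object {
        $_.Value -eq $name -and $_.AllowedMemberTypes -contains 'Application'
    }
    if (-not $role) { throw "App role '$name' was not found on $($MDE.DisplayName)." }

    if ($held.ContainsKey([string]$role.Id)) {
        Write-Host "Skipping $name (already assigned to $($MI.DisplayName))."
        continue
    }

    # Each grant is a single statement; variable assignments stay outside it.
    New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $MI.Id `
        -PrincipalId $MI.Id -ResourceId $MDE.Id -AppRoleId $role.Id | Out-Null
    Write-Host "Granted $name to $($MI.DisplayName)."
}
```

Run it as `.\Grant-PlaybookMdeRoles.ps1 -MIObjectId <object id>` (script name is illustrative) from an account allowed to consent to application permissions; the pre-check on existing assignments is what makes re-running after a partial failure safe, and the managed-identity type check catches the case of pasting a Logic App or app registration ID instead of the identity's object ID.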

Microsoft Sentinel

1 answer

Givary-MSFT 32,311 Reputation points Microsoft Employee
2024-09-18T05:37:34.8666667+00:00

@Alex Apologies for the delayed response. I came across this blog, https://techcommunity.microsoft.com/t5/microsoft-sentinel/azure-sentinel-run-antivirus-scan-using-logic-app/m-p/4047771, where a similar issue has been discussed; try to follow the steps mentioned there and see if it helps to resolve the above-mentioned issue or not.

Feel free to post back if it doesn't help.

