
Get-MDEInvestigationPackage playbook retrieves SAS URI but returns "expired token"

Open applefacts opened this issue 3 years ago • 4 comments

Describe the bug

This playbook https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Get-MDEInvestigationPackage is run against a Sentinel Incident and it is able to retrieve the investigation package download URI. However, when I navigate to the URL I get a JSON error message: "Expired token"

To Reproduce

  1. Go to 'Sentinel Incident'
  2. Click on 'Run Playbook (Preview)'
  3. Select Get-MDEInvestigationPackage and click "Run"
  4. See error (screenshot)

Expected behavior

URL from playbook is supposed to download the investigation package

Screenshots

See above

Desktop:

  • OS: Windows 11
  • Browser: Firefox
  • Version: 104.0.2

Additional context: Permissions as per the readme were granted to the managed identity.

applefacts avatar Sep 12 '22 17:09 applefacts

Thank you for submitting an Issue to the Azure Sentinel GitHub repo! You should expect an initial response to your Issue from the team within 5 business days. Note that this response may be delayed during holiday periods. For urgent, production-affecting issues please raise a support ticket via the Azure Portal.

github-actions[bot] avatar Sep 12 '22 17:09 github-actions[bot]

Hi @kevelife - we are currently investigating why there is an error with the expired token. In the meantime you can utilize an HTTP action as a workaround.

BenjiSec avatar Oct 14 '22 11:10 BenjiSec

Update - the API token to get the investigation package expires a couple of minutes after generation by design, so if you don't click on the link immediately, you will get a "token expired" notification.

BenjiSec avatar Feb 13 '23 09:02 BenjiSec

@BenjiSec - Thanks for the prompt response. @applefacts - Closing this incident as it's by design; please feel free to reopen if you need any further information on this. Thanks

v-mchatla avatar Feb 13 '23 10:02 v-mchatla

Update - the API token to get the investigation package expires a couple of minutes after generation by design, so if you don't click on the link immediately, you will get a "token expired" notification.

Hi @BenjiSec, I am clicking the package URL immediately and I am not waiting for it to expire.

applefacts avatar Feb 13 '23 18:02 applefacts

The token life is definitely too short for this use case - I've managed to download it by clicking refresh on the incident page only during the second run (2 minutes); after the first, 5-minute run, the token was already expired. I can see that the token life is something between 4-5 minutes in total; please correct me if I'm wrong. Anyway, as I said, it is way too short for production use.

KrisDeb78 avatar May 09 '23 23:05 KrisDeb78
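BenjiSec's note that the download token expires by design a couple of minutes after it is generated, and KrisDeb78's measured 4-5 minute window, both point to the same fix: inspect the SAS URI's validity window and fetch the package from the automation right away instead of surfacing a link. The following is an added example, not code from the Azure-Sentinel playbook; the hostname, container, signature and timestamps in the sample URI are constructed placeholders, and the `st`/`se` query parameters are the standard Azure SAS start/expiry fields.

```python
"""Check a SAS URI's validity window before relying on it (added example)."""
from datetime import datetime, timezone
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlparse
import urllib.request

# Constructed sample SAS URI: host, path, signature and times are placeholders.
SAMPLE_SAS_URI = (
    "https://example.blob.core.windows.net/packages/pkg.zip"
    "?sv=2020-08-04&st=2023-02-13T09:00:00Z&se=2023-02-13T09:05:00Z"
    "&sr=b&sp=r&sig=PLACEHOLDER"
)


def parse_sas_time(value: str) -> datetime:
    """Parse an Azure SAS timestamp (ISO-8601, UTC, optional fraction)."""
    core = value.rstrip("Z").split(".")[0]
    return datetime.strptime(core, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def sas_window(uri: str) -> Tuple[Optional[datetime], datetime]:
    """Return (start, expiry); start is None when the URI carries no 'st'."""
    qs = parse_qs(urlparse(uri).query)
    if "se" not in qs:
        raise ValueError("no 'se' (signed expiry) parameter: not a SAS URI")
    start = parse_sas_time(qs["st"][0]) if "st" in qs else None
    return start, parse_sas_time(qs["se"][0])


def token_lifetime_seconds(uri: str) -> Optional[float]:
    """Total validity window in seconds, or None if no start time is present."""
    start, expiry = sas_window(uri)
    return (expiry - start).total_seconds() if start else None


def seconds_remaining(uri: str, now: Optional[datetime] = None) -> float:
    """Seconds until expiry at 'now'; negative means the link is already dead."""
    now = now or datetime.now(timezone.utc)
    return (sas_window(uri)[1] - now).total_seconds()


def fetch_package(uri: str, dest: str, now: Optional[datetime] = None,
                  min_margin: float = 30.0) -> bool:
    """Download immediately; refuse (no request made) if too little time is left."""
    if seconds_remaining(uri, now) < min_margin:
        return False
    urllib.request.urlretrieve(uri, dest)  # assumes network access to the blob
    return True
```

Run inside the automation as soon as the URI is returned; a False from fetch_package means the token should be regenerated rather than handed to an analyst.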