Implemented High Risk Permissions Identification

[juliusperez1695]

Pull Request Template

Description

Addressing Ticket #168, I've added the identification and flagging of both High Risk and Extremely Dangerous grants along with the broad-scope grants that were previously reported on. Additional Notices within Hawk logs were included and an additional Flag property was added to the output files to highlight these grants to be investigated by the analyst/user.

Fixes: 3

• Added additional notices to the Hawk log file if High Risk or Extremely Dangerous grants were detected
• Added 'Flag' property to the output Consent_Grants.csv/json for reporting these risky grants
• Added 'Broad-Scope' flag for 'AllPrincipals' consent type and 'all'-type permissions

Type of change

Please delete options that are not relevant.

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• This change requires a documentation update

How Has This Been Tested?

Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration

• Test A
• Test B
• Individually ran Get-HawkTenantConsentGrants following changes and verified desired output within Hawk logs and Consent-Grants.csv/json files

Checklist:

• My code follows the style guidelines of Hawk
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works
• New and existing unit tests pass locally with my changes
• Any dependent changes have been merged and published in downstream modules
• I have checked my code and corrected any misspellings

[jonnybottles]

Hey there Julius, I just reviewed your merge request. Great work, everything is working for the most part as intended. There are a few things to update though. Take a look below. If you have any questions, I will be online the majority of the day / night. You can always give me a call and or video chat too:

1. Modify Extremely Dangerous Grants Array:

In the ExtremelyDangerousGrants array, you have "RoleManagementAlert.ReadWrite.Directory" defined. This should be "RoleManagement.ReadWrite.Directory" instead (no Alert).
High Risk:"

2. Permissions Flagged as High Risk when not actually High Risk:

The following permissions are being flagged as high risk, when they are not actually high risk:

Directory.AccessAsUser.All
IdentityRiskyUser.Read.All
Files.SelectedOperations.Selected
UserState.ReadWrite.All

This is probably happening because of the wild cards in the high risks and the way we are matching, not sure but i'll let you look into this.

3. Include Grant Counts in Output

This wasn't in the ticket, and is more of a nice / easy add on. Right now when ever we detect a broad or extremely dangerous / high risk grant, we just state:

"Found at least one [GRANT TYPE] Grant"

This is how had it implemented before, but looking at it now, it would be more informative to the user to replace "at least one" with the count. You are already tracking the count of all the grant detections in the code, its just a matter of replacing the static "at least one" string with the count variables it in the code.