Microsoft Graph Error retrieving signIns


serano...@gmail.com

Apr 18, 2023, 3:57:54 PM
to Wazuh mailing list
Hi all.
I have a Wazuh 4.3.10 node where I've configured the Azure wodle to retrieve logs from Azure.

This is the configuration of my wodle:

<wodle name="azure-logs">

    <disabled>no</disabled>
    <interval>1d</interval>
    <run_on_start>yes</run_on_start>
    <graph>
        <auth_path>/var/ossec/wodles/azure/credentials</auth_path>
        <tenantdomain>mydomain.org</tenantdomain>
        <request>
            <query>auditLogs/signIns</query>
            <time_offset>10m</time_offset>
        </request>

    </graph>

</wodle>


Now, if I set the query to:

auditLogs/directoryaudits

or

auditLogs/provisioning

I get no error, but if I set:

auditLogs/signIns

I get this error:

04/18/2023 09:49:08 PM INFO: AZURE Graph: Building the url.
04/18/2023 09:49:08 PM INFO: AZURE *** was not found in /var/ossec/wodles/azure/last_dates.json for graph
04/18/2023 09:49:08 PM INFO: AZURE Graph: The search starts for query: 'auditLogs/signIns' using createdDateTime+ge+2023-04-18T19:39:08.278711Z
04/18/2023 09:49:08 PM INFO: AZURE Graph: The URL is 'https://graph.microsoft.com/v1.0/auditLogs/signIns?&$filter=createdDateTime+ge+2023-04-18T19:39:08.278711Z'
04/18/2023 09:49:08 PM INFO: AZURE Graph: Pagination starts
04/18/2023 09:49:09 PM ERROR: AZURE Graph: 403 Client Error: Forbidden for url: https://graph.microsoft.com/v1.0/auditLogs/signIns?&$filter=createdDateTime+ge+2023-04-18T19:39:08.278711Z
04/18/2023 09:49:09 PM INFO: AZURE Graph: End

It looks like a permission error, but I don't understand where the problem is.

Has someone had the same problem and could help? Thanks!


Mauricio Aguilar

Apr 18, 2023, 5:11:58 PM
to Wazuh mailing list
Hi there, it looks like you are experiencing a permission error when trying to retrieve logs from Azure using the auditLogs/signIns query. This could be due to a misconfiguration of your Azure credentials or a lack of permissions for the user account associated with the credentials.
We recommend double-checking your credentials and ensuring that the user account has the necessary permissions to retrieve logs using the auditLogs/signIns query. If the issue persists, please let us know and we will be happy to assist you further. 

Check:

* content, user and permissions of the credentials file:
/var/ossec/wodles/azure/credentials
(command: cat /var/ossec/wodles/azure/credentials)
(command: ls -lha)

* content, user and permissions of the credentials file:
/var/ossec/wodles/azure/last_dates.json
(command: cat /var/ossec/wodles/azure/last_dates.json)
(command: ls -lha)

* permissions for the azure user.

* Docs information:
https://documentation.wazuh.com/4.3/user-manual/reference/ossec-conf/wodle-azure-logs.html#example-of-graph-configuration

Meanwhile, I will continue to investigate your case.

Best regards
Wazuh Cloud Team
Thank you!

(Do not send sensitive information.)

serano...@gmail.com

Apr 21, 2023, 5:29:23 AM
to Wazuh mailing list
Hi Mauricio.
Sorry for my late reply.

I've made the checks you asked for:

FILE PERMISSIONS:
-rwxr-x--- 1 root  wazuh  1020 Nov 11 14:12 azure-logs
-rwxr-x--- 1 root  wazuh 36423 Nov 11 14:12 azure-logs.py
-rw-r--r-- 1 wazuh wazuh   113 Apr 21 11:06 credentials
-rw-r--r-- 1 root  wazuh   275 Apr 18 18:06 last_dates.json

Azure Permissions:
auditlog.read.all OK

Wodle Configuration:
<wodle name="azure-logs">

    <disabled>no</disabled>
    <interval>1d</interval>
    <run_on_start>yes</run_on_start>
    <graph>
        <auth_path>/var/ossec/wodles/azure/credentials</auth_path>
        <tenantdomain>mydomain.it</tenantdomain>
        <request>
            <tag>azure-active_directory</tag>
            <query>auditLogs/signIns</query>
            <time_offset>1d</time_offset>
        </request>

    </graph>

</wodle>

Is it possible that the license I have is not enough to get these data over the API?

Mauricio Aguilar

Apr 25, 2023, 11:02:56 PM
to Wazuh mailing list
Hi again.

It looks like you need to add permissions to the wazuh application (highlighted in yellow):

[Screenshot attachment: Selection_001.png]


Let me know if this works for you.
Regards.
Mauricio.

Stefano Serano

Apr 26, 2023, 2:40:40 AM
to Mauricio Aguilar, Wazuh mailing list
Hi Mauricio.
Already checked; I've even given more permissions to be sure. Attached you can find the screenshot about it.

Unfortunately the problem is still the same:
04/26/2023 08:39:37 AM INFO: AZURE Graph: Pagination starts
04/26/2023 08:39:38 AM ERROR: AZURE Graph: 403 Client Error: Forbidden for url: https://graph.microsoft.com/v1.0/auditLogs/signIns?&$filter=createdDateTime+ge+2023-04-25T06:39:37.357092Z
04/26/2023 08:39:38 AM INFO: AZURE Graph: End

[Screenshot attachment: 2023-04-26 08_37_05-Window.png]

Mauricio Aguilar

Apr 26, 2023, 9:04:24 AM
to Wazuh mailing list
Hi Stefano, ok, I am checking it with the team.

There is a possibility that the <auth_path> is wrong; please try to use this one:
<wodle name="azure-logs">
    <disabled>no</disabled>
    <interval>1d</interval>
    <run_on_start>yes</run_on_start>
    <graph>
        <auth_path>/var/ossec/wodles/credentials/log_analytics_credentials</auth_path>
        <tenantdomain>mydomain.it</tenantdomain>
        <request>
            <tag>azure-active_directory</tag>
            <query>auditLogs/signIns</query>
            <time_offset>1d</time_offset>
        </request>
    </graph>
</wodle>


In general terms:
First of all, it is necessary to configure a series of prerequisites (these may vary depending on what you are looking for):
        1. Configuring Azure credentials

After you have followed the steps in our documentation on configuring credentials:
        2. You need to configure monitoring of Azure Active Directory; follow these steps.

If the <auth_path> change doesn't work, please check each point.

Best regards,
Mauricio.

serano...@gmail.com

May 3, 2023, 4:58:56 AM
to Wazuh mailing list
Hi.
If I use this configuration:
 <wodle name="azure-logs">

    <disabled>no</disabled>
    <interval>1d</interval>
    <run_on_start>yes</run_on_start>

    <graph>

        <auth_path>/var/ossec/wodles/credentials/graph_credentials</auth_path>
        <tenantdomain> mydomain.com  </tenantdomain>
        <request>
            <tag>azure-active_directory</tag>
            <query>auditLogs/directoryAudits</query>

            <time_offset>1d</time_offset>
        </request>

    </graph>

 </wodle>

everything is fine, as the Azure logs show:

05/03/2023 10:19:10 AM INFO: AZURE Azure Graph starting.
05/03/2023 10:19:10 AM INFO: AZURE Graph: Getting authentication token.
05/03/2023 10:19:11 AM INFO: AZURE Graph: Building the url.
05/03/2023 10:19:11 AM INFO: AZURE Graph: The search starts for query: 'auditLogs/directoryAudits' using activityDateTime+ge+2023-05-02T08:19:11.034052Z
05/03/2023 10:19:11 AM INFO: AZURE Graph: The URL is 'https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?&$filter=activityDateTime+ge+2023-05-02T08:19:11.034052Z'
05/03/2023 10:19:11 AM INFO: AZURE Graph: Pagination starts
05/03/2023 10:19:12 AM INFO: AZURE Graph: Sending event by socket.
05/03/2023 10:19:12 AM INFO: AZURE Graph: Sending event by socket.
05/03/2023 10:19:12 AM INFO: AZURE Graph: Sending event by socket.
05/03/2023 10:19:12 AM INFO: AZURE Graph: Sending event by socket.
05/03/2023 10:19:12 AM INFO: AZURE Graph: Sending event by socket.
05/03/2023 10:19:12 AM INFO: AZURE Graph: Sending event by socket.
05/03/2023 10:19:12 AM INFO: AZURE Graph: Sending event by socket.
05/03/2023 10:19:12 AM INFO: AZURE Graph: Sending event by socket.
05/03/2023 10:19:12 AM INFO: AZURE Graph: Sending event by socket.
05/03/2023 10:19:12 AM INFO: AZURE Graph: Sending event by socket.
05/03/2023 10:19:12 AM INFO: AZURE Graph: Sending event by socket.
05/03/2023 10:19:12 AM INFO: AZURE Graph: Sending event by socket.
05/03/2023 10:19:12 AM INFO: AZURE Graph: Sending event by socket.
05/03/2023 10:19:12 AM INFO: AZURE Graph: Sending event by socket.
05/03/2023 10:19:12 AM INFO: AZURE Graph: Sending event by socket.
05/03/2023 10:19:12 AM INFO: AZURE Graph: Sending event by socket.
05/03/2023 10:19:12 AM INFO: AZURE Graph: Sending event by socket.
05/03/2023 10:19:12 AM INFO: AZURE Graph: Sending event by socket.
05/03/2023 10:19:12 AM INFO: AZURE Graph: Sending event by socket.
05/03/2023 10:19:12 AM INFO: AZURE Updating /var/ossec/wodles/azure/last_dates.json file.


If I use this configuration:

 <wodle name="azure-logs">

    <disabled>no</disabled>
    <interval>1d</interval>
    <run_on_start>yes</run_on_start>

    <graph>

        <auth_path>/var/ossec/wodles/credentials/graph_credentials</auth_path>
        <tenantdomain>mydomain.com</tenantdomain>

        <request>
            <tag>azure-active_directory</tag>
            <query>auditLogs/signIns</query>
            <time_offset>1d</time_offset>
        </request>

    </graph>

 </wodle>

I get this error:

05/03/2023 10:20:52 AM INFO: AZURE Azure Graph starting.
05/03/2023 10:20:52 AM INFO: AZURE Graph: Getting authentication token.
05/03/2023 10:20:52 AM INFO: AZURE Graph: Building the url.
05/03/2023 10:20:52 AM INFO: AZURE 2012f3812bfc764b6a927f00ddcd7c16 was not found in /var/ossec/wodles/azure/last_dates.json for graph
05/03/2023 10:20:52 AM INFO: AZURE Graph: The search starts for query: 'auditLogs/signIns' using createdDateTime+ge+2023-05-02T08:20:52.599627Z
05/03/2023 10:20:52 AM INFO: AZURE Graph: The URL is 'https://graph.microsoft.com/v1.0/auditLogs/signIns?&$filter=createdDateTime+ge+2023-05-02T08:20:52.599627Z'
05/03/2023 10:20:52 AM INFO: AZURE Graph: Pagination starts
05/03/2023 10:20:53 AM ERROR: AZURE Graph: 403 Client Error: Forbidden for url: https://graph.microsoft.com/v1.0/auditLogs/signIns?&$filter=createdDateTime+ge+2023-05-02T08:20:52.599627Z
05/03/2023 10:20:53 AM INFO: AZURE Graph: End


For me, it is not possible that it is an authentication problem, because the only thing I've changed is the query parameter.

Have a nice day.

serano...@gmail.com

May 3, 2023, 5:24:25 AM
to Wazuh mailing list
Hi All.
Maybe I've figured it out.
If I run this script with the same access data:

import requests

tenant_id = '<your tenant id>'
client_id = '<your client id>'
client_secret = '<your client secret>'
resource = 'https://graph.microsoft.com'
version = 'v1.0'
endpoint = f'{resource}/{version}/auditLogs/signIns?&$filter=createdDateTime+ge+2023-05-02T08:20:52.599627Z'

# Get an access token with the client-credentials flow (Azure AD v1 token endpoint)
url = f'https://login.microsoftonline.com/{tenant_id}/oauth2/token'
headers = {'Content-Type': 'application/x-www-form-urlencoded'}
data = {
    'grant_type': 'client_credentials',
    'client_id': client_id,
    'client_secret': client_secret,
    'resource': resource
}
response = requests.post(url, headers=headers, data=data)
token_body = response.json()
if 'access_token' not in token_body:
    raise SystemExit(f'Token request failed ({response.status_code}): {token_body}')
access_token = token_body['access_token']

# Get auditLogs/signIns with the token
headers = {'Authorization': f'Bearer {access_token}', 'Content-Type': 'application/json'}
response = requests.get(endpoint, headers=headers)

# Print the status and the full body: on a 403 the 'error' object carries
# the Graph error code that the wodle's "403 Client Error" line does not show
print(response.status_code)
print(response.json())

I get this error:

{'error': {'code': 'Authentication_RequestFromNonPremiumTenantOrB2CTenant', 'message': "Neither tenant is B2C or tenant doesn't have premium license", 'innerError': {'date': '2023-05-03T09:04:26', 'request-id': '87fccf66-d472-45a5-8b79-7de2be779893', 'client-request-id': '87fccf66-d472-45a5-8b79-7de2be779893'}}}

Based on this error I've found that to get sign-in logs you need a premium license:

Have a nice day.
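As an added example (not code from the thread or from the Wazuh project), the helper below shows how to tell the two causes of a Graph 403 apart by reading the error body instead of only the status line. The wodle's "403 Client Error: Forbidden for url" line has the shape of a requests HTTPError message, which carries no body, so the licensing code stays hidden; query_graph is a hypothetical stdlib-only fetch that keeps the body, and Authorization_RequestDenied is the code Graph returns when the app registration lacks the needed permission (AuditLog.Read.All for this query). The second sample body is constructed.

```python
import json
import urllib.error
import urllib.request

# Error codes a 403 from Graph can carry. The licensing code is the one printed
# by the script above; Authorization_RequestDenied is what Graph returns when the
# app registration lacks the permission the query needs (AuditLog.Read.All here).
LICENSE_CODES = {'Authentication_RequestFromNonPremiumTenantOrB2CTenant'}
PERMISSION_CODES = {'Authorization_RequestDenied'}


def diagnose_graph_response(status, body):
    """Map an HTTP status and raw response body to a (category, detail) pair."""
    if status == 200:
        return ('ok', 'query succeeded')
    try:
        err = json.loads(body).get('error', {})
    except (ValueError, AttributeError):
        return ('unknown', f'HTTP {status} with a non-JSON body')
    code, msg = err.get('code', ''), err.get('message', '')
    if code in LICENSE_CODES:
        return ('license', f'{code}: {msg} (tenant needs a premium license for this query)')
    if code in PERMISSION_CODES:
        return ('permission', f'{code}: {msg} (grant and admin-consent the app permission)')
    if status == 401:
        return ('auth', f'{code}: {msg} (token missing, expired or for the wrong resource)')
    return ('unknown', f'HTTP {status} {code}: {msg}')


def query_graph(url, token):
    """GET a Graph URL and always return (status, body); the body of an HTTPError is
    read and returned rather than discarded, so the caller can diagnose it."""
    req = urllib.request.Request(url, headers={'Authorization': f'Bearer {token}'})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


# Sample bodies: the first matches the body printed by the script above,
# the second is a constructed example of a missing application permission.
SAMPLE_LICENSE = json.dumps({'error': {
    'code': 'Authentication_RequestFromNonPremiumTenantOrB2CTenant',
    'message': "Neither tenant is B2C or tenant doesn't have premium license"}})
SAMPLE_PERMISSION = json.dumps({'error': {
    'code': 'Authorization_RequestDenied',
    'message': 'Insufficient privileges to complete the operation.'}})
```

Run diagnose_graph_response(*query_graph(endpoint, access_token)) in place of the bare print to get the category directly.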

serano...@gmail.com

May 3, 2023, 5:37:54 AM
to Wazuh mailing list
I confirm.
I've enabled the wodle in a tenant with an enterprise license and it's working.
