How are Logs received before being decoded in Wazuh


Yanis Halit

Jun 13, 2024, 9:09:59 AM
to Wazuh | Mailing List
Following this topic https://github.com/wazuh/wazuh/issues/14271, as I am facing the same problem with the ms-graph integration (not receiving the alert even though the decoder and alert test are a success).

I was hoping that someone would explain to me how logs are really received and parsed before being processed, so I can improve my decoder's accuracy.

At first I was using the archives.log event as a reference, but it doesn't seem to be the right path.

Sample log from archives.log:

2024 Jun 13 13:33:45 glowazlp01->ms-graph {"integration":"ms-graph","ms-graph":{"id":"XXXXX","createdDateTime":"2024-06-13T11:.co.uk","userId":"XXXXX","appId":"XXXX","appDisplayName":"XXXX","ipAddress"XXXXX","conditionalAccessStatus":"failure","isInteractive":true,"riskDetail":"hidden","riskLevelAggregated":"hidden","riskLevelDuringSignIn":"hidlayName":"XXXX","resourceId":"e03a13ee-9730-4cae-8525-47559c8cf18a","status":{"errorCode":50076,"failureReason":"Due to a configuration chanuse multi-factor authentication to access '{resource}'.","additionalDetails":"User needs to perform multi-factor authentication. There could be multiple thint, requested by client, among others."},"deviceDetail":{"deviceId":"XXXXX","displayName":"XXX","operatingSystem":"Windowsbrid Azure AD joined"},"location":{"city":"XXX","state":"XXXX","countryOrRegion":"XXX","geoCoordinates":{"altitude":null,"latitude":XXX,"longelationship":"signIns"}}


Thank you 



Mauricio Aguilar

Jun 13, 2024, 1:45:57 PM
to Wazuh | Mailing List
Hi Yanis, thanks for using Wazuh!

Please let me know:

So, have you tried using the Wazuh alert tools to test if the alert is being generated?

Have you enabled archives.log with logall=true? Do you not receive any events in archives.log?

Have you followed all the steps in the documentation?

What version of Wazuh are you using?

What steps, or what guide have you followed?

Related info:

Yanis Halit

Jun 14, 2024, 7:19:20 AM
to Wazuh | Mailing List
Hello,

I'm currently running version 4.7.3 of Wazuh.

I enabled archive.log with logall=true.

I followed the steps in the documentation for the ms-graph integration: https://documentation.wazuh.com/current/cloud-security/ms-graph/monitoring-ms-graph-activity.html


I'm currently receiving logs in my archive.json and archive.log. Testing the decoding with the "default parameter", it's decoded with the JSON decoder, which triggers an error when I look at the Filebeat log:

2024-06-12T14:56:31.280+0200    WARN    [elasticsearch] elasticsearch/client.go:408     Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xc192849fc9f55d80, ext:1213487100737846, loc:(*time.Location)(0x42417a0)}, Meta:{"pipeline":"filebeat-7.10.2-wazuh-archives-pipeline"}, Fields:{"agent":{"ephemeral_id":"XXXXX","hostname":"XXX","id":"XXXXX","name":"XXX","type":"filebeat","version":"7.10.2"},"ecs":{"version":"1.6.0"},"event":{"dataset":"wazuh.archives","module":"wazuh"},"fields":{"index_prefix":"wazuh-archives-4.x-"},"fileset":{"name":"archives"},"host":{"name":"XXXX"},"input":{"type":"log"},"log":{XXXXXXXXXXXXXXXXX}(status=400): {"type":"mapper_parsing_exception","reason":"failed to parse field [data.ms-graph.status] of type [keyword] in document with id '8N6FDJABhpqQsALiJcug'. Preview of field's value: '{failureReason=Other., errorCode=0, additionalDetails=MFA requirement satisfied by claim in the token}'","caused_by":{"type":"illegal_state_exception","reason":"Can't get text on a START_OBJECT at 1:1318"}}
Thus I'm not receiving the logs that are in archive.log/json in the alerts.log/json file, as I'm using a rule to trigger this kind of event (which works, because I'm receiving the email alerts), so these logs aren't displayed on my dashboard.

So I tried to use a custom decoder based on the logs I sent in my first email:

<decoder name="ms-graph-log">
    <prematch>^\.*->ms-graph {"integration":"ms-graph","ms-graph":</prematch>
</decoder>

<decoder name="ms-graph-child-log">
    <parent>ms-graph-log</parent>
    <regex offset="after_parent">^{"id":(\.*),"createdDateTime":(\.*),"userDisplayName":(\.*),"userPrincipalName":(\.*),"userId":(\.*),"appId":(\.*),"appDisplayName":(\.*),"ipAddress":(\.*),"clientAppUsed":(\.*),"correlationId":(\.*),"conditionalAccessStatus":(\.*),"isInteractive":(\.*),"riskDetail":(\.*),"riskLevelAggregated":(\.*),"riskLevelDuringSignIn":(\.*),"riskState":(\.*),"riskEventTypes":(\.*),"riskEventTypes_v2":(\.*),"resourceDisplayName":(\.*),"resourceId":(\.*),"status":{"errorCode":(\.*),"failureReason":(\.*).","additionalDetails":(\.*)},"deviceDetail":{"deviceId":(\.*),"displayName":(\.*),"operatingSystem":(\.*),"browser":(\.*),"isCompliant":(\.*),"isManaged":(\.*),"trustType":(\.*)},"location":{"city":(\.*),"state":(\.*),"countryOrRegion":(\.*),"geoCoordinates":{"altitude":(\.*),"latitude":(\.*),"longitude":(\.*)}},"appliedConditionalAccessPolicies":(\.*),"resource":(\.*),"relationship":(\.*)}}$</regex>
    <!-- One name per capture group, in regex order. The regex has 39 groups and none of them
         captures "integration" (it is consumed by the parent prematch), so listing it first
         shifts every value one field to the left and drops the last field ("relationship"). -->
    <order>id,createdDateTime,userDisplayName,userPrincipalName,userId,appId,appDisplayName,ipAddress,clientAppUsed,correlationId,conditionalAccessStatus,isInteractive,riskDetail,riskLevelAggregated,riskLevelDuringSignIn,riskState,riskEventTypes,riskEventTypes_v2,resourceDisplayName,resourceId,errorCode,failureReason,additionalDetails,deviceId,displayName,operatingSystem,browser,isCompliant,isManaged,trustType,city,state,countryOrRegion,altitude,latitude,longitude,appliedConditionalAccessPolicies,resource,relationship</order>
</decoder>


I also used this rule:

<group name="MS-Graph">

    <rule id="100102" level="13">
        <decoded_as>ms-graph-log</decoded_as>
        <description>ms-graph test.</description>
        <options>alert_by_email</options>
    </rule>

</group>


When I'm testing the decoder and rule with /var/ossec/bin/wazuh-logtest I get this:

Log as I am receiving it in archive.log:

2024 Jun 13 16:49:44 glowazlp01->ms-graph {"integration":"ms-graph","ms-graph":{"id":"-a05d-3a28a59c1900","createdDateTime":"2024-06-13T14:44:42Z","userDisplayName":"8-b87b-a881a1f45655","userPrincipalName":"a881a1f45655","userId":"867d82b5a1f45655","appId":"ab1b-5451cc387264","appDisplayName":"Microsoft Teams","ipAddress":"77.105","clientAppUsed":"","correlationId":"4cd5-bfb8-0eb1d7c46d58","conditionalAccessStatus":"notApplied","isInteractive":true,"riskDetail":"hidden","riskLevelAggregated":"hidden","riskLevelDuringSignIn":"hidden","riskState":"none","riskEventTypes":[],"riskEventTypes_v2":[],"resourceDisplayName":"Office 365 Search Service","resourceId":"66a88757-258c-4c72-893c-3e8bed4d6899","status":{"errorCode":50074,"failureReason":"Strong Authentication is required.","additionalDetails":"User needs to perform multi-factor authentication. There could be multiple things requiring multi-factor, e.g. Conditional Access policies, per-user enforcement, requested by client, among others."},"deviceDetail":{"deviceId":"","displayName":"","operatingSystem":"Windows","browser":"Edge 18.19045","isCompliant":false,"isManaged":false,"trustType":""},"location":{"city":"","state":"","countryOrRegion":"","geoCoordinates":{"altitude":null,"latitude":null,"longitude":null}},"appliedConditionalAccessPolicies":[],"resource":"auditLogs","relationship":"signIns"}}


Result with logtest:

**Phase 1: Completed pre-decoding.
full event: '2024 Jun 13 16:49:44 glowazlp01->ms-graph {"integration":"ms-graph","ms-graph":{"id":"-a05d-3a28a59c1900","createdDateTime":"2024-06-13T14:44:42Z","userDisplayName":"8-b87b-a881a1f45655","userPrincipalName":"a881a1f45655","userId":"867d82b5a1f45655","appId":"ab1b-5451cc387264","appDisplayName":"Microsoft Teams","ipAddress":"77.105","clientAppUsed":"","correlationId":"4cd5-bfb8-0eb1d7c46d58","conditionalAccessStatus":"notApplied","isInteractive":true,"riskDetail":"hidden","riskLevelAggregated":"hidden","riskLevelDuringSignIn":"hidden","riskState":"none","riskEventTypes":[],"riskEventTypes_v2":[],"resourceDisplayName":"Office 365 Search Service","resourceId":"66a88757-258c-4c72-893c-3e8bed4d6899","status":{"errorCode":50074,"failureReason":"Strong Authentication is required.","additionalDetails":"User needs to perform multi-factor authentication. There could be multiple things requiring multi-factor, e.g. Conditional Access policies, per-user enforcement, requested by client, among others."},"deviceDetail":{"deviceId":"","displayName":"","operatingSystem":"Windows","browser":"Edge 18.19045","isCompliant":false,"isManaged":false,"trustType":""},"location":{"city":"","state":"","countryOrRegion":"","geoCoordinates":{"altitude":null,"latitude":null,"longitude":null}},"appliedConditionalAccessPolicies":[],"resource":"auditLogs","relationship":"signIns"}}'
timestamp: '2024 Jun 13 16:49:44'

**Phase 2: Completed decoding.
name: 'ms-graph-log' additionalDetails: '""' altitude: 'null' appDisplayName: '"77.105"' appId: '"Microsoft Teams"' appliedConditionalAccessPolicies: '"auditLogs"' browser: 'false' city: '""' clientAppUsed: '"4cd5-bfb8-0eb1d7c46d58"' conditionalAccessStatus: 'true' correlationId: '"notApplied"' countryOrRegion: 'null' createdDateTime: '"8-b87b-a881a1f45655"' deviceId: '""' displayName: '"Windows"' errorCode: '"Strong Authentication is required' failureReason: '"User needs to perform multi-factor authentication. There could be multiple things requiring multi-factor, e.g. Conditional Access policies, per-user enforcement, requested by client, among others."' id: '"2024-06-13T14:44:42Z"' integration: '"-a05d-3a28a59c1900"' ipAddress: '""' isCompliant: 'false' isInteractive: '"hidden"' isManaged: '""' latitude: 'null' longitude: '[]' operatingSystem: '"Edge 18.19045"' resource: '"signIns"' resourceDisplayName: '"66a88757-258c-4c72-893c-3e8bed4d6899"' resourceId: '50074' riskDetail: '"hidden"' riskEventTypes: '[]' riskEventTypes_v2: '"Office 365 Search Service"' riskLevelAggregated: '"hidden"' riskLevelDuringSignIn: '"none"' riskState: '[]' state: '""' trustType: '""' userDisplayName: '"a881a1f45655"' userId: '"ab1b-5451cc387264"' userPrincipalName: '"867d82b5a1f45655"'

**Phase 3: Completed filtering (rules).
id: '100102' level: '13' description: 'ms-graph test.' groups: '["MS-Graph"]' firedtimes: '3' mail: 'true'

**Alert to be generated.

My rule is triggered, but nothing in alerts.log/json :/


Thank you for your help
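The decoding output above shows every value stored under the name before its own (id holding the createdDateTime value, and so on). This is an added example, not code from the thread or from Wazuh, that checks a decoder file for exactly that defect: an <order> whose length differs from the number of capture groups in <regex>. The decoder XML in it is a constructed, shortened copy of the one posted above, and the helper that pairs values with names mirrors the positional assignment the decoder performs.

```python
import re
import xml.etree.ElementTree as ET

# Constructed, shortened copy of the decoder pair from the thread. It keeps the
# defect of the original: <order> names one field more ("integration") than the
# <regex> has capture groups, so every decoded value lands one field early.
DECODERS_XML = r"""<decoders>
<decoder name="ms-graph-log">
  <prematch>^\.*->ms-graph {"integration":"ms-graph","ms-graph":</prematch>
</decoder>
<decoder name="ms-graph-child-log">
  <parent>ms-graph-log</parent>
  <regex offset="after_parent">^{"id":(\.*),"createdDateTime":(\.*),"userId":(\.*)}}$</regex>
  <order>integration,id,createdDateTime,userId</order>
</decoder>
</decoders>"""


def count_capture_groups(os_regex: str) -> int:
    """Count unescaped '(' in a Wazuh OS_Regex expression; '\\(' is a literal."""
    return len(re.findall(r"(?<!\\)\(", os_regex))


def check_decoder_order(xml_text: str) -> dict:
    """Return {decoder name: (capture groups, order fields)} for every decoder
    whose <order> length differs from the number of groups in its <regex>.
    Decoder files carry several top-level <decoder> elements, so wrap the
    file contents in a single root element before calling this."""
    mismatches = {}
    for dec in ET.fromstring(xml_text).iter("decoder"):
        regex, order = dec.find("regex"), dec.find("order")
        if regex is None or order is None:
            continue
        groups = count_capture_groups(regex.text or "")
        fields = [f.strip() for f in (order.text or "").split(",") if f.strip()]
        if groups != len(fields):
            mismatches[dec.get("name")] = (groups, len(fields))
    return mismatches


def assign_fields(order_fields: list, captured: list) -> dict:
    """Pair captured values with <order> names positionally, as the decoder
    does. With a surplus name at the front, each value is stored under the
    previous field's name and the last name receives nothing, which is the
    pattern visible in the logtest output above (id holding createdDateTime)."""
    return dict(zip(order_fields, captured))


if __name__ == "__main__":
    print(check_decoder_order(DECODERS_XML))   # {'ms-graph-child-log': (3, 4)}
    print(assign_fields(["integration", "id", "createdDateTime", "userId"],
                        ['"abc"', '"2024-06-13T14:44:42Z"', '"u1"']))
```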

Mauricio Aguilar

Jun 14, 2024, 5:29:25 PM
to Wazuh | Mailing List
Hi again, please let me check this.

Mauricio Aguilar

Jun 25, 2024, 9:16:49 AM
to Wazuh | Mailing List
Hi, sorry for the delay.
Whenever an event is indexed that contains a field not present in that index's mapping, the field is assigned a type dependent on the data present. You can check your current index mapping under the index management section.
In this case, it seems like the first time the data.ms-graph.status field appeared, it was assigned the keyword type, but in the event you shared with us, it is an object:
"status": {
    "errorCode": 50074,
    "failureReason": "Strong Authentication is required.",
    "additionalDetails": "User needs to perform multi-factor authentication. There could be multiple things requiring multi-factor, e.g. Conditional Access policies, per-user enforcement, requested by client, among others."
},

In order to prevent these kinds of alerts from happening in the future, I would recommend updating the index mapping template so that future events are handled correctly as objects.
To do this, you can edit the file /etc/filebeat/wazuh-template.json on your manager's machine. Add a mapping under the data.properties object for "status" with the type "object" or "flattened".
You can learn more about field data types at this URL: https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping-types.html

I hope this helps!
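An added example (not part of the thread and not Wazuh or Filebeat code) of the check behind this answer: it walks an event against an index mapping and reports every field whose mapped type cannot hold the value the event carries, then adds an object mapping along the full dotted path the Filebeat error named, data.ms-graph.status, creating the intermediate "properties" levels. The mapping excerpt and the event are constructed to match the situation described above.

```python
from copy import deepcopy

# Constructed excerpt of an index mapping in which data.ms-graph.status was
# first seen as a string and was therefore dynamically mapped as keyword.
MAPPING = {"properties": {"data": {"properties": {
    "ms-graph": {"properties": {
        "id": {"type": "keyword"},
        "status": {"type": "keyword"},
    }},
}}}}

# Constructed event shaped like the sign-in log in the thread: status is now
# a JSON object, which is what the mapper_parsing_exception rejects.
EVENT = {"data": {"ms-graph": {
    "id": "XXXXX",
    "status": {"errorCode": 50074,
               "failureReason": "Strong Authentication is required."},
}}}

OBJECT_TYPES = ("object", "flattened", "nested")


def find_type_conflicts(props: dict, doc: dict, prefix: str = "") -> list:
    """Walk an event against a mapping 'properties' tree and return
    (dotted path, mapped type) for each field whose mapped type cannot hold
    the value the event carries. Unmapped fields are skipped: the index
    would map those dynamically, as happened to status the first time."""
    conflicts = []
    for key, value in doc.items():
        path, spec = f"{prefix}{key}", props.get(key)
        if spec is None:
            continue
        if isinstance(value, dict):
            if "properties" in spec:
                conflicts += find_type_conflicts(spec["properties"], value, path + ".")
            elif spec.get("type") not in OBJECT_TYPES:
                conflicts.append((path, spec.get("type")))  # object into a scalar type
        elif "properties" in spec or spec.get("type") in ("object", "nested"):
            conflicts.append((path, "object"))  # concrete value where an object is mapped
    return conflicts


def add_object_mapping(mapping: dict, dotted_path: str, field_type: str = "object") -> dict:
    """Return a copy of the template mapping with dotted_path mapped as
    field_type, creating the intermediate 'properties' levels as needed."""
    fixed = deepcopy(mapping)
    node, parts = fixed, dotted_path.split(".")
    for part in parts[:-1]:
        node = node.setdefault("properties", {}).setdefault(part, {})
    node.setdefault("properties", {})[parts[-1]] = {"type": field_type}
    return fixed


if __name__ == "__main__":
    print(find_type_conflicts(MAPPING["properties"], EVENT))  # [('data.ms-graph.status', 'keyword')]
    fixed = add_object_mapping(MAPPING, "data.ms-graph.status")
    print(find_type_conflicts(fixed["properties"], EVENT))    # []
```

A template edit only applies to indices created after the change; an index that already mapped status as keyword keeps that mapping until it is rolled over.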

Yanis Halit

Jun 26, 2024, 4:56:06 AM
to Wazuh | Mailing List
Hello, 

Thank you for your answer, but after following your instructions (changed the type of status from "keyword" to "object") I'm facing this kind of Kibana log (/var/log/filebeat/filebeat) error:


2024-06-26T10:04:59.126+0200    INFO    log/harvester.go:302    Harvester started for file: /var/ossec/logs/alerts/alerts.json
2024-06-26T10:10:04.132+0200    INFO    log/harvester.go:333    File is inactive: /var/ossec/logs/alerts/alerts.json. Closing because close_inactive of 5m0s reached.



Here is a part of my /etc/filebeat/wazuh-template.json:

"data": {
        "properties": {
          "audit": {
            "properties": {
              "acct": {
                "type": "keyword"
              },
              "arch": {
                "type": "keyword"
              },
              "auid": {
                "type": "keyword"
              },
              "command": {
                "type": "keyword"
              },
              "cwd": {
                "type": "keyword"
              },
              "dev": {
                "type": "keyword"
              },
              "directory": {
                "properties": {
                  "inode": {
                    "type": "keyword"
                  },
                  "mode": {
                    "type": "keyword"
                  },
                  "name": {
                    "type": "keyword"
                  }
                }
              },
              "egid": {
                "type": "keyword"
              },
              "enforcing": {
                "type": "keyword"
              },
              "euid": {
                "type": "keyword"
              },
              "exe": {
                "type": "keyword"
              },
              "execve": {
                "properties": {
                  "a0": {
                    "type": "keyword"
                  },
                  "a1": {
                    "type": "keyword"
                  },
                  "a2": {
                    "type": "keyword"
                  },
                  "a3": {
                    "type": "keyword"
                  }
                }
              },
              "exit": {
                "type": "keyword"
              },
              "file": {
                "properties": {
                  "inode": {
                    "type": "keyword"
                  },
                  "mode": {
                    "type": "keyword"
                  },
                  "name": {
                    "type": "keyword"
                  }
                }
              },
              "fsgid": {
                "type": "keyword"
              },
              "fsuid": {
                "type": "keyword"
              },
              "gid": {
                "type": "keyword"
              },
              "id": {
                "type": "keyword"
              },
              "key": {
                "type": "keyword"
              },
              "list": {
                "type": "keyword"
              },
              "old-auid": {
                "type": "keyword"
              },
              "old-ses": {
                "type": "keyword"
              },
              "old_enforcing": {
                "type": "keyword"
              },
              "old_prom": {
                "type": "keyword"
              },
              "op": {
                "type": "keyword"
              },
              "pid": {
                "type": "keyword"
              },
              "ppid": {
                "type": "keyword"
              },
              "prom": {
                "type": "keyword"
              },
              "res": {
                "type": "keyword"
              },
              "session": {
                "type": "keyword"
              },
              "sgid": {
                "type": "keyword"
              },
              "srcip": {
                "type": "keyword"
              },
              "subj": {
                "type": "keyword"
              },
              "success": {
                "type": "keyword"
              },
              "suid": {
                "type": "keyword"
              },
              "syscall": {
                "type": "keyword"
              },
              "tty": {
                "type": "keyword"
              },
              "type": {
                "type": "keyword"
              },
              "uid": {
                "type": "keyword"
              }
            }
          },
          "protocol": {
            "type": "keyword"
          },
          "action": {
            "type": "keyword"
          },
          "srcip": {
            "type": "keyword"
          },
          "dstip": {
            "type": "keyword"
          },
          "srcport": {
            "type": "keyword"
          },
          "dstport": {
            "type": "keyword"
          },
          "srcuser": {
            "type": "keyword"
          },
          "dstuser": {
            "type": "keyword"
          },
          "id": {
            "type": "keyword"
          },
          "status": {
            "type": "object"
          },

          "data": {
            "type": "keyword"
          },

Mauricio Aguilar

Jun 27, 2024, 5:21:28 PM
to Wazuh | Mailing List
OK, and in archive.log you don't see any errors?