wazuh missing ms-graph events

[leon appel]

Hi

I am having an issue with ms-graph not sending all events to wazuh

I tried updating the template and also tried a the following pipeline, with the result more logs werent visible in the console

    {
     "rename": {
       "if": "ctx?.microsoft.graph.riskDetection instanceof Map",
       "field": "createdDateTime",
       "target_field": "detectedDateTime",
       "ignore_missing": true
      }
    },

Thank you

[Ifeanyi Onyia Odike]

Hi Leon,

Can you share your ms-graph configuration block from ossec.conf and tell me what logs you would like to receive?

Regards,

[leon appel]

Hi

These are the configs 

https://www.reddit.com/media?url=https%3A%2F%2Fpreview.redd.it%2Fvarious-wazuh-4-9-errors-v0-jy72godq07od1.jpeg%3Fwidth%3D572%26format%3Dpjpg%26auto%3Dwebp%26s%3D0b2da66ebb78ff91337d2a0b4abf8576b0a4bdad

https://www.reddit.com/media?url=https%3A%2F%2Fpreview.redd.it%2Fvarious-wazuh-4-9-errors-v0-sf16k6mr07od1.jpeg%3Fwidth%3D523%26format%3Dpjpg%26auto%3Dwebp%26s%3Da38bd8a3e64e4fb002435215c444a3b83ba079b9

Thanks

[Ifeanyi Onyia Odike]

The configuration looks good.
What events are you missing?

[leon appel]

Hi

I am missing these as its somewhere getting the information from that it needs to list createdDateTime but that dont exist in azure. Azure has a property called activityDateTime but where exactly would you change createdDateTime to activityDateTime.

The current config:

<name>identityProtection</name>
<relationship>riskDetections</relationship>

Kind Regards

Leon

[Ifeanyi Onyia Odike]

Hi Lean

I think I understand the issue here:
Can you share with me the log that shows the failed lookup for the condition you meant in this statement: "I am missing these as its somewhere getting the information from that it needs to list createdDateTime but that dont exist in azure."

Can you also confirm your Wazuh version? The ms-graph script retrieves logs using both activityDateTime and createdDateTime conditions. 

[leon appel]

Hi Ifeanyi

This is the error

2024/09/25 14:51:01 wazuh-modulesd:ms-graph: WARNING: Received unsuccessful status code when attempting to get relationship 'riskDetections' logs: Status code was '400' & response was '{"error":{"code":"BadRequest","message":"Invalid filter clause: Could not find a property named 'createdDateTime' on type 'microsoft.graph.riskDetection'.","innerError":{"date":"2024-09-25T13:51:01","request-id":"0b75322c-3694-4634-b2c2-32019280bc38","client-request-id":"0b75322c-3694-4634-b2c2-32019280bc38"}}}'

Regards

[Ifeanyi Onyia Odike]

Hi Leon,

I for some reason, it encounters this challenge when trying to access logs using the identityProtection endpoint. I will have to take this issue internally.

Thank you for bringing this up. I will let you know if there are any updates.

[leon appel]

Hi Ifeanyi

Would there be any way I can perhaps either change the property its lookin for to something like activityDateTime

Kind Regards

[Ifeanyi Onyia Odike]

Modifying this by yourself will mean that you have to understand the ms-graph script stored at /var/ossec/wodles/azure/azure_services/graph.py, and this might be technically complicated.