Wazuh 4.8.1 MsGraph


Ricardo Mendonça

Aug 1, 2024, 9:46:25 AM
to Wazuh | Mailing List
Hi all,

MsGraph for security alerts has been working flawlessly since Wazuh version 4.7.3, with forwarding to a DFIR solution.

Since 4.8.1 upgrade:

Log Alert Level - 3
Logall Option - Log from msgraph is received in archives.json
Ruleset Test - Log is completely decoded correctly with Rule Level 6, Rule ID 99586 and Rule Groups ms-graph
Alert is exported correctly to my DFIR solution, and I can see the raw information coming from Wazuh (so it's working)
In the Discover menu I cannot see any alert from the msgraph rule group, or from rule ID 99586, or from rule groups ms-graph.

So, everything's working great, besides msgraph alerts not being displayed in the Discover menu. Looks like it's hidden somewhere, even though it is being decoded and parsed correctly.

Any ideas?

Farouk Musa

Aug 1, 2024, 3:19:38 PM
to Wazuh | Mailing List
Hello Ricardo,

The rule group field might not be indexed for searching yet at the time you are checking for the alerts. Can you try searching for the alert using a filter (rather than a basic search) with another field such as rule.id? Also check to ensure that you are searching the correct index (wazuh-alerts by default).

I hope this helps.

Ricardo Mendonça

Aug 2, 2024, 3:44:37 AM
to Wazuh | Mailing List
Thanks Farouk for your answer.
I'm searching in the correct index, where all other logs from different solutions are shown, and searching for rule.id, rule.level, rule.groups, or even for the user identified in the alert, and the result is nothing. I know it's working, because it's exporting the alert to my DFIR solution, and it has to be parsed correctly in Wazuh first. The problem is that I can't see these alerts. Looks like something is hiding them.

Farouk Musa

Aug 2, 2024, 5:45:12 AM
to Wazuh | Mailing List
Hi. Thanks for the additional info. Can you confirm if this affects all MS Graph rules? Also, can you provide me with a sample alert (redacted) from the alerts.json file and, if possible, a screenshot of your search so I can try to replicate your issue.

Thanks.

Ricardo Mendonça

Aug 2, 2024, 6:49:23 AM
to Wazuh | Mailing List
Thanks once again for your answer. Here it goes.

Edited alert:

{"timestamp":"2024-08-01T13:39:41.608+0100","rule":{"level":6,"description":"MS Graph message: Alerts on threats associated with prevalent malware.","id":"99586","firedtimes":7,"mail":false,"groups":["ms-graph"]},"agent":{"id":"000","name":"WazuhServer"},"manager":{"name":"WazuhServer"},"id":"1722515981.4888132226","full_log":"{\"integration\":\"ms-graph\",\"ms-graph\":{\"id\":\"******Id******\",\"providerAlertId\":\"******ProviderId******\",\"incidentId\":\"144968\",\"status\":\"inProgress\",\"severity\":\"low\",\"classification\":null,\"determination\":null,\"serviceSource\":\"microsoftDefenderForOffice365\",\"detectionSource\":\"microsoftDefenderForOffice365\",\"productName\":\"Microsoft Defender for Office 365\",\"detectorId\":\"******DetectorId******\",\"tenantId\":\"******TenantId******\",\"title\":\"Email reported by user as malware or phish\",\"description\":\"This alert is triggered when any email message is reported as malware or phish by users -V1.0.0.3\",\"recommendedActions\":\"\",\"category\":\"InitialAccess\",\"assignedTo\":null,\"alertWebUrl\":\"https://security.microsoft.com/alerts/******Id******?tid=******TenantId******\",\"incidentWebUrl\":\"https://security.microsoft.com/incidents/144968?tid=******TenantId******\",\"actorDisplayName\":null,\"threatDisplayName\":null,\"threatFamilyName\":null,\"mitreTechniques\":[\"T1566\"],\"createdDateTime\":\"2024-08-01T12:38:24.38Z\",\"lastUpdateDateTime\":\"2024-08-01T12:39:08.2533333Z\",\"resolvedDateTime\":null,\"firstActivityDateTime\":\"2024-08-01T12:37:00Z\",\"lastActivityDateTime\":\"2024-08-01T12:38:00Z\",\"systemTags\":[],\"alertPolicyId\":null,\"additionalData\":null,\"comments\":[],\"evidence\":[{\"@odata.type\":\"#microsoft.graph.security.mailboxEvidence\",\"createdDateTime\":\"2024-08-01T12:38:24.3966667Z\",\"verdict\":\"unknown\",\"remediationStatus\":\"none\",\"remediationStatusDetails\":null,\"roles\":[],\"detailedRoles\":[],\"tags\":[],\"primaryAddress\":\"*UserPrincipalName*\",\"displayName\":\"*UserDisplayName*\",\"userAccount\":{\"accountName\":\"***UserAccount****\",\"domainName\":\"***UserDomain****\",\"userSid\":\"***UserSId****\",\"azureAdUserId\":\"***AzureId****\",\"userPrincipalName\":\"*UserPrincipalName*\",\"displayName\":null}},{\"@odata.type\":\"#microsoft.graph.security.analyzedMessageEvidence\",\"createdDateTime\":\"2024-08-01T12:38:24.3966667Z\",\"verdict\":\"unknown\",\"remediationStatus\":\"none\",\"remediationStatusDetails\":null,\"roles\":[],\"detailedRoles\":[],\"tags\":[],\"networkMessageId\":\"******NMessageId\",\"internetMessageId\":\"******MessageId.eurprd01.prod.exchangelabs.com\",\"subject\":\"******Subject******\",\"language\":null,\"senderIp\":\"*.*.*.*\",\"recipientEmailAddress\":\"*UserPrincipalName*\",\"antiSpamDirection\":null,\"deliveryAction\":null,\"deliveryLocation\":null,\"urn\":null,\"threats\":[],\"threatDetectionMethods\":[],\"urls\":[],\"urlCount\":0,\"attachmentsCount\":0,\"receivedDateTime\":\"2024-08-01T11:26:25.3835934Z\",\"p1Sender\":{\"emailAddress\":null,\"displayName\":null,\"domainName\":null},\"p2Sender\":{\"emailAddress\":\"***P2Email****\",\"displayName\":null,\"domainName\":null}},{\"@odata.type\":\"#microsoft.graph.security.userEvidence\",\"createdDateTime\":\"2024-08-01T12:38:24.3966667Z\",\"verdict\":\"unknown\",\"remediationStatus\":\"none\",\"remediationStatusDetails\":null,\"roles\":[],\"detailedRoles\":[],\"tags\":[],\"stream\":null,\"userAccount\":{\"accountName\":\"***UserAccount****\",\"domainName\":\"***UserDomain****\",\"userSid\":\"***UserSId****\",\"azureAdUserId\":\"***AzureId****\",\"userPrincipalName\":\"*UserPrincipalName*\",\"displayName\":\"*UserDisplayName*\"}}],\"resource\":\"security\",\"relationship\":\"alerts_v2\"}}","decoder":{"name":"json"},"data":{"integration":"ms-graph","ms-graph":{"id":"******Id******","providerAlertId":"******ProviderId******","incidentId":"144968","status":"inProgress","severity":"low","classification":"null","determination":"null","serviceSource":"microsoftDefenderForOffice365","detectionSource":"microsoftDefenderForOffice365","productName":"Microsoft Defender for Office 365","detectorId":"******DetectorId******","tenantId":"******TenantId******","title":"Email reported by user as malware or phish","description":"This alert is triggered when any email message is reported as malware or phish by users -V1.0.0.3","category":"InitialAccess","assignedTo":"null","alertWebUrl":"https://security.microsoft.com/alerts/******Id******?tid=******TenantId******","incidentWebUrl":"https://security.microsoft.com/incidents/144968?tid=******TenantId******","actorDisplayName":"null","threatDisplayName":"null","threatFamilyName":"null","mitreTechniques":["T1566"],"createdDateTime":"2024-08-01T12:38:24.38Z","lastUpdateDateTime":"2024-08-01T12:39:08.2533333Z","resolvedDateTime":"null","firstActivityDateTime":"2024-08-01T12:37:00Z","lastActivityDateTime":"2024-08-01T12:38:00Z","systemTags":[],"alertPolicyId":"null","additionalData":"null","comments":[],"evidence":[{"@odata.type":"#microsoft.graph.security.mailboxEvidence","createdDateTime":"2024-08-01T12:38:24.3966667Z","verdict":"unknown","remediationStatus":"none","remediationStatusDetails":null,"roles":[],"detailedRoles":[],"tags":[],"primaryAddress":"*UserPrincipalName*","displayName":"*UserDisplayName*","userAccount":{"accountName":"***UserAccount****","domainName":"***UserDomain****","userSid":"***UserSId****","azureAdUserId":"***AzureId****","userPrincipalName":"*UserPrincipalName*","displayName":null}},{"@odata.type":"#microsoft.graph.security.analyzedMessageEvidence","createdDateTime":"2024-08-01T12:38:24.3966667Z","verdict":"unknown","remediationStatus":"none","remediationStatusDetails":null,"roles":[],"detailedRoles":[],"tags":[],"networkMessageId":"******NMessageId","internetMessageId":"******MessageId.eurprd01.prod.exchangelabs.com","subject":"******Subject******","language":null,"senderIp":"*.*.*.*","recipientEmailAddress":"*UserPrincipalName*","antiSpamDirection":null,"deliveryAction":null,"deliveryLocation":null,"urn":null,"threats":[],"threatDetectionMethods":[],"urls":[],"urlCount":0,"attachmentsCount":0,"receivedDateTime":"2024-08-01T11:26:25.3835934Z","p1Sender":{"emailAddress":null,"displayName":null,"domainName":null},"p2Sender":{"emailAddress":"***P2Email****","displayName":null,"domainName":null}},{"@odata.type":"#microsoft.graph.security.userEvidence","createdDateTime":"2024-08-01T12:38:24.3966667Z","verdict":"unknown","remediationStatus":"none","remediationStatusDetails":null,"roles":[],"detailedRoles":[],"tags":[],"stream":null,"userAccount":{"accountName":"***UserAccount****","domainName":"***UserDomain****","userSid":"***UserSId****","azureAdUserId":"***AzureId****","userPrincipalName":"*UserPrincipalName*","displayName":"*UserDisplayName*"}}],"resource":"security","relationship":"alerts_v2"}},"location":"ms-graph"}

---- and decoded ----


**Phase 1: Completed pre-decoding.
full event: '{"timestamp":"2024-08-01T13:39:41.608+0100","rule":{"level":6,"description":"MS Graph message: Alerts on threats associated with prevalent malware.","id":"99586","firedtimes":7,"mail":false,"groups":["ms-graph"]},"agent":{"id":"000","name":"WazuhServer"},"manager":{"name":"WazuhServer"},"id":"1722515981.4888132226","full_log":"{\"integration\":\"ms-graph\",\"ms-graph\":{\"id\":\"******Id******\",\"providerAlertId\":\"******ProviderId******\",\"incidentId\":\"144968\",\"status\":\"inProgress\",\"severity\":\"low\",\"classification\":null,\"determination\":null,\"serviceSource\":\"microsoftDefenderForOffice365\",\"detectionSource\":\"microsoftDefenderForOffice365\",\"productName\":\"Microsoft Defender for Office 365\",\"detectorId\":\"******DetectorId******\",\"tenantId\":\"******TenantId******\",\"title\":\"Email reported by user as malware or phish\",\"description\":\"This alert is triggered when any email message is reported as malware or phish by users -V1.0.0.3\",\"recommendedActions\":\"\",\"category\":\"InitialAccess\",\"assignedTo\":null,\"alertWebUrl\":\"https://security.microsoft.com/alerts/******Id******?tid=******TenantId******\",\"incidentWebUrl\":\"https://security.microsoft.com/incidents/144968?tid=******TenantId******\",\"actorDisplayName\":null,\"threatDisplayName\":null,\"threatFamilyName\":null,\"mitreTechniques\":[\"T1566\"],\"createdDateTime\":\"2024-08-01T12:38:24.38Z\",\"lastUpdateDateTime\":\"2024-08-01T12:39:08.2533333Z\",\"resolvedDateTime\":null,\"firstActivityDateTime\":\"2024-08-01T12:37:00Z\",\"lastActivityDateTime\":\"2024-08-01T12:38:00Z\",\"systemTags\":[],\"alertPolicyId\":null,\"additionalData\":null,\"comments\":[],\"evidence\":[{\"@odata.type\":\"#microsoft.graph.security.mailboxEvidence\",\"createdDateTime\":\"2024-08-01T12:38:24.3966667Z\",\"verdict\":\"unknown\",\"remediationStatus\":\"none\",\"remediationStatusDetails\":null,\"roles\":[],\"detailedRoles\":[],\"tags\":[],\"primaryAddress\":\"*UserPrincipalName*\",\"displayName\":\"*UserDisplayName*\",\"userAccount\":{\"accountName\":\"***UserAccount****\",\"domainName\":\"***UserDomain****\",\"userSid\":\"***UserSId****\",\"azureAdUserId\":\"***AzureId****\",\"userPrincipalName\":\"*UserPrincipalName*\",\"displayName\":null}},{\"@odata.type\":\"#microsoft.graph.security.analyzedMessageEvidence\",\"createdDateTime\":\"2024-08-01T12:38:24.3966667Z\",\"verdict\":\"unknown\",\"remediationStatus\":\"none\",\"remediationStatusDetails\":null,\"roles\":[],\"detailedRoles\":[],\"tags\":[],\"networkMessageId\":\"******NMessageId\",\"internetMessageId\":\"******MessageId.eurprd01.prod.exchangelabs.com\",\"subject\":\"******Subject******\",\"language\":null,\"senderIp\":\"*.*.*.*\",\"recipientEmailAddress\":\"*UserPrincipalName*\",\"antiSpamDirection\":null,\"deliveryAction\":null,\"deliveryLocation\":null,\"urn\":null,\"threats\":[],\"threatDetectionMethods\":[],\"urls\":[],\"urlCount\":0,\"attachmentsCount\":0,\"receivedDateTime\":\"2024-08-01T11:26:25.3835934Z\",\"p1Sender\":{\"emailAddress\":null,\"displayName\":null,\"domainName\":null},\"p2Sender\":{\"emailAddress\":\"***P2Email****\",\"displayName\":null,\"domainName\":null}},{\"@odata.type\":\"#microsoft.graph.security.userEvidence\",\"createdDateTime\":\"2024-08-01T12:38:24.3966667Z\",\"verdict\":\"unknown\",\"remediationStatus\":\"none\",\"remediationStatusDetails\":null,\"roles\":[],\"detailedRoles\":[],\"tags\":[],\"stream\":null,\"userAccount\":{\"accountName\":\"***UserAccount****\",\"domainName\":\"***UserDomain****\",\"userSid\":\"***UserSId****\",\"azureAdUserId\":\"***AzureId****\",\"userPrincipalName\":\"*UserPrincipalName*\",\"displayName\":\"*UserDisplayName*\"}}],\"resource\":\"security\",\"relationship\":\"alerts_v2\"}}","decoder":{"name":"json"},"data":{"integration":"ms-graph","ms-graph":{"id":"******Id******","providerAlertId":"******ProviderId******","incidentId":"144968","status":"inProgress","severity":"low","classification":"null","determination":"null","serviceSource":"microsoftDefenderForOffice365","detectionSource":"microsoftDefenderForOffice365","productName":"Microsoft Defender for Office 365","detectorId":"******DetectorId******","tenantId":"******TenantId******","title":"Email reported by user as malware or phish","description":"This alert is triggered when any email message is reported as malware or phish by users -V1.0.0.3","category":"InitialAccess","assignedTo":"null","alertWebUrl":"https://security.microsoft.com/alerts/******Id******?tid=******TenantId******","incidentWebUrl":"https://security.microsoft.com/incidents/144968?tid=******TenantId******","actorDisplayName":"null","threatDisplayName":"null","threatFamilyName":"null","mitreTechniques":["T1566"],"createdDateTime":"2024-08-01T12:38:24.38Z","lastUpdateDateTime":"2024-08-01T12:39:08.2533333Z","resolvedDateTime":"null","firstActivityDateTime":"2024-08-01T12:37:00Z","lastActivityDateTime":"2024-08-01T12:38:00Z","systemTags":[],"alertPolicyId":"null","additionalData":"null","comments":[],"evidence":[{"@odata.type":"#microsoft.graph.security.mailboxEvidence","createdDateTime":"2024-08-01T12:38:24.3966667Z","verdict":"unknown","remediationStatus":"none","remediationStatusDetails":null,"roles":[],"detailedRoles":[],"tags":[],"primaryAddress":"*UserPrincipalName*","displayName":"*UserDisplayName*","userAccount":{"accountName":"***UserAccount****","domainName":"***UserDomain****","userSid":"***UserSId****","azureAdUserId":"***AzureId****","userPrincipalName":"*UserPrincipalName*","displayName":null}},{"@odata.type":"#microsoft.graph.security.analyzedMessageEvidence","createdDateTime":"2024-08-01T12:38:24.3966667Z","verdict":"unknown","remediationStatus":"none","remediationStatusDetails":null,"roles":[],"detailedRoles":[],"tags":[],"networkMessageId":"******NMessageId","internetMessageId":"******MessageId.eurprd01.prod.exchangelabs.com","subject":"******Subject******","language":null,"senderIp":"*.*.*.*","recipientEmailAddress":"*UserPrincipalName*","antiSpamDirection":null,"deliveryAction":null,"deliveryLocation":null,"urn":null,"threats":[],"threatDetectionMethods":[],"urls":[],"urlCount":0,"attachmentsCount":0,"receivedDateTime":"2024-08-01T11:26:25.3835934Z","p1Sender":{"emailAddress":null,"displayName":null,"domainName":null},"p2Sender":{"emailAddress":"***P2Email****","displayName":null,"domainName":null}},{"@odata.type":"#microsoft.graph.security.userEvidence","createdDateTime":"2024-08-01T12:38:24.3966667Z","verdict":"unknown","remediationStatus":"none","remediationStatusDetails":null,"roles":[],"detailedRoles":[],"tags":[],"stream":null,"userAccount":{"accountName":"***UserAccount****","domainName":"***UserDomain****","userSid":"***UserSId****","azureAdUserId":"***AzureId****","userPrincipalName":"*UserPrincipalName*","displayName":"*UserDisplayName*"}}],"resource":"security","relationship":"alerts_v2"}},"location":"ms-graph"}'

**Phase 2: Completed decoding.
name: 'json'
agent.id: '000'
agent.name: 'WazuhServer'
data.integration: 'ms-graph'
data.ms-graph.actorDisplayName: 'null'
data.ms-graph.additionalData: 'null'
data.ms-graph.alertPolicyId: 'null'
data.ms-graph.alertWebUrl: 'https://security.microsoft.com/alerts/******Id******?tid=******TenantId******'
data.ms-graph.assignedTo: 'null'
data.ms-graph.category: 'InitialAccess'
data.ms-graph.classification: 'null'
data.ms-graph.comments: '[]'
data.ms-graph.createdDateTime: '2024-08-01T12:38:24.38Z'
data.ms-graph.description: 'This alert is triggered when any email message is reported as malware or phish by users -V1.0.0.3'
data.ms-graph.detectionSource: 'microsoftDefenderForOffice365'
data.ms-graph.detectorId: '******DetectorId******'
data.ms-graph.determination: 'null'
data.ms-graph.evidence: '[{"@odata.type":"#microsoft.graph.security.mailboxEvidence","createdDateTime":"2024-08-01T12:38:24.3966667Z","verdict":"unknown","remediationStatus":"none","remediationStatusDetails":null,"roles":[],"detailedRoles":[],"tags":[],"primaryAddress":"*UserPrincipalName*","displayName":"*UserDisplayName*","userAccount":{"accountName":"***UserAccount****","domainName":"***UserDomain****","userSid":"***UserSId****","azureAdUserId":"***AzureId****","userPrincipalName":"*UserPrincipalName*","displayName":null}},{"@odata.type":"#microsoft.graph.security.analyzedMessageEvidence","createdDateTime":"2024-08-01T12:38:24.3966667Z","verdict":"unknown","remediationStatus":"none","remediationStatusDetails":null,"roles":[],"detailedRoles":[],"tags":[],"networkMessageId":"******NMessageId","internetMessageId":"******MessageId.eurprd01.prod.exchangelabs.com","subject":"******Subject******","language":null,"senderIp":"*.*.*.*","recipientEmailAddress":"*UserPrincipalName*","antiSpamDirection":null,"deliveryAction":null,"deliveryLocation":null,"urn":null,"threats":[],"threatDetectionMethods":[],"urls":[],"urlCount":0,"attachmentsCount":0,"receivedDateTime":"2024-08-01T11:26:25.3835934Z","p1Sender":{"emailAddress":null,"displayName":null,"domainName":null},"p2Sender":{"emailAddress":"***P2Email****","displayName":null,"domainName":null}},{"@odata.type":"#microsoft.graph.security.userEvidence","createdDateTime":"2024-08-01T12:38:24.3966667Z","verdict":"unknown","remediationStatus":"none","remediationStatusDetails":null,"roles":[],"detailedRoles":[],"tags":[],"stream":null,"userAccount":{"accountName":"***UserAccount****","domainName":"***UserDomain****","userSid":"***UserSId****","azureAdUserId":"***AzureId****","userPrincipalName":"*UserPrincipalName*","displayName":"*UserDisplayName*"}}]'
data.ms-graph.firstActivityDateTime: '2024-08-01T12:37:00Z'
data.ms-graph.id: '******Id******'
data.ms-graph.incidentId: '144968'
data.ms-graph.incidentWebUrl: 'https://security.microsoft.com/incidents/144968?tid=******TenantId******'
data.ms-graph.lastActivityDateTime: '2024-08-01T12:38:00Z'
data.ms-graph.lastUpdateDateTime: '2024-08-01T12:39:08.2533333Z'
data.ms-graph.mitreTechniques: '["T1566"]'
data.ms-graph.productName: 'Microsoft Defender for Office 365'
data.ms-graph.providerAlertId: '******ProviderId******'
data.ms-graph.relationship: 'alerts_v2'
data.ms-graph.resolvedDateTime: 'null'
data.ms-graph.resource: 'security'
data.ms-graph.serviceSource: 'microsoftDefenderForOffice365'
data.ms-graph.severity: 'low'
data.ms-graph.status: 'inProgress'
data.ms-graph.systemTags: '[]'
data.ms-graph.tenantId: '******TenantId******'
data.ms-graph.threatDisplayName: 'null'
data.ms-graph.threatFamilyName: 'null'
data.ms-graph.title: 'Email reported by user as malware or phish'
decoder.name: 'json'
full_log: '{"integration":"ms-graph","ms-graph":{"id":"******Id******","providerAlertId":"******ProviderId******","incidentId":"144968","status":"inProgress","severity":"low","classification":null,"determination":null,"serviceSource":"microsoftDefenderForOffice365","detectionSource":"microsoftDefenderForOffice365","productName":"Microsoft Defender for Office 365","detectorId":"******DetectorId******","tenantId":"******TenantId******","title":"Email reported by user as malware or phish","description":"This alert is triggered when any email message is reported as malware or phish by users -V1.0.0.3","recommendedActions":"","category":"InitialAccess","assignedTo":null,"alertWebUrl":"https://security.microsoft.com/alerts/******Id******?tid=******TenantId******","incidentWebUrl":"https://security.microsoft.com/incidents/144968?tid=******TenantId******","actorDisplayName":null,"threatDisplayName":null,"threatFamilyName":null,"mitreTechniques":["T1566"],"createdDateTime":"2024-08-01T12:38:24.38Z","lastUpdateDateTime":"2024-08-01T12:39:08.2533333Z","resolvedDateTime":null,"firstActivityDateTime":"2024-08-01T12:37:00Z","lastActivityDateTime":"2024-08-01T12:38:00Z","systemTags":[],"alertPolicyId":null,"additionalData":null,"comments":[],"evidence":[{"@odata.type":"#microsoft.graph.security.mailboxEvidence","createdDateTime":"2024-08-01T12:38:24.3966667Z","verdict":"unknown","remediationStatus":"none","remediationStatusDetails":null,"roles":[],"detailedRoles":[],"tags":[],"primaryAddress":"*UserPrincipalName*","displayName":"*UserDisplayName*","userAccount":{"accountName":"***UserAccount****","domainName":"***UserDomain****","userSid":"***UserSId****","azureAdUserId":"***AzureId****","userPrincipalName":"*UserPrincipalName*","displayName":null}},{"@odata.type":"#microsoft.graph.security.analyzedMessageEvidence","createdDateTime":"2024-08-01T12:38:24.3966667Z","verdict":"unknown","remediationStatus":"none","remediationStatusDetails":null,"roles":[],"detailedRoles":[],"tags":[],"networkMessageId":"******NMessageId","internetMessageId":"******MessageId.eurprd01.prod.exchangelabs.com","subject":"******Subject******","language":null,"senderIp":"*.*.*.*","recipientEmailAddress":"*UserPrincipalName*","antiSpamDirection":null,"deliveryAction":null,"deliveryLocation":null,"urn":null,"threats":[],"threatDetectionMethods":[],"urls":[],"urlCount":0,"attachmentsCount":0,"receivedDateTime":"2024-08-01T11:26:25.3835934Z","p1Sender":{"emailAddress":null,"displayName":null,"domainName":null},"p2Sender":{"emailAddress":"***P2Email****","displayName":null,"domainName":null}},{"@odata.type":"#microsoft.graph.security.userEvidence","createdDateTime":"2024-08-01T12:38:24.3966667Z","verdict":"unknown","remediationStatus":"none","remediationStatusDetails":null,"roles":[],"detailedRoles":[],"tags":[],"stream":null,"userAccount":{"accountName":"***UserAccount****","domainName":"***UserDomain****","userSid":"***UserSId****","azureAdUserId":"***AzureId****","userPrincipalName":"*UserPrincipalName*","displayName":"*UserDisplayName*"}}],"resource":"security","relationship":"alerts_v2"}}'
id: '1722515981.4888132226'
location: 'ms-graph'
manager.name: 'WazuhServer'
rule.description: 'MS Graph message: Alerts on threats associated with prevalent malware.'
rule.firedtimes: '7'
rule.groups: '["ms-graph"]'
rule.id: '99586'
rule.level: '6'
rule.mail: 'false'
timestamp: '2024-08-01T13:39:41.608+0100'

Cheers,

Farouk Musa

Aug 5, 2024, 4:56:55 AM
to Wazuh | Mailing List
Hi,

I have replayed your event and identified the issue.

The issue stems from the field ms-graph.resolvedDateTime, which has an invalid date-time value (null), thereby causing issues for Filebeat as it cannot decode the value, which is set to null. Filebeat has the following error:

"type":"wazuh"}}, Private:file.State{Id:"native::1356005-2051", PrevId:"", Finished:false, Fileinfo:(*os.fileStat)(0xc0004a7c70), Source:"/var/ossec/logs/alerts/alerts.json", Offset:4038, Timestamp:time.Time{wall:0xc1a41fde4ddc738d, ext:2350657993551, loc:(*time.Location)(0x42417a0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x14b0e5, Device:0x803}, IdentifierName:"native"}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=400): {"type":"mapper_parsing_exception","reason":"failed to parse field [data.ms-graph.resolvedDateTime] of type [date] in document with id 'trSfH5EBLZxh_3y8sn1H'. Preview of field's value: 'null'","caused_by":{"type":"illegal_argument_exception","reason":"failed to parse date field [null] with format [strict_date_optional_time||epoch_millis]","caused_by":{"type":"date_time_parse_exception","reason":"Failed to parse with all enclosed parsers"}}}

When I change the date to a valid date, the alert is seen on the Wazuh dashboard. Unfortunately I cannot find any Azure documentation that explains how that field may be manipulated.
Screenshot 2024-08-05 095256.jpg
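The failure diagnosed above (the JSON decoder turns a JSON null into the string "null", and the indexer's date mapping then rejects the whole document, so the alert never reaches Discover) can be caught before Filebeat ships the line. This is an added example, not code from the thread or from the Wazuh project; it assumes the indexer maps every key ending in DateTime as a date with the strict_date_optional_time||epoch_millis format quoted in the Filebeat error (the regex below only approximates that format), and the alert it scans is a constructed, trimmed copy of the redacted alert posted earlier in the thread.

```python
import json
import re
from datetime import datetime

# Approximates strict_date_optional_time: date, optional time, optional fraction, optional zone.
_ISO = re.compile(r"^(\d{4})-(\d{2})-(\d{2})"
                  r"(?:T(\d{2}):(\d{2})(?::(\d{2})(?:\.\d{1,9})?)?(?:Z|[+-]\d{2}:?\d{2})?)?$")

def is_strict_date_optional_time(value):
    """True if a date field with format strict_date_optional_time||epoch_millis accepts value."""
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return True                       # epoch_millis as a JSON number
    if not isinstance(value, str):
        return False
    if value.isdigit():
        return True                       # epoch_millis as a string
    m = _ISO.match(value)
    if not m:
        return False                      # e.g. the string "null" the JSON decoder produced
    y, mo, d, h, mi, s = (int(g) if g else 0 for g in m.groups())
    try:
        datetime(y, mo, d, h, mi, s)      # rejects month 13, hour 25 and the like
    except ValueError:
        return False
    return True

def iter_date_fields(node, path=""):
    """Yield (dotted path, value) for every key ending in DateTime, at any depth."""
    if isinstance(node, dict):
        for key, val in node.items():
            child = f"{path}.{key}" if path else key
            if key.endswith("DateTime"):
                yield child, val
            else:
                yield from iter_date_fields(val, child)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from iter_date_fields(item, f"{path}[{i}]")

def find_unindexable_dates(alert):
    """Paths of date fields the indexer would reject (a real JSON null is accepted)."""
    return [p for p, v in iter_date_fields(alert)
            if v is not None and not is_strict_date_optional_time(v)]

def sanitize_alert(node):
    """Copy of the alert with rejected date fields dropped so the document indexes."""
    if isinstance(node, dict):
        return {k: sanitize_alert(v) for k, v in node.items()
                if not (k.endswith("DateTime") and v is not None
                        and not is_strict_date_optional_time(v))}
    if isinstance(node, list):
        return [sanitize_alert(x) for x in node]
    return node

def scan_alerts_lines(lines):
    """Map alert id -> offending paths for every alerts.json line that has any."""
    report = {}
    for line in lines:
        if line.strip():
            alert = json.loads(line)
            bad = find_unindexable_dates(alert)
            if bad:
                report[alert.get("id", "?")] = bad
    return report

SAMPLE_ALERT = {  # constructed: a trimmed copy of the redacted alert posted in the thread
    "rule": {"level": 6, "id": "99586", "groups": ["ms-graph"]}, "id": "1722515981.4888132226",
    "data": {"integration": "ms-graph", "ms-graph": {
        "id": "******Id******", "status": "inProgress", "classification": "null",
        "createdDateTime": "2024-08-01T12:38:24.38Z",
        "lastUpdateDateTime": "2024-08-01T12:39:08.2533333Z",
        "resolvedDateTime": "null",   # the value Filebeat rejected: a string, not a JSON null
        "evidence": [{"@odata.type": "#microsoft.graph.security.mailboxEvidence",
                      "createdDateTime": "2024-08-01T12:38:24.3966667Z",
                      "remediationStatusDetails": None}]}},
    "location": "ms-graph"}
ALERTS_JSON_LINES = [json.dumps(SAMPLE_ALERT)]   # one constructed line of alerts.json
```

Dropping the field (rather than inventing a date) keeps the alert's meaning, since an unresolved alert simply has no resolution time; an absent field is not a parse error for the indexer.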

Ricardo Mendonça

Aug 5, 2024, 5:20:38 AM
to Wazuh | Mailing List
Thank you once again for your answer.
So it must be something related to this 4.8.1 version, as in 4.7.3 it was working like it should. I'm sending you a printscreen of an alert prior to the upgrade, with data.ms-graph.resolvedDateTime as null and still showing. And it makes sense, since this is an alert, so it has not been resolved yet, and therefore has no resolved time.

Thanks a lot
msgraph_47.png

charl...@gmail.com

Aug 12, 2024, 6:25:20 AM
to Wazuh | Mailing List
Hi, did you manage to find a fix? I am struggling with both this error and this: