Azure AD monitoring with Graph API


Nataliia

Oct 25, 2022, 11:22:06 AM
to Wazuh mailing list
Hello!

But in azure_logs.log I see that it was unsuccessful:
10/25/2022 06:05:10 PM INFO: AZURE Azure Graph starting.
10/25/2022 06:05:10 PM INFO: AZURE Graph: Getting authentication token.
10/25/2022 06:05:10 PM DEBUG: AZURE Starting new HTTPS connection (1): login.microsoftonline.com:443
10/25/2022 06:05:10 PM DEBUG: AZURE https://login.microsoftonline.com:443 "POST /<my_tenatnt_domain>/oauth2/token?api-version=1.0 HTTP/1.1" 200 1482
10/25/2022 06:05:10 PM INFO: AZURE Graph: Getting data.
10/25/2022 06:05:10 PM INFO: AZURE Graph: The search starts from the date: 2022-10-24T15:05:10.1666613110Z for query: 'auditLogs/directoryAudits'
10/25/2022 06:05:10 PM DEBUG: AZURE Starting new HTTPS connection (1): graph.windows.net:443
10/25/2022 06:05:10 PM DEBUG: AZURE https://graph.windows.net:443 "GET /<my_tenatnt_domain>/auditLogs/directoryAudits&$filter=activityDate+ge+2022-10-24T15:05:10.1666613110Z HTTP/1.1" 404 0
10/25/2022 06:05:10 PM INFO: AZURE Graph: Request status: 404
10/25/2022 06:05:10 PM ERROR: AZURE Error: The request for the query could not be made: '404 Client Error: Not Found for url: https://graph.windows.net/<my_tenatnt_domain>/auditLogs/directoryAudits&$filter=activityDate+ge+2022-10-24T15:05:10.1666613110Z'.
10/25/2022 06:05:10 PM INFO: AZURE Graph: End

wodle section in ossec.conf is:

  <!-- Logs from Azure -->
  <wodle name="azure-logs">
    <disabled>no</disabled>
    <run_on_start>yes</run_on_start>

    <log_analytics>
        <auth_path>/var/ossec/wodles/credentials/log_analytics_credentials.txt</auth_path>

        <tenantdomain>*****</tenantdomain>
        <request>
            <tag>azure-log-analytics</tag>
            <query>AzureActivity</query>
            <workspace>********</workspace>
            <time_offset>1h</time_offset>
        </request>
    </log_analytics>
  </wodle>

  <!-- Logs from Azure AD -->
  <wodle name="azure-logs">
    <disabled>no</disabled>
    <run_on_start>yes</run_on_start>

    <graph>
        <auth_path>/var/ossec/wodles/credentials/ad_credentials.txt</auth_path>
        <tenantdomain>****</tenantdomain>

        <request>
            <tag>azure-ad-graph</tag>
            <query>auditLogs/directoryAudits</query>
            <time_offset>1d</time_offset>
        </request>
    </graph>
  </wodle>

File /var/ossec/wodles/credentials/ad_credentials.txt consists of:

application_id = *********
application_key = ********* 

How can I set up Azure AD monitoring?

Nicolas Stefani

Oct 25, 2022, 1:01:39 PM
to Wazuh mailing list
Hi Nataliia,
Thanks for using Wazuh!

I think that maybe it is a problem with permissions to access the API. If you go to <Name of your application>/API Permissions, what do you see?
Another thing, what version of Wazuh have you installed?

Regards,

Nataliia

Oct 27, 2022, 7:05:26 AM
to Wazuh mailing list
Hi Nicola,

Wazuh version is v4.2.6.
I have added API Permissions screenshot.


On Tuesday, October 25, 2022 at 20:01:39 UTC+3 nicola...@wazuh.com wrote:
Attachment: API Permission.JPG

Nicolas Stefani

Oct 27, 2022, 3:55:54 PM
to Wazuh mailing list
Hi Natalia,
Sorry for the late response.

I found that the 404 in the logs is related to the deprecation of an Azure API, more info here. The issue was fixed here and included in version 4.3 of Wazuh.
To use this functionality you will need to upgrade Wazuh.

Best regards!
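A quick way to confirm this diagnosis from your own azure_logs.log, as an added example (not part of the thread and not Wazuh's code): it parses the request DEBUG lines in the format quoted above and flags any request that went to the deprecated graph.windows.net host or that came back with a non-2xx status. It assumes the log line format shown in the thread; SAMPLE_LOG is constructed from those lines with a placeholder tenant.

```python
import re
from dataclasses import dataclass

# Deprecated Azure AD Graph host; Microsoft Graph lives at graph.microsoft.com.
DEPRECATED_HOSTS = {"graph.windows.net"}

# Matches the DEBUG line the wodle logs for every HTTP request, e.g.
# ... DEBUG: AZURE https://graph.windows.net:443 "GET /path HTTP/1.1" 404 0
REQUEST_RE = re.compile(
    r'^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M) DEBUG: AZURE '
    r'https?://(?P<host>[^:/\s]+)(?::\d+)? '
    r'"[A-Z]+ (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

@dataclass
class Finding:
    timestamp: str
    host: str
    path: str
    status: int
    reason: str

def check_wodle_log(lines):
    """Return one Finding per request that hit a deprecated host or failed."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line.strip())
        if not m:
            continue  # INFO/ERROR lines and "Starting new HTTPS connection" lines
        host, status = m["host"], int(m["status"])
        reasons = []
        if host in DEPRECATED_HOSTS:
            reasons.append("deprecated Azure AD Graph endpoint (fixed in Wazuh 4.3)")
        if not 200 <= status < 300:
            reasons.append(f"HTTP {status}")
        if reasons:
            findings.append(Finding(m["ts"], host, m["path"], status, "; ".join(reasons)))
    return findings

# Constructed sample log: the token request and the failing Graph request from the thread.
SAMPLE_LOG = """\
10/25/2022 06:05:10 PM INFO: AZURE Graph: Getting authentication token.
10/25/2022 06:05:10 PM DEBUG: AZURE https://login.microsoftonline.com:443 "POST /tenant.example/oauth2/token?api-version=1.0 HTTP/1.1" 200 1482
10/25/2022 06:05:10 PM DEBUG: AZURE https://graph.windows.net:443 "GET /tenant.example/auditLogs/directoryAudits&$filter=activityDate+ge+2022-10-24T15:05:10Z HTTP/1.1" 404 0
"""

if __name__ == "__main__":
    for f in check_wodle_log(SAMPLE_LOG.splitlines()):
        print(f"{f.timestamp} {f.host}{f.path} -> {f.status}: {f.reason}")
```

Run it against the real file with `check_wodle_log(open("/var/ossec/logs/azure_logs.log"))` if that is where your wodle writes (path is an assumption).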

Nataliia

Oct 28, 2022, 3:16:05 AM
to Wazuh mailing list
Hi Nicola,

I can upgrade the Wazuh version according to this guide, is it correct?

On Thursday, October 27, 2022 at 22:55:54 UTC+3 nicola...@wazuh.com wrote:

Nicolas Stefani

Oct 28, 2022, 7:54:29 AM
to Nataliia, Wazuh mailing list
Yes it is.

Regards



--
Wazuh Nicolás Stefani
Software Engineer

Nataliia

Oct 28, 2022, 10:50:45 AM
to Wazuh mailing list
I upgraded Wazuh and can now successfully connect to Microsoft Graph.
Thank you!

On Friday, October 28, 2022 at 14:54:29 UTC+3 nicola...@wazuh.com wrote: