Microsoft Ms-graph integration lacking details in data.ms-graph.evidence field


wazuh

Nov 28, 2024, 4:16:42 AM
to Wazuh | Mailing List
Hi, I've followed the Wazuh documentation (Microsoft Graph API setup · Wazuh documentation) to integrate with ms-graph. At first it worked flawlessly; however, not too long ago the data.ms-graph.evidence fields started to only show null values, even though when I go to the alert in security.microsoft.com there clearly is more information in the fields. Are there some new additional API permissions we need to be able to view this information again?

Here is an example of a recent JSON alert for a potentially malicious URL click.

{ "_index": "wazuh-alerts-4.x-2024.11.14", "_id": "id", "_version": 1, "_score": null, "_source": { "cluster": { "node": "master-node", "name": "wazuh" }, "agent": { "name": "agent-name", "id": "000" }, "data": { "ms-graph": { "firstActivityDateTime": "2024-11-14T19:27:41.1382404Z", "evidence": [ { "subject": null, "@odata.type": "#microsoft.graph.security.analyzedMessageEvidence", "roles": [], "createdDateTime": "2024-11-14T19:32:04.15Z", "language": null, "urls": [], "internetMessageId": null, "deliveryAction": null, "attachmentsCount": 0, "antiSpamDirection": null, "detailedRoles": [], "threats": [], "remediationStatusDetails": null, "remediationStatus": "none", "senderIp": null, "deliveryLocation": null, "networkMessageId": "bfc69d6a-4953-4182-216d-08dd0476bd79", "p1Sender": { "emailAddress": null, "displayName": null, "domainName": null }, "tags": [], "urn": null, "receivedDateTime": "2024-11-14T06:36:58.7962733Z", "threatDetectionMethods": [], "verdict": "unknown", "p2Sender": { "emailAddress": null, "displayName": null, "domainName": null }, "recipientEmailAddress": "reci...@emaill.com", "urlCount": 0 } ], "threatFamilyName": "null", "description": "We have detected that one of your users has recently clicked on a link that was found to be malicious. -V1.0.0.5", "createdDateTime": "2024-11-14T19:32:04.1266667Z", "determination": "null", "title": "A potentially malicious URL click was detected", "assignedTo": "null", "mitreTechniques": [ "T1566.002" ], "productName": "Microsoft Defender for Office 365", "resolvedDateTime": "null", "alertPolicyId": "null", "detectorId": "detectorid", "incidentWebUrl": "https://security.microsoft.com/incidents/9193?tid=tenantid", "alertWebUrl": "https://security.microsoft.com/alerts/alertid?tid=teanantid", "threatDisplayName": "null", "providerAlertId": "someid", "additionalData": "null", "id": "anotherid", "relationship": "alerts_v2", "severity": "high", "lastUpdateDateTime": "2024-11-14T19:32:48.76Z", "comments": [], "serviceSource": "microsoftDefenderForOffice365", "resource": "security", "actorDisplayName": "null", "classification": "null", "tenantId": "tenantid", "systemTags": [], "detectionSource": "microsoftDefenderForOffice365", "lastActivityDateTime": "2024-11-14T19:27:41.1382404Z", "category": "InitialAccess", "incidentId": "9193", "status": "new" }, "integration": "ms-graph" }, "manager": { "name": "managername" }, "log": { "file": { "path": "/var/ossec/logs/alerts/alerts.json" }, "offset": 417630205 }, "rule": { "firedtimes": 27, "mail": true, "level": 14, "groups": [ "ms-graph" ], "description": "MS Graph message: Alerts commonly seen associated with advanced persistent threats (APT). These alerts indicate a high risk because of the severity of damage they can inflict on assets.", "id": "99588" }, "decoder": { "name": "json" }, "fileset": { "name": "alerts" }, "tags": [ "beats_input_codec_plain_applied" ], "input": { "type": "log" }, "ecs": { "version": "1.6.0" }, "service": { "type": "wazuh" }, "host": "hostname", "@version": "1", "location": "ms-graph", "id": "idid", "fields": { "index_prefix": "wazuh-alerts-4.x-" }, "event": { "module": "wazuh", "dataset": "wazuh.alerts" }, "timestamp": "2024-11-14T21:35:19.142+0200" }, "fields": { "timestamp": [ "2024-11-14T19:35:19.142Z" ] }, "highlight": { "cluster.name": [ "@opensearch-dashboards-highlighted-field@wazuh@/opensearch-dashboards-highlighted-field@" ], "data.ms-graph.severity": [ "@opensearch-dashboards-highlighted-field@high@/opensearch-dashboards-highlighted-field@" ], "data.integration": [ "@opensearch-dashboards-highlighted-field@ms-graph@/opensearch-dashboards-highlighted-field@" ], "data.ms-graph.title": [ "@opensearch-dashboards-highlighted-field@A potentially malicious URL click was detected@/opensearch-dashboards-highlighted-field@" ] }, "sort": [ 1731612919730 ] }

Md. Nazmur Sakib

Nov 28, 2024, 6:32:20 AM
to Wazuh | Mailing List

Hi User,


You can review your API permissions in this section of the document:

https://documentation.wazuh.com/current/cloud-security/azure/ms-graph-api-setup.html#api-permissions

I do not think you need to add any additional information.

Can you share the information from the alerts.json file? I would like to see the full log Wazuh is getting from your MS Graph.


cat /var/ossec/logs/alerts/alerts.json | grep 99588



Replace the sensitive values with dummy values.

Looking forward to your update on the issue.

wazuh

Nov 28, 2024, 7:58:16 AM
to Wazuh | Mailing List
Here is the alert from alerts.json. I prettified it so I could edit out the sensitive information more easily. It is exactly the same as in my index.
{
    "timestamp": "2024-11-14T21:20:18.981+0200",
    "rule": {
        "level": 14,
        "description": "MS Graph message: Alerts commonly seen associated with advanced persistent threats (APT). These alerts indicate a high risk because of the severity of damage they can inflict on assets.",
        "id": "99588",
        "firedtimes": 16,
        "mail": true,
        "groups": [
            "ms-graph"
        ]
    },
    "agent": {
        "id": "000",
        "name": "agentname"
    },
    "manager": {
        "name": "agentname"
    },
    "id": "id",
    "cluster": {
        "name": "wazuh",
        "node": "master-node"
    },
    "decoder": {
        "name": "json"
    },
    "data": {
        "integration": "ms-graph",
        "ms-graph": {
            "id": "id",
            "providerAlertId": "provideralertid",
            "incidentId": "9169",
            "status": "new",
            "severity": "high",
            "classification": "null",
            "determination": "null",
            "serviceSource": "microsoftDefenderForOffice365",
            "detectionSource": "microsoftDefenderForOffice365",
            "productName": "Microsoft Defender for Office 365",
            "detectorId": "detectorid",
            "tenantId": "tenantid",
            "title": "A potentially malicious URL click was detected",
            "description": "We have detected that one of your users has recently clicked on a link that was found to be malicious. -V1.0.0.5",
            "category": "InitialAccess",
            "assignedTo": "null",
            "alertWebUrl": "https://security.microsoft.com/alerts/id?tid=tenantid",
            "incidentWebUrl": "https://security.microsoft.com/incidents/9169?tid=tenantid",
            "actorDisplayName": "null",
            "threatDisplayName": "null",
            "threatFamilyName": "null",
            "mitreTechniques": [
                "T1566.002"
            ],
            "createdDateTime": "2024-11-14T19:17:12.36Z",
            "lastUpdateDateTime": "2024-11-14T19:19:40.19Z",
            "resolvedDateTime": "null",
            "firstActivityDateTime": "2024-11-14T19:16:04Z",
            "lastActivityDateTime": "2024-11-14T19:16:04Z",
            "systemTags": [],
            "alertPolicyId": "null",
            "additionalData": "null",
            "comments": [],
            "evidence": [
                {
                    "@odata.type": "#microsoft.graph.security.analyzedMessageEvidence",
                    "createdDateTime": "2024-11-14T19:17:15Z",
                    "verdict": "unknown",
                    "remediationStatus": "none",
                    "remediationStatusDetails": null,
                    "roles": [],
                    "detailedRoles": [],
                    "tags": [],
                    "networkMessageId": "networkid",
                    "internetMessageId": null,
                    "subject": null,
                    "language": null,
                    "senderIp": null,
                    "recipientEmailAddress": "recipientemailaddress",
                    "antiSpamDirection": null,
                    "deliveryAction": null,
                    "deliveryLocation": null,
                    "urn": null,
                    "threats": [],
                    "threatDetectionMethods": [],
                    "urls": [],
                    "urlCount": 0,
                    "attachmentsCount": 0,
                    "receivedDateTime": "2024-11-14T19:16:50.2940416Z",
                    "p1Sender": {
                        "emailAddress": null,
                        "displayName": null,
                        "domainName": null
                    },
                    "p2Sender": {
                        "emailAddress": null,
                        "displayName": null,
                        "domainName": null
                    }
                }
            ],
            "resource": "security",
            "relationship": "alerts_v2"
        }
    },
    "location": "ms-graph"
}

Md. Nazmur Sakib

Dec 4, 2024, 3:44:46 AM
to Wazuh | Mailing List

I was expecting a log like this:

{"timestamp":"2024-08-01T13:39:41.608+0100","rule":{"level":6,"description":"MS Graph message: Alerts on threats associated with prevalent malware.","id":"99586","firedtimes":7,"mail":false,"groups":["ms-graph"]},"agent":{"id":"000","name":"WazuhServer"},"manager":{"name":"WazuhServer"},"id":"1722515981.4888132226","full_log":"{"integration":"ms-graph","ms-graph":{"id":"******Id******","providerAlertId":"******ProviderId******","incidentId":"144968","status":"inProgress","severity":"low","classification":null,"determination":null,"serviceSource":"microsoftDefenderForOffice365","detectionSource":"microsoftDefenderForOffice365","productName":"Microsoft Defender for Office 365","detectorId":"******DetectorId******","tenantId":"******TenantId******","title":"Email reported by user as malware or phish","description":"This alert is triggered when any email message is reported as malware or phish by users -V1.0.0.3","recommendedActions":"","category":"InitialAccess","assignedTo":null,"alertWebUrl":"https://security.microsoft.com/alerts/******Id******?tid=******TenantId******","incidentWebUrl":"https://security.microsoft.com/incidents/144968?tid=******TenantId******","actorDisplayName":null,"threatDisplayName":null,"threatFamilyName":null,"mitreTechniques":["T1566"],"createdDateTime":"2024-08-01T12:38:24.38Z","lastUpdateDateTime":"2024-08-01T12:39:08.2533333Z","resolvedDateTime":null,"firstActivityDateTime":"2024-08-01T12:37:00Z","lastActivityDateTime":"2024-08-01T12:38:00Z","systemTags":[],"alertPolicyId":null,"additionalData":null,"comments":[],"evidence":[{"@odata.type":"#microsoft.graph.security.mailboxEvidence","createdDateTime":"2024-08-01T12:38:24.3966667Z","verdict":"unknown","remediationStatus":"none","remediationStatusDetails":null,"roles":[],"detailedRoles":[],"tags":[],"primaryAddress":"*UserPrincipalName*","displayName":"*UserDisplayName*","userAccount":{"accountName":"***UserAccount****","domainName":"***UserDomain****","userSid":"***UserSId****","azureAdUserId":"***AzureId****","userPrincipalName":"*UserPrincipalName*","displayName":null}},{"@odata.type":"#microsoft.graph.security.analyzedMessageEvidence","createdDateTime":"2024-08-01T12:38:24.3966667Z","verdict":"unknown","remediationStatus":"none","remediationStatusDetails":null,"roles":[],"detailedRoles":[],"tags":[],"networkMessageId":"******NMessageId","internetMessageId":"******MessageId.eurprd01.prod.exchangelabs.com","subject":"******Subject******","language":null,"senderIp":"*.*.*.*","recipientEmailAddress":"*UserPrincipalName*","antiSpamDirection":null,"deliveryAction":null,"deliveryLocation":null,"urn":null,"threats":[],"threatDetectionMethods":[],"urls":[],"urlCount":0,"attachmentsCount":0,"receivedDateTime":"2024-08-01T11:26:25.3835934Z","p1Sender":{"emailAddress":null,"displayName":null,"domainName":null},"p2Sender":{"emailAddress":"***P2Email****","displayName":null,"domainName":null}},{"@odata.type":"#microsoft.graph.security.userEvidence","createdDateTime":"2024-08-01T12:38:24.3966667Z","verdict":"unknown","remediationStatus":"none","remediationStatusDetails":null,"roles":[],"detailedRoles":[],"tags":[],"stream":null,"userAccount":{"accountName":"***UserAccount****","domainName":"***UserDomain****","userSid":"***UserSId****","azureAdUserId":"***AzureId****","userPrincipalName":"*UserPrincipalName*","displayName":"*UserDisplayName*"}}],"resource":"security","relationship":"alerts_v2"}}","decoder":{"name":"json"},"data":{"integration":"ms-graph","ms-graph":{"id":"******Id******","providerAlertId":"******ProviderId******","incidentId":"144968","status":"inProgress","severity":"low","classification":"null","determination":"null","serviceSource":"microsoftDefenderForOffice365","detectionSource":"microsoftDefenderForOffice365","productName":"Microsoft Defender for Office 365","detectorId":"******DetectorId******","tenantId":"******TenantId******","title":"Email reported by user as malware or phish","description":"This alert is triggered when any email message is reported as malware or phish by users -V1.0.0.3","category":"InitialAccess","assignedTo":"null","alertWebUrl":"https://security.microsoft.com/alerts/******Id******?tid=******TenantId******","incidentWebUrl":"https://security.microsoft.com/incidents/144968?tid=******TenantId******","actorDisplayName":"null","threatDisplayName":"null","threatFamilyName":"null","mitreTechniques":["T1566"],"createdDateTime":"2024-08-01T12:38:24.38Z","lastUpdateDateTime":"2024-08-01T12:39:08.2533333Z","resolvedDateTime":"null","firstActivityDateTime":"2024-08-01T12:37:00Z","lastActivityDateTime":"2024-08-01T12:38:00Z","systemTags":[],"alertPolicyId":"null","additionalData":"null","comments":[],"evidence":[{"@odata.type":"#microsoft.graph.security.mailboxEvidence","createdDateTime":"2024-08-01T12:38:24.3966667Z","verdict":"unknown","remediationStatus":"none","remediationStatusDetails":null,"roles":[],"detailedRoles":[],"tags":[],"primaryAddress":"*UserPrincipalName*","displayName":"*UserDisplayName*","userAccount":{"accountName":"***UserAccount****","domainName":"***UserDomain****","userSid":"***UserSId****","azureAdUserId":"***AzureId****","userPrincipalName":"*UserPrincipalName*","displayName":null}},{"@odata.type":"#microsoft.graph.security.analyzedMessageEvidence","createdDateTime":"2024-08-01T12:38:24.3966667Z","verdict":"unknown","remediationStatus":"none","remediationStatusDetails":null,"roles":[],"detailedRoles":[],"tags":[],"networkMessageId":"******NMessageId","internetMessageId":"******MessageId.eurprd01.prod.exchangelabs.com","subject":"******Subject******","language":null,"senderIp":"*.*.*.*","recipientEmailAddress":"*UserPrincipalName*","antiSpamDirection":null,"deliveryAction":null,"deliveryLocation":null,"urn":null,"threats":[],"threatDetectionMethods":[],"urls":[],"urlCount":0,"attachmentsCount":0,"receivedDateTime":"2024-08-01T11:26:25.3835934Z","p1Sender":{"emailAddress":null,"displayName":null,"domainName":null},"p2Sender":{"emailAddress":"***P2Email****","displayName":null,"domainName":null}},{"@odata.type":"#microsoft.graph.security.userEvidence","createdDateTime":"2024-08-01T12:38:24.3966667Z","verdict":"unknown","remediationStatus":"none","remediationStatusDetails":null,"roles":[],"detailedRoles":[],"tags":[],"stream":null,"userAccount":{"accountName":"***UserAccount****","domainName":"***UserDomain****","userSid":"***UserSId****","azureAdUserId":"***AzureId****","userPrincipalName":"*UserPrincipalName*","displayName":"*UserDisplayName*"}}],"resource":"security","relationship":"alerts_v2"}},"location":"ms-graph"}



However, I cannot see the full log and the evidence field in your log.

I am not able to replicate this issue but based on the information you have provided it seems like the field is missing from the API.

I will suggest you report this issue in our GitHub so that the developer team can look into this issue.


https://github.com/wazuh/wazuh/issues/new/choose



Let me know if you need any further information.
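The comparison made in the reply above (an alert whose only evidence entry is an analyzedMessageEvidence with null subject, sender and message id, against an expected alert carrying mailboxEvidence, analyzedMessageEvidence and userEvidence with those fields populated) can be turned into a quick check over alerts.json before opening an issue. The script below is an added example, not Wazuh code or anything posted in this thread. It reads alerts.json lines, keeps the ms-graph ones, and reports for each one which evidence types are present, whether a full_log is attached, and which of the detail fields seen in the expected log are empty. The EXPECTED_DETAIL table and the two sample lines are assumptions modelled on the alerts quoted above (ids and addresses are placeholders), and it treats both JSON null and the literal string "null" that appears in the decoded data.ms-graph fields as empty.

```python
import json
import sys
from typing import Any, Dict, Iterable, List, Tuple

# Evidence fields the "expected" alert in this thread carries per @odata.type.
# Assumption derived from the two posted alerts, not a Wazuh or Microsoft schema;
# extend it with the fields your own rules or dashboards rely on.
EXPECTED_DETAIL: Dict[str, List[str]] = {
    "analyzedMessageEvidence": ["subject", "internetMessageId", "senderIp", "p2Sender"],
    "mailboxEvidence": ["primaryAddress", "userAccount"],
    "userEvidence": ["userAccount"],
}


def is_empty(value: Any) -> bool:
    """JSON null, the string "null" the Wazuh JSON decoder emits for absent values,
    empty strings/lists, and dicts whose values are all empty count as empty."""
    if value is None or value == "null":
        return True
    if isinstance(value, (str, list)):
        return len(value) == 0
    if isinstance(value, dict):
        return all(is_empty(v) for v in value.values())
    return False  # numbers such as urlCount: 0 are real values


def evidence_type(item: Dict[str, Any]) -> str:
    """'#microsoft.graph.security.userEvidence' -> 'userEvidence'."""
    return str(item.get("@odata.type", "unknown")).rsplit(".", 1)[-1]


def missing_details(alert: Dict[str, Any]) -> List[Tuple[str, str]]:
    """(evidence type, field) pairs that should carry data but are empty."""
    graph = alert.get("data", {}).get("ms-graph", {})
    gaps: List[Tuple[str, str]] = []
    for item in graph.get("evidence") or []:
        kind = evidence_type(item)
        for field in EXPECTED_DETAIL.get(kind, []):
            if is_empty(item.get(field)):
                gaps.append((kind, field))
    return gaps


def summarize_alert(alert: Dict[str, Any]) -> Dict[str, Any]:
    graph = alert.get("data", {}).get("ms-graph", {})
    return {
        "rule_id": alert.get("rule", {}).get("id"),
        "title": graph.get("title"),
        "incident_id": graph.get("incidentId"),
        "has_full_log": "full_log" in alert,
        "evidence_types": [evidence_type(e) for e in graph.get("evidence") or []],
        "missing": missing_details(alert),
    }


def sparse_ms_graph_alerts(lines: Iterable[str]) -> List[Dict[str, Any]]:
    """Summaries of ms-graph alerts whose evidence lacks expected detail.
    Blank, non-JSON and non-ms-graph lines are skipped."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            alert = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if alert.get("data", {}).get("integration") != "ms-graph":
            continue
        summary = summarize_alert(alert)
        if summary["missing"] or not summary["evidence_types"]:
            findings.append(summary)
    return findings


# Constructed sample lines modelled on the two alerts in this thread (placeholder ids).
SPARSE_LINE = json.dumps({"rule": {"id": "99588", "level": 14}, "data": {"integration": "ms-graph", "ms-graph": {
    "title": "A potentially malicious URL click was detected", "incidentId": "9169",
    "evidence": [{"@odata.type": "#microsoft.graph.security.analyzedMessageEvidence",
                  "subject": None, "internetMessageId": None, "senderIp": None,
                  "networkMessageId": "networkid", "recipientEmailAddress": "user@example.com",
                  "p2Sender": {"emailAddress": None, "displayName": None, "domainName": None}}]}}})

FULL_LINE = json.dumps({"rule": {"id": "99586", "level": 6}, "full_log": "{...}", "data": {"integration": "ms-graph", "ms-graph": {
    "title": "Email reported by user as malware or phish", "incidentId": "144968",
    "evidence": [
        {"@odata.type": "#microsoft.graph.security.mailboxEvidence", "primaryAddress": "user@example.com",
         "userAccount": {"accountName": "user", "domainName": "example.com"}},
        {"@odata.type": "#microsoft.graph.security.analyzedMessageEvidence", "subject": "Invoice",
         "internetMessageId": "<msgid@example.com>", "senderIp": "203.0.113.5",
         "p2Sender": {"emailAddress": "sender@example.net", "displayName": None, "domainName": None}},
        {"@odata.type": "#microsoft.graph.security.userEvidence",
         "userAccount": {"accountName": "user", "userPrincipalName": "user@example.com"}}]}}})

if __name__ == "__main__":
    # Pipe alerts.json in to run over real data; otherwise use the constructed samples.
    source = sys.stdin if not sys.stdin.isatty() else [SPARSE_LINE, FULL_LINE]
    for finding in sparse_ms_graph_alerts(source):
        print(json.dumps(finding, indent=2))
```

Run it as `python3 check_evidence.py < /var/ossec/logs/alerts/alerts.json` (file name assumed) to get one summary per alert whose evidence is thin; the output is already free of message subjects and addresses, so it is safe to paste into a GitHub issue alongside the alert id and incident id. An alert that lists only analyzedMessageEvidence with subject, internetMessageId, senderIp and p2Sender all reported as missing matches the sparse log in this thread.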