wazuh 4.9 MS-Graph issues

275 views

leon appel

Sep 25, 2024, 6:06:09 AM
to Wazuh | Mailing List
Hi 

I am having issues with the following.
I have tried to add pipelines, and then my alerts drop from thousands to about 6 in a 24-hour period.
----------------------------------------------------------------------------------
{
  "rename": {
    "if": "ctx?.data?.initiatedBy?.app instanceof Map",
    "field": "data.initiatedBy.app",
    "target_field": "data.initiatedBy.app_obj",
    "ignore_missing": true
  }
},
-----------------------------------------------------------------------------------------------
{
  "rename": {
    "if": "ctx?.microsoft?.graph?.riskDetection instanceof Map",
    "field": "createdDateTime",
    "target_field": "detectedDateTime",
    "ignore_missing": true
  }
},


I also tried these in the wazuh-template without success
"microsoft.graph.riskDetection.activityDateTime": {
  "type": "date"
},

----------------------------------------------------------------------------------------------
"microsoft.graph.riskDetection": {
  "properties": {
    "createdDateTime": {
      "type": "date"
    }
  }
}

filebeat log

2024-09-23T16:29:20.215+0100    WARN    [elasticsearch] elasticsearch/client.go:408     Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xc1b48033cbdf5aa8, ext:47407409001, loc:(*time.Location)(0x42417a0)}, Meta:{"pipeline":"filebeat-7.10.2-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"e26a275f-6afe-4ac1-a397-181f84dd4630","hostname":"WAZUH","id":"0774e386-5ba8-43fb-b42e-7f43ca298a57","name":"WAZUH","type":"filebeat","version":"7.10.2"},"ecs":{"version":"1.6.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-4.x-"},"fileset":{"name":"alerts"},"host":{"name":"WAZUH"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":1504532252},"message":"{\"timestamp\":\"2024-09-23T16:29:18.459+0100\",\"rule\":{\"level\":3,\"description\":\"Azure: AD \",\"id\":\"87802\",\"firedtimes\":134,\"mail\":false,\"groups\":[\"azure\"]},\"agent\":{\"id\":\"000\",\"name\":\"WAZUH\"},\"manager\":{\"name\":\"WAZUH\"},\"id\":\"1727105358.2117630554\",\"cluster\":{\"name\":\"wazuh\",\"node\":\"node-1\"},\"decoder\":{\"name\":\"json\"},\"data\":{\"id\":\"Directory_00000000-0000-0000-0000-000000000000_LPM4P_48984470\",\"category\":\"UserManagement\",\"correlationId\":\"00000000-0000-0000-0000-000000000000\",\"result\":\"failure\",\"resultReason\":\"Microsoft.Online.Workflows.ValidationException\",\"activityDisplayName\":\"Add user\",\"activityDateTime\":\"2024-09-23T15:27:28.6730696Z\",\"loggedByService\":\"Core Directory\",\"operationType\":\"Add\",\"initiatedBy\":{\"app\":\"null\",\"user\":{\"id\":\"1742b5fc-fb38-4453-ae49-78feeea943d0\",\"displayName\":\"null\",\"userPrincipalName\":\"Sync_RESADC2...@contoso.onmicrosoft.com\",\"userType\":\"null\",\"homeTenantId\":\"null\",\"homeTenantName\":\"null\"}},\"targetResources\":[{\"id\":\"1a14fb76-f21e-42d9-bf4b-0e9ad42bdef1\",\"displayName\":null,\"type\":\"User\",\"userPrincipalName\":\"us...@contoso.com\",\"groupType\":null,\"modifiedProperties\":[{\"displayName\":\"Action Client Name\",\"oldValue\":null,\"newValue\":\"\\\"DirectorySync\\\"\"},{\"displayName\":\"MethodExecutionResult.\",\"oldValue\":null,\"newValue\":\"\\\"Microsoft.Online.Workflows.ValidationException\\\"\"}]}],\"additionalDetails\":[],\"azure_tag\":\"azure-ad-graph\",\"azure_aad_tag\":\"azure-ad-graph\"},\"location\":\"Azure\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"native::2621578-64512", PrevId:"", Finished:false, Fileinfo:(*os.fileStat)(0xc00004e8f0), Source:"/var/ossec/logs/alerts/alerts.json", Offset:1504533718, Timestamp:time.Time{wall:0xc1b480284a7b9c5e, ext:1384095010, loc:(*time.Location)(0x42417a0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x28008a, Device:0xfc00}, IdentifierName:"native"}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=400): {"type":"mapper_parsing_exception","reason":"object mapping for [data.initiatedBy.app] tried to parse field [app] as object, but found a concrete value"}
2024-09-23T16:29:20.215+0100    WARN    [elasticsearch] elasticsearch/client.go:408     Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xc1b48033cbdf7854, ext:47407416598, loc:(*time.Location)(0x42417a0)}, Meta:{"pipeline":"filebeat-7.10.2-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"e26a275f-6afe-4ac1-a397-181f84dd4630","hostname":"WAZUH","id":"0774e386-5ba8-43fb-b42e-7f43ca298a57","name":"WAZUH","type":"filebeat","version":"7.10.2"},"ecs":{"version":"1.6.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-4.x-"},"fileset":{"name":"alerts"},"host":{"name":"WAZUH"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":1504533718},"message":"{\"timestamp\":\"2024-09-23T16:29:18.460+0100\",\"rule\":{\"level\":3,\"description\":\"Azure: AD \",\"id\":\"87802\",\"firedtimes\":135,\"mail\":false,\"groups\":[\"azure\"]},\"agent\":{\"id\":\"000\",\"name\":\"WAZUH\"},\"manager\":{\"name\":\"WAZUH\"},\"id\":\"1727105358.2117633002\",\"cluster\":{\"name\":\"wazuh\",\"node\":\"node-1\"},\"decoder\":{\"name\":\"json\"},\"data\":{\"id\":\"Directory_00000000-0000-0000-0000-000000000000_LPM4P_48984463\",\"category\":\"UserManagement\",\"correlationId\":\"00000000-0000-0000-0000-000000000000\",\"result\":\"failure\",\"resultReason\":\"Microsoft.Online.Workflows.ValidationException\",\"activityDisplayName\":\"Add user\",\"activityDateTime\":\"2024-09-23T15:27:28.6720679Z\",\"loggedByService\":\"Core Directory\",\"operationType\":\"Add\",\"initiatedBy\":{\"app\":\"null\",\"user\":{\"id\":\"1742b5fc-fb38-4453-ae49-78feeea943d0\",\"displayName\":\"null\",\"userPrincipalName\":\"Sync_RESADC2...@contoso.onmicrosoft.com\",\"userType\":\"null\",\"homeTenantId\":\"null\",\"homeTenantName\":\"null\"}},\"targetResources\":[{\"id\":\"cb65edcb-7d4e-42e2-bb47-2dcec05e24fb\",\"displayName\":null,\"type\":\"User\",\"userPrincipalName\":\"ad...@contoso.com\",\"groupType\":null,\"modifiedProperties\":[{\"displayName\":\"Action Client Name\",\"oldValue\":null,\"newValue\":\"\\\"DirectorySync\\\"\"},{\"displayName\":\"MethodExecutionResult.\",\"oldValue\":null,\"newValue\":\"\\\"Microsoft.Online.Workflows.ValidationException\\\"\"}]}],\"additionalDetails\":[],\"azure_tag\":\"azure-ad-graph\",\"azure_aad_tag\":\"azure-ad-graph\"},\"location\":\"Azure\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"native::2621578-64512", PrevId:"", Finished:false, Fileinfo:(*os.fileStat)(0xc00004e8f0), Source:"/var/ossec/logs/alerts/alerts.json", Offset:1504535178, Timestamp:time.Time{wall:0xc1b480284a7b9c5e, ext:1384095010, loc:(*time.Location)(0x42417a0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x28008a, Device:0xfc00}, IdentifierName:"native"}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=400): {"type":"mapper_parsing_exception","reason":"object mapping for [data.initiatedBy.app] tried to parse field [app] as object, but found a concrete value"}


ossec log


2024/09/23 16:46:15 wazuh-modulesd:ms-graph: WARNING: Received unsuccessful status code when attempting to get relationship 'riskDetections' logs: Status code was '400' & response was '{"error":{"code":"BadRequest","message":"Invalid filter clause: Could not find a property named 'createdDateTime' on type 'microsoft.graph.riskDetection'.","innerError":{"date":"2024-09-23T15:46:15","request-id":"2289cf89-389d-4d59-a3a4-21351bf5b2ff","client-request-id":"2289cf89-389d-4d59-a3a4-21351bf5b2ff"}}}'
2024/09/23 16:46:16 wazuh-modulesd:azure-logs: INFO: Finished Graphs log collection for request 'microsoft-entra_id'.
2024/09/23 16:46:17 wazuh-modulesd:azure-logs: INFO: Finished Graphs log collection for request 'azure-ad-graph'.
2024/09/23 16:46:17 wazuh-modulesd:azure-logs: INFO: Finished Graphs log collection for the domain 'contoso.onmicrosoft.com'.
2024/09/23 16:47:15 wazuh-modulesd:azure-logs: INFO: Starting fetching of logs.
2024/09/23 16:47:15 wazuh-modulesd:azure-logs: INFO: Starting Graphs log collection for the domain 'contoso.onmicrosoft.com'.
2024/09/23 16:47:15 wazuh-modulesd:ms-graph: INFO: Scanning tenant '205cb9c8-6d96-2818-9e13-61ec0376d06b'
2024/09/23 16:47:15 wazuh-modulesd:ms-graph: WARNING: Received unsuccessful status code when attempting to get relationship 'riskDetections' logs: Status code was '400' & response was '{"error":{"code":"BadRequest","message":"Invalid filter clause: Could not find a property named 'createdDateTime' on type 'microsoft.graph.riskDetection'.","innerError":{"date":"2024-09-23T15:47:15","request-id":"6737ae49-81b6-47dd-8394-6de42b1bc64c","client-request-id":"6737ae49-81b6-47dd-8394-6de42b1bc64c"}}}'
2024/09/23 16:47:16 wazuh-modulesd:azure-logs: INFO: Finished Graphs log collection for request 'microsoft-entra_id'.
2024/09/23 16:47:17 wazuh-modulesd:azure-logs: INFO: Finished Graphs log collection for request 'azure-ad-graph'.
2024/09/23 16:47:17 wazuh-modulesd:azure-logs: INFO: Finished Graphs log collection for the domain 'contoso.onmicrosoft.com'.

With this config
<graph>
  <auth_path>/var/ossec/wodles/azure/graph_credentials.txt</auth_path>
  <tenantdomain>restoreplc.onmicrosoft.com</tenantdomain>

  <request>
    <tag>microsoft-entra_id</tag>
    <query>auditLogs/signIns</query>
  </request>

  <request>
    <tag>azure-ad-graph</tag>
    <query>auditLogs/directoryAudits</query>
    <time_offset>1d</time_offset>
  </request>
</graph>

</wodle>


<!-- O365 and MS Graph API Logs Config -->
<!-- O365 Logs Config -->
<ossec_config>
  <office365>
    <enabled>yes</enabled>
    <interval>1m</interval>
    <curl_max_size>10M</curl_max_size>
    <only_future_events>yes</only_future_events>
    <api_auth>
      <tenant_id>xxx</tenant_id>
      <client_id>xxx</client_id>
      <client_secret>xxx</client_secret>
      <api_type>commercial</api_type>
    </api_auth>
    <subscriptions>
      <subscription>Audit.AzureActiveDirectory</subscription>
      <subscription>Audit.Exchange</subscription>
      <subscription>Audit.SharePoint</subscription>
    </subscriptions>
  </office365>
</ossec_config>

<!-- MS Graph API Logs Config -->

<ossec_config>
  <ms-graph>
    <enabled>yes</enabled>
    <only_future_events>yes</only_future_events>
    <curl_max_size>10M</curl_max_size>
    <run_on_start>yes</run_on_start>
    <interval>1m</interval>
    <version>v1.0</version>
    <api_auth>
      <client_id>xxx</client_id>
      <tenant_id>xxx</tenant_id>
      <secret_value>xxx</secret_value>
      <api_type>global</api_type>
    </api_auth>
    <resource>
      <name>security</name>
      <relationship>alerts_v2</relationship>
    </resource>
    <resource>
      <name>identityProtection</name>
      <relationship>riskDetections</relationship>
    </resource>
  </ms-graph>
</ossec_config>

Thanks in advance
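Added example (mine, not from the post above and not Wazuh's code): an ingest-side fix for the mapper_parsing_exception in the Filebeat log. The rejected events carry the string "null" in data.initiatedBy.app while wazuh-template maps that path as an object, and the posted rename processor only fires when the value already is a Map, which is the case that indexes fine. The processors below fire for the scalar case, move the value to a sibling field (app_name is my own name for it, an assumption) and drop the "null" placeholder. normalise_alert applies the same logic in Python to a trimmed copy of the first rejected event from the log so the effect can be checked offline, and would_be_rejected emulates the object-mapping check; the second sample event is constructed.

```python
"""Ingest-side fix for the 'found a concrete value' error on data.initiatedBy.app.

Added example, not code from the original post or from the Wazuh project.
Assumptions are marked inline.
"""
import copy
import json

# Painless condition for the ingest pipeline. It fires only when the field is
# present and is NOT an object; the posted processor used 'instanceof Map',
# which is the case that already indexes fine. The rejected events carry the
# string "null" here while wazuh-template maps data.initiatedBy.app as object.
SCALAR_APP_CONDITION = (
    "ctx.data?.initiatedBy?.app != null && "
    "!(ctx.data.initiatedBy.app instanceof Map)"
)


def build_pipeline_processors():
    """Processors to insert into the Wazuh alerts pipeline ahead of its final
    steps. 'app_name' is my own field name (assumption); it must not collide
    with a property declared under data.initiatedBy.app in the template."""
    return [
        {
            "rename": {
                "if": SCALAR_APP_CONDITION,
                "field": "data.initiatedBy.app",
                "target_field": "data.initiatedBy.app_name",
                "ignore_missing": True,
            }
        },
        {
            # The Azure wodle serialises absent values as the literal string
            # "null" (see "app":"null" and "displayName":"null" in the log).
            # Drop that placeholder instead of indexing it as an app name.
            "remove": {
                "if": "ctx.data?.initiatedBy?.app_name == 'null'",
                "field": "data.initiatedBy.app_name",
                "ignore_missing": True,
            }
        },
    ]


def would_be_rejected(alert):
    """Emulate the object-mapping check behind the 400: True when
    data.initiatedBy.app is present but is a concrete (non-object) value."""
    app = alert.get("data", {}).get("initiatedBy", {}).get("app")
    return app is not None and not isinstance(app, dict)


def normalise_alert(alert):
    """Apply the two processors above in Python to a decoded alert so the
    effect can be checked offline. Returns a new dict; the input is untouched."""
    alert = copy.deepcopy(alert)
    initiated_by = alert.get("data", {}).get("initiatedBy")
    if not isinstance(initiated_by, dict):
        return alert
    app = initiated_by.get("app")
    if app is not None and not isinstance(app, dict):   # rename step
        initiated_by["app_name"] = initiated_by.pop("app")
        if initiated_by["app_name"] == "null":           # remove step
            del initiated_by["app_name"]
    return alert


# Trimmed copy of the first rejected event from the Filebeat log above.
REJECTED_EVENT = json.loads(
    '{"timestamp":"2024-09-23T16:29:18.459+0100",'
    '"rule":{"level":3,"description":"Azure: AD ","id":"87802"},'
    '"data":{"id":"Directory_00000000-0000-0000-0000-000000000000_LPM4P_48984470",'
    '"category":"UserManagement","result":"failure","activityDisplayName":"Add user",'
    '"initiatedBy":{"app":"null","user":{"id":"1742b5fc-fb38-4453-ae49-78feeea943d0",'
    '"displayName":"null","userPrincipalName":"Sync_RESADC2...@contoso.onmicrosoft.com"}},'
    '"azure_tag":"azure-ad-graph"},"location":"Azure"}'
)

# Constructed event (not from the log) where app is the object Graph normally
# returns for app-initiated activity; the processors must leave it alone.
OBJECT_APP_EVENT = {
    "data": {
        "initiatedBy": {
            "app": {"appId": "00000000-0000-0000-0000-000000000001",
                    "displayName": "Example sync app"},
        }
    }
}


if __name__ == "__main__":
    print(json.dumps(build_pipeline_processors(), indent=2))
    print("rejected before:", would_be_rejected(REJECTED_EVENT),
          "after:", would_be_rejected(normalise_alert(REJECTED_EVENT)))
```

To use it, add the two processors to the pipeline definition shipped with the Wazuh Filebeat module (on a standard install that is /usr/share/filebeat/module/wazuh/alerts/ingest/pipeline.json, my understanding of the layout) and reload it with filebeat setup --pipelines; the object-mapped path then never receives a scalar. Changing wazuh-template to map data.initiatedBy.app as a keyword instead would reject the events where Graph returns the real object, so the pipeline is the safer place for this. The other "null" strings in the event (displayName, userType, homeTenantId) still index, but they are literal "null" values in dashboards until handled the same way.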

ofure....@wazuh.com

Sep 25, 2024, 9:34:18 AM
to Wazuh | Mailing List
Hi Leon

For context, please clarify what you were trying to achieve and what the challenge experienced was.

leon appel

Sep 25, 2024, 10:08:40 AM
to Wazuh | Mailing List
Hi Ofure

I am trying to ingest the riskdetections from ms-graph

<name>identityProtection</name>
<relationship>riskDetections</relationship>

Thanks

ofure....@wazuh.com

Sep 29, 2024, 6:53:02 PM
to Wazuh | Mailing List
Okay, thanks for clarifying.

To understand and isolate the challenge, can you please confirm the below
1. Are you currently receiving other MS-graph logs and the only issue is setting up risk detections?
2. During your integration, did you use the documentation on monitoring Microsoft Graph activity as a guide?

Please let me know

leon appel

Sep 29, 2024, 7:02:13 PM
to ofure....@wazuh.com, Wazuh | Mailing List
Hi Ofure

Yes, it's only riskDetections affected, and the guides were followed. I'm able to get the logs via the API directly but not via Wazuh.

Kind Regards 
Leon Appel 


ofure....@wazuh.com

Oct 3, 2024, 7:48:50 AM
to Wazuh | Mailing List
Hi Leon

The challenge seems to be that the createdDateTime field is missing from risk detection logs. According to this, createdDateTime is used as a filter while collecting the logs, but the logs associated with riskDetection do not appear to have that field, hence the break in logic.

Please raise an issue using the link below:

leon appel

Oct 3, 2024, 7:55:07 AM
to ofure....@wazuh.com, Wazuh | Mailing List
Hi Ofure

I have been informed that this issue will be resolved in version 4.9.1 at the end of October.

Kind Regards 
Leon Appel 
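Added example (mine, not from the thread and not Wazuh's code) to confirm the diagnosis in the Oct 3 reply without going through the module. The request the module appears to send, inferred from the logged 400, filters on createdDateTime; microsoft.graph.riskDetection has no such property, it exposes activityDateTime, detectedDateTime and lastUpdatedDateTime, while security/alerts_v2 objects do carry createdDateTime. build_graph_url builds the same kind of $filter (the exact URL shape the module uses is my assumption), parse_invalid_filter_error pulls the missing property and type out of the 400 body copied from ossec.log, and graph_get performs the request only if you supply a bearer token. detectedDateTime is my choice of property for riskDetections; which one fits your collection window is a decision for you.

```python
"""Reproduce the ms-graph riskDetections 400 outside Wazuh and parse the error.

Added example, not code from the post or from the Wazuh project.
Assumptions are marked inline.
"""
import json
import os
import re
import urllib.error
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

GRAPH = "https://graph.microsoft.com"

# Time property to filter on for each relationship in the posted config.
# security/alerts_v2 objects carry createdDateTime; riskDetection does not.
# detectedDateTime is my choice for riskDetections (assumption; activityDateTime
# or lastUpdatedDateTime may suit other collection windows).
TIME_PROPERTY = {
    ("security", "alerts_v2"): "createdDateTime",
    ("identityProtection", "riskDetections"): "detectedDateTime",
}


def parse_offset(offset):
    """'1d', '12h', '30m' (the <time_offset> syntax in the config) -> timedelta."""
    m = re.fullmatch(r"(\d+)([dhm])", offset)
    if not m:
        raise ValueError(f"bad offset {offset!r}")
    unit = {"d": "days", "h": "hours", "m": "minutes"}[m.group(2)]
    return timedelta(**{unit: int(m.group(1))})


def build_graph_url(resource, relationship, since, version="v1.0", time_property=None):
    """'<version>/<resource>/<relationship>?$filter=<prop> gt <since>' (URL shape
    is my assumption). since must be timezone-aware; Graph wants UTC with a Z."""
    if since.tzinfo is None:
        raise ValueError("since must be timezone-aware")
    prop = time_property or TIME_PROPERTY[(resource, relationship)]
    stamp = since.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    clause = urllib.parse.quote(f"{prop} gt {stamp}", safe=":")
    return f"{GRAPH}/{version}/{resource}/{relationship}?$filter={clause}"


def parse_invalid_filter_error(body):
    """(property, type) from a Graph 'Invalid filter clause' 400 body, else None."""
    err = json.loads(body).get("error", {})
    m = re.search(r"Could not find a property named '([^']+)' on type '([^']+)'",
                  err.get("message", ""))
    if err.get("code") != "BadRequest" or not m:
        return None
    return m.group(1), m.group(2)


def graph_get(url, token=None, timeout=30):
    """GET url with a bearer token (env GRAPH_TOKEN by default) and return
    (status, parsed body). A 400 is returned rather than raised so the caller
    can inspect the filter error."""
    token = token or os.environ.get("GRAPH_TOKEN")
    if not token:
        raise RuntimeError("set GRAPH_TOKEN to a client-credentials token for the app")
    req = urllib.request.Request(
        url, headers={"Authorization": f"Bearer {token}", "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as e:
        return e.code, json.load(e)


# The 400 body from ossec.log above, verbatim.
RESPONSE_400 = """{"error":{"code":"BadRequest","message":"Invalid filter clause: Could not find a property named 'createdDateTime' on type 'microsoft.graph.riskDetection'.","innerError":{"date":"2024-09-23T15:46:15","request-id":"2289cf89-389d-4d59-a3a4-21351bf5b2ff","client-request-id":"2289cf89-389d-4d59-a3a4-21351bf5b2ff"}}}"""

# Constructed: the logged request time minus the config's 1d offset.
SAMPLE_SINCE = datetime(2024, 9, 22, 15, 46, 15, tzinfo=timezone.utc)


if __name__ == "__main__":
    since = datetime.now(timezone.utc) - parse_offset("1d")
    broken = build_graph_url("identityProtection", "riskDetections", since,
                             time_property="createdDateTime")
    fixed = build_graph_url("identityProtection", "riskDetections", since)
    print("filter as the module appears to send it:", broken)
    print("filter on an existing property:         ", fixed)
    print("parsed from the logged 400:", parse_invalid_filter_error(RESPONSE_400))
    if os.environ.get("GRAPH_TOKEN"):
        for url in (broken, fixed):
            status, body = graph_get(url)
            detail = (parse_invalid_filter_error(json.dumps(body)) if status == 400
                      else f"{len(body.get('value', []))} detections")
            print(status, detail)
```

Run it with a token from the same app registration the guide had you create (IdentityRiskEvent.Read.All is what riskDetections needs) and the first URL reproduces the module's 400 while the second returns data, which is the same split Leon saw between the direct API and Wazuh.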
