Can't get ms-graph to obtain logs

Joaquim António

Jan 12, 2026, 1:02:31 PM (12 hours ago) Jan 12
to Wazuh | Mailing List
Hello Wazuh team,

I am having issues configuring the ms-graph integration. I am following this documentation on the wazuh-server: https://documentation.wazuh.com/current/cloud-security/azure/ms-graph-api-setup.html#wazuh-server-or-agent

Here is my current configuration:

```
<ms-graph>
  <enabled>yes</enabled>
  <only_future_events>yes</only_future_events>
  <curl_max_size>100M</curl_max_size>
  <run_on_start>no</run_on_start>
  <interval>5m</interval>
  <version>v1.0</version>
  <api_auth>
    <client_id>REDACTED</client_id>
    <tenant_id>REDACTED</tenant_id>
    <secret_value>REDACTED</secret_value>
    <api_type>global</api_type>
  </api_auth>
  <resource>
    <name>auditLogs</name>
    <relationship>signIns</relationship>
  </resource>
  <resource>
    <name>security</name>
    <relationship>alerts_v2</relationship>
  </resource>
</ms-graph>
```

Just to check if it was an authentication issue, I tried putting wrong credentials in the configuration, and as expected, ossec.log threw a warning:

```
wazuh-modulesd:ms-graph: WARNING: Received unsuccessful status code when attempting to obtain access token: Status code was '401' & response was [etc]
```

Putting the correct credentials back in, the logs don't give any error, the only logs from this module are:

```
wazuh-modulesd:ms-graph[251852] wm_ms_graph.c:103 at wm_ms_graph_main(): INFO: Scanning tenant REDACTED
```

If I enable wazuh_modules.debug, additionally I only have this log:

```
wazuh-modulesd:ms-graph[251852] wm_ms_graph.c:394 at wm_ms_graph_scan_relationships(): DEBUG: No new logs received.
```

I already configured this integration but in another security solution, so the permissions are already set in Azure, and I am currently using the same credentials in the Wazuh integration for authenticating in the Graph API. If I curl for the events manually in the server where Wazuh is installed:

Obtaining the token:

```
curl --location 'https://login.microsoftonline.com/<TENNANT_ID>/oauth2/v2.0/token' --data 'client_id=<CLIENT_ID>&scope=https://graph.microsoft.com/.default&client_secret=<CLIENT_SECRET>&grant_type=client_credentials'
```

Retrieving the events:

```
curl -X GET \
  -H "Authorization: Bearer OBTAINED_TOKEN" \
  -H "Content-Type: application/json" \
  "https://graph.microsoft.com/v1.0/auditLogs/signIns"
```

I successfully retrieve the events. Additionally, the other security solution is receiving the events. Here is the configuration for the other solution:

```
# cat config.yaml
REDACTED
apis:
  - name: microsoft graph
    type: azure_graph
    azure_ad_tenant_id: REDACTED
    azure_ad_client_id: REDACTED
    azure_ad_secret_value: REDACTED
    data_request:
      url: https://graph.microsoft.com/v1.0/auditLogs/signIns
    additional_fields:
      type: Microsoft-Graph
      client: REDACTED
      service: Audit
    scrape_interval: 1
    days_back_fetch: 2
```

```
# cat config.yaml
REDACTED

apis:
  - name: microsoft graph
    type: azure_graph
    azure_ad_tenant_id: REDACTED
    azure_ad_client_id: REDACTED
    azure_ad_secret_value: REDACTED
    data_request:
      url: https://graph.microsoft.com/v1.0/security/alerts_v2
    additional_fields:
      type: Microsoft-Graph
      client: REDACTED
      service: Defender
    scrape_interval: 1
    days_back_fetch: 2
```

So I am assuming there is something wrong with my configuration, but I can't figure out what it is. Does anyone know why, with my current configuration, the integration is authenticating correctly but not finding any logs?

Thank you in advance.

Best regards,
Joaquim Antonio

Isaiah Daboh

Jan 12, 2026, 2:18:58 PM (11 hours ago) Jan 12
to Wazuh | Mailing List
Hello,

I am taking a look at this. I will revert shortly.

Regards

Isaiah Daboh

Jan 12, 2026, 3:01:08 PM (10 hours ago) Jan 12
to Wazuh | Mailing List
Hello,

The configuration shared looks good, and the fact that there is no error or warning is a good sign.

However, you can troubleshoot this issue by temporarily setting `only_future_events` to `no`. Changing the setting to `no` to pull historical data helps us rule out a likely polling delay due to no future events or a network issue.

```
<ms-graph>
  <enabled>yes</enabled>
  <only_future_events>no</only_future_events>
```

Restart Wazuh manager

`# systemctl restart wazuh-manager`

With debugging enabled, recheck the logs to confirm that historical logs were pulled.

Alternatively, after setting `only_future_events`, you can manually test the integration without waiting for the scheduled interval, using the underlying Python script, by following the steps below:

  • To prevent the secret from being part of bash history, save the id and key in `/var/ossec/wodles/azure/credentials`. The format should be `application_id = <ID>` and `application_key = <KEY>` on separate lines.
  • Run the command as root:
    `/var/ossec/wodles/azure/azure-logs --graph --graph_auth_path /var/ossec/wodles/azure/credentials --graph_tenant_domain "yourdomain.com" --graph_query "auditLogs/signIns" --debug 2`

Please let me know if this was helpful.

Regards,
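A worked version of the two checks in this thread, added here as an example (it is not Wazuh's code nor the `azure-logs` script): it performs the same client-credentials token request as the curl command in the first post, then queries `auditLogs/signIns` and `security/alerts_v2` with a `createdDateTime` window so that the effect of `only_future_events` can be reproduced from the command line. A window of 0 hours asks only for records created from now on, which is why a freshly started module with `only_future_events=yes` legitimately logs "No new logs received" until a new sign-in or alert happens; a window of, say, 48 hours corresponds to the "pull historical data" test suggested above. The `$filter` expression is my own reproduction of that window, not necessarily the exact query the module builds, and the environment variable names `MSGRAPH_TENANT_ID`, `MSGRAPH_CLIENT_ID` and `MSGRAPH_CLIENT_SECRET` are assumptions chosen so the secret never lands in shell history.

```python
"""Token + Graph query check with an explicit createdDateTime window.

Usage (credentials via environment variables, names assumed for this example):
  MSGRAPH_TENANT_ID=... MSGRAPH_CLIENT_ID=... MSGRAPH_CLIENT_SECRET=... \
      python graph_check.py 48      # look back 48 hours (only_future_events=no)
  python graph_check.py 0           # nothing older than now (only_future_events=yes)
"""
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

GRAPH_BASE = "https://graph.microsoft.com"
LOGIN_BASE = "https://login.microsoftonline.com"


def build_token_request(tenant_id, client_id, client_secret):
    """URL and form body of the client_credentials grant (same as the curl in the thread)."""
    url = f"{LOGIN_BASE}/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "scope": f"{GRAPH_BASE}/.default",
        "client_secret": client_secret,
        "grant_type": "client_credentials",
    })
    return url, body


def build_query_url(resource, relationship, version="v1.0", since=None):
    """Graph URL for <resource>/<relationship>; `since` (aware datetime) adds an
    OData $filter so only records created at or after that instant are returned."""
    url = f"{GRAPH_BASE}/{version}/{resource}/{relationship}"
    if since is not None:
        stamp = since.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        # quote (not quote_plus) so spaces become %20, which Graph accepts in filters
        url += "?" + urllib.parse.urlencode(
            {"$filter": f"createdDateTime ge {stamp}"}, quote_via=urllib.parse.quote)
    return url


def summarize_page(page):
    """Count the records on one Graph response page and pick up the paging link."""
    records = page.get("value", [])
    return {
        "count": len(records),
        "newest": max((r.get("createdDateTime", "") for r in records), default=None),
        "next_link": page.get("@odata.nextLink"),
    }


def _post_form(url, body):
    # urllib sends application/x-www-form-urlencoded by default for str-encoded data
    req = urllib.request.Request(url, data=body.encode(), method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def _get_json(url, token):
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def fetch_count(resource, relationship, token, since=None, max_pages=10):
    """Follow @odata.nextLink and return how many records fall inside the window."""
    url = build_query_url(resource, relationship, since=since)
    total = pages = 0
    while url and pages < max_pages:
        summary = summarize_page(_get_json(url, token))
        total += summary["count"]
        url, pages = summary["next_link"], pages + 1
    return total


def main():
    tenant = os.environ["MSGRAPH_TENANT_ID"]
    client = os.environ["MSGRAPH_CLIENT_ID"]
    secret = os.environ["MSGRAPH_CLIENT_SECRET"]
    hours = int(sys.argv[1]) if len(sys.argv) > 1 else 0
    since = datetime.now(timezone.utc) - timedelta(hours=hours)
    token_url, body = build_token_request(tenant, client, secret)
    try:
        token = _post_form(token_url, body)["access_token"]
    except urllib.error.HTTPError as err:
        # mirrors the ossec.log WARNING for a bad secret: status 401 from the token endpoint
        print(f"token request failed: HTTP {err.code}")
        sys.exit(1)
    for res, rel in (("auditLogs", "signIns"), ("security", "alerts_v2")):
        n = fetch_count(res, rel, token, since=since)
        print(f"{res}/{rel}: {n} record(s) created since {since:%Y-%m-%dT%H:%M:%SZ}")


if __name__ == "__main__":
    main()
```

If the 0-hour run returns nothing while the 48-hour run returns records, authentication and permissions are fine and the module is simply waiting for events newer than its start time; if both return records but the module still reports "No new logs received", the problem is on the Wazuh side rather than in Azure.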