Can't get ms-graph to obtain logs


Joaquim António

Jan 12, 2026, 1:02:31 PM
to Wazuh | Mailing List
Hello Wazuh team,

I am having issues configuring the ms-graph integration. I am following this documentation on the wazuh-server: https://documentation.wazuh.com/current/cloud-security/azure/ms-graph-api-setup.html#wazuh-server-or-agent

Here is my current configuration:

```
<ms-graph>
    <enabled>yes</enabled>
    <only_future_events>yes</only_future_events>
    <curl_max_size>100M</curl_max_size>
    <run_on_start>no</run_on_start>
    <interval>5m</interval>
    <version>v1.0</version>
    <api_auth>
      <client_id>REDACTED</client_id>
      <tenant_id>REDACTED</tenant_id>
      <secret_value>REDACTED</secret_value>
      <api_type>global</api_type>
    </api_auth>
    <resource>
      <name>auditLogs</name>
      <relationship>signIns</relationship>
    </resource>
    <resource>
      <name>security</name>
      <relationship>alerts_v2</relationship>
    </resource>
</ms-graph>
```

Just to check if it was an authentication issue, I tried putting wrong credentials in the configuration, and as expected, ossec.log threw a warning:

wazuh-modulesd:ms-graph: WARNING: Received unsuccessful status code when attempting to obtain access token: Status code was '401' & response was [etc]

Putting the correct credentials back in, the logs don't give any error, the only logs from this module are:

wazuh-modulesd:ms-graph[251852] wm_ms_graph.c:103 at wm_ms_graph_main(): INFO: Scanning tenant REDACTED

If I enable wazuh_modules.debug, additionally I only have this log:

wazuh-modulesd:ms-graph[251852] wm_ms_graph.c:394 at wm_ms_graph_scan_relationships(): DEBUG: No new logs received.

I already configured this integration but in another security solution, so the permissions are already set in Azure, and I am currently using the same credentials in the Wazuh integration for authenticating in the Graph API. If I curl for the events manually in the server where Wazuh is installed:

Obtaining the token:

```
curl --location "https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/token" \
  --data "client_id=<CLIENT_ID>&scope=https://graph.microsoft.com/.default&client_secret=<CLIENT_SECRET>&grant_type=client_credentials"
```

Retrieving the events:

```
curl -X GET \
  -H "Authorization: Bearer OBTAINED_TOKEN" \
  -H "Content-Type: application/json" \
  "https://graph.microsoft.com/v1.0/auditLogs/signIns"
```

I successfully retrieve the events. Additionally, the other security solution is receiving the events. Here is the configuration for the other solution:

# cat config.yaml
REDACTED
apis:
  - name: microsoft graph
    type: azure_graph
    azure_ad_tenant_id: REDACTED
    azure_ad_client_id: REDACTED
    azure_ad_secret_value: REDACTED
    data_request:
      url: https://graph.microsoft.com/v1.0/auditLogs/signIns
    additional_fields:
      type: Microsoft-Graph
      client: REDACTED
      service: Audit 
    scrape_interval: 1
    days_back_fetch: 2

# cat config.yaml
REDACTED

apis:
  - name: microsoft graph
    type: azure_graph
    azure_ad_tenant_id: REDACTED
    azure_ad_client_id: REDACTED
    azure_ad_secret_value: REDACTED
    data_request:
      url: https://graph.microsoft.com/v1.0/security/alerts_v2    
    additional_fields:
      type: Microsoft-Graph
      client: REDACTED
      service: Defender 
    scrape_interval: 1
    days_back_fetch: 2

So I am assuming there is something wrong with my configuration, but I can't figure out what it is. Does anyone know why, with my current configuration, the integration is authenticating correctly but not finding any logs?

Thank you in advance.

Best regards,
Joaquim Antonio
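
The two curl calls in the message above, carried through in Python as an added example (this is not code from the post or from Wazuh). It obtains a client-credentials token and then pulls the sign-in logs for a lookback window, following the `@odata.nextLink` that Graph returns when a result set spans several pages; a manual count that stops at the first page, as the single curl call does, undercounts. Assumptions not present in the original: the tenant id, client id and secret are read from the environment variables GRAPH_TENANT_ID, GRAPH_CLIENT_ID and GRAPH_CLIENT_SECRET, the default window is 24 hours, and the HTTP fetcher is injected so the paging logic can be exercised offline with constructed pages.

```python
"""Fetch Microsoft Graph sign-in logs with the client-credentials flow.

Added example (not from the original post or from Wazuh). Assumed environment
variables: GRAPH_TENANT_ID, GRAPH_CLIENT_ID, GRAPH_CLIENT_SECRET.
"""
import json
import os
import sys
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_URL = "https://graph.microsoft.com/v1.0/auditLogs/signIns"


def token_request(tenant_id, client_id, client_secret):
    """Build the token POST (URL, form body) for the client-credentials grant."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "scope": "https://graph.microsoft.com/.default",
        "client_secret": client_secret,
        "grant_type": "client_credentials",
    })
    return TOKEN_URL.format(tenant=tenant_id), body


def signins_url(since):
    """First page URL for sign-ins created at or after `since` (aware datetime)."""
    stamp = since.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return GRAPH_URL + "?$filter=" + urllib.parse.quote(f"createdDateTime ge {stamp}")


def http_json(url, headers=None, data=None):
    """Minimal HTTPS helper: POST when `data` is given, otherwise GET; returns parsed JSON."""
    req = urllib.request.Request(url, data=data, headers=headers or {})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def fetch_all_pages(fetch_json, first_url):
    """Follow @odata.nextLink until the last page; `fetch_json(url)` must return a dict.

    The fetcher is injected so this can run offline against constructed pages.
    Returns (events, number_of_pages_read).
    """
    events, url, pages = [], first_url, 0
    while url:
        page = fetch_json(url)
        events.extend(page.get("value", []))
        url = page.get("@odata.nextLink")  # absent on the last page
        pages += 1
    return events, pages


def get_token(tenant_id, client_id, client_secret):
    url, body = token_request(tenant_id, client_id, client_secret)
    return http_json(url, data=body.encode())["access_token"]


def main(hours_back=24):
    tenant = os.environ["GRAPH_TENANT_ID"]
    token = get_token(tenant, os.environ["GRAPH_CLIENT_ID"], os.environ["GRAPH_CLIENT_SECRET"])
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    since = datetime.now(timezone.utc) - timedelta(hours=hours_back)
    events, pages = fetch_all_pages(lambda u: http_json(u, headers=headers), signins_url(since))
    print(f"{len(events)} sign-in events across {pages} page(s) since {since.isoformat()}")
    return events


if __name__ == "__main__":
    main(int(sys.argv[1]) if len(sys.argv) > 1 else 24)
```

Run it with the lookback in hours as the only argument; keeping the secret in an environment variable rather than on the command line keeps it out of the shell history, the same concern raised later in this thread for the credentials file.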

Isaiah Daboh

Jan 12, 2026, 2:18:58 PM
to Wazuh | Mailing List
Hello,

I am taking a look at this. I will revert shortly.

Regards

Isaiah Daboh

Jan 12, 2026, 3:01:08 PM
to Wazuh | Mailing List
Hello,

The configuration shared looks good, and the fact that there is no error or warning is a good sign.

However, you can troubleshoot this issue by temporarily setting `only_future_events` to no.  Changing the setting to `no` to pull historical data helps us rule out likely polling delay due to no future events or a network issue.

```
<ms-graph>
    <enabled>yes</enabled>
    <only_future_events>no</only_future_events>
```

Restart Wazuh manager

`# systemctl restart wazuh-manager`

With debugging enabled, recheck the logs to confirm that historical logs were pulled.

Alternatively, after setting `only_future_events`, you can test the integration manually without waiting for the scheduled interval, using the underlying Python script, by following the steps below:

  • To prevent the secret from being part of bash history, save the id and key in `/var/ossec/wodles/azure/credentials`. The format should be `application_id = <ID>` and `application_key = <KEY>` on separate lines.
  • Run the command as root:
              `/var/ossec/wodles/azure/azure-logs --graph --graph_auth_path /var/ossec/wodles/azure/credentials --graph_tenant_domain "yourdomain.com" --graph_query "auditLogs/signIns" --debug 2`

Please let me know if this was helpful.

Regards,

Joaquim António

Jan 13, 2026, 5:18:15 AM
to Wazuh | Mailing List
Hello,

Thank you for your help! The logs now show up in archives.log, but they are not in the dashboard. This is after I increased the rule level of the base rule to show up in the dashboard, and restarted the server. I overwrote it in local_rules.xml like this:

```
<group name="ms-graph">

  <rule id="99500" level="3" overwrite="yes">
    <decoded_as>json-msgraph</decoded_as>
    <field name="integration">ms-graph</field>
    <description>MS Graph message: Microsoft graph messages grouped.</description>
  </rule>

</group>
```

Pasting one of the retrieved logs in /var/ossec/bin/wazuh-logtest also shows that it parses correctly and triggers the rule above as expected, but it does not show up in the dashboard. What could be the issue?

Thank you in advance.

Best regards,
Joaquim Antonio

Isaiah Daboh

Jan 14, 2026, 1:49:54 AM
to Wazuh | Mailing List
Hello,

The alerts should be on the dashboard if the logs are correctly processed from the Logtest like you mentioned.

No logs on the dashboard could be a problem with your filter. Please take the following steps to verify that the logs are correctly processed.

  • Check alerts.json for ms-graph related logs:
      # cat /var/ossec/logs/alerts/alerts.json | grep ms-graph
  • If there is no ms-graph related alert, then you need to review your custom rules. 
  • If there is any ms-graph related alert but not visible on the dashboard then this will have to do with your filter. Please share screenshot of your dashboard masking any sensitive info.
Note:  Please make sure that your dashboard filter is NOT set to "Hide Manager Alerts," else the logs will be hidden.




Regards,

Joaquim António

Jan 14, 2026, 5:01:05 AM
to Wazuh | Mailing List
Hello,


I found out it could be due to filebeat expecting a keyword for the status field, but the data received would be better fitted as an object. Here are the steps I took in case anyone else may have the same issue with the ms-graph module:

1) Editing /etc/filebeat/wazuh-template.json, and changing the ms-graph.status from keyword to an object, so replacing this:

"status": {
  "type": "keyword"
}

with this:

"status": {
  "type": "object"
}

2) Applying the changes:

# filebeat setup --pipelines
# filebeat setup --index-management -E output.logstash.enabled=false
# systemctl daemon-reload
# systemctl restart filebeat
# systemctl restart wazuh-manager
# systemctl restart wazuh-indexer

3) Waiting for the next day, since apparently it only applied for the next index, which was the next day.
 

Best regards,
Joaquim Antonio
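
A check that finds the kind of mismatch described in the message above before the indexer rejects documents, as an added example that is not part of the original post and not Wazuh code. The post fixed one field, `status`, by hand; this script walks the whole `properties` tree of the Filebeat template and compares it with the structure of a real event, reporting every field where the event carries a JSON object but the template maps a leaf type such as `keyword`, and the reverse case. The template excerpt and the sign-in event embedded below are constructed for the example and assume the ms-graph fields sit under `mappings.properties.data.properties.ms-graph`; in practice pass `/etc/filebeat/wazuh-template.json` and an event taken from the archives as the two arguments.

```python
"""Check an ms-graph event against the Filebeat index template for type conflicts.

Added example (not from the original post or from Wazuh). TEMPLATE and EVENT
are constructed; the nesting under data.ms-graph is an assumption.
"""
import copy
import json
import sys

OBJECT_TYPES = {"object", "nested"}

# Constructed excerpt of the template (assumption: only the fields needed here).
TEMPLATE = {"mappings": {"properties": {"data": {"properties": {"ms-graph": {"properties": {
    "id": {"type": "keyword"},
    "createdDateTime": {"type": "date"},
    "userPrincipalName": {"type": "keyword"},
    "status": {"type": "keyword"},
    "location": {"properties": {"city": {"type": "keyword"}}},
}}}}}}}

# Constructed sign-in event as the module would hand it to the indexer (trimmed).
EVENT = {"integration": "ms-graph", "data": {"ms-graph": {
    "id": "0000", "createdDateTime": "2026-01-12T12:00:00Z",
    "userPrincipalName": "user@example.com",
    "status": {"errorCode": 0, "failureReason": "Other."},
    "location": {"city": "Lisbon", "countryOrRegion": "PT"},
}}}


def find_conflicts(props, value, path=()):
    """Return [(dotted.field, mapped_type, event_kind)] for every mismatch.

    event_kind is "object" when the event has a nested object where the template
    maps a leaf, and "scalar" when the template expects an object but the event
    carries a scalar. Fields absent from the template are skipped: dynamic
    mapping decides those, so they cannot conflict with the template itself.
    """
    conflicts = []
    for name, val in value.items():
        spec = props.get(name)
        if spec is None:
            continue
        mapped = spec.get("type")
        is_object_spec = "properties" in spec or mapped in OBJECT_TYPES
        dotted = ".".join(path + (name,))
        if isinstance(val, dict):
            if is_object_spec:
                conflicts.extend(find_conflicts(spec.get("properties", {}), val, path + (name,)))
            else:
                conflicts.append((dotted, mapped, "object"))
        elif is_object_spec:
            conflicts.append((dotted, mapped or "object", "scalar"))
    return conflicts


def check_template(template, event):
    return find_conflicts(template["mappings"]["properties"], event)


def fix_template(template, conflicts):
    """Copy of the template with each leaf-vs-object conflict re-typed as object.

    Only the "object" kind is fixed automatically, which is the change the post
    made for "status"; a "scalar" kind needs a human to choose the leaf type.
    """
    fixed = copy.deepcopy(template)
    for dotted, _mapped, kind in conflicts:
        if kind != "object":
            continue
        node = fixed["mappings"]["properties"]
        parts = dotted.split(".")
        for part in parts[:-1]:
            node = node[part]["properties"]
        node[parts[-1]] = {"type": "object"}
    return fixed


def main(argv):
    if len(argv) == 3:
        with open(argv[1]) as f:
            template = json.load(f)
        with open(argv[2]) as f:
            event = json.load(f)
    else:
        template, event = TEMPLATE, EVENT
    conflicts = check_template(template, event)
    for dotted, mapped, kind in conflicts:
        print(f"{dotted}: template type '{mapped}', event carries a {kind}")
    if not conflicts:
        print("no type conflicts")
    return conflicts


if __name__ == "__main__":
    main(sys.argv)
```

Keep in mind the point made in the post: an index template only applies when a new index is created, so after reloading the template with `filebeat setup --index-management` the already existing daily index keeps its old mapping until the next one is created.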

Isaiah Daboh

Jan 19, 2026, 6:21:59 PM
to Wazuh | Mailing List
Hello Joaquim,

Kindly confirm the issue has been resolved.

Regards,



Joaquim António

Jan 20, 2026, 11:12:55 AM
to Wazuh | Mailing List
Hello Isaiah,

Thank you for checking in. The issue was resolved in the sense that MS-Graph events now show up on the dashboard. However, the number of them, within the same time frame, is always much lower than in the other tool we have. For instance, in the last 24h, we have 15 events of this type in Wazuh, while in the other solution we have 64. Is this an issue with Microsoft Graph API, or is there anything I need to do from the Wazuh server side?


Best regards,
Joaquim Antonio

Isaiah Daboh

Jan 20, 2026, 2:35:05 PM
to Wazuh | Mailing List
Hello Joaquim,

Please can you validate the following:

  • Are the logs delayed or completely missing?
  • The expected logs from your config are the 'signIn logs'; is this the same with the other tools, or do you have other log types?
  • Do you have the same results when you try the manual approach stated earlier?
                Run the command as root:
              `/var/ossec/wodles/azure/azure-logs --graph --graph_auth_path /var/ossec/wodles/azure/credentials --graph_tenant_domain "yourdomain.com" --graph_query "auditLogs/signIns" --debug 2`

Regards,

Joaquim António

Jan 21, 2026, 1:05:26 PM
to Wazuh | Mailing List
Hello,

After changing the frequency of the queries, from <interval>5m</interval> to <interval>1h</interval>, I receive all the logs. We can consider this issue as resolved. Thank you for your feedback and help.

Best regards,
Joaquim Antonio