Installing Wazuh’s MS-Graph API Integration – Transitioning from O365 Integration

As someone who’s been working with Wazuh for a while, I’ve come to rely on its powerful capabilities for monitoring and security. Initially, I had the Office 365 (O365) integration enabled in my Wazuh setup. However, I quickly realized that my needs went beyond what O365 integration could offer. Specifically, I wanted to track user logins that bypassed Multi-Factor Authentication (MFA). Despite my best efforts, the O365 integration fell short in delivering the detailed information I needed.

This led me down a rabbit hole, where I discovered that Wazuh offers two different integrations for Office 365 services: the O365 integration and the Microsoft Graph API (MS-Graph) integration. The MS-Graph integration is newer and, as it turns out, better suited for capturing detailed security data, such as MFA usage during login events.

Realizing the Need for MS-Graph API Integration

At first glance, it wasn’t obvious that one might need to use both integrations, or perhaps even switch entirely to MS-Graph. The documentation could have been clearer on this, but after much digging and forum searching, I discovered that the MS-Graph API integration provides access to a broader set of data, including critical security logs that the O365 integration does not cover. I had previously toyed with the MS Graph developer explorer online (https://developer.microsoft.com/en-us/graph/graph-explorer), and this was very helpful in figuring out whether the documentation I was following was accurate, and whether any ChatGPT suggestions were out of whack.

My Initial Setup with MS-Graph

After realizing that MS-Graph was the way to go, I decided to set it up. Below is a sample configuration that I used in my ossec.conf file (note that this is not a working version, as you will see below):

<ms-graph>
    <enabled>yes</enabled>
    <only_future_events>no</only_future_events>
    <curl_max_size>10M</curl_max_size>
    <run_on_start>yes</run_on_start>
    <interval>1m</interval>
    <version>v1.0</version>
    <api_auth>
        <tenant_id>xyz</tenant_id>
        <client_id>xyz</client_id>
        <secret_value>xyz</secret_value>
        <api_type>global</api_type>
    </api_auth>
    <resource>
        <name>security</name>
        <relationship>alerts_v2</relationship>
        <relationship>incidents</relationship>
        <relationship>threatIntelligence</relationship>
    </resource>
    <resource>
        <name>auditLogs</name>
        <relationship>signIns</relationship>
        <relationship>provisioning</relationship>
    </resource>
</ms-graph>

This configuration is pretty straightforward, but there’s a catch. For each resource you configure, you also need to enable the corresponding API permissions in Microsoft Entra (formerly Azure AD). This step is crucial, as without the correct permissions, Wazuh won’t be able to pull the data you need.

The Frustrating Forbidden Error

After setting up the configuration and approving all necessary permissions in Entra, I hit a wall. I kept getting the following error in Wazuh:

Received unsuccessful status code when attempting to get relationship 'alerts_v2' logs: Status code was '403' & response was '{"error":{"code":"Forbidden","message":"Missing application roles. API required roles: SecurityAlert.Read.All,SecurityAlert.ReadWrite.All,SecurityIncident.Read.All,SecurityIncident.ReadWrite.All"}}

This error was frustrating, to say the least. After digging deeper, I realized that not all endpoints were supported by the MS-Graph API integration in Wazuh. I had to simplify my configuration by limiting it to only alerts, incidents, and signIns (originally I had also tried to add “Users”, “Provisioning”, and “Threat Intelligence”). This adjustment finally got it working, but with a caveat: I only received one alert.

    <resource>
        <name>security</name>
        <relationship>alerts_v2</relationship>
        <relationship>incidents</relationship>
    </resource>
    <resource>
        <name>auditLogs</name>
        <relationship>signIns</relationship>
    </resource>
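As an added check (my own example, not code from the original post or from Wazuh), the script below parses the <ms-graph> block from ossec.conf and the Wazuh "Status code was '403'" log lines, and joins them into a per-relationship list of the application roles Graph reported as missing, which is the checklist to compare against the API permissions granted to the app registration in Entra. The first log line is the one from the post; the second line and the AuditLog.Read.All role in it are constructed for illustration.

```python
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample: the trimmed <ms-graph> block from the post.
OSSEC_CONF = """<ms-graph>
  <resource><name>security</name>
    <relationship>alerts_v2</relationship><relationship>incidents</relationship></resource>
  <resource><name>auditLogs</name><relationship>signIns</relationship></resource>
</ms-graph>"""

# Constructed sample log: line 1 is the 403 from the post; line 2 is made up
# to show a second relationship (its role name is illustrative, not from the post).
WAZUH_LOG = """\
Received unsuccessful status code when attempting to get relationship 'alerts_v2' logs: Status code was '403' & response was '{"error":{"code":"Forbidden","message":"Missing application roles. API required roles: SecurityAlert.Read.All,SecurityAlert.ReadWrite.All,SecurityIncident.Read.All,SecurityIncident.ReadWrite.All"}}
Received unsuccessful status code when attempting to get relationship 'signIns' logs: Status code was '403' & response was '{"error":{"code":"Forbidden","message":"Missing application roles. API required roles: AuditLog.Read.All"}}'
"""

LOG_RE = re.compile(
    r"relationship '(?P<rel>[^']+)' logs: Status code was '(?P<status>\d+)' & response was '(?P<body>.*)$"
)

def configured_relationships(conf_xml):
    """Return {relationship: resource name} for every <resource> in the <ms-graph> block."""
    out = {}
    for res in ET.fromstring(conf_xml).iter("resource"):
        name = res.findtext("name")
        for rel in res.findall("relationship"):
            out[rel.text.strip()] = name
    return out

def missing_roles_from_log(log_text):
    """Map relationship -> roles Graph listed in a 403 'Missing application roles' body."""
    found = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m.group("status") != "403":
            continue
        try:  # the response body may not always be JSON; skip lines we cannot parse
            msg = json.loads(m.group("body").rstrip("'"))["error"]["message"]
        except (ValueError, KeyError):
            continue
        roles = re.search(r"API required roles:\s*(.+)$", msg)
        if roles:
            found[m.group("rel")] = [r.strip() for r in roles.group(1).split(",")]
    return found

def permission_checklist(conf_xml, log_text):
    """For each configured relationship, the roles Graph said would satisfy the call."""
    missing = missing_roles_from_log(log_text)
    return {rel: {"resource": res, "accepted_roles": missing.get(rel, [])}
            for rel, res in configured_relationships(conf_xml).items()}
```

Relationships that appear in the config with an empty role list either succeeded or never reached the 403 stage, so they still need to be checked against the Entra permission list by hand.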

Fine-Tuning the Configuration

With the integration technically working, I noticed that I was still only getting a single alert. After some more investigation, I found an open GitHub issue where another user mentioned a potential bug. The workaround? Increasing the scan interval.

I updated the interval in my configuration to 15 minutes:

<interval>5m</interval>

This change led to some success—I received one alert. It was an incident alert, but only one.

Conclusion

Installing and configuring Wazuh’s MS-Graph API integration was a bit of a rollercoaster. It seems more like a BETA integration rather than a production-ready ingestion. Be prepared for some trial and error, and don’t forget to tweak your settings, such as the scan interval.

For more detailed guidance, you can check out the Wazuh documentation on MS-Graph integration and the related GitHub issues (issue1, issue2) that I encountered.
