API permissions Monitoring Microsoft Graph

[javiersanchz]

Wazuh version
4.7.3

Description

User has reported about the lack of API permissions for Microsoft Graph, receiving the following logs:

2024/05/08 15:26:35 wazuh-modulesd:ms-graph: WARNING: Received unsuccessful status code when attempting to get relationship 'alerts_v2' logs: Status code was '403' & response was '{"error":{"code":"Forbidden","message":"Missing application roles. API required roles: SecurityAlert.Read.All,SecurityAlert.ReadWrite.All,SecurityIncident.Read.All,SecurityIncident.ReadWrite.All, application roles: .","innerError":{"date":"2024-05-08T08:26:35","request-id":"xxxxx","client-request-id":"xxxxx"}}}'
2024/05/08 15:26:36 wazuh-modulesd:ms-graph: WARNING: Received unsuccessful status code when attempting to get relationship 'incidents' logs: Status code was '403' & response was '{"error":{"code":"Forbidden","message":"Missing application roles. API required roles: SecurityIncident.Read.All,SecurityIncident.ReadWrite.All, application roles: .","innerError":{"date":"2024-05-08T08:26:36","request-id":"xxxxxx,"client-request-id":"xxxxxx"}}}'

He stated that he granted the current permissions mentioned in the documentation: SecurityAlert.Read.All and SecurityIncident.Read.All with administrator consent, and continues to receive the same warning logs.

t seems that he also needs the following permissions: SecurityAlert.ReadWrite.All and SecurityIncident.ReadWrite.All
We should check if these permissions have changed recently.

https://documentation.wazuh.com/current/cloud-security/ms-graph/monitoring-ms-graph-activity.html#api-permissions