[BUG] Risk Scoring Module - Bug about sentinelautomationmodules HOT 7 CLOSED

@jujaakko I suspect there's an issue with the inputs to the module, can you share the raw inputs from a failing run (redact as needed) into the scoring module? If you can't share that can you share a screenshot of how the inputs are setup into that module?

from sentinelautomationmodules.

Certainly, here's the raw input from the last run into the risk scoring module with values redacted, let me know if this is enough. If it's not, I can share more details privately.

{
"method": "post",
"path": "/api/modules/scoring",
"host": {
"connection": {
"name": ""
}
},
"body": {
"BaseModuleBody": {
"Accounts": [
{
"RawEntity": {
"accountName": "",
"additionalData": {
"AccountName": ""
},
"friendlyName": ""
}
}
],
"AccountsCount": "",
"Alerts": [
{
"id": "",
"type": "",
"kind": "",
"properties": {
"systemAlertId": "",
"tactics": [],
"alertDisplayName": "",
"description": "",
"confidenceLevel": "",
"severity": "",
"vendorName": "",
"productName": "",
"productComponentName": "",
"alertType": "",
"processingEndTime": "",
"status": "",
"endTimeUtc": "",
"startTimeUtc": "",
"timeGenerated": "",
"providerAlertId": "",
"alertLink": "",
"resourceIdentifiers": [
{
"type": "",
"workspaceId": ""
}
],
"additionalData": {
"MitreTechniques": "",
"IncidentId": "",
"OriginSource": "",
"Category": "",
"DetectionSource": "",
"AssignedTo": null,
"Determination": null,
"Classification": null,
"ThreatName": null,
"ThreatFamilyName": null,
"DetectorId": "",
"LastUpdated": "",
"Trigger Operator": "",
"Trigger Threshold": "",
"Correlation Id": "",
"Search Query Results Overall Count": "",
"Data Sources": "",
"Analytic Rule Ids": "",
"Event Grouping": "",
"Analytic Rule Name": "",
"ProcessedBySentinel": "",
"Alert generation status": "",
"Query": "",
"Query Period": "",
"Query Start Time UTC": "",
"Query End Time UTC": ""
},
"friendlyName": ""
}
}
],
"Domains": [],
"DomainsCount": "",
"EntitiesCount": "",
"FileHashes": [],
"FileHashesCount": "",
"Files": [],
"FilesCount": "",
"Hosts": [],
"HostsCount": "",
"IPs": [],
"IPsCount": "",
"IncidentARMId": "",
"IncidentTriggered": "",
"IncidentAvailable": "",
"ModuleVersions": {
"AADRisksModule": "",
"BaseModule": "",
"FileModule": "",
"KQLModule": "",
"MCASModule": "",
"MDEModule": "",
"OOFModule": "",
"RelatedAlerts": "",
"RunPlaybook": "",
"ScoringModule": "",
"STATConnector": "",
"STATFunction": "",
"TIModule": "",
"UEBAModule": "",
"WatchlistModule": ""
},
"MultiTenantConfig": {},
"OtherEntities": [],
"OtherEntitiesCount": "",
"RelatedAnalyticRuleIds": [
""
],
"SentinelRGARMId": "",
"TenantDisplayName": "",
"TenantId": "",
"URLs": [],
"URLsCount": "",
"WorkspaceARMId": "",
"WorkspaceId": ""
},
"ScoringData": [
{
"ModuleBody": [],
"ScoreLabel": "",
"ScoreMultiplier": "",
"ScorePerItem": ""
},
{
"ModuleBody": {
"AllTactics": [],
"AllTacticsCount": "",
"DetailedResults": [],
"FusionIncident": "",
"HighestSeverityAlert": "",
"ModuleName": "",
"RelatedAccountAlertsCount": "",
"RelatedAccountAlertsFound": "",
"RelatedAlertsCount": "",
"RelatedAlertsFound": "",
"RelatedHostAlertsCount": "",
"RelatedHostAlertsFound": "",
"RelatedIPAlertsCount": "",
"RelatedIPAlertsFound": ""
},
"ScoreLabel": "",
"ScoreMultiplier": "",
"ScorePerItem": ""
},
{
"ModuleBody": {
"AnyTIFound": "",
"DetailedResults": [],
"DomainEntitiesCount": "",
"DomainEntitiesWithTI": "",
"DomainTIFound": "",
"FileHashEntitiesCount": "",
"FileHashEntitiesWithTI": "",
"FileHashTIFound": "",
"IPEntitiesCount": "",
"IPEntitiesWithTI": "",
"IPTIFound": "",
"ModuleName": "",
"TotalTIMatchCount": "",
"URLEntitiesCount": "",
"URLEntitiesWithTI": "",
"URLTIFound": ""
},
"ScoreLabel": "",
"ScoreMultiplier": "",
"ScorePerItem": ""
}
]
}
}

from sentinelautomationmodules.

hi @jujaakko unless there was an error in the redaction I do see a problem with the input, one of the modules passed appears to be null or incomplete. The error you're getting is that it can't find the ModuleName in the ModuleBody, of the 3 modules passed into the scoring module, 2 of them look ok but the first one is missing a lot of properties:

Note the yellow highlighted section there's no data in ModuleBody, including ModuleName which the green section has.

Look to see if any of the inputs to the risk scoring module are missing a module body and if so, either add it, or delete that element from the input array (yellow is a problem, green is expected):

This could have easily happened if you removed a module from the playbook, but didn't remove it from the inputs to the scoring module.

from sentinelautomationmodules.

Ah I see the issue, it seems to be with the Entra ID risks module. In our configuration (I don't think we made any modifications to this), Risk scoring module expects the detailed results array(?):

But the detailed results array seem to be empty in every case:

from sentinelautomationmodules.

@jujaakko it expects the Body which is labelled, AAD Risks Module Body in the case of the Entra module. Also, I'm not sure why Logic apps does this but there's an easier editor for this if you click to the right:

clicking that button on the right will switch the view to that shown in my previous comment

from sentinelautomationmodules.

Thank you for the help, wrong input was indeed the issue. Not sure how and when the wrong configuration happened but need to double check these next time.

from sentinelautomationmodules.

@jujaakko ok great, thanks for updating us

from sentinelautomationmodules.