Comments (7)
@jujaakko I suspect there's an issue with the inputs to the module, can you share the raw inputs from a failing run (redact as needed) into the scoring module? If you can't share that can you share a screenshot of how the inputs are setup into that module?
from sentinelautomationmodules.
Certainly, here's the raw input from the last run into the risk scoring module with values redacted, let me know if this is enough. If it's not, I can share more details privately.
{
"method": "post",
"path": "/api/modules/scoring",
"host": {
"connection": {
"name": ""
}
},
"body": {
"BaseModuleBody": {
"Accounts": [
{
"RawEntity": {
"accountName": "",
"additionalData": {
"AccountName": ""
},
"friendlyName": ""
}
}
],
"AccountsCount": "",
"Alerts": [
{
"id": "",
"type": "",
"kind": "",
"properties": {
"systemAlertId": "",
"tactics": [],
"alertDisplayName": "",
"description": "",
"confidenceLevel": "",
"severity": "",
"vendorName": "",
"productName": "",
"productComponentName": "",
"alertType": "",
"processingEndTime": "",
"status": "",
"endTimeUtc": "",
"startTimeUtc": "",
"timeGenerated": "",
"providerAlertId": "",
"alertLink": "",
"resourceIdentifiers": [
{
"type": "",
"workspaceId": ""
}
],
"additionalData": {
"MitreTechniques": "",
"IncidentId": "",
"OriginSource": "",
"Category": "",
"DetectionSource": "",
"AssignedTo": null,
"Determination": null,
"Classification": null,
"ThreatName": null,
"ThreatFamilyName": null,
"DetectorId": "",
"LastUpdated": "",
"Trigger Operator": "",
"Trigger Threshold": "",
"Correlation Id": "",
"Search Query Results Overall Count": "",
"Data Sources": "",
"Analytic Rule Ids": "",
"Event Grouping": "",
"Analytic Rule Name": "",
"ProcessedBySentinel": "",
"Alert generation status": "",
"Query": "",
"Query Period": "",
"Query Start Time UTC": "",
"Query End Time UTC": ""
},
"friendlyName": ""
}
}
],
"Domains": [],
"DomainsCount": "",
"EntitiesCount": "",
"FileHashes": [],
"FileHashesCount": "",
"Files": [],
"FilesCount": "",
"Hosts": [],
"HostsCount": "",
"IPs": [],
"IPsCount": "",
"IncidentARMId": "",
"IncidentTriggered": "",
"IncidentAvailable": "",
"ModuleVersions": {
"AADRisksModule": "",
"BaseModule": "",
"FileModule": "",
"KQLModule": "",
"MCASModule": "",
"MDEModule": "",
"OOFModule": "",
"RelatedAlerts": "",
"RunPlaybook": "",
"ScoringModule": "",
"STATConnector": "",
"STATFunction": "",
"TIModule": "",
"UEBAModule": "",
"WatchlistModule": ""
},
"MultiTenantConfig": {},
"OtherEntities": [],
"OtherEntitiesCount": "",
"RelatedAnalyticRuleIds": [
""
],
"SentinelRGARMId": "",
"TenantDisplayName": "",
"TenantId": "",
"URLs": [],
"URLsCount": "",
"WorkspaceARMId": "",
"WorkspaceId": ""
},
"ScoringData": [
{
"ModuleBody": [],
"ScoreLabel": "",
"ScoreMultiplier": "",
"ScorePerItem": ""
},
{
"ModuleBody": {
"AllTactics": [],
"AllTacticsCount": "",
"DetailedResults": [],
"FusionIncident": "",
"HighestSeverityAlert": "",
"ModuleName": "",
"RelatedAccountAlertsCount": "",
"RelatedAccountAlertsFound": "",
"RelatedAlertsCount": "",
"RelatedAlertsFound": "",
"RelatedHostAlertsCount": "",
"RelatedHostAlertsFound": "",
"RelatedIPAlertsCount": "",
"RelatedIPAlertsFound": ""
},
"ScoreLabel": "",
"ScoreMultiplier": "",
"ScorePerItem": ""
},
{
"ModuleBody": {
"AnyTIFound": "",
"DetailedResults": [],
"DomainEntitiesCount": "",
"DomainEntitiesWithTI": "",
"DomainTIFound": "",
"FileHashEntitiesCount": "",
"FileHashEntitiesWithTI": "",
"FileHashTIFound": "",
"IPEntitiesCount": "",
"IPEntitiesWithTI": "",
"IPTIFound": "",
"ModuleName": "",
"TotalTIMatchCount": "",
"URLEntitiesCount": "",
"URLEntitiesWithTI": "",
"URLTIFound": ""
},
"ScoreLabel": "",
"ScoreMultiplier": "",
"ScorePerItem": ""
}
]
}
}
from sentinelautomationmodules.
hi @jujaakko unless there was an error in the redaction I do see a problem with the input, one of the modules passed appears to be null or incomplete. The error you're getting is that it can't find the ModuleName in the ModuleBody, of the 3 modules passed into the scoring module, 2 of them look ok but the first one is missing a lot of properties:
Note the yellow highlighted section there's no data in ModuleBody, including ModuleName which the green section has.
Look to see if any of the inputs to the risk scoring module are missing a module body and if so, either add it, or delete that element from the input array (yellow is a problem, green is expected):
This could have easily happened if you removed a module from the playbook, but didn't remove it from the inputs to the scoring module.
from sentinelautomationmodules.
Ah I see the issue, it seems to be with the Entra ID risks module. In our configuration (I don't think we made any modifications to this), Risk scoring module expects the detailed results array(?):
But the detailed results array seem to be empty in every case:
from sentinelautomationmodules.
@jujaakko it expects the Body which is labelled, AAD Risks Module Body in the case of the Entra module. Also, I'm not sure why Logic apps does this but there's an easier editor for this if you click to the right:
clicking that button on the right will switch the view to that shown in my previous comment
from sentinelautomationmodules.
Thank you for the help, wrong input was indeed the issue. Not sure how and when the wrong configuration happened but need to double check these next time.
from sentinelautomationmodules.
@jujaakko ok great, thanks for updating us
from sentinelautomationmodules.
Related Issues (20)
- [Feature] GrantPermissions - Fail if Connect-MgGraph or Login-AzAccount fail HOT 1
- STATv2 - Remove App Insights from Deployment
- [QUESTION] STATv2 preview without public storage account HOT 1
- [BUG] Wrong data in "ID" variable from MDE-Module - STAT v2 HOT 4
- [QUESTION] STAT V2 AAD Risk Module 403 Forbidden HOT 3
- [BUG] Deploy - Deploy/GrantPermissions.ps1 does not work HOT 8
- [BUG] MDE - Links to entities are broken HOT 2
- [BUG] Base Module - custom entity array incorrectly processed HOT 5
- [Feature] Monitor executions and consumption HOT 1
- [Feature] Suspicious Behaviour Searches HOT 1
- [BUG] STAT Quick Deploy HOT 6
- [BUG] DeployPermissions.ps1 HOT 3
- [Feature] Add tags to incident HOT 1
- [QUESTION] Incident comments - max lines HOT 2
- Function Code Documentation HOT 2
- Suggestion to add more steps into documentation of GrantPermissions.ps1 script HOT 2
- [Feature] Add additional methods to MDE module HOT 5
- [Feature] Security Exposure Management module
- [BUG] Permission Script timeout HOT 4
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from sentinelautomationmodules.