briandelmsft / STAT-Function

Azure Function for the Microsoft Sentinel Triage AssistanT (STAT)
https://aka.ms/mstat
MIT License

Risk Scoring Module failed on Out of Office Module statusCode 400 #99

Closed NobleWolf closed 4 weeks ago

NobleWolf commented 1 month ago

Steps to repeat:

  1. Add Out of Office Module to Sample playbook
  2. Add Out of Office Module body to Risk Scoring Module

Risk Scoring Module ScoringData field:

[
  {
    "ModuleBody": @{body('AAD_Risks_Module')},
    "ScoreLabel": "AAD Risks",
    "ScoreMultiplier": 1,
    "ScorePerItem": true
  },
  {
    "ModuleBody": @{body('Related_Alerts_Module')},
    "ScoreLabel": "Related Alerts",
    "ScoreMultiplier": 1,
    "ScorePerItem": true
  },
  {
    "ModuleBody": @{body('Threat_Intel_Module')},
    "ScoreLabel": "TI Module",
    "ScoreMultiplier": 5,
    "ScorePerItem": true
  },
  {
    "ModuleBody": @{body('Out_of_Office_Module')},
    "ScoreLabel": "OOF Module",
    "ScoreMultiplier": 1,
    "ScorePerItem": false
  }
]


Result:

  1. Out of Office Module completes successfully and adds comment
  2. Risk Scoring Module fails with statusCode = 200 and the following error:
    {
    "statusCode": 200,
    "headers": {
        "Transfer-Encoding": "chunked",
        "Date": "Fri, 04 Oct 2024 21:30:02 GMT",
        "Content-Type": "application/json",
        "Content-Length": "248"
    },
    "body": {
        "AllUsersInOffice": true,
        "AllUsersOutOfOffice": false,
        "DetailedResults": [
            {
                "ExternalMessage": "",
                "InternalMessage": "",
                "OOFStatus": "disabled",
                "UPN": "xxxValidUpnxxx"
            }
        ],
        "UsersInOffice": 1,
        "UsersOutOfOffice": 0,
        "UsersUnknown": 0
    }
    }


briandelmsft commented 1 month ago

@NobleWolf at present we don't support that module as an input to the score (https://github.com/briandelmsft/SentinelAutomationModules/wiki/Modules#supported-module-inputs)

We didn't really have a good approach to using the out of office information to impact the score. We mainly intended it as information to the analyst; for example, if their message says they're travelling on business, that may be useful to know in some incidents.

We can easily make the scoring module not fail when it's added but not have an impact on the score. If you have thoughts on how it should influence the score we'd love to hear them

NobleWolf commented 1 month ago

@briandelmsft thank you for the explanation. I can see scenarios when being Out of Office and your account being used would be suspicious, but if you left your computer on and Outlook syncs, it could create an authentication log. So I guess being OOO + suspicious activity would still be a human decision. So I understand why this decision was made.

It would be helpful if the error message could be updated.

Current error in Risk Scoring Module:

{
    "statusCode": 400,
    "headers": {
        "Transfer-Encoding": "chunked",
        "Date": "Fri, 04 Oct 2024 20:53:30 GMT",
        "Content-Type": "application/json",
        "Content-Length": "1678"
    },
    "body": {
        "Error": "Failed to score the module None with label Out of Office",
        "InvocationId": "62d87bbf-6a6c-437c-a67a-db5815043563",
        "SourceError": {
            "Error": "Incorrectly formatted data or data from an unsupported module was passed to the Scoring Module, module name: None"
        },
        "Traceback": [
            "Traceback (most recent call last):\n",
            "  File \"/home/site/wwwroot/modules/scoring.py\", line 21, in execute_scoring_module\n    score_module(score, module, module_body, per_item, multiplier, label)\n",
            "  File \"/home/site/wwwroot/modules/scoring.py\", line 82, in score_module\n    raise STATError(f'Incorrectly formatted data or data from an unsupported module was passed to the Scoring Module, module name: {module}')\n",
            "classes.STATError: Incorrectly formatted data or data from an unsupported module was passed to the Scoring Module, module name: None\n",
            "\nDuring handling of the above exception, another exception occurred:\n\n",
            "Traceback (most recent call last):\n",
            "  File \"/home/site/wwwroot/modules/__init__.py\", line 19, in main\n    return_data = coordinator.initiate_module(module_name=module_name, req_body=req_body)\n",
            "  File \"/home/site/wwwroot/shared/coordinator.py\", line 13, in initiate_module\n    return_data = scoring.execute_scoring_module(req_body)\n",
            "  File \"/home/site/wwwroot/modules/scoring.py\", line 23, in execute_scoring_module\n    raise STATError(f'Failed to score the module {module} with label {label}', {'Error': str(e)})\n",
            "classes.STATError: ('Failed to score the module None with label Out of Office', {'Error': 'Incorrectly formatted data or data from an unsupported module was passed to the Scoring Module, module name: None'})\n"
        ]
    }
}


I think a more descriptive error would be helpful.

Current error message:

Incorrectly formatted data or data from an unsupported module was passed to the Scoring Module, module name: None

Possible updated message:

Incorrectly formatted data or data from an unsupported module was passed to the Scoring Module, module name: Out of Office Module. See Risk Scoring Module's Supported Module Input list.

I understand the updated message suggestion does duplicate the "unsupported module" information, but my first instinct was to assume the error was due to "incorrectly formatted data" because the original message ended with ... module name: None making me think it was an input data error.

briandelmsft commented 1 month ago

@NobleWolf thanks, we'll fix that

The issue is that the module class doesn't define a name like the other modules do, so it's missing from the output.

https://github.com/briandelmsft/STAT-Function/blob/a56eaa361601d3d2229ed823a6b3236c780175e3/classes/__init__.py#L304
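As an added illustration (not STAT's own scoring.py) of the two points raised above, the missing module name and the request for a more descriptive error: a small scoring dispatcher that rejects an unsupported ModuleBody with a message naming the score label and the supported inputs instead of "None". The ScoringData field names come from the issue; the ModuleName field, the DetailedResults item list and the per-item scoring rule are assumptions, and the sample data is constructed.

```python
class STATError(Exception):
    """Same exception name as in the issue's traceback; body is hypothetical."""

# Assumption: supported inputs identify themselves with a ModuleName field and
# keep their per-item findings under DetailedResults.
SUPPORTED_MODULES = ("AADRisks", "RelatedAlerts", "ThreatIntel")

def module_name(module_body):
    # None when the body has no name, as the Out of Office body in the issue does
    return module_body.get("ModuleName") if isinstance(module_body, dict) else None

def score_entry(entry):
    """Score one ScoringData entry; an unsupported module is rejected with an
    error naming the score label and the supported inputs instead of 'None'."""
    body = entry.get("ModuleBody")
    label = entry.get("ScoreLabel", "")
    name = module_name(body)
    if name not in SUPPORTED_MODULES:
        raise STATError(
            "Data from an unsupported module was passed to the Scoring Module, "
            f"module name: {name or 'unknown'}, score label: '{label}'. "
            f"Supported module inputs: {', '.join(SUPPORTED_MODULES)}")
    items = body.get("DetailedResults", [])
    multiplier = int(entry.get("ScoreMultiplier", 1))
    if entry.get("ScorePerItem", True):
        return len(items) * multiplier  # one multiplier per finding
    return multiplier if items else 0    # flat score when anything was found

def score_all(scoring_data):
    # Total risk score for a ScoringData array shaped like the issue's
    return sum(score_entry(entry) for entry in scoring_data)

def scoring_failure(scoring_data):
    # Returns the descriptive error text, or None when scoring succeeds
    try:
        score_all(scoring_data)
    except STATError as exc:
        return str(exc)
    return None

# Constructed sample: two supported bodies plus the issue's Out of Office body (no ModuleName)
VALID_SCORING_DATA = [
    {"ModuleBody": {"ModuleName": "ThreatIntel",
                    "DetailedResults": [{"Indicator": "a"}, {"Indicator": "b"}]},
     "ScoreLabel": "TI Module", "ScoreMultiplier": 5, "ScorePerItem": True},
    {"ModuleBody": {"ModuleName": "RelatedAlerts",
                    "DetailedResults": [{"AlertId": "1"}, {"AlertId": "2"}]},
     "ScoreLabel": "Related Alerts", "ScoreMultiplier": 1, "ScorePerItem": True},
]
OOF_ENTRY = {"ModuleBody": {"AllUsersInOffice": True, "UsersOutOfOffice": 0},
             "ScoreLabel": "OOF Module", "ScoreMultiplier": 1, "ScorePerItem": False}
```

With the Out of Office entry appended, `scoring_failure` returns a message that names the "OOF Module" label and lists the supported inputs, which is the information the reporter was missing.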