Extend MS-Graph integration - MDM Intune integration

[TomasTurina]

Related issue
wazuh/wazuh#24498

Description

This PR includes the following changes:

• New query to obtain auditEvents from MDM Intune API suing the ms-graph module.
  • Query:
    • https://graph.microsoft.com/v1.0/deviceManagement/auditEvents
• New query to obtain managedDevices from MDM Intune API using the ms-graph module.
  • Query:
    • https://graph.microsoft.com/v1.0/deviceManagement/managedDevices
• New queries to obtain detectedApps from MDM Intune API using the ms-graph module.
  • Results are expanded to include managedDevices information for each app.
  • Queries:
    • https://graph.microsoft.com/v1.0/deviceManagement/detectedApps
    • https://graph.microsoft.com/v1.0/deviceManagement/detectedApps/{appId}/managedDevices?$select=id,deviceName
• Add scan_id to inventory queries (managedDevices and detectedApps) so results can be distinguished.
• Improve ms-graph queries filters to obtain logs, to avoid losing some of them.
• Fix auth_header size, as it can be over 2048 characters.
• Fix relationship configuration parse.
• Add pagination to ms-graph queries, to avoid losing logs.
• Create generic rules to auditEvents from MDM Intune API.
• Create generic rules to managedDevices from MDM Intune API.
• Create generic rules to detectedApps from MDM Intune API.

Configuration options

  <ms-graph>
    <enabled>yes</enabled>
    <only_future_events>yes</only_future_events>
    <curl_max_size>10M</curl_max_size>
    <run_on_start>yes</run_on_start>
    <interval>10s</interval>
    <version>v1.0</version>
    <api_auth>
      <tenant_id>xxxxx</tenant_id>
      <client_id>xxxxxx</client_id>
      <secret_value>xxxxxx</secret_value>
      <api_type>global</api_type>
    </api_auth>
    <resource>
      <name>deviceManagement</name>
      <relationship>auditEvents</relationship>
      <relationship>managedDevices</relationship>
      <relationship>detectedApps</relationship>
    </resource>
  </ms-graph>

Logs/Alerts example

2024/08/09 14:56:42 wazuh-modulesd:ms-graph[1302] wm_ms_graph.c:82 at wm_ms_graph_main(): INFO: Scanning tenant '0fea4e03-8146-453b-b889-54b4bd11565b'
2024/08/09 14:56:45 wazuh-modulesd:ms-graph[1302] wm_ms_graph.c:296 at wm_ms_graph_scan_relationships(): DEBUG: Microsoft Graph API Log URL: 'https://graph.microsoft.com/v1.0/deviceManagement/auditEvents?$top=100&$filter=activityDateTime+ge+2024-08-09T14:56:34Z+and+activityDateTime+lt+2024-08-09T14:56:45Z'
2024/08/09 14:56:46 wazuh-modulesd:ms-graph[1302] wm_ms_graph.c:343 at wm_ms_graph_scan_relationships(): DEBUG: No new logs received.
2024/08/09 14:56:46 wazuh-modulesd:ms-graph[1302] wm_ms_graph.c:373 at wm_ms_graph_scan_relationships(): DEBUG: Bookmark updated to '2024-08-09T14:56:45Z' for tenant '0fea4e03-8146-453b-b889-54b4bd11565b' resource 'deviceManagement' and relationship 'auditEvents', waiting '10' seconds to run next scan.
2024/08/09 14:56:46 wazuh-modulesd:ms-graph[1302] wm_ms_graph.c:296 at wm_ms_graph_scan_relationships(): DEBUG: Microsoft Graph API Log URL: 'https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?$top=100'
2024/08/09 14:56:47 wazuh-modulesd:ms-graph[1302] wm_ms_graph.c:343 at wm_ms_graph_scan_relationships(): DEBUG: No new logs received.
2024/08/09 14:56:47 wazuh-modulesd:ms-graph[1302] wm_ms_graph.c:296 at wm_ms_graph_scan_relationships(): DEBUG: Microsoft Graph API Log URL: 'https://graph.microsoft.com/v1.0/deviceManagement/detectedApps?$top=100&$expand=managedDevices($select=id)'
2024/08/09 14:56:48 wazuh-modulesd:ms-graph[1302] wm_ms_graph.c:343 at wm_ms_graph_scan_relationships(): DEBUG: No new logs received.
2024/08/09 14:56:48 wazuh-modulesd:ms-graph[1302] wm_ms_graph.c:68 at wm_ms_graph_main(): DEBUG: Waiting until: 2024/08/09 14:56:52

Tests

• Compilation without warnings in every supported platform
  • Linux
  • Windows
  • MAC OS X
• Source installation
• Package installation
• Source upgrade
• Package upgrade

• Memory tests for Linux
  • Scan-build report
  • Valgrind (memcheck and descriptor leaks check)

• Added unit tests (for new features)