Custom rule doesn't trigger on O365 event


Tom H

Jun 18, 2024, 4:12:21 AM
to Wazuh | Mailing List
Hey everyone, I would need some advice on custom rules for alerts. Right now I try to get a custom alert based on the O365 management API.
The goal is to create an alert when someone is accessing a specific SharePoint folder, or file in that folder. Right now standard rule 91537 works, so I get generic alerts on access to SharePoint file operation events. I created a new rule: /var/ossec/etc/rules/sharepoint_rules.xml
Content:
<group name="office365,">
  <rule id="100002" level="13">
    <if_sid>91531</if_sid>
    <field name="data.office365.SourceRelativeUrl" type="osregex">^Documents/Confidential$</field>
    <description>Office 365: Access to confidential file.</description>
    <options>no_full_log</options>
    <group>SharePointFileOperation,hipaa_164.312.b,hipaa_164.312.c.1,pci_dss_10.6.2,pci_dss_11.5</group>
    <mitre>
      <id>T1078</id>
    </mitre>
  </rule>
</group>
I restarted the wazuh manager - but nothing happens. I can see alerts based on rule 91531 and more specifically on 91537, but my custom rule is never triggered. Testing the rule via ruleset validator shows no error, but also no execution. Only 91537 is triggered.
The log line I use for testing is (the line has been redacted for privacy reason but is still valid):
{"integration":"office365","office365":{"AppAccessContext":{"AADSessionId":"6a9e6789-#######-9be7-8538d52cbf85","ClientAppName":"Unknown","CorrelationId":"402933a1-60a3-9000-35ac-0c25ec1f91a1","TokenIssuedAtTime":"2024-06-15T20:33:02","UniqueTokenId":"-#######"},"CreationTime":"2024-06-16T09:35:52","Id":"354ee104--#######ae0a-08dc8de7b6d3","Operation":"FilePreviewed","OrganizationId":"2d78dcf1--#######-92fd004d07b1","RecordType":6,"UserKey":"i:0h.f|membership|-#######@live.com","UserType":0,"Version":1,"Workload":"OneDrive","ClientIP":"85.195.241.213","UserId":"tom.-#######.onmicrosoft.com","AuthenticationType":"OAuth","BrowserName":"Chrome","BrowserVersion":"126.0.0.0","CorrelationId":"402933a1--#######-35ac-0c25ec1f91a1","EventSource":"SharePoint","IsManagedDevice":false,"ItemType":"File","ListId":"e4cf29f6-1b0e-41af-9a65-03c4cb805909","ListItemUniqueId":"156c935e-053c-459e-8212-8de4137f62aa","Platform":"MacOSX","Site":"50834d26-afd3-4959-a311-aa87aac3e382","UserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36","WebId":"4bdf3a3f-5b82-427d-8653-9ef52126f9d0","DeviceDisplayName":"2a01:111:2056:200:41ac:4d1:5daa:33ed","HighPriorityMediaProcessing":false,"ListBaseType":1,"ListServerTemplate":700,"SourceFileExtension":"docx","SiteUrl":"https://-#######-my.sharepoint.com/personal/-#######_onmicrosoft_com/","SourceRelativeUrl":"Documents/Confidential","SourceFileName":"CanaryToken-SuperSecret.docx","ApplicationDisplayName":"Unknown","ObjectId":"https://-#######-my.sharepoint.com/personal/-#######_onmicrosoft_com/Documents/Confidential/CanaryToken-SuperSecret.docx","Subscription":"Audit.SharePoint"}}
Anyone knows why this doesn't work? I can see data.office365.SourceRelativeUrl : Documents/Confidential but for some reason it is never triggered. This is the output of the validator:
Trying rule: 91531 - Office 365: $(office365.Workload) $(office365.Operation) operation.
*Rule 91531 matched
*Trying child rules
Trying rule: 100002 - Office 365: Access to confidential file.
It obviously is evaluated and loads, but why is it not working?
Thanks everyone! 

Tom

Eric Franco Fahnle

Jun 18, 2024, 10:28:38 AM
to Wazuh | Mailing List
Hi there Tom! Hope you're doing great. 

Upon creating your same rule in the /var/ossec/etc/rules/local_rules.xml file (this file is not lost during the upgrade process so please be aware of it) I found the same issue as you had. 

I then tried this:
1. Change the SID to rule 91537 and not 91531, as that's the specific rule that matched and the rule we want to "fork" from.
2. Change the regex type, using PCRE2 which is newer and allows for better handling of regex. 
3. Add an escape character for the forward slash
4. I also changed the field name from "data.office365.SourceRelativeUrl" to just "office365.SourceRelativeUrl". At least my logtest utility wasn't including the "data." part, not sure why. We might have different versions so check for that part on your end.

Finally, this is what the rule would look like (I changed the ID but that's not needed, it's just because I already had a custom rule with your ID)

<group name="office365,">
<rule id="100111" level="13">
<if_sid>91537</if_sid>
<field name="office365.SourceRelativeUrl" type="pcre2">^Documents\/Confidential$</field>

<description>Office 365: Access to confidential file.</description>
<options>no_full_log</options>
<group>SharePointFileOperation,hipaa_164.312.b,hipaa_164.312.c.1,pci_dss_10.6.2,pci_dss_11.5</group>
<mitre>
<id>T1078</id>
</mitre>
</rule>
</group>


And upon running the wazuh-logtest utility, I see that it's working as expected:

root@wazuh:/# /var/ossec/bin/wazuh-logtest
Starting wazuh-logtest v4.4.5
Type one log per line


{"integration":"office365","office365":{"AppAccessContext":{"AADSessionId":"6a9e6789-#######-9be7-8538d52cbf85","ClientAppName":"Unknown","CorrelationId":"402933a1-60a3-9000-35ac-0c25ec1f91a1","TokenIssuedAtTime":"2024-06-15T20:33:02","UniqueTokenId":"-#######"},"CreationTime":"2024-06-16T09:35:52","Id":"354ee104--#######ae0a-08dc8de7b6d3","Operation":"FilePreviewed","OrganizationId":"2d78dcf1--#######-92fd004d07b1","RecordType":6,"UserKey":"i:0h.f|membership|-#######@live.com","UserType":0,"Version":1,"Workload":"OneDrive","ClientIP":"85.195.241.213","UserId":"tom.-#######.onmicrosoft.com","AuthenticationType":"OAuth","BrowserName":"Chrome","BrowserVersion":"126.0.0.0","CorrelationId":"402933a1--#######-35ac-0c25ec1f91a1","EventSource":"SharePoint","IsManagedDevice":false,"ItemType":"File","ListId":"e4cf29f6-1b0e-41af-9a65-03c4cb805909","ListItemUniqueId":"156c935e-053c-459e-8212-8de4137f62aa","Platform":"MacOSX","Site":"50834d26-afd3-4959-a311-aa87aac3e382","UserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36","WebId":"4bdf3a3f-5b82-427d-8653-9ef52126f9d0","DeviceDisplayName":"2a01:111:2056:200:41ac:4d1:5daa:33ed","HighPriorityMediaProcessing":false,"ListBaseType":1,"ListServerTemplate":700,"SourceFileExtension":"docx","SiteUrl":"https://-#######-my.sharepoint.com/personal/-#######_onmicrosoft_com/","SourceRelativeUrl":"Documents/Confidential","SourceFileName":"CanaryToken-SuperSecret.docx","ApplicationDisplayName":"Unknown","ObjectId":"https://-#######-my.sharepoint.com/personal/-#######_onmicrosoft_com/Documents/Confidential/CanaryToken-SuperSecret.docx","Subscription":"Audit.SharePoint"}}

**Phase 1: Completed pre-decoding.

**Phase 2: Completed decoding.
name: 'json'
integration: 'office365'
office365.AppAccessContext.AADSessionId: '6a9e6789-#######-9be7-8538d52cbf85'
office365.AppAccessContext.ClientAppName: 'Unknown'
office365.AppAccessContext.CorrelationId: '402933a1-60a3-9000-35ac-0c25ec1f91a1'
office365.AppAccessContext.TokenIssuedAtTime: '2024-06-15T20:33:02'
office365.AppAccessContext.UniqueTokenId: '-#######'
office365.ApplicationDisplayName: 'Unknown'
office365.AuthenticationType: 'OAuth'
office365.BrowserName: 'Chrome'
office365.BrowserVersion: '126.0.0.0'
office365.ClientIP: '85.195.241.213'
office365.CorrelationId: '402933a1--#######-35ac-0c25ec1f91a1'
office365.CreationTime: '2024-06-16T09:35:52'
office365.DeviceDisplayName: '2a01:111:2056:200:41ac:4d1:5daa:33ed'
office365.EventSource: 'SharePoint'
office365.HighPriorityMediaProcessing: 'false'
office365.Id: '354ee104--#######ae0a-08dc8de7b6d3'
office365.IsManagedDevice: 'false'
office365.ItemType: 'File'
office365.ListBaseType: '1'
office365.ListId: 'e4cf29f6-1b0e-41af-9a65-03c4cb805909'
office365.ListItemUniqueId: '156c935e-053c-459e-8212-8de4137f62aa'
office365.ListServerTemplate: '700'
office365.ObjectId: 'https://-#######-my.sharepoint.com/personal/-#######_onmicrosoft_com/Documents/Confidential/CanaryToken-SuperSecret.docx'
office365.Operation: 'FilePreviewed'
office365.OrganizationId: '2d78dcf1--#######-92fd004d07b1'
office365.Platform: 'MacOSX'
office365.RecordType: '6'
office365.Site: '50834d26-afd3-4959-a311-aa87aac3e382'
office365.SiteUrl: 'https://-#######-my.sharepoint.com/personal/-#######_onmicrosoft_com/'
office365.SourceFileExtension: 'docx'
office365.SourceFileName: 'CanaryToken-SuperSecret.docx'
office365.SourceRelativeUrl: 'Documents/Confidential'
office365.Subscription: 'Audit.SharePoint'
office365.UserAgent: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36'
office365.UserId: 'tom.-#######.onmicrosoft.com'
office365.UserKey: 'i:0h.f|membership|-#######@live.com'
office365.UserType: '0'
office365.Version: '1'
office365.WebId: '4bdf3a3f-5b82-427d-8653-9ef52126f9d0'
office365.Workload: 'OneDrive'

**Phase 3: Completed filtering (rules).
id: '100111'
level: '13'

description: ' Office 365: Access to confidential file.
'
groups: '['office365', 'SharePointFileOperation']'
firedtimes: '1'
hipaa: '['164.312.b', '164.312.c.1']'
mail: 'True'
mitre.id: '['T1078']'
mitre.tactic: '['Defense Evasion', 'Persistence', 'Privilege Escalation', 'Initial Access']'
mitre.technique: '['Valid Accounts']'
pci_dss: '['10.6.2', '11.5']'
**Alert to be generated.


Related docs I used to check your answer:
Regex validator: https://regex101.com/

Let me know if that helps.
Eric

Tom H

Jun 19, 2024, 4:17:42 AM
to Wazuh | Mailing List
Hi Eric, 
thank you very much for your support. It was the wrong field, data.office365.SourceRelativeUrl instead of office365.SourceRelativeUrl.
Somehow my message didn't make it to the group before your answer. And thanks for the hint in regards to type="pcre2".

I just ran into a different problem. This rule now triggers as expected once someone accesses the defined folder. 
But this means the malware rules no longer trigger. 
My goal is to have the new rule - alerting when someone is accessing the highly confidential folder - but also the malware alerting via existing rules 91556, 91575, 91700 functioning.

My new custom rule checks for NOT office365.Operation containing FileMalwareDetected.
Strangely it always triggers, even with the FileMalwareDetected string included. 

How can I have the negate option in a rule? Or would you recommend something else for this usecase?
Is there any documentation on more complex rules with negate and multiple conditions? 

<group name="office365,">
  <rule id="100002" level="13">
    <if_sid>91531</if_sid>
    <field name="office365.Operation" negate="yes">^FileMalwareDetected$</field>
    <field name="office365.ObjectID" type="osregex">Confidential</field>

    <description>Office 365: Access to confidential file.</description>
    <group>SharePointFileOperation,hipaa_164.312.b,hipaa_164.312.c.1,pci_dss_10.6.2,pci_dss_11.5</group>
    <options>no_log</options>

    <mitre>
      <id>T1078</id>
    </mitre>
  </rule>
</group>


Tom

Eric Franco Fahnle

Jun 24, 2024, 8:36:25 AM
to Wazuh | Mailing List
Hi Tom, sorry for the long delay, I was out for a few days. I'll take a look at your case and answer ASAP. 
Thanks!

Eric Franco Fahnle

Jun 24, 2024, 8:59:48 AM
to Wazuh | Mailing List
So, I've set this up, let me know if I missed something.

Considering we're looking for an operation called "FileMalwareDetected", the log entry has, in one case:
"Operation":"FilePreviewed"

and in the other one
"Operation":"FileMalwareDetected"

So this should be the custom rule:
<group name="office365,">
<rule id="100111" level="13">
<if_sid>91537</if_sid>
<field name="office365.SourceRelativeUrl" type="pcre2">^Documents\/Confidential$</field>
<field name="office365.Operation" negate="yes">^FileMalwareDetected$</field>

<description>Office 365: Access to confidential file.</description>
<options>no_full_log</options>
<group>SharePointFileOperation,hipaa_164.312.b,hipaa_164.312.c.1,pci_dss_10.6.2,pci_dss_11.5</group>
<mitre>
<id>T1078</id>
</mitre>
</rule>
</group>



And considering that difference I mentioned at the beginning, this log entry would simulate a confidential file viewed

{"integration":"office365","office365":{"AppAccessContext":{"AADSessionId":"6a9e6789-#######-9be7-8538d52cbf85","ClientAppName":"Unknown","CorrelationId":"402933a1-60a3-9000-35ac-0c25ec1f91a1","TokenIssuedAtTime":"2024-06-15T20:33:02","UniqueTokenId":"-#######"},"CreationTime":"2024-06-16T09:35:52","Id":"354ee104--#######ae0a-08dc8de7b6d3","Operation":"FilePreviewed","OrganizationId":"2d78dcf1--#######-92fd004d07b1","RecordType":6,"UserKey":"i:0h.f|membership|-#######@live.com","UserType":0,"Version":1,"Workload":"OneDrive","ClientIP":"85.195.241.213","UserId":"tom.-#######.onmicrosoft.com","AuthenticationType":"OAuth","BrowserName":"Chrome","BrowserVersion":"126.0.0.0","CorrelationId":"402933a1--#######-35ac-0c25ec1f91a1","EventSource":"SharePoint","IsManagedDevice":false,"ItemType":"File","ListId":"e4cf29f6-1b0e-41af-9a65-03c4cb805909","ListItemUniqueId":"156c935e-053c-459e-8212-8de4137f62aa","Platform":"MacOSX","Site":"50834d26-afd3-4959-a311-aa87aac3e382","UserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36","WebId":"4bdf3a3f-5b82-427d-8653-9ef52126f9d0","DeviceDisplayName":"2a01:111:2056:200:41ac:4d1:5daa:33ed","HighPriorityMediaProcessing":false,"ListBaseType":1,"ListServerTemplate":700,"SourceFileExtension":"docx","SiteUrl":"https://-#######-my.sharepoint.com/personal/-#######_onmicrosoft_com/","SourceRelativeUrl":"Documents/Confidential","SourceFileName":"CanaryToken-SuperSecret.docx","ApplicationDisplayName":"Unknown","ObjectId":"https://-#######-my.sharepoint.com/personal/-#######_onmicrosoft_com/Documents/Confidential/CanaryToken-SuperSecret.docx","Subscription":"Audit.SharePoint"}}


And this other log entry would mean malware found (I just changed the operation part)

{"integration":"office365","office365":{"AppAccessContext":{"AADSessionId":"6a9e6789-#######-9be7-8538d52cbf85","ClientAppName":"Unknown","CorrelationId":"402933a1-60a3-9000-35ac-0c25ec1f91a1","TokenIssuedAtTime":"2024-06-15T20:33:02","UniqueTokenId":"-#######"},"CreationTime":"2024-06-16T09:35:52","Id":"354ee104--#######ae0a-08dc8de7b6d3","Operation":"FileMalwareDetected","OrganizationId":"2d78dcf1--#######-92fd004d07b1","RecordType":6,"UserKey":"i:0h.f|membership|-#######@live.com","UserType":0,"Version":1,"Workload":"OneDrive","ClientIP":"85.195.241.213","UserId":"tom.-#######.onmicrosoft.com","AuthenticationType":"OAuth","BrowserName":"Chrome","BrowserVersion":"126.0.0.0","CorrelationId":"402933a1--#######-35ac-0c25ec1f91a1","EventSource":"SharePoint","IsManagedDevice":false,"ItemType":"File","ListId":"e4cf29f6-1b0e-41af-9a65-03c4cb805909","ListItemUniqueId":"156c935e-053c-459e-8212-8de4137f62aa","Platform":"MacOSX","Site":"50834d26-afd3-4959-a311-aa87aac3e382","UserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36","WebId":"4bdf3a3f-5b82-427d-8653-9ef52126f9d0","DeviceDisplayName":"2a01:111:2056:200:41ac:4d1:5daa:33ed","HighPriorityMediaProcessing":false,"ListBaseType":1,"ListServerTemplate":700,"SourceFileExtension":"docx","SiteUrl":"https://-#######-my.sharepoint.com/personal/-#######_onmicrosoft_com/","SourceRelativeUrl":"Documents/Confidential","SourceFileName":"CanaryToken-SuperSecret.docx","ApplicationDisplayName":"Unknown","ObjectId":"https://-#######-my.sharepoint.com/personal/-#######_onmicrosoft_com/Documents/Confidential/CanaryToken-SuperSecret.docx","Subscription":"Audit.SharePoint"}}

Upon checking with the wazuh-logtest, I can correctly classify both rules (91700 and 100111)


Malware:
{"integration":"office365","office365":{"AppAccessContext":{"AADSessionId":"6a9e6789-#######-9be7-8538d52cbf85","ClientAppName":"Unknown","CorrelationId":"402933a1-60a3-9000-35ac-0c25ec1f91a1","TokenIssuedAtTime":"2024-06-15T20:33:02","UniqueTokenId":"-#######"},"CreationTime":"2024-06-16T09:35:52","Id":"354ee104--#######ae0a-08dc8de7b6d3","Operation":"FileMalwareDetected","OrganizationId":"2d78dcf1--#######-92fd004d07b1","RecordType":6,"UserKey":"i:0h.f|membership|-#######@live.com","UserType":0,"Version":1,"Workload":"OneDrive","ClientIP":"85.195.241.213","UserId":"tom.-#######.onmicrosoft.com","AuthenticationType":"OAuth","BrowserName":"Chrome","BrowserVersion":"126.0.0.0","CorrelationId":"402933a1--#######-35ac-0c25ec1f91a1","EventSource":"SharePoint","IsManagedDevice":false,"ItemType":"File","ListId":"e4cf29f6-1b0e-41af-9a65-03c4cb805909","ListItemUniqueId":"156c935e-053c-459e-8212-8de4137f62aa","Platform":"MacOSX","Site":"50834d26-afd3-4959-a311-aa87aac3e382","UserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36","WebId":"4bdf3a3f-5b82-427d-8653-9ef52126f9d0","DeviceDisplayName":"2a01:111:2056:200:41ac:4d1:5daa:33ed","HighPriorityMediaProcessing":false,"ListBaseType":1,"ListServerTemplate":700,"SourceFileExtension":"docx","SiteUrl":"https://-#######-my.sharepoint.com/personal/-#######_onmicrosoft_com/","SourceRelativeUrl":"Documents/Confidential","SourceFileName":"CanaryToken-SuperSecret.docx","ApplicationDisplayName":"Unknown","ObjectId":"https://-#######-my.sharepoint.com/personal/-#######_onmicrosoft_com/Documents/Confidential/CanaryToken-SuperSecret.docx","Subscription":"Audit.SharePoint"}}
office365.Operation: 'FileMalwareDetected'

office365.OrganizationId: '2d78dcf1--#######-92fd004d07b1'
office365.Platform: 'MacOSX'
office365.RecordType: '6'
office365.Site: '50834d26-afd3-4959-a311-aa87aac3e382'
office365.SiteUrl: 'https://-#######-my.sharepoint.com/personal/-#######_onmicrosoft_com/'
office365.SourceFileExtension: 'docx'
office365.SourceFileName: 'CanaryToken-SuperSecret.docx'
office365.SourceRelativeUrl: 'Documents/Confidential'
office365.Subscription: 'Audit.SharePoint'
office365.UserAgent: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36'
office365.UserId: 'tom.-#######.onmicrosoft.com'
office365.UserKey: 'i:0h.f|membership|-#######@live.com'
office365.UserType: '0'
office365.Version: '1'
office365.WebId: '4bdf3a3f-5b82-427d-8653-9ef52126f9d0'
office365.Workload: 'OneDrive'

**Phase 3: Completed filtering (rules).
id: '91700'
level: '14'
description: 'Office 365: Detected malware in file .'
groups: '['office365', 'OneDrive', 'SharePoint']'
firedtimes: '1'
hipaa: '['164.312.b']'
mail: 'True'
pci_dss: '['10.6.1']'
**Alert to be generated.


Confidential file
Let me know if that helps
Eric
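To see why the "data." prefix in Tom's first rule never matched and how the negated Operation check in Eric's final rule separates a preview from a malware event, here is an added Python dry-run (my own code, not Wazuh's engine and not from the thread) that flattens an event into the dotted keys wazuh-logtest prints in phase 2 and applies each <field> element with Python's re standing in for PCRE2/OSRegex. It assumes the parent if_sid rule has already matched and that an absent field fails its check even when negated; the two events are constructed, trimmed copies of the thread's redacted audit records.

```python
import json
import re
import xml.etree.ElementTree as ET

# Eric's working rule from the thread (parent rule 91537 assumed matched).
RULE_XML = """<group name="office365,">
  <rule id="100111" level="13">
    <if_sid>91537</if_sid>
    <field name="office365.SourceRelativeUrl" type="pcre2">^Documents\\/Confidential$</field>
    <field name="office365.Operation" negate="yes">^FileMalwareDetected$</field>
    <description>Office 365: Access to confidential file.</description>
  </rule>
</group>"""

# Tom's first attempt: the field path carries a "data." prefix the decoder never emits.
WRONG_FIELD_XML = """<group name="office365,">
  <rule id="100002" level="13">
    <if_sid>91531</if_sid>
    <field name="data.office365.SourceRelativeUrl" type="osregex">^Documents/Confidential$</field>
    <description>Office 365: Access to confidential file.</description>
  </rule>
</group>"""

# Constructed, trimmed-down versions of the thread's redacted O365 audit events.
EVENT_PREVIEW = json.dumps({"integration": "office365", "office365": {
    "Operation": "FilePreviewed", "Workload": "OneDrive", "EventSource": "SharePoint",
    "IsManagedDevice": False, "SourceRelativeUrl": "Documents/Confidential",
    "SourceFileName": "CanaryToken-SuperSecret.docx"}})
EVENT_MALWARE = EVENT_PREVIEW.replace('"FilePreviewed"', '"FileMalwareDetected"')


def flatten(obj, prefix=""):
    """Flatten nested JSON into the dotted keys wazuh-logtest prints in phase 2."""
    out = {}
    for key, value in obj.items():
        name = prefix + key
        if isinstance(value, dict):
            out.update(flatten(value, name + "."))
        else:
            # logtest shows scalars as strings: booleans lower-case, numbers bare
            out[name] = value if isinstance(value, str) else json.dumps(value)
    return out


def field_check_passes(fields, field_el):
    """Evaluate one <field> element; negate="yes" inverts a present field's match."""
    value = fields.get(field_el.get("name"))
    if value is None:
        return False  # assumption: a missing field fails the check even when negated
    matched = re.search((field_el.text or "").strip(), value) is not None
    return matched != (field_el.get("negate") == "yes")


def fired_rules(rules_xml, event_json):
    """Return ids of rules whose <field> checks all pass (parent if_sid assumed matched)."""
    fields = flatten(json.loads(event_json))
    return [rule.get("id") for rule in ET.fromstring(rules_xml).iter("rule")
            if all(field_check_passes(fields, f) for f in rule.findall("field"))]


if __name__ == "__main__":
    print("preview, fixed rule:", fired_rules(RULE_XML, EVENT_PREVIEW))          # ['100111']
    print("malware, fixed rule:", fired_rules(RULE_XML, EVENT_MALWARE))          # []
    print("preview, data. prefix:", fired_rules(WRONG_FIELD_XML, EVENT_PREVIEW))  # []
```

The malware event still reaches the stock rule 91700 in Wazuh because this custom rule simply declines to match it; wazuh-logtest against the real ruleset remains the authoritative check.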

Tom H

Jul 18, 2024, 7:57:41 AM
to Eric Franco Fahnle, Wazuh | Mailing List
Hi Eric, 
Thank you very much and no worries. Actually your reply ended up in my spam folder. 

FYI I just signed an official support agreement because now the O365 integration is broken as well and I can't test it right now.

Thanks again for your support, I really appreciate it!

Tom
