O365 - Get "Conditional Access" property in wazuh security events


Yanis Halit

Apr 5, 2024, 10:37:54 AM4/5/24
to Wazuh | Mailing List
Hello,

Is it possible to get the conditional access status (success/Not Applied..) in Wazuh events as a property?

Thank you !



Stuti Gupta

Apr 12, 2024, 5:36:23 AM4/12/24
to Wazuh | Mailing List
Hi Yanis Halit,

I hope you're doing well.

Logs should include a conditional access status field. If logs contain this field, they can be decoded by decoders, allowing you to view the decoded fields in alerts on the Wazuh dashboard, as shown in the first image shared. If a log already matches the default decoders but fails to decode the desired field, you can modify the existing decoder using the instructions provided in this document: https://documentation.wazuh.com/current/user-manual/ruleset/decoders/custom.html

Hope this helps
Regards

Yanis Halit

Apr 29, 2024, 10:30:26 AM4/29/24
to Wazuh | Mailing List
Hello,

Thank you for your answer, but I don't really get it, I'm new to using Wazuh haha

Thank you again

Stuti Gupta

Apr 30, 2024, 5:49:29 AM4/30/24
to Wazuh | Mailing List
Hi again
For example, if this is the log captured in the wazuh-manager and you want to view actor_id in Wazuh events as a property, that field should be in the log. The log is:
{"@timestamp":1734240522505,"_document_id":"XXXXXXXXX","action":"org.register-something","actor":"something-something-for-something[bot]","actor_id":123,"actor_ip":"12.123.123.12","actor_is_bot":true,"actor_location":{"country_code":"IS"},"created_at":1734240522506,"operation_type":"create","org":"something","org_id":123,"user_agent":"GitHubActionsRunner-linux-x64/2.308.0 CommitSHA/7a6b65428cbe"}

Now this log is decoded with the built-in json decoder and this will decode the actor_id. In case it is not decoded by any of the default decoders, then you need to create the decoder. For example this kind of log:
1 2024-04-22T13:53:49+02:00 vpn-lsx.lenny.fr PulseSecure: - - - 2024-04-22 13:53:47 - vpn-mlb - [94.156.67.98] Default Network::DOMLEN\\movie(CFNM_VPN_ONLY)[][] - Login failed for 'Primary' authentication using auth server 'DOMLEN' ('Active Directory').  Reason: 'Invalid Credentials'

Then you need to create the decoder like:
<!-- Pulse Secure Decoders -->
<!-- Parent decoder: anchors on the "PulseSecure:" string; the children below only run when it matches -->
<decoder name="pulse-secure-custom">
  <prematch>PulseSecure:</prematch>
</decoder>
<!-- First child: starts matching right after the parent prematch (after_parent) -->
<decoder name="pulse-secure-custom_login">
  <parent>pulse-secure-custom</parent>
  <regex offset="after_parent">(\d+:\d+:\d+)</regex>
  <order>timestamp1</order>
</decoder>
<!-- Each following child continues from where the previous regex stopped (after_regex) -->
<decoder name="pulse-secure-custom_login">
  <parent>pulse-secure-custom</parent>
  <regex offset="after_regex">(\d+.\d+.\d+.\d+)</regex>
  <order>srcip</order>
</decoder>
<decoder name="pulse-secure-custom_login">
  <parent>pulse-secure-custom</parent>
  <regex offset="after_regex">::(\S+)\\\\(\S+)\((\S+)\)</regex>
  <order>domain,srcuser,auth</order>
</decoder>
<!-- In Wazuh regex syntax "\." matches any character, so (\.+) captures the rest of the line -->
<decoder name="pulse-secure-custom_login">
  <parent>pulse-secure-custom</parent>
  <regex offset="after_regex">Reason: (\.+)</regex>
  <order>reason</order>
</decoder>

This will decode the fields; then you can see them in the Wazuh events as properties once the rules match. In case there are no rules, then you need to create the rule so the alert can trigger, and you can see that in security events and then as a property.

<group name="access_control,PulseSecure">
<rule id="200030" level="5">
        <if_sid>2501</if_sid>
        <decoded_as>pulse-secure-custom</decoded_as>
        <field name="reason">Invalid Credentials</field>
        <description>PulseSecure VPN ($(srcip)) login failure detected for user $(srcuser) in authenticator $(auth) on domain $(domain). Reason: $(reason)</description>
        <group>access_control,authentication_failed</group>
</rule>
</group>

<group name="github">
<rule id="222202" level="10">
        <decoded_as>json</decoded_as>
        <field name="org">something</field>
        <description>test json.log github</description>
</rule>
</group>

Then you need to restart the wazuh-manager to apply the changes using the command: systemctl restart wazuh-manager

Now you can see the fields like actor_id and reason as properties of security events, like in the image.


All this is possible if the log that is coming into the wazuh-manager has the field; in your case that field should be Conditional Access. Then we can create the custom decoders and rules like in the example above. For more examples you can refer to https://wazuh.com/blog/monitoring-linux-resource-usage-with-wazuh/
For rules and decoders you can refer to https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/

Hope this helps
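To make the chained decoders in the reply above easier to follow, here is an added Python emulation of them (example code, not from the thread or from the Wazuh ruleset). It applies the same sequence: the parent prematch anchors on "PulseSecure:", the first child starts after it (offset="after_parent"), and every later child resumes where the previous regex stopped (offset="after_regex"). The Wazuh OS_Regex patterns are translated by hand into Python `re`; the assumption is that `\d+` and `\S+` behave like their Python counterparts, a bare `.` is a literal dot, and `\.+` ("anything") becomes `.+`. The sample line is the PulseSecure log from the post.

```python
"""Emulation of the chained Pulse Secure decoders from the reply above.

Added example, not code from the thread or from the Wazuh ruleset.
"""
import re

# Log line copied from the post (the two backslashes are part of the message)
SAMPLE_LOG = (
    "1 2024-04-22T13:53:49+02:00 vpn-lsx.lenny.fr PulseSecure: - - - "
    "2024-04-22 13:53:47 - vpn-mlb - [94.156.67.98] Default Network::DOMLEN\\\\movie"
    "(CFNM_VPN_ONLY)[][] - Login failed for 'Primary' authentication using auth "
    "server 'DOMLEN' ('Active Directory').  Reason: 'Invalid Credentials'"
)

PREMATCH = "PulseSecure:"

# One entry per child decoder, in the order they appear in the post:
# (<order> field names, regex translated by hand from OS_Regex to Python re)
DECODER_CHAIN = [
    (("timestamp1",), re.compile(r"(\d+:\d+:\d+)")),
    (("srcip",), re.compile(r"(\d+\.\d+\.\d+\.\d+)")),
    (("domain", "srcuser", "auth"), re.compile(r"::(\S+)\\\\(\S+)\((\S+)\)")),
    (("reason",), re.compile(r"Reason: (.+)")),   # OS_Regex (\.+) == "anything"
]


def decode(line):
    """Return the extracted fields, or None when the prematch does not hit."""
    pos = line.find(PREMATCH)
    if pos < 0:
        return None
    pos += len(PREMATCH)  # offset="after_parent": first child starts here
    fields = {}
    for names, pattern in DECODER_CHAIN:
        match = pattern.search(line, pos)
        if match is None:
            break  # a child that does not match ends the chain
        fields.update(zip(names, match.groups()))
        pos = match.end()  # offset="after_regex": next child starts here
    return fields


def rule_matches(fields):
    """Mirror of <field name="reason">Invalid Credentials</field>: a regex match on the decoded field."""
    return bool(fields) and re.search("Invalid Credentials", fields.get("reason", "")) is not None


def describe(fields):
    """Expand the $(field) placeholders of the rule's <description> as the alert would show them."""
    return ("PulseSecure VPN ({srcip}) login failure detected for user {srcuser} "
            "in authenticator {auth} on domain {domain}. Reason: {reason}").format(**fields)


if __name__ == "__main__":
    decoded = decode(SAMPLE_LOG)
    for name, value in decoded.items():
        print(f"{name}: {value}")
    if rule_matches(decoded):
        print(describe(decoded))
```

Running it prints the five decoded fields and the expanded description. The same check can be done against a real manager with `/var/ossec/bin/wazuh-logtest` and the log line pasted on stdin, which is the quickest way to see which decoder and rule fire and which fields come out.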

Yanis Halit

May 22, 2024, 5:16:37 AM5/22/24
to Wazuh | Mailing List
Hello !

Thanks for your answer, I got the idea, but looking at my raw FailedUserLogin logs I don't see something related to conditional access, only the mention that the login was a failure:

{
    "timestamp": "2024-04-30T14:57:35.547+0200",
    "rule": {
      "level": 3,
      "description": "Office 365: Secure Token Service (STS) logon events in Azure Active Directory.",
      "id": "91545",
      "firedtimes": 854,
      "mail": false,
      "groups": ["office365", "AzureActiveDirectoryStsLogon"],
      "hipaa": ["164.312.a.2.I", "164.312.b", "164.312.d", "164.312.e.2.II"],
      "pci_dss": ["8.3", "10.6.1"]
    },
    "agent": {
      "id": "####",
      "name": "####"
    },
    "manager": {
      "name": "####"
    },
    "id": "####",
    "full_log": "{\"integration\":\"office365\",\"office365\":{\"CreationTime\":\"2024-04-30T12:53:58\",\"Id\":\"####\",\"Operation\":\"UserLoginFailed\",\"OrganizationId\":\"####\",\"RecordType\":15,\"ResultStatus\":\"Failed\",\"UserKey\":\"####\",\"UserType\":4,\"Version\":1,\"Workload\":\"AzureActiveDirectory\",\"ClientIP\":\"####\",\"ObjectId\":\"####\",\"UserId\":\"Not Available\",\"AzureActiveDirectoryEventType\":1,\"ExtendedProperties\":[{\"Name\":\"ResultStatusDetail\",\"Value\":\"UserError\"},{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko AnyConnect/4.9.04043 (win)\"},{\"Name\":\"RequestType\",\"Value\":\"SAS:EndAuth\"}],\"ModifiedProperties\":[],\"Actor\":[{\"ID\":\"####\",\"Type\":0}],\"ActorContextId\":\"####\",\"ActorIpAddress\":\"####\",\"InterSystemsId\":\"####\",\"IntraSystemId\":\"####\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"####\",\"Type\":0}],\"TargetContextId\":\"####\",\"DeviceProperties\":[{\"Name\":\"OS\",\"Value\":\"Windows\"},{\"Name\":\"BrowserType\",\"Value\":\"IE\"}],\"ErrorNumber\":\"500121\",\"LogonError\":\"AuthenticationFailedSasError\",\"Subscription\":\"Audit.AzureActiveDirectory\"}}",
    "decoder": {
      "name": "json"
    },
    "data": {
      "integration": "office365",
      "office365": {
        "CreationTime": "2024-04-30T12:53:58",
        "Id": "####",
        "Operation": "UserLoginFailed",
        "OrganizationId": "####",
        "RecordType": "15",
        "ResultStatus": "Failed",
        "UserKey": "####",
        "UserType": "4",
        "Version": "1",
        "Workload": "AzureActiveDirectory",
        "ClientIP": "####",
        "ObjectId": "####",
        "UserId": "Not Available",
        "AzureActiveDirectoryEventType": "1",
        "ExtendedProperties": [
          {
            "Name": "ResultStatusDetail",
            "Value": "UserError"
          },
          {
            "Name": "UserAgent",
            "Value": "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko AnyConnect/4.9.04043 (win)"
          },
          {
            "Name": "RequestType",
            "Value": "SAS:EndAuth"
          }
        ],
        "ModifiedProperties": [],
        "Actor": [
          {
            "ID": "####",
            "Type": 0
          }
        ],
        "ActorContextId": "####",
        "ActorIpAddress": "####",
        "InterSystemsId": "####",
        "IntraSystemId": "####",
        "Target": [
          {
            "ID": "####",
            "Type": 0
          }
        ],
        "TargetContextId": "####",
        "DeviceProperties": [
          {
            "Name": "OS",
            "Value": "Windows"
          },
          {
            "Name": "BrowserType",
            "Value": "IE"
          }
        ],
        "ErrorNumber": "500121",
        "LogonError": "AuthenticationFailedSasError",
        "Subscription": "Audit.AzureActiveDirectory"
      }
    },
    "location": "office365"
  }
 
Can you give me an idea please ?

Thank you 
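Since decoders can only expose keys that actually exist in the log, the practical first step with an alert like the one above is to flatten the event and search it for the property wanted. Here is an added Python example of that check (example code, not from the thread or from Wazuh). SAMPLE_ALERT is a trimmed, constructed copy of the posted alert with its "####" placeholders kept; the Office 365 Name/Value lists (ExtendedProperties, DeviceProperties) are flattened into addressable keys, which the dotted naming here assumes for illustration.

```python
"""Check which properties a decoded Office 365 alert actually carries.

Added example, not code from the thread or from Wazuh.
"""
import re

# Trimmed, constructed copy of the alert posted above ("####" placeholders kept)
SAMPLE_ALERT = {
    "rule": {"id": "91545", "level": 3, "groups": ["office365", "AzureActiveDirectoryStsLogon"]},
    "decoder": {"name": "json"},
    "data": {
        "integration": "office365",
        "office365": {
            "Operation": "UserLoginFailed",
            "ResultStatus": "Failed",
            "Workload": "AzureActiveDirectory",
            "ClientIP": "####",
            "ExtendedProperties": [
                {"Name": "ResultStatusDetail", "Value": "UserError"},
                {"Name": "RequestType", "Value": "SAS:EndAuth"},
            ],
            "ModifiedProperties": [],
            "DeviceProperties": [
                {"Name": "OS", "Value": "Windows"},
                {"Name": "BrowserType", "Value": "IE"},
            ],
            "ErrorNumber": "500121",
            "LogonError": "AuthenticationFailedSasError",
        },
    },
    "location": "office365",
}


def _is_name_value_list(value):
    """True for the Office 365 style list of {"Name": ..., "Value": ...} objects."""
    return (isinstance(value, list) and len(value) > 0
            and all(isinstance(i, dict) and set(i) == {"Name", "Value"} for i in value))


def flatten(obj, prefix=""):
    """Turn nested dicts/lists into dotted keys such as data.office365.LogonError.

    Name/Value lists become prefix.<Name> (an assumed naming for the example) so
    their entries are addressable like any other property; other lists are
    indexed (prefix.0, prefix.1, ...). Empty lists produce no key at all.
    """
    flat = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            flat.update(flatten(value, f"{prefix}.{key}" if prefix else key))
    elif _is_name_value_list(obj):
        for item in obj:
            flat.update(flatten(item["Value"], f"{prefix}.{item['Name']}"))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            flat.update(flatten(value, f"{prefix}.{index}"))
    else:
        flat[prefix] = obj
    return flat


def find_properties(flat, pattern):
    """Sorted keys whose name or value matches a case-insensitive regex."""
    regex = re.compile(pattern, re.IGNORECASE)
    return sorted(key for key, value in flat.items()
                  if regex.search(key) or regex.search(str(value)))


if __name__ == "__main__":
    flat = flatten(SAMPLE_ALERT)
    for key in sorted(flat):
        print(f"{key} = {flat[key]}")
    hits = find_properties(flat, r"conditional.?access")
    print("conditional access related keys:", hits or "none, the log does not carry it")
```

For the posted event the search returns nothing, which matches what the poster observed: this UserLoginFailed record only carries ResultStatus, LogonError and the ExtendedProperties entries, so no decoder or rule tweak can surface a Conditional Access status from it. Running the same search over the raw full_log of other Operation types shows quickly which events, if any, carry the property before any decoder work is started.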