Wazuh - Custom Field - Office365


Brenno Garcia

Nov 6, 2025, 12:06:06 PM (5 days ago) Nov 6
to Wazuh | Mailing List
Hi everyone,

I've configured the Wazuh integration with Office 365.
When I create, delete, or update a group, rule 91539 is triggered.

The relevant part about which group was changed is as follows:
"Target": [
  { "Type": 2, "ID": "Group_abcd" },
  { "Type": 2, "ID": "abcdefg" },
  { "Type": 2, "ID": "Group" },
  { "Type": 1, "ID": "testwazuh" }
],
"RecordType": "8",
"Version": "1",
"ModifiedProperties": [
  { "OldValue": "[]", "NewValue": "[\r\n \"testwazuh\"\r\n]", "Name": "Description" },
  { "OldValue": "[]", "NewValue": "[\r\n \"testwazuh\"\r\n]", "Name": "DisplayName" },
  { "OldValue": "[]", "NewValue": "[\r\n \"Unified\"\r\n]", "Name": "GroupType" },
  { "OldValue": "[]", "NewValue": "[\r\n false\r\n]", "Name": "IsAssignableToRole" },
  { "OldValue": "[]", "NewValue": "[\r\n true\r\n]", "Name": "IsPublic" },
  { "OldValue": "[]", "NewValue": "[\r\n \"test...@domain.com\"\r\n]", "Name": "Mail" },
  { "OldValue": "[]", "NewValue": "[\r\n true\r\n]", "Name": "MailEnabled" },
  { "OldValue": "[]", "NewValue": "[\r\n \"testwazuh\"\r\n]", "Name": "MailNickname" },
  [...]

I would like to send some alerts, including this information, to Microsoft Teams, but I need to specify which fields will be in the alert.

I don't have any field that contains the group name separately.

Is there any way to capture the group name and put it in another field, or extract it for Teams?

Or will I need to extract this information using a custom decoder?

Dennis Ariel Gamboa Veliz

Nov 6, 2025, 12:48:07 PM (4 days ago) Nov 6
to Wazuh | Mailing List
Hi Brenno,

You are correct, the group name (or similar attributes such as DisplayName or MailNickname) is not extracted automatically by Wazuh from Office 365 events.

The recommended approach is to create custom decoders and rules to extract the specific values you need and include them as custom fields (e.g., custom.group_name or extra_data).
Once those fields are available in the alert JSON, they can be easily sent to Microsoft Teams through the existing Wazuh integration.

Here are the relevant official documentation links for guidance:

Regards,
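As an added illustration that is not part of this thread (neither poster's code), the extraction the reply describes can also be done at the point where the alert leaves Wazuh, in a custom integration script of the kind Wazuh runs from /var/ossec/integrations (called with the alert JSON file path, an API key and the hook URL as arguments). The script below reads the alert, pulls the group name out of ModifiedProperties (whose NewValue is itself a JSON-encoded list, so it has to be decoded a second time), falls back to the Type 1 Target entry, and shapes the fields into a Teams-style message. The field layout data.office365.ModifiedProperties / data.office365.Target and the sample alert are assumptions modelled on the event fragment quoted in the first post.

```python
#!/usr/bin/env python3
# Added example, not code from the thread or from the Wazuh project.
# Runs as a Wazuh custom integration script (convention: /var/ossec/integrations/custom-*),
# which Wazuh invokes as: script <alert_file> <api_key> <hook_url>.
# The alert layout below (data.office365.*) is an assumption based on the
# event fragment quoted in the thread.
import json
import sys

# Constructed sample alert modelled on the quoted Office 365 event (not a real alert).
SAMPLE_ALERT = {
    "rule": {"id": "91539", "level": 5, "description": "Office 365 group change (constructed sample)"},
    "data": {
        "integration": "office365",
        "office365": {
            "RecordType": "8",
            "Operation": "Add group.",
            "Target": [
                {"Type": 2, "ID": "Group_abcd"},
                {"Type": 2, "ID": "abcdefg"},
                {"Type": 2, "ID": "Group"},
                {"Type": 1, "ID": "testwazuh"},
            ],
            "ModifiedProperties": [
                {"OldValue": "[]", "NewValue": "[\r\n \"testwazuh\"\r\n]", "Name": "DisplayName"},
                {"OldValue": "[]", "NewValue": "[\r\n \"Unified\"\r\n]", "Name": "GroupType"},
                {"OldValue": "[]", "NewValue": "[\r\n \"testwazuh\"\r\n]", "Name": "MailNickname"},
            ],
        },
    },
}


def _decode_value(raw):
    """NewValue/OldValue carry JSON text inside a JSON string, e.g. '[\\r\\n \"testwazuh\"\\r\\n]'.
    Decode that inner document and always return a list."""
    if isinstance(raw, list):
        return raw
    try:
        parsed = json.loads(raw)
    except (TypeError, ValueError):
        return [raw] if raw else []
    return parsed if isinstance(parsed, list) else [parsed]


def modified_property(event, name):
    """Return the decoded NewValue list for the named ModifiedProperties entry, or []."""
    for prop in event.get("ModifiedProperties") or []:
        if prop.get("Name") == name:
            return _decode_value(prop.get("NewValue"))
    return []


def extract_group_name(alert):
    """Prefer DisplayName, then MailNickname; fall back to the Type 1 Target entry,
    which in the quoted event is the only non-GUID identifier."""
    event = alert.get("data", {}).get("office365", {})
    for name in ("DisplayName", "MailNickname"):
        values = modified_property(event, name)
        if values:
            return str(values[0])
    for target in event.get("Target") or []:
        if target.get("Type") == 1 and target.get("ID"):
            return target["ID"]
    return None


def build_teams_payload(alert):
    """Shape the fields asked for in the thread into a minimal Teams message body."""
    event = alert.get("data", {}).get("office365", {})
    group = extract_group_name(alert) or "unknown"
    group_type = ", ".join(map(str, modified_property(event, "GroupType"))) or "n/a"
    return {
        "title": f"Wazuh rule {alert['rule']['id']}: {alert['rule']['description']}",
        "text": f"Operation: {event.get('Operation', 'n/a')} | Group: {group} | Type: {group_type}",
    }


if __name__ == "__main__":
    if len(sys.argv) >= 2:
        with open(sys.argv[1]) as fh:   # argv[1] is the alert file Wazuh hands to the script
            alert = json.load(fh)
    else:
        alert = SAMPLE_ALERT
    # Delivery to the hook URL (argv[3]) is deliberately left out; the payload is printed.
    print(json.dumps(build_teams_payload(alert), indent=2))
```

Run without arguments it prints the payload built from the constructed sample; the same functions work on the alert file a custom integration receives. Keeping the decode-twice step in one helper matters, because a naive string match against NewValue would pick up the surrounding brackets and the \r\n whitespace.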