Wazuh + Office365 Problem


Brenno Garcia

Feb 6, 2026, 11:08:26 AM
to Wazuh | Mailing List
Hi, can anyone help me?

My Wazuh is behaving strangely with Office 365 in a specific context of alerts.

My Wazuh alerts are sent to Teams, and as I noticed, suddenly some very old alerts (3 months ago) were reprocessed.

And I found them in archives.log and alerts.json.
{"timestamp":"2026-02-06T15:35:47.946+0000","rule":{"level":6,"description":"Account testebrenno@domain disabled","id":"100405","firedtimes":1,"mail":false,"groups":["office365","AzureActiveDirectory"],"hipaa":["164.312.b"],"pci_dss":["10.6.2"]},"agent":{"id":"000","name":"wazuh.manager"},"manager":{"name":"wazuh.manager"},"id":"x","full_log":"{\"integration\":\"office365\",\"office365\":{\"CreationTime\":\"2025-11-07T15:39:01\",\"Id\":\"x-x-x-x-x\",\"Operation\":\"Disable account.\",\"OrganizationId\":\"x-x-x-x-x\",\"RecordType\":8,\"ResultStatus\":\"Success\",\"UserKey\":\"Not Available\",\"UserType\":4,\"Version\":1,\"Workload\":\"AzureActiveDirectory\",\"ObjectId\":\"testebrenno@domain\",\"UserId\":\"x-x-x-x-140c8578b9f5\",\"AzureActiveDirectoryEventType\":1,\"ExtendedProperties\":[{\"N

But I can't find them in any index on the Wazuh dashboard.

What could be happening? Only the events related to Account Enable/Created/Disabled/Deleted are "reprocessing" from almost 3 months ago; all other events like SharePoint, Exchange, and Azure AD are normal. They can be found in archives.log and alerts.json, but not in any index or dashboard.


hasitha.u...@wazuh.com

Feb 8, 2026, 2:15:28 AM
to Wazuh | Mailing List
Hi Brenno,

By default, the module’s only_future_events setting is set to yes, which means it collects only events generated after the Wazuh manager starts or restarts.
If this setting is changed to no, the module will also collect older events that were generated before the Wazuh manager started.
The default value is yes, and the allowed values are yes and no.

Office365 config default settings:

<office365>
  <enabled>yes</enabled>
  <interval>1m</interval>
  <curl_max_size>1M</curl_max_size>
  <only_future_events>yes</only_future_events>
  <api_auth>
    <tenant_id><YOUR_TENANT_ID></tenant_id>
    <client_id><YOUR_CLIENT_ID></client_id>
    <client_secret><YOUR_CLIENT_SECRET></client_secret>
    <api_type>commercial</api_type>
  </api_auth>
  <subscriptions>
    <subscription>Audit.SharePoint</subscription>
  </subscriptions>
</office365>

Please share the office365 integration code block from the ossec.conf file to verify the config.

Let me know the update on this.
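
The two things worth checking in this situation are (a) whether the alerts in alerts.json really are old events being re-ingested, which shows up as a large gap between the alert's own timestamp and the Office 365 CreationTime inside full_log, and (b) what the only_future_events setting of the office365 block actually is. The script below is an added example written for this thread, not Wazuh project code. The alert lines and the ossec.conf fragment it reads are constructed to resemble the ones quoted above (the rule id 100406, the second alert, and all timestamps are placeholders); the function names are my own.

```python
"""Flag Office 365 alerts whose source event is much older than the alert, and
read the only_future_events setting from an ossec.conf office365 block.

Added example for this thread; not Wazuh project code. Sample data is
constructed to resemble the alerts quoted in the thread.
"""
import json
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed sample: two alerts.json lines in Wazuh's JSON shape. The first
# carries a CreationTime about three months older than its alert timestamp,
# like the reprocessed "Disable account." events in the thread; the second is
# a fresh event that arrived within two minutes of being created.
SAMPLE_ALERTS = [
    json.dumps({
        "timestamp": "2026-02-06T15:35:47.946+0000",
        "rule": {"level": 6, "id": "100405",
                 "description": "Account testebrenno@domain disabled",
                 "groups": ["office365", "AzureActiveDirectory"]},
        "full_log": json.dumps({
            "integration": "office365",
            "office365": {"CreationTime": "2025-11-07T15:39:01",
                          "Operation": "Disable account.",
                          "Workload": "AzureActiveDirectory",
                          "ObjectId": "testebrenno@domain"}}),
    }),
    json.dumps({  # rule id 100406 is a constructed placeholder
        "timestamp": "2026-02-06T15:36:02.100+0000",
        "rule": {"level": 3, "id": "100406",
                 "description": "SharePoint file accessed",
                 "groups": ["office365", "SharePoint"]},
        "full_log": json.dumps({
            "integration": "office365",
            "office365": {"CreationTime": "2026-02-06T15:34:10",
                          "Operation": "FileAccessed",
                          "Workload": "SharePoint"}}),
    }),
]


def parse_wazuh_ts(ts):
    """Parse the manager's alert timestamp, e.g. 2026-02-06T15:35:47.946+0000."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def parse_creation_time(ts):
    """Office 365 audit CreationTime has no zone designator and is UTC."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def event_lag(alert_line):
    """Return (rule_id, description, lag) for an office365 alert line, where
    lag is alert timestamp minus CreationTime; None for non-office365 alerts."""
    alert = json.loads(alert_line)
    if "office365" not in alert["rule"].get("groups", []):
        return None
    payload = json.loads(alert["full_log"])
    created = parse_creation_time(payload["office365"]["CreationTime"])
    alerted = parse_wazuh_ts(alert["timestamp"])
    return alert["rule"]["id"], alert["rule"]["description"], alerted - created


def find_backfilled_alerts(lines, max_age=timedelta(days=1)):
    """Return (rule_id, description, lag_in_days) for every office365 alert
    whose source event is older than max_age; blank lines are skipped."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        info = event_lag(line)
        if info is not None and info[2] > max_age:
            rule_id, desc, lag = info
            hits.append((rule_id, desc, lag.days))
    return hits


# Constructed ossec.conf fragment with the non-default value, for contrast.
# A real ossec.conf may contain several <ossec_config> roots, so feed this
# function the single <ossec_config> fragment that holds the office365 block.
SAMPLE_OSSEC_CONF = """<ossec_config>
  <office365>
    <enabled>yes</enabled>
    <interval>1m</interval>
    <only_future_events>no</only_future_events>
  </office365>
</ossec_config>"""


def only_future_events(ossec_conf_xml):
    """Return the only_future_events value of the first <office365> block,
    'yes' when the tag is absent (the documented default), or None when
    the fragment has no office365 block at all."""
    root = ET.fromstring(ossec_conf_xml)
    block = root.find("office365")
    if block is None:
        return None
    node = block.find("only_future_events")
    return node.text.strip() if node is not None and node.text else "yes"


if __name__ == "__main__":
    for rule_id, desc, days in find_backfilled_alerts(SAMPLE_ALERTS):
        print(f"rule {rule_id} ({desc}): source event is {days} days old")
    print("only_future_events =", only_future_events(SAMPLE_OSSEC_CONF))
```

Run against a real alerts.json with `find_backfilled_alerts(open("/var/ossec/logs/alerts/alerts.json"))`; a burst of hits with lags of weeks or months, confined to one RecordType, is the signature of the reprocessing described in this thread, as opposed to the normal delay of a few minutes between CreationTime and alert time.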

Brenno Garcia

Feb 9, 2026, 11:40:33 PM
to Wazuh | Mailing List
It was already set to yes.
This problem began on Friday and resolved itself.

hasitha.u...@wazuh.com

Feb 10, 2026, 7:06:25 AM
to Wazuh | Mailing List
Hi Brenno,

It's strange that the issue resolved itself without any config change or manual interaction. However, please closely monitor this behaviour and let us know if you are still facing the issue, so we can check further. Thanks!