rulesets on M365


Nazmur Sakib

Apr 27, 2026, 12:41:05 PM (6 days ago) Apr 27
to Wazuh | Mailing List
In Wazuh, is there any way to create specific rulesets on M365 for specific scenarios? For example, I want a rule to trigger for users where country_name is not United Kingdom. I'm not sure if it's possible, as it gets GeoIP data at the alerting level, so I'm unsure if you can re-alert on this?

Any ideas or help would be great,

Md. Nazmur Sakib

Apr 27, 2026, 12:43:14 PM (6 days ago) Apr 27
to Wazuh | Mailing List
Hi M Jones,
Yes, this is possible. GeoIP data should be inserted before rule matching, so you can do something like:
```
  <rule id="100202" level="10">
    <if_group>microsoft365</if_group>
    <!-- only sign-in events -->
    <field name="data.office365.Operation">UserLoggedIn|UserLoginFailed</field>
    <!-- country present but not the UK -->
    <field name="data.geoip.country_name" negate="yes">United Kingdom</field>
    <!-- guard: require that a country_name value actually exists in the event -->
    <field name="data.geoip.country_name">\.+</field>
    <description>M365 login from outside UK: $(data.office365.UserId) from $(data.geoip.country_name) ($(data.geoip.city_name))</description>
  </rule>
```

The `negate` part would match on logins outside the UK, and the `\.+` field would make sure that the rule only matches when the event contains a country_name.

Are you not seeing the geoip data when creating rules?
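To show why the reply pairs `negate="yes"` with the `\.+` guard, here is an added Python simulation of the rule's field checks over a few constructed M365 events; it is not Wazuh code and not part of the thread. It assumes a negated field test would pass on an event that lacks the field entirely, which is exactly the case the guard exists to exclude.

```python
import re

# Constructed sample events (not from the thread), shaped like decoded M365 logs
# after GeoIP enrichment; the third one has no geoip block at all.
EVENTS = [
    {"data": {"office365": {"Operation": "UserLoggedIn", "UserId": "a@example.com"},
              "geoip": {"country_name": "United Kingdom", "city_name": "London"}}},
    {"data": {"office365": {"Operation": "UserLoginFailed", "UserId": "b@example.com"},
              "geoip": {"country_name": "Germany", "city_name": "Berlin"}}},
    {"data": {"office365": {"Operation": "UserLoggedIn", "UserId": "c@example.com"}}},
    {"data": {"office365": {"Operation": "MailItemsAccessed", "UserId": "d@example.com"},
              "geoip": {"country_name": "France", "city_name": "Paris"}}},
]

# The three <field> tests of rule 100202, as (name, Python regex, negate).
# OS_Regex "\.+" (one or more of any character) becomes ".+" in Python.
RULE_FIELDS = [
    ("data.office365.Operation", r"UserLoggedIn|UserLoginFailed", False),
    ("data.geoip.country_name", r"United Kingdom", True),
    ("data.geoip.country_name", r".+", False),
]

def get_field(event, dotted):
    """Resolve a dotted field name like data.geoip.country_name; None if absent."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def field_matches(event, name, pattern, negate=False):
    value = get_field(event, name)
    if negate:
        # Assumption (the pessimistic case the guard covers): a negated test
        # passes both when the value differs and when the field is missing.
        return value is None or re.search(pattern, str(value)) is None
    return value is not None and re.search(pattern, str(value)) is not None

def rule_fires(event, fields=RULE_FIELDS):
    """All <field> tests of a rule must pass for it to match."""
    return all(field_matches(event, n, p, neg) for n, p, neg in fields)

def alerted_users(events, fields=RULE_FIELDS):
    """UserIds the rule would alert on; drop the last test to see the unguarded rule."""
    return [get_field(e, "data.office365.UserId") for e in events if rule_fires(e, fields)]

def describe(event):
    """Render the rule's description template for a matching event."""
    return (f"M365 login from outside UK: {get_field(event, 'data.office365.UserId')} "
            f"from {get_field(event, 'data.geoip.country_name')} "
            f"({get_field(event, 'data.geoip.city_name')})")
```

Comparing `alerted_users(EVENTS, RULE_FIELDS[:2])` with `alerted_users(EVENTS)` shows the unguarded rule also firing on the event with no GeoIP data.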

I love Wazuh

Apr 27, 2026, 12:57:22 PM (6 days ago) Apr 27
to Wazuh | Mailing List
Hi,

There are no log entries present in /var/ossec/logs/alerts/alerts.json on the associated manager. The agent details have been verified using /var/ossec/bin/agent_control -i <agent_id>.

The primary objective of this case is to address that the agents are not only failing to generate logs, but are also not visible in the Wazuh console. Despite this, the agent.conf contains the correct server configuration.

During initial troubleshooting to determine why the agents are not appearing in the console, it was observed that the ossec.log file is empty.

Please note that restarting the Wazuh agent service must be avoided, as multiple agents are experiencing the same issue.

Given that the required ports (1514/1515) are open, guidance is requested on the next steps to identify why the agents are not reporting to Wazuh.
