Integration with Office365


Igor

Nov 7, 2023, 3:55:49 PM
to Wazuh | Mailing List
Hello,

My Office365 was integrated with my Wazuh, but log sending stopped and now I'm trying to resolve the issue. First, we recreated the step-by-step instructions in the Wazuh documentation, but still no logs are arriving.
Looking at the logs on the server, I have information that the office365 module started.

Could you help me?
[attachment: office365_wazuh.PNG]

Abdullah Al Rafi Fahim

Nov 8, 2023, 12:42:10 AM
to Wazuh | Mailing List
Hello Igor,

Can you please review and confirm that you have configured the Office365 side and Wazuh side properly as discussed in this documentation: https://documentation.wazuh.com/current/cloud-security/office365/monitoring-office365-activity.html? If yes, please share the <office365> configuration section you are using along with the output of the following command so that we can review further and find the root cause.

grep "office365" /var/ossec/logs/ossec.log

Note: please mask any confidential info (for example: client_secret) before sharing the configuration and logs.

Igor

Nov 8, 2023, 11:43:35 AM
to Wazuh | Mailing List
Hello,
Attached are the requested commands
[attachment: office365_wazuh.PNG]
[attachment: config_office_wazuh.PNG]

Igor

Nov 8, 2023, 4:19:38 PM
to Wazuh | Mailing List
Hello,
I tested a connection within the wazuh server using curl and the api keys that the office provides, I had an OK status in this request.

The request:
curl -i -X POST -H "Content-Type:application/x-www-form-urlencoded" -d "grant_type=client_credentials" -d "client_id=%CLIENT_ID%" -d "scope=https://securitycenter.onmicrosoft.com/windowsatpservice/.default" -d "client_secret=%CLIENT_SECRET%" "https://login.microsoftonline.com/%TENANT_ID%/oauth2/v2.0/token" -k

[attachment: curl_with_office.PNG]

Abdullah Al Rafi Fahim

Nov 8, 2023, 10:59:34 PM
to Wazuh | Mailing List

Hello Igor,

Can you please check at your office365 end if the unified audit logging is enabled or not? You need to enable this by turning on the Office 365 audit log so that it can be used with Management Activity API. Reference: https://learn.microsoft.com/en-us/office/office-365-management-api/troubleshooting-the-office-365-management-activity-api#enable-unified-audit-logging-in-office-365

Here is the guide from Microsoft to turn on Audit logging: https://learn.microsoft.com/en-us/purview/audit-log-enable-disable

Please let us know if this helps. 

Igor

Nov 9, 2023, 4:12:27 PM
to Wazuh | Mailing List
Hello,
The Office audit system was already on, but I requested that it be turned off and on again. Even after this test, we are still not receiving logs.

Igor

Nov 14, 2023, 10:02:32 AM
to Wazuh | Mailing List
Hello,
Any news?

Abdullah Al Rafi Fahim

Nov 15, 2023, 3:09:26 AM
to Wazuh | Mailing List
Hello Igor,

Sorry for the late response!

Can you please enable the archives and check in the server backend if you receive any log related to office365 at the /var/ossec/logs/archives/archives.json file? You can enable archives (logall_json) at the manager's ossec.conf file as described here: https://documentation.wazuh.com/current/user-manual/manager/wazuh-archives.html#enabling-the-wazuh-archives

Then you can check in the archives.json with command:
grep "office365" /var/ossec/logs/archives/archives.json

However, if you find no relevant logs in your archives either, I recommend troubleshooting this issue further using the manual script as discussed here: ?

You need to do the following steps to test this:

  • Create a Python file in your preferred directory named office_365.py and add the content shared in the attachment.

  • Make this file executable with the following command:

chmod +x office_365.py
  • Run the script manually with debug mode enabled:

./office_365.py --contentType Audit.General Audit.AzureActiveDirectory --hours 24 --tenantId <your_tenant_id> --clientId <your_client_id> --clientSecret <your_client_secret> --debug 2


Please replace <your_tenant_id>, <your_client_id> and <your_client_secret> with your relevant IDs and secret. Please share the command output so that we can review the debug log and identify the issue there.

I will wait for your response here.

[attachment: office_365_py.txt]

Igor

Nov 16, 2023, 2:54:28 PM
to Wazuh | Mailing List
Hello Abdullah. How are you doing?

I checked the archives.log file and we are receiving office logs, but these logs do not appear on the dashboard.

Regarding the script, the result is attached as "script_output". As we can see, the tokens are working perfectly.
[attachment: script_output.PNG]

Abdullah Al Rafi Fahim

Nov 16, 2023, 11:48:05 PM
to Wazuh | Mailing List
Hello Igor,

As you are receiving the logs at your archives, it means that the integration is working fine and the logs are reaching Wazuh. Anyway, as they are not appearing in the dashboard, possibly they are not triggering any alert. Though we have default decoders and rules for office365 logs, we suspect your received logs are somehow not matching them and are therefore not triggering any alerts.

Can you please share some log samples from your archives that you are receiving from office365 so that I can review them, investigate this further and help you to resolve the issue properly?

Igor

Nov 22, 2023, 2:37:43 PM
to Wazuh | Mailing List
Hello,
We had a problem with our SIEM, so I don't have logs to show you at the moment. We will solve the SIEM problem and then show the example logs.

Abdullah Al Rafi Fahim

Nov 24, 2023, 1:57:31 AM
to Wazuh | Mailing List
Sure, Igor! I will wait here for your response with the sample logs once the issue is solved.

Danish Ibrar

Nov 24, 2023, 6:30:26 AM
to Wazuh mailing list
Hello,  
I've integrated Office365 with my Wazuh, but it generates warnings and now I'm trying to resolve the issue. First, I recreated the step-by-step instructions in the Wazuh documentation and double-checked all the values, but still no logs are arriving, only the warnings below. Looking at the logs on the server, I have information that the office365 module started, but there are exceptions on the subscriptions. Could anyone help me verify whether the error is on the Wazuh integration end or the Office365 side?
Below is the screenshot attached for the error message.
[attachment: MobaXterm_faiY0rOVVA.png]
I've also tested with the script
[attachment: image.png]

Danish Ibrar

Nov 24, 2023, 7:46:08 AM
to Wazuh mailing list
I get this if I manually try to start the subscription

[attachment: MobaXterm_mB1TAYBLGF.png]

Igor

Nov 30, 2023, 2:45:30 PM
to Wazuh | Mailing List
Hello, Abdullah.

Attached is a screenshot of the logs I got from archives.log
[attachment: logs_office.PNG]

Abdullah Al Rafi Fahim

Dec 1, 2023, 12:03:20 AM
to Wazuh | Mailing List
Hello Igor,

Can you please share some of these logs in text format (not screenshot) so that I can review and test them in my lab to identify why they are not triggering alerts? You can also take the json log starting from {"integration":"office365",....} and test it with wazuh logtest to identify if the logs are triggering any alert or not. Reference: https://documentation.wazuh.com/current/user-manual/ruleset/testing.html
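The step suggested above (take each `{"integration":"office365",...}` event out of archives.json, mask the confidential parts as asked earlier in the thread, and feed it to wazuh-logtest) is easy to get wrong by hand when the archive has thousands of near-identical lines. The script below is an added example, not code from the thread or from Wazuh: it keeps one event per (Workload, Operation) pair and masks the identity fields of the Management Activity API common schema. It assumes each archives.json line is a JSON object carrying the raw queued event in `full_log` (falling back to the decoded `data` object), and that the Wazuh module nests the record under an `office365` key; the archive lines themselves are constructed.

```python
"""Extract distinct, masked Office 365 samples from Wazuh archives.json for wazuh-logtest."""
import json

# Constructed archives.json lines (not real archive data). Assumption: the raw queued
# event sits in "full_log" and starts with {"integration":"office365", ...}.
SAMPLE_ARCHIVE = "\n".join([
    json.dumps({"timestamp": "2023-11-30T14:00:00.000+0000", "location": "office365",
                "full_log": json.dumps({"integration": "office365", "office365": {
                    "RecordType": 50, "Workload": "Exchange", "Operation": "MailItemsAccessed",
                    "UserId": "alice@example.com", "ClientIP": "203.0.113.10"}})}),
    json.dumps({"timestamp": "2023-11-30T14:00:01.000+0000", "location": "office365",
                "full_log": json.dumps({"integration": "office365", "office365": {
                    "RecordType": 50, "Workload": "Exchange", "Operation": "MailItemsAccessed",
                    "UserId": "bob@example.com", "ClientIP": "203.0.113.11"}})}),
    json.dumps({"timestamp": "2023-11-30T14:00:02.000+0000", "location": "office365",
                "full_log": json.dumps({"integration": "office365", "office365": {
                    "RecordType": 15, "Workload": "AzureActiveDirectory",
                    "Operation": "UserLoggedIn", "UserId": "alice@example.com",
                    "ClientIP": "203.0.113.10", "ResultStatus": "Success"}})}),
    json.dumps({"timestamp": "2023-11-30T14:00:03.000+0000", "location": "/var/log/syslog",
                "full_log": "Nov 30 14:00:03 host sshd[1]: Accepted publickey for root"}),
    "this line is not JSON at all",
])

# Common-schema fields that identify people, hosts or the tenant; masked before sharing.
SENSITIVE = ("UserId", "UserKey", "ClientIP", "ObjectId", "OrganizationId")


def _event(line):
    """Return the office365 event dict from one archives.json line, or None."""
    try:
        rec = json.loads(line)
    except ValueError:
        return None                      # archives can hold non-JSON noise; skip it
    if not isinstance(rec, dict):
        return None
    raw = rec.get("full_log")
    if isinstance(raw, str):
        try:
            raw = json.loads(raw)        # full_log is the raw event as a JSON string
        except ValueError:
            raw = None
    if raw is None:
        raw = rec.get("data")            # fallback: the decoded fields
    if isinstance(raw, dict) and raw.get("integration") == "office365":
        return raw
    return None


def office365_events(text):
    """All office365 events found in the archive text, in file order."""
    return [ev for ev in (_event(line) for line in text.splitlines()) if ev]


def masked(event):
    """Deep copy of the event with identity fields replaced, so it is safe to post."""
    out = json.loads(json.dumps(event))
    inner = out.get("office365", {})
    for key in SENSITIVE:
        if key in inner:
            inner[key] = "<masked>"
    return out


def distinct_samples(text):
    """One masked event per (Workload, Operation), as compact JSON ready for logtest."""
    seen = {}
    for ev in office365_events(text):
        inner = ev.get("office365", {})
        seen.setdefault((inner.get("Workload"), inner.get("Operation")), masked(ev))
    return {key: json.dumps(ev, separators=(",", ":")) for key, ev in seen.items()}


if __name__ == "__main__":
    # With a real archive: distinct_samples(open("/var/ossec/logs/archives/archives.json").read())
    for (workload, operation), sample in distinct_samples(SAMPLE_ARCHIVE).items():
        print(f"# {workload} / {operation}\n{sample}\n")
```

Each printed line can be pasted into /var/ossec/bin/wazuh-logtest on the manager; an event that reaches the end of the pipeline without a rule match is the one to attach to the thread, since it shows exactly which shape the default office365 rules are not matching.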

Abdullah Al Rafi Fahim

Dec 1, 2023, 12:10:57 AM
to Wazuh | Mailing List
Hello Danish,

Thank you for sharing the debug logs! As I reviewed the logs, I identified an error message there as below:

[ERROR] Error while retrieving Office 365 activity logs: (' Request ', 'GET', ' ', 'https://manage.office.com/api/v1.0/........', ' failed with ', 400, ' - ', '{"error":{"code":"AF20023","message":"The subscription was disabled."}}' ).

This error refers to the issue that the unified audit logging for your Office 365 organization is not enabled. You need to enable this by turning on the Office 365 audit log so that it can be used with the Management Activity API. Reference: https://learn.microsoft.com/en-us/office/office-365-management-api/troubleshooting-the-office-365-management-activity-api#enable-unified-audit-logging-in-office-365

This troubleshooting document also refers to an error similar to the one you get with the default <office365> module.

[attachment: office365.png]

Here is the guide from Microsoft to turn on Audit logging: https://learn.microsoft.com/en-us/purview/audit-log-enable-disable. Therefore, please complete the configuration properly on the Microsoft end to enable the audit logging and then test the office365 integration again.

I hope it helps. Please let us know how it goes.
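The two Microsoft-side checks that settled both cases in this thread (does the app registration get a token for the Management Activity API, and are the subscriptions enabled or failing with AF20023) can be run in one place. The script below is an added example, not Wazuh's module or the office_365.py script attached earlier. It requests a token with the client-credentials grant using the scope https://manage.office.com/.default (the curl test earlier in the thread used the Defender for Endpoint scope, so a 200 from it does not prove access to manage.office.com), lists the tenant's subscriptions, starts any that are not enabled, and maps the AF20023 error seen above to the remediation: turn on unified audit logging. The transport is injected so the logic runs offline here against constructed responses; the tenant id, client id and secret are placeholders, and the content-type list is an assumption about which subscriptions the deployment wants.

```python
"""Check the Office 365 Management Activity API side of a Wazuh integration."""
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
FEED_URL = "https://manage.office.com/api/v1.0/{tenant}/activity/feed"
SCOPE = "https://manage.office.com/.default"  # Management Activity API, not the Defender scope
CONTENT_TYPES = ("Audit.AzureActiveDirectory", "Audit.Exchange",
                 "Audit.SharePoint", "Audit.General")  # assumed wanted set
AUDIT_DISABLED = "AF20023"  # error code from this thread: audit logging is off for the tenant


def urllib_http(method, url, headers=None, body=None):
    """Real transport. Returns (status, body_text); HTTP errors are returned, not raised."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def get_token(http, tenant, client_id, client_secret):
    """Client-credentials grant, as in the curl test above but with the manage.office.com scope."""
    form = urllib.parse.urlencode({"grant_type": "client_credentials", "client_id": client_id,
                                   "client_secret": client_secret, "scope": SCOPE}).encode()
    status, body = http("POST", TOKEN_URL.format(tenant=tenant),
                        {"Content-Type": "application/x-www-form-urlencoded"}, form)
    if status != 200:
        raise RuntimeError(f"token request failed: HTTP {status} {body}")
    return json.loads(body)["access_token"]


def api_error(body):
    """(code, message) from a Management API error body, or (None, body) if it is not one."""
    try:
        err = json.loads(body)["error"]
        return err["code"], err.get("message", "")
    except (ValueError, KeyError, TypeError):
        return None, body


def list_subscriptions(http, tenant, token):
    """contentType -> status for the subscriptions the tenant currently has."""
    status, body = http("GET", f"{FEED_URL.format(tenant=tenant)}/subscriptions/list",
                        {"Authorization": f"Bearer {token}"})
    if status != 200:
        raise RuntimeError(f"subscriptions/list failed: HTTP {status} {body}")
    return {s["contentType"]: s.get("status", "") for s in json.loads(body)}


def start_subscription(http, tenant, token, content_type):
    """Try to start one content type; return 'enabled' or a human-readable reason."""
    url = (f"{FEED_URL.format(tenant=tenant)}/subscriptions/start?"
           + urllib.parse.urlencode({"contentType": content_type}))
    status, body = http("POST", url, {"Authorization": f"Bearer {token}"}, b"")
    if status == 200:
        return "enabled"
    code, msg = api_error(body)
    if code == AUDIT_DISABLED:
        return "audit logging off: enable it in Microsoft Purview, then start the subscription again"
    return f"start failed: HTTP {status} {code or ''} {msg}".strip()


def diagnose(http, tenant, client_id, client_secret, wanted=CONTENT_TYPES):
    """Map each wanted content type to 'enabled' or the reason nothing is being delivered."""
    token = get_token(http, tenant, client_id, client_secret)
    current = list_subscriptions(http, tenant, token)
    return {ct: "enabled" if current.get(ct) == "enabled"
            else start_subscription(http, tenant, token, ct) for ct in wanted}


def fake_http(responses):
    """Constructed offline transport: responses maps (method, url_prefix) -> (status, body)."""
    def http(method, url, headers=None, body=None):
        for (m, prefix), resp in responses.items():
            if m == method and url.startswith(prefix):
                return resp
        return 404, '{"error":{"code":"NotFound","message":"no canned response"}}'
    return http


TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant id
_FEED = FEED_URL.format(tenant=TENANT)
CANNED = {  # constructed: one type already on, two that start fine, one failing with AF20023
    ("POST", TOKEN_URL.format(tenant=TENANT)): (200, '{"access_token":"constructed-token"}'),
    ("GET", _FEED + "/subscriptions/list"): (200, '[{"contentType":"Audit.General","status":"enabled"}]'),
    ("POST", _FEED + "/subscriptions/start?contentType=Audit.Exchange"): (200, '{"contentType":"Audit.Exchange","status":"enabled"}'),
    ("POST", _FEED + "/subscriptions/start?contentType=Audit.SharePoint"): (200, '{"contentType":"Audit.SharePoint","status":"enabled"}'),
    ("POST", _FEED + "/subscriptions/start?contentType=Audit.AzureActiveDirectory"):
        (400, '{"error":{"code":"AF20023","message":"The subscription was disabled."}}'),
}

if __name__ == "__main__":
    # Against a live tenant: pass urllib_http and the real tenant id, client id and secret.
    print(json.dumps(diagnose(fake_http(CANNED), TENANT, "client-id", "client-secret"), indent=2))
```

Run against a real tenant, a content type reported as "audit logging off" is the Microsoft-side condition the last reply describes; "enabled" for every type with nothing in archives.json points back at the Wazuh side (module configuration or credentials in ossec.conf), and an unexpected code in "start failed" is what to paste into a thread like this one, with the tenant id masked.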
