Office 365 Monitoring


Fear cube_A

Nov 6, 2025, 12:06:11 PM
to Wazuh | Mailing List
I am new to monitoring an Office 365 cloud environment. What should I focus on to determine true positive security events in Wazuh? Can anyone share a resource I can refer to?

diego...@wazuh.com

Nov 6, 2025, 12:44:29 PM
to Wazuh | Mailing List

Hi, Fear cube_A

When monitoring O365 with Wazuh, focus on these event categories that the platform captures:

Key event types from Office 365 subscriptions:

  • Azure AD events: Sign-ins, authentication events, role assignments and changes
  • Exchange activities: Email operations, mailbox permission changes, forwarding rules
  • SharePoint events: Document sharing, permissions changes, file operations
  • Security & Compliance: DLP policy violations, compliance events

Common security indicators to investigate:

  • Multiple failed sign-ins followed by success
  • Unusual geographic locations for authentication
  • Mailbox forwarding rules (especially external)
  • Admin role changes and privilege escalations
  • Mass file operations or external sharing

Official documentation:

Recommendations: Establish a 2-4 week baseline before tuning rules. Correlate multiple indicators for higher-confidence alerts.
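An added example, not part of the reply above and not Wazuh's own rule logic: a Python sketch of correlating two of the listed indicators (failed sign-ins followed by a success, then a mailbox forwarding rule) over audit records. The field and operation names follow the Office 365 Management Activity API audit schema; the sample records, the `ev` and `correlate` helpers, the thresholds and the time windows are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FORWARD_PARAMS = {"ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"}

def ev(ts, user, op, ip, params=()):
    """Build one constructed audit record (not real tenant data)."""
    return {"CreationTime": ts, "UserId": user, "Operation": op, "ClientIP": ip,
            "Parameters": [{"Name": n, "Value": v} for n, v in params]}

# Constructed sample: alice has 3 failures, a success, then a forwarding rule;
# bob mistypes once and logs in normally.
SAMPLE = [
    ev("2025-11-06T09:00:05", "alice@example.com", "UserLoginFailed", "203.0.113.7"),
    ev("2025-11-06T09:00:20", "alice@example.com", "UserLoginFailed", "203.0.113.7"),
    ev("2025-11-06T09:00:41", "alice@example.com", "UserLoginFailed", "203.0.113.7"),
    ev("2025-11-06T09:01:10", "alice@example.com", "UserLoggedIn", "203.0.113.7"),
    ev("2025-11-06T09:02:00", "bob@example.com", "UserLoginFailed", "198.51.100.4"),
    ev("2025-11-06T09:02:30", "bob@example.com", "UserLoggedIn", "198.51.100.4"),
    ev("2025-11-06T09:20:00", "alice@example.com", "New-InboxRule", "203.0.113.7",
       [("ForwardTo", "drop@example.net")]),
]

def correlate(events, threshold=3, window=timedelta(minutes=10),
              follow_up=timedelta(hours=1)):
    """Flag a success after >= threshold failures inside `window`; raise the
    finding to high confidence if the user adds a forwarding rule within `follow_up`."""
    fails = defaultdict(deque)   # user -> timestamps of recent failed sign-ins
    findings = {}                # user -> latest finding for that user
    for e in sorted(events, key=lambda r: r["CreationTime"]):
        ts, user = datetime.fromisoformat(e["CreationTime"]), e["UserId"]
        q = fails[user]
        while q and ts - q[0] > window:   # expire failures outside the window
            q.popleft()
        if e["Operation"] == "UserLoginFailed":
            q.append(ts)
        elif e["Operation"] == "UserLoggedIn":
            if len(q) >= threshold:
                findings[user] = {"user": user, "login": ts, "ip": e["ClientIP"],
                                  "failures": len(q), "confidence": "medium"}
            q.clear()
        elif e["Operation"] in ("New-InboxRule", "Set-InboxRule"):
            f = findings.get(user)
            names = {p["Name"] for p in e["Parameters"]}
            if f and ts - f["login"] <= follow_up and names & FORWARD_PARAMS:
                f["confidence"] = "high"
    return list(findings.values())

if __name__ == "__main__":
    for finding in correlate(SAMPLE):
        print(finding)
```

The threshold and windows are the values to tune after the baseline period; a single failure before a success, as in bob's case, stays below the default threshold and produces no finding.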

diego...@wazuh.com

Nov 7, 2025, 5:25:45 AM
to Wazuh | Mailing List
From: Fear cube_A
" That was a good one. 
Thanks for the recommendation "
----

Hi, Fear cube_A

You're welcome! Glad it was helpful.

Just a quick reminder: please use "Reply All" for any questions or feedback so the entire team can benefit from the discussion. This helps other Wazuh users who might have similar questions.

Fear cube_A

Nov 7, 2025, 5:43:49 AM
to diego...@wazuh.com, Wazuh | Mailing List
Thanks for the heads up. I'm not quite familiar with this platform yet.
