Office365 does not work

599 views

ayran louro
Jan 11, 2023, 1:03:04 PM
to Wazuh mailing list
Hello guys,

I'm here to try to understand why I can't display my office365 module information in my wazuh.

In the file /var/ossec/logs/alerts/alerts.json I can see the data coming to my server, but the graphs on the page only show "There are no results for selected time range. Try another one.", whatever time range I set.

I've been following both documents below:
https://documentation.wazuh.com/current/office365/monitoring-office365-activity.html
https://learn.microsoft.com/en-us/microsoft-365/compliance/audit-log-enable-disable?view=o365-worldwide

Any idea what it could be?

All other functions of my Wazuh are working perfectly.

Thanks!

Héctor Gómez
Jan 11, 2023, 1:18:53 PM
to Wazuh mailing list
Hello friend, thanks for using Wazuh!

Did you configure the decoding rules for Office 365 in Wazuh?

You can also see detailed information on the Wazuh blog:

https://wazuh.com/blog/monitor-office-365-with-wazuh/

Please send a screenshot of the office365 configuration and also of the rule.

/var/ossec/etc/rules/

ayran louro
Jan 11, 2023, 1:52:33 PM
to Wazuh mailing list
Hello Hector!

(1) - Here:  ls /var/ossec/etc/rules/
local_rules.xml  local_sophos-central_rules.xml

cat local_rules.xml
<!-- Local rules -->
<!-- Modify it at your will. -->
<!-- Copyright (C) 2015, Wazuh Inc. -->
<!-- Example -->
<group name="local,syslog,sshd,">
  <!--
  Dec 10 01:02:02 host sshd[1234]: Failed none for root from 1.1.1.1 port 1066 ssh2
  -->
  <rule id="100001" level="5">
    <if_sid>5716</if_sid>
    <srcip>1.1.1.1</srcip>
    <description>sshd: authentication failed from IP 1.1.1.1.</description>
    <group>authentication_failed,pci_dss_10.2.4,pci_dss_10.2.5,</group>
  </rule>
</group>

vim /var/ossec/etc/rules/local_sophos-central_rules.xml
<group name="sophos_high_severity_alerts">
    <rule id="100002" level="0">
        <decoded_as>json</decoded_as>
        <field name="suser">^REDLINE</field>
        <description>Sophos Central parent rule.</description>
    </rule>

    <rule id="100003" level="3">
        <if_sid>100002</if_sid>
        <field name="severity">high</field>
        <description>Sophos Central high severity.</description>
    </rule>
</group>

vim /var/ossec/etc/ossec.conf
<office365>
    <enabled>yes</enabled>
    <interval>1m</interval>
    <curl_max_size>1M</curl_max_size>
    <only_future_events>yes</only_future_events>
    <api_auth>
        <tenant_id>tenant_id</tenant_id>
        <client_id>client_id</client_id>
        <client_secret>password</client_secret>
    </api_auth>
    <subscriptions>
        <subscription>Audit.AzureActiveDirectory</subscription>
        <subscription>Audit.Exchange</subscription>
        <subscription>Audit.SharePoint</subscription>
        <subscription>Audit.General</subscription>
    </subscriptions>
</office365>

Note: Office365 was working until last month, but for some reason it suddenly stopped working. I created a new password in Azure following the documentation, but it doesn't seem to have worked. I also checked, and the Exchange audit log is enabled.

Thank you !!!

Héctor Gómez
Jan 11, 2023, 2:23:57 PM
to Wazuh mailing list
Okay, I understand.
And in the file /var/ossec/logs/alerts/alerts.json, are office365 alerts being logged?

ayran louro
Jan 11, 2023, 2:42:26 PM
to Wazuh mailing list
Yes!

For example, I caught this log just now:

tail -f /var/ossec/logs/alerts/alerts.json | grep -i office365 | jq

"data": {
    "integration": "office365",
    "office365": {
      "CreationTime": "2023-01-11T19:31:21",
      "Id": "Id",
      "Operation": "UserLoggedIn",
      "OrganizationId": "OrganizationId",
      "RecordType": "15",
      "ResultStatus": "Success",
      "UserKey": "UserKey",
      "UserType": "0",
      "Version": "1",
      "Workload": "AzureActiveDirectory",
      "ClientIP": "ClientIP",
      "ObjectId": "000000034-0000-0000-c000-0000000",
      "UserId": "UserId",
      "AzureActiveDirectoryEventType": "1",
      "ExtendedProperties": [
        {
          "Name": "ResultStatusDetail",
          "Value": "Redirect"
        },
        {
          "Name": "UserAgent",
          "Value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"
        },
        {
          "Name": "RequestType",
          "Value": "OAuth2:Authorize"
        }
      ],
      "ModifiedProperties": [],
      "Actor": [
        {
          "ID": "ID",
          "Type": 0
        },
        {
          "ID": "ID",
          "Type": 5
        }
      ],
      "ActorContextId": "ActorContextId",
      "ActorIpAddress": "ActorIpAddress",
      "InterSystemsId": "InterSystemsId",
      "IntraSystemId": "IntraSystemId",
      "Target": [
        {
          "ID": "00000034-0000-0000-c000-000000",
          "Type": 0
        }
      ],
      "TargetContextId": "TargetContextId",
      "ApplicationId": "ApplicationId",
      "DeviceProperties": [
        {
          "Name": "OS",
          "Value": "Windows 10"
        },
        {
          "Name": "BrowserType",
          "Value": "Chrome"
        },
        {
          "Name": "IsCompliantAndManaged",
          "Value": "False"
        },
        {
          "Name": "SessionId",
          "Value": "Value"
        }
      ],
      "ErrorNumber": "0",
      "Subscription": "Audit.AzureActiveDirectory"
    }
  },
  "location": "office365"

Héctor Gómez
Jan 11, 2023, 4:02:36 PM
to Wazuh mailing list
What version of Wazuh do you have?

And what type of installation?

ayran louro
Jan 11, 2023, 4:16:14 PM
to Wazuh mailing list
Hello,

Héctor Gómez
Jan 12, 2023, 1:48:45 PM
to Wazuh mailing list
This is a generic rule that will trigger an alert regardless of the event type. Place it in your Wazuh manager /var/ossec/etc/rules/ folder:

<group name="office365">
  <rule id="100002" level="3">
    <location>office365</location>
    <description>$(office365.Workload) $(office365.Operation) operation.</description>
    <options>no_full_log</options>
  </rule>
</group>

Don’t forget to restart the Wazuh manager afterwards.

ayran louro
Jan 13, 2023, 7:47:01 AM
to Wazuh mailing list
Hello Hector,

I put this rule in the file, but my panel still doesn't display office365 information.

I can only display information from 90 days ago; 24 hours, 7 days or any other period of time shows nothing, and I can see the data arriving at /var/ossec/logs/alerts/alerts.json.

Any idea?

Héctor Gómez
Jan 13, 2023, 9:59:09 AM
to Wazuh mailing list
Greetings,
But was that information from 90 days ago already there before you placed the rule that I indicated? Or did it appear later?

Please send the Wazuh log
/var/ossec/logs/ossec.log
Please hide sensitive information.

ayran louro
Jan 13, 2023, 10:20:32 AM
to Wazuh mailing list
The 90-day logs are from when office365 was working in the environment; they are "old" logs. Putting in the rule you asked me to add did not change that, and the time frame still does not work.

ossec.log is attached

Thank you.
ossec.log

ayran louro
Jan 13, 2023, 10:29:04 AM
to Wazuh mailing list
The curious thing is that I can see the data in /var/ossec/logs/alerts/alerts.json, but on my dashboard it is as if this data were not arriving.

I've tried all the ranges in "show dates", but none work; only if I set 90 days, which are old logs from December 2022.

See the image attached.
office365.PNG

Héctor Gómez
Jan 13, 2023, 10:48:15 AM
to Wazuh mailing list
Well, I will consult some information and answer you in a few minutes.

ayran louro
Jan 16, 2023, 3:20:02 PM
to Wazuh mailing list
Hello Hector,

Any news?

Thank you!

Mario Garofano
Aug 21, 2023, 2:46:29 PM
to Wazuh mailing list
Hi guys, any updates? We are having the exact same issue. Office 365 events do not appear anymore in the Manager/OpenSearch dashboard but are indeed saved to archives.json only. This happened abruptly, much like what Ayran was reporting.

suricata
Aug 22, 2023, 6:29:22 AM
to Wazuh mailing list
Hi,

I don't know if it has already been mentioned, but the client_secret has an expiration date. Check it to see if that might be the problem.

Mario Garofano
Aug 22, 2023, 6:43:29 AM
to Wazuh mailing list, suricata
Hi, thanks for the comment. We have indeed re-generated the client secret just to be on the safe side and tested API call execution with both Postman and PowerShell, and they do work. Also, archives.json is populated with proper Office 365 events, so the integration itself is confirmed to be able to pull events from our Office 365 tenant. The issue here is they never reach alerts.json and the dashboard. Rules are never triggered, as events stay in archives.json only. We did not apply any changes to our configuration, and now that decoders and rules for O365 are embedded in Wazuh, we have a hard time figuring out why the O365 integration simply stopped working altogether.

Kind Regards,

Mario
--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh mailing list" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/9fg0tR5apIc/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/1f1f8e94-bb20-419c-a22c-00642fe09e3en%40googlegroups.com.
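The two reports in this thread describe different failure points on the same manager: in the first, Office 365 events reach alerts.json but the dashboard's 24-hour and 7-day ranges stay empty; in Mario's, events land in archives.json and never trigger a rule. A quick pass over those files separates the cases before anyone touches Azure. The script below is an added example written for this page, not code from the thread or from the Wazuh project. It assumes that alerts.json and archives.json hold one JSON object per line with a top-level "timestamp" in the manager's format, that module events carry "location": "office365" and "data.integration": "office365" (as in the alert posted earlier in the thread), and that an event which matched a rule carries a "rule" object with an "id" while an event present only in archives.json because nothing matched does not. The sample lines, the rule id 100002 on the first one, the December timestamp and the Exchange event are constructed for the example.

```python
import json
import sys
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional

_TS_FORMATS = ("%Y-%m-%dT%H:%M:%S.%f%z", "%Y-%m-%dT%H:%M:%S%z")


def parse_timestamp(ts: str) -> Optional[datetime]:
    """Manager timestamps look like 2023-01-11T19:31:21.123+0000; None if unparseable."""
    for fmt in _TS_FORMATS:
        try:
            return datetime.strptime(ts, fmt)
        except ValueError:
            continue
    return None


def load_events(lines: Iterable[str]) -> List[dict]:
    """One JSON object per line; a truncated line (as tail -f can hand over) is skipped."""
    events = []
    for line in lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def is_office365(event: dict) -> bool:
    """Module events carry location=office365 and data.integration=office365."""
    data = event.get("data") or {}
    return event.get("location") == "office365" or data.get("integration") == "office365"


def triage(events: List[dict], now: datetime, window: timedelta) -> Dict[str, object]:
    """Count Office 365 events, how many matched a rule, and how many fall inside `window`.
    Events without a parseable timestamp are ignored."""
    stamped = []
    for ev in events:
        if is_office365(ev):
            ts = parse_timestamp(str(ev.get("timestamp", "")))
            if ts is not None:
                stamped.append((ev, ts))
    # Assumption: an event that matched a rule carries a "rule" object with an "id";
    # an event that is only in archives.json because nothing matched has none.
    matched = [(ev, ts) for ev, ts in stamped
               if isinstance(ev.get("rule"), dict) and ev["rule"].get("id")]
    recent = [ts for _, ts in stamped if now - ts <= window]
    recent_matched = [ts for _, ts in matched if now - ts <= window]
    return {
        "office365_events": len(stamped),
        "matched_a_rule": len(matched),
        "in_window": len(recent),
        "matched_in_window": len(recent_matched),
        "newest_event": max(ts for _, ts in stamped).isoformat() if stamped else None,
        "newest_alert": max(ts for _, ts in matched).isoformat() if matched else None,
        "workloads": dict(Counter(((ev.get("data") or {}).get("office365") or {}).get("Workload", "?")
                                  for ev, _ in stamped)),
        "rule_ids": dict(Counter(str(ev["rule"]["id"]) for ev, _ in matched)),
    }


def diagnose(summary: Dict[str, object], window: timedelta) -> str:
    """Map the counts onto the situations reported in the thread."""
    if summary["office365_events"] == 0:
        return "no Office 365 events in this file: the module is not delivering (check ossec.log, the client secret expiry and the subscriptions)"
    if summary["matched_a_rule"] == 0:
        return "Office 365 events arrive but none matched a rule: check custom decoders and rules (the archives.json-only symptom)"
    if summary["matched_in_window"] == 0:
        return (f"Office 365 alerts exist but the newest is {summary['newest_alert']}, none in the last {window}; "
                f"{summary['in_window']} recent event(s) arrived without matching a rule")
    return "Office 365 alerts are current on the manager: look downstream (indexer and dashboard)"


# Constructed sample lines modelled on the alert posted in the thread. The rule
# object (id 100002 from the suggested generic rule), the December timestamp and
# the Exchange event are made up for this example; the last line is truncated.
SAMPLE_LINES = [
    json.dumps({"timestamp": "2022-12-10T08:00:00.000+0000", "location": "office365",
                "rule": {"id": "100002", "level": 3,
                         "description": "AzureActiveDirectory UserLoggedIn operation."},
                "data": {"integration": "office365",
                         "office365": {"Workload": "AzureActiveDirectory", "Operation": "UserLoggedIn"}}}),
    json.dumps({"timestamp": "2023-01-11T19:31:21.000+0000", "location": "office365",
                "data": {"integration": "office365",
                         "office365": {"Workload": "Exchange", "Operation": "MailItemsAccessed"}}}),
    json.dumps({"timestamp": "2023-01-13T11:00:00.000+0000", "location": "/var/log/auth.log",
                "rule": {"id": "5716", "level": 5}, "data": {"srcip": "1.1.1.1"}}),
    '{"timestamp": "2023-01-13T11:30:00.000+0000", "location": "office365", "data": {"inte',
]
NOW = datetime(2023, 1, 13, 12, 0, tzinfo=timezone.utc)   # around the last report in the thread
WINDOW = timedelta(days=7)                                 # one of the dashboard ranges that was tried

if __name__ == "__main__":
    # Pass alerts.json or archives.json from /var/ossec/logs; with no argument the sample is checked.
    src = open(sys.argv[1], encoding="utf-8", errors="replace") if len(sys.argv) > 1 else SAMPLE_LINES
    now = datetime.now(timezone.utc) if len(sys.argv) > 1 else NOW
    summary = triage(load_events(src), now, WINDOW)
    print(json.dumps(summary, indent=2))
    print(diagnose(summary, WINDOW))
```

Run it once against alerts.json and once against archives.json: the three non-healthy branches of diagnose() correspond to the module not delivering at all, events arriving but matching no rule, and alerts existing only outside the dashboard's time window. On the constructed sample the verdict is the third one, since the only rule-matched event is the December alert while the January event matched nothing.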

suricata
Aug 22, 2023, 7:49:50 AM
to Wazuh mailing list
Hi,

Another thing that occurs to me is that there are duplicate rule IDs, and that is why those of office365 are cancelled. The truth is that it is strange.

Regards,

Mario Garofano
Aug 22, 2023, 8:11:29 AM
to Wazuh mailing list, suricata
Would it then be necessary for the team to review the internal office365 rule set? We did not add any custom rules for it. However, what is odd is that we are now getting no events at all from O365, not just skipping a few. It seems as though the integration runs properly, but it's totally dead in terms of visibility from the dashboard.

suricata
Aug 22, 2023, 11:39:18 AM
to Wazuh mailing list
Hi, Mario.

If you haven't created any custom rules for any other event, you don't have to review any of that. But if you have created some, see if they are duplicated from ID 91531 to 91725.

Regards,
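To check the duplicate-ID hypothesis without reading every rule file by hand, here is an added Python example written for this page (not code from the thread or from the Wazuh project). It scans rule files for rule IDs defined more than once and for custom IDs that fall inside the built-in Office 365 range quoted in the reply above (91531 to 91725). The sample files embedded in it are constructed from the thread: the Sophos parent rule posted earlier and the generic Office 365 rule suggested in reply both use id 100002, and a hypothetical rule with id 91600 stands in for a custom rule that reuses a shipped ID. The directory paths in the usage note are assumptions.

```python
import re
import sys
from collections import defaultdict
from pathlib import Path
from typing import Dict, List

# Built-in Wazuh Office 365 rule IDs, as quoted in the thread (91531 to 91725).
OFFICE365_IDS = range(91531, 91726)

_COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)
_RULE_ID_RE = re.compile(r'<rule\b[^>]*\bid="(\d+)"')


def rule_ids(xml_text: str) -> List[int]:
    """Every <rule id="..."> in a Wazuh rule file, in file order.
    A regex is used instead of an XML parser because Wazuh rule files may hold several
    top-level <group> elements; comments are stripped first so commented-out rules are not counted."""
    return [int(m.group(1)) for m in _RULE_ID_RE.finditer(_COMMENT_RE.sub("", xml_text))]


def find_duplicate_ids(files: Dict[str, str]) -> Dict[int, List[str]]:
    """Rule IDs defined more than once, mapped to the files that define them.
    `files` maps a file name to its contents; an ID repeated inside one file lists that file twice."""
    seen: Dict[int, List[str]] = defaultdict(list)
    for name, text in files.items():
        for rid in rule_ids(text):
            seen[rid].append(name)
    return {rid: names for rid, names in seen.items() if len(names) > 1}


def office365_collisions(files: Dict[str, str]) -> Dict[int, List[str]]:
    """Rule IDs in `files` that fall inside the built-in Office 365 range."""
    hits: Dict[int, List[str]] = defaultdict(list)
    for name, text in files.items():
        for rid in rule_ids(text):
            if rid in OFFICE365_IDS:
                hits[rid].append(name)
    return dict(hits)


def report(files: Dict[str, str]) -> List[str]:
    """Findings as printable lines; an empty list means no collisions."""
    lines = [f"duplicate rule id {rid}: {', '.join(names)}"
             for rid, names in sorted(find_duplicate_ids(files).items())]
    lines += [f"rule id {rid} is inside the built-in Office 365 range: {', '.join(names)}"
              for rid, names in sorted(office365_collisions(files).items())]
    return lines


# Constructed sample modelled on the thread: the Sophos parent rule and the
# suggested generic Office 365 rule both use id 100002; rule 91600 is a
# hypothetical custom rule that reuses a shipped Office 365 ID.
SAMPLE_FILES = {
    "local_sophos-central_rules.xml": """<group name="sophos_high_severity_alerts">
  <!-- <rule id="999999" level="0"><description>commented out, must not count</description></rule> -->
  <rule id="100002" level="0">
    <decoded_as>json</decoded_as>
    <field name="suser">^REDLINE</field>
    <description>Sophos Central parent rule.</description>
  </rule>
  <rule id="100003" level="3">
    <if_sid>100002</if_sid>
    <field name="severity">high</field>
    <description>Sophos Central high severity.</description>
  </rule>
</group>
""",
    "local_office365_rules.xml": """<group name="office365">
  <rule id="100002" level="3">
    <location>office365</location>
    <description>$(office365.Workload) $(office365.Operation) operation.</description>
    <options>no_full_log</options>
  </rule>
  <rule id="91600" level="3">
    <if_sid>100002</if_sid>
    <description>Hypothetical custom rule reusing a shipped Office 365 ID.</description>
  </rule>
</group>
""",
}

if __name__ == "__main__":
    # No arguments: check the embedded sample. Otherwise scan every *.xml in the given
    # directories (assumed paths: /var/ossec/etc/rules and the shipped ruleset directory).
    if len(sys.argv) > 1:
        paths = sorted(p for d in sys.argv[1:] for p in Path(d).glob("*.xml"))
        files = {str(p): p.read_text(encoding="utf-8", errors="replace") for p in paths}
    else:
        files = SAMPLE_FILES
    for line in report(files) or ["no rule id collisions found"]:
        print(line)
```

Passing both the custom rule directory and the shipped one on the command line (for example `python3 check_rule_ids.py /var/ossec/etc/rules /var/ossec/ruleset/rules`, with the script name and the second path being assumptions) reports collisions between custom and shipped rules as well as within the custom files; on the embedded sample it reports the 100002 clash and the 91600 range hit.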

Mario Garofano
Aug 22, 2023, 11:48:58 AM
to Wazuh mailing list, suricata
Hi! Thanks for taking the time to help. I've checked and couldn't find any duplicate O365 rules. It appears something is off in how the integrations are supposed to work; even a fresh deployment of Wazuh did not help, while ours is a fairly straightforward configuration.

Kind Regards,

Mario

suricata
Aug 22, 2023, 12:30:08 PM
to Wazuh mailing list
Hi, Mario.

I remember that when we applied the Office365 integration, it took several days to show data in the dashboard. Also, you have to activate it. Let's see if it's going to be either of those two things.

office365.PNG

Mario Garofano
Aug 22, 2023, 12:31:44 PM
to Wazuh mailing list, suricata
Hi! That one is active as well, but we tried turning it off and on again to see if anything changes. Will keep you posted, thanks!

Raony Jose
Nov 16, 2023, 3:01:55 PM
to Wazuh | Mailing List
Did you manage to solve it?

Mario Garofano
Nov 16, 2023, 3:38:42 PM
to Wazuh | Mailing List, Raony Jose
Yes, in my case this was due to a custom decoder breaking the O365 integration as it was intercepting events even when it shouldn’t. Removing it resulted in O365 events showing up again.