Dear Wazuh Team,
We are trying to create a custom rule to generate an alert whenever there is any Office 365 activity from a country other than Indonesia (based on GeoLocation).
Below is the rule we configured:
<rule id="100002" level="12">
However, the rule is not triggering even when the activity comes from outside Indonesia.
Could you please help us check whether GeoLocation.country_name can be used at the manager rule level, or if there is a recommended approach for implementing GeoIP-based alerting for Office 365 events?
Thank you for your assistance.
Best regards,
Robby
Hi Robby,
The field GeoLocation.country_name is enriched by filebeat before forwarding the alerts to Wazuh indexer from alerts.json based on some alert's IP fields. This step takes place at a higher level of the stack than when the events are matched to the rules. That field is not available during the alert processing. The important thing to understand here is that by default, the geolocation information is not available at the moment when the event is being analyzed for rule matching. That is why your rule will not work.
In this case, you can use the Alerting plugin based on the indices fields to monitor alerts based on GeoLocation.country_name and you can also use it to trigger notifications to mail or other channels.
https://wazuh.com/blog/exploring-security-alerting-options-for-improved-threat-detection-in-wazuh-part-1/
Or you can make dashboards to easily monitor alerts from specific countries.
Ref: Maps
Let me know if you need any further information.
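As an added illustration of the Alerting-plugin approach described in the reply (this is not part of the original thread and not a Wazuh-supplied configuration), the monitor below queries the indexed alerts, where filebeat has already added GeoLocation, rather than the raw event stream the manager rules see. It assumes the Wazuh indexer index pattern wazuh-alerts-*, that Office 365 alerts carry the rule group office365, and that the monitor is created with POST _plugins/_alerting/monitors on the indexer. The destination id in the action is a placeholder that must be replaced with a real notification channel.

```json
{
  "type": "monitor",
  "name": "Office 365 activity outside Indonesia",
  "monitor_type": "query_level_monitor",
  "enabled": true,
  "schedule": { "period": { "interval": 5, "unit": "MINUTES" } },
  "inputs": [
    {
      "search": {
        "indices": ["wazuh-alerts-*"],
        "query": {
          "size": 0,
          "query": {
            "bool": {
              "filter": [
                { "term": { "rule.groups": "office365" } },
                { "exists": { "field": "GeoLocation.country_name" } },
                { "range": { "@timestamp": { "gte": "now-5m" } } }
              ],
              "must_not": [
                { "term": { "GeoLocation.country_name": "Indonesia" } }
              ]
            }
          }
        }
      }
    }
  ],
  "triggers": [
    {
      "name": "Foreign Office 365 activity seen",
      "severity": "1",
      "condition": {
        "script": {
          "source": "ctx.results[0].hits.total.value > 0",
          "lang": "painless"
        }
      },
      "actions": [
        {
          "name": "Notify SOC",
          "destination_id": "REPLACE-WITH-YOUR-DESTINATION-ID",
          "message_template": {
            "source": "{{ctx.results.0.hits.total.value}} Office 365 alert(s) from outside Indonesia in the last 5 minutes"
          }
        }
      ]
    }
  ]
}
```

The exists filter matters: an alert whose source IP could not be geolocated (for example a private or unknown address) has no GeoLocation.country_name at all, and without that filter the must_not clause alone would count it as foreign activity. The 5-minute range is matched to the schedule interval so each run only examines alerts that arrived since the previous one.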