Wazuh- Active Directory


Daniel Hinojo

Dec 15, 2021, 7:34:46 PM
to Wazuh mailing list
Good afternoon everyone,

I would like to make the following query: how can I get the Wazuh system to capture the attribute changes that I make to a user? I have an Active Directory; within it I have Organizational Units, users and groups. When I change the phone or email attribute of user X, I observe that Wazuh does not capture it.

carlos...@wazuh.com

Dec 16, 2021, 6:03:55 AM
to Wazuh mailing list
Hello,

It is possible to monitor those changes in your Active Directory by making use of our Azure integration. However, these logs must be retrieved using the Microsoft Graph API. Our Azure integration makes use of the old Azure AD Graph API which has been deprecated by Microsoft in favor of the new Microsoft Graph API.

We have reviewed, updated and improved our Azure module, including the Graph integration, as well as its documentation pages. This will allow you to ingest the logs you are asking for. This revised and improved version will be available with the next Wazuh release, which is 4.3.0. We are working hard to release it as soon as possible. However, until 4.3.0 is available you will not be able to make proper use of this functionality.

We apologize for any inconvenience this may cause.

Daniel Hinojo

Dec 16, 2021, 12:18:48 PM
to Wazuh mailing list
Hi Carlos, thank you for your reply. I have the following queries:

1. Will this improvement in version 4.3 be available in your open source version?
2. Currently my Active Directory is on-premises, that is, a domain controller on Windows Server 2016. Will it be applicable for this version?

carlos...@wazuh.com

Dec 20, 2021, 12:17:02 PM
to Wazuh mailing list
Hi Daniel,

First of all sorry for the delay and confusion. I misunderstood your original post and thought you were referring to Azure Active Directory (cloud) and not Active Directory (on premise). My original answer is only valid for Azure, so ignore it completely.

Wazuh already supports Active Directory monitoring in on-premise environments, as I imagine you have already configured. However, what you describe is true: if you modify user parameters such as email or phone number, no alert will be displayed in the UI. This is because Active Directory does not raise any event when this happens. Therefore, the problem is that Active Directory does not generate alerts for this type of action.

Continuing with your example, what Wazuh does is capture event 4738, which is generated every time a user object is changed. As you can see in their official documentation, some changes do not invoke a 4738 event, hence no Wazuh alert is shown.

In conclusion, Wazuh is currently monitoring and showing any changes considered relevant by Active Directory, but these are not included.

I hope this answers your question.
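A check a reader can run on their own domain controller to confirm the point made in this reply. This is an added example, not code from the thread or from Wazuh: it reads recent 4738 events from the Security log and lists which attribute fields each one actually records as changed. Windows writes "-" into every 4738 field that did not change, and phone and mail are not among the fields 4738 carries at all, so edits to them leave no 4738 trace. It assumes it runs on the DC (or a host allowed to read its Security log) with "Audit User Account Management" enabled; the computer name and event count are hypothetical defaults.

```powershell
# Added example (not from the thread): show which attributes each 4738 event
# actually records, so you can confirm which user edits Wazuh can ever see.
# Assumes: run on the domain controller (or pass -ComputerName) with rights
# to read the Security log, and success auditing for User Account Management.
function Get-UserChangeAttributes {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # assumed: local DC
        [int]$MaxEvents = 50                          # assumed: recent events only
    )
    $filter = @{ LogName = 'Security'; Id = 4738 }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                 -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            # Parse the event XML so every EventData field is addressable by name.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            # '-' means "unchanged" in 4738. Skip the Subject*/Target* identity
            # fields and PrivilegeList, which are not user attributes.
            $changed = $data.GetEnumerator() |
                Where-Object { $_.Value -ne '-' -and
                               $_.Key -notmatch '^(Subject|Target)|^PrivilegeList$' } |
                ForEach-Object { $_.Key }

            [pscustomobject]@{
                Time    = $_.TimeCreated
                Target  = "$($data.TargetDomainName)\$($data.TargetUserName)"
                Actor   = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                Changed = ($changed -join ', ')
            }
        }
}

# Edit a user's phone or mail, then re-run: no new row appears, because those
# attributes are not part of the 4738 event at all.
Get-UserChangeAttributes | Format-Table -AutoSize
```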