I recently started delving into the Office365 integration that is available in Wazuh 4.x, and have a question about rules. Specifically, most rules differentiate between logon success and failure, but the Rule ID 91545 Office 365: Secure Token Service (STS) logon events in Azure Active Directory does not.
2023 Feb 04 03:33:16 log001->office365 {"integration":"office365","office365":{"CreationTime":"2023-02-04T09:24:59","Id":"b0ad6879-8bb3-4325-b541-de51b651cd00","Operation":"UserLoginFailed","OrganizationId":"xxxxxxxx-c287-42b8-a81b-xxxxxxxxxxxx","RecordType":15,"ResultStatus":"Success","UserKey":"xxxxxxxx-289e-4243-a69a-xxxxxxxxxxxx","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"10.10.10.64","ObjectId":"00000002-0000-0ff1-ce00-000000000000","UserId":"us...@domain.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"Success"},{"Name":"UserAgent","Value":"Mozilla/5.0 (iPhone; CPU iPhone OS 16_1_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.1 Mobile/15E148 Safari/604.1"},{"Name":"RequestType","Value":"Login:reprocess"}],"ModifiedProperties":[],"Actor":[{"ID":"87656ec1-289e-4243-a69a-7a6d43e4533c","Type":0},{"ID":"us...@domain.com","Type":5}],"ActorContextId":"0e7b98a8-c287-42b8-a81b-7c16f5b20891","ActorIpAddress":"10.10.10.64","InterSystemsId":"ff140306-4d5c-4254-acff-d6e1dd393e4b","IntraSystemId":"b0ad6879-8bb3-4325-b541-de51b651cd00","SupportTicketId":"","Target":[{"ID":"00000002-0000-0ff1-ce00-000000000000","Type":0}],"TargetContextId":"0e7b98a8-c287-42b8-a81b-7c16f5b20891","ApplicationId":"f8d98a96-0999-43f5-8af3-69971c7bb423","DeviceProperties":[{"Name":"OS","Value":"iOS 16"},{"Name":"BrowserType","Value":"Safari"},{"Name":"IsCompliantAndManaged","Value":"False"},{"Name":"SessionId","Value":"bf8b1b4f-473a-4459-931e-9ba8cfc4241e"}],"ErrorNumber":"50133","LogonError":"SsoArtifactRevoked","Subscription":"Audit.AzureActiveDirectory"}}
2023 Feb 03 01:18:24 log001->office365 {"integration":"office365","office365":{"CreationTime":"2023-02-03T07:12:32","Id":"b0829383-a5a5-4992-93be-c73e6e30c500","Operation":"UserLoginFailed","OrganizationId":"xxxxxxxx-93f0-42ad-a929-xxxxxxxxxxxx","RecordType":15,"ResultStatus":"Failed","UserKey":"xxxxxxxx-f65d-48a2-928f-xxxxxxxxxxxx","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"10.10.10.144","ObjectId":"00000002-0000-0ff1-ce00-000000000000","UserId":"us...@domain.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"UserError"},{"Name":"UserAgent","Value":"BAV2ROPC"},{"Name":"UserAuthenticationMethod","Value":"16"},{"Name":"RequestType","Value":"OAuth2:Token"}],"ModifiedProperties":[],"Actor":[{"ID":"a28a011a-f65d-48a2-928f-a30bd7ebcd93","Type":0},{"ID":"us...@domain.com","Type":5}],"ActorContextId":"8ac7fe80-93f0-42ad-a929-ad9682b194b4","ActorIpAddress":"10.10.10.144","InterSystemsId":"dfeaec58-a382-4264-b670-60d2886ebaba","IntraSystemId":"b0829383-a5a5-4992-93be-c73e6e30c500","SupportTicketId":"","Target":[{"ID":"00000002-0000-0ff1-ce00-000000000000","Type":0}],"TargetContextId":"8ac7fe80-93f0-42ad-a929-ad9682b194b4","ApplicationId":"00000002-0000-0ff1-ce00-000000000000","DeviceProperties":[{"Name":"BrowserType","Value":"Other"},{"Name":"IsCompliantAndManaged","Value":"False"}],"ErrorNumber":"50053","LogonError":"IdsLocked","Subscription":"Audit.AzureActiveDirectory"}}
2023 Feb 04 00:40:04 log001->office365 {"integration":"office365","office365":{"CreationTime":"2023-02-04T06:33:00","Id":"c3399fa3-231a-476a-97eb-f15a4922bf00","Operation":"UserLoggedIn","OrganizationId":"xxxxxxxx-93f0-42ad-a929-xxxxxxxxxxxx","RecordType":15,"ResultStatus":"Success","UserKey":"xxxxxxxx-d437-4ee4-91c2-xxxxxxxxxxxx","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"10.10.10.165","ObjectId":"00000002-0000-0000-c000-000000000000","UserId":"us...@domain.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"Success"},{"Name":"UserAgent","Value":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.61"},{"Name":"RequestType","Value":"Saml2:processrequest"}],"ModifiedProperties":[],"Actor":[{"ID":"b4ac13ed-d437-4ee4-91c2-11de784aaf7c","Type":0},{"ID":"us...@domain.com","Type":5}],"ActorContextId":"8ac7fe80-93f0-42ad-a929-ad9682b194b4","ActorIpAddress":"10.10.10.165","InterSystemsId":"1801d983-d306-4373-9126-f50fb58d1f69","IntraSystemId":"c3399fa3-231a-476a-97eb-f15a4922bf00","SupportTicketId":"","Target":[{"ID":"00000002-0000-0000-c000-000000000000","Type":0}],"TargetContextId":"8ac7fe80-93f0-42ad-a929-ad9682b194b4","ApplicationId":"46588d8e-c270-4348-9e6b-7f5d0a32d431","DeviceProperties":[{"Name":"Id","Value":"b25b53ed-9120-4cbf-956f-269021ab5dec"},{"Name":"DisplayName","Value":"INT-nb-INT-drl"},{"Name":"OS","Value":"Windows 10"},{"Name":"BrowserType","Value":"Edge"},{"Name":"IsCompliantAndManaged","Value":"False"},{"Name":"TrustType","Value":"0"},{"Name":"SessionId","Value":"58678b78-e320-4659-bfae-ceb07786ec58"}],"ErrorNumber":"0","Subscription":"Audit.AzureActiveDirectory"}}
I do see someone has put some effort into this, but in the custom rules range.
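An added example (not from the original post and not Wazuh's own code) showing the split that a pair of child rules under 91545 would make: it parses archive lines modelled on the three events above (users, tenant ids and addresses replaced with placeholders) and classifies each STS event by `office365.Operation` rather than `ResultStatus`. The field path `office365.Operation` for a `<field>` condition in a child rule is assumed from the decoder's JSON flattening.

```python
import json
import re

# Constructed sample events modelled on the three in the post; users, tenant
# ids and addresses are placeholders, not real values.
SAMPLE_LINES = [
    '2023 Feb 04 03:33:16 log001->office365 {"integration":"office365","office365":'
    '{"Operation":"UserLoginFailed","RecordType":15,"ResultStatus":"Success",'
    '"UserId":"user1@example.com","ErrorNumber":"50133","LogonError":"SsoArtifactRevoked"}}',
    '2023 Feb 03 01:18:24 log001->office365 {"integration":"office365","office365":'
    '{"Operation":"UserLoginFailed","RecordType":15,"ResultStatus":"Failed",'
    '"UserId":"user2@example.com","ErrorNumber":"50053","LogonError":"IdsLocked"}}',
    '2023 Feb 04 00:40:04 log001->office365 {"integration":"office365","office365":'
    '{"Operation":"UserLoggedIn","RecordType":15,"ResultStatus":"Success",'
    '"UserId":"user3@example.com","ErrorNumber":"0"}}',
]

# "<timestamp> <source>->office365 <json>", the archive line shape in the post.
LINE_RE = re.compile(r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) "
                     r"(?P<src>\S+)->office365 (?P<json>\{.*\})$")

def parse_line(line):
    """Return the decoded office365 object plus timestamp/source, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    doc = json.loads(m.group("json"))
    return {"ts": m.group("ts"), "src": m.group("src"), **doc.get("office365", {})}

def classify_sts_logon(ev):
    """'success' / 'failure' / None for a RecordType 15 (STS) event.

    Operation is the discriminator, not ResultStatus: the first sample is a
    UserLoginFailed that carries ResultStatus "Success" (LogonError
    SsoArtifactRevoked), so a rule keyed on ResultStatus would miss it.
    """
    if ev.get("RecordType") != 15:
        return None
    return {"UserLoggedIn": "success",
            "UserLoginFailed": "failure"}.get(ev.get("Operation"))

def summarize(lines):
    """(user, outcome, LogonError, ErrorNumber) for each parseable line."""
    rows = []
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            rows.append((ev.get("UserId"), classify_sts_logon(ev),
                         ev.get("LogonError", ""), ev.get("ErrorNumber")))
    return rows
```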