Office365 STS Logon Events


William Thomas

Feb 4, 2023, 11:55:54 AM
to Wazuh mailing list
I recently started delving into the Office365 integration that is available in Wazuh 4.x, and have a question about rules. Specifically, most rules differentiate between logon success and failure, but Rule ID 91545, "Office 365: Secure Token Service (STS) logon events in Azure Active Directory", does not.

What would be the best course to propose getting rules added for this?


Example log messages:
2023 Feb 04 03:33:16 log001->office365 {"integration":"office365","office365":{"CreationTime":"2023-02-04T09:24:59","Id":"b0ad6879-8bb3-4325-b541-de51b651cd00","Operation":"UserLoginFailed","OrganizationId":"xxxxxxxx-c287-42b8-a81b-xxxxxxxxxxxx","RecordType":15,"ResultStatus":"Success","UserKey":"xxxxxxxx-289e-4243-a69a-xxxxxxxxxxxx","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"10.10.10.64","ObjectId":"00000002-0000-0ff1-ce00-000000000000","UserId":"us...@domain.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"Success"},{"Name":"UserAgent","Value":"Mozilla/5.0 (iPhone; CPU iPhone OS 16_1_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.1 Mobile/15E148 Safari/604.1"},{"Name":"RequestType","Value":"Login:reprocess"}],"ModifiedProperties":[],"Actor":[{"ID":"87656ec1-289e-4243-a69a-7a6d43e4533c","Type":0},{"ID":"us...@domain.com","Type":5}],"ActorContextId":"0e7b98a8-c287-42b8-a81b-7c16f5b20891","ActorIpAddress":"10.10.10.64","InterSystemsId":"ff140306-4d5c-4254-acff-d6e1dd393e4b","IntraSystemId":"b0ad6879-8bb3-4325-b541-de51b651cd00","SupportTicketId":"","Target":[{"ID":"00000002-0000-0ff1-ce00-000000000000","Type":0}],"TargetContextId":"0e7b98a8-c287-42b8-a81b-7c16f5b20891","ApplicationId":"f8d98a96-0999-43f5-8af3-69971c7bb423","DeviceProperties":[{"Name":"OS","Value":"iOS 16"},{"Name":"BrowserType","Value":"Safari"},{"Name":"IsCompliantAndManaged","Value":"False"},{"Name":"SessionId","Value":"bf8b1b4f-473a-4459-931e-9ba8cfc4241e"}],"ErrorNumber":"50133","LogonError":"SsoArtifactRevoked","Subscription":"Audit.AzureActiveDirectory"}}
2023 Feb 03 01:18:24 log001->office365 {"integration":"office365","office365":{"CreationTime":"2023-02-03T07:12:32","Id":"b0829383-a5a5-4992-93be-c73e6e30c500","Operation":"UserLoginFailed","OrganizationId":"xxxxxxxx-93f0-42ad-a929-xxxxxxxxxxxx","RecordType":15,"ResultStatus":"Failed","UserKey":"xxxxxxxx-f65d-48a2-928f-xxxxxxxxxxxx","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"10.10.10.144","ObjectId":"00000002-0000-0ff1-ce00-000000000000","UserId":"us...@domain.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"UserError"},{"Name":"UserAgent","Value":"BAV2ROPC"},{"Name":"UserAuthenticationMethod","Value":"16"},{"Name":"RequestType","Value":"OAuth2:Token"}],"ModifiedProperties":[],"Actor":[{"ID":"a28a011a-f65d-48a2-928f-a30bd7ebcd93","Type":0},{"ID":"us...@domain.com","Type":5}],"ActorContextId":"8ac7fe80-93f0-42ad-a929-ad9682b194b4","ActorIpAddress":"10.10.10.144","InterSystemsId":"dfeaec58-a382-4264-b670-60d2886ebaba","IntraSystemId":"b0829383-a5a5-4992-93be-c73e6e30c500","SupportTicketId":"","Target":[{"ID":"00000002-0000-0ff1-ce00-000000000000","Type":0}],"TargetContextId":"8ac7fe80-93f0-42ad-a929-ad9682b194b4","ApplicationId":"00000002-0000-0ff1-ce00-000000000000","DeviceProperties":[{"Name":"BrowserType","Value":"Other"},{"Name":"IsCompliantAndManaged","Value":"False"}],"ErrorNumber":"50053","LogonError":"IdsLocked","Subscription":"Audit.AzureActiveDirectory"}}
2023 Feb 04 00:40:04 log001->office365 {"integration":"office365","office365":{"CreationTime":"2023-02-04T06:33:00","Id":"c3399fa3-231a-476a-97eb-f15a4922bf00","Operation":"UserLoggedIn","OrganizationId":"xxxxxxxx-93f0-42ad-a929-xxxxxxxxxxxx","RecordType":15,"ResultStatus":"Success","UserKey":"xxxxxxxx-d437-4ee4-91c2-xxxxxxxxxxxx","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"10.10.10.165","ObjectId":"00000002-0000-0000-c000-000000000000","UserId":"us...@domain.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"Success"},{"Name":"UserAgent","Value":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Edg/109.0.1518.61"},{"Name":"RequestType","Value":"Saml2:processrequest"}],"ModifiedProperties":[],"Actor":[{"ID":"b4ac13ed-d437-4ee4-91c2-11de784aaf7c","Type":0},{"ID":"us...@domain.com","Type":5}],"ActorContextId":"8ac7fe80-93f0-42ad-a929-ad9682b194b4","ActorIpAddress":"10.10.10.165","InterSystemsId":"1801d983-d306-4373-9126-f50fb58d1f69","IntraSystemId":"c3399fa3-231a-476a-97eb-f15a4922bf00","SupportTicketId":"","Target":[{"ID":"00000002-0000-0000-c000-000000000000","Type":0}],"TargetContextId":"8ac7fe80-93f0-42ad-a929-ad9682b194b4","ApplicationId":"46588d8e-c270-4348-9e6b-7f5d0a32d431","DeviceProperties":[{"Name":"Id","Value":"b25b53ed-9120-4cbf-956f-269021ab5dec"},{"Name":"DisplayName","Value":"INT-nb-INT-drl"},{"Name":"OS","Value":"Windows 10"},{"Name":"BrowserType","Value":"Edge"},{"Name":"IsCompliantAndManaged","Value":"False"},{"Name":"TrustType","Value":"0"},{"Name":"SessionId","Value":"58678b78-e320-4659-bfae-ceb07786ec58"}],"ErrorNumber":"0","Subscription":"Audit.AzureActiveDirectory"}}

I do see someone has put some effort into this, but in the custom rules range.
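As an added illustration of the success/failure split the post asks for (my own code, not the poster's rules and not part of Wazuh), the classification below runs over trimmed copies of the three events quoted above. The trimmed samples, the field precedence (Operation and ErrorNumber before ResultStatus) and the helper names are my assumptions; the first sample is the interesting case, since it carries Operation=UserLoginFailed together with ResultStatus=Success.

```python
import json
from collections import Counter

# Constructed samples: the three archive lines quoted in the post, trimmed to
# the fields this classification reads (all other fields dropped for brevity).
SAMPLE_EVENTS = [
    '{"integration":"office365","office365":{"Operation":"UserLoginFailed",'
    '"ResultStatus":"Success","UserId":"us...@domain.com","ClientIP":"10.10.10.64",'
    '"ErrorNumber":"50133","LogonError":"SsoArtifactRevoked",'
    '"ExtendedProperties":[{"Name":"RequestType","Value":"Login:reprocess"}]}}',
    '{"integration":"office365","office365":{"Operation":"UserLoginFailed",'
    '"ResultStatus":"Failed","UserId":"us...@domain.com","ClientIP":"10.10.10.144",'
    '"ErrorNumber":"50053","LogonError":"IdsLocked","ExtendedProperties":'
    '[{"Name":"UserAgent","Value":"BAV2ROPC"},{"Name":"RequestType","Value":"OAuth2:Token"}]}}',
    '{"integration":"office365","office365":{"Operation":"UserLoggedIn",'
    '"ResultStatus":"Success","UserId":"us...@domain.com","ClientIP":"10.10.10.165",'
    '"ErrorNumber":"0","ExtendedProperties":[{"Name":"RequestType","Value":"Saml2:processrequest"}]}}',
]


def classify_sts_logon(event: dict) -> dict:
    """Split one Audit.AzureActiveDirectory logon event into success/failure.

    Operation and ErrorNumber are tested before ResultStatus: the first sample
    reports Operation=UserLoginFailed with ResultStatus=Success, so a rule keyed
    on ResultStatus alone would count that failed login as a success.
    """
    o365 = event["office365"]
    props = {p["Name"]: p["Value"] for p in o365.get("ExtendedProperties", [])}
    operation = o365.get("Operation")
    status = o365.get("ResultStatus")
    error = o365.get("ErrorNumber", "0")
    if operation == "UserLoginFailed" or status == "Failed" or error != "0":
        outcome = "failure"
    elif operation == "UserLoggedIn" and status == "Success":
        outcome = "success"
    else:
        outcome = "unknown"  # surface anything that fits neither pattern
    return {
        "outcome": outcome,
        "user": o365.get("UserId"),
        "src_ip": o365.get("ClientIP"),
        "error": error,
        "logon_error": o365.get("LogonError", ""),
        "request_type": props.get("RequestType", ""),
        "user_agent": props.get("UserAgent", ""),
    }


def classify_lines(lines):
    """Drop any 'date host->office365 ' prefix, parse the JSON, classify."""
    return [classify_sts_logon(json.loads(line[line.find("{"):])) for line in lines]


def summarize(lines) -> dict:
    """Count outcomes, e.g. as input to a 'repeated failures from one IP' rule."""
    return dict(Counter(r["outcome"] for r in classify_lines(lines)))
```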

Openime Oniagbi

Feb 5, 2023, 9:35:42 AM
to Wazuh mailing list
Hi,

Thanks for using Wazuh.

The best way to propose new rules to be added to future Wazuh releases is to open an issue on GitHub, and the development team will add it to their roadmap.

Meanwhile, you can always use custom rules to track such events.

I hope this helps.

Regards,
Openime

William Thomas

Feb 6, 2023, 9:31:53 AM
to Wazuh mailing list
I have created an issue for this.

Openime Oniagbi

Feb 6, 2023, 10:32:45 AM
to Wazuh mailing list
Great, thank you!