Wazuh - Office 365 wodle script problem


joh nte

Oct 3, 2021, 5:40:22 AM
to Wazuh mailing list
Good morning.

I'm using Wazuh 4.0.4 and I'm trying to retrieve data from Office 365 by using this guide:

I've modified the Python script according to my version and, by launching it from the command line, it retrieves all the data that I need; however, the wodle "command" doesn't seem to start!

Reading the logs, I saw only a warning regarding the "tag", but it isn't needed.

The wodle goes like this:

<wodle name="command">
  <disabled>no</disabled>
  <command>/path/to/script/office_365.py --contentType Audit.Exchange Audit.SharePoint DLP.All Audit.General Audit.AzureActiveDirectory --hours 24 --tenantId your_tenant_id --clientId your_client_id --clientSecret your_client_secret</command>
  <interval>24h</interval>
  <ignore_output>yes</ignore_output>
  <run_on_start>yes</run_on_start>
  <timeout>0</timeout>
</wodle>

Obviously, the "command" parameter is set with the right parameters, and I verified it by executing the exact same command through the terminal.

The rules have been set too, and the manager restarted, but, as I said, I can't see the execution of the script in the logs and no data seems to be retrieved.

Am i doing something wrong?

Thanks for the reply.

Mercedes Fernández Argüelles

Oct 4, 2021, 1:10:59 PM
to Wazuh mailing list
Hi Joh!

Try adding the tag option to the wodle and check the logs again:

<wodle name="command">
  <disabled>no</disabled>
  <tag>office365</tag>
  <command>/path/to/script/office_365.py --contentType Audit.Exchange Audit.SharePoint DLP.All Audit.General Audit.AzureActiveDirectory --hours 24 --tenantId your_tenant_id --clientId your_client_id --clientSecret your_client_secret</command>
  <interval>24h</interval>
  <ignore_output>yes</ignore_output>
  <run_on_start>yes</run_on_start>
  <timeout>0</timeout>
</wodle>

After making these changes, restart the manager to apply the configuration.

If you are still encountering problems, please paste the output of:
grep -i -E "err|warn" /var/ossec/logs/ossec.log

Let me know how it goes!
Mercedes

joh nte

Oct 5, 2021, 6:26:55 AM
to Wazuh mailing list
Hi Mercedes,

Thanks for the reply, it works now; however, I would like to add the GeoIP information to the alerts for "data.office_365.ClientIP"!
I've tried by modifying /usr/share/filebeat/module/wazuh/alerts/ingest/pipeline.json, adding this code:

"geoip": {
"field": "data.office_365.ClientIP",
"target_field": "GeoLocation",
"properties": ["city_name", "country_name", "region_name", "location"],
"ignore_missing": true,
"ignore_failure": true
},

Then I ran "filebeat setup --pipelines" and restarted the manager, but I still can't see the GeoIP information.

Am I missing something? Any suggestion?


Thank you!

Mercedes Fernández Argüelles

Oct 5, 2021, 1:55:27 PM
to Wazuh mailing list
Hi Joh,

Your configuration seems mostly fine; you shouldn't have that comma after that last bracket, but rather:

{
  "geoip": {
    "field": "data.clientip",
    "target_field": "GeoLocation",
    "properties": ["city_name", "country_name", "region_name", "location"],
    "ignore_missing": true,
    "ignore_failure": true
  }
},

Other than that I don't see any issues with your configuration. However, keep in mind that the IPs should be public for geolocation to work.

Hope this helps!
Mercedes
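The two points in the reply above (the processor must be valid JSON in the pipeline's "processors" list, and only public addresses get a GeoLocation) as an added example. This is not code from the thread or from the Wazuh/Filebeat projects; the pipeline below is a constructed stand-in for pipeline.json that keeps only a "processors" list, and the field/target names are the ones used in the thread.

```python
import ipaddress
import json

# Constructed stand-in for the Wazuh Filebeat module pipeline.json mentioned in
# the thread; only the "processors" list matters for this example.
SAMPLE_PIPELINE = json.dumps({
    "description": "Wazuh alerts pipeline (constructed sample)",
    "processors": [
        {"json": {"field": "message", "add_to_root": True}},
        {"date": {"field": "timestamp", "target_field": "@timestamp",
                  "formats": ["ISO8601"]}},
        {"remove": {"field": "message", "ignore_missing": True}},
    ],
}, indent=2)


def geoip_processor(field, target="GeoLocation"):
    """One processor object, shaped like the snippet in the thread."""
    return {
        "geoip": {
            "field": field,
            "target_field": target,
            "properties": ["city_name", "country_name", "region_name", "location"],
            "ignore_missing": True,
            "ignore_failure": True,
        }
    }


def processor_names(pipeline_text):
    """Ordered list of processor types, e.g. ["json", "date", "remove"]."""
    return [next(iter(p)) for p in json.loads(pipeline_text)["processors"]]


def add_geoip(pipeline_text, field="data.office_365.ClientIP", target="GeoLocation"):
    """Return the pipeline text with a geoip processor for `field` added.

    json.loads() raises on the stray comma / missing brace discussed in the
    thread, so a malformed edit fails here instead of at `filebeat setup`.
    The processor goes ahead of any trailing "remove" steps so the source
    field still exists when geoip runs; calling this twice is a no-op.
    """
    pipeline = json.loads(pipeline_text)
    processors = pipeline["processors"]
    for p in processors:
        if "geoip" in p and p["geoip"].get("field") == field:
            return json.dumps(pipeline, indent=2)
    idx = len(processors)
    while idx > 0 and "remove" in processors[idx - 1]:
        idx -= 1
    processors.insert(idx, geoip_processor(field, target))
    return json.dumps(pipeline, indent=2)


def is_geolocatable(ip):
    """The geoip processor resolves only public addresses: RFC 1918, loopback,
    link-local or unparsable values produce no GeoLocation at all (the
    "IPs should be public" caveat from the reply)."""
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


if __name__ == "__main__":
    print(add_geoip(SAMPLE_PIPELINE))
    for ip in ("8.8.8.8", "10.0.0.5", "not-an-ip"):
        print(ip, "->", "geolocatable" if is_geolocatable(ip) else "no GeoLocation")
```

Running `add_geoip` over the real pipeline.json before `filebeat setup --pipelines` catches the bracket mistake from this thread up front; `is_geolocatable` explains an alert that has a ClientIP but no GeoLocation when the address is internal.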

joh nte

Oct 6, 2021, 10:23:04 AM
to Wazuh mailing list
Thank you very much Mercedes,
Seeing your suggestion, I noticed that I had missed the } preceding the } with the comma; now I can see the geolocation in Visualize.
Now I'm trying to implement an email alert for login attempts, in order to catch unusual logins for the Office 365 users, but I think I can only trigger the email generally for rule_id 100002 (the Office_365 rule_id) and this will give me a lot of unnecessary data!
Any suggestion about that?

Thanks again for your support, I appreciate it very much.

Mercedes Fernández Argüelles

Oct 8, 2021, 9:27:08 AM
to Wazuh mailing list
Anytime!

Regarding your other question, you could analyze the Office 365 alerts you are generating in /var/ossec/logs/alerts/alerts.log (or alerts.json). Then search for the ones you are interested in (failed login attempts) and create a custom child rule for rule 100002. That way you can send an email only for that one with the options field.

The new rule could look something like this:
<rule id="100003" level="5">
  <if_sid>100002</if_sid>
  <regex>failed login</regex>
  <description>Failed login attempt on Office365</description>
  <options>alert_by_email</options>
</rule>

Keep in mind that the regex field should match part of the original event with a regular expression. You can read about regex syntax here.

To learn more about custom rules, please refer to the following documentation pages:

Hope this helps! Let me know if you need further help.

joh nte

Oct 15, 2021, 5:07:09 AM
to Wazuh mailing list
Thanks a lot for helping me!

Anyway, I'm struggling with my intent!

I'm trying to create a rule that gives me data like the ones I can see through the visualization that I created.
It goes like this:

[image: WazOff_1.PNG]

and is linked to a "search" that leaves out some countries (e.g. Germany, United Kingdom, US and others).

So, the new rule should filter out any logins that aren't risky for me and send me a report every hour; I think I should set those parameters in the regex field, but I'm trying to find out how.

Any suggestion?

joh nte

Oct 22, 2021, 9:05:51 AM
to Wazuh mailing list
Any suggestion about it?

Thanks.

Mercedes Fernández Argüelles

Oct 22, 2021, 2:00:38 PM
to Wazuh mailing list
Hi Joh,

First of all, excuse me for the delayed response! Secondly, I'm afraid that what you want to do is not currently possible. This is because GeoLocation fields are generated after decoding the log and matching it against the ruleset, meaning you don't have any country_name field to check in the rule itself. For other fields (the ones that are present after decoding) you can either use the field option (doc) or the designated ones for default fields (like srcip, user, etc).

Let me know if you have any more questions!
Mercedes.
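The analysis suggested in the Oct 8 reply (look through alerts.json for the rule 100002 events, then build a child rule on what they actually contain) and the point in the last reply (a rule can only test fields that exist after decoding, so match on a decoded field or on the raw event, not on GeoLocation), as one added example. This is not code from the thread or from the Wazuh project. The alerts.json lines are constructed; only ClientIP appears in the thread, while the Operation and UserId keys and their values are assumptions about the Office 365 event shape. The two matching helpers only approximate Wazuh's `<regex>` and `<field>` options with Python `re`/equality checks; Wazuh's own regex syntax is the one linked in the reply.

```python
import json
import re
from collections import Counter


def _alert(rule_id, event):
    """Build one alerts.json line in Wazuh's shape (rule.id, data, full_log)."""
    return json.dumps({
        "timestamp": "2021-10-05T09:00:00.000+0000",
        "rule": {"level": 3, "id": rule_id, "description": "Office 365 event"},
        "data": {"office_365": event},
        "full_log": json.dumps(event),
    })


# Constructed sample of alerts.json. Operation/UserId are assumed keys; the
# third-to-last line is a non-Office 365 alert and the last one is junk.
SAMPLE_ALERTS = "\n".join([
    _alert("100002", {"Operation": "UserLoggedIn", "UserId": "alice@example.com",
                      "ClientIP": "8.8.8.8"}),
    _alert("100002", {"Operation": "UserLoginFailed", "UserId": "bob@example.com",
                      "ClientIP": "1.1.1.1"}),
    _alert("100002", {"Operation": "UserLoginFailed", "UserId": "bob@example.com",
                      "ClientIP": "1.1.1.1"}),
    json.dumps({"rule": {"id": "5501"},
                "full_log": "pam_unix(sshd:session): session opened"}),
    "this line is not JSON and must be skipped",
])


def parse_alerts(text):
    """Parse newline-delimited alerts.json, skipping lines that are not JSON."""
    alerts = []
    for line in text.splitlines():
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return alerts


def office365_alerts(alerts, rule_id="100002"):
    """Keep only alerts fired by the Office 365 rule (the <if_sid> parent)."""
    return [a for a in alerts if a.get("rule", {}).get("id") == rule_id]


def summarize(alerts, key):
    """Count the values of data.office_365.<key>: shows which field separates
    failed logins from the rest before a child rule is written."""
    return Counter(a["data"]["office_365"].get(key) for a in alerts)


def regex_hits(alerts, pattern):
    """Approximate the rule's <regex>, which is tested against the raw event
    (full_log): a pattern must match text that really occurs there."""
    return [a for a in alerts if re.search(pattern, a.get("full_log", ""))]


def field_matches(alerts, key, value):
    """Approximate the <field> option from the last reply: match on a decoded
    field instead of on the raw text."""
    return [a for a in alerts if a["data"]["office_365"].get(key) == value]


if __name__ == "__main__":
    o365 = office365_alerts(parse_alerts(SAMPLE_ALERTS))
    print("Operation values:", dict(summarize(o365, "Operation")))
    print("regex 'failed login' hits:", len(regex_hits(o365, "failed login")))
    print("regex 'UserLoginFailed' hits:", len(regex_hits(o365, "UserLoginFailed")))
    print("field Operation == UserLoginFailed:",
          len(field_matches(o365, "Operation", "UserLoginFailed")))
```

On the constructed sample the literal `failed login` from the draft rule matches nothing, because that phrase never occurs in the raw event, while the value that `summarize` surfaces does; that is the check worth doing against the real alerts.json before restarting the manager with a new child rule.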