Hello!
I set up monitoring of the Azure AD Audit log using Microsoft Graph, following the guide.
In /var/ossec/logs/azure_logs.log I see these lines:
10/30/2022 07:19:49 PM INFO: AZURE Getting the data from /var/ossec/wodles/azure/last_dates.json.
10/30/2022 07:19:49 PM INFO: AZURE Azure Graph starting.
10/30/2022 07:19:49 PM INFO: AZURE Graph: Getting authentication token.
10/30/2022 07:19:49 PM INFO: AZURE Graph: Building the url.
10/30/2022 07:19:49 PM INFO: AZURE Graph: The search starts for query: 'auditLogs/directoryAudits' using activityDateTime+ge+2022-10-30T17:16:49.583392Z
10/30/2022 07:19:49 PM INFO: AZURE Graph: The URL is 'https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?&$filter=activityDateTime+ge+2022-10-30T17:16:49.583392Z'
10/30/2022 07:19:49 PM INFO: AZURE Graph: Pagination starts
10/30/2022 07:19:50 PM INFO: AZURE Updating /var/ossec/wodles/azure/last_dates.json file.
10/30/2022 07:19:50 PM INFO: AZURE Graph: There are no new results
10/30/2022 07:19:50 PM INFO: AZURE Graph: End
In the Azure Audit logs I can see that events are being written, but in Wazuh Discover I don't see any logs.
My ossec.conf:
<wodle name="azure-logs">
  <disabled>no</disabled>
  <run_on_start>yes</run_on_start>
  <graph>
    <!-- file holding application_id / application_key for the registered app -->
    <auth_path>/var/ossec/wodles/credentials/ad_credentials.txt</auth_path>
    <tenantdomain>*****.***</tenantdomain>
    <request>
      <tag>azure-ad-graph</tag>
      <!-- Graph resource to query -->
      <query>auditLogs/directoryAudits</query>
      <!-- how far back from the current run the activityDateTime filter starts -->
      <time_offset>3m</time_offset>
    </request>
  </graph>
</wodle>
How can I get logs from the Azure AD Audit log?
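One way to check the fetch step independently of Wazuh is to rebuild the exact Graph query the wodle printed in azure_logs.log and run it yourself. The script below is an added example and is not Wazuh's wodle code: it rebuilds the `activityDateTime ge <timestamp>` filter from a run time and a `time_offset`, evaluates that filter locally against a few constructed audit records (not real tenant data), and, if a bearer token is supplied in `GRAPH_TOKEN` (obtained separately with the same app registration), runs the query against Graph and follows `@odata.nextLink` pagination. The offset units (`s`, `m`, `h`, `d`), the `NOW` value (taken from the log above) and the sample records are assumptions for illustration.

```python
"""Rebuild and check the Graph directoryAudits query seen in azure_logs.log.

Added example, not Wazuh code. Offline it evaluates the filter against
constructed sample records; with GRAPH_TOKEN set it queries Graph for real.
"""
import json
import os
import re
import urllib.request
from datetime import datetime, timedelta, timezone

GRAPH_BASE = "https://graph.microsoft.com/v1.0"
GRAPH_TS = "%Y-%m-%dT%H:%M:%S.%fZ"  # microsecond UTC form, as printed in the log

# Assumed unit set for time_offset; the wodle config above uses "3m".
_OFFSET_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_offset(text):
    """'3m' -> timedelta(minutes=3)."""
    m = re.fullmatch(r"(\d+)([smhd])", text.strip())
    if not m:
        raise ValueError(f"bad time_offset: {text!r}")
    return timedelta(seconds=int(m.group(1)) * _OFFSET_UNITS[m.group(2)])


def window_start(now, time_offset):
    """Lower bound of the query window: run time minus time_offset."""
    return now - parse_offset(time_offset)


def build_url(query, since):
    """Same shape as the URL in the log: $filter=activityDateTime ge <ts>."""
    flt = f"activityDateTime ge {since.strftime(GRAPH_TS)}".replace(" ", "+")
    return f"{GRAPH_BASE}/{query}?$filter={flt}"


def parse_graph_ts(text):
    """Graph emits e.g. 2022-10-30T17:18:02.1234567Z (7 digits) or no fraction."""
    text = text.rstrip("Z")
    if "." in text:
        base, frac = text.split(".", 1)
        text = f"{base}.{frac[:6].ljust(6, '0')}"  # trim to microseconds
        fmt = "%Y-%m-%dT%H:%M:%S.%f"
    else:
        fmt = "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)


def select_events(records, since):
    """Local evaluation of 'activityDateTime ge since' over exported records."""
    return [r for r in records if parse_graph_ts(r["activityDateTime"]) >= since]


def fetch_all(url, token):
    """Run the query against Graph and follow @odata.nextLink pages."""
    out = []
    while url:
        req = urllib.request.Request(
            url, headers={"Authorization": f"Bearer {token}", "Accept": "application/json"}
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            page = json.load(resp)
        out.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return out


# Constructed sample records, not data from any real tenant.
SAMPLE_RECORDS = [
    {"id": "a1", "activityDisplayName": "Add user",
     "activityDateTime": "2022-10-30T17:10:12.1234567Z"},
    {"id": "a2", "activityDisplayName": "Update user",
     "activityDateTime": "2022-10-30T17:16:49.583392Z"},
    {"id": "a3", "activityDisplayName": "Add member to group",
     "activityDateTime": "2022-10-30T17:18:02Z"},
]

# Run time of the wodle execution shown in the log (19:19:49 local = 17:19:49Z).
NOW = datetime(2022, 10, 30, 17, 19, 49, 583392, tzinfo=timezone.utc)

if __name__ == "__main__":
    since = window_start(NOW, "3m")
    url = build_url("auditLogs/directoryAudits", since)
    print(url)
    token = os.environ.get("GRAPH_TOKEN")
    records = fetch_all(url, token) if token else SAMPLE_RECORDS
    hits = select_events(records, since)
    print(f"{len(hits)} of {len(records)} records fall inside the window")
    for r in hits:
        print(r["activityDateTime"], r["activityDisplayName"])
```

Run it with `GRAPH_TOKEN` set and `NOW` replaced by the current time to see whether Graph itself returns anything for the same window the wodle used; if the live query returns records but Wazuh shows none, the problem lies after the fetch, and if it returns nothing, the window is what to look at first.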