Wazuh and Office 365 monitor


Nicolas Pasquarè

Apr 22, 2020, 1:08:11 PM
to Wazuh mailing list
Hello to all, guys,
I've implemented everything, and the code works, but when I arrive at the step to "test" the script I don't understand what I need to know. Anyway, my problem is that I can't see any logs in Wazuh; where should I find them?

Thanks

Borja Arroba

Apr 27, 2020, 4:53:26 AM
to Wazuh mailing list

Hi Nicolas Pasquarè,

You can enable the debug option and see the events that are sent to the manager to process the alerts; the events are sent in the following format:

Sending <message> to /var/ossec/queue/ossec/queue socket.

If you don’t see any such message the module is not getting Azure’s account information correctly.


In a second step, you can search the events in the Wazuh manager by activating the 'logall' option in the ossec.conf.

/var/ossec/etc/ossec.conf

<logall>yes</logall>
<logall_json>yes</logall_json> (for JSON format)

This option enables the registration of all events received by the manager in /var/ossec/logs/archives/archives.log or archives.json.


Finally, if the events are arriving at the manager correctly, they must be decoded (with the JSON decoder by default) and generate the alerts with the rules created in the blog post:

<group name="office_365,">
  <rule id="100002" level="5">
    <location>office_365</location>
    <description>$(office_365.Workload) $(office_365.Operation) operation.</description>
    <options>no_full_log</options>
  </rule>
</group>

In the file /var/ossec/logs/alert/alert.json or alert.log you should see the generated alerts.


You can further customize the rules according to your needs by following these steps in our documentation:

https://documentation.wazuh.com/3.12/user-manual/ruleset/custom.html?highlight=custom%20rules#custom-rules-and-decoders

You can get more information about Azure monitoring in our documentation:
https://documentation.wazuh.com/3.12/azure/index.html

I hope it’s helpful.
Best regards.

Stock, Christoph

May 11, 2020, 5:17:29 AM
to Wazuh mailing list, Borja Arroba, Barilich, Christopher

Hello all,

thanks for providing the Office 365 script.

We configured the script and the connection, and the transfer from Office 365 is working properly.

Within the Kibana dashboard we can only see some "meta information", as you can see in the screenshot below.

After following your debugging guide (below) we found all data within /var/ossec/logs/alerts.log but just the aggregated "meta information" in /var/ossec/logs/alerts.json.

So we think that delivery of all information from the cloud is working, but Wazuh seems not to understand the JSON format.

Do you have any idea how we can get all information into Wazuh, either by switching from JSON to log or by changing parameters to properly read out the JSON?

Screenshot from /var/ossec/logs/alerts/alerts.json

Best regards
Ing. Christoph Stock, CISM

IT Security
Grazer Wechselseitige Versicherung AG


Stock, Christoph

May 15, 2020, 1:45:17 AM
to Wazuh mailing list

Hi,

Any news on this?

Kpex

Jul 30, 2020, 11:48:48 AM
to Wazuh mailing list
I confirm that it now works.

But the fields are not indexed; are you already working on the updated template in Filebeat?

Thanks

Borja Arroba

Aug 4, 2020, 3:26:50 AM
to Wazuh mailing list

Hi Christoph Stock,

Sorry for the late response.

If I have understood correctly, the problem is that the alerts that appear in the file alerts.json are incomplete, while in alerts.log all the fields appear correctly.

If so, the problem is not that they are not being indexed correctly, since the fields are not found in alerts.json, which is the source of information.

So, to see why the fields appear correctly only in the .log, we would need some information:

  • The rule with which the alerts are being generated.
  • The complete event that is shown in the archives.log file in the /var/ossec/logs/archives folder.
  • And finally, the two alerts to compare the missing fields. The one generated in the alerts.log and the one generated in the alerts.json.

Regards.
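One way to prepare the alerts.json side of the comparison Borja asks for, as an added example that is not part of this thread or of Wazuh's own tooling: a small Python script that reads alerts.json line by line, collects every dotted field path present in alerts from rule 100002, and reports which expected Office 365 fields are absent. The two sample lines are constructed, and the data.office_365 nesting and the field names (Workload, Operation, UserId) are assumptions.

```python
import json

# Constructed sample lines in the shape of /var/ossec/logs/alerts/alerts.json
# (one JSON object per line). The first alert carries decoded Office 365 fields
# under "data.office_365" (assumed nesting); the second carries only alert
# metadata, which is the symptom described in the thread.
SAMPLE_ALERTS_JSON = """\
{"timestamp":"2020-05-11T09:00:00.000+0200","rule":{"level":5,"description":"Exchange UserLoggedIn operation.","id":"100002","groups":["office_365"]},"agent":{"id":"000","name":"manager"},"location":"office_365","data":{"office_365":{"Workload":"Exchange","Operation":"UserLoggedIn","UserId":"user@example.com","ResultStatus":"Succeeded"}}}
{"timestamp":"2020-05-11T09:00:01.000+0200","rule":{"level":5,"description":"$(office_365.Workload) $(office_365.Operation) operation.","id":"100002","groups":["office_365"]},"agent":{"id":"000","name":"manager"},"location":"office_365"}
"""

# Assumed field paths to check for; adjust to the fields your rule references.
EXPECTED_FIELDS = ["data.office_365.Workload", "data.office_365.Operation",
                   "data.office_365.UserId"]


def flatten(obj, prefix=""):
    """Return the set of dotted key paths present in a nested JSON object.
    Lists are treated as leaves (e.g. rule.groups)."""
    paths = set()
    if isinstance(obj, dict):
        for key, value in obj.items():
            paths |= flatten(value, f"{prefix}{key}.")
    else:
        paths.add(prefix.rstrip("."))
    return paths


def audit_alerts(lines, rule_id, expected):
    """For each alert fired by rule_id, list the expected fields that are absent
    and flag descriptions that still contain unresolved $(...) placeholders."""
    report = []
    for number, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            alert = json.loads(line)
        except json.JSONDecodeError as exc:
            report.append({"line": number, "error": f"invalid JSON: {exc.msg}"})
            continue
        rule = alert.get("rule", {})
        if rule.get("id") != rule_id:
            continue
        present = flatten(alert)
        report.append({
            "line": number,
            "missing": sorted(f for f in expected if f not in present),
            "unresolved_description": "$(" in rule.get("description", ""),
        })
    return report


if __name__ == "__main__":
    for entry in audit_alerts(SAMPLE_ALERTS_JSON.splitlines(), "100002", EXPECTED_FIELDS):
        print(entry)
```

Run it against the real file with `audit_alerts(open("/var/ossec/logs/alerts/alerts.json"), "100002", EXPECTED_FIELDS)`; any alert listed with missing fields is the one to set beside its alerts.log counterpart and the archives.log event.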

Kpex

Aug 4, 2020, 9:03:18 AM
to Wazuh mailing list
Hi Borja,
do you have a new version of wazuh-template.json ( https://raw.githubusercontent.com/wazuh/wazuh/v3.13.1/extensions/elasticsearch/7.x/wazuh-template.json ) with fields for Office 365?

Thanks

Vlad Petrescu

Sep 2, 2020, 7:32:15 AM
to Wazuh mailing list
Hi,
The template containing the o365 fields is something useful and I'm also interested in updates on this.
