M365 Alerting


M Jones

Apr 21, 2026, 9:29:21 AM (6 days ago) Apr 21
to Wazuh | Mailing List
In Wazuh, is there any way to create specific rulesets on M365 for specific scenarios? For example, I want a rule to trigger for users where country_name is not United Kingdom. I'm not sure if it's possible, as it gets GeoIP data at the alerting level, so I'm unsure if you can re-alert on this?

Any ideas or help would be great,

juan.c...@wazuh.com

Apr 21, 2026, 10:26:48 AM (6 days ago) Apr 21
to Wazuh | Mailing List
Hi M Jones,
Yes, this is possible. GeoIP data should be inserted before rule matching, so you can do something like:
```
<group name="local,">
  <!-- Alert on M365 sign-in events whose GeoIP country is present and is not the UK -->
  <rule id="100202" level="10">
    <if_group>microsoft365</if_group>
    <field name="data.office365.Operation">UserLoggedIn|UserLoginFailed</field>
    <!-- negate: match any country_name other than United Kingdom -->
    <field name="data.geoip.country_name" negate="yes">United Kingdom</field>
    <!-- \.+ (one or more of any character) requires country_name to be present at all -->
    <field name="data.geoip.country_name">\.+</field>
    <description>M365 login from outside UK: $(data.office365.UserId) from $(data.geoip.country_name) ($(data.geoip.city_name))</description>
  </rule>
</group>
```

The `negate` part would match on logins outside the UK, and the `\.+` field would make sure that the rule only matches when the event contains a country_name.

Are you not seeing the geoip data when creating rules?
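To see how the two `country_name` checks in the rule above interact, here is an added example (not code from the thread, and not Wazuh's rule engine) that applies the rule's `<field>` checks to a few constructed M365 events. It assumes the semantics the reply describes: a negated check succeeds whenever there is no positive match, so on its own it would also fire when the field is absent, and the `\.+` presence check (written `.+` here, since `\.` is "any character" in Wazuh regex) is what prevents that. The `evaluate`, `field_check` and `lookup` helpers and the sample events are all constructed for this illustration.

```python
import re

# Added example, not Wazuh's analysisd: a small matcher that applies the
# <field> checks of the posted rule to constructed M365 events.
# Assumption: a negated <field> check is modelled as "no positive match",
# so it also succeeds when the field is absent; the ".+" presence check
# (the rule's "\.+") is what closes that gap.

RULE = {
    "id": "100202",
    "level": 10,
    # (field path, regex, negate) in the order they appear in the rule
    "fields": [
        ("data.office365.Operation", r"UserLoggedIn|UserLoginFailed", False),
        ("data.geoip.country_name", r"United Kingdom", True),
        ("data.geoip.country_name", r".+", False),
    ],
    "description": (
        "M365 login from outside UK: $(data.office365.UserId) "
        "from $(data.geoip.country_name) ($(data.geoip.city_name))"
    ),
}


def lookup(event, path):
    """Walk a dotted path such as data.geoip.country_name; None if absent."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def field_check(event, path, pattern, negate):
    """One <field> element: regex on the field value, optionally negated."""
    value = lookup(event, path)
    hit = value is not None and re.search(pattern, str(value)) is not None
    return (not hit) if negate else hit


def expand(template, event):
    """Fill $(field) placeholders in the description with event values."""
    return re.sub(
        r"\$\(([^)]+)\)",
        lambda m: str(lookup(event, m.group(1)) or "?"),
        template,
    )


def evaluate(event, rule=RULE, presence_check=True):
    """Return the alert description if every <field> check passes, else None.

    presence_check=False drops the trailing ".+" check to show its effect.
    """
    checks = rule["fields"] if presence_check else rule["fields"][:-1]
    if all(field_check(event, p, rx, neg) for p, rx, neg in checks):
        return expand(rule["description"], event)
    return None


# Constructed sample events, shaped like the fields the rule references.
LOGIN_UK = {"data": {"office365": {"Operation": "UserLoggedIn", "UserId": "alice@example.com"},
                     "geoip": {"country_name": "United Kingdom", "city_name": "London"}}}
LOGIN_DE = {"data": {"office365": {"Operation": "UserLoginFailed", "UserId": "alice@example.com"},
                     "geoip": {"country_name": "Germany", "city_name": "Berlin"}}}
LOGIN_NOGEO = {"data": {"office365": {"Operation": "UserLoggedIn", "UserId": "bob@example.com"}}}
FILE_OP = {"data": {"office365": {"Operation": "FileAccessed", "UserId": "bob@example.com"},
                    "geoip": {"country_name": "France", "city_name": "Paris"}}}

if __name__ == "__main__":
    for name, ev in [("UK login", LOGIN_UK), ("DE login", LOGIN_DE),
                     ("no geoip", LOGIN_NOGEO), ("file op", FILE_OP)]:
        print(f"{name:9s} -> {evaluate(ev)}")
    # Without the presence check, a login with no GeoIP data would alert too:
    print("no geoip, no presence check ->", evaluate(LOGIN_NOGEO, presence_check=False))
```

Only the German sign-in produces an alert; the UK sign-in fails the negated check, the file operation fails the `Operation` check, and the event with no GeoIP data fails the presence check. Running `evaluate(LOGIN_NOGEO, presence_check=False)` shows the false positive the `\.+` check is guarding against.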
