Creating Custom rule to trigger events based on geolocation


sunil kumar

Apr 1, 2022, 7:02:00 AM
to Wazuh mailing list
Hi team,
I am looking for a solution that can trigger alerts if a user logs in to Office 365 from outside the United States.

I have attached a sample log below for an Office 365 event. The geo tagging part is working fine for the Office 365 user logged in events. I need to create alerts for the list of users who log in to O365 from somewhere other than the United States.

I created a CDB list with the United States as key and kept a rule that compares it with the GeoLocation.country field. But it failed to create alerts. (I think the CDB list can't be compared with the fields that are added from Wazuh Filebeat.)

Could someone help me with this? TIA. 


Sample Log: 
{"office_365":{"CreationTime":"2021-05-13T19:56:16","Id":"a0418ddb-35ac-47e4-b499-0d06ca331a00","Operation":"UserLoggedIn","OrganizationId":"0fea4e03-8146-453b-b889-54b4bd11565b","RecordType":15,"ResultStatus":"Success","UserKey":"a39dd957-d295-4548-b537-2055469bafbb","UserType":0,"Version":1,"Workload":"AzureActiveDirectory","ClientIP":"77.225.159.6","ObjectId":"797f4846-ba00-4fd7-ba43-dac1f8f63013","UserId":"alberto....@wazuh.com","AzureActiveDirectoryEventType":1,"ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"Success"},{"Name":"UserAgent","Value":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.128 Safari/537.36"},{"Name":"RequestType","Value":"OAuth2:Authorize"}],"ModifiedProperties":[],"Actor":[{"ID":"a39dd957-d295-4548-b537-2055469bafbb","Type":0},{"ID":"alberto....@wazuh.com","Type":5}],"ActorContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","ActorIpAddress":"77.225.159.6","InterSystemsId":"5f4be1e4-cfc4-4ee7-a9c8-a45656ae7e3f","IntraSystemId":"a0418ddb-35ac-47e4-b499-0d06ca331a00","SupportTicketId":"","Target":[{"ID":"797f4846-ba00-4fd7-ba43-dac1f8f63013","Type":0}],"TargetContextId":"0fea4e03-8146-453b-b889-54b4bd11565b","ApplicationId":"c44b4083-3bb0-49c1-b47d-974e53cbdf3c","DeviceProperties":[{"Name":"BrowserType","Value":"Chrome"},{"Name":"IsCompliantAndManaged","Value":"False"},{"Name":"SessionId","Value":"171b21f2-2b04-4ce9-9c26-4bbcc5edd782"}],"ErrorNumber":"0"}}

Custom Rule : 
<group name="office_365,">
  <rule id="100002" level="5">
    <!--location>office_365</location-->
    <description>$(office_365.Workload) $(office_365.Operation) operation.</description>
    <options>no_full_log</options>
  </rule>

  <rule id="100004" level="10">
    <decoded_as>json</decoded_as>
    <if_sid>100002</if_sid>
    <list field="GeoLocation.country_name" lookup="not_match_key">etc/lists/geo-USA</list>
    <description>Office_365: Unauthorised User Login from Non US location</description>
    <group>unauthorised_user</group>
  </rule>
</group>


Matias Pereyra

Apr 5, 2022, 6:03:32 PM
to Wazuh mailing list
Hi!

The GeoIP data is added to the events at a higher level of the stack, which is why you can see it in the final events but it can't be used to trigger alerts.

If you want to make the Wazuh manager capable of using the GeoIP data for alerts, it's necessary to compile the manager with the USE_GEOIP flag enabled (Available flags). Also, you have to download the GeoLite2 legacy database and convert it with the geolite2legacy tool.

The whole process is already described in this previous answer; don't hesitate to ask any question you have:


Regards.
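The ordering problem described in this answer, and the intent of the asker's rule 100004, can be modelled offline. The following is example code added to this thread, not Wazuh's code and not using any Wazuh API: it runs the two stages (GeoIP enrichment, then the `not_match_key` list lookup on `GeoLocation.country_name`) over a trimmed copy of the sample log line. The GeoIP table and the US allow list are constructed stand-ins for the GeoLite2 database and the `etc/lists/geo-USA` CDB list; the prefixes are illustrative, not real allocations. With `manager_has_geoip=False` the rule sees the raw event, exactly the situation the asker hit, and can never fire; it also shows that an absent field (for example a private client IP with no country) never matches, so such logins produce no alert.

```python
"""Offline model of GeoIP enrichment followed by rule evaluation.
Example code for this thread; not Wazuh's code and uses no Wazuh API."""
import ipaddress
import json

# Constructed sample log line, trimmed from the Office 365 UserLoggedIn event quoted above.
SAMPLE_LINE = json.dumps({
    "office_365": {
        "Operation": "UserLoggedIn",
        "Workload": "AzureActiveDirectory",
        "ResultStatus": "Success",
        "ClientIP": "77.225.159.6",
        "UserId": "alberto....@wazuh.com",
    }
})

# Constructed stand-in for a GeoIP database (prefix -> country). The prefixes are
# illustrative only, not real allocations; a real lookup uses the GeoLite2 database.
GEOIP_TABLE = [
    (ipaddress.ip_network("77.225.0.0/16"), "Spain"),
    (ipaddress.ip_network("45.10.0.0/16"), "United States"),
]

# Stand-in for the CDB list etc/lists/geo-USA. A CDB list holds one "key:value" per
# line, and lookup="not_match_key" fires when the field's value is NOT one of the keys.
ALLOWED_COUNTRIES = {"United States"}


def lookup_country(ip_text):
    """Return the country for a routable IP, or None when the address is invalid,
    private/reserved (no country to assign), or absent from the table."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    if not ip.is_global:
        return None
    for net, country in GEOIP_TABLE:
        if ip in net:
            return country
    return None


def enrich(event):
    """Stage 1: GeoIP enrichment. In the deployment discussed above this happens in
    Filebeat/Elasticsearch, after the manager has evaluated its rules; the manager
    itself only sees the field when it was built with GeoIP support."""
    enriched = dict(event)
    country = lookup_country(event.get("office_365", {}).get("ClientIP", ""))
    if country is not None:
        enriched["GeoLocation"] = {"country_name": country}
    return enriched


def rule_100004_matches(event):
    """Stage 2: the intent of rule 100004, a not_match_key lookup on
    GeoLocation.country_name. The Operation check is an assumption taken from the
    asker's wording ("user logged in events"). A lookup on an absent field never
    matches, so events without the field never alert."""
    if event.get("office_365", {}).get("Operation") != "UserLoggedIn":
        return False
    country = event.get("GeoLocation", {}).get("country_name")
    if country is None:
        return False
    return country not in ALLOWED_COUNTRIES


def evaluate(line, manager_has_geoip):
    """Run the stages in the order the thread describes. With manager_has_geoip=False
    the rule is evaluated against the raw event (the asker's situation)."""
    event = json.loads(line)
    if manager_has_geoip:
        event = enrich(event)
    return rule_100004_matches(event)


def login_line(client_ip):
    """Build a constructed UserLoggedIn line for the given client IP."""
    event = json.loads(SAMPLE_LINE)
    event["office_365"]["ClientIP"] = client_ip
    return json.dumps(event)


if __name__ == "__main__":
    for ip in ["77.225.159.6", "45.10.20.30", "10.0.0.5"]:
        verdict = "alert" if evaluate(login_line(ip), manager_has_geoip=True) else "no alert"
        print(ip, verdict)
```

The two `evaluate` modes make the answer's point concrete: the same rule and the same event give an alert only when enrichment runs before rule evaluation. The private-IP case is the caveat to remember once GeoIP is enabled on the manager: a `not_match_key` rule is silent for any event that lacks the field, so "not US" is not the same as "missing country".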