Office 365 monitors failing


David Brindley

Oct 30, 2024, 1:33:01 PM
to Wazuh | Mailing List
Hi All,

I'm working on getting 365 logs ingested into Wazuh from an agent. I used the below process to configure the app registration and the Wazuh agent. I kept getting errors when I tried running the PS script saying it's a potentially dangerous request. The guide made it sound like it was more to identify what logs could be ingested so I'm not sure if it's necessary or the cause of my problem. Below is also my agent config and the errors I'm seeing in the agent log. I have other Wazuh agents forwarding logs for other 365 tenants successfully and I'm not using the actual Wazuh server for any of it so I assume the issue is with the agent or this 365 tenant, but do not know where to look from here. I also confirmed that unified audit is enabled for the tenant based on looking through historical cases in the mailing list. 


<!-- XDR Sensors -->
<office365>
    <enabled>yes</enabled>
    <interval>1m</interval>
    <curl_max_size>1M</curl_max_size>
    <only_future_events>yes</only_future_events>
    <api_auth>
        <tenant_id>******************************************</tenant_id>
        <client_id>*******************************************</client_id>
        <client_secret>***************************************</client_secret>
    </api_auth>
    <subscriptions>
        <subscription>Audit.AzureActiveDirectory</subscription>
        <subscription>Audit.Exchange</subscription>
        <subscription>Audit.General</subscription>
        <subscription>DLP.All</subscription>
    </subscriptions>
</office365>

Wazuh Agent Logs

2024/10/29 16:35:45 wazuh-modulesd:office365: INFO: Module Office365 started.
2024/10/29 16:38:45 wazuh-modulesd:office365: WARNING: Sending Office365 internal message: '{"integration":"office365","office365":{"actor":"wazuh","tenant_id":"***************************","response":"Unknown error"}}'

Thanks,
David Brindley

juancarl...@wazuh.com

Nov 1, 2024, 1:28:14 AM
to Wazuh | Mailing List
Hi David,

Could you please provide a screenshot of how you're running the PowerShell script? Make sure to obscure any sensitive information before sharing.

Verify Configuration:
Double-check your Office 365 module configuration against the [Wazuh documentation](https://documentation.wazuh.com/current/cloud-security/office365/monitoring-office365-activity.html). Ensure all necessary parameters are correctly set.

I recommend you set the verbosity level of the Windows module to "2" on the agent side, in the local_internal_options file, so that the errors are logged in more detail. You can follow the documentation for this,
or simply follow these steps:

In Windows you should go to C:\Program Files (x86)\ossec-agent\local_internal_options, and add the following line: `windows.debug=2`

After saving the updated file, restart the Wazuh agent on that Windows server so that it picks up the new configuration.
Once you provide the screenshot and verify these settings, we'll better understand the issue and can take further steps to resolve it.

Best regards,
Juan Carlos Amiune

David Brindley

Nov 1, 2024, 1:18:49 PM
to Wazuh | Mailing List
Hi Juan,

I updated the log settings, so I'll wait till Monday to see if that provides any new details. In the meantime, I realized I had misconfigured the "Invoke-RestMethod" command. I removed the start and end date variables and was able to run the command to pull information for Audit.AzureActiveDirectory and Audit.Exchange as tests. The "Get <CONTENT_URI>" command in PowerShell, with the URI link from the last command, failed though, saying the term "GET" is not a recognized cmdlet.

Thank you,
David Brindley

David Brindley

Nov 4, 2024, 3:32:25 PM
to Wazuh | Mailing List
Hi Juan,

I checked the logs again today, and found the below errors related to the 365 module. 

2024/11/03 00:00:36 wazuh-modulesd:office365[16972] wm_office365.c:320 at wm_office365_execute_scan(): DEBUG: Scanning tenant: '*************************************'
2024/11/03 00:00:36 wazuh-modulesd:office365[16972] wm_office365.c:554 at wm_office365_get_access_token(): DEBUG: Office 365 API access token URL: 'https://login.microsoftonline.com/******************************/oauth2/v2.0/token'
2024/11/03 00:00:36 wazuh-agent[16972] url.c:525 at wurl_http_request(): DEBUG: curl_easy_perform() failed: SSL connect error
2024/11/03 00:00:36 wazuh-modulesd:office365[16972] wm_office365.c:585 at wm_office365_get_access_token(): DEBUG: Unknown error while getting access token.

Thank You,
David Brindley

juancarl...@wazuh.com

Nov 11, 2024, 11:20:03 PM
to Wazuh | Mailing List

Hello David,

Thank you for the update and additional information.

The error curl_easy_perform() failed: SSL connect error suggests an SSL/TLS handshake issue between your agent and the Microsoft API. Here are a few troubleshooting steps that may help:
Verify Network Access:
Confirm that your agent can reach the Microsoft login URL: https://login.microsoftonline.com/******************************/oauth2/v2.0/token
Check if there are any firewalls or network restrictions that could block this connection.

Update Curl and Certificates:
Ensure that your Wazuh agent's curl version is up-to-date and that it supports the necessary SSL/TLS protocols.
Confirm that the certificate authorities on the agent include Microsoft’s SSL.

Regarding the "Get <CONTENT_URI>" step, you can use either Invoke-RestMethod or Invoke-WebRequest to make HTTP GET requests directly.

Here’s an example of the syntax you could use:
Invoke-RestMethod -Uri "<CONTENT_URI>" -Method Get

Be sure to replace <CONTENT_URI> with the actual URI you’re trying to pull information from. This should help retrieve the information as expected.

Please let me know if this resolves the issue or if there’s anything further I can assist with.

Best regards,
Juan Carlos Amiune
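As an added example (not code from the thread, and not Wazuh's own tooling), the checks Juan describes above, written in PowerShell to run on the agent host: a TLS handshake to login.microsoftonline.com that shows which CA actually issued the certificate (a corporate proxy CA there means TLS inspection is in the path and the agent's curl must trust it), then the client-credentials token request the office365 module makes, and finally the content pull, including the "Get <CONTENT_URI>" step with the bearer token it requires. The Management Activity API paths and the scope https://manage.office.com/.default are taken from Microsoft's public API documentation, not from the thread; tenant ID, client ID and secret are placeholders.

```powershell
# Added example, not from the thread or from Wazuh. Fill in the placeholders before running.
$TenantId     = '<tenant_id>'
$ClientId     = '<client_id>'
$ClientSecret = '<client_secret>'
$LoginHost    = 'login.microsoftonline.com'
$TokenUrl     = "https://$LoginHost/$TenantId/oauth2/v2.0/token"
# Assumption: Management Activity API base path and scope, per Microsoft's public docs.
$FeedUrl      = "https://manage.office.com/api/v1.0/$TenantId/activity/feed"
$Scope        = 'https://manage.office.com/.default'

# Windows PowerShell 5.1 defaults to TLS 1.0/1.1; Microsoft endpoints require TLS 1.2.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# 1. TLS handshake with .NET instead of the agent's bundled curl. If this succeeds while
#    the agent still logs "SSL connect error", the fault is in the agent's curl or CA
#    bundle rather than the network. An issuer that is not a public CA means a
#    TLS-inspecting proxy sits in the path and its CA must be trusted by the agent.
$tcp = New-Object System.Net.Sockets.TcpClient($LoginHost, 443)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
try {
    $ssl.AuthenticateAsClient($LoginHost)
    'TLS {0}, cipher {1}, cert issuer: {2}' -f $ssl.SslProtocol, $ssl.CipherAlgorithm, $ssl.RemoteCertificate.Issuer
} finally {
    $ssl.Dispose(); $tcp.Dispose()
}

# 2. Client-credentials token request: the same POST the office365 module performs.
$tokenBody = @{
    grant_type    = 'client_credentials'
    client_id     = $ClientId
    client_secret = $ClientSecret
    scope         = $Scope
}
try {
    $token = Invoke-RestMethod -Uri $TokenUrl -Method Post -Body $tokenBody `
                               -ContentType 'application/x-www-form-urlencoded'
} catch {
    # The AADSTS code in the response body separates a bad secret, a missing API
    # permission or a wrong tenant from a transport-level failure.
    throw "Token request failed: $($_.Exception.Message) $($_.ErrorDetails.Message)"
}
$headers = @{ Authorization = "Bearer $($token.access_token)" }

# 3. Confirm which subscriptions are actually enabled for this tenant.
$subs = Invoke-RestMethod -Uri "$FeedUrl/subscriptions/list" -Headers $headers -Method Get
$subs | Format-Table contentType, status -AutoSize

# 4. List available content blobs and fetch the first few. This is the "Get <CONTENT_URI>"
#    step: it is a plain GET that needs the same Authorization header as the calls above.
$blobs = Invoke-RestMethod -Uri "$FeedUrl/subscriptions/content?contentType=Audit.AzureActiveDirectory" `
                           -Headers $headers -Method Get
foreach ($blob in @($blobs) | Select-Object -First 3) {
    $events = Invoke-RestMethod -Uri $blob.contentUri -Headers $headers -Method Get
    '{0}: {1} events, first operation: {2}' -f $blob.contentId, @($events).Count, @($events)[0].Operation
}
```

Run it on the agent host itself, since proxy and firewall rules can differ per machine. A handshake that succeeds here with a non-Microsoft issuer, combined with the agent's "SSL connect error", points at the agent's curl not trusting the inspecting CA; a handshake that fails here too points at the network path.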

