Wazuh - Office365 & Risky Sign-ins


joh nte

Jan 13, 2023, 4:03:41 AM
to Wazuh mailing list
Hi,

I'm using Wazuh 4.3.10 with the Office 365 module enabled, and I'm able to see all the events regarding user accounts, such as account modification, creation, etc., as well as events regarding email review, such as quarantined messages.

However, I notice that parameters are absent that would be very useful to me, namely those related to risky sign-ins.

Is the 365 module able to extract risky sign-ins from Azure?
That way I could identify, on the fly, whether a user is logging in (or attempting to log in) from an IP geolocated in an unusual location.

Currently, my Office 365 module has the following subscriptions:

        <subscription>Audit.AzureActiveDirectory</subscription>
        <subscription>Audit.General</subscription>
        <subscription>Audit.Exchange</subscription>
        <subscription>DLP.All</subscription>

And all of them seem to work as they should.
Unfortunately, I repeat, I do not seem to receive information regarding access, or access attempts, considered risky. Am I doing something wrong? Is it possible?

Thanks,

Joh

Marcel Kemp

Jan 16, 2023, 6:34:51 AM
to Wazuh mailing list
Hi Joh,

Currently, the events that we can monitor using the Office 365 audit log are listed at the following link:
- https://documentation.wazuh.com/current/office365/index.html

So, if the risky sign-in event can be collected with any of them, then by creating a rule we could generate an alert for it.
https://documentation.wazuh.com/current/user-manual/ruleset/custom.html

To do this, first, it is possible that by configuring the Audit.SharePoint subscription you get the remaining events, although they are related to the web-based collaboration platform.
Here is the list of possible subscriptions: https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/office365-module.html#subscriptions-subscription

Once we have the subscriptions that we want configured, we can view all the events that the manager receives by activating the logall_json option in the manager configuration.
> To activate archives on the Wazuh manager, edit the file /var/ossec/etc/ossec.conf and set the logall_json option to yes:
   <logall_json>yes</logall_json>
> and restart the Wazuh manager:
   systemctl restart wazuh-manager

This way you will receive all the events in the archives.json file, and you will be able to check whether any of those events can be used to monitor those risky sign-ins.
> To filter by event, you can view the messages by applying the following filter:
    grep -iE "office|365" /var/ossec/logs/archives/archives.json
> Once completed, set logall_json back to no in /var/ossec/etc/ossec.conf and restart the manager again (this will prevent the file from growing in size).

And finally, regarding the use of geolocation in alerts, keep in mind that the manager needs to be compiled with the USE_GEOIP flag enabled to support GeoIP.

I hope this helps you.
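
The triage step in the reply above (turn on logall_json, then read archives.json to see what the Office 365 module actually delivers) is worth doing with something more systematic than grep, since the interesting data may sit several levels deep in the record. The script below is an added example, not part of this thread or of the Wazuh project. It assumes archives.json holds one JSON document per line and that the Office 365 module stores the raw audit record under data.office365 (both assumptions, as is the sample, which is constructed to resemble Azure AD UserLoggedIn / UserLoginFailed and an Exchange record, and is not a real capture). It inventories every Workload/Operation pair with the field paths each one carries, searches paths and values for a pattern such as "risk", and pulls out the user / client IP / outcome triples an unusual-location rule would need.

```python
"""Triage Office 365 events from Wazuh's archives.json.

Added example; not code from the mailing-list thread or the Wazuh project.
Assumptions: archives.json is one JSON document per line, and the Office 365
module keeps the raw audit record under data.office365. SAMPLE_ARCHIVES is a
constructed sample (field names follow the Office 365 audit schema, values are
invented) and stands in for the real file when no path is given.
"""
import json
import re
import sys
from collections import defaultdict

SAMPLE_ARCHIVES = r"""
{"timestamp":"2023-01-13T09:03:41.000+0000","agent":{"id":"000","name":"wazuh-manager"},"decoder":{"name":"json"},"data":{"integration":"office365","office365":{"CreationTime":"2023-01-13T08:59:12","Operation":"UserLoggedIn","Workload":"AzureActiveDirectory","UserId":"joh@example.com","ClientIP":"203.0.113.10","ResultStatus":"Success","ExtendedProperties":[{"Name":"RequestType","Value":"OAuth2:Authorize"},{"Name":"ResultStatusDetail","Value":"Success"}]}},"location":"office365"}
{"timestamp":"2023-01-13T09:04:02.000+0000","agent":{"id":"000","name":"wazuh-manager"},"decoder":{"name":"json"},"data":{"integration":"office365","office365":{"CreationTime":"2023-01-13T09:00:44","Operation":"UserLoginFailed","Workload":"AzureActiveDirectory","UserId":"joh@example.com","ClientIP":"198.51.100.7","ResultStatus":"Failed","LogonError":"InvalidUserNameOrPassword"}},"location":"office365"}
{"timestamp":"2023-01-13T09:05:30.000+0000","agent":{"id":"000","name":"wazuh-manager"},"decoder":{"name":"json"},"data":{"integration":"office365","office365":{"CreationTime":"2023-01-13T09:01:05","Operation":"QuarantineView","Workload":"Exchange","UserId":"admin@example.com","ClientIP":"203.0.113.10","ResultStatus":"Succeeded"}},"location":"office365"}
{"timestamp":"2023-01-13T09:06:00.000+0000","agent":{"id":"001","name":"web01"},"decoder":{"name":"sshd"},"full_log":"Jan 13 09:05:59 web01 sshd[1234]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2","location":"/var/log/auth.log"}
"""


def load_office365_events(text):
    """Return the data.office365 objects found in archives.json text, skipping other sources."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            doc = json.loads(line)
        except json.JSONDecodeError:
            continue  # archives.json is written live; a torn final line is normal
        record = doc.get("data", {}).get("office365")
        if isinstance(record, dict):
            events.append(record)
    return events


def flatten(obj, prefix=""):
    """Yield (dotted.path, leaf value) pairs, descending into dicts and lists (list index becomes a path component)."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from flatten(val, f"{prefix}{key}.")
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            yield from flatten(val, f"{prefix}{idx}.")
    else:
        yield prefix.rstrip("."), obj


def inventory(events):
    """Map 'Workload/Operation' to the sorted field paths seen for it, so each event type's content is visible at a glance."""
    seen = defaultdict(set)
    for ev in events:
        key = f"{ev.get('Workload', '?')}/{ev.get('Operation', '?')}"
        for path, _ in flatten(ev):
            seen[key].add(path)
    return {k: sorted(v) for k, v in seen.items()}


def find_fields(events, pattern):
    """Return {path: [values]} for every leaf whose path or value matches the case-insensitive regex (e.g. 'risk')."""
    rx = re.compile(pattern, re.IGNORECASE)
    hits = defaultdict(list)
    for ev in events:
        for path, value in flatten(ev):
            if rx.search(path) or rx.search(str(value)):
                hits[path].append(value)
    return dict(hits)


def sign_in_attempts(events):
    """Extract (user, client IP, outcome) from Azure AD logon records: the inputs a geolocation rule would key on."""
    logon_ops = ("UserLoggedIn", "UserLoginFailed")
    return [
        (ev.get("UserId"), ev.get("ClientIP"), ev.get("ResultStatus"))
        for ev in events
        if ev.get("Workload") == "AzureActiveDirectory" and ev.get("Operation") in logon_ops
    ]


if __name__ == "__main__":
    # Usage: python triage.py /var/ossec/logs/archives/archives.json  (no argument: built-in sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_ARCHIVES
    events = load_office365_events(text)
    for key, fields in sorted(inventory(events).items()):
        print(f"{key}: {', '.join(fields)}")
    print("fields matching 'risk':", find_fields(events, r"risk") or "none")
    print("sign-in attempts (user, ip, result):", sign_in_attempts(events))
```

Run it against the real archives.json while logall_json is on; if find_fields with "risk" comes back empty across a representative window of Azure AD events, the subscriptions configured in the first post are not delivering that attribute and the rule will have to be built on what the logon records do carry (user, client IP, result), with GeoIP as the reply notes.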
