Duplicated Office 365 Logs


Joduter

Sep 4, 2023, 6:30:38 AM
to Wazuh | Mailing List
Hi,

I have a problem with Wazuh. Wazuh receives records from Office 365, and the problem comes with some duplicate login logs.


For example, a login to the Azure portal:

[Screenshot_19.png]

The same log in Wazuh:


As can be seen, Wazuh receives the duplicate log at two different times, but the creation date and the log ID are the same.

I would like to know if there is any way that these logs will not be duplicated.

The file /var/ossec/etc/ossec.conf is configured as follows:

<ossec_config>
  <office365>
    <enabled>yes</enabled>
    <interval>10m</interval>
    <curl_max_size>1M</curl_max_size>
    <only_future_events>yes</only_future_events>
    <api_auth>
        <tenant_id>********-****-****-****-***********d</tenant_id>
        <client_id>********-****-****-****-***********f</client_id>
        <client_secret>****************************************</client_secret>
    </api_auth>
    <subscriptions>
        <subscription>Audit.AzureActiveDirectory</subscription>
        <subscription>Audit.Exchange</subscription>
        <subscription>Audit.SharePoint</subscription>
        <subscription>Audit.General</subscription>
    </subscriptions>
  </office365>
...

Md. Nazmur Sakib

Sep 4, 2023, 8:05:37 AM
to Wazuh | Mailing List

Hi Joduter,

Hope you are doing well. Thank you for using Wazuh.

Your configuration looks fine to me. You can add a custom rule to tackle this issue. This rule means that if 91545 is triggered 2 times in 2 sec, the second time it will not trigger 91545 but rule 101545 instead. And as 101545 has level 0, it will not create any alert.


<group name="office365,">
    <rule id="101545" level="0" frequency="2" timeframe="2">
        <if_sid>91545</if_sid>
        <description>Ignoring duplicate log-in rule.</description>
    </rule>
</group>

Please make sure to add this to the custom decoder XML file.

Restart the manager after adding the rule for it to take effect.

systemctl restart wazuh-manager


To learn more about custom rules please check this document:

https://documentation.wazuh.com/current/user-manual/ruleset/custom.html

Also, you can check whether duplicate logs are sent to the Wazuh server with:

grep "KEYWORDS" /var/ossec/logs/alerts/alerts.log

grep "KEYWORDS" /var/ossec/logs/alerts/alerts.json


If you see duplicate alerts for the same log, you can change the configuration in your log source so that it does not forward the duplicate log to the Wazuh server. Or you can write custom rules to tackle the issue based on your needs.

I hope you find it helpful. Please let me know if you need any further help.


Regards

Md. Nazmur Sakib
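Grepping for a keyword only shows that a line appears twice; the check below goes one step further and groups alerts.json entries by the Office 365 event Id (the field the original poster saw repeating with an identical creation time), so that only true duplicates are reported. This is an added example, not code from the thread or from Wazuh; the nesting `data.office365.Id` and the sample alert lines are assumptions constructed for the demonstration.

```python
"""Find Office 365 events that Wazuh alerted on more than once in alerts.json."""
import json
from collections import defaultdict

# Constructed sample alerts.json lines: one Azure AD login delivered twice
# (same office365.Id and CreationTime, different Wazuh timestamps) and one
# unrelated login. The data.office365.* layout is an assumption.
SAMPLE_ALERTS = r'''
{"timestamp":"2023-09-04T06:10:01.000+0000","rule":{"id":"91545","level":3},"data":{"integration":"office365","office365":{"Id":"11111111-aaaa-bbbb-cccc-222222222222","CreationTime":"2023-09-04T06:09:30","Operation":"UserLoggedIn","UserId":"user@example.com"}}}
{"timestamp":"2023-09-04T06:20:02.000+0000","rule":{"id":"91545","level":3},"data":{"integration":"office365","office365":{"Id":"11111111-aaaa-bbbb-cccc-222222222222","CreationTime":"2023-09-04T06:09:30","Operation":"UserLoggedIn","UserId":"user@example.com"}}}
{"timestamp":"2023-09-04T06:20:05.000+0000","rule":{"id":"91545","level":3},"data":{"integration":"office365","office365":{"Id":"33333333-aaaa-bbbb-cccc-444444444444","CreationTime":"2023-09-04T06:19:50","Operation":"UserLoggedIn","UserId":"other@example.com"}}}
'''


def find_duplicates(lines):
    """Group alerts by Office 365 event Id.

    Returns {Id: [wazuh timestamps]} for every Id alerted on more than once,
    which is what the poster's screenshots showed (same Id, two alert times).
    """
    seen = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a partial line from a file still being written
        o365 = alert.get("data", {}).get("office365")
        if not o365 or "Id" not in o365:
            continue  # not an Office 365 alert
        seen[o365["Id"]].append(alert.get("timestamp"))
    return {eid: ts for eid, ts in seen.items() if len(ts) > 1}


def report(path="/var/ossec/logs/alerts/alerts.json"):
    """Print duplicated Office 365 event Ids from the manager's alerts.json."""
    with open(path) as fh:
        dups = find_duplicates(fh)
    for eid, ts in dups.items():
        print(f"{eid} alerted {len(ts)} times: {', '.join(ts)}")
    return dups


if __name__ == "__main__":
    report()
```

Run it on the manager after the module has polled a few times; an empty result means Wazuh is not alerting twice on the same event Id, and the duplication is elsewhere.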

Joduter

Sep 7, 2023, 4:56:31 AM
to Wazuh | Mailing List
Thanks for your answer.

I have been trying this rule, but it seems that logs of this kind no longer arrive at all, not just the duplicates.

Joduter

Sep 20, 2023, 3:57:56 AM
to Wazuh | Mailing List

Hello,

I need help.