Office 365 Module filtering


Paul

Aug 28, 2023, 12:42:31 PM
to Wazuh | Mailing List
Hi,

I'm a new user to Wazuh and I've just started using Wazuh to monitor my Office 365 events. I am having issues when filtering events and would be grateful for any assistance or advice.

I'm in the Office 365 module and I click Events
I add a filter of: data.office365.subscription is Audit.AzureActiveDirectory

I can now see my filtered AzureActiveDirectory log. I am focusing on data.office365.operation and data.office365.userid

I can see the list of users that have UserLoggedIn and I want to drill down on one user in particular.

I can see that joe.b...@contoso.com has multiple UserLoggedIn among all the other users and I want to filter to see joe.b...@contoso.com

I then add another filter for data.office365.UserID is joe.b...@contoso.com

I then receive: No results match your search criteria

I don't understand why I am receiving no results, as they are clearly there before I add the user filter.

Many thanks in advance,
Paul


Eduardo Leon Aldazoro

Aug 28, 2023, 1:13:50 PM
to Wazuh | Mailing List

Hi Paul,

To troubleshoot this issue, follow these steps:

  1. Verify that the filter syntax you are using is correct. Double-check the spelling and ensure that there are no typos or missing characters.

  2. Check if the data.office365.subscription field is correctly populated for the events you are trying to filter. It's possible that the events you are expecting to see do not have the 'Audit.AzureActiveDirectory' value in the data.office365.subscription field.

  3. Ensure that the data.office365.UserID field is correctly populated for the events related to the ID you want to filter. It's possible that there is a discrepancy in the data or that the field is not populated as expected.

  4. Verify that the events you are trying to filter are within the time range you have specified. It's possible that the events you are looking for occurred outside the specified time range.

If the issue persists after following these steps, please provide the version of Wazuh you are using.

Paul

Aug 28, 2023, 5:28:41 PM
to Wazuh | Mailing List
Hi Eduardo,

Thank you for getting back to me so quickly. It looked like the field data.office365.UserID was auto-populating the user's ID starting with a lower-case letter, and the addresses started with an upper-case letter. It was case sensitivity that was throwing my results.

Many Thanks
Paul
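The case-sensitivity mismatch Paul describes, as an added example that is not part of the thread or of Wazuh's own code: it mimics an exact keyword filter over constructed Office 365 events to show why the user filter misses, and builds the equivalent OpenSearch-style `term` query with `case_insensitive` set (the Wazuh indexer is OpenSearch-based, and OpenSearch's `term` query accepts that option). The field names are taken as written in the thread and are an assumption; check their exact casing in your own index mapping.

```python
import json

# Field names as written in the thread (assumption: check their exact casing in your mapping).
SUBSCRIPTION_FIELD = "data.office365.subscription"
USER_FIELD = "data.office365.UserID"

# Constructed sample events shaped like Wazuh indexer documents; note the user ID letter case.
EVENTS = [
    {"data": {"office365": {"subscription": "Audit.AzureActiveDirectory",
                            "operation": "UserLoggedIn", "UserID": "alice@example.com"}}},
    {"data": {"office365": {"subscription": "Audit.AzureActiveDirectory",
                            "operation": "UserLoggedIn", "UserID": "Alice@example.com"}}},
    {"data": {"office365": {"subscription": "Audit.Exchange",
                            "operation": "MailItemsAccessed", "UserID": "alice@example.com"}}},
]

def get_field(event, dotted):
    """Walk a dotted field path (e.g. data.office365.UserID) through the nested event dict."""
    node = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def keyword_filter(events, field, value, case_insensitive=False):
    """Mimic an 'is' filter on a keyword field: exact, case-sensitive match unless told otherwise."""
    def matches(found):
        if not isinstance(found, str):
            return False
        return found.casefold() == value.casefold() if case_insensitive else found == value
    return [e for e in events if matches(get_field(e, field))]

def drill_down(events, user, case_insensitive=False):
    """Paul's sequence: filter on the subscription first, then on the user ID."""
    aad = keyword_filter(events, SUBSCRIPTION_FIELD, "Audit.AzureActiveDirectory")
    return keyword_filter(aad, USER_FIELD, user, case_insensitive)

def term_query(field, value, case_insensitive=False):
    """Equivalent OpenSearch 'term' query body; 'case_insensitive' on term queries
    exists in OpenSearch (and Elasticsearch 7.10+), so the indexer does the folding."""
    return {"query": {"term": {field: {"value": value, "case_insensitive": case_insensitive}}}}

if __name__ == "__main__":
    for ci in (False, True):
        hits = drill_down(EVENTS, "alice@example.com", case_insensitive=ci)
        print(f"case_insensitive={ci}: {len(hits)} UserLoggedIn event(s)")
    print(json.dumps(term_query(USER_FIELD, "alice@example.com", True), indent=2))
```

Running it shows one hit with the exact match (the Exchange event is excluded by the subscription filter) and two once case is folded, which is the difference Paul saw in the dashboard.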