Multiple Office365 logins from different IPs in a small time range


Giovanni

Nov 13, 2024, 11:13:52 AM
to Wazuh | Mailing List
Hi,
I am trying to create a rule that alerts me if an Office365 account logs in multiple times from different IPs within 10 minutes.
This would be used to identify, for example, whether an account might be compromised.
I have created these two rules in local_rules.xml, more or less following the official guide, but it would seem that the events don't get created, so I'm probably misconfiguring something. Could anyone tell me where I'm going wrong and how to fix it?

 <rule id="100034" level="14" frequency="2" timeframe="600">
   <if_matched_sid>91545</if_matched_sid> <!-- Office 365: Secure Token Service (STS) logon events in Azure Active Directory. -->
   <same_field>data.office365.UserId</same_field>
   <group>authentication, multiple_auth, multiple_auth_office365</group>
   <description>Multiple Office365 Logins</description>
 </rule>


 <rule id="100035" level="14" frequency="2" timeframe="600">
   <if_matched_sid>100034</if_matched_sid> <!-- Office 365: Secure Token Service (STS) logon events in Azure Active Directory. -->
   <different_field>data.office365.ClientIP</different_field>
   <group>authentication, multiple_auth, multiple_auth_office365</group>
   <description>Multiple Office365 Logins from different IPs</description>
 </rule>

Thanks, 
Giovanni

Isaiah Daboh

Nov 13, 2024, 11:54:23 AM
to Wazuh | Mailing List
Hello,

I am taking a look at this and will revert shortly.

Regards,

Isaiah Daboh

Nov 13, 2024, 12:12:07 PM
to Wazuh | Mailing List
Hi Giovanni,


To start with, we need to confirm that rule ID 91545 triggers, as it is a prerequisite for the child rules.

Could you please enable log archiving temporarily (it consumes disk space) and share a sample rule ID 91545 log with me?

To enable full logs:

1. Edit the Wazuh manager configuration file /var/ossec/etc/ossec.conf and set the value of the fields below to yes.

    <ossec_config>
      <global>
        <jsonout_output>yes</jsonout_output>
        <alerts_log>yes</alerts_log>
        <logall>yes</logall>
        <logall_json>yes</logall_json>
      </global>
      ...
    </ossec_config>

2. Restart the Wazuh manager to apply the configuration changes:

    sudo systemctl restart wazuh-manager


Please share the events related to rule ID 91545 from /var/ossec/logs/archives/archives.json here.


Note: Kindly replace sensitive information (credentials, account IDs, tenant ID, etc.) with similar random strings.

Giovanni

Nov 18, 2024, 7:07:21 AM
to Wazuh | Mailing List
Hi Isaiah,
here are the logs:

cat /var/ossec/logs/archives/archives.json | grep '"id":"91545"' | grep "XXXXXX"
{"timestamp":"2024-11-18T12:47:21.611+0100","rule":{"level":3,"description":"Office 365: Secure Token Service (STS) logon events in Azure Active Directory.","id":"91545","firedtimes":264,"mail":false,"groups":["office365","AzureActiveDirectoryStsLogon"],"hipaa":["164.312.a.2.I","164.312.b","164.312.d","164.312.e.2.II"],"pci_dss":["8.3","10.6.1"]},"agent":{"id":"000","name":"Monitoring"},"manager":{"name":"Monitoring"},"id":"1731930441.4549643809","full_log":"{\"integration\":\"office365\",\"office365\":{\"CreationTime\":\"2024-11-18T11:42:25\",\"Id\":\"6bd8f98f-1042-48f6-81ff-c67d9e850800\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"TENANTID\",\"RecordType\":15,\"ResultStatus\":\"Success\",\"UserKey\":\"UserKey\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\",\"ClientIP\":\"IPADDRESS1\",\"ObjectId\":\"4765445b-32c6-49b0-83e6-1d93765276ca\",\"UserId\":\"XXXXXX...@mydomain.com\",\"AzureActiveDirectoryEventType\":1,\"ExtendedProperties\":[{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 
Edg/109.0.1518.140\"},{\"Name\":\"RequestType\",\"Value\":\"OAuth2:Authorize\"}],\"ModifiedProperties\":[],\"Actor\":[{\"ID\":\"UserKey\",\"Type\":0},{\"ID\":\"XXXXXX...@mydomain.com\",\"Type\":5}],\"ActorContextId\":\"TENANTID\",\"ActorIpAddress\":\"IPADDRESS1\",\"InterSystemsId\":\"91cde6d5-1a53-439b-adb5-403dd7b7418b\",\"IntraSystemId\":\"6bd8f98f-1042-48f6-81ff-c67d9e850800\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"4765445b-32c6-49b0-83e6-1d93765276ca\",\"Type\":0}],\"TargetContextId\":\"TENANTID\",\"ApplicationId\":\"4765445b-32c6-49b0-83e6-1d93765276ca\",\"DeviceProperties\":[{\"Name\":\"OS\",\"Value\":\"Windows8Dot1\"},{\"Name\":\"BrowserType\",\"Value\":\"Edge\"},{\"Name\":\"SessionId\",\"Value\":\"0ec2c38e-9c06-45e8-b12c-fb8895642a98\"}],\"ErrorNumber\":\"0\",\"Subscription\":\"Audit.AzureActiveDirectory\"}}","decoder":{"name":"json"},"data":{"integration":"office365","office365":{"CreationTime":"2024-11-18T11:42:25","Id":"6bd8f98f-1042-48f6-81ff-c67d9e850800","Operation":"UserLoggedIn","OrganizationId":"TENANTID","RecordType":"15","ResultStatus":"Success","UserKey":"UserKey","UserType":"0","Version":"1","Workload":"AzureActiveDirectory","ClientIP":"IPADDRESS1","ObjectId":"4765445b-32c6-49b0-83e6-1d93765276ca","UserId":"XXXXXX...@mydomain.com","AzureActiveDirectoryEventType":"1","ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"Success"},{"Name":"UserAgent","Value":"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 
Edg/109.0.1518.140"},{"Name":"RequestType","Value":"OAuth2:Authorize"}],"ModifiedProperties":[],"Actor":[{"ID":"UserKey","Type":0},{"ID":"XXXXXX...@mydomain.com","Type":5}],"ActorContextId":"TENANTID","ActorIpAddress":"IPADDRESS1","InterSystemsId":"91cde6d5-1a53-439b-adb5-403dd7b7418b","IntraSystemId":"6bd8f98f-1042-48f6-81ff-c67d9e850800","Target":[{"ID":"4765445b-32c6-49b0-83e6-1d93765276ca","Type":0}],"TargetContextId":"TENANTID","ApplicationId":"4765445b-32c6-49b0-83e6-1d93765276ca","DeviceProperties":[{"Name":"OS","Value":"Windows8Dot1"},{"Name":"BrowserType","Value":"Edge"},{"Name":"SessionId","Value":"0ec2c38e-9c06-45e8-b12c-fb8895642a98"}],"ErrorNumber":"0","Subscription":"Audit.AzureActiveDirectory"}},"location":"office365"}
{"timestamp":"2024-11-18T12:48:35.732+0100","rule":{"level":3,"description":"Office 365: Secure Token Service (STS) logon events in Azure Active Directory.","id":"91545","firedtimes":302,"mail":false,"groups":["office365","AzureActiveDirectoryStsLogon"],"hipaa":["164.312.a.2.I","164.312.b","164.312.d","164.312.e.2.II"],"pci_dss":["8.3","10.6.1"]},"agent":{"id":"000","name":"Monitoring"},"manager":{"name":"Monitoring"},"id":"1731930515.4562257545","full_log":"{\"integration\":\"office365\",\"office365\":{\"CreationTime\":\"2024-11-18T11:42:22\",\"Id\":\"2a75531c-6752-4d3e-b855-6b8e23c20a00\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"TENANTID\",\"RecordType\":15,\"ResultStatus\":\"Success\",\"UserKey\":\"UserKey\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\",\"ClientIP\":\"IPADDRESS1\",\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"UserId\":\"XXXXXX...@mydomain.com\",\"AzureActiveDirectoryEventType\":1,\"ExtendedProperties\":[{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"true\"},{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 
Edg/109.0.1518.140\"},{\"Name\":\"RequestType\",\"Value\":\"SAS:ProcessAuth\"}],\"ModifiedProperties\":[],\"Actor\":[{\"ID\":\"UserKey\",\"Type\":0},{\"ID\":\"XXXXXX...@mydomain.com\",\"Type\":5}],\"ActorContextId\":\"TENANTID\",\"ActorIpAddress\":\"IPADDRESS1\",\"InterSystemsId\":\"e615a06e-112d-4997-8432-f7bffbaf2861\",\"IntraSystemId\":\"2a75531c-6752-4d3e-b855-6b8e23c20a00\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"TENANTID\",\"ApplicationId\":\"10fa57ef-4895-4ab2-872c-8c3613d4f7fb\",\"DeviceProperties\":[{\"Name\":\"OS\",\"Value\":\"Windows8Dot1\"},{\"Name\":\"BrowserType\",\"Value\":\"Edge\"},{\"Name\":\"SessionId\",\"Value\":\"0ec2c38e-9c06-45e8-b12c-fb8895642a98\"}],\"ErrorNumber\":\"50140\",\"Subscription\":\"Audit.AzureActiveDirectory\"}}","decoder":{"name":"json"},"data":{"integration":"office365","office365":{"CreationTime":"2024-11-18T11:42:22","Id":"2a75531c-6752-4d3e-b855-6b8e23c20a00","Operation":"UserLoggedIn","OrganizationId":"TENANTID","RecordType":"15","ResultStatus":"Success","UserKey":"UserKey","UserType":"0","Version":"1","Workload":"AzureActiveDirectory","ClientIP":"IPADDRESS1","ObjectId":"00000003-0000-0000-c000-000000000000","UserId":"XXXXXX...@mydomain.com","AzureActiveDirectoryEventType":"1","ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"Success"},{"Name":"KeepMeSignedIn","Value":"true"},{"Name":"UserAgent","Value":"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 
Edg/109.0.1518.140"},{"Name":"RequestType","Value":"SAS:ProcessAuth"}],"ModifiedProperties":[],"Actor":[{"ID":"UserKey","Type":0},{"ID":"XXXXXX...@mydomain.com","Type":5}],"ActorContextId":"TENANTID","ActorIpAddress":"IPADDRESS1","InterSystemsId":"e615a06e-112d-4997-8432-f7bffbaf2861","IntraSystemId":"2a75531c-6752-4d3e-b855-6b8e23c20a00","Target":[{"ID":"00000003-0000-0000-c000-000000000000","Type":0}],"TargetContextId":"TENANTID","ApplicationId":"10fa57ef-4895-4ab2-872c-8c3613d4f7fb","DeviceProperties":[{"Name":"OS","Value":"Windows8Dot1"},{"Name":"BrowserType","Value":"Edge"},{"Name":"SessionId","Value":"0ec2c38e-9c06-45e8-b12c-fb8895642a98"}],"ErrorNumber":"50140","Subscription":"Audit.AzureActiveDirectory"}},"location":"office365"}
{"timestamp":"2024-11-18T12:48:35.732+0100","rule":{"level":3,"description":"Office 365: Secure Token Service (STS) logon events in Azure Active Directory.","id":"91545","firedtimes":304,"mail":false,"groups":["office365","AzureActiveDirectoryStsLogon"],"hipaa":["164.312.a.2.I","164.312.b","164.312.d","164.312.e.2.II"],"pci_dss":["8.3","10.6.1"]},"agent":{"id":"000","name":"Monitoring"},"manager":{"name":"Monitoring"},"id":"1731930515.4562261163","full_log":"{\"integration\":\"office365\",\"office365\":{\"CreationTime\":\"2024-11-18T11:42:22\",\"Id\":\"2a75531c-6752-4d3e-b855-6b8e23c20a00\",\"Operation\":\"UserLoggedIn\",\"OrganizationId\":\"TENANTID\",\"RecordType\":15,\"ResultStatus\":\"Success\",\"UserKey\":\"UserKey\",\"UserType\":0,\"Version\":1,\"Workload\":\"AzureActiveDirectory\",\"ClientIP\":\"IPADDRESS1\",\"ObjectId\":\"00000003-0000-0000-c000-000000000000\",\"UserId\":\"XXXXXX...@mydomain.com\",\"AzureActiveDirectoryEventType\":1,\"ExtendedProperties\":[{\"Name\":\"ResultStatusDetail\",\"Value\":\"Success\"},{\"Name\":\"KeepMeSignedIn\",\"Value\":\"true\"},{\"Name\":\"UserAgent\",\"Value\":\"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 
Edg/109.0.1518.140\"},{\"Name\":\"RequestType\",\"Value\":\"SAS:ProcessAuth\"}],\"ModifiedProperties\":[],\"Actor\":[{\"ID\":\"UserKey\",\"Type\":0},{\"ID\":\"XXXXXX...@mydomain.com\",\"Type\":5}],\"ActorContextId\":\"TENANTID\",\"ActorIpAddress\":\"IPADDRESS1\",\"InterSystemsId\":\"e615a06e-112d-4997-8432-f7bffbaf2861\",\"IntraSystemId\":\"2a75531c-6752-4d3e-b855-6b8e23c20a00\",\"SupportTicketId\":\"\",\"Target\":[{\"ID\":\"00000003-0000-0000-c000-000000000000\",\"Type\":0}],\"TargetContextId\":\"TENANTID\",\"ApplicationId\":\"10fa57ef-4895-4ab2-872c-8c3613d4f7fb\",\"DeviceProperties\":[{\"Name\":\"OS\",\"Value\":\"Windows8Dot1\"},{\"Name\":\"BrowserType\",\"Value\":\"Edge\"},{\"Name\":\"SessionId\",\"Value\":\"0ec2c38e-9c06-45e8-b12c-fb8895642a98\"}],\"ErrorNumber\":\"50140\",\"Subscription\":\"Audit.AzureActiveDirectory\"}}","decoder":{"name":"json"},"data":{"integration":"office365","office365":{"CreationTime":"2024-11-18T11:42:22","Id":"2a75531c-6752-4d3e-b855-6b8e23c20a00","Operation":"UserLoggedIn","OrganizationId":"TENANTID","RecordType":"15","ResultStatus":"Success","UserKey":"UserKey","UserType":"0","Version":"1","Workload":"AzureActiveDirectory","ClientIP":"IPADDRESS1","ObjectId":"00000003-0000-0000-c000-000000000000","UserId":"XXXXXX...@mydomain.com","AzureActiveDirectoryEventType":"1","ExtendedProperties":[{"Name":"ResultStatusDetail","Value":"Success"},{"Name":"KeepMeSignedIn","Value":"true"},{"Name":"UserAgent","Value":"Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 
Edg/109.0.1518.140"},{"Name":"RequestType","Value":"SAS:ProcessAuth"}],"ModifiedProperties":[],"Actor":[{"ID":"UserKey","Type":0},{"ID":"XXXXXX...@mydomain.com","Type":5}],"ActorContextId":"TENANTID","ActorIpAddress":"IPADDRESS1","InterSystemsId":"e615a06e-112d-4997-8432-f7bffbaf2861","IntraSystemId":"2a75531c-6752-4d3e-b855-6b8e23c20a00","Target":[{"ID":"00000003-0000-0000-c000-000000000000","Type":0}],"TargetContextId":"TENANTID","ApplicationId":"10fa57ef-4895-4ab2-872c-8c3613d4f7fb","DeviceProperties":[{"Name":"OS","Value":"Windows8Dot1"},{"Name":"BrowserType","Value":"Edge"},{"Name":"SessionId","Value":"0ec2c38e-9c06-45e8-b12c-fb8895642a98"}],"ErrorNumber":"50140","Subscription":"Audit.AzureActiveDirectory"}},"location":"office365"}


Isaiah Daboh

Nov 20, 2024, 3:45:03 AM
to Wazuh | Mailing List
Hi Giovanni,

The rule below worked for the situations you described:

<rule id="100034" level="14" frequency="2" timeframe="600">
  <if_matched_sid>91545</if_matched_sid>
  <same_field>office365.UserId</same_field>
  <different_field>office365.ClientIP</different_field>
  <group>authentication, multiple_auth, multiple_auth_office365</group>
  <description>Multiple Office365 Logins from different IPs</description>
</rule>

<rule id="100035" level="14" frequency="2" timeframe="600">
  <if_matched_sid>91545</if_matched_sid>
  <same_field>office365.UserId</same_field>
  <group>authentication, multiple_auth, multiple_auth_office365</group>
  <description>Multiple Office365 Logins</description>
</rule>

Note: The field should be office365.UserId and not data.office365.UserId.

**Phase 3: Completed filtering (rules).
        id: '100035'
        level: '14'
        description: 'Multiple Office365 Logins'
        groups: '['local', 'syslog', 'sshd', 'authentication', ' multiple_auth', ' multiple_auth_office365']'
        firedtimes: '1'
        frequency: '2'
        mail: 'True'
**Alert to be generated.

**Phase 3: Completed filtering (rules).
        id: '100034'
        level: '14'
        description: 'Multiple Office365 Logins from different IPs'
        groups: '['local', 'syslog', 'sshd', 'authentication', ' multiple_auth', ' multiple_auth_office365']'
        firedtimes: '3'
        frequency: '2'
        mail: 'True'
**Alert to be generated.



Regards,

Giovanni

Nov 27, 2024, 4:38:35 AM
to Wazuh | Mailing List

Hi Isaiah,
thanks for the reply.
Yes, it seems to work, but here's an example: these are the logs for rule 100034, with no filters applied:
[Attached screenshot: Screenshot 2024-11-27 103202.png]

Is it my impression, or are there no different IPs for the individual user?
Let's take the first two cases: same user, same IP, and it gets flagged! How come?
Also, most of the usernames are not taken, as can be seen from the next ones!

Isaiah Daboh

Dec 4, 2024, 12:41:30 AM
to Wazuh | Mailing List
Hi Giovanni,

This is a known issue with the current engine. The history counter doesn't reset after the first match of 100034, so the manager checks the history and, if the condition is still met (two different IPs), it keeps triggering. However, this will be taken care of in the new engine, alongside other inconsistencies with the aggregation rules, as mentioned here.

Please confirm from the archive logs that the username field is not empty; if it is empty at the log source, you might have to consider another field that is unique and consistent.

Regards,
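As an added illustration (not code from the thread or from Wazuh), here is a Python model of what the corrected rule 100034 does over archives.json-style events: it resolves rule field paths below the `data` object, which is why the `data.office365.UserId` spelling in the first rules never correlated, and it reproduces the repeated firing Isaiah describes when the per-user history is not cleared after an alert. The sample events, user and IPs are constructed, and the correlation is a simplified model, not the Wazuh engine's exact algorithm.

```python
import json
from collections import deque
from datetime import datetime
# Constructed archives.json-style lines (placeholder user, documentation IPs),
# trimmed to the fields the rules use; these are not the thread's real logs.
def _event(ts, user, ip):
    return json.dumps({"timestamp": ts, "rule": {"id": "91545"},
                       "data": {"office365": {"UserId": user, "ClientIP": ip}}})
SAMPLE = [
    _event("2024-11-18T12:47:21.611+0100", "alice@example.com", "198.51.100.10"),
    _event("2024-11-18T12:48:35.732+0100", "alice@example.com", "198.51.100.10"),
    _event("2024-11-18T12:50:02.000+0100", "alice@example.com", "203.0.113.7"),
    _event("2024-11-18T12:51:10.000+0100", "alice@example.com", "203.0.113.7"),
    _event("2024-11-18T13:30:00.000+0100", "bob@example.com", "198.51.100.10"),
]
def field(ev, path):
    """Resolve a <same_field>/<different_field> path like 'office365.UserId'.
    Rule paths start below the archive's "data" object, so the 'data.' prefix
    used in the first rules resolves to nothing."""
    node = ev["data"]
    for key in path.split("."):
        node = node.get(key) if isinstance(node, dict) else None
    return node
def correlate(lines, same_field="office365.UserId",
              different_field="office365.ClientIP", frequency=2,
              timeframe=600, reset_on_alert=False):
    """Simplified model of rule 100034 (not the Wazuh engine's algorithm): alert
    when `frequency` rule-91545 matches for one user fall inside a `timeframe`
    second window with two or more distinct ClientIP values. reset_on_alert=False
    keeps the history after an alert, which is the repeated firing Isaiah describes."""
    history, alerts = {}, []
    for line in lines:
        ev = json.loads(line)
        if ev["rule"]["id"] != "91545":
            continue
        key, other = field(ev, same_field), field(ev, different_field)
        if key is None or other is None:
            continue  # a wrong field path silently never correlates
        ts = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        q = history.setdefault(key, deque())
        while q and (ts - q[0][0]).total_seconds() > timeframe:
            q.popleft()  # drop matches outside the sliding window
        q.append((ts, other))
        if len(q) >= frequency and len({v for _, v in q}) >= 2:
            alerts.append((ev["timestamp"], key, sorted({v for _, v in q})))
            if reset_on_alert:
                q.clear()
    return alerts
```

Running `correlate(SAMPLE)` yields two alerts for the same user burst (the 12:50 and 12:51 events), while `reset_on_alert=True` yields one; the `data.`-prefixed paths yield none.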
