GeoLocation


Jorge Moya Albarran

Sep 24, 2025, 7:05:53 AM
to Wazuh | Mailing List
Good morning,

We have created this rule to try to filter logs based on the GeoLocation.country_name tag to detect a specific country in M365:

<rule id="82010" level="12">
  <if_sid>91537</if_sid>
  <field name="GeoLocation.country_name">^Spain$</field>
  <description>O365: SOC TESTS</description>
</rule>


We have tried to filter the field name with that tag but have not received any results. Can you help us detect a specific country, please?

Thank you, best regards.


Bony V John

Sep 24, 2025, 7:14:33 AM
to Wazuh | Mailing List
Hi,

Please allow me some time. I'm working on this and will get back to you with an update as soon as possible.  

Bony V John

Sep 24, 2025, 7:51:50 AM
to Wazuh | Mailing List
Hi,

Based on your input, it seems that you are trying to use the GeoLocation.country_name field, which is visible in the Wazuh dashboard alert.
However, this field cannot be used to create a rule because it is added by the Filebeat module during indexing to enrich the alert. It does not exist in the raw log by default. Rules can only be created using fields that are available in the decoded logs.

Screenshot 2025-09-24 172102.png

If there is another field present in the raw log that indicates the country name, we can use that field to write a rule as described. If possible, please share a sample raw log of this event with us so we can review it and assist you further in identifying whether such a field is available.

Jorge Moya Albarran

Sep 24, 2025, 9:35:16 AM
to Wazuh | Mailing List
Hello,

Thank you very much for your response. At first, we were unable to correlate it with another section, but here is a complete log for you to review:

GeoLocation.city_name: Atlanta
GeoLocation.country_name: United States
GeoLocation.location: { "lon": -84.3871, "lat": 33.7485 }
GeoLocation.region_name: Georgia
_index: wazuh-alerts-4.x-2025.09.24
agent.id: 8
agent.ip: 172.16.0.230
agent.labels.Server_Linux: Server_Linux
agent.name: PRUEBASERVER
data.integration: office365
data.office365.ActorInfoString: OUTLOOK.EXE/16.0.19127.20240
data.office365.ClientIP: 177.233.13.237
data.office365.ClientIPAddress: 177.233.13.237
data.office365.ClientInfoString: Client=MSExchangeRPC
data.office365.ClientProcessName: OUTLOOK.EXE
data.office365.ClientRequestId: {5A15FE7F-BC16-48C7-BC60-4D5B598DAFE1}
data.office365.ClientVersion: 16.0.19127.20240
data.office365.CreationTime: 2025-09-24T12:15:17
data.office365.ExternalAccess: false
data.office365.Id: 843cf095-982c-4a47-78f1-08ddfb64062f
data.office365.InternalLogonType: 0
data.office365.Item.Attachments: CV trabajo nuevo.pdf (16959b); image001.png (46785b)
data.office365.Item.Id: RgAAAABuKE3xKNe/Q414gmrBy8VTBwDI7OWKQyyxTbhhwLnrr6VBAAAAAAELAADI7OWKQyyxTbhhwLnrr6VBAAGXGPsOAAAJ
data.office365.Item.ImmutableId: LgAAAAAdhAMRqmYRzZvIAKoAL8RaDQDI7OWKQyyxTbhhwLnrr6VBAAGXG3T9AAAJ
data.office365.Item.InternetMessageId: <VI1PR09MB4301C84C16...@VI1PR09MB4301.eurprd09.prod.outlook.com>
data.office365.Item.ParentFolder.Id: LgAAAABuKE3xKNe/Q414gmrBy8VTAQDI7OWKQyyxTbhhwLnrr6VBAAAAAAELAAAB
data.office365.Item.ParentFolder.Path: \Bandeja de salida
data.office365.Item.SizeInBytes: 78798
data.office365.Item.Subject: CV trabajo nuevo- Reacondicionamiento lanzadores
data.office365.LogonType: 0
data.office365.LogonUserSid: S-1-5-21-2990884641-1351431507-3353385887-27459362
data.office365.MailboxGuid: 44e6b39d-91af-4456-b55e-2a4460685af7
data.office365.MailboxOwnerSid: S-1-5-21-2990884641-1351431507-3353385887-27459362
data.office365.MailboxOwnerUPN: Usuario...@dominio.prueba.com
data.office365.Operation: Send
data.office365.OrganizationId: e4d319aa-66b9-4067-9fba-1977f3449124
data.office365.OrganizationName: ac6357250.onmicrosoft.com
data.office365.OriginatingServer: VI1PR09MB4301 (15.20.4200.000)
data.office365.RecordType: 2
data.office365.ResultStatus: Succeeded
data.office365.SaveToSentItems: true
data.office365.SessionId: 00212479-d088-077e-6f44-25b173e5f869
data.office365.Subscription: Audit.Exchange
data.office365.UserId: Usuario...@dominio.prueba.com
data.office365.UserKey: 1003200342D298A9
data.office365.UserType: 0
data.office365.Version: 1
data.office365.Workload: Exchange
decoder.name: json
id: 1.758.716.287.319.660.000
input.type: log
location: office365
manager.name: wazuhsiem
rule.description: Office 365: Sent message
rule.firedtimes: 20
rule.groups: office365, Exchange
rule.hipaa: 164.312.b
rule.id: 91707
rule.level: 4
rule.mail: false
rule.mitre.id: T1114.003
rule.mitre.tactic: Collection
rule.mitre.technique: Email Forwarding Rule
rule.pci_dss: 10.6.2
timestamp: Sep 24, 2025 @ 14:18:07.422

Is there any other way to fix this?

Best regards.

Bony V John

Sep 25, 2025, 2:09:23 AM
to Wazuh | Mailing List
Hi,

From the shared log, there are no fields available in the raw log to directly achieve this using custom rules. However, we can create a custom dashboard to show alerts based on geo-location.  

Steps to Create a Visualization Manually
  1. Open Visualization Panel

    • Click on the hamburger icon (top left) > Explore > Visualize > Create Visualization

  2. Choose Visualization Type

    • Select Data Table

    • Choose the wazuh-alerts index

  3. Configure Buckets

    • First Split (Rule ID)

      • Buckets > Add > Split rows

      • Aggregation: Terms

      • Field: rule.id

      • Size: set based on your requirement (number of entries to display)

      • Custom label: Rule ID

      • Click Update

    • Second Split (Description)

      • Buckets > Add > Split rows

      • Aggregation: Terms

      • Field: rule.description

      • Size: set based on your requirement

      • Custom label: Description

      • Click Update

    • Third Split (GeoLocation)

      • Buckets > Add > Split rows

      • Aggregation: Terms

      • Field: GeoLocation.country_name

      • Size: set based on your requirement

      • Custom label: GeoLocation

      • Click Update

    You can also use fields like data.srcip or others depending on your requirement.

  4. Apply Filters

    • On the top left, click on Add filter

    • Field: select rule.group or rule.id depending on which alerts you want to display

    • Operator: choose is or is one of (for multiple values)

    • Value: add the specific rule ID(s) or group(s)

    • Click Save to apply the filter

  5. Save the Visualization

    • Click the Save icon at the top and give it a name

I have created one sample and attached a screenshot for reference. You can build more visualizations based on your needs.

For further details, you can also check the Wazuh custom dashboard creation documentation.

Screenshot 2025-09-25 113843.png
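As an added example (not code from this thread, and not Wazuh's own code), the script below models the two points made in the replies above: GeoLocation.* does not exist when analysisd evaluates rules, so a <field> match on it can never fire, while the same field does exist on the indexed alert and can be bucketed the way the Data Table visualization does. The decoded event and the GeoIP stub are constructed from the shared log; `get_field`, `rule_field_matches`, `enrich_at_index_time` and `country_table` are hypothetical helper names.

```python
# Added example, not from the thread or from Wazuh: why a rule on
# GeoLocation.country_name never fires, and what the Data Table buckets.
import re
from collections import Counter

# Constructed decoded event, as analysisd sees it: no GeoLocation.* keys yet.
DECODED_EVENT = {
    "data": {"integration": "office365",
             "office365": {"ClientIP": "177.233.13.237", "Operation": "Send"}},
    "rule": {"id": "91707", "description": "Office 365: Sent message",
             "groups": ["office365", "Exchange"]},
}
# Constructed stand-in for the GeoIP database Filebeat consults at index time.
GEOIP_STUB = {"177.233.13.237": {"country_name": "United States",
                                 "city_name": "Atlanta"}}

def get_field(doc, dotted):
    """Resolve a dotted name like GeoLocation.country_name; None if absent."""
    for part in dotted.split("."):
        if not isinstance(doc, dict) or part not in doc:
            return None
        doc = doc[part]
    return doc

def rule_field_matches(event, field, regex):
    """Mimic a <field name=...> check: an absent field can never match."""
    value = get_field(event, field)
    return value is not None and re.search(regex, str(value)) is not None

def enrich_at_index_time(event, geoip=GEOIP_STUB):
    """Simulate the index-time enrichment: add GeoLocation from ClientIP."""
    geo = geoip.get(get_field(event, "data.office365.ClientIP"))
    enriched = dict(event)
    if geo:
        enriched["GeoLocation"] = dict(geo)
    return enriched

def country_table(alerts, group="office365"):
    """Same buckets as the Data Table: rule.id / description / country,
    restricted to alerts whose rule.groups contains the chosen group."""
    counts = Counter()
    for alert in alerts:
        if group not in (get_field(alert, "rule.groups") or []):
            continue
        key = tuple(get_field(alert, f) for f in
                    ("rule.id", "rule.description", "GeoLocation.country_name"))
        counts[key] += 1
    return counts
```

Alerts that were never enriched (for example, a private ClientIP with no GeoIP entry) land in a bucket whose country is None, which is why a rule.groups or rule.id filter is still needed to keep the table focused.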


Jorge Moya Albarran

Sep 25, 2025, 5:13:29 AM
to Wazuh | Mailing List
Good morning,

Okay, thank you very much for your response. We will look into that option to see if it is feasible to implement it in our environment.

Best regards.