Integration with Microsoft Defender


Vando Nascimento

Jun 7, 2023, 5:02:47 PM6/7/23
to Wazuh mailing list
Hello,

Recently I was able to complete the integration between Wazuh and Office365, and also with Azure AD, both following the documentation. Now I'd like to receive data coming from cloud-based Microsoft Defender, but I didn't find specific instructions. Is it possible to do that? I've found the following documentation describing that Microsoft Defender is compatible with Graph, just like Azure AD:

https://learn.microsoft.com/en-us/graph/api/resources/security-api-overview?view=graph-rest-1.0

I saw some videos from Microsoft showing how to use this API using powershell scripts, but it would be perfect if there was something that works directly with Wazuh.

Thanks in advance.

Nicolas Zapata

Jun 8, 2023, 9:53:39 PM6/8/23
to Wazuh mailing list

Hello Vando, thanks for using Wazuh!

I think you can use the Wazuh Azure integration with Azure Log Analytics. This collects and organizes logs and performance data from monitored resources, including Azure services, virtual machines, and applications. This insight can be sent to Wazuh using the Azure Log Analytics REST API or by directly accessing the contents of an Azure Storage account.

Vando Nascimento

Jun 16, 2023, 10:18:09 AM6/16/23
to Wazuh mailing list
Hello,

Thank you Nicolas for your reply.

In the last few days I managed to complete the PowerShell script that gets the Defender logs I'm interested in from Microsoft Graph in JSON format. Now I'm trying to send these logs to Wazuh, but I found a new problem. At the moment I'm trying to do that using the Windows agent. I changed the agent's configuration, including the following lines:

<localfile>
  <log_format>json</log_format>
  <location>C:\Users\my_user\Documents\LatestIncidents</location>
</localfile>

I've also changed logall_json to yes on the manager's side and restarted it. But in my agent's log I see the following messages:

2023/06/16 10:39:25 wazuh-agent: ERROR: (1103): Could not open file 'C:\Users\my_user\Documents\LatestIncidents' due to [(5)-(Access is denied.)].
2023/06/16 10:39:25 wazuh-agent: INFO: (1950): Analyzing file: 'C:\Users\my_user\Documents\LatestIncidents'.

There's a file with a .json extension in this folder, but it's not mentioned in the logs. I tried to give full control permission on this folder to everyone, but the result was the same.

What would be the necessary permissions for the agent to be able to read these logs?

Also, if there's a better way to send these logs to Wazuh please let me know. This is the only idea I had so far.

Thanks in advance.

Vando Nascimento

Jun 16, 2023, 6:03:50 PM6/16/23
to Wazuh mailing list
Quick update:

After specifying the full path, including the file name, the agent read the log. So, this part is solved. But if possible I'll still accept some tips on the best way to deal with this type of log on Windows, in case I'm not using the best method.

Thanks a lot.
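
One way to hand Graph incidents to the agent cleanly, as an added example that is not part of the thread and not code from the Wazuh project or from Microsoft: the agent's json log format reads one JSON object per line, so the script below takes incident objects shaped like the `value` array of `GET /v1.0/security/incidents`, filters them against a watermark so a scheduled rerun never appends the same incident state twice, and appends them as compact, BOM-free lines to a fixed file. The output and watermark paths, the `DefenderGraph` folder name and the two sample incidents are constructed for the example; the matching ossec.conf fragment in the header comment assumes the same file path. The `Invoke-MgGraphRequest` call mentioned in the comments is the Microsoft Graph PowerShell SDK's generic request cmdlet and is only referenced, not executed, so the block runs without a tenant.

```powershell
# Added example (not code from the thread or from the Wazuh project):
# write Microsoft Graph security incidents as one JSON object per line,
# the layout the Wazuh agent's <log_format>json</log_format> reads.
#
# Assumed agent-side configuration (ossec.conf on the Windows agent).
# <location> must name the file itself, not its folder; pointing it at
# the folder is what produces error 1103 "Access is denied" in the thread.
#
#   <localfile>
#     <log_format>json</log_format>
#     <location>C:\ProgramData\DefenderGraph\incidents.json</location>
#   </localfile>

$OutFile   = 'C:\ProgramData\DefenderGraph\incidents.json'  # assumed path
$StateFile = 'C:\ProgramData\DefenderGraph\watermark.txt'   # assumed path

# Constructed sample shaped like the "value" array returned by
# GET https://graph.microsoft.com/v1.0/security/incidents, so the script
# runs without a tenant. For live data replace it with, for example,
# (Invoke-MgGraphRequest -Method GET -Uri 'https://graph.microsoft.com/v1.0/security/incidents').value
# after Connect-MgGraph with the SecurityIncident.Read.All permission (assumed setup).
$SampleIncidents = @(
    @{ id = '1001'; displayName = 'Multi-stage incident on host01'
       severity = 'high'; status = 'active'
       lastUpdateDateTime = '2023-06-16T09:30:00Z'
       alerts = @(@{ id = 'a1'; title = 'Suspicious PowerShell command line' }) }
    @{ id = '1002'; displayName = 'Credential access on host02'
       severity = 'medium'; status = 'resolved'
       lastUpdateDateTime = '2023-06-16T10:05:00Z'
       alerts = @() }
)

function Get-IncidentTime {
    param([Parameter(Mandatory)]$Incident)
    # Graph timestamps are ISO 8601 with a Z suffix; compare everything in UTC.
    return [datetimeoffset]::Parse($Incident.lastUpdateDateTime).UtcDateTime
}

function Get-Watermark {
    param([string]$Path)
    if (Test-Path -LiteralPath $Path) {
        return [datetimeoffset]::Parse((Get-Content -LiteralPath $Path -Raw).Trim()).UtcDateTime
    }
    return [datetime]::MinValue
}

function Write-WazuhJsonLines {
    param(
        [Parameter(Mandatory)][object[]]$Incidents,
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$StatePath,
        [datetime]$Since = [datetime]::MinValue
    )
    # Only incidents updated after the watermark, oldest first, so a rerun
    # (for example from Task Scheduler) never appends the same state twice.
    $new = @($Incidents | Where-Object { (Get-IncidentTime $_) -gt $Since } |
                          Sort-Object { Get-IncidentTime $_ })

    # -Compress gives one line per object; -Depth 10 keeps the nested alerts
    # array, which ConvertTo-Json would otherwise truncate at its default depth of 2.
    $lines = foreach ($i in $new) { ConvertTo-Json -InputObject $i -Depth 10 -Compress }

    if ($new.Count -gt 0) {
        $dir = Split-Path -Parent $Path
        if (-not (Test-Path -LiteralPath $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
        # Append as UTF-8 without BOM: a BOM in front of the first '{' makes that
        # line invalid JSON for the agent, and Add-Content -Encoding utf8 on
        # Windows PowerShell 5.1 writes one when it creates the file.
        [System.IO.File]::AppendAllLines($Path, [string[]]$lines,
            (New-Object System.Text.UTF8Encoding $false))
        # Persist the newest timestamp written as the watermark for the next run.
        $newest = (Get-IncidentTime $new[-1]).ToString('o')
        Set-Content -LiteralPath $StatePath -Value $newest -NoNewline
    }
    return $new.Count
}

$written = Write-WazuhJsonLines -Incidents $SampleIncidents -Path $OutFile `
                                -StatePath $StateFile -Since (Get-Watermark $StateFile)
Write-Host "Appended $written incident(s) to $OutFile"
```

Two points worth keeping in mind with this approach. The agent tails the file, so the script should append rather than rewrite it, and the file should be rotated on a schedule if it grows; `<location>` also accepts wildcards, so a pattern such as `C:\ProgramData\DefenderGraph\*.json` will pick up rotated files that match. On the manager, the JSON decoder exposes each top-level field as `data.<field>` (nested ones as `data.alerts.title` and so on); with logall_json enabled the events land in archives.json, but generating alerts still needs a local rule that matches on those `data.*` fields.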
