The integration of Microsoft cloud services is directly supported by the Wazuh component. To perform the integration, some configuration is required on the Office 365/Azure platform.
The steps outlined in https://docs.siemonster.com/current/office-365-logging-app-configuration should already have been completed before you begin. You will need the following to configure the integration:
To configure Wazuh to ingest the logs, a wodle configuration needs to be added to ossec.conf on any of the Wazuh managers in your cluster. It is recommended to do so on the Hydra.
Please follow these steps:
SSH to your Hydra.
Type sudo -s and press [ENTER].
Type docker exec -it wazuh bash and press [ENTER].
Type vim /var/ossec/etc/ossec.conf and press [ENTER].
Press the forward slash (/), type osquery in lower case and press [ENTER].
Using the arrow keys, move the cursor to the end of the </wodle> line and press [ENTER] twice. It should look like the screenshot below.
Copy and paste the XML block below into your preferred code-safe editor (not notepad.exe or Word):

<office365>
  <enabled>yes</enabled>
  <interval>15m</interval>
  <curl_max_size>2G</curl_max_size>
  <only_future_events>no</only_future_events>
  <api_auth>
    <tenant_id>xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx</tenant_id>
    <client_id>xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx</client_id>
    <client_secret>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</client_secret>
  </api_auth>
  <subscriptions>
    <subscription>Audit.AzureActiveDirectory</subscription>
    <subscription>Audit.General</subscription>
    <subscription>Audit.Exchange</subscription>
    <subscription>Audit.SharePoint</subscription>
    <subscription>DLP.All</subscription>
  </subscriptions>
</office365>
Edit the copied XML by replacing the x's in tenant_id, client_id and client_secret with the corresponding values that were saved when the Office 365 logging was configured.
Copy the edited XML block and paste it at the cursor location that was set in step 7.
It should look like the screenshot below when you are done.
Press [ESC], then type :wq and press [ENTER].
Restart the Wazuh manager service by typing the command wazuh-control restart and wait for the restart to complete. If it reports an error and will not restart, remove the lines you added, save the file and restart the Wazuh manager again.
If an editor that is not code-safe is used, incorrect line endings or other artifacts can prevent the system from reading the configuration, and the service will not start.
Once restarted, check the Wazuh log file /var/ossec/logs/ossec.log for any errors relating to the office_365 module.
NOTE: It is not required to have all the subscriptions enabled; enable only those you want or need and remove the lines you don't. The available subscription lines are:

<subscription>Audit.AzureActiveDirectory</subscription>
<subscription>Audit.General</subscription>
<subscription>Audit.Exchange</subscription>
<subscription>Audit.SharePoint</subscription>
<subscription>DLP.All</subscription>
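The two things that most often stop the manager from starting after this edit are the x placeholders left in the credentials and editor artifacts (CRLF line endings, smart quotes, non-breaking spaces) in the pasted block. The following preflight check, an added example that is not SIEMonster's or Wazuh's own code, validates an edited <office365> block before it is pasted into ossec.conf. It assumes the value formats shown in the template above (a GUID for tenant_id and client_id, an interval such as 15m, a size such as 2G, yes/no switches) and treats the five subscriptions listed on this page as the valid set; the sample blocks and their GUIDs are constructed for the example.

```python
"""Preflight validator for an edited <office365> wodle block (added example)."""
import re
import xml.etree.ElementTree as ET

# The subscriptions listed on the page.
KNOWN_SUBSCRIPTIONS = {
    "Audit.AzureActiveDirectory",
    "Audit.General",
    "Audit.Exchange",
    "Audit.SharePoint",
    "DLP.All",
}
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.IGNORECASE)
PLACEHOLDER_RE = re.compile(r"^[x-]+$", re.IGNORECASE)  # the x's (and dashes) in the template
INTERVAL_RE = re.compile(r"^\d+[smhd]$")                 # e.g. 15m (assumed format)
SIZE_RE = re.compile(r"^\d+[KMG]?$")                     # e.g. 2G (assumed format)


def check_office365_block(xml_text: str) -> list[str]:
    """Return the problems found in the block; an empty list means it passed."""
    problems: list[str] = []

    # Editor artifacts survive copy/paste and stop the manager from parsing the file.
    if "\r" in xml_text:
        problems.append("CRLF line endings found; save the block with LF line endings")
    odd = sorted({c for c in xml_text if ord(c) > 127})
    if odd:
        problems.append("non-ASCII characters found (smart quotes/NBSP?): " + repr(odd))

    # Well-formedness; strip so leading blank lines do not upset the parser.
    try:
        root = ET.fromstring(xml_text.strip())
    except ET.ParseError as exc:
        problems.append(f"XML is not well-formed: {exc}")
        return problems
    if root.tag != "office365":
        problems.append(f"root element is <{root.tag}>, expected <office365>")
        return problems

    # Credentials must be present and must no longer be the template placeholders.
    auth = root.find("api_auth")
    if auth is None:
        problems.append("<api_auth> block is missing")
    else:
        for name in ("tenant_id", "client_id", "client_secret"):
            el = auth.find(name)
            value = (el.text or "").strip() if el is not None else ""
            if not value:
                problems.append(f"<{name}> is missing or empty")
            elif PLACEHOLDER_RE.match(value):
                problems.append(f"<{name}> still contains the x placeholder")
            elif name != "client_secret" and not GUID_RE.match(value):
                problems.append(f"<{name}> is not a GUID")

    # Yes/no switches and the interval / size formats.
    for name in ("enabled", "only_future_events"):
        el = root.find(name)
        if el is not None and (el.text or "").strip() not in ("yes", "no"):
            problems.append(f"<{name}> must be yes or no")
    for name, pattern, example in (("interval", INTERVAL_RE, "15m"),
                                   ("curl_max_size", SIZE_RE, "2G")):
        el = root.find(name)
        if el is not None and not pattern.match((el.text or "").strip()):
            problems.append(f"<{name}> has an unexpected value (expected something like {example})")

    # Subscriptions: any non-empty subset of the known names, without duplicates.
    subs = [(s.text or "").strip() for s in root.iter("subscription")]
    if not subs:
        problems.append("no <subscription> entries; keep at least one")
    for sub in subs:
        if sub not in KNOWN_SUBSCRIPTIONS:
            problems.append(f"unknown subscription {sub!r}")
    if len(subs) != len(set(subs)):
        problems.append("duplicate <subscription> entries")
    return problems


# Constructed sample: the page's template with the x's replaced by made-up values.
GOOD_BLOCK = """
<office365>
  <enabled>yes</enabled>
  <interval>15m</interval>
  <curl_max_size>2G</curl_max_size>
  <only_future_events>no</only_future_events>
  <api_auth>
    <tenant_id>11111111-2222-3333-4444-555555555555</tenant_id>
    <client_id>aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee</client_id>
    <client_secret>made-up-secret-for-the-example</client_secret>
  </api_auth>
  <subscriptions>
    <subscription>Audit.AzureActiveDirectory</subscription>
    <subscription>Audit.Exchange</subscription>
  </subscriptions>
</office365>
"""

# Constructed sample: tenant_id left as the template placeholder, saved with CRLF endings.
UNEDITED_BLOCK = GOOD_BLOCK.replace(
    "11111111-2222-3333-4444-555555555555", "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
).replace("\n", "\r\n")

if __name__ == "__main__":
    for label, block in (("edited", GOOD_BLOCK), ("unedited", UNEDITED_BLOCK)):
        found = check_office365_block(block)
        print(f"{label}: {'OK' if not found else 'PROBLEMS'}")
        for problem in found:
            print("  -", problem)
```

Run it against the block you intend to paste (for example by reading the file into check_office365_block) before restarting the manager; an empty result means the block is well-formed, the credentials have been filled in and the subscriptions are a valid subset of the list above.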