Scribd
Upload
963 views11 pages

Office365 Integration With Wazuh-1

Uploaded by

kevohoc688
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
963 views11 pages

Office365 Integration With Wazuh-1

Uploaded by

kevohoc688
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd

WAZUH – OFFICE 365

INTEGRATION

LAB CREATED BY : SAYED WAQAR ALI BACHA


Introduction:
Integrating Office 365 with Wazuh enables centralized monitoring and security
management of Office 365 activities within your organization's SIEM environment.
By doing so, you can track user activities, monitor login attempts, and detect
suspicious behavior in real time.
The integration allows Wazuh to collect and analyze security events from Office
365, providing insights into potential threats and compliance issues. This setup
enhances the overall security posture by ensuring that events from Office 365,
such as logins, file access, and administrative actions, are continuously monitored
and correlated with other security events within Wazuh.

Prerequisites:
• You must have an active Office 365 subscription.
• Ensure that Wazuh is already installed and configured in your environment.
• Create and configure an Azure AD application in the Azure portal.
• Grant the necessary API permissions to the Azure AD application for
accessing Office 365 logs.
• Install and configure the Wazuh Office 365 integration module.
Registering an app via the Azure portal :

1) Sign in to your Azure portal.


2) Click ON Microsoft Entra ID.
3) Click on New registration in the Microsoft Azure portal app registrations section.

4) Fill in the name of your application, choose the desired account type, and click on the
Register button.

5) Click on the Overview tab on the menu to view and copy the application’s client and
tenant IDs.
Creating certificates and secrets :
The application requires a certificate and secret to use during the authentication
process.

1) Navigate to the Certificates & secrets menu and click the New client secret button. Then,
fill in the Description and Expires fields of the new secret under the Add a client secret
section.
1) Copy and save the value of the secret under the Client secrets section.
Note: Make sure you write it down because the web interface won’t let you copy it
afterward.

Enabling API permissions :


Navigate to the API permissions menu and choose Add a permission.
• Select the Office 365 Management APIs and click on Application permissions.
• Add the following permissions under the ActivityFeed group:
• [Link]: Read activity data for your organization.
• [Link]: Read DLP policy events including detected sensitive data.
• Click on the Add permissions button.

NOTE : Admin consent is required for API permission changes.

Configuring Wazuh with Office 365 APIs :


1) Go To /var/ossec/etc/[Link] in wazuh server and paste this lines below logging
section.
<ossec_config>
<office365>
<enabled>yes</enabled>
<interval>1m</interval>
<curl_max_size>1M</curl_max_size>
<only_future_events>yes</only_future_events>
<api_auth>
<tenant_id><YOUR_TENANT_ID></tenant_id>
<client_id><YOUR_CLIENT_ID></client_id>
<client_secret><YOUR_CLIENT_SECRET></client_secret>
<api_type>commercial</api_type>
</api_auth>
<subscriptions>
<subscription>[Link]</subscription>
</subscriptions>
</office365>
</ossec_config>

2) After that make changes in Tennant id, Client id and Client secret ……

3) Save the configuration and restart wazuh manager.


➢ IF YOUR INTEGRATION IS SUCCESFULL YOU WILL SEE LOGS ON YOUR DASHBOARD..
• Regards:
✓ SAYED WAQAR ALI BACHA

• Follow Me On Linkedin:
✓ [Link]
8a5b6b228/
• Contact Number:
✓ +92-3466052414
• Gmail:
✓ Wqrali713@[Link]

You might also like