Note
This module only works on Windows, Linux, and macOS. It is recommended to have it enabled only in one agent to avoid repeated logs.
XML section name
<office365>
</office365>Configuration options of the Office365 module.
- enabled
- only_future_events
- interval
- curl_max_size
- api_auth
- api_auth\\tenant_id
- api_auth\\client_id
- api_auth\\client_secret_path
- api_auth\\client_secret
- api_auth\\api_type
- subscriptions
- subscriptions\\subscription
| Options | Allowed values |
|---|---|
| enabled | yes, no |
| only_future_events | yes, no |
| interval | A positive number + suffix |
| curl_max_size | A positive number + suffix |
| api_auth | N/A |
| api_auth\\tenant_id | Any string |
| api_auth\\client_id | Any string |
| api_auth\\client_secret_path | Any string |
| api_auth\\client_secret | Any string |
| api_auth\\api_type | commercial, gcc, gcc-high |
| subscriptions | N/A |
| subscriptions\\subscription | Any string |
Enabled the Office365 wodle.
| Default value | yes |
| Allowed values | yes, no |
Set it to yes to collect events generated since the Wazuh manager was started.
By default, when Wazuh starts it will only read all log content from Office365 since the manager started.
| Default value | yes |
| Allowed values | yes, no |
The interval between Wazuh wodle executions.
Note
When Wazuh starts, it waits for the configured time interval before running the first scan, unless the module has already been running before and the only_future_events option is set to no.
| Default value | 10m |
| Allowed values | A positive number that should contain a suffix character indicating a time unit, such as, s (seconds), m (minutes), h (hours), d (days) |
Specifies the maximum size allowed for the Office365 API response.
| Default value | 1M |
| Allowed values | A positive number that should contain a suffix character indicating a size unit, such as b/B (bytes), k/K (kilobytes), m/M (megabytes), and g/G (gigabytes). |
This block configures the credential for the authentication with the Office365 REST API.
- api_auth\\tenant_id
- api_auth\\client_id
- api_auth\\client_secret_path
- api_auth\\client_secret
- api_auth\\api_type
Warning
In case of invalid configuration, after the third scan attempt, a warning message is generated in the log file and an alert is triggered.
| Options | Allowed values |
|---|---|
| api_auth\\tenant_id | Any string |
| api_auth\\client_id | Any string |
| api_auth\\client_secret_path | Any string |
| api_auth\\client_secret | Any string |
| api_auth\\api_type | commercial, gcc, gcc-high |
Tenant id of your application registered in Azure.
| Default value | N/A |
| Allowed values | Any string |
Client id of your application registered in Azure.
| Default value | N/A |
| Allowed values | Any string |
Path of the file that contains the client secret value of your application registered in Azure. Incompatible with client_secret option.
| Default value | N/A |
| Allowed values | Any string |
Client secret value of your application registered in Azure.
| Default value | N/A |
| Allowed values | Any string |
Type of Microsoft 365 subscription plan used by the tenant.
| Default value | commercial |
| Allowed values | commercial, gcc, gcc-high |
Note
This block can be repeated to give the possibility to connect with more than one tenant on Office 365.
This block configures the internal options in the Office365 REST API.
| Options | Allowed values |
|---|---|
| subscriptions\\subscription | Any string |
This section configures the content types from which to collect audit logs. These are the subscription types that can be configured:
- Audit.AzureActiveDirectory: User identity management.
- Audit.Exchange: Mail and calendaring server.
- Audit.SharePoint: Web-based collaborative platform.
- Audit.General: Includes all other workloads not included in the previous content types.
- DLP.All: Data loss prevention workloads.
| Default value | N/A |
| Allowed values | Any string |
<office365>
<enabled>yes</enabled>
<interval>1m</interval>
<curl_max_size>1M</curl_max_size>
<only_future_events>yes</only_future_events>
<api_auth>
<tenant_id>your_tenant_id</tenant_id>
<client_id>your_client_id</client_id>
<client_secret>your_client_secret</client_secret>
<api_type>commercial</api_type>
</api_auth>
<subscriptions>
<subscription>Audit.AzureActiveDirectory</subscription>
<subscription>Audit.General</subscription>
</subscriptions>
</office365><office365>
<enabled>yes</enabled>
<interval>1m</interval>
<curl_max_size>1M</curl_max_size>
<only_future_events>yes</only_future_events>
<api_auth>
<tenant_id>your_tenant_id</tenant_id>
<client_id>your_client_id</client_id>
<client_secret>your_client_secret</client_secret>
<api_type>commercial</api_type>
</api_auth>
<api_auth>
<tenant_id>your_tenant_id_2</tenant_id>
<client_id>your_client_id_2</client_id>
<client_secret>your_client_secret_2</client_secret>
<api_type>commercial</api_type>
</api_auth>
<subscriptions>
<subscription>Audit.AzureActiveDirectory</subscription>
<subscription>Audit.General</subscription>
</subscriptions>
</office365>