
Office365 integration scan messages enrichment #13958

Merged
merged 3 commits into from
Jul 21, 2022

Conversation

cborla
Member

@cborla cborla commented Jun 23, 2022

Related issue: #14091
Documentation: Documentation
Manual testing: wazuh/wazuh-qa#3049

Description

The goal of this change is to increase the information about how the Office365 integration works.
Two new messages are added. The first one is emitted when the first scan runs, with the legend Bookmark updated to '2022-06-16T18:21:58Z' for tenant <TenantID> and subscription <SubscriptionID>, waiting '60' seconds to run first scan, where the first date is the UTC date of the API request to the Office365 server, and the '60' seconds are the interval time. The second message is similar to the first; it only changes the word next for the word first, and it is shown when the bookmark is updated: '2022-06-16T18:21:58Z' for tenant <TenantID> and subscription <SubscriptionID>, waiting '60' seconds to run first scan

Configuration options

ossec.conf

  <office365>
    <enabled>yes</enabled>
    <interval>1m</interval>
    <curl_max_size>1M</curl_max_size>
    <only_future_events>no</only_future_events>
    <api_auth>
        <tenant_id>tenant_id</tenant_id>
        <client_id>client_id</client_id>
        <client_secret>client_secret</client_secret>
    </api_auth>
    <subscriptions>
        <subscription>Audit.SharePoint</subscription>
        <subscription>Audit.AzureActiveDirectory</subscription>
        <subscription>Audit.Exchange</subscription>
        <subscription>Audit.General</subscription>
    </subscriptions>
  </office365>

Logs example

2022/06/22 21:55:20 wazuh-modulesd:office365[142854] wm_office365.c:472 at wm_office365_execute_scan(): DEBUG: Bookmark updated to '2022-06-23T00:55:18Z' for tenant '0fea4e03-8146-453b-b889-54b4bd11565b' and subscription 'Audit.SharePoint', waiting '60' seconds to run next scan.

  • Compilation without warnings in every supported platform
    • Linux
    • Windows
    • MAC OS X
  • Source installation
  • Package installation
  • Source upgrade
  • Package upgrade
  • Review logs syntax and correct language
  • Memory tests for Linux
    • Coverity
    • Valgrind (memcheck and descriptor leaks check)
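As an added example (not part of this PR or of the Wazuh code base), a small Python parser for the bookmark message this change introduces, plus a liveness check that flags a subscription whose bookmark stops advancing on the configured interval. The message format is taken from the log example above; the sample lines below are constructed for the demo (the tenant ID is the one from the example, the timestamps and the unrelated line are made up).

```python
import re
from datetime import datetime, timezone

# Constructed sample lines in the format of the DEBUG message added by this PR.
TENANT = "0fea4e03-8146-453b-b889-54b4bd11565b"
SAMPLE_LOGS = [
    f"2022/06/22 21:55:20 wazuh-modulesd:office365[142854] wm_office365.c:472 at wm_office365_execute_scan(): DEBUG: Bookmark updated to '2022-06-23T00:55:18Z' for tenant '{TENANT}' and subscription 'Audit.SharePoint', waiting '60' seconds to run first scan.",
    f"2022/06/22 21:55:20 wazuh-modulesd:office365[142854] wm_office365.c:472 at wm_office365_execute_scan(): DEBUG: Bookmark updated to '2022-06-23T00:55:18Z' for tenant '{TENANT}' and subscription 'Audit.Exchange', waiting '60' seconds to run first scan.",
    f"2022/06/22 21:56:20 wazuh-modulesd:office365[142854] wm_office365.c:472 at wm_office365_execute_scan(): DEBUG: Bookmark updated to '2022-06-23T00:56:18Z' for tenant '{TENANT}' and subscription 'Audit.SharePoint', waiting '60' seconds to run next scan.",
    "2022/06/22 21:56:21 wazuh-modulesd:office365[142854] DEBUG: (constructed unrelated line)",
    f"2022/06/22 22:05:20 wazuh-modulesd:office365[142854] wm_office365.c:472 at wm_office365_execute_scan(): DEBUG: Bookmark updated to '2022-06-23T01:05:18Z' for tenant '{TENANT}' and subscription 'Audit.Exchange', waiting '60' seconds to run next scan.",
]

# Matches both variants of the message ("first scan" and "next scan").
BOOKMARK_RE = re.compile(
    r"^(?P<logged>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) wazuh-modulesd:office365\[\d+\] "
    r"\S+ at wm_office365_execute_scan\(\): DEBUG: Bookmark updated to '(?P<bookmark>[^']+)' "
    r"for tenant '(?P<tenant>[^']+)' and subscription '(?P<subscription>[^']+)', "
    r"waiting '(?P<interval>\d+)' seconds to run (?P<kind>first|next) scan\.$"
)


def parse_bookmark_line(line):
    """Return the parsed fields as a dict, or None if the line is not a bookmark message."""
    m = BOOKMARK_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # The bookmark is the UTC time of the API request, so attach an explicit UTC tzinfo.
    rec["bookmark"] = datetime.strptime(rec["bookmark"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["interval"] = int(rec["interval"])
    return rec


def find_stalled_subscriptions(lines, tolerance=2.0):
    """Report (tenant, subscription, gap_seconds) for every pair of consecutive bookmark
    updates of the same subscription whose gap exceeds tolerance * interval, i.e. where the
    module stopped polling that subscription on schedule."""
    last = {}
    stalled = []
    for line in lines:
        rec = parse_bookmark_line(line)
        if rec is None:
            continue
        key = (rec["tenant"], rec["subscription"])
        prev = last.get(key)
        if prev is not None:
            gap = (rec["bookmark"] - prev["bookmark"]).total_seconds()
            if gap > tolerance * prev["interval"]:
                stalled.append((rec["tenant"], rec["subscription"], gap))
        last[key] = rec
    return stalled
```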

Member

@sdvendramini sdvendramini left a comment


LGTM!

@jmv74211
Contributor

jmv74211 commented Jul 21, 2022

QA review

@vikman90 vikman90 merged commit 9ece9cf into 4.3 Jul 21, 2022
@vikman90 vikman90 deleted the dev-office365-first-scan-message branch July 21, 2022 17:01

Successfully merging this pull request may close these issues.

Review the Office365 integration Interval parameter implementation
5 participants