office365
New in version 4.3.0.
Note
This module only works on Windows, Linux, and macOS. It is recommended to have it enabled only in one agent to avoid repeated logs.
XML section name
<office365>
</office365>
Configuration options of the Office365 module.
Options
Options |
Allowed values |
|---|---|
yes, no |
|
yes, no |
|
A positive number + suffix |
|
A positive number + suffix |
|
N/A |
|
Any string |
|
Any string |
|
Any string |
|
Any string |
|
N/A |
|
Any string |
only_future_events
Set it to yes to collect events generated since the Wazuh manager was started.
By default, when Wazuh starts it will only read all log content from Office365 since the manager started.
Default value |
yes |
Allowed values |
yes, no |
interval
The interval between Wazuh wodle executions.
Note
When Wazuh starts, it waits for the configured time interval before running the first scan, unless the module has already been running before and the only_future_events option is set to no.
Default value |
10m |
Allowed values |
A positive number that should contain a suffix character indicating a time unit, such as, s (seconds), m (minutes), h (hours), d (days) |
api_auth
This block configures the credential for the authentication with the Office365 REST API.
Warning
In case of invalid configuration, after the third scan attempt, a warning message is generated in the log file and an alert is triggered.
Options |
Allowed values |
|---|---|
Any string |
|
Any string |
|
Any string |
|
Any string |
api_auth\tenant_id
Tenant id of your application registered in Azure.
Default value |
N/A |
Allowed values |
Any string |
api_auth\client_id
Client id of your application registered in Azure.
Default value |
N/A |
Allowed values |
Any string |
subscriptions
This block configures the internal options in the Office365 REST API.
Options |
Allowed values |
|---|---|
Any string |
subscriptions\subscription
This section configures the content types from which to collect audit logs. These are the subscription types that can be configured:
Audit.AzureActiveDirectory: User identity management.
Audit.Exchange: Mail and calendaring server.
Audit.SharePoint: Web-based collaborative platform.
Audit.General: Includes all other workloads not included in the previous content types.
DLP.All: Data loss prevention workloads.
Default value |
N/A |
Allowed values |
Any string |
Example of configuration
<office365>
<enabled>yes</enabled>
<interval>1m</interval>
<curl_max_size>1M</curl_max_size>
<only_future_events>yes</only_future_events>
<api_auth>
<tenant_id>your_tenant_id</tenant_id>
<client_id>your_client_id</client_id>
<client_secret>your_client_secret</client_secret>
</api_auth>
<subscriptions>
<subscription>Audit.AzureActiveDirectory</subscription>
<subscription>Audit.General</subscription>
</subscriptions>
</office365>
Example of multiple tenants
<office365>
<enabled>yes</enabled>
<interval>1m</interval>
<curl_max_size>1M</curl_max_size>
<only_future_events>yes</only_future_events>
<api_auth>
<tenant_id>your_tenant_id</tenant_id>
<client_id>your_client_id</client_id>
<client_secret>your_client_secret</client_secret>
</api_auth>
<api_auth>
<tenant_id>your_tenant_id_2</tenant_id>
<client_id>your_client_id_2</client_id>
<client_secret>your_client_secret_2</client_secret>
</api_auth>
<subscriptions>
<subscription>Audit.AzureActiveDirectory</subscription>
<subscription>Audit.General</subscription>
</subscriptions>
</office365>