office365
New in version 4.3.0.
Note
This module only works on Windows, Linux, and macOS. It is recommended to have it enabled only in one agent to avoid repeated logs.
XML section name
<office365>
</office365>
Configuration options of the Office365 module.
Options

Options | Allowed values
---|---
enabled | yes, no
only_future_events | yes, no
interval | A positive number + suffix
curl_max_size | A positive number + suffix
api_auth | N/A
tenant_id | Any string
client_id | Any string
client_secret_path | Any string
client_secret | Any string
subscriptions | N/A
subscription | Any string
only_future_events
Set it to yes to collect only the events generated after the Wazuh manager was started.
By default, when Wazuh starts it only reads Office365 log content generated after the manager started.
Default value | yes
Allowed values | yes, no
api_auth
This block configures the credential for the authentication with the Office365 REST API.
Options | Allowed values
---|---
tenant_id | Any string
client_id | Any string
client_secret_path | Any string
client_secret | Any string
api_auth\tenant_id
Tenant ID of your application registered in Azure.
Default value | N/A
Allowed values | Any string
api_auth\client_id
Client ID of your application registered in Azure.
Default value | N/A
Allowed values | Any string
subscriptions
This block configures the subscription options used with the Office365 REST API.
Options | Allowed values
---|---
subscription | Any string
subscriptions\subscription
This section configures the content types from which to collect audit logs. These are the subscription types that can be configured:
Audit.AzureActiveDirectory: User identity management.
Audit.Exchange: Mail and calendaring server.
Audit.SharePoint: Web-based collaborative platform.
Audit.General: Includes all other workloads not included in the previous content types.
DLP.All: Data loss prevention workloads.
Default value | N/A
Allowed values | Any string
Example of configuration
<office365>
<enabled>yes</enabled>
<interval>1m</interval>
<curl_max_size>1M</curl_max_size>
<only_future_events>yes</only_future_events>
<api_auth>
<tenant_id>your_tenant_id</tenant_id>
<client_id>your_client_id</client_id>
<client_secret>your_client_secret</client_secret>
</api_auth>
<subscriptions>
<subscription>Audit.AzureActiveDirectory</subscription>
<subscription>Audit.General</subscription>
</subscriptions>
</office365>
Example of multiple tenants
<office365>
<enabled>yes</enabled>
<interval>1m</interval>
<curl_max_size>1M</curl_max_size>
<only_future_events>yes</only_future_events>
<api_auth>
<tenant_id>your_tenant_id</tenant_id>
<client_id>your_client_id</client_id>
<client_secret>your_client_secret</client_secret>
</api_auth>
<api_auth>
<tenant_id>your_tenant_id_2</tenant_id>
<client_id>your_client_id_2</client_id>
<client_secret>your_client_secret_2</client_secret>
</api_auth>
<subscriptions>
<subscription>Audit.AzureActiveDirectory</subscription>
<subscription>Audit.General</subscription>
</subscriptions>
</office365>
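The two examples above are easy to copy into ossec.conf with a placeholder left behind or a subscription name mistyped, and the module then simply collects nothing. The script below is an added example (it is not part of Wazuh or of this reference) that parses an <office365> block with the standard library and checks it against the allowed values documented on this page: yes/no options, the "positive number + suffix" options, at least one <api_auth> block with a tenant, client and secret (either <client_secret> or <client_secret_path>), and only the five listed content types as <subscription> values. The accepted suffix sets (s/m/h/d for interval, B/K/M/G for curl_max_size) and the treatment of duplicate subscriptions as an error are assumptions made for this example, as is the "your_" prefix used to spot placeholder credentials. Both sample blocks are constructed for the example; the first is a copy of the multi-tenant example above.

```python
"""Check a Wazuh <office365> block against the documented allowed values.

Added example, not Wazuh code. Option names and allowed values follow the
module reference; suffix sets, the duplicate-subscription rule and the
"your_" placeholder prefix are assumptions of this example.
"""
import re
import xml.etree.ElementTree as ET

# Content types the reference lists for <subscription>.
VALID_SUBSCRIPTIONS = {
    "Audit.AzureActiveDirectory",
    "Audit.Exchange",
    "Audit.SharePoint",
    "Audit.General",
    "DLP.All",
}

# "A positive number + suffix" (assumed suffix sets; a bare number is allowed).
TIME_RE = re.compile(r"^[1-9][0-9]*[smhd]?$")   # interval
SIZE_RE = re.compile(r"^[1-9][0-9]*[BKMG]?$")   # curl_max_size


def _text(elem, tag):
    """Text of the first child <tag>, or None if the child is absent."""
    child = elem.find(tag)
    return None if child is None else (child.text or "").strip()


def validate_office365(xml_text):
    """Return a list of problems; an empty list means the block is acceptable."""
    problems = []
    root = ET.fromstring(xml_text.strip())
    if root.tag != "office365":
        return ["root element is <%s>, expected <office365>" % root.tag]

    for tag in ("enabled", "only_future_events"):
        value = _text(root, tag)
        if value is not None and value not in ("yes", "no"):
            problems.append("<%s> must be yes or no, got %r" % (tag, value))

    interval = _text(root, "interval")
    if interval is not None and not TIME_RE.match(interval):
        problems.append("<interval> must be a positive number + suffix, got %r" % interval)
    size = _text(root, "curl_max_size")
    if size is not None and not SIZE_RE.match(size):
        problems.append("<curl_max_size> must be a positive number + suffix, got %r" % size)

    auths = root.findall("api_auth")
    if not auths:
        problems.append("at least one <api_auth> block is required")
    for n, auth in enumerate(auths, 1):
        for tag in ("tenant_id", "client_id"):
            if not _text(auth, tag):
                problems.append("<api_auth> #%d: missing <%s>" % (n, tag))
        if not (_text(auth, "client_secret") or _text(auth, "client_secret_path")):
            problems.append("<api_auth> #%d: needs <client_secret> or <client_secret_path>" % n)

    subs = root.find("subscriptions")
    if subs is None:
        problems.append("missing <subscriptions> block")
    else:
        names = [(s.text or "").strip() for s in subs.findall("subscription")]
        if not names:
            problems.append("<subscriptions> contains no <subscription>")
        for name in names:
            if name not in VALID_SUBSCRIPTIONS:
                problems.append("unknown <subscription> %r" % name)
        for name in sorted({n for n in names if names.count(n) > 1}):
            problems.append("duplicate <subscription> %r" % name)
    return problems


def find_placeholders(xml_text, prefix="your_"):
    """Credential fields still holding a documentation placeholder (sorted tag names)."""
    root = ET.fromstring(xml_text.strip())
    found = set()
    for auth in root.findall("api_auth"):
        for child in auth:
            if (child.text or "").strip().startswith(prefix):
                found.add(child.tag)
    return sorted(found)


# Constructed sample: copy of the multi-tenant example from the reference.
GOOD_CONFIG = """
<office365>
  <enabled>yes</enabled>
  <interval>1m</interval>
  <curl_max_size>1M</curl_max_size>
  <only_future_events>yes</only_future_events>
  <api_auth>
    <tenant_id>your_tenant_id</tenant_id>
    <client_id>your_client_id</client_id>
    <client_secret>your_client_secret</client_secret>
  </api_auth>
  <api_auth>
    <tenant_id>your_tenant_id_2</tenant_id>
    <client_id>your_client_id_2</client_id>
    <client_secret>your_client_secret_2</client_secret>
  </api_auth>
  <subscriptions>
    <subscription>Audit.AzureActiveDirectory</subscription>
    <subscription>Audit.General</subscription>
  </subscriptions>
</office365>
"""

# Constructed sample with five mistakes: bad <enabled>, zero interval,
# no secret, an unknown content type and a duplicated one.
BAD_CONFIG = """
<office365>
  <enabled>true</enabled>
  <interval>0m</interval>
  <api_auth>
    <tenant_id>11111111-2222-3333-4444-555555555555</tenant_id>
    <client_id>66666666-7777-8888-9999-000000000000</client_id>
  </api_auth>
  <subscriptions>
    <subscription>Audit.Everything</subscription>
    <subscription>Audit.General</subscription>
    <subscription>Audit.General</subscription>
  </subscriptions>
</office365>
"""

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, validate_office365(cfg), find_placeholders(cfg))
```

Run it against the block you intend to deploy and fix everything it reports before restarting the manager; the placeholder check is worth keeping even after the values are filled in, since it is a cheap way to catch an example block that was pasted into production unchanged.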