Open Al19172 opened 2 years ago
Hi @LeftHater ,
Happy to know that this feature is useful and working! :smile: QQ: what do you mean by the location of an Office 365 event?
I look forward to your comments!
I am also looking for geoIP location enhancement of data.office365.ClientIP in the office365 module events.
V4.3.0 with Wazuh indexer
Hi @LeftHater and @washingon,
You need to edit /usr/share/filebeat/module/wazuh/alerts/ingest/pipeline.json
and add a block that aims to ingest data.office365.ClientIP
as a location:
    {
      "geoip": {
        "field": "data.office365.ClientIP",
        "target_field": "GeoLocation",
        "properties": ["city_name", "country_name", "region_name", "location"],
        "ignore_missing": true,
        "ignore_failure": true
      }
    }
Filebeat should be restarted after this change.
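The block above has to land inside the top-level "processors" array of pipeline.json, and it is easy to paste it twice or into the wrong place by hand. The script below is an added example (not part of the Wazuh project or of this comment) that inserts the exact processor from the comment idempotently, right after the pipeline's existing geoip processors so the alert has already been parsed when it runs. It assumes pipeline.json is a standard Elasticsearch ingest pipeline document with a "processors" list; the sample pipeline in the test is constructed, not the real file contents.

```python
"""Add the data.office365.ClientIP geoip processor to Filebeat's Wazuh alerts
ingest pipeline exactly once (example code, not part of the Wazuh project)."""
import copy
import json
import sys
from pathlib import Path

# Path named in the thread; the file layout (a "processors" array) is an
# assumption based on the standard ingest-pipeline format.
PIPELINE_PATH = Path("/usr/share/filebeat/module/wazuh/alerts/ingest/pipeline.json")

# The processor block suggested in the thread, verbatim.
OFFICE365_GEOIP = {
    "geoip": {
        "field": "data.office365.ClientIP",
        "target_field": "GeoLocation",
        "properties": ["city_name", "country_name", "region_name", "location"],
        "ignore_missing": True,
        "ignore_failure": True,
    }
}


def add_office365_geoip(pipeline: dict) -> tuple:
    """Return (pipeline, changed).

    The processor is added once: a second run finds the existing geoip
    processor for data.office365.ClientIP and changes nothing. It is placed
    after the last existing geoip processor (Wazuh already geolocates other
    fields into GeoLocation) so the json processor that expands the raw
    alert has already run; if no geoip processor exists it is appended.
    """
    processors = pipeline.setdefault("processors", [])
    for proc in processors:
        geo = proc.get("geoip")
        if geo and geo.get("field") == OFFICE365_GEOIP["geoip"]["field"]:
            return pipeline, False

    geo_positions = [i for i, p in enumerate(processors) if "geoip" in p]
    if geo_positions:
        processors.insert(geo_positions[-1] + 1, copy.deepcopy(OFFICE365_GEOIP))
    else:
        processors.append(copy.deepcopy(OFFICE365_GEOIP))
    return pipeline, True


def update_pipeline_file(path: Path = PIPELINE_PATH) -> bool:
    """Rewrite the pipeline file in place; returns True when it was changed."""
    pipeline = json.loads(path.read_text())
    pipeline, changed = add_office365_geoip(pipeline)
    if changed:
        path.write_text(json.dumps(pipeline, indent=2) + "\n")
    return changed


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else PIPELINE_PATH
    if update_pipeline_file(target):
        # Editing the file is not enough; Filebeat must push the pipeline to
        # the indexer (see the later comment in this thread).
        print(f"{target}: geoip processor added; now run: filebeat setup --pipelines")
    else:
        print(f"{target}: geoip processor already present, nothing to do")
```

Run it as root with the default path, or pass a copy of pipeline.json as the first argument to preview the result before touching the live file.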
No change.
Exact change made as requested on wazuh-manager. Restarted Filebeat and wazuh-manager. I have 1 wazuh-manager and 3 wazuh-indexer nodes.
No geoIP fields in newly added office365 events. No events showing on the map.
Hello. In theory it works, but in practice it doesn't, because ClientIP is always the server IP from what I saw.
My office365 event records have valid and accurate public IP in the data.office365.ClientIP
@Al19172 I placed the indicated code in /usr/share/filebeat/module/wazuh/alerts/ingest/pipeline.json
and restarted Filebeat with systemctl restart filebeat,
but I am not seeing any geolocation data.
I am a complete newbie to Wazuh and a casual user of Linux, and was hoping for some specific help to figure out how to debug this and find out what is missing. If this is the wrong place, I also have a thread on the Wazuh Slack. Thanks.
@washingon
Let me do some extra validations and I'll be back ASAP
@Al19172 according to Detailed properties in the audit log, ClientIP is available for some services (Azure Active Directory, Exchange, SharePoint) and could be:
* The IP address of the device that was used when the activity was logged.
* For some services, the value displayed in this property might be the IP address for a trusted application (for example, Office on the web apps) calling into the service on behalf of a user and not the IP address of the device used by the person who performed the activity.
* For admin activity (or activity performed by a system account) for Azure Active Directory-related events, the IP address isn't logged and the value for the ClientIP property is null.
Hello, I still don't get the geolocation data after doing what you said. I'm waiting for your answer, and thanks for the help.
Hi all,
Filebeat restart is not enough to load the new ingest pipeline. The following command should also be executed:
    filebeat setup --pipelines
This could be validated by using the Wazuh Dashboard Dev Tool.
Now, new events should appear with the proper Geolocalization.
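Two things are worth checking in the Dev Tools console after running `filebeat setup --pipelines`: that the pipeline the indexer holds actually contains the new geoip processor (if it does not, the file edit was never pushed), and that a simulated alert with a public ClientIP comes back with GeoLocation filled in. The helpers below are an added example, not code from the Wazuh project or from this comment. They build the `_simulate` request to paste into Dev Tools and interpret the `GET _ingest/pipeline/<id>` and `_simulate` responses. The pipeline id is a placeholder (list the real one with `GET _ingest/pipeline`), the alert is wrapped in a `message` field on the assumption that this is how Filebeat ships each line of alerts.json before the pipeline's json processor expands it, and the response below is constructed, including a second document with a null ClientIP to show the case described earlier in the thread where geoip has nothing to resolve.

```python
"""Build and interpret Dev Tools requests that validate the office365 geoip
processor (example code, not part of the Wazuh project)."""
import json

# Placeholder: copy the real id from the output of `GET _ingest/pipeline`.
PIPELINE_ID = "filebeat-<version>-wazuh-alerts-pipeline"
CLIENT_IP_FIELD = "data.office365.ClientIP"


def office365_geoip_loaded(get_pipeline_response: dict, pipeline_id: str) -> bool:
    """Inspect the body of `GET _ingest/pipeline/<pipeline_id>`.

    False means the processor added to pipeline.json never reached the
    indexer, i.e. `filebeat setup --pipelines` has not run successfully.
    """
    processors = get_pipeline_response.get(pipeline_id, {}).get("processors", [])
    return any(p.get("geoip", {}).get("field") == CLIENT_IP_FIELD for p in processors)


def simulate_body(client_ip) -> dict:
    """Body for `_simulate` carrying one minimal, constructed alert.

    The alert is serialised into `message`, mimicking what Filebeat reads
    from alerts.json (assumption about the shipping format).
    """
    alert = {"data": {"office365": {"ClientIP": client_ip}}}
    return {"docs": [{"_source": {"message": json.dumps(alert)}}]}


def dev_tools_request(pipeline_id: str, client_ip) -> str:
    """The two-part request to paste into the Wazuh Dashboard Dev Tools."""
    body = json.dumps(simulate_body(client_ip), indent=2)
    return f"POST _ingest/pipeline/{pipeline_id}/_simulate\n{body}"


def geolocations_from_simulate(response: dict) -> list:
    """GeoLocation of each simulated doc, or None when geoip produced none.

    None is expected for a null ClientIP (admin / system-account activity
    in Azure AD events), a private address, or a processor that is not
    loaded; a public ClientIP with the processor loaded should yield a dict
    with a `location` entry.
    """
    result = []
    for entry in response.get("docs", []):
        source = entry.get("doc", {}).get("_source", {})
        geo = source.get("GeoLocation")
        result.append(geo if isinstance(geo, dict) and "location" in geo else None)
    return result


# Constructed sample of a `_simulate` response: one doc with a documentation
# address (203.0.113.7) resolved by geoip, one doc with a null ClientIP.
SAMPLE_SIMULATE_RESPONSE = {
    "docs": [
        {"doc": {"_index": "_index", "_id": "_id",
                 "_source": {"data": {"office365": {"ClientIP": "203.0.113.7"}},
                             "GeoLocation": {"city_name": "Example City",
                                             "country_name": "Example Country",
                                             "region_name": "Example Region",
                                             "location": {"lat": 0.0, "lon": 0.0}}},
                 "_ingest": {"timestamp": "2023-01-01T00:00:00.000Z"}}},
        {"doc": {"_index": "_index", "_id": "_id",
                 "_source": {"data": {"office365": {"ClientIP": None}}},
                 "_ingest": {"timestamp": "2023-01-01T00:00:00.000Z"}}},
    ]
}


if __name__ == "__main__":
    print(dev_tools_request(PIPELINE_ID, "203.0.113.7"))
    for ip, geo in zip(["203.0.113.7", None], geolocations_from_simulate(SAMPLE_SIMULATE_RESPONSE)):
        print(f"ClientIP={ip!r}: {'geolocated' if geo else 'no GeoLocation'}")
```

Paste the printed request into Dev Tools; if `GeoLocation` is absent from the `_source` of the returned doc while `data.office365.ClientIP` is a public address, check the `GET _ingest/pipeline/<id>` output first, since `ignore_failure` on the processor hides any lookup error.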
Hello @jnasselle, thanks! It's already working. Can you tell me if I can create a table with the locations? I know that you can create a dashboard, but I couldn't find the GeoIP data. Thanks for the help.
Hello, I'm on a project for my company and I am trying to add Office 365 to Wazuh. It's working, but I need to get the location of an Office 365 event. If you can help me I will be thankful.