wazuh / wazuh

Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
https://wazuh.com/

How to get location of a office 365 event #13415

Open Al19172 opened 2 years ago

Al19172 commented 2 years ago

Hello, I'm on a project for my company and I am trying to add Office 365 to Wazuh. It's working, but I need to get the location of an Office 365 event. If you can help me I will be thankful.

jnasselle commented 2 years ago

Hi @LeftHater,

Happy to know that this feature is useful and working! :smile: QQ: what do you mean by the location of an Office 365 event?

I look forward to your comments!

washingon commented 2 years ago

I am also looking for geoIP location enhancement of data.office365.ClientIP in the office365 module events.

V4.3.0 with Wazuh indexer


jnasselle commented 2 years ago

Hi @LeftHater and @washingon,

You need to edit /usr/share/filebeat/module/wazuh/alerts/ingest/pipeline.json and add a block that aims to ingest data.office365.ClientIP as a location:

    {
      "geoip": {
        "field": "data.office365.ClientIP",
        "target_field": "GeoLocation",
        "properties": ["city_name", "country_name", "region_name", "location"],
        "ignore_missing": true,
        "ignore_failure": true
      }
    }

Filebeat should be restarted after this change.

washingon commented 2 years ago

No change.

Exact change made as requested on wazuh-manager. Restarted Filebeat and wazuh-manager. I have 1 wazuh-manager and 3 wazuh-indexer nodes.

No geoIP fields in newly added office365 events. No events showing on the map.

Al19172 commented 2 years ago

> Hi @LeftHater and @washingon,
>
> You need to edit /usr/share/filebeat/module/wazuh/alerts/ingest/pipeline.json and add a block that aims to ingest data.office365.ClientIP as a location:
>
>     {
>       "geoip": {
>         "field": "data.office365.ClientIP",
>         "target_field": "GeoLocation",
>         "properties": ["city_name", "country_name", "region_name", "location"],
>         "ignore_missing": true,
>         "ignore_failure": true
>       }
>     }
>
> Filebeat should be restarted after this change.

Hello, in theory it works, but in practice it doesn't, because ClientIP is always the server IP from what I saw.

jnasselle commented 2 years ago

@washingon

Let me do some extra validations and I'll be back ASAP.

@Al19172 according to Detailed properties in the audit log, ClientIP is available for some services (Azure Active Directory, Exchange, SharePoint) and could be:

* The IP address of the device that was used when the activity was logged.

* For some services, the value displayed in this property might be the IP address for a trusted application (for example, Office on the web apps) calling into the service on behalf of a user and not the IP address of the device used by the person who performed the activity.

* For admin activity (or activity performed by a system account) for Azure Active Directory-related events, the IP address isn't logged and the value for the ClientIP property is null.

washingon commented 2 years ago

My office365 event records have valid and accurate public IPs in data.office365.ClientIP.

ahaer11 commented 2 years ago

@Al19172 I placed the indicated code in /usr/share/filebeat/module/wazuh/alerts/ingest/pipeline.json and restarted filebeat with systemctl restart filebeat, but I am not seeing any geolocation data.

I am a complete newbie to Wazuh and a casual user of Linux, and I was hoping for some specific help to figure out how to debug this and find out what is missing... If this is the wrong place, I also have a thread on the Wazuh Slack. Thanks

Al19172 commented 2 years ago

> @washingon
>
> Let me do some extra validations and I'll be back ASAP.
>
> @Al19172 according to Detailed properties in the audit log, ClientIP is available for some services (Azure Active Directory, Exchange, SharePoint) and could be:
>
> * The IP address of the device that was used when the activity was logged.
>
> * For some services, the value displayed in this property might be the IP address for a trusted application (for example, Office on the web apps) calling into the service on behalf of a user and not the IP address of the device used by the person who performed the activity.
>
> * For admin activity (or activity performed by a system account) for Azure Active Directory-related events, the IP address isn't logged and the value for the ClientIP property is null.

Hello, I still don't get the geolocation data after doing what you said. I'm waiting for your answer, and thanks for the help.

jnasselle commented 2 years ago

Hi all,

Filebeat restart is not enough to load the new ingest pipeline. The following command should also be executed:

    filebeat setup --pipelines

This could be validated by using the Wazuh Dashboard Dev Tools.

Now, new events should appear with the proper Geolocalization.
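The two things this thread turned on, placing the geoip block inside the pipeline's processors array and understanding why some alerts still come out without GeoLocation (null ClientIP, a value that is not a bare IP, or a non-routable address), as an added example that is not Wazuh or Filebeat project code. SAMPLE_PIPELINE and the alerts passed to geoip_eligibility are constructed stand-ins for the real pipeline.json and real Office 365 records.

```python
# Added example, not Wazuh or Filebeat project code. SAMPLE_PIPELINE stands in
# for /usr/share/filebeat/module/wazuh/alerts/ingest/pipeline.json (constructed).
import copy
import ipaddress

GEOIP_O365 = {"geoip": {
    "field": "data.office365.ClientIP",
    "target_field": "GeoLocation",
    "properties": ["city_name", "country_name", "region_name", "location"],
    "ignore_missing": True,
    "ignore_failure": True,
}}

# Constructed: a minimal pipeline with the shape the thread edits.
SAMPLE_PIPELINE = {
    "description": "Wazuh alerts pipeline (constructed sample)",
    "processors": [
        {"json": {"field": "message", "add_to_root": True}},
        {"geoip": {"field": "data.srcip", "target_field": "GeoLocation",
                   "ignore_missing": True}},
    ],
}


def add_geoip_processor(pipeline, processor=GEOIP_O365):
    """Copy of pipeline with the block appended INSIDE the "processors" array
    (not at the top level of the file). Idempotent per geoip field."""
    out = copy.deepcopy(pipeline)
    procs = out.setdefault("processors", [])
    field = processor["geoip"]["field"]
    if not any(p.get("geoip", {}).get("field") == field for p in procs):
        procs.append(copy.deepcopy(processor))
    return out


def geoip_eligibility(alert):
    """Classify why an alert may still lack GeoLocation once the pipeline
    is loaded:
      missing - ClientIP null or absent (admin/system events); ignore_missing skips it
      invalid - not a bare IP literal (e.g. "ip:port"); ignore_failure hides the error
      private - non-routable address; the GeoIP database has no entry for it
      ok      - routable public address; enrichment is possible"""
    ip = alert.get("data", {}).get("office365", {}).get("ClientIP")
    if not ip:
        return "missing"
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "invalid"
    return "ok" if addr.is_global else "private"
```

Run geoip_eligibility over a sample of recent office365 alerts before touching the pipeline again: if most come back "missing" or "private", the processor is working as configured and the data simply has nothing to geolocate.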

Al19172 commented 2 years ago

Hello @jnasselle, thanks! It's already working. Can you tell me if I can create a table with the locations? I know that you can create a dashboard, but I couldn't find the GeoIP data. Thanks for the help.