wazuh / wazuh

Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
https://wazuh.com/

Release 4.9.0 - Alpha 3 - E2E UX tests - Office365 integration #24861

Closed davidjiglesias closed 1 month ago

davidjiglesias commented 1 month ago

End-to-End (E2E) Testing Guideline

For the conclusions and the issue testing and updates, use the following legend:

Status legend

Issue delivery and completion

Deployment requirements

| Component | Installation | Type | OS |
|---|---|---|---|
| Indexer | Quickstart | - | Debian 11 x86_64 |
| Server | Same as indexer | all-in-one | - |
| Dashboard | Same as indexer | all-in-one | - |
| Agent | Installing Wazuh agents | - | Debian 11 x86_64 |

Test description

https://documentation-dev.wazuh.com/v4.9.0-alpha3/cloud-security/office365/index.html

Test different use cases on Office 365 events and check that alerts are generated and make sense.

The documentation asks to configure the SharePoint subscription, but use the following instead. The services added were the following:

- Audit.AzureActiveDirectory
- Audit.Exchange
- Audit.General
- DLP.All

Known issues

There are no known issues.

Conclusions

| Status | Test | Failure type | Notes |
|---|---|---|---|
| 🟢 | Test: Quickstart installation | - | - |
| 🟢 | Test: Agent installation (Debian 11 x86_64) | - | - |
| 🟢 | Test: Office integration | - | - |

Feedback

We value your feedback. Please provide insights on your testing experience.

Append the following configuration to the /var/ossec/etc/ossec.conf file on the Wazuh server:

Reviewers validation

The criteria for completing this task are based on the validation of the conclusions and the test results by all reviewers.

All the checkboxes below must be marked in order to close this issue.
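The issue asks for the Office 365 module block to be appended to `/var/ossec/etc/ossec.conf` with the four subscriptions listed above, but the block itself did not survive extraction. The following is an added reconstruction, not text from the issue: the element names are the ones documented for the Wazuh `office365` module; the `interval`, `curl_max_size` and `only_future_events` values and the tenant/client/secret placeholders are assumptions.

```xml
<ossec_config>
  <office365>
    <enabled>yes</enabled>
    <!-- Skip the historical backlog so the test only sees events generated during the run. -->
    <only_future_events>yes</only_future_events>
    <interval>1m</interval>
    <curl_max_size>1M</curl_max_size>
    <api_auth>
      <!-- Placeholders: take these from the app registration shown in the tester's screenshots. -->
      <tenant_id>TENANT_ID_PLACEHOLDER</tenant_id>
      <client_id>CLIENT_ID_PLACEHOLDER</client_id>
      <!-- <client_secret_path> may be used instead, so the secret is not kept inline in ossec.conf. -->
      <client_secret>CLIENT_SECRET_PLACEHOLDER</client_secret>
      <api_type>commercial</api_type>
    </api_auth>
    <!-- Subscriptions from the issue description; Audit.SharePoint is deliberately not enabled. -->
    <subscriptions>
      <subscription>Audit.AzureActiveDirectory</subscription>
      <subscription>Audit.Exchange</subscription>
      <subscription>Audit.General</subscription>
      <subscription>DLP.All</subscription>
    </subscriptions>
  </office365>
</ossec_config>
```

Restart `wazuh-manager` after appending the block; alerts from the module arrive with `data.integration` set to `office365`, which is what the dashboard filters on.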

natcastillo commented 1 month ago

Environment setup

Host information

```command
root@bullseye:~# cat /etc/os-release; ip a;
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:8d:c0:4d brd ff:ff:ff:ff:ff:ff
    altname enp0s3
    inet 10.0.2.15/24 brd 10.0.2.255 scope global dynamic eth0
       valid_lft 85626sec preferred_lft 85626sec
    inet6 fe80::a00:27ff:fe8d:c04d/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:22:86:31 brd ff:ff:ff:ff:ff:ff
    altname enp0s8
    inet 192.168.1.11/24 brd 192.168.1.255 scope global dynamic eth1
       valid_lft 85641sec preferred_lft 85641sec
```

```command
root@bullseye:/home/vagrant# lscpu
Architecture:                       x86_64
CPU op-mode(s):                     32-bit, 64-bit
Byte Order:                         Little Endian
Address sizes:                      39 bits physical, 48 bits virtual
CPU(s):                             2
On-line CPU(s) list:                0,1
Thread(s) per core:                 1
Core(s) per socket:                 2
Socket(s):                          1
NUMA node(s):                       1
Vendor ID:                          GenuineIntel
CPU family:                         6
Model:                              140
Model name:                         11th Gen Intel(R) Core(TM) i7-1165G7 @ 2.80GHz
Stepping:                           1
CPU MHz:                            2803.212
BogoMIPS:                           5606.42
Hypervisor vendor:                  KVM
Virtualization type:                full
L1d cache:                          96 KiB
L1i cache:                          64 KiB
L2 cache:                           2.5 MiB
L3 cache:                           24 MiB
NUMA node0 CPU(s):                  0,1
Vulnerability Gather data sampling: Not affected
Vulnerability Itlb multihit:        Not affected
Vulnerability L1tf:                 Not affected
Vulnerability Mds:                  Not affected
Vulnerability Meltdown:             Not affected
Vulnerability Mmio stale data:      Not affected
Vulnerability Retbleed:             Mitigation; Enhanced IBRS
Vulnerability Spec rstack overflow: Not affected
Vulnerability Spec store bypass:    Vulnerable
Vulnerability Spectre v1:           Mitigation; usercopy/swapgs barriers and __user pointer sanitization
Vulnerability Spectre v2:           Mitigation; Enhanced IBRS, RSB filling, PBRSB-eIBRS SW sequence
Vulnerability Srbds:                Not affected
Vulnerability Tsx async abort:      Not affected
Flags:                              fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx rdtscp lm constant_tsc rep_good nopl xtopology nonstop_tsc cpuid tsc_known_freq pni pclmulqdq ssse3 cx16 pcid sse4_1 sse4_2 movbe popcnt aes rdrand hypervisor lahf_lm abm 3dnowprefetch invpcid_single ibrs_enhanced fsgsbase bmi1 bmi2 invpcid rdseed clflushopt arat md_clear flush_l1d arch_capabilities
```

```command
root@bullseye:/home/vagrant# free -g
               total        used        free      shared  buff/cache   available
Mem:               1           0           0           0           1           1
Swap:              0           0           0
```

```command
root@bullseye:/home/vagrant# lsblk
NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sda      8:0    0  100G  0 disk
└─sda1   8:1    0  100G  0 part /
```

Agent

```command
root@bullseye:~# cat /etc/os-release; ip a;
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:8d:c0:4d brd ff:ff:ff:ff:ff:ff
    altname enp0s3
    inet 10.0.2.15/24 brd 10.0.2.255 scope global dynamic eth0
       valid_lft 85002sec preferred_lft 85002sec
    inet6 fe80::a00:27ff:fe8d:c04d/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:76:b3:fe brd ff:ff:ff:ff:ff:ff
    altname enp0s8
    inet 192.168.1.13/24 brd 192.168.1.255 scope global dynamic eth1
       valid_lft 85014sec preferred_lft 85014sec
    inet6 fe80::a00:27ff:fe76:b3fe/64 scope link
       valid_lft forever preferred_lft forever
```
natcastillo commented 1 month ago

Wazuh central components installation

Quickstart installation 🟢

The `Debian 11` OS is not in the recommended systems. Needed to use `-i` to ignore this check.

Command used for installation 4.9.0:

```command
curl -sO https://packages-dev.wazuh.com/4.9/wazuh-install.sh && sudo bash ./wazuh-install.sh -a -i
```

```command
root@bullseye:~# curl -sO https://packages-dev.wazuh.com/4.9/wazuh-install.sh && sudo bash ./wazuh-install.sh -a -i
23/07/2024 21:21:12 INFO: Starting Wazuh installation assistant. Wazuh version: 4.9.0
23/07/2024 21:21:12 INFO: Verbose logging redirected to /var/log/wazuh-install.log
23/07/2024 21:21:12 INFO: The recommended systems are: Red Hat Enterprise Linux 7, 8, 9; CentOS 7, 8; Amazon Linux 2; Ubuntu 16.04, 18.04, 20.04, 22.04.
23/07/2024 21:21:12 WARNING: The current system does not match with the list of recommended systems. The installation may not work properly.
23/07/2024 21:21:16 WARNING: Hardware checks ignored.
23/07/2024 21:21:19 INFO: Wazuh web interface port will be 443.
23/07/2024 21:21:26 INFO: Wazuh development repository added.
23/07/2024 21:21:26 INFO: --- Configuration files ---
23/07/2024 21:21:26 INFO: Generating configuration files.
23/07/2024 21:21:27 INFO: Generating the root certificate.
23/07/2024 21:21:27 INFO: Generating Admin certificates.
23/07/2024 21:21:27 INFO: Generating Wazuh indexer certificates.
23/07/2024 21:21:27 INFO: Generating Filebeat certificates.
23/07/2024 21:21:27 INFO: Generating Wazuh dashboard certificates.
23/07/2024 21:21:28 INFO: Created wazuh-install-files.tar. It contains the Wazuh cluster key, certificates, and passwords necessary for installation.
23/07/2024 21:21:28 INFO: --- Wazuh indexer ---
23/07/2024 21:21:28 INFO: Starting Wazuh indexer installation.
23/07/2024 21:21:41 INFO: Wazuh indexer installation finished.
23/07/2024 21:21:41 INFO: Wazuh indexer post-install configuration finished.
23/07/2024 21:21:41 INFO: Starting service wazuh-indexer.
23/07/2024 21:22:09 INFO: wazuh-indexer service started.
23/07/2024 21:22:09 INFO: Initializing Wazuh indexer cluster security settings.
23/07/2024 21:26:23 INFO: Wazuh indexer cluster security configuration initialized.
23/07/2024 21:26:23 INFO: Wazuh indexer cluster initialized.
23/07/2024 21:26:23 INFO: --- Wazuh server ---
23/07/2024 21:26:23 INFO: Starting the Wazuh manager installation.
23/07/2024 21:28:21 INFO: Wazuh manager installation finished.
23/07/2024 21:28:21 INFO: Wazuh manager vulnerability detection configuration finished.
23/07/2024 21:28:21 INFO: Starting service wazuh-manager.
23/07/2024 21:28:54 INFO: wazuh-manager service started.
23/07/2024 21:28:54 INFO: Starting Filebeat installation.
23/07/2024 21:29:18 INFO: Filebeat installation finished.
23/07/2024 21:29:53 INFO: Filebeat post-install configuration finished.
23/07/2024 21:29:56 INFO: Starting service filebeat.
23/07/2024 21:30:12 INFO: filebeat service started.
23/07/2024 21:30:12 INFO: --- Wazuh dashboard ---
23/07/2024 21:30:12 INFO: Starting Wazuh dashboard installation.
23/07/2024 21:41:09 INFO: Wazuh dashboard installation finished.
23/07/2024 21:41:17 INFO: Wazuh dashboard post-install configuration finished.
23/07/2024 21:41:17 INFO: Starting service wazuh-dashboard.
23/07/2024 21:41:18 INFO: wazuh-dashboard service started.
23/07/2024 21:41:20 INFO: Updating the internal users.
23/07/2024 21:41:38 INFO: A backup of the internal users has been saved in the /etc/wazuh-indexer/internalusers-backup folder.
23/07/2024 21:42:23 INFO: The filebeat.yml file has been updated to use the Filebeat Keystore username and password.
23/07/2024 21:43:57 INFO: Initializing Wazuh dashboard web application.
23/07/2024 21:43:58 INFO: Wazuh dashboard web application initialized.
23/07/2024 21:43:58 INFO: --- Summary ---
23/07/2024 21:43:58 INFO: You can access the web interface https://:443
    User: admin
    Password: nMhiJ+zakXyRB*pO9nscYYzqO48bZI9x
23/07/2024 21:43:58 INFO: Installation finished.
```

Verify installation 🟢

```command
root@bullseye:~# dpkg -l | grep wazuh
ii  wazuh-dashboard  4.9.0-1  amd64  Wazuh dashboard is a user interface and visualization tool for security-related data. This Wazuh central component enables exploring, visualizing, and analyzing the stored security alerts generated by the Wazuh server. Wazuh dashboard enables inspecting the status and managing the configurations of the Wazuh cluster and agents as well as creating and managing users and roles. In addition, it allows testing the ruleset and making calls to the Wazuh API. Documentation can be found at https://documentation.wazuh.com/current/getting-started/components/wazuh-dashboard.html
ii  wazuh-indexer    4.9.0-1  amd64  Wazuh indexer is a near real-time full-text search and analytics engine that gathers security-related data into one platform.
ii  wazuh-manager    4.9.0-1  amd64  Wazuh helps you to gain security visibility into your infrastructure by monitoring hosts at an operating system and application level. It provides the following capabilities: log analysis, file integrity monitoring, intrusions detection and policy and compliance monitoring
```

Manager verification 🟢

```command
root@bullseye:~# /var/ossec/bin/wazuh-control status
wazuh-clusterd not running...
wazuh-modulesd is running...
wazuh-monitord is running...
wazuh-logcollector is running...
wazuh-remoted is running...
wazuh-syscheckd is running...
wazuh-analysisd is running...
wazuh-maild not running...
wazuh-execd is running...
wazuh-db is running...
wazuh-authd is running...
wazuh-agentlessd not running...
wazuh-integratord not running...
wazuh-dbd not running...
wazuh-csyslogd not running...
wazuh-apid is running...
```

Dashboard verification 🟢

![image](https://github.com/user-attachments/assets/78fe205a-9f8e-45b8-8637-92a953442cfc)
![image](https://github.com/user-attachments/assets/aa53021e-aa0d-40db-bfdf-5ce05275e2af)
![image](https://github.com/user-attachments/assets/1b97092e-4074-4c77-af00-bdab5f3a5f80)
natcastillo commented 1 month ago

Wazuh agent installation 🟢

```sh
root@bullseye:~# wget https://packages-dev.wazuh.com/pre-release/apt/pool/main/w/wazuh-agent/wazuh-agent_4.9.0-1_amd64.deb && sudo WAZUH_MANAGER='192.168.1.11' WAZUH_AGENT_NAME='debian-agent' dpkg -i ./wazuh-agent_4.9.0-1_amd64.deb
--2024-07-24 03:03:07--  https://packages-dev.wazuh.com/pre-release/apt/pool/main/w/wazuh-agent/wazuh-agent_4.9.0-1_amd64.deb
Resolving packages-dev.wazuh.com (packages-dev.wazuh.com)... 18.155.252.106, 18.155.252.40, 18.155.252.114, ...
Connecting to packages-dev.wazuh.com (packages-dev.wazuh.com)|18.155.252.106|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10736556 (10M) [application/vnd.debian.binary-package]
Saving to: ‘wazuh-agent_4.9.0-1_amd64.deb’

wazuh-agent_4.9.0-1_amd64.de 100%[============================================>]  10.24M  1.80MB/s    in 7.3s

2024-07-24 03:03:15 (1.40 MB/s) - ‘wazuh-agent_4.9.0-1_amd64.deb’ saved [10736556/10736556]

Selecting previously unselected package wazuh-agent.
(Reading database ... 135696 files and directories currently installed.)
Preparing to unpack .../wazuh-agent_4.9.0-1_amd64.deb ...
Unpacking wazuh-agent (4.9.0-1) ...
Setting up wazuh-agent (4.9.0-1) ...
root@bullseye:~# systemctl daemon-reload
systemctl enable wazuh-agent
systemctl start wazuh-agent
Created symlink /etc/systemd/system/multi-user.target.wants/wazuh-agent.service → /lib/systemd/system/wazuh-agent.service.
```

```cmd
root@bullseye:~# /var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: bullseye (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: debian-agent, IP: any, Active

List of agentless devices:
```

![image](https://github.com/user-attachments/assets/d1afd9d0-6bf9-4536-9dd9-194db9f59f7a)
natcastillo commented 1 month ago

Configure Office365 Integration 🟢

1. Register App
   ![image](https://github.com/user-attachments/assets/a35f9f90-7f28-458e-aadb-fadf7724711d)
2. Certificate and Secret
   ![image](https://github.com/user-attachments/assets/cd4aee72-2c30-406d-a997-e9f3b74eed05)
3. API Permissions
   ![image](https://github.com/user-attachments/assets/2183e982-fed4-41c6-8da1-3669c4824f2d)
natcastillo commented 1 month ago

Wazuh Configuration 🟢

Office 365 Documentation and Configuration

```
yes
1m
1M
yes
xxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxx
xxxxxxxxxxxx
commercial
Audit.SharePoint
Audit.AzureActiveDirectory
Audit.Exchange
Audit.General
DLP.All
```

Office 365 dashboards 🟢

Dashboard alerts

![image](https://github.com/user-attachments/assets/476b0390-0fe3-48e7-b314-d80f7dc6710a)

```json
{
  "_index": "wazuh-alerts-4.x-2024.07.24",
  "_id": "7ZlP5ZAB7S0DLqFLVwIq",
  "_score": 0,
  "_source": {
    "input": {
      "type": "log"
    },
    "agent": {
      "name": "bullseye",
      "id": "000"
    },
    "manager": {
      "name": "bullseye"
    },
    "data": {
      "integration": "office365",
      "office365": {
        "AzureActiveDirectoryEventType": "1",
        "UserKey": "6bb2c710-4d86-4e70-a557-5ce822ba8721",
        "ActorIpAddress": "161.10.150.119",
        "Operation": "UserLoggedIn",
        "OrganizationId": "0fea4e03-8146-453b-b889-54b4bd11565b",
        "ExtendedProperties": [
          { "Value": "Success", "Name": "ResultStatusDetail" },
          { "Value": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36", "Name": "UserAgent" },
          { "Value": "OAuth2:Authorize", "Name": "RequestType" }
        ],
        "IntraSystemId": "62bc94ea-cfcf-4bf9-a995-516623948300",
        "Target": [
          { "Type": 0, "ID": "797f4846-ba00-4fd7-ba43-dac1f8f63013" }
        ],
        "RecordType": "15",
        "Version": "1",
        "ModifiedProperties": [],
        "Actor": [
          { "Type": 0, "ID": "6bb2c710-4d86-4e70-a557-5ce822ba8721" },
          { "Type": 5, "ID": "natalia.castillo@wazuh.com" }
        ],
        "DeviceProperties": [
          { "Value": "Windows10", "Name": "OS" },
          { "Value": "Chrome", "Name": "BrowserType" },
          { "Value": "bc6dd324-ef1f-4f20-aa3e-b7e073379ffd", "Name": "SessionId" }
        ],
        "Subscription": "Audit.AzureActiveDirectory",
        "ActorContextId": "0fea4e03-8146-453b-b889-54b4bd11565b",
        "ResultStatus": "Success",
        "ObjectId": "797f4846-ba00-4fd7-ba43-dac1f8f63013",
        "ErrorNumber": "0",
        "ClientIP": "161.10.150.119",
        "Workload": "AzureActiveDirectory",
        "UserId": "natalia.castillo@wazuh.com",
        "TargetContextId": "0fea4e03-8146-453b-b889-54b4bd11565b",
        "CreationTime": "2024-07-24T15:10:26",
        "Id": "62bc94ea-cfcf-4bf9-a995-516623948300",
        "InterSystemsId": "1b4d9f79-fee8-426f-bd8f-6c55463de8f8",
        "ApplicationId": "c44b4083-3bb0-49c1-b47d-974e53cbdf3c",
        "UserType": "0"
      }
    },
    "rule": {
      "firedtimes": 1,
      "mail": false,
      "level": 3,
      "hipaa": [ "164.312.a.2.I", "164.312.b", "164.312.d", "164.312.e.2.II" ],
      "pci_dss": [ "8.3", "10.6.1" ],
      "description": "Office 365: Secure Token Service (STS) logon events in Azure Active Directory.",
      "groups": [ "office365", "AzureActiveDirectoryStsLogon" ],
      "id": "91545"
    },
    "location": "office365",
    "decoder": {
      "name": "json"
    },
    "id": "1721834098.805987",
    "GeoLocation": {
      "city_name": "Barranquilla",
      "country_name": "Colombia",
      "region_name": "Atlántico",
      "location": {
        "lon": -74.7837,
        "lat": 10.9711
      }
    },
    "timestamp": "2024-07-24T15:14:58.759+0000"
  },
  "fields": {
    "timestamp": [ "2024-07-24T15:14:58.759Z" ]
  }
}
```
jotacarma90 commented 1 month ago

LGTM!!

mjcr99 commented 1 month ago

LGTM
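The test asks that Office 365 alerts "make sense"; one mechanical part of that is checking that every `office365` alert belongs to a subscription that was actually configured (the issue replaces the SharePoint subscription with four others). The script below is an added example, not part of the thread or of Wazuh: it reads alerts in the one-object-per-line shape of Wazuh's `alerts.json`, using the field names of the alert shown earlier (`data.integration`, `data.office365.Subscription`, `Operation`, `UserId`, `ClientIP`), over a constructed sample; the user and IP values are constructed.

```python
"""Check Office 365 alerts against the subscriptions configured in ossec.conf (added example)."""
import json
from collections import Counter

# Subscriptions the issue asked testers to enable (Audit.SharePoint deliberately absent).
CONFIGURED_SUBSCRIPTIONS = {
    "Audit.AzureActiveDirectory", "Audit.Exchange", "Audit.General", "DLP.All",
}


def _o365(sub, op, status):
    """Build one constructed alert line carrying only the fields the check reads."""
    return json.dumps({
        "rule": {"level": 3, "groups": ["office365"]},
        "data": {"integration": "office365", "office365": {
            "Subscription": sub, "Operation": op, "ResultStatus": status,
            "UserId": "tester@example.invalid", "ClientIP": "203.0.113.10"}},
    })


# Constructed sample: two Entra ID logon events, one SharePoint event, one non-O365 alert.
SAMPLE_ALERTS = "\n".join([
    _o365("Audit.AzureActiveDirectory", "UserLoggedIn", "Success"),
    _o365("Audit.AzureActiveDirectory", "UserLoginFailed", "Failed"),
    _o365("Audit.SharePoint", "FileAccessed", "Success"),
    json.dumps({"rule": {"level": 3, "groups": ["syslog"]}, "data": {"srcuser": "root"}}),
])


def check_office365_alerts(alert_lines, configured):
    """Return counts per 'Subscription/Operation' for Office 365 alerts, plus the alerts
    whose Subscription is not in the configured set (a sign the running ossec.conf
    differs from the one under test)."""
    counts = Counter()
    unexpected = []
    for line in alert_lines.splitlines():
        if not line.strip():
            continue
        data = json.loads(line).get("data", {})
        if data.get("integration") != "office365":
            continue  # alert from another decoder; outside this check
        ev = data.get("office365", {})
        sub, op = ev.get("Subscription"), ev.get("Operation")
        counts[f"{sub}/{op}"] += 1
        if sub not in configured:
            unexpected.append({"subscription": sub, "operation": op,
                               "user": ev.get("UserId"), "ip": ev.get("ClientIP")})
    return {"counts": dict(counts), "unexpected": unexpected}


if __name__ == "__main__":
    print(json.dumps(check_office365_alerts(SAMPLE_ALERTS, CONFIGURED_SUBSCRIPTIONS), indent=2))
```

Run it against a real file with `open("/var/ossec/logs/alerts/alerts.json").read()` in place of `SAMPLE_ALERTS`; a non-empty `unexpected` list after the SharePoint subscription was removed points at a stale manager configuration rather than at the integration itself.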