The Office 365 integration enables monitoring of security events from Microsoft 365 services. Events are collected from the Office 365 Management Activity API and displayed in the Wazuh Dashboard.

Overview

The Office 365 integration collects security and compliance events from your Microsoft 365 environment, including Exchange Online, SharePoint Online, OneDrive for Business, and Azure Active Directory activities. All events are tagged with wazuh.integration.name: o365 for filtering and analysis. Reference: plugins/main/common/wazuh-modules.ts:85

Monitored Office 365 Services

The integration monitors activities from:
  • Exchange Online - Email activities, mailbox access, message tracking
  • SharePoint Online - Document access, sharing, and modifications
  • OneDrive for Business - File operations and sharing activities
  • Azure Active Directory - User authentication and authorization
  • Microsoft Teams - Meeting and channel activities
  • Power BI - Dashboard and report access
  • Dynamics 365 - CRM activities
  • Yammer - Social network activities
  • Sway - Presentation activities
  • Microsoft Stream - Video portal activities

Key Features

  • Real-time event collection from Office 365 Management API
  • Multi-tenant support
  • Comprehensive activity logging
  • User behavior analytics
  • Data loss prevention (DLP) event monitoring
  • Compliance event tracking
  • Pre-built dashboards and visualizations

Data Source Configuration

The Office 365 data source uses the following configuration:
const OFFICE_365_GROUP_KEY = 'wazuh.integration.name';
const OFFICE_365_GROUP_VALUE = 'o365';
Reference: plugins/main/public/components/common/data-source/pattern/events/office-365/office-365-data-source.ts:5

Event Fields

Office 365 events include fields such as:
  • data.office365.UserType - Type of user (Regular, Admin, System, etc.)
  • data.office365.AuditLogScope - Online or OnPremise
  • event.type - Event action type
  • data.office365.Operation - Specific operation performed
  • data.office365.Workload - Office 365 service (Exchange, SharePoint, etc.)
  • data.office365.UserId - User who performed the action
  • data.office365.ClientIP - Client IP address
  • data.office365.ResultStatus - Success or failure status
References:
  • plugins/main/public/components/overview/office/panel/config/helpers/helper-value-suggestion.ts:34
  • plugins/main/public/components/overview/office/panel/config/visualizations.ts:69

User Type Values

Based on Microsoft documentation, UserType can be:
  • Regular (0) - Regular user
  • Reserved (1) - Reserved
  • Admin (2) - Administrator
  • DcAdmin (3) - Microsoft datacenter operator
  • System (4) - System account
  • Application (5) - Application
  • ServicePrincipal (6) - Service principal
  • CustomPolicy (7) - Custom policy
  • SystemPolicy (8) - System policy
Reference: plugins/main/public/components/overview/office/panel/config/helpers/helper-value-suggestion.ts:14

Setup and Configuration

Prerequisites

  • Office 365 subscription with appropriate license
  • Global Administrator or Security Administrator role
  • Azure AD application registration
  • Wazuh manager with Office 365 module enabled

Configuration Steps

  1. Register Azure AD Application
    • Sign in to Azure Portal
    • Navigate to Azure Active Directory > App registrations
    • Click “New registration”
    • Provide name (e.g., “Wazuh Office 365 Integration”)
    • Select “Accounts in this organizational directory only”
    • Register the application
  2. Configure API Permissions
    Add the following Office 365 Management API permissions:
    • ActivityFeed.Read - Read activity data
    • ActivityFeed.ReadDlp - Read DLP policy events
    • ServiceHealth.Read - Read service health information
  3. Create Client Secret
    • In the app registration, go to Certificates & secrets
    • Click “New client secret”
    • Add description and set expiration
    • Copy the secret value (save it securely)
  4. Note Required Information
    Collect the following:
    • Application (client) ID
    • Directory (tenant) ID
    • Client secret value
  5. Enable Office 365 Audit Logging
    # Connect to Exchange Online (requires the ExchangeOnlineManagement PowerShell module)
    Connect-ExchangeOnline

    # Enable unified audit log ingestion for the tenant
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    
  6. Configure Wazuh Manager
    Edit /var/ossec/etc/ossec.conf and add the Office 365 module block:
    <!-- The Office 365 module has its own <office365> block; it is not a wodle -->
    <office365>
      <enabled>yes</enabled>
      <interval>10m</interval>
      <curl_max_size>1M</curl_max_size>
      <only_future_events>yes</only_future_events>
      <api_auth>
        <tenant_id>your-tenant-id</tenant_id>
        <client_id>your-client-id</client_id>
        <client_secret>your-client-secret</client_secret>
      </api_auth>
      <subscriptions>
        <subscription>Audit.AzureActiveDirectory</subscription>
        <subscription>Audit.Exchange</subscription>
        <subscription>Audit.SharePoint</subscription>
        <subscription>Audit.General</subscription>
      </subscriptions>
    </office365>
    
  7. Verify Configuration
    • Restart Wazuh manager
    • Check /var/ossec/logs/ossec.log for connection success
    • Verify events appear in the dashboard
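Before restarting the manager it is worth confirming that the tenant ID, client ID and secret from steps 1 to 4 actually work against the Office 365 Management Activity API and that the subscriptions named in ossec.conf are enabled. The following pre-flight check is an added example, not part of the Wazuh project; the pure helpers run offline, and the live calls at the bottom run only when the assumed environment variables O365_TENANT_ID, O365_CLIENT_ID and O365_CLIENT_SECRET are set.

```python
"""Pre-flight check of Office 365 Management Activity API credentials."""
import json
import os
import urllib.parse
import urllib.request

LOGIN = "https://login.microsoftonline.com"
MANAGE = "https://manage.office.com"
# Content types matching the <subscriptions> in the ossec.conf example above.
WANTED = ["Audit.AzureActiveDirectory", "Audit.Exchange",
          "Audit.SharePoint", "Audit.General"]

def token_request(tenant_id, client_id, client_secret):
    """OAuth2 client-credentials request; the Management API uses the .default scope."""
    url = f"{LOGIN}/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{MANAGE}/.default",
    }).encode()
    return url, body

def subscription_url(tenant_id, action, content_type=None):
    """Activity feed subscription endpoint: action is list, start or stop."""
    url = f"{MANAGE}/api/v1.0/{tenant_id}/activity/feed/subscriptions/{action}"
    return url if content_type is None else f"{url}?contentType={content_type}"

def missing_subscriptions(list_response, wanted=WANTED):
    """Wanted content types that are not reported as 'enabled' by /list."""
    enabled = {s["contentType"] for s in list_response if s.get("status") == "enabled"}
    return [ct for ct in wanted if ct not in enabled]

def _call(url, data=None, token=None, method=None):
    req = urllib.request.Request(url, data=data, method=method or ("POST" if data else "GET"))
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

if __name__ == "__main__":
    env = [os.environ.get(k) for k in ("O365_TENANT_ID", "O365_CLIENT_ID", "O365_CLIENT_SECRET")]
    if all(env):
        tenant, client, secret = env
        url, body = token_request(tenant, client, secret)
        token = _call(url, body)["access_token"]          # HTTP 400/401 here: wrong tenant/client/secret
        subs = _call(subscription_url(tenant, "list"), token=token)  # 401/403: admin consent missing
        for ct in missing_subscriptions(subs):            # start is a POST with an empty body
            print("not enabled, run:", subscription_url(tenant, "start", ct))
    else:
        print("set O365_TENANT_ID, O365_CLIENT_ID and O365_CLIENT_SECRET to run the live check")
```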

Dashboard Visualizations

The Office 365 integration includes visualizations:

Overview Dashboard

  • Stats - Total events and event types
  • Top Event Actions - Most frequent operations
  • Events Over Time - Activity timeline
  • Top Users - Most active users
  • Top Operations - Most common operations
  • Workload Distribution - Events by Office 365 service
Reference: plugins/main/public/components/overview/office/panel/config/visualizations.ts:1

Filtering Events

Filter Office 365 events using:
wazuh.integration.name: "o365"
Additional filters:
  • By user: data.office365.UserId: "user@domain.com"
  • By operation: data.office365.Operation: "FileAccessed"
  • By workload: data.office365.Workload: "SharePoint"
  • By user type: data.office365.UserType: "2" (Admin)
  • By status: data.office365.ResultStatus: "Failed"

Use Cases

Security Monitoring

  • Unauthorized Access Detection
    • Monitor failed login attempts
    • Track access from unusual locations
    • Identify compromised accounts
  • Privileged Activity Tracking
    • Monitor administrator actions
    • Track permission changes
    • Audit role assignments
  • Data Access Monitoring
    • Track sensitive file access
    • Monitor external sharing activities
    • Detect unusual download patterns

Compliance and Auditing

  • Regulatory Compliance
    • GDPR data access logging
    • HIPAA audit trail requirements
    • SOX financial record access
    • PCI DSS access control monitoring
  • Data Loss Prevention
    • DLP policy violation tracking
    • Sensitive information sharing detection
    • External file sharing monitoring
  • Retention and eDiscovery
    • Email retention compliance
    • Legal hold monitoring
    • Document retention tracking

Insider Threat Detection

  • Mass file downloads
  • Unusual access patterns
  • After-hours activity
  • Access to restricted resources
  • Permission escalation attempts

Operational Monitoring

  • User adoption tracking
  • Service usage analytics
  • Performance issue detection
  • License utilization monitoring

Common Security Events

Authentication Events

  • UserLoggedIn
  • UserLoginFailed
  • UserPasswordChanged
  • UserPasswordReset
  • UserAccountEnabled
  • UserAccountDisabled

File and Document Events

  • FileAccessed
  • FileDownloaded
  • FileModified
  • FileDeleted
  • FileMoved
  • FileCopied
  • FileShared
  • FileSharedWithGuest

Email Events

  • Send (email sent)
  • SendAs (send as another user)
  • SendOnBehalf (send on behalf of)
  • MailboxLogin
  • MessageDelivered
  • MessageReceived

Administrative Events

  • Add-RoleGroupMember
  • Remove-RoleGroupMember
  • Set-Mailbox
  • New-InboundConnector
  • Set-AdminAuditLogConfig
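The event names above, the UserType codes from the User Type Values section and the data.office365.* fields can be combined into simple triage logic over Wazuh alert records. The script below is an added example, not code from the Wazuh project; the alert records are constructed to mirror the data.office365 field names on this page, and the threshold and the list of privileged operations are assumptions for illustration.

```python
"""Triage constructed Wazuh Office 365 alerts using data.office365.* fields."""
from collections import Counter

# UserType codes as listed under User Type Values.
USER_TYPES = {0: "Regular", 1: "Reserved", 2: "Admin", 3: "DcAdmin", 4: "System",
              5: "Application", 6: "ServicePrincipal", 7: "CustomPolicy", 8: "SystemPolicy"}
# Administrative operations from the list above (assumed set for this example).
PRIVILEGED_OPS = {"Add-RoleGroupMember", "Remove-RoleGroupMember", "Set-Mailbox",
                  "New-InboundConnector", "Set-AdminAuditLogConfig"}
FAILED_LOGIN_THRESHOLD = 3  # assumed; tune per tenant

def user_type_name(value):
    """Map the numeric UserType (stored as int or string) to its name."""
    try:
        return USER_TYPES.get(int(value), f"Unknown({value})")
    except (TypeError, ValueError):
        return f"Unknown({value})"

def triage(alerts):
    """Return (finding, user, detail) tuples for the conditions worth reviewing."""
    findings, failed = [], Counter()
    for alert in alerts:
        o = alert.get("data", {}).get("office365", {})
        op, user, ip = o.get("Operation"), o.get("UserId"), o.get("ClientIP")
        utype = user_type_name(o.get("UserType"))
        if op == "UserLoginFailed" or (op == "UserLoggedIn" and o.get("ResultStatus") == "Failed"):
            failed[(user, ip)] += 1
            if failed[(user, ip)] == FAILED_LOGIN_THRESHOLD:   # report once per user/IP pair
                findings.append(("repeated_failed_login", user, ip))
        if op in PRIVILEGED_OPS:
            # An admin operation from a non-admin user type deserves a closer look.
            state = "expected" if utype in ("Admin", "DcAdmin") else "review"
            findings.append((f"privileged_op:{state}", user, op))
        if op == "FileSharedWithGuest":
            findings.append(("guest_share", user, o.get("Workload")))
    return findings

# Constructed sample alerts shaped like Wazuh alerts.json records.
SAMPLE_ALERTS = [
    {"data": {"office365": {"Operation": "UserLoginFailed", "UserId": "alice@example.com",
                            "ClientIP": "203.0.113.7", "UserType": "0", "ResultStatus": "Failed",
                            "Workload": "AzureActiveDirectory"}}} for _ in range(3)
] + [
    {"data": {"office365": {"Operation": "Add-RoleGroupMember", "UserId": "bob@example.com",
                            "ClientIP": "198.51.100.4", "UserType": "0", "Workload": "Exchange"}}},
    {"data": {"office365": {"Operation": "FileSharedWithGuest", "UserId": "carol@example.com",
                            "ClientIP": "198.51.100.9", "UserType": 2, "Workload": "SharePoint"}}},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_ALERTS):
        print(*finding)
```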

Troubleshooting

No Events Appearing

  • Verify Azure AD app registration is complete
  • Check API permissions are granted and consented
  • Ensure Office 365 audit logging is enabled
  • Verify client secret is valid and not expired
  • Check tenant ID and client ID are correct
  • Review Wazuh logs for authentication errors

Missing Events from Specific Services

  • Verify subscription is configured for that service
  • Check service audit logging is enabled
  • Ensure appropriate license is assigned
  • Verify API permissions include required scopes

Authentication Failures

  • Check client secret hasn’t expired
  • Verify tenant ID is correct
  • Ensure admin consent was granted
  • Check network connectivity to Office 365 API

Performance Issues

  • Adjust polling interval to reduce API calls
  • Limit subscriptions to required services only
  • Increase curl_max_size if events are large
  • Monitor API throttling limits

Security Best Practices

  1. Secure Credentials - Store client secrets securely
  2. Regular Key Rotation - Rotate client secrets periodically
  3. Principle of Least Privilege - Grant minimum API permissions
  4. Monitor the Monitor - Track integration access patterns
  5. Enable MFA - Require MFA for admin accounts
  6. Regular Audits - Review collected events regularly
  7. Alert Configuration - Set up alerts for critical events
  8. Retention Policies - Configure appropriate log retention

Advanced Configuration

Filtering Specific Events

Limit the subscriptions to the services you need; for example, to collect only Azure Active Directory audit events:
<office365>
  <only_future_events>yes</only_future_events>
  <api_auth>
    <!-- auth config -->
  </api_auth>
  <subscriptions>
    <subscription>Audit.AzureActiveDirectory</subscription>
  </subscriptions>
</office365>

Multi-Tenant Monitoring

Monitor multiple Office 365 tenants:
<office365>
  <enabled>yes</enabled>
  <interval>10m</interval>
  <api_auth>
    <tenant_id>tenant-1-id</tenant_id>
    <client_id>client-1-id</client_id>
    <client_secret>client-1-secret</client_secret>
  </api_auth>
  <!-- subscriptions -->
</office365>

<office365>
  <enabled>yes</enabled>
  <interval>10m</interval>
  <api_auth>
    <tenant_id>tenant-2-id</tenant_id>
    <client_id>client-2-id</client_id>
    <client_secret>client-2-secret</client_secret>
  </api_auth>
  <!-- subscriptions -->
</office365>