Office 365 logs to Wazuh

OLUWATOSIN EMMANUEL ODEKOYA 0 Reputation points
2025-02-21T19:55:10.7933333+00:00

Sending logs to Wazuh from Office 365 via app registration is not working

Feb 21, 2025 @ 23:02:32.000 wazuh-modulesd:office365 WARNING  Sending Office365 internal message: '{"integration":"office365","office365":{"actor":"wazuh","tenant_id":"XXXXXXXXXXXXXXX","subscription_name":"Audit.AzureActiveDirectory","response":"{\"error\":{\"code\":\"StartSubscription [CorrId=5f89c3d0-a924-4b2b-86c2-8a1f58baa34c][TenantId=XOXOXOXOXOXOXOXOX,ContentType=Audit.AzureActiveDirectory,ApplicationId=XOXOXOXOXOXOXOXOX,PublisherId=00000000-0000-0000-0000-000000000000][AppId\",\"message\":\"fe9ef7a-9f4d-48da-a554-0ce1c843ac56] failed. Exception: Microsoft.Office.Compliance.Audit.DataServiceException: Tenant XXXXXXXXXXXXXXX does not exist.\\r\\n   at Microsoft.Office.Compliance.Audit.API.AzureManager.<GetSubscriptionTableClientForTenantAsync>d__52.MoveNext() in F:\\\\dbs\\\\el\\\\82cc\\\\sources\\\\dev\\\\AuditAPIService\\\\Common\\\\AzureManager.cs:line 2118\\r\\n--- End of stack trace from previous location where exception was thrown ---\\r\\n   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\\r\\n   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\\r\\n   at Microsoft.Office.Compliance.Audit.API.AzureManager.<GetAPISubscriptionAsync>d__22.MoveNext() in F:\\\\dbs\\\\el\\\\82cc\\\\sources\\\\dev\\\\AuditAPIService\\\\Common\\\\AzureManager.cs:line 555\\r\\n--- End of stack trace from previous location where exception was thrown ---\\r\\n   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\\r\\n   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\\r\\n   at Microsoft.Office.Compliance.Audit.API.StartController.<StartSubscription>d__0.MoveNext() in F:\\\\dbs\\\\el\\\\82cc\\\\sources\\\\dev\\\\AuditAPIService\\\\APIFrontEndServiceRole\\\\Controllers\\\\StartController.cs:line 76\"}}"}}'

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

1 answer

  1. Kancharla Saiteja 945 Reputation points Microsoft Vendor
    2025-02-26T07:22:09.39+00:00

    Hi @OLUWATOSIN EMMANUEL ODEKOYA ,

    Thank you for posting your query on Microsoft Q&A. I am Saiteja from Q&A and will be assisting you with your query.

    Based on the error, I understand that you have an issue while retrieving the logs from Azure to Wazuh.

    As per the error, I see the O365 management API exception errors while retrieving the logs. This issue occurs when you do not have proper licenses to retrieve the details from Azure. For O365 API, we need at least Premium P1 or Premium P2. I would request you to check if you can get any of the following licenses and try the same.

    Also, if your application calls for Unified logs, you need to ensure that you turn on the logs using the following document: https://learn.microsoft.com/en-us/office/office-365-management-api/troubleshooting-the-office-365-management-activity-api#enable-unified-audit-logging-in-office-365.

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment
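
Added example (not part of the original question or answer, and not Wazuh's or Microsoft's code): a Python sketch that unwraps the doubly encoded JSON in the `wazuh-modulesd:office365` warning shown in the question, so the tenant, subscription and exception text can be read without the stack trace. The sample line is constructed with placeholder values, and the function names are hypothetical.

```python
import json
import re

MARKER = "Sending Office365 internal message: '"

def parse_office365_warning(line):
    """Return tenant, subscription and decoded API error from one log line."""
    start = line.find(MARKER)
    if start == -1:
        return None  # not an office365 internal-message warning
    payload = line[start + len(MARKER):].rstrip()
    if payload.endswith("'"):
        payload = payload[:-1]  # drop the closing quote around the message
    outer = json.loads(payload)["office365"]
    result = {"tenant_id": outer.get("tenant_id"),
              "subscription": outer.get("subscription_name"),
              "exception": None, "reason": None}
    # "response" is itself a JSON document stored as a string.
    try:
        error = json.loads(outer.get("response", "")).get("error", {})
    except (ValueError, AttributeError):
        return result  # response missing or not a JSON object
    if not isinstance(error, dict):
        return result
    # In the question's log the text is split across "code" and "message",
    # so search both fields together.
    text = "{} {}".format(error.get("code", ""), error.get("message", ""))
    match = re.search(r"Exception: ([\w.]+): ([^\r\n]*)", text)
    if match:
        result["exception"] = match.group(1)
        result["reason"] = match.group(2).strip()
    return result

def constructed_sample():
    """Constructed log line shaped like the one in the question (placeholders)."""
    inner = {"error": {
        "code": "StartSubscription [CorrId=CORR-PLACEHOLDER][AppId",
        "message": "APP-PLACEHOLDER] failed. Exception: "
                   "Microsoft.Office.Compliance.Audit.DataServiceException: "
                   "Tenant TENANT-PLACEHOLDER does not exist.\r\n   at ...MoveNext()"}}
    outer = {"integration": "office365", "office365": {
        "actor": "wazuh", "tenant_id": "TENANT-PLACEHOLDER",
        "subscription_name": "Audit.AzureActiveDirectory",
        "response": json.dumps(inner)}}
    return ("wazuh-modulesd:office365 WARNING  " + MARKER
            + json.dumps(outer) + "'")

if __name__ == "__main__":
    print(parse_office365_warning(constructed_sample()))
```

Comparing the returned `tenant_id` with the tenant named in `reason` shows at a glance which tenant value the Management Activity API rejected for each subscription.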

