Custom Wazuh rules for security in Active Directory and Office365
Following the post Find the machine that locked a user in Active Directory via PowerShell, a few months later I was tasked with deploying Wazuh to meet part of a cyber-insurance requirement for a SIEM/XDR.
What is Wazuh?
Wazuh is an open source security platform that combines:
- HIDS (Host Intrusion Detection System)
- File integrity monitoring
- Vulnerability detection
- Log analysis and event correlation
- Incident response
It integrates easily with Windows, Linux, Cloud (Azure, AWS, GCP) and services like Office365, enabling centralized alerting and automated response.
Custom rules in local_rules.xml
We created a set of custom rules to monitor security in Active Directory. These rules detect:
- Failed login attempts
- User account lockouts
- Kerberos authentication errors
- Security group changes
- Critical system events (time, firewall, etc.)
Example rule for login failures:
<group name="local,windows,active_directory,">
  <!-- Logon failure events (4625 generic failure, 4771 Kerberos pre-auth failure) that name a target account.
       Wazuh's eventchannel decoder exposes the fields as win.system.* and win.eventdata.* -->
  <rule id="100010" level="5">
    <if_sid>60123</if_sid>
    <field name="win.system.eventID">^(4625|4771)$</field>
    <field name="win.eventdata.targetUserName">.+</field>
    <description>Failed login attempt on Windows — User: $(win.eventdata.targetUserName)</description>
  </rule>
</group>
Example rule for locked user:
<group name="local,windows,active_directory,">
  <!-- EventID 4740: account locked out. Matching the eventID keeps this rule from overlapping with
       rule 100010; in 4740 the caller computer name is carried in win.eventdata.targetDomainName -->
  <rule id="100020" level="8">
    <if_sid>60123</if_sid>
    <field name="win.system.eventID">^4740$</field>
    <field name="win.eventdata.targetUserName">.+</field>
    <description>User account locked — User: $(win.eventdata.targetUserName)</description>
  </rule>
</group>
Main EventIDs configured
The following Windows EventIDs were added to monitoring:
- 4740 — User account locked
- 4767 — User account unlocked
- 4771 — Kerberos pre-authentication failure (authentication failure)
- 4782 — Password change on user account
- 532 — Logon failure: account expired
- 4616 — System time change (possible log manipulation)
- 5025 — Windows Firewall has stopped unexpectedly
- 4727 / 4735 / 4737 — Security group creation or modification
With these rules we get real-time alerts on critical events affecting Active Directory security.
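The rules below extend the same pattern to the remaining EventIDs in the list and add one correlation rule for repeated failures. They are an added example written for this post, not the author's local_rules.xml: rule ids 100030-100034, the alert levels and the 10-failures-in-120-seconds threshold are assumptions, the correlation rule assumes rule 100010 above is loaded, and same_field assumes a Wazuh 4.x manager.

```xml
<group name="local,windows,active_directory,">

  <!-- 4767: account unlocked (pairs with the 4740 lockout rule) -->
  <rule id="100030" level="5">
    <if_sid>60123</if_sid>
    <field name="win.system.eventID">^4767$</field>
    <description>User account unlocked - User: $(win.eventdata.targetUserName) by $(win.eventdata.subjectUserName)</description>
  </rule>

  <!-- 4616: system time changed. Expect noise from the Windows Time service; tune on processName -->
  <rule id="100031" level="10">
    <if_sid>60123</if_sid>
    <field name="win.system.eventID">^4616$</field>
    <description>System time changed by $(win.eventdata.subjectUserName) via $(win.eventdata.processName)</description>
  </rule>

  <!-- 5025: Windows Firewall service stopped -->
  <rule id="100032" level="10">
    <if_sid>60123</if_sid>
    <field name="win.system.eventID">^5025$</field>
    <description>Windows Firewall service stopped on $(win.system.computer)</description>
    <mitre><id>T1562.004</id></mitre>
  </rule>

  <!-- 4727 / 4735 / 4737: security group created or modified (targetUserName is the group name) -->
  <rule id="100033" level="8">
    <if_sid>60123</if_sid>
    <field name="win.system.eventID">^(4727|4735|4737)$</field>
    <description>Security group created/modified - Group: $(win.eventdata.targetUserName) by $(win.eventdata.subjectUserName)</description>
  </rule>

  <!-- Correlation: 10 failed logons for the same account within 2 minutes (threshold is an assumption) -->
  <rule id="100034" level="10" frequency="10" timeframe="120">
    <if_matched_sid>100010</if_matched_sid>
    <same_field>win.eventdata.targetUserName</same_field>
    <description>Repeated failed logins for user $(win.eventdata.targetUserName)</description>
    <mitre><id>T1110</id></mitre>
  </rule>

</group>
```

After adding the rules, run wazuh-logtest (or restart wazuh-manager) and feed a sample 4740 and 4771 event through it to confirm each rule fires on its own EventID only.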
Office365 integration
In addition to the Windows layer, we configured Wazuh to receive Office365 logs, detecting:
- Login failures in Exchange, SharePoint and Teams
- Suspicious access from unusual locations
- MFA-related events
This gives a unified view: Windows + Office365 centralized in a single security dashboard.
Conclusion
Thanks to Wazuh and custom rules in local_rules.xml we achieved:
- Detecting failed authentication attempts in Active Directory
- Receiving alerts when a user is locked out
- Monitoring critical events on Windows
- Extending monitoring to the Office365 ecosystem
All managed from our Kibana dashboards, with full visibility of infrastructure security.
