Wazuh Cloud Security - Cloud Environment Monitoring
Wazuh 4.14 delivers security monitoring for cloud environments through native integration with major cloud providers and SaaS platforms. The cloud security modules collect audit logs, resource management events, and protection service alerts, enabling centralized threat analysis across hybrid and multi-cloud infrastructures.
Cloud Monitoring Architecture
Wazuh employs dedicated modules (wodles) for cloud provider integration. Each module periodically queries the cloud service API or reads logs from storage, normalizes the retrieved data, and forwards it to the Wazuh server for rule-based analysis.
The general workflow:
- The cloud service writes events to storage (S3, Blob Storage, Pub/Sub) or exposes an API
- The Wazuh module retrieves events on a schedule (controlled by the interval parameter)
- Data is normalized and forwarded in JSON format to the Wazuh server
- Detection rules analyze events and generate alerts
- Alerts are indexed in the Wazuh Indexer (OpenSearch) for visualization
Supported Platforms
AWS - Amazon Web Services
AWS service monitoring through the aws-s3 module. Supported sources include CloudTrail (API audit), VPC Flow Logs (network traffic), GuardDuty (threat detection), WAF (web traffic filtering), Config (configuration change tracking), Macie (data protection), Inspector (vulnerability assessment), KMS (key management), and Trusted Advisor (security recommendations). Integration via S3 buckets and SQS queues.
Azure - Microsoft Azure
Azure monitoring through the azure-logs module. Data sources include Activity Logs (subscription-level activity), Log Analytics (analytical queries), and Microsoft Graph API (Microsoft Entra ID events). Supports Blob Storage for log collection and Microsoft Intune integration.
GCP - Google Cloud Platform
GCP monitoring through the gcp-pubsub module. Integration with Cloud Audit Logs via Pub/Sub subscriptions. Monitored events include data access, privileged actions, system events, and DNS queries.
Office 365
Microsoft 365 monitoring through the office365 module. Audit log collection via the Office 365 Management Activity API. Content types: Exchange, SharePoint, Azure Active Directory, DLP.
GitHub
GitHub organization monitoring through the github module. Audit event collection via the GitHub Audit Log API. Event types: repository management, teams, members, organization settings.
Common Configuration Principles
All cloud security modules are configured in ossec.conf on the Wazuh server or agent. The modules share several common parameters:
| Parameter | Description |
|---|---|
| enabled / disabled | Enable or disable the module |
| interval | Polling interval for the cloud API |
| run_on_start | Execute on agent or manager startup |
| only_future_events | Collect only new events after the first run |
Authentication uses provider-specific credentials: IAM roles and access keys for AWS, Azure AD app registrations for Azure and Office 365, service accounts with JSON key files for GCP, and personal access tokens for GitHub.
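The following ossec.conf fragment is an added example, not configuration taken from this page or shipped by the Wazuh project; it shows the common parameters above applied to two of the modules, the aws-s3 wodle (CloudTrail from an S3 bucket) and the github module. The bucket name, organization name, and API token are constructed placeholders.

```xml
<ossec_config>
  <!-- AWS: CloudTrail logs read from an S3 bucket (aws-s3 wodle) -->
  <wodle name="aws-s3">
    <disabled>no</disabled>
    <interval>10m</interval>            <!-- poll the bucket every 10 minutes -->
    <run_on_start>yes</run_on_start>    <!-- first poll right after the manager starts -->
    <skip_on_error>yes</skip_on_error>  <!-- continue if a single log object cannot be parsed -->
    <bucket type="cloudtrail">
      <name>example-cloudtrail-bucket</name>          <!-- placeholder bucket name -->
      <aws_profile>default</aws_profile>              <!-- credentials profile on the manager -->
      <only_logs_after>2024-JAN-01</only_logs_after>  <!-- ignore older objects on the first run -->
    </bucket>
  </wodle>

  <!-- GitHub: organization audit log via the Audit Log API (github module) -->
  <github>
    <enabled>yes</enabled>
    <interval>1m</interval>
    <run_on_start>yes</run_on_start>
    <only_future_events>yes</only_future_events>  <!-- skip history, start from the first run -->
    <api_auth>
      <org_name>example-org</org_name>              <!-- placeholder organization name -->
      <api_token>REPLACE_WITH_TOKEN</api_token>     <!-- placeholder personal access token -->
    </api_auth>
    <event_type>all</event_type>                    <!-- web, git, or all -->
  </github>
</ossec_config>
```

Note the difference in how the two modules bound the initial backfill: the github module uses only_future_events, whereas the aws-s3 wodle has no such parameter and instead takes a per-bucket only_logs_after date. Leaving both unset on a large bucket or a long-lived organization means the first run ingests the entire retained history, so set one of them deliberately before enabling the module on the manager.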
Related Sections
- Wazuh Capabilities - overview of all platform security modules
- Wazuh Log Data Collection - centralized log collection and normalization
- Wazuh Architecture - platform components and data flows