
Wazuh Cloud Security Monitoring: AWS and Azure

Wazuh is not just an endpoint SIEM. With the cloud module, CloudTrail and GuardDuty ingestion, Azure log integration and container monitoring, it becomes a unified cloud security monitoring platform. Here is how to wire it up and what it detects.

Published 26 June 2026 | 12 min read | Codesecure SOC Engineering Team

Key Takeaways

  • Wazuh has a native cloud module that pulls AWS, Azure, GCP, Office 365 and Google Workspace logs without installing agents on cloud control planes.
  • AWS coverage: CloudTrail (API activity), GuardDuty (threat findings), VPC Flow Logs, S3 access logs, AWS Config and Inspector, all ingested via SQS or direct bucket polling.
  • Azure coverage: Activity Log, Microsoft Entra ID sign-ins, Azure Monitor and Microsoft Defender alerts via Event Hub or the Graph and Log Analytics APIs.
  • Container monitoring: Wazuh ingests Docker events and Kubernetes audit logs, and runs CIS Benchmark assessment against container hosts and clusters.
  • Why it matters: cloud breaches usually start with identity and API abuse, not malware. CloudTrail and Activity Log correlation catches the early signals commercial cloud SIEM charges heavily to retain.

The Wazuh Cloud Module: How It Pulls Cloud Logs

Cloud services do not run Wazuh agents. Instead Wazuh uses dedicated module integrations that poll cloud-native log sources on a schedule and feed the events into the same decoder, rule and alerting pipeline used for endpoints. This means a single Wazuh manager correlates an endpoint event with a cloud API event in the same rule engine, which is exactly where cross-domain attacks become visible.

On the manager you configure the integration block in the Wazuh configuration. For AWS the aws-s3 module reads logs that CloudTrail, GuardDuty, VPC Flow and similar services write to an S3 bucket, optionally driven by an SQS queue for near real-time delivery. For Azure the azure-logs module queries the Graph API, Log Analytics and storage, and for Microsoft 365 the office365 module reads the Unified Audit Log via the Management Activity API.

Each integration uses a scoped, least-privilege credential. For AWS that is an IAM role or user with read access to the specific log buckets and the GuardDuty and Config APIs. For Azure it is an app registration in Microsoft Entra ID with the minimum Graph and Log Analytics read permissions. Wazuh never needs write access to your cloud resources, so even a compromised manager cannot be used to alter them, which keeps the monitoring footprint's blast radius small.
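A manager-side configuration fragment for the aws-s3 module, added here as an illustration and not taken from the page or from the Wazuh project. Queue, bucket and role names are placeholders; the SQS subscriber block assumes Wazuh 4.4 or later.

```xml
<!-- /var/ossec/etc/ossec.conf fragment on the manager (added example, not the
     page's own configuration). Queue, bucket and role names are placeholders.
     The <subscriber> block needs Wazuh 4.4 or later. -->
<ossec_config>
  <wodle name="aws-s3">
    <disabled>no</disabled>
    <interval>10m</interval>
    <run_on_start>yes</run_on_start>
    <skip_on_error>yes</skip_on_error>

    <!-- Near real-time CloudTrail: S3 object-created notifications land in an
         SQS queue and the module fetches only the objects each message names. -->
    <subscriber type="buckets">
      <sqs_name>EXAMPLE-cloudtrail-queue</sqs_name>
      <aws_profile>default</aws_profile>
      <iam_role_arn>arn:aws:iam::111111111111:role/EXAMPLE-wazuh-readonly</iam_role_arn>
    </subscriber>

    <!-- Scheduled polling for sources that are not queue-fed. The type selects
         the parser. The assumed role holds only s3:GetObject and s3:ListBucket
         on these prefixes, plus the Inspector read API for the service block. -->
    <bucket type="guardduty">
      <name>EXAMPLE-security-logs</name>
      <path>guardduty</path>
      <aws_profile>default</aws_profile>
      <iam_role_arn>arn:aws:iam::111111111111:role/EXAMPLE-wazuh-readonly</iam_role_arn>
      <only_logs_after>2026-JAN-01</only_logs_after>
    </bucket>

    <bucket type="vpcflow">
      <name>EXAMPLE-security-logs</name>
      <path>vpcflow</path>
      <regions>ap-south-1,ap-southeast-1</regions>
      <aws_profile>default</aws_profile>
      <iam_role_arn>arn:aws:iam::111111111111:role/EXAMPLE-wazuh-readonly</iam_role_arn>
    </bucket>

    <service type="inspector">
      <aws_profile>default</aws_profile>
      <iam_role_arn>arn:aws:iam::111111111111:role/EXAMPLE-wazuh-readonly</iam_role_arn>
      <regions>ap-south-1</regions>
    </service>
  </wodle>
</ossec_config>
```

Restart the manager after editing and check `ossec.log` for the aws-s3 module's first run; a 403 there means the role policy is missing a prefix, not that the module is broken.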

AWS Monitoring: CloudTrail, GuardDuty and VPC Flow

CloudTrail is the foundation of AWS detection. Every API call (console, CLI, SDK) is recorded, so CloudTrail ingestion lets Wazuh detect root account usage, IAM policy changes, disabled CloudTrail, new access keys, public S3 bucket exposure, security group changes that open ports to the internet, and unusual cross-region activity. Wazuh ships default rules for many of these, and our SOC engineers add account-specific rules for sensitive resources.

GuardDuty is AWS native threat detection. Rather than duplicate its detection logic, Wazuh ingests GuardDuty findings as enriched events, so credential exfiltration, cryptomining, anomalous API calls and reconnaissance findings land in the same console and case workflow as everything else. This turns GuardDuty from an isolated AWS panel into a correlated SOC signal.

VPC Flow Logs give network-layer visibility: connections to known-bad IPs, data exfiltration volume spikes, lateral movement between subnets, and traffic to unexpected geographies. Combined with MISP threat intelligence feeds, Wazuh flags flows to indicators of compromise. AWS Config and Inspector findings round out the posture and vulnerability picture for cloud workloads.


Azure and Microsoft 365 Monitoring

The Azure Activity Log is the control-plane equivalent of CloudTrail: it records resource creation, deletion, role assignments and policy changes across the subscription. Wazuh ingestion catches privilege escalation through role assignments, deletion of diagnostic settings (a classic anti-forensics move), and creation of unexpected resources that often signal cryptomining or persistence.

Microsoft Entra ID sign-in and audit logs are where identity attacks surface. Wazuh correlates impossible-travel sign-ins, repeated MFA failures or fatigue prompts, sign-ins from anonymising infrastructure, and changes to conditional access policies. For most Azure tenants, identity is the real perimeter, and these logs are the highest-value source you can feed a SIEM.

Delivery is typically through an Event Hub: Azure Monitor and Microsoft Defender stream logs to the Event Hub, and Wazuh consumes from it. Microsoft 365 is covered separately through the office365 module, which surfaces mailbox rule creation, mass download, suspicious OAuth grants and admin changes. Together these give a single pane over Azure infrastructure, Entra identity and the M365 productivity layer.

Container and Kubernetes Monitoring

Containers move fast and disappear, which defeats traditional agent models. Wazuh handles this in two ways. First, an agent on the container host (or as a privileged DaemonSet pod on each Kubernetes node) monitors the Docker daemon, capturing container create, start, stop and exec events, image pulls and mounts. Suspicious patterns such as a shell spawned inside a running container or a container started in privileged mode generate alerts.

Second, Wazuh ingests the Kubernetes audit log, which records every API server request. This catches exec into pods, secret access, service account token misuse, creation of privileged workloads and RBAC changes. For clusters running on EKS or AKS, these audit logs flow through the same cloud integrations described above, unifying cluster activity with the rest of the cloud account.

On top of event monitoring, Wazuh runs CIS Benchmark configuration assessment against container hosts, Docker and Kubernetes, scoring them against hardening guidance. This produces the configuration evidence auditors expect for SOC 2 CC8 and ISO 27001 control objectives, and it flags drift such as an exposed Docker socket or an over-permissive cluster role.

High-Value Cloud Detection Use Cases

A practical Wazuh cloud detection set focuses on the techniques attackers actually use rather than trying to alert on everything. These map cleanly to MITRE ATT&CK for Cloud.

  • Identity abuse: root or global admin login, new access keys, MFA disabled, conditional access policy weakened, impossible travel.
  • Persistence: new IAM users or roles, OAuth app consent grants, scheduled tasks via cloud functions, unexpected service principals.
  • Defense evasion: CloudTrail or Activity Log diagnostic settings disabled, log buckets deleted, GuardDuty or Defender suspended.
  • Exfiltration: large S3 or Blob downloads, public bucket exposure, snapshot sharing to external accounts, VPC flow spikes to unknown destinations.
  • Cryptomining: sudden spin-up of large compute instances, GuardDuty cryptocurrency findings, container started with mining images.
  • Reconnaissance: enumeration of IAM, buckets or secrets, API error spikes indicating brute-force discovery.
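Custom CloudTrail rules covering four of the use cases above (defense evasion, identity abuse, persistence, reconnaissance), added here as an example and not part of the page or of Wazuh's shipped ruleset. It assumes rule 80200 is the stock AWS base rule in your installed ruleset and uses ids in the 100000+ custom range.

```xml
<!-- /var/ossec/etc/rules/local_rules.xml (added example, not Wazuh's stock
     ruleset). 80200 is assumed to be the stock AWS base rule; confirm the id
     against the installed ruleset before loading. -->
<group name="aws,cloudtrail,custom,">

  <!-- Defense evasion: trail stopped, deleted or altered (ATT&CK T1562.008) -->
  <rule id="100100" level="12">
    <if_sid>80200</if_sid>
    <field name="aws.source">cloudtrail</field>
    <field name="aws.eventName">^StopLogging$|^DeleteTrail$|^UpdateTrail$</field>
    <description>AWS CloudTrail: $(aws.eventName) by $(aws.userIdentity.arn)</description>
    <mitre><id>T1562.008</id></mitre>
  </rule>

  <!-- Identity abuse: root account used interactively (T1078.004) -->
  <rule id="100101" level="10">
    <if_sid>80200</if_sid>
    <field name="aws.source">cloudtrail</field>
    <field name="aws.userIdentity.type">^Root$</field>
    <field name="aws.eventName">^ConsoleLogin$</field>
    <description>AWS: root console login from $(aws.sourceIPAddress)</description>
    <mitre><id>T1078.004</id></mitre>
  </rule>

  <!-- Persistence: new long-lived credential (T1098.001) -->
  <rule id="100102" level="9">
    <if_sid>80200</if_sid>
    <field name="aws.source">cloudtrail</field>
    <field name="aws.eventName">^CreateAccessKey$</field>
    <description>AWS IAM: access key created by $(aws.userIdentity.arn)</description>
    <mitre><id>T1098.001</id></mitre>
  </rule>

  <!-- Reconnaissance: a low-level rule for any denied API call, then a
       frequency rule keyed on the calling identity. Roughly ten denials in
       two minutes is permission enumeration (T1580); the exact count is
       offset from the frequency attribute, see the ruleset reference. -->
  <rule id="100103" level="3">
    <if_sid>80200</if_sid>
    <field name="aws.errorCode">^AccessDenied</field>
    <description>AWS: AccessDenied for $(aws.userIdentity.arn) on $(aws.eventName)</description>
  </rule>

  <rule id="100104" level="10" frequency="10" timeframe="120">
    <if_matched_sid>100103</if_matched_sid>
    <same_field>aws.userIdentity.arn</same_field>
    <description>AWS: burst of AccessDenied errors for $(aws.userIdentity.arn)</description>
    <mitre><id>T1580</id></mitre>
  </rule>
</group>
```

Test each rule with `/var/ossec/bin/wazuh-logtest` by pasting a real CloudTrail record from your bucket before relying on it in production.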


Operating Cloud Monitoring in Practice

Cloud logs are voluminous and noisy. CloudTrail in an active AWS account can generate millions of events per day, most of them routine automation. The first 30 days of any cloud monitoring rollout are dominated by tuning: suppressing expected automation identities, scoping alerts to sensitive resources, and setting thresholds that separate a human attacker from a Terraform pipeline. Without this discipline analysts drown and real alerts get missed.
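The tuning pattern described above expressed as Wazuh rules, added as an example and not from the page: a level-0 child rule silences the expected pipeline identity, a sibling keeps the same action loud for a sensitive principal, and a frequency rule separates a human harvesting keys from automation. It assumes a custom rule 100102 that fires on CreateAccessKey; the role and user names are placeholders.

```xml
<!-- Tuning rules for a custom AWS set (added example, not from the page).
     Assumes custom rule 100102 fires on CloudTrail CreateAccessKey events.
     Role and user names are placeholders. -->
<group name="aws,cloudtrail,tuning,">

  <!-- Suppress: the Terraform deploy role creates keys during normal runs.
       A child rule at level 0 overrides the parent for that identity only,
       and negate keeps it from masking the sensitive-account rule below. -->
  <rule id="100150" level="0">
    <if_sid>100102</if_sid>
    <field name="aws.userIdentity.arn">:assumed-role/EXAMPLE-terraform-deploy/</field>
    <field name="aws.requestParameters.userName" negate="yes">^break-glass-admin$</field>
    <description>AWS IAM: access key created by the deployment pipeline (expected)</description>
  </rule>

  <!-- Scope: the same action against a break-glass account stays high
       regardless of which identity performed it. -->
  <rule id="100151" level="13">
    <if_sid>100102</if_sid>
    <field name="aws.requestParameters.userName">^break-glass-admin$</field>
    <description>AWS IAM: access key created for break-glass account $(aws.requestParameters.userName)</description>
  </rule>

  <!-- Threshold: one identity creating keys for several users in five minutes
       looks like credential harvesting. Pipeline events ended at rule 100150,
       so they never count toward this window. -->
  <rule id="100152" level="12" frequency="5" timeframe="300">
    <if_matched_sid>100102</if_matched_sid>
    <same_field>aws.userIdentity.arn</same_field>
    <description>AWS IAM: multiple access keys created by $(aws.userIdentity.arn) in a short window</description>
  </rule>
</group>
```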

Retention is a deliberate decision. Hot-search retention of 30 to 90 days in the Wazuh indexer covers most investigations, while colder snapshots to S3 or Blob storage satisfy compliance retention at a fraction of the cost commercial cloud SIEM charges. Because Wazuh has no per-GB ingestion fee, you can afford to keep the full CloudTrail and Activity Log history that incident response often needs.

Codesecure deploys Wazuh cloud monitoring as part of a managed SOC engagement: we connect each cloud account with least-privilege credentials, tune the detection set to your environment, wire findings into TheHive cases and n8n response playbooks, and operate it 24x7. For teams running Wazuh themselves, we deliver the cloud integration design, rule pack and tuning as a fixed-scope project with handover.


Frequently Asked Questions

Do I need a Wazuh agent on every cloud server?

Not for control-plane monitoring. The Wazuh cloud module pulls CloudTrail, GuardDuty, Azure Activity Log and similar sources via API without any agent. You do install agents on individual cloud virtual machines and container hosts when you want host-level telemetry such as file integrity monitoring, process events and vulnerability detection on those workloads.

Can Wazuh replace AWS GuardDuty or Microsoft Defender?

It complements them rather than replacing them. GuardDuty and Defender are strong native threat detectors for their own clouds. Wazuh ingests their findings and correlates them with everything else (endpoints, network, other clouds, identity) in one console and one case workflow. You keep the native detection and gain unified correlation and retention.

How does Wazuh handle multi-account AWS or multi-subscription Azure?

You configure one cloud integration per account or subscription, each with its own least-privilege read credential, all feeding a single Wazuh manager. For large AWS Organizations, centralising CloudTrail and GuardDuty to a logging account and pointing Wazuh at that account is the cleanest pattern. Codesecure designs the collection topology during scoping.

What does cloud monitoring with Wazuh cost compared to commercial cloud SIEM?

Wazuh has no per-GB ingestion or per-event licensing, so cost is infrastructure plus operations. Cloud SIEM products typically price on ingestion volume, which makes high-volume sources like CloudTrail and VPC Flow expensive to retain. For most organisations a Wazuh-based stack plus a managed service lands well below commercial cloud SIEM while retaining more data.

Does Wazuh cover Kubernetes running on EKS, AKS or GKE?

Yes. Wazuh ingests the Kubernetes audit log to monitor API server activity, runs agents as a DaemonSet for node and container telemetry, and performs CIS Benchmark assessment against the cluster and hosts. On managed Kubernetes, the audit logs flow through the same cloud log integrations used for the rest of the account.

Can Codesecure set up and run Wazuh cloud monitoring for us?

Yes. Codesecure connects your AWS, Azure, GCP and Microsoft 365 sources with least-privilege credentials, builds and tunes the cloud detection rule pack, integrates findings with TheHive and n8n, and operates the SOC 24x7. We also deliver the cloud integration as a project with handover for teams running Wazuh in-house. ISO/IEC 27001:2022 certified delivery.
