Windows 365 Integration with Wazuh Manager


Nithu Johnson

Aug 10, 2023, 3:59:15 PM
to Wazuh mailing list
Hello Team,

I have a query concerning how to collect logs from Windows 365 for Wazuh. Scenario: Multiple users are utilizing the Cloud PC environment to access applications and their respective client environment. 

We need to retrieve Authentication and Access Logs, Application and Service Logs, Identity and User Activity Logs, Authentication and Identity Provider Logs, Audit Logs, and Endpoint Protection Logs, among others. 

Could you please provide guidance on how to fetch logs from the Cloud PCs?

Nicolas Zapata

Aug 11, 2023, 7:50:40 AM
to Wazuh mailing list
Hi Nithu, thanks for using Wazuh!

To collect logs from Windows 365 for Wazuh, you can use the Wazuh module that allows you to collect all the logs from Office 365 using its API. The Office 365 logs conform to the JSON schema and Wazuh will automatically decode them. You can retrieve Authentication and Access Logs, Application and Service Logs, Identity and User Activity Logs, Authentication and Identity Provider Logs, Audit Logs, and Endpoint Protection Logs, among others.

Then, to collect Windows logs, you can use the Log Data Collection capability of Wazuh. Wazuh can monitor classic Windows event logs, as well as the newer Windows event channels. To monitor a Windows event log, it is necessary to provide the format as "eventlog" and the location as the name of the event log. To monitor logs generated by a specific source with the eventchannel format, the configuration file should include the location of the source.
Regards
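
Added example, not part of the original reply or of the Wazuh project's own files: a sketch of the two `ossec.conf` pieces the reply describes, the Office 365 module and the `eventlog`/`eventchannel` collection on the Windows side. It assumes a Wazuh agent is installed on each Cloud PC; `TENANT_ID`, `CLIENT_ID` and `CLIENT_SECRET` are placeholders, and the chosen subscriptions and channels are illustrative.

```xml
<!-- Office 365 module (ossec.conf on the manager or an agent).
     Credentials are placeholders for an Azure app registration
     that has access to the Office 365 Management Activity API. -->
<ossec_config>
  <office365>
    <enabled>yes</enabled>
    <interval>1m</interval>
    <curl_max_size>1M</curl_max_size>
    <only_future_events>yes</only_future_events>
    <api_auth>
      <tenant_id>TENANT_ID</tenant_id>
      <client_id>CLIENT_ID</client_id>
      <client_secret>CLIENT_SECRET</client_secret>
    </api_auth>
    <subscriptions>
      <!-- Sign-in and identity activity -->
      <subscription>Audit.AzureActiveDirectory</subscription>
      <!-- Other audited workloads -->
      <subscription>Audit.General</subscription>
    </subscriptions>
  </office365>
</ossec_config>

<!-- Log Data Collection (ossec.conf on the Windows agent). -->
<ossec_config>
  <!-- Event channel: location is the channel name -->
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
  </localfile>
  <!-- Endpoint protection events from a specific source channel -->
  <localfile>
    <location>Microsoft-Windows-Windows Defender/Operational</location>
    <log_format>eventchannel</log_format>
  </localfile>
  <!-- Classic event log: location is the log name -->
  <localfile>
    <location>Application</location>
    <log_format>eventlog</log_format>
  </localfile>
</ossec_config>
```

Restart the Wazuh manager and agent after editing so the new blocks are loaded, and restrict read access to any file that holds the client secret.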