Wazuh Azure modules


Max

May 20, 2026, 1:28:26 AM
to Wazuh | Mailing List
Hi all,

I just wanted to ask what the differences are between these two Azure modules:
ms-graph-module

wodle-azure-logs

From what I know, the "wodle-azure-logs" can also ingest Graph API logs, but to what extent? I do not know.

Any answers are appreciated.

Best regards,
Max

Md. Nazmur Sakib

May 20, 2026, 2:07:53 AM
to Wazuh | Mailing List

Hi Max,

Based on my findings, you can use the Wazuh module for Azure or the Wazuh module for Microsoft Graph to collect Microsoft Graph activity logs from multiple Azure services.

In Wazuh version 4.6, the Wazuh module for Microsoft Graph was added.

The Wazuh module for Microsoft Graph allows you to monitor the following using the Microsoft Graph API:

  • Microsoft Entra ID Protection
  • Microsoft 365 Defender
  • Microsoft Defender for Cloud Apps
  • Microsoft Defender for Endpoint
  • Microsoft Defender for Identity
  • Microsoft Defender for Office 365
  • Microsoft Purview eDiscovery
  • Microsoft Purview Data Loss Prevention (DLP)

Ref: Monitoring Microsoft Graph services with Wazuh



We planned to deprecate the Wazuh module for Azure.
Ref: https://github.com/wazuh/wazuh/issues/30909

But based on the research, it was decided not to deprecate the Wazuh module for Azure, as the Wazuh module for Microsoft Graph cannot monitor the Azure Storage logs and Azure Analytics Logs.
Ref: https://github.com/wazuh/wazuh/issues/31123

I would suggest that you use the Wazuh module for Microsoft Graph to collect information with the Microsoft Graph API and use the Wazuh module for Azure for monitoring Microsoft Azure Log Analytics and Microsoft Azure Storage.

Let me know if you need any further information.
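
The split recommended in the reply above, sketched as a manager `ossec.conf` fragment. This is an added example, not configuration posted in the thread or shipped by the Wazuh project; every ID, secret, domain, workspace, path and container name is a placeholder, and the chosen resource, relationships, query and intervals are assumptions.

```xml
<!-- Microsoft Graph API sources: handled by the ms-graph module (Wazuh 4.6+) -->
<ms-graph>
  <enabled>yes</enabled>
  <only_future_events>yes</only_future_events>
  <run_on_start>yes</run_on_start>
  <interval>5m</interval>
  <version>v1.0</version>
  <api_auth>
    <!-- Placeholders: app registration limited to the read permissions it needs -->
    <client_id>PLACEHOLDER_APPLICATION_ID</client_id>
    <tenant_id>PLACEHOLDER_TENANT_ID</tenant_id>
    <secret_value>PLACEHOLDER_SECRET_VALUE</secret_value>
    <api_type>global</api_type>
  </api_auth>
  <resource>
    <!-- Assumed selection: Graph security alerts and incidents -->
    <name>security</name>
    <relationship>alerts_v2</relationship>
    <relationship>incidents</relationship>
  </resource>
</ms-graph>

<!-- Log Analytics and Storage: handled by the azure-logs wodle, no graph section -->
<wodle name="azure-logs">
  <disabled>no</disabled>
  <run_on_start>yes</run_on_start>
  <log_analytics>
    <!-- Placeholder path: credentials file readable only by the Wazuh service user -->
    <auth_path>/PLACEHOLDER/log_analytics_credentials</auth_path>
    <tenant_domain>PLACEHOLDER.onmicrosoft.com</tenant_domain>
    <request>
      <tag>azure-activity</tag>
      <query>AzureActivity</query>
      <workspace>PLACEHOLDER_WORKSPACE_ID</workspace>
      <time_offset>1d</time_offset>
    </request>
  </log_analytics>
  <storage>
    <auth_path>/PLACEHOLDER/storage_credentials</auth_path>
    <tag>azure-storage</tag>
    <container name="PLACEHOLDER_CONTAINER">
      <blobs>.json</blobs>
      <content_type>json_inline</content_type>
      <time_offset>24h</time_offset>
    </container>
  </storage>
</wodle>
```

Leaving the `graph` section out of the `azure-logs` wodle keeps Graph API data on a single ingestion path, so the same events are not collected by both modules.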