Hi team,
I'm new to Wazuh and infrastructure in general, and I need help setting up a push-based method to ingest Microsoft Entra ID (Azure AD) and Microsoft 365 logs into Wazuh.
I'm not using the Office 365 API/polling method — instead, I want to know if there's a way to forward logs in real time to Wazuh, similar to how firewalls send logs directly.
Could someone please guide me on:
How to forward M365/Entra logs.
Any example setups or best practices.
Please keep the explanation simple — I’m still learning and really appreciate any clear guidance you can share.
Thanks so much!
Best regards,
Hi Dex Perry,
Firewalls or other network devices have remote syslog log forwarding capability.
If Microsoft services can forward logs in a similar way to how a firewall forwards them, Wazuh has the capability to process those logs.
https://documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/syslog.html
https://documentation.wazuh.com/current/cloud-service/your-environment/send-syslog-data.html
As far as I am aware, Microsoft services don't have remote syslog forwarding capability.
They utilize the API to forward the logs and data to the SIEM.
These Microsoft services' logs can be forwarded by the Microsoft Graph REST API and the Office 365 Management Activity API.
https://docs.microsoft.com/en-us/graph/overview
You can check these documents for reference.
https://documentation.wazuh.com/current/cloud-security/azure/monitoring-ms-graph.html
Microsoft Entra ID use case
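To make the two collection paths in the reply above concrete, here is an added ossec.conf fragment for the Wazuh manager (example configuration, not taken from either post). The first block is the remote syslog receiver from the syslog documentation linked above, which is what a firewall would send to; the second is the ms-graph module from the MS Graph documentation linked above, which is the polling path Microsoft requires. The element names follow those Wazuh docs; the tenant/client IDs, the secret, the allowed IP range and the 5-minute interval are placeholder values and assumptions for this example.

```xml
<ossec_config>

  <!-- Path 1: push-based. Network devices that speak syslog send to this
       listener. Restrict allowed-ips to the sender's range; an open
       listener on 514 accepts forged events from anything on the network.
       Assumed subnet 192.168.1.0/24 is a placeholder. -->
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>tcp</protocol>
    <allowed-ips>192.168.1.0/24</allowed-ips>
  </remote>

  <!-- Path 2: pull-based. Wazuh authenticates to Microsoft Graph with an
       app registration (client credentials) and polls the listed resources.
       There is no syslog/webhook target here: the shortest delay you can
       get is the <interval>. only_future_events=yes avoids re-ingesting
       history on first run. All credential values below are placeholders. -->
  <ms-graph>
    <enabled>yes</enabled>
    <only_future_events>yes</only_future_events>
    <curl_max_size>1M</curl_max_size>
    <run_on_start>yes</run_on_start>
    <interval>5m</interval>
    <version>v1.0</version>
    <api_auth>
      <client_id>00000000-0000-0000-0000-000000000000</client_id>
      <tenant_id>11111111-1111-1111-1111-111111111111</tenant_id>
      <secret_value>REPLACE_WITH_APP_CLIENT_SECRET</secret_value>
      <api_type>global</api_type>
    </api_auth>
    <!-- Entra ID sign-in and directory audit logs -->
    <resource>
      <name>auditLogs</name>
      <relationship>signIns</relationship>
    </resource>
    <resource>
      <name>auditLogs</name>
      <relationship>directoryAudits</relationship>
    </resource>
    <!-- Microsoft 365 Defender / security alerts -->
    <resource>
      <name>security</name>
      <relationship>alerts_v2</relationship>
    </resource>
  </ms-graph>

</ossec_config>
```

The app registration behind `api_auth` needs the corresponding Graph application permissions (for example AuditLog.Read.All for the auditLogs resources) granted with admin consent, and the secret should be treated like any other credential on the manager: keep ossec.conf readable only by the wazuh user and rotate the secret on the schedule you set when creating it. Lowering `<interval>` brings the pull closer to real time but each poll consumes Graph API quota, so tune it against the tenant's rate limits rather than assuming smaller is always better.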
Hi Md. Nazmur Sakib,
Thank you for clarifying how Microsoft 365/Entra ID logs are typically collected via API polling.
However, I’ve seen examples like the SentinelOne integration, where logs are forwarded using a syslog or webhook-like push method directly into Wazuh. Is it truly not possible to achieve something similar with Microsoft 365 or Entra ID—for example, by having Microsoft push logs to a syslog or webhook endpoint on Wazuh, instead of periodic API polling?
If Microsoft does not natively support this, are there any known workarounds, third-party solutions, or Microsoft-native features (like event hubs, logic apps, or other connectors) that could enable near real-time log forwarding to Wazuh?
Any additional clarification or best practices would be appreciated!
Best regards,
Dex Perry
The only way to export logs remotely for Microsoft 365/Entra ID logs is via the API. I cannot find any reference or workaround for forwarding logs via remote syslog.
You can also check the Microsoft community to learn more:
https://learn.microsoft.com/en-us/answers/questions/
Let me know if you need any further information on this.