Securing cloud workloads with Wazuh – an open source, SIEM and XDR platform

Organizations rapidly adopt the cloud as they rely heavily on data and technology to drive their businesses. These organizations utilize highly scalable cloud services that manage computing, storage, and networking operations.

A cloud workload is an IT asset that runs in a cloud environment and consumes resources. Examples of cloud workloads include virtual machines, databases, microservices, storage, networks, and applications.

Cloud workload security is a practice that ensures all cloud workloads are adequately monitored and protected. We can use cloud security solutions to achieve this practice. Cloud security solutions assist in protecting against threats targeting cloud infrastructure thereby lowering risk, improving application reliability, and ensuring regulatory compliance. Furthermore, a cloud workload security solution can give an organization visibility of its cloud infrastructure.

Cloud workload security challenges

  1. Large attack surface: The more IT resources are spread across several off-premises sites, the larger the risk and attack surface. Having a cloud presence comes with the added obligation of protecting virtual servers, remote applications, containers, and network interactions between environments.
  2. Multicloud security: Most organizations use more than one cloud service provider (CSP) to increase reliability and efficiency. However, it presents a challenge as these  CSPs have unique requirements when integrating cloud workload security solutions. This challenge might compel organizations with multiple CSPs to monitor their workloads with different cloud security solutions. Furthermore, having a central pane of view of the organization’s overall security posture might be difficult.
  3. Regulatory compliance: Compliance is essential when dealing with sensitive information such as healthcare and financial data. As numerous regulations change, enterprises must ensure that their cloud service providers and infrastructure are certified to handle sensitive data.
  4. Misconfigurations: As cloud environments continuously evolve, it increases the risk of misconfiguration which can expose organizations to attacks that lead to data breaches. For example, weak data transmission protocols and improperly configured access management systems might expose a cloud workload to intrusions. Misconfigurations might occur as a result of cloud migration difficulties or configuration fatigue.

Importance of cloud workload security solution

A cloud security solution can protect diverse workload environments. When analyzing cloud workload protection, consider the following benefits:

  1. Vulnerability management: Cloud security solutions automate some risk assessment and prioritization processes that will assist security teams in eliminating critical risks with minimal effort. Regarding vulnerability assessment on workload, it is best to prioritize and remediate the most severe vulnerabilities among the thousands that emerge each year.
  2. Regulatory compliance: Data privacy and security are crucial elements of an organization’s Information Security Management System (ISMS). Cloud security solutions provide robust security for organization workloads to meet compliance requirements like customers’ personal and financial data.
  3. Protection: Cloud workload security solutions protect cloud workloads against various threats, such as viruses, worms, trojans, and sophisticated attacks. With less time between initial intrusion and lateral movement, the swift detection time is essential to an organization’s security.
  4. Simplified and centralized management: Cloud security solutions provide automated detection and response across an organization’s entire cloud environment while offering as little overhead as possible. This helps an organization have a single pane of view that provides visibility into the condition of workloads and overall security posture.

Wazuh for cloud security

is a free, open source security platform that offers Unified XDR and SIEM capabilities. It helps provide security across workloads on cloud and on-premises environments. It provides a centralized view for monitoring, detecting, and alerting security events and incidents on monitored endpoints and cloud workloads.

Wazuh offers several capabilities organizations can implement to detect and defend against security threats. This section highlights several Wazuh capabilities that protect workloads on cloud platforms like AWS, Azure, GCP, and Office 365. This can be achieved by installing the Wazuh agent on virtual instances or collecting logs from cloud services via the various CSPs modules.

The Wazuh agent supports several operating systems, including Windows, Linux, Solaris, BSD, and macOS. The agent collects security event data from the virtual instances and forwards these events to the Wazuh central components, where log analysis, correlation, and alerting are carried out.

It is worth noting that Wazuh offers an out-of-the-box ruleset to detect suspicious events across all the cloud solutions discussed in this section.

Wazuh dashboard showing Amazon AWS, Google Cloud Platform, and Office 365 modules
Figure 1: Wazuh dashboard showing Amazon AWS, Google Cloud Platform, and Office 365 modules

Monitoring AWS with Wazuh

Wazuh helps to increase the security of an AWS infrastructure in two different ways that complement each other, as described below:

  • Using the Wazuh AWS module: Wazuh can monitor AWS services to collect and analyze infrastructure log data and generate alerts based on events collected. Thanks to the AWS module, these logs provide comprehensive and detailed information about the infrastructure, such as instance configuration, unusual activities, data saved on S3 buckets, and more. Some supported services include CloudTrail, VPC, Config, WAF, Macie, GuardDuty, CloudWatch Logs, Amazon ECR Image Scanning, Cisco Umbrella, and Trusted Advisor. Wazuh can monitor account activity across an organization’s AWS infrastructure, the configuration of AWS resources, unusual API calls, and more.

To find more information about the supported services and the configuration options, visit the Wazuh .

The Wazuh dashboard showing AWS CloudTrail events
Figure 2: The Wazuh dashboard showing AWS CloudTrail events

Monitoring Azure with Wazuh

Workloads on Microsoft Azure can be adequately protected against attacks using Wazuh in the following ways:

  • Using the Wazuh Azure module: The Wazuh module for Azure allows organizations to monitor their cloud infrastructure’s activities, services, and Azure Active Directory (Azure AD). Azure Monitor Logs collects and organizes these activity logs and performance data. Wazuh receives these logs through Azure Log Analytics API or directly accessing the logs stored on an Azure storage account. Please refer to the Wazuh for further information on the configuration options and the different use cases you can define for effective monitoring.

Wazuh can monitor Azure AD activities to discover how Azure AD services are accessed and used. Azure AD is an identity and management service that combines essential directory services, application access management, and identity protection in a single solution. Wazuh uses the activity reports from Microsoft Graph REST API to monitor Azure AD. For more information, you can visit Wazuh .

Monitoring GCP with Wazuh

Wazuh provides security monitoring to workloads on GCP by collecting and analyzing log data. You can achieve this in three ways:

  • Using the Wazuh Pub/Sub integration module for GCP: The Google Cloud Pub/Sub messaging and ingestion service is commonly utilized for event-driven systems and streaming analytics. It allows applications to send and receive messages. The Wazuh module for GCP uses it to obtain several events from the GCP services supported by Wazuh. The GCP services supported by Wazuh include audited resources, DNS queries, VPC Flow logs, firewall rules logging, and HTTPS load balancing logging. In Wazuh , you can find further information on these services and how Wazuh processes their logs for adequate monitoring. Wazuh can monitor events like admin activity, data access, system events, and more.
  • Using the Wazuh Storage integration module for GCP: Wazuh can process storage and usage logs using the GCP-buckets module and monitor access control settings, latency information of requests, and more. You can find further information on the integration of the Storage module in this .
  • Wazuh agent installation on virtual instances: The Wazuh agent makes it possible to monitor and protect virtual instances with several Wazuh capabilities like , , and .

Monitoring Office 365 with Wazuh

Microsoft Office 365 is a suite of collaboration and productivity cloud-based services offered by Microsoft. As a result, tracking user behavior in Microsoft Office 365 can be beneficial. Microsoft Office 365 audit logs record information on system configuration changes and access events, including the activity’s user, time, and location.

The Wazuh module for Office 365 enables you to collect all the audit logs using its API. The Office 365 Management Activity API groups events into tenant-specific content blobs based on the kind and source of their content. The audit log allows Wazuh to monitor user activity in Exchange Online, Admin activity in SharePoint Online, User and admin activity in Dynamics 365, and more. Visit Wazuh to learn more about monitoring Office 365 with Wazuh.


Opportunistic threat actors targeting cloud workloads take advantage of cloud environments being vast and complicated, requiring extensive configuration and administration. Organizations must select the best cloud security technology to complement their security strategy.

is a free, open source SIEM and XDR solution that offers comprehensive security for organizations. As discussed in this post, Wazuh offers excellent flexibility in integrating with several cloud solution providers and offers all its capabilities to provide visibility and robust security.

Wazuh has over 10 million annual downloads and provides extensive support to its users through a constantly growing open source .

Sponsored and written by