
How to Monitor Your Office 365 Tenant, Exchange & SharePoint Logs

Monitor your Office 365 tenant with Wazuh: ingest Exchange and SharePoint logs and build rules to detect foreign logins, brute force and phishing-driven breaches.

Background

To monitor Office 365 with Wazuh, register an application in Azure AD with log-read permissions, configure the office365 module in the Wazuh Manager with your credentials, and create custom rules to detect logins from disallowed countries, bursts of failed sign-ins and file deletions in SharePoint.

How do you monitor Office 365 with Wazuh in real time?

Migrating to the cloud with Office 365 has brought flexibility, but also new attack vectors. Without centralized monitoring, critical events such as anomalous access from abroad, bursts of login attempts or file deletion in SharePoint go unnoticed. The solution is to integrate Office 365, Exchange and SharePoint logs into Wazuh, turning scattered data into actionable alerts against phishing, account compromise and data loss.

What is the real use case for integrating Office 365 with Wazuh?

A company based in Spain noticed strange activity in its SharePoint. After investigating with Wazuh, they discovered that a user account had been compromised through a phishing email. The attacker, connecting from an IP address in a country where the company has no operations, accessed the account and mass-deleted critical documents from a SharePoint library. Thanks to the custom rules, the SOC received an alert within minutes, allowing them to revoke access, reverse the deletion and contain the threat before it spread.

What do you need to monitor Office 365 with Wazuh?

  • Office 365 tenant with global or security administrator permissions.
  • Wazuh Manager (version 4.3 or higher) installed and operational.
  • Access to Azure Active Directory to create an app registration.
  • Wazuh agent installed on a server with connectivity to the Microsoft Graph API.

How do you configure the Office 365 integration in Wazuh step by step?

The first step is to register an application in Azure AD so Wazuh obtains log-read permissions. Then you configure the Office 365 module in the Wazuh Manager.

# 1. On the Wazuh Manager server, edit the manager configuration file (the office365 module lives in ossec.conf)
sudo nano /var/ossec/etc/ossec.conf

# 2. Add the office365 block inside <ossec_config>, using the app registration credentials from Azure AD
<office365>
  <enabled>yes</enabled>
  <api_auth>
    <tenant_id>YOUR_TENANT_ID</tenant_id>          <!-- Directory (tenant) ID of your Azure AD tenant -->
    <client_id>YOUR_APPLICATION_ID</client_id>     <!-- Application (client) ID of the app registration -->
    <client_secret>YOUR_SECRET</client_secret>     <!-- Client secret created for the app registration -->
    <api_type>commercial</api_type>
  </api_auth>
  <subscriptions>
    <subscription>Audit.AzureActiveDirectory</subscription>
    <subscription>Audit.Exchange</subscription>
    <subscription>Audit.SharePoint</subscription>
  </subscriptions>
</office365>

Then restart the Wazuh manager so the office365 module loads the new configuration.

sudo systemctl restart wazuh-manager

Which rules should you create to detect anomalous access in Office 365?

With the logs flowing, you create custom rules in Wazuh. For example, to detect access from outside the country, you analyze the 'location' field of the sign-in logs. For mass deletion in SharePoint, you monitor the 'FileDeleted' operation.

<!-- Custom rules go in /var/ossec/etc/rules/local_rules.xml on the manager -->
<!-- Example rule to detect access from outside a list of allowed countries -->
<group name="office365,attack,">
  <rule id="100100" level="10">
    <if_sid>87000</if_sid>
    <field name="office365.UserId">.+</field>
    <!-- negate="yes": fire when the country is NOT one of the allowed codes -->
    <field name="office365.location.country" negate="yes">ES|PT|FR|DE</field>
    <description>Office 365 access from an unusual location: $(office365.location.country)</description>
  </rule>
  <!-- Correlation rule: 10 anomalous-location accesses by the same account within 300 seconds -->
  <rule id="100101" level="12" frequency="10" timeframe="300">
    <if_matched_sid>100100</if_matched_sid>
    <same_field>office365.UserId</same_field>
    <description>Multiple anomalous access attempts for the account: $(office365.UserId)</description>
  </rule>
</group>

These rules will generate alerts in the Wazuh dashboard, enabling fast investigation and immediate response.
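As an added illustration (not code from the article or from the Wazuh ruleset), the following Python script applies the same two detections to a constructed batch of Office 365 audit records: the negated allowed-country list of rule 100100, and a frequency/timeframe correlation like rule 100101, here applied to the SharePoint FileDeleted operation the text mentions. The office365.location.country field is assumed to be present, as in the article's rule, and the record shape follows the top-level office365 key produced by the Wazuh office365 module.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Countries where the organisation operates; mirrors the negated list in rule 100100.
ALLOWED_COUNTRIES = {"ES", "PT", "FR", "DE"}
# Wazuh-style correlation window: FREQUENCY matching events within TIMEFRAME seconds per UserId.
FREQUENCY, TIMEFRAME = 10, 300

def make_event(ts, user, op, workload, country=None):
    """Build one record in the shape the Wazuh office365 module emits (top-level 'office365' key).
    The location.country enrichment is an assumption carried over from the article's rule."""
    rec = {"CreationTime": ts.isoformat(), "UserId": user, "Operation": op, "Workload": workload}
    if country:
        rec["location"] = {"country": country}
    return {"office365": rec}

def sample_events():
    """Constructed sample audit trail: a normal login, a login from an unlisted country,
    a burst of SharePoint deletions by the same account, and scattered deletions by another user."""
    t0 = datetime(2024, 5, 6, 9, 0, 0)
    events = [make_event(t0, "ana@example.com", "UserLoggedIn", "AzureActiveDirectory", "ES"),
              make_event(t0 + timedelta(minutes=1), "ana@example.com", "UserLoggedIn", "AzureActiveDirectory", "US")]
    for i in range(12):  # 12 deletions, one every 10 s: crosses the FREQUENCY threshold
        events.append(make_event(t0 + timedelta(minutes=2, seconds=10 * i), "ana@example.com", "FileDeleted", "SharePoint"))
    for i in range(3):   # 3 deletions spread over 6 min: stays below it
        events.append(make_event(t0 + timedelta(minutes=3 * i), "luis@example.com", "FileDeleted", "SharePoint"))
    return events

def detect(events):
    """Return (level, description) alerts emulating rule 100100 plus a SharePoint mass-deletion rule."""
    alerts = []
    recent_deletions = defaultdict(deque)  # UserId -> timestamps of FileDeleted events inside the window
    for ev in sorted(events, key=lambda e: e["office365"]["CreationTime"]):  # ISO timestamps sort as text
        o = ev["office365"]
        ts, user = datetime.fromisoformat(o["CreationTime"]), o["UserId"]
        country = o.get("location", {}).get("country")
        if country and country not in ALLOWED_COUNTRIES:  # rule 100100 equivalent
            alerts.append((10, f"Office 365 access from an unusual location: {country} by {user}"))
        if o["Workload"] == "SharePoint" and o["Operation"] == "FileDeleted":
            window = recent_deletions[user]
            window.append(ts)
            while (ts - window[0]).total_seconds() > TIMEFRAME:  # drop deletions older than TIMEFRAME
                window.popleft()
            if len(window) == FREQUENCY:  # fire once, when the threshold is first reached
                alerts.append((12, f"Mass file deletion in SharePoint by {user}"))
    return alerts
```

Running `detect(sample_events())` yields one level-10 alert for the login from US and one level-12 mass-deletion alert for the same account; the scattered deletions by the second user stay below the threshold.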

Conclusion

Proactive monitoring of Office 365 with Wazuh is no longer a luxury; it is a cybersecurity necessity. Centralizing logs from Exchange, SharePoint and general activity lets you detect attack patterns such as phishing, brute-force login attempts and data leaks or deletion. Turn the massive amount of data from your tenant into actionable intelligence, strengthening your cloud security posture. Need help implementing this solution in your organization? Request a free consultation with our experts.
