Monitoring Azure Active Directory Domain Services

Something like this?

1. Enable Auditing in AADDS: Enable security auditing on your Azure Active Directory Domain Services. This would include enabling audit policies for logon events. The policies you would be most interested in are: “Audit account logon events” and “Audit logon events”.

2. Set Up Azure Log Analytics: Configure Azure Log Analytics to collect the logs. You can send the logs generated by AADDS to Azure Log Analytics. This provides a centralized location where logs can be stored and analyzed.

3. Configure Azure Function to send logs to Wazuh: Azure Functions is a serverless solution that allows you to write less code, maintain less infrastructure, and save costs. You can use an Azure Function to retrieve the logs from Log Analytics and then send them to the Wazuh manager.

4. Configure Wazuh Rules: The Wazuh rules need to be configured to understand and process the logs that are being received from Azure AD. Rules should be set up to alert on events of interest, such as logon events.

Kindly,

Martin
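A sketch of the forwarding logic from step 3, added here as an example and not part of the original post: it flattens a Log Analytics query response into one JSON line per event, skips rows at or before a checkpoint so repeated polls do not resend events, and hands each line to a sender. The sample rows, column names, the `integration` tag and the UDP syslog listener on the Wazuh manager are assumptions; event IDs 4624 and 4625 are the Windows successful and failed logon events.

```python
import json
import socket

# Constructed sample in the tables/columns/rows shape of a Log Analytics
# query response. Column names and values are assumptions for illustration.
SAMPLE_RESPONSE = {"tables": [{
    "name": "PrimaryResult",
    "columns": [{"name": "TimeGenerated"}, {"name": "EventID"},
                {"name": "TargetUserName"}, {"name": "IpAddress"}],
    "rows": [
        ["2024-01-10T08:00:07Z", 4625, "bob", "10.0.0.9"],
        ["2024-01-10T08:00:01Z", 4624, "alice", "10.0.0.5"],
        ["2024-01-10T08:00:09Z", 4625, "bob", "10.0.0.9"],
    ],
}]}

def rows_to_events(response, since=""):
    """Flatten the response into dicts newer than the checkpoint, oldest first."""
    events = []
    for table in response.get("tables", []):
        names = [col["name"] for col in table["columns"]]
        for row in table["rows"]:
            event = dict(zip(names, row))
            # Same-format ISO-8601 UTC strings compare correctly as text.
            if (event.get("TimeGenerated") or "") > since:
                events.append(event)
    return sorted(events, key=lambda e: e["TimeGenerated"])

def to_wazuh_line(event):
    """One JSON object per event, tagged so a custom rule can match on it."""
    return json.dumps({"integration": "aadds", "aadds": event}, sort_keys=True)

def forward(events, send, checkpoint=""):
    """Pass each event to send(); return the checkpoint for the next poll."""
    for event in events:
        send(to_wazuh_line(event).encode("utf-8"))
        checkpoint = event["TimeGenerated"]
    return checkpoint

def udp_sender(host, port=514):
    """Assumes the Wazuh manager accepts syslog over UDP on this port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    return lambda payload: sock.sendto(payload, (host, port))
```

Persist the returned checkpoint between function runs and pass it back as `since` on the next poll.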
