By following these steps, you create a user account for Expel which keeps Expel activity separate from other activity on the Wazuh console.


This guide is for on-premises installations of Wazuh. For cloud installations, see the Wazuh cloud article.

Step 1: Create an account in Elasticsearch


Expel secures all login information our SOC analysts need about your devices in an MFA password product. Access to this login information is protected using our internal MFA processes. To learn more about the IP addresses all Expel traffic comes from, go here.

  1. Open the Elasticsearch console and select Stack Management from the Management menu.

  2. Select Users and click Create user.

    • For Username type expel_svc.

    • Set the Password.

    • For Full name type Expel Service Account.

    • For Email type soc+<Your_Organization_Name>


      Yes, the "+" sign is part of the email address, and it's important. Click here to find out why.

    • For Roles select kibana_admin.

  3. Click Create user.


Note the Elasticsearch server address and port number (the default port is 9200) for later use.

Step 2: Configure the technology in Workbench

  1. In a new browser tab, login to You may be asked to log into Workbench.

  2. Fill in the form like this:

    • For Where is your device? select On-prem.

    • For Assembler select the assembler you want to route the Wazuh traffic through.

    • For Name and Location type a name and location that are meaningful to you.

    • For Username and Password type the username and password created in Step 1.

    • For Server address type the server address with the port number from above.

    • For Is this a Wazuh cloud instance? select Yes or No, depending on whether you're onboarding a Wazuh-hosted device.


This article was accurate at the time of writing, but changes happen. If you find the instructions are outdated, leave a description in the comment field below and let us know!