By following these steps, you create a user account for Expel which keeps Expel activity separate from other activity on the Wazuh console.
Note
This guide is for on-premises installations of Wazuh. For cloud installations, see the Wazuh cloud article.
Step 1: Create an account in Elasticsearch
- Open the Elasticsearch console and select Stack Management from the Management menu.
- Select Users and click Create user.
- For Username, type expel_svc.
- Set the Password.
- For Full name, type Expel Service Account.
- For Email, type soc+<Your_Organization_Name>@expel.io.
Note
Yes, the "+" sign is part of the email address, and it's important.
- For Roles, select kibana_admin.
- Click Create user.
Note
Note the Elasticsearch server address and port number (the default port is 9200) for later use.
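The same account can be created from a shell against the Elasticsearch create-user API (PUT /_security/user/<name>) instead of the Stack Management UI. This is an added example, not part of the original guide; the function names and placeholder values are mine, and it assumes a cluster URL (default port 9200), an existing credential allowed to manage users, and a service password with no characters that need JSON escaping.

```shell
#!/bin/sh
# Added example: create the expel_svc user through the Elasticsearch
# security API rather than the Stack Management UI.
# Assumptions: the URL points at the cluster (default port 9200), the admin
# credential can manage users, and the service password needs no JSON escaping.

# Build soc+<org>@expel.io. The "+" tag is required, so an empty org name is
# refused rather than silently producing soc+@expel.io.
build_expel_email() {
    org="$1"
    [ -n "$org" ] || { echo "organization name is required" >&2; return 1; }
    printf 'soc+%s@expel.io' "$org"
}

# Request body for the create-user API: the same fields the guide fills in by hand.
build_user_body() {
    password="$1"
    email="$2"
    printf '{"password":"%s","roles":["kibana_admin"],"full_name":"Expel Service Account","email":"%s"}' \
        "$password" "$email"
}

# Create the account; prints the API response ({"created":true} on success).
create_expel_user() {
    es_url="$1"; admin_user="$2"; admin_pass="$3"; org="$4"; svc_pass="$5"
    email=$(build_expel_email "$org") || return 1
    body=$(build_user_body "$svc_pass" "$email")
    curl -sS -u "$admin_user:$admin_pass" -X PUT "$es_url/_security/user/expel_svc" \
        -H 'Content-Type: application/json' -d "$body"
}

# Confirm the account exists and carries exactly the kibana_admin role.
verify_expel_user() {
    es_url="$1"; admin_user="$2"; admin_pass="$3"
    curl -sS -u "$admin_user:$admin_pass" "$es_url/_security/user/expel_svc" \
        | grep -q '"roles":\["kibana_admin"\]'
}

# Usage (placeholder values; ADMIN_PASS and SVC_PASS come from the environment):
# create_expel_user "https://localhost:9200" "elastic" "$ADMIN_PASS" "YourOrg" "$SVC_PASS"
# verify_expel_user "https://localhost:9200" "elastic" "$ADMIN_PASS" && echo "expel_svc ready"
```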
Step 2: Configure the technology in Workbench
- In a new browser tab, log in to https://workbench.expel.io/settings/security-devices?setupIntegration=wazuh. You may be asked to log into Workbench.
- Fill in the form like this:
  - For Where is your device?, select On-prem.
  - For Assembler, select the assembler you want to route the Wazuh traffic through.
  - For Name and Location, type a name and location that are meaningful to you.
  - For Username and Password, type the username and password created in Step 1.
  - For Server address, type the server address with the port number from above.
  - For Is this a Wazuh cloud instance?, select Yes or No, depending on whether you're onboarding a Wazuh-hosted device.
- Click Save.