By following these steps, you create a user account for Expel which keeps Expel activity separate from other activity on the Wazuh console.

Note
This guide is for on-premises installations of Wazuh. For cloud installations, see the Wazuh cloud article.

Step 1: Create an account in Elasticsearch

  1. Open the Elasticsearch console and select Stack Management from the Management menu.

  2. Select Users and click Create user.

    • For Username, type expel_svc.

    • Set the Password.

    • For Full name, type Expel Service Account.

    • For Email, type soc+<Your_Organization_Name>@expel.io.

      Note
      Yes, the "+" sign is part of the email address, and it's important: it routes alerts for your organization to the correct Expel SOC mailbox.

    • For Roles, select kibana_admin.

  3. Click Create user.

    Note
    Note the Elasticsearch server address and port number (the default port is 9200) for later use.
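The same account can be created and checked from the command line. This is an added example, not part of the Expel guide: it uses the Elasticsearch security API instead of the Stack Management UI and assumes `ES_URL`, `ES_ADMIN_USER` and `ES_ADMIN_PASS` point at an administrator who is allowed to create users; `ORG` stands in for your organization name.

```shell
#!/usr/bin/env bash
# Added example (not from the Expel guide): create the expel_svc account through
# the Elasticsearch security API, then confirm the credentials work and carry
# the kibana_admin role before entering them in Workbench.
set -euo pipefail

# Assumed settings; replace with your own (placeholders, not values from the guide).
ES_URL="${ES_URL:-https://localhost:9200}"        # server address + port from Step 1
ES_ADMIN_USER="${ES_ADMIN_USER:-elastic}"          # an admin that may create users
ES_ADMIN_PASS="${ES_ADMIN_PASS:-CHANGE_ME}"        # placeholder

# Build the JSON body for PUT /_security/user/expel_svc exactly as the guide
# fills in the form: role kibana_admin, full name, and the soc+<org>@expel.io mailbox.
# $1 = organization name, $2 = password. The password is inserted verbatim, so
# avoid double quotes and backslashes in it (or JSON-escape it first).
expel_user_body() {
  local org="$1" password="$2"
  printf '{"password":"%s","roles":["kibana_admin"],"full_name":"Expel Service Account","email":"soc+%s@expel.io"}' \
    "$password" "$org"
}

# Create (or overwrite) the expel_svc user. $1 = organization name, $2 = password.
create_expel_user() {
  curl -sS --fail -u "$ES_ADMIN_USER:$ES_ADMIN_PASS" -X PUT "$ES_URL/_security/user/expel_svc" \
    -H 'Content-Type: application/json' -d "$(expel_user_body "$1" "$2")"
}

# Log in as expel_svc and check that Elasticsearch reports the expected
# username and the kibana_admin role. $1 = password. Returns 0 on success.
verify_expel_user() {
  local out
  out=$(curl -sS --fail -u "expel_svc:$1" "$ES_URL/_security/_authenticate")
  printf '%s\n' "$out" | grep -q '"username":"expel_svc"' &&
    printf '%s\n' "$out" | grep -q '"kibana_admin"'
}

# Usage (uncomment after setting the variables above):
# create_expel_user "$ORG" "$EXPEL_SVC_PASSWORD" && verify_expel_user "$EXPEL_SVC_PASSWORD"
```

If `verify_expel_user` fails, fix the account in Stack Management before continuing with Step 2, since Workbench will use exactly these credentials.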

Step 2: Configure the technology in Workbench

  1. In a new browser tab, open https://workbench.expel.io/settings/security-devices?setupIntegration=wazuh. You may be asked to log in to Workbench.

  2. Fill in the form like this:

    • For Where is your device?, select On-prem.

    • For Assembler, select the assembler you want to route the Wazuh traffic through.

    • For Name and Location, type a name and location that are meaningful to you.

    • For Username and Password, type the username and password created in Step 1.

    • For Server address, type the server address with the port number from above.

    • For Is this a Wazuh cloud instance?, select Yes or No, depending on whether you're onboarding a Wazuh-hosted device.

  3. Click Save.