Tip
This article was accurate at the time of writing, but changes happen. If you find the instructions are outdated, leave a description in the comment field below and let us know!
By following these steps, you create a user account for Expel which keeps Expel activity separate from other activity on the Wazuh console.
Note
This guide is for on-premises installations of Wazuh. For cloud installations, see the Wazuh cloud getting started guide.
Step 1: Create an account in Elasticsearch
- Open the Elasticsearch console and select Stack Management from the Management menu.
- Select Users and click Create user.
- For Username type expel_svc.
- Set the Password.
- For Full name type Expel Service Account.
- For Email type soc+<Your_Organization_Name>@expel.io.
Tip
Yes, the "+" sign is part of the email address (as in soc+megacorp@expel.io) and it's important.
- For Roles select kibana_admin.
- Click Create user.
Note
Note the Elasticsearch server address and port number (the default port is 9200) for later use.
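The same account can be created and checked through the Elasticsearch security API instead of the Kibana UI. This is an added example, not part of Expel's or Wazuh's guide; it assumes the API is reachable at ES_URL with admin credentials in ES_ADMIN_USER and ES_ADMIN_PASS, and takes the service-account password and your organization name from SVC_PASSWORD and ORG_NAME.

```shell
#!/bin/sh
# Added example: create the expel_svc user via PUT /_security/user and verify it.
# Assumed environment (not from the guide): ES_URL, ES_ADMIN_USER, ES_ADMIN_PASS,
# SVC_PASSWORD, ORG_NAME.

ES_URL="${ES_URL:-https://localhost:9200}"

# JSON body mirroring the guide: role kibana_admin, full name "Expel Service
# Account", e-mail soc+<org>@expel.io (the "+" is part of the address).
# The password must not contain a double quote or backslash.
user_body() {
  org="$1"; password="$2"
  printf '{"password":"%s","roles":["kibana_admin"],"full_name":"Expel Service Account","email":"soc+%s@expel.io"}' \
    "$password" "$org"
}

# Check that an address has the soc+<org>@expel.io shape before using it.
expel_email_ok() {
  case "$1" in
    soc+?*@expel.io) return 0 ;;
    *) return 1 ;;
  esac
}

# Create the user with admin credentials; the body is piped on stdin so the
# password does not appear in the process argument list.
create_user() {
  user_body "$ORG_NAME" "$SVC_PASSWORD" | curl -sS \
    -u "$ES_ADMIN_USER:$ES_ADMIN_PASS" \
    -H 'Content-Type: application/json' \
    -X PUT "$ES_URL/_security/user/expel_svc" \
    --data-binary @-
}

# Verify: authenticate as the new account and confirm it holds only kibana_admin.
verify_user() {
  curl -sS -u "expel_svc:$SVC_PASSWORD" "$ES_URL/_security/_authenticate" \
    | grep -q '"roles":\["kibana_admin"\]'
}

if [ -n "$SVC_PASSWORD" ] && [ -n "$ORG_NAME" ]; then
  expel_email_ok "soc+$ORG_NAME@expel.io" || { echo "bad ORG_NAME" >&2; exit 1; }
  create_user && echo && verify_user && echo "expel_svc verified"
fi
```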
Step 2: Configure the technology in Workbench
Now that we have the correct access configured, we can integrate Wazuh with Workbench.
- In a new browser tab, log in to https://workbench.expel.io.
- On the console page, navigate to Settings and click Security Devices.
- At the top right of the page, click Add Security Device.
- Search for and select Wazuh.
- Enter your user credentials as follows:
  - For Where is your device? select On-prem.
  - For Assembler select <?>.
  - For Name and Location enter Wazuh and <?>.
  - For Username and Password enter the username and password created in Step 1.
  - For Server address enter the server address with the port number.
  - For Is this a Wazuh cloud instance? enter <?>.