Having read-only access to the interface of your technology allows Expel to dig deeper when performing incident investigations. Our device health team uses this access to investigate potential health issues with your tech.
By following these steps, you create a user account for Expel which keeps Expel activity separate from other activity on the Wazuh console. Note: This guide is for on-premises installations of Wazuh. For cloud installations, see the Wazuh cloud getting started guide.
Step 1: Create an account in Elasticsearch
- Open the Elasticsearch console and select Stack Management from the Management menu.
- Select Users and click Create user.
- For Username type expel_svc.
- For Full name type Expel Service Account.
- For Email type soc+<yourcompanyname>@expel.io.
- For Roles select kibana_admin.
- Set a Password.
- Click Create user.
- Note the Elasticsearch server address and port number (the default port is 9200) for later use.
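The same account can be created through the Elasticsearch security REST API rather than the Stack Management UI, and the result checked before moving on. The script below is an added example, not Expel's or Wazuh's own code; the server URL, the admin credentials and the placeholder passwords are assumptions you replace with your own values. It creates expel_svc with the fields from Step 1, then authenticates as that user and confirms it holds exactly the kibana_admin role and nothing more.

```python
# Added example (not Expel's or Wazuh's own code): create the expel_svc account
# through the Elasticsearch security REST API instead of the Stack Management UI,
# then confirm the new account authenticates with exactly the role that was set.
import base64
import json
import urllib.request

ES_URL = "https://elasticsearch.example.internal:9200"  # assumption: your server address, default port 9200
ADMIN_AUTH = ("elastic", "REPLACE_WITH_ADMIN_PASSWORD")   # assumption: an account allowed to manage users


def build_user_body(full_name, email, roles, password):
    """JSON body for PUT /_security/user/<name>, mirroring the fields in Step 1."""
    return {"password": password, "roles": list(roles),
            "full_name": full_name, "email": email}


def _request(method, path, auth, body=None):
    """Minimal HTTPS call with basic auth; returns the decoded JSON response."""
    token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(ES_URL + path, data=data, method=method,
                                 headers={"Authorization": f"Basic {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def create_service_account(username, body):
    # PUT /_security/user/<username> creates (or updates) a native-realm user.
    return _request("PUT", f"/_security/user/{username}", ADMIN_AUTH, body)


def roles_match(authenticate_response, expected_roles):
    """True only when the account holds exactly the expected roles (no extras)."""
    return sorted(authenticate_response.get("roles", [])) == sorted(expected_roles)


def verify_service_account(username, password, expected_roles):
    # GET /_security/_authenticate as the new user proves the credentials work
    # and shows which roles Elasticsearch actually granted to it.
    info = _request("GET", "/_security/_authenticate", (username, password))
    return roles_match(info, expected_roles)


if __name__ == "__main__":
    user, pw = "expel_svc", "REPLACE_WITH_STRONG_PASSWORD"  # assumption: choose your own password
    body = build_user_body("Expel Service Account", "soc+yourcompanyname@expel.io",
                           ["kibana_admin"], pw)
    print(create_service_account(user, body))
    print("roles as expected:", verify_service_account(user, pw, ["kibana_admin"]))
```

If the verification returns False, check the Roles field on the user in Stack Management before entering the credentials in Workbench.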
Step 2: Configure the technology in Workbench
Now that we have the correct access configured we can integrate Wazuh with Expel Workbench.
- In a new browser tab, log in to https://workbench.expel.io.
- On the console page, navigate to Settings and click Security Devices.
- At the top right of the page, click Add Security Device.
- Search for and select Wazuh.
Enter your user credentials as follows:
- For Where is your device? select On-prem.
- For Assembler select <?>.
- For Name and Location enter Wazuh and <?>.
- For Username and Password enter the username and password created in Step 1.
- For Server address enter the server address with the port number.
- For Is this a Wazuh cloud instance? enter <?>.
After a few minutes, refresh the Security Devices page: the device status should report as Healthy, or, if there is an issue, show details of what it may be.
To check if alerts are coming through, navigate to Alerts on the console page. Click the icon in the upper right to switch to grid view, then check the list for device alerts.