By following these steps, you create a user account for Expel which keeps Expel activity separate from other activity on the Wazuh console.
Note
This guide is for on-premises installations of Wazuh. For cloud installations, see the Wazuh cloud article.
Step 1: Create an account in Elasticsearch
Note
Expel secures all login information our SOC analysts need about your devices in a MFA password product. Access to this login information is protected using our internal MFA processes. To learn more about the IP addresses all Expel traffic comes from, go here.
-
Open the Elasticsearch console and select Stack Management from the Management menu.
-
Select Users and click Create user.
-
For Username type expel_svc.
-
Set the Password.
-
For Full name type Expel Service Account.
-
For Email type soc+<Your_Organization_Name>@expel.io.
Tip
Yes, the "+" sign is part of the email address, and it's important. Click here to find out why.
-
For Roles select kibana_admin.
-
-
Click Create user.
Note
Note the Elasticsearch server address and port number (the default port is 9200) for later use.
Step 2: Configure the technology in Workbench
-
In a new browser tab, login to https://workbench.expel.io/settings/security-devices?setupIntegration=wazuh. You may be asked to log into Workbench.
-
Fill in the form like this:
-
For Where is your device? select On-prem.
-
For Assembler select the assembler you want to route the Wazuh traffic through.
-
For Name and Location type a name and location that are meaningful to you.
-
For Username and Password type the username and password created in Step 1.
-
For Server address type the server address with the port number from above.
-
For Is this a Wazuh cloud instance? select Yes or No, depending on whether you're onboarding a Wazuh-hosted device.
-