This article helps you connect your Wazuh OpenDistro for Elasticsearch instance to the Expel Workbench. You create a user account for Workbench, give the account the necessary level of access, activate archiving, and then connect the technology in Workbench.
Step 1: Create a new user role
Note
Expel secures all login information our SOC analysts need about your devices in an MFA password product. Access to this login information is protected using our internal MFA processes. To learn more about the IP addresses all Expel traffic comes from, go here.
- Go to the Stack Management section of your Elasticsearch.
- Select Roles and then click Create role.
Note
Depending on the Elastic version number and/or the Wazuh installation process, Roles can also be found under Kibana > Roles.
- Give the new role these options:
  - Cluster Permissions: cluster_all. If you can't find cluster_all, all works as well.
  - Index Permissions: under the index subheading, add an asterisk (*) and grant the index permissions search, get and read.
  - Tenant permissions: global_tenant with Read only.
Step 2: Create a user account with the new role
This step varies depending upon your Elastic setup. If you can see the Users tab, follow these steps:
- Go to the Users tab and click Create User.
- Create a new internal user.
- Select the newly created internal user. The Edit User page appears.
- Select the newly created read-only role for this user.
If you can't see the Users tab, follow these steps:
- Go to the Roles tab and select Create Internal User under Mapped users.
- Create a new internal user.
- Go back to the Roles tab and select Map Users.
- Select the newly created user.
Step 3: Map the role to the Wazuh module in Elasticsearch
- Go to Wazuh > Security > Roles mapping.
- Create a new Role mapping with the following options:
  - Roles: select the newly created read-only role from the list.
  - Internal Users: select the newly created user from the list.
- In a new browser tab, open the Elasticsearch API address.
Tip
This is usually the server with the ES API port (9200 is the default), such as: https://es-server-address.com:9200/.
- When the HTTP Basic Authentication prompt appears, type the credentials for the newly created user.
- If you receive a JSON object from the ES API, the mapping works. Here is an example:
- If you don't receive a JSON object, contact support.
Step 4: Enable Wazuh archives logging
To enable Workbench to log events from wazuh-archives-*, take these steps:
- Open the file /var/ossec/etc/ossec.conf on your Wazuh manager endpoint and set the logall_json field to yes as shown below.
- Open the file /etc/filebeat/wazuh-template.json on your Wazuh manager endpoint and append the string "wazuh-archives-4.x-*" to the index_patterns list as shown below.
- Open the file /etc/filebeat/filebeat.yml on your Wazuh manager endpoint and enable the archives module as shown below.
- Restart the filebeat and wazuh-manager services on the Wazuh manager endpoint.
  - Systemd:
    systemctl restart filebeat
    systemctl restart wazuh-manager
  - SysV init:
    service filebeat restart
    service wazuh-manager restart
- Go to Kibana > Discover and change the index to wazuh-archives-*.
- Open your Kibana console and check the wazuh-archives-* index.
- If you can see event logs in this index, go to Step 6.
- If you can't see this index, go to Step 5.
Step 5: Create Kibana index pattern
- Go to Kibana > Index Patterns and select Create Index Pattern.
- Enter wazuh-archives-* as the pattern name, and click Next step.
Note
Kibana should list a few sources already.
- Select @timestamp as the Time Field, then click Create index pattern.
- Go to Kibana > Discover and change the index to wazuh-archives-*.
- Open your Kibana console and check the wazuh-archives-* index.
- If you can see event logs in this index, go to Step 6.
- If you can't see this index, contact support.
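As an added check that covers both the Step 3 API test and the Step 5 index check (example code written for this article, not part of Expel Workbench or Wazuh): the script signs in to the Elasticsearch API as the Step 2 user, confirms a JSON object comes back, counts the documents visible in wazuh-archives-*, and confirms that a non-read action is refused. ES_URL, USER and PASSWORD are placeholders, and the _refresh probe assumes the role was limited to search, get and read as in Step 1.

```python
import base64
import json
import ssl
import urllib.error
import urllib.request

ES_URL = "https://es-server-address.com:9200"  # placeholder address from the article
USER, PASSWORD = "workbench-reader", "replace-me"  # hypothetical Step 2 credentials

def _request(path, user, password, method="GET", verify_tls=True):
    """Send one Basic-auth request to ES_URL + path; return (status, body_text)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(ES_URL + path, method=method,
                                 headers={"Authorization": "Basic " + token})
    ctx = None if verify_tls else ssl._create_unverified_context()  # lab self-signed certs only
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()

def mapping_ok(status, body):
    """Step 3: HTTP 200 with a JSON object naming the cluster means the role mapping works."""
    if status != 200:
        return False
    try:
        doc = json.loads(body)
    except ValueError:
        return False
    return isinstance(doc, dict) and "cluster_name" in doc

def archive_docs(status, body):
    """Steps 4-5: documents visible in wazuh-archives-*; -1 when the index cannot be read."""
    return int(json.loads(body).get("count", 0)) if status == 200 else -1

def read_only_ok(status):
    """A role limited to search/get/read must get HTTP 403 for a non-read action."""
    return status == 403

def audit(user=USER, password=PASSWORD):
    """Run all checks against the live cluster; _refresh is an admin action, so 403 is expected."""
    return {
        "mapping": mapping_ok(*_request("/", user, password)),
        "archive_docs": archive_docs(*_request("/wazuh-archives-*/_count", user, password)),
        "read_only": read_only_ok(_request("/wazuh-archives-*/_refresh", user, password, "POST")[0]),
    }
```

Run audit() from the Wazuh manager or any host allowed to reach port 9200; every value other than mapping True, archive_docs greater than 0 and read_only True points at the corresponding step above.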
Step 6: Connect your technology to Expel Workbench
- In a new browser tab, log in to https://workbench.expel.io.
- On the console page, navigate to Settings and click Security Devices.
- At the top of the page, click Add Security Device.
- Search for and select Wazuh.
- Complete all fields using the information you created in Step 2:
  - Name: a friendly name for the integration.
  - Location: where the Wazuh tech stack is placed within your organization.
  - Username: the username created in Step 2.
  - Password: the password created in Step 2.
  - Server address: the Wazuh cloud server address with the port number.
  - Is this a Wazuh cloud Instance?: N/A (ignore).