1. Expel Support Center
  2. Connect your technology
  3. SIEM integrations

Wazuh​ OpenDistro for Elasticsearch setup for Workbench

  • Updated

This article helps you connect your Wazuh​ OpenDistro for Elasticsearch instance to the Expel Workbench. You create a user account for Workbench, give the account the necessary level of access, activate archiving, and then connect the technology in Workbench.

Having read-only access to the interface of your technology allows Expel to dig deeper during incident investigations. Our device health team uses this access to investigate potential health issues with your tech.

To integrate the technology with Workbench, we need to create secure credentials to the API.

In this article

Step 1: Create a new user role

Note

Expel secures all login information our SOC analysts need about your devices in a MFA password product. Access to this login information is protected using our internal MFA processes. To learn more about the IP addresses all Expel traffic comes from, go here.

  1. Go to the Stack Management section of your Elasticsearch.

  2. Select Roles and then click Create role.

    Note

    Depending on the Elastic version number and/or the Wazuh installation process, Roles can also be found under Kibana > Roles.

  3. Give the new role these options:

    • Cluster Permissions: cluster_all. If you can’t find cluster_all, all works as well.

    • Index Permissions: add the index subheading an asterisk(*), with index permissions — search, get, read.

    • Tenant permissions: global_tenant with Read only.

  4. Click Save.

Step 2: Create a user account with the new role

This step varies depending upon your Elastic setup. If you can see the Users tab, follow these steps:

  1. Go to the Users tab and click Create User.

  2. Create a new internal user.

  3. Select the newly created internal user. The Edit User page appears.

  4. Select the newly created read-only role for this user.

If you can't see the Users tab, follow these steps:

  1. Go to the Roles tab and select Create Internal User under Mapped users.

  2. Create a new internal user.

  3. Go back to the Roles tab and select Map Users.

  4. Select the newly created user.

Step 3: Map the role to the Wazuh module in Elasticsearch

  1. Go to Wazuh > Security > Roles mapping.

  2. Create a new Role mapping with the following options:

    • Roles: select the newly created read-only role from the list.

    • Internal Users: select the newly created user from the list.

  3. In a new browser tab, open the Elasticsearch API address.

    Tip

    This is usually the server with the ES API port (9200 is default), such as: https://es-server-address.com:9200/.

  4. After an HTTP Basic Authentication window appears, type the credentials for the newly created user.

  5. If you receive a JSON object from the ES API, the mapping works. Here is an example:

    mceclip4.png

  6. If you don't receive a JSON object, contact your customer success engineer, or email devicehealth@expel.io for help.

Step 4: Enable Wazuh archives logging

To enable Workbench to log events from wazuh-archives-*, take these steps:

  1. Open the file /var/ossec/etc/ossec.conf in your Wazuh manager endpoint and toggle the logall_json field to yes as shown below.

    mceclip5.png

  2. Open the file /etc/filebeat/wazuh-template.json in your Wazuh manager endpoint and append the string “wazuh-archives-4.x-*” to the index_patterns list as shown below.

    mceclip6.png

  3. Open the file /etc/filebeat/filebeat.yml in your Wazuh manager endpoint and enable the archives module as shown below.

    mceclip7.png

  4. Restart the filebeat service and the Wazuh manager endpoint.

    • Systemd:

      • systemctl restart filebeat

      • systemctl restart wazuh-manager

    • SysV init:

      • service filebeat restart

      • service wazuh-manager restart

  5. Go to Kibana > Discover and change the index to wazuh-archives-*.

  6. Open your Kibana console and check the wazuh-archives-* index.

    • If you can see event logs in this index, go to Step 6.

    • If you can't see this index, go to Step 5.

Step 5: Create Kibana index pattern

  1. Go to Kibana > Index Patterns and select Create Index Pattern.

  2. Enter wazuh-archives-* as the pattern name, and click Next step.

    Note

    Kibana should list a few sources already.

  3. Select @timestamp as the Time Field, then click Create index pattern.

  4. Go to Kibana > Discover and change the index to wazuh-archives-*.

  5. Open your Kibana console and check the wazuh-archives-* index.

    • If you can see event logs in this index, go to Step 6.

    • If you can't see this index, contact your customer success engineer, or email devicehealth@expel.io for help.

Step 6: Connect your technology to Expel Workbench

Now that we have the correct access configured and noted the credentials, we can integrate your tech with Workbench.

  1. In a new browser tab, log into https://workbench.expel.io.

  2. On the console page, navigate to Settings and click Security Devices.

  3. At the top of the page, click Add Security Device.

  4. Search for and select your technology Wazuh.

  5. Complete all fields using the information you created in Step 2.

    mceclip2.png

    • Name: friendly name for the integration.

    • Location: where the Wazuh tech stack is placed within your organization.

    • Username: Username created in Step 2.

    • Password: Password created in Step 2.

    • Server address: type the Wazuh cloud server address with port number.

    • Is this a Wazuh cloud Instance?: N/A (Ignore).

  6. Click Save.

You can see if the device is healthy on the Security Devices page. It may take a few minutes to see the device listed as healthy.

To check if alerts are coming through, navigate to the Alerts Analysis page. Scroll to the device you want to check and click View alerts. Switch to grid view, then check the list for device alerts. It can take 36 to 72 hours for alerts to appear after setup, as we tune your device.

Tip

This article was accurate at the time of writing, but changes happen. If you find the instructions are outdated, leave a description in the comment field below and let us know!

  • Was this article helpful?

  • 0 out of 0 found this helpful

Related articles