By following these steps, you create a user account for Expel which keeps Expel activity separate from other activity on the Wazuh console.
Note
This guide is for cloud installations of Wazuh. For on-premises installations, see the Wazuh on-prem article.
Step 1: Get the Elastic API
- Ask Wazuh support (cloud@wazuh.com) to expose the Elastic API and allow list these 6 IPs:
- Write down the exposed Elastic API. Your API URL should be similar to https://<cloud_instance>.cloud.wazuh.com/api/elastic/. Notify your engagement manager if your URL doesn't end with the suffix /api/elastic.
Step 2: Create an account in Elastic
This step configures a user with a read-only role for Expel to access this API.
Note
Expel secures all login information our SOC analysts need about your devices in an MFA password product. Access to this login information is protected using our internal MFA processes. To learn more about the IP addresses all Expel traffic comes from, go here.
- Go to Open Distro for Elasticsearch > Security > Roles > Create > Role.
- Create a role with these options:
  - Cluster Permissions: cluster_all.
  - Index Permissions: add the index * with the index permissions search, get, read.
  - Tenant permissions: global_tenant with Read only.
- Go to the Mapped Users tab and select Create Internal User.
- Type a username and password for the new user and write them down.
- Go back to the Roles screen and click Map users.
- Select the newly created user and click Save.
- Go to Wazuh > Security > Roles mapping.
- Create a new Role mapping with these options:
  - Roles: readonly.
  - Internal users: select the newly created user from the list.
Step 3: Set up the archives index
This step sets up the Wazuh-archives index.
- Go to Wazuh > Management > Configuration > Edit Configuration.
- Change the logall_json setting to yes, so that the global section of the configuration reads:
  <ossec_config>
    <global>
      <jsonout_output>yes</jsonout_output>
      <alerts_log>yes</alerts_log>
      <logall>no</logall>
      <logall_json>yes</logall_json>
    </global>
  </ossec_config>
- After you configure the archive, the archive file goes to cold storage. For investigative purposes, we want to query this index in real time. The next step is to reach out to your Wazuh support team to change this index to hot storage. This is a change to the filebeat.yml file, which must be done by the Wazuh cloud support team.
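Before handing the Step 2 credentials to Expel, it is worth confirming that the account can search the archives index from Step 3 but cannot write. The following Python check is an added example, not part of this article or of Expel's or Wazuh's tooling. It assumes the Step 1 URL proxies the Elasticsearch REST API with HTTP basic auth, reads the URL and credentials from environment variables whose names (WAZUH_ELASTIC_API, EXPEL_USER, EXPEL_PASSWORD) are chosen here, and uses a constructed probe index name for the write test.

```python
import base64
import json
import os
import urllib.error
import urllib.request

EXPECTED_SUFFIX = "/api/elastic"      # from Step 1
ARCHIVES_INDEX = "wazuh-archives-*"   # index enabled in Step 3
PROBE_INDEX = "expel-readonly-probe"  # constructed name; a correct role never creates it

def api_url_is_valid(url):
    """Step 1: the exposed URL must end with /api/elastic (trailing slash optional)."""
    return url.rstrip("/").endswith(EXPECTED_SUFFIX)

def classify_probe(search_status, write_status):
    """A correctly mapped read-only role searches the archives index (200) and is refused a write (403)."""
    if 401 in (search_status, write_status):
        return "auth-failed"       # wrong username/password, not a role problem
    if write_status in (200, 201):
        return "over-privileged"   # the account can write: the role or mapping is wrong
    if search_status == 200 and write_status == 403:
        return "ok"
    if search_status == 403:
        return "under-privileged"  # mapped, but cannot read the archives index
    return "unexpected"

def _status(url, user, password, method="GET", body=None):
    """One request with HTTP basic auth; 4xx/5xx are returned as status codes, not raised."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def verify_readonly_account(base_url, user, password):
    base = base_url.rstrip("/")
    search = _status(f"{base}/{ARCHIVES_INDEX}/_search?size=1", user, password)
    write = _status(f"{base}/{PROBE_INDEX}/_doc/1", user, password, "PUT", {"probe": True})
    return classify_probe(search, write)

if __name__ == "__main__":
    url = os.environ["WAZUH_ELASTIC_API"]  # e.g. https://<cloud_instance>.cloud.wazuh.com/api/elastic/
    if not api_url_is_valid(url):
        raise SystemExit("URL does not end with /api/elastic: notify your engagement manager")
    print(verify_readonly_account(url, os.environ["EXPEL_USER"], os.environ["EXPEL_PASSWORD"]))
```

If the result is over-privileged, the probe document was actually written and the index expel-readonly-probe should be deleted after the role mapping is corrected.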
Step 4: Configure the technology in Workbench
- In a new browser tab, go to https://workbench.expel.io/settings/security-devices?setupIntegration=wazuh. You may be asked to log into Workbench.
- Fill out the form like this:
  - Where is your device? Cloud.
  - Name: any name for the integration.
  - Location: Cloud.
  - Username: the username for the newly created user.
  - Password: the password for the newly created user.
  - Server address: type the Wazuh cloud server address.
    Note
    Don't type the Elastic API address.
  - Is this a Wazuh cloud Instance?: select Yes.
- You can set up console access now or use the instructions below to set it up later.