
Wazuh is a Kibana-based application used by Cloudaware to provide HIDS services. The Wazuh application is available in Cloudaware Launcher once IDS is enabled.

...

Wazuh is a HIDS application built on the Kibana platform. The Breeze agent must be installed before access to Wazuh is provided in Cloudaware Launcher.

The following views are available for working with data in Wazuh:


Under the 'Overview' tab, locate the section 'Security Information Management'. Select 'Security Events' to open the dashboard.

In the time picker in the upper right corner you can pick the time period you are interested in.

All the agents are identified using their AWS EC2 instance ID or Azure VM ID.

Here you can see the alert summary. The alert levels are the same as in OSSEC and go from 1 to 12. By clicking the arrow next to the count or level you can sort the summary in ascending or descending order.

...

The dashboard consists of several charts:

...

Alert level evolution

The chart displays IDS events by severity level over time.

Read more about levels

Alerts

The chart displays the count of alerts over time.

Top 5 agents

The chart displays the servers running Breeze that have the highest alert counts.

Click a host in the donut chart or in the list to its right, and it is automatically added as a filter. The dashboard is then updated to show only the data related to the selected host.

To get more information about the machine, copy its ID and paste it into the CMDB search.

Actions with a filter

Hover over the filter to deactivate, pin, delete, edit or invert it. All agents are identified by their AWS EC2 instance ID or Azure VM ID. Wazuh displays IDS agents with the instance names they were registered with, so agent names can change.


Top 5 rule groups

The chart displays the five rule groups with the highest alert counts.

Agents status

The chart shows the health status of the agents.

Alerts summary

The chart shows a pivot table of rules with Rule ID, Description, Level (1-12, as in OSSEC) and Count columns. By clicking the arrows next to the column names you can sort the alerts in ascending or descending order.

Groups summary

The chart shows a pivot table of rule groups with Group and Count columns. By clicking the arrows next to the column names you can sort the groups in ascending or descending order.

Use the time picker in the upper right corner to select the time period for the events in question.

...

Options:

1. Click a chart element on the dashboard to add it as a filter.

...

2. Click 'Add a filter' and select a field, an operator and a value. Click Save.

...

Hover the mouse over the filter to view additional options:

...

You can disable the filter (1), pin it (2), exclude matches (3), remove it (4) or edit it (5).

Change a filter to NOT by clicking the minus sign. With a NOT filter you see everything except the chosen criteria.

...

You can easily disable the filter by unchecking the checkbox sign.
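The pivot tables above (Alerts summary, Groups summary, Top 5 agents, Alert level evolution) and the filter options (is / is not, combined with AND) are all derived from the same Wazuh alert documents in the wazuh-alerts index. The following is an added example, not code from Cloudaware or the Wazuh project, that rebuilds those pivots and filter semantics over a handful of constructed alert documents. The field names (agent.name, rule.id, rule.level, rule.groups) follow the Wazuh alert schema; the agent names and the specific rule IDs and descriptions are assumptions chosen for illustration.

```python
"""Added example (not from the Cloudaware/Wazuh page): how the Security Events
dashboard pivots and the Kibana filters map onto Wazuh alert documents."""
from collections import Counter

# Constructed sample alerts, shaped like documents in the wazuh-alerts-* index.
# Agent names are EC2 instance IDs / an Azure VM name; rule IDs, descriptions
# and levels are illustrative values, not a real capture.
SAMPLE_ALERTS = [
    {"timestamp": "2020-05-01T10:00:00Z", "agent": {"name": "i-0abc123def456"},
     "rule": {"id": "5710", "description": "sshd: Attempt to login using a non-existent user",
              "level": 5, "groups": ["syslog", "sshd", "authentication_failed"]}},
    {"timestamp": "2020-05-01T10:02:00Z", "agent": {"name": "i-0abc123def456"},
     "rule": {"id": "5710", "description": "sshd: Attempt to login using a non-existent user",
              "level": 5, "groups": ["syslog", "sshd", "authentication_failed"]}},
    {"timestamp": "2020-05-01T10:05:00Z", "agent": {"name": "i-0abc123def456"},
     "rule": {"id": "5712", "description": "sshd: brute force trying to get access to the system.",
              "level": 10, "groups": ["syslog", "sshd", "authentication_failures"]}},
    {"timestamp": "2020-05-01T11:00:00Z", "agent": {"name": "vm-web-01"},
     "rule": {"id": "550", "description": "Integrity checksum changed.",
              "level": 7, "groups": ["ossec", "syscheck"]}},
    {"timestamp": "2020-05-01T11:30:00Z", "agent": {"name": "vm-web-01"},
     "rule": {"id": "5402", "description": "Successful sudo to ROOT executed",
              "level": 3, "groups": ["syslog", "sudo"]}},
    {"timestamp": "2020-05-01T12:00:00Z", "agent": {"name": "i-0fedcba987654"},
     "rule": {"id": "550", "description": "Integrity checksum changed.",
              "level": 7, "groups": ["ossec", "syscheck"]}},
]


def get_field(doc, path):
    """Resolve a dotted Kibana field name such as 'agent.name' or 'rule.level'."""
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches(doc, field, value, negate=False):
    """One Kibana 'is' filter; negate=True is the 'exclude matches' (NOT) form.
    A list-valued field such as rule.groups matches when it contains the value."""
    actual = get_field(doc, field)
    hit = value in actual if isinstance(actual, list) else actual == value
    return hit != negate


def apply_filters(alerts, filters):
    """filters: list of (field, value, negate). Every active filter must hold (AND),
    which is how the filter bar combines several filters."""
    return [a for a in alerts if all(matches(a, f, v, n) for f, v, n in filters)]


def to_query_dsl(filters):
    """The Elasticsearch bool query equivalent to the same filter bar: 'is' filters
    become filter clauses, 'is not' (NOT) filters become must_not clauses."""
    wanted = [{"match_phrase": {f: v}} for f, v, n in filters if not n]
    excluded = [{"match_phrase": {f: v}} for f, v, n in filters if n]
    return {"query": {"bool": {"filter": wanted, "must_not": excluded}}}


def alerts_summary(alerts):
    """'Alerts summary' pivot: (rule id, description, level) -> count, highest count first."""
    c = Counter((a["rule"]["id"], a["rule"]["description"], a["rule"]["level"]) for a in alerts)
    return sorted(c.items(), key=lambda kv: (-kv[1], kv[0][0]))


def groups_summary(alerts):
    """'Groups summary' pivot: one alert counts once for every group its rule belongs to."""
    c = Counter(g for a in alerts for g in a["rule"]["groups"])
    return sorted(c.items(), key=lambda kv: (-kv[1], kv[0]))


def top_agents(alerts, n=5):
    """'Top 5 agents': the agents with the most alerts in the selected period."""
    return Counter(a["agent"]["name"] for a in alerts).most_common(n)


def level_evolution(alerts):
    """'Alert level evolution': alerts per (hour bucket, rule level)."""
    return dict(Counter((a["timestamp"][:13], a["rule"]["level"]) for a in alerts))


if __name__ == "__main__":
    one_host = apply_filters(SAMPLE_ALERTS, [("agent.name", "i-0abc123def456", False)])
    print("alerts for i-0abc123def456:", len(one_host))
    print("alerts summary:", alerts_summary(SAMPLE_ALERTS))
    print("groups summary:", groups_summary(SAMPLE_ALERTS))
    print("top agents:", top_agents(SAMPLE_ALERTS))
    print("level evolution:", level_evolution(SAMPLE_ALERTS))
    print("query DSL:", to_query_dsl([("rule.groups", "syscheck", False),
                                      ("agent.name", "vm-web-01", True)]))
```

Note that groups_summary counts an alert once per group, so its totals exceed the number of alerts; this is why the Groups summary on the dashboard does not add up to the alert count shown in the Alerts chart.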

...

Under the 'Overview' tab, locate the section 'Security Information Management'. Select 'Integrity Monitoring' to review important changes that occur on the hosts themselves.

FIM keeps track of everything relevant and critical to the operating system (config files, binaries, patch installation, software upgrades, etc.), recording events in real time. The recorded data cannot be deleted or adjusted.

For example, to zoom in on a specific machine, add a filter 'agent.name is' and choose the machine ID (you can copy the ID from the CMDB). You will then see all the events that occurred on this particular host.

...

To open raw event data for a deeper investigation, go to the 'Discover' tab. This drops you into the raw data user interface.

...

Scroll down to the event in question and click the triangle sign to expand the event details.

Click the 'open book' sign next to a field to add it as a column in table mode. Click the 'X' sign to remove it from your table.

...

In the raw data UI you can also add filters by clicking the zoom-in (filter for value) and zoom-out (filter out value) signs next to a field, or add them manually as described above.

Go to the 'Agents' tab to view a summary of the IDS agents in place: their versions, which are connected, what platforms you have, etc.