Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Info

Wazuh is Cloudaware HIDS application built on Kibana platform. The Breeze agent needs to be installed before access to Wazuh is provided in Cloudaware Launcher.

...

The following modes are available for interaction with the data interaction in Wazuh:

Table of Contents

...

The chart displays IDS events by severity level over time. Read more about levels

Alerts

...

The chart displays servers with Breeze that have the biggest count of alerts. Click on the host on the donut or on pick the one in the right list, and it will be automatically added as a filter. As a result, list - the dashboard will be updated showing the data related to this selected host.

All agents Note that a Wazuh agent can be identified by AWS EC2 Instance ID or Azure VM ID. Wazuh displays IDS agents with instance names they were ID of the instance it was registered with, thus agents names can be changed.

...

The chart shows the pivot table of rules with rule 'Rule ID', 'Description', 'Level' (1-12, OSAC) and 'Count' columns. By clicking the arrows near the column names, you can sort alerts display by in ascending or descending oderorder.

Groups summary

The chart shows the pivot table of rule groups with 'Group' and 'Count' columns. By clicking the arrows near the column names, you can sort groups display by in ascending or descending oder.

...

Use time picker in the upper right corner to select the time period for viewing events in question.

...

Refer to the list of available fields on the left. Click on a field to expand details about its top-5 values. Click Add to add the field as a column into the log display table on the right to analyze data:

...

The following options can be used for filtering the information on the dashboard:

...

2. Click Add a filter and select a field, an operator and a value manually. Click Save.

...

Hover the mouse on the filter to view additional options. You can disable filter(1), pin filter(2), exclude matches(3), remove filter(4) or edit filter(5):

...

FIM keeps track of everything relevant and critical to the operating system (config files, binaries, patch installation, software upgrade, etc) monitoring events in real time - the data can not be deleted or adjusted.

Go to the tab 'Discover' to open events row data for a more profound investigation.

...

Scroll down to select the event in question. Click the 'arrow' sign icon to expand the details:

...

Click the 'open book' sign icon near a string to have it added as a column in a table mode:

...

To undo zooming, go to the time picker in the upper right corner, click the tab 'Quick' and select the a different time period in question.

In row data UI you can add filters by clicking 'zoom in' and 'zoom out' signs icons or add them manually.  For example, refer to locate a field in the list of available fields on the left. Click on a field to expand details about top-5 values. Click Add to add the field as a column into the log display table on the right to analyze data.

...

Click 'zoom in' to filter by this value. As a result, the value in question will be highlighted yellow:

...