To access Wazuh, log into your Cloudaware account → in the main menu under your username click Cloudaware Launcher, OR log into Cloudaware Launcher directly and select the app.
...
Info: Wazuh is the Cloudaware HIDS application built on the Kibana platform. The Breeze agent needs to be installed before access to Wazuh is provided in Cloudaware Launcher.
The following modes are available for interaction with the data in Wazuh:
Dashboard UI
...
In the time picker in the upper right corner you can pick the time period you are interested in.
All the agents are identified using their AWS EC2 instance ID or Azure VM ID.
Here you can see the alert summary. The alert levels are the same as in OSAC and go from 1 to 12. By clicking the arrow near the count or level you can sort the summary in ascending or descending order.
Top 5 agents will tell you which servers have the biggest count of alerts.
Click on the host using the donut chart or on the right list - and it will be automatically added as a filter. As a result, you will view the data related to the selected host.
To get more information about the machine, copy its ID and paste it into the CMDB search.
Actions with filter
Hover over the filter. You can deactivate, pin, delete, edit or invert it (change it to NOT) by clicking the minus sign. After choosing a NOT filter you will see everything except the chosen criteria.
You can filter your data easily by clicking the 'plus' or 'minus' signs near a value. For example, you can view all the events connected to a specific rule ID:
Adding filters manually: in the left corner click 'add filter', fill in the parameters and save.
You can easily disable the filter by unchecking the checkbox sign.
Raw data UI
For a more profound investigation, go to the 'Discover' tab. You will then drop into the raw data user interface.
Click on the ‘triangle’ sign to expand the event.
Click on the 'open book' sign and this field will be added as a column in table mode. By clicking the 'X' sign you can remove it from your table.
...
Security Events
Under the tab 'Overview' locate the section 'Security Information Management'. Select Security Events to open the dashboard.
...
The dashboard consists of several charts:
...
Alert level evolution
The chart displays IDS events by severity level over time. Read more about levels
Alerts
The chart displays the count of alerts over time.
Top 5 agents
The chart displays servers with Breeze that have the biggest count of alerts. Click on the host on the donut or pick the one in the list - the dashboard will be updated showing the data related to this selected host.
Note that a Wazuh agent is identified by the ID of the instance it was registered with, so agent names can change.
Top 5 rule groups
The chart displays rules by groups.
Agents status
The chart shows the health status of agents.
Alerts summary
The chart shows the pivot table of rules with 'Rule ID', 'Description', 'Level' (1-12, OSAC) and 'Count' columns. By clicking the arrows near the column names, you can sort alerts display in ascending or descending order.
Groups summary
The chart shows the pivot table of rule groups with 'Group' and 'Count' columns. By clicking the arrows near the column names, you can sort the groups display in ascending or descending order.
Time Picker
Use time picker in the upper right corner to select the time period for viewing events in question.
...
Search
Refer to the list of available fields on the left. Click on a field to expand details about its top-5 values. Click Add to add the field as a column into the log display table on the right to analyze data:
...
Filters
The following options can be used for filtering the information on the dashboard:
1. Click a chart element on the dashboard to add it as a filter.
...
2. Click Add a filter and select a field, an operator and a value manually. Click Save.
...
Hover the mouse over the filter to view additional options. You can disable the filter (1), pin the filter (2), exclude matches (3), remove the filter (4) or edit the filter (5):
...
3. Hover the mouse over the values in the table charts to locate the 'zoom in' and 'zoom out' icons. For example, click 'zoom in' near a rule ID to view all related events:
...
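The filter options and the summary charts above (agent.name filters, exclude-matches/NOT filters, disabled filters, Top 5 agents, Alerts summary and Groups summary) all reduce to counting and filtering the alert documents Wazuh writes to its index. The following is an added example, not Cloudaware or Wazuh code: it applies the same operations to a handful of constructed alert documents so you can see exactly which field each chart aggregates. The field names (agent.name, rule.id, rule.level, rule.description, rule.groups) are the ones Wazuh alert documents carry; the agent names, counts and rule values in SAMPLE_ALERTS are constructed for the example.

```python
"""Filter and summarize Wazuh-style alerts the way the Security Events
dashboard does. Added example; not Cloudaware or Wazuh code."""
from collections import Counter
from dataclasses import dataclass

# Constructed sample alerts using Wazuh's alert field names. Agent names follow
# the page's convention of using the cloud instance ID as the agent name.
SAMPLE_ALERTS = [
    {"agent": {"name": "i-0aaa"}, "rule": {"id": "5710", "level": 5,
        "description": "sshd: Attempt to login using a non-existent user",
        "groups": ["syslog", "sshd", "authentication_failed"]}},
    {"agent": {"name": "i-0aaa"}, "rule": {"id": "5710", "level": 5,
        "description": "sshd: Attempt to login using a non-existent user",
        "groups": ["syslog", "sshd", "authentication_failed"]}},
    {"agent": {"name": "i-0aaa"}, "rule": {"id": "5712", "level": 10,
        "description": "sshd: brute force trying to get access to the system.",
        "groups": ["syslog", "sshd", "authentication_failures"]}},
    {"agent": {"name": "i-0bbb"}, "rule": {"id": "550", "level": 7,
        "description": "Integrity checksum changed.",
        "groups": ["ossec", "syscheck"]}},
    {"agent": {"name": "i-0bbb"}, "rule": {"id": "5710", "level": 5,
        "description": "sshd: Attempt to login using a non-existent user",
        "groups": ["syslog", "sshd", "authentication_failed"]}},
    {"agent": {"name": "i-0ccc"}, "rule": {"id": "5501", "level": 3,
        "description": "PAM: Login session opened.",
        "groups": ["pam", "syslog", "authentication_success"]}},
]


def get_field(doc, path):
    """Resolve a dotted field name such as 'agent.name' or 'rule.level'."""
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


@dataclass
class Filter:
    """One dashboard filter: 'field is value', optionally negated or disabled."""
    field: str
    value: object
    negate: bool = False    # the 'exclude matches' (NOT) option
    enabled: bool = True    # 'disable filter' keeps it but stops applying it

    def matches(self, doc):
        actual = get_field(doc, self.field)
        # list-valued fields such as rule.groups match when the value is a member
        hit = self.value in actual if isinstance(actual, list) else actual == self.value
        return (not hit) if self.negate else hit


def apply_filters(alerts, filters):
    """Keep only alerts matching every enabled filter (filters are AND-ed)."""
    active = [f for f in filters if f.enabled]
    return [a for a in alerts if all(f.matches(a) for f in active)]


def top_agents(alerts, n=5):
    """'Top 5 agents' chart: agents with the most alerts, as (name, count)."""
    return Counter(get_field(a, "agent.name") for a in alerts).most_common(n)


def alerts_summary(alerts, sort_by="count", ascending=False):
    """'Alerts summary' pivot: one row per rule id with description, level, count."""
    rows = {}
    for a in alerts:
        rid = get_field(a, "rule.id")
        row = rows.setdefault(rid, {"rule_id": rid,
                                    "description": get_field(a, "rule.description"),
                                    "level": get_field(a, "rule.level"),
                                    "count": 0})
        row["count"] += 1
    # sort by the chosen column, rule id as a stable tie-breaker
    return sorted(rows.values(), key=lambda r: (r[sort_by], r["rule_id"]),
                  reverse=not ascending)


def groups_summary(alerts):
    """'Groups summary' pivot: (group, count), most frequent first."""
    counts = Counter(g for a in alerts for g in (get_field(a, "rule.groups") or []))
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    # The UI flow from the page: click one host, then exclude one noisy rule.
    selected = apply_filters(SAMPLE_ALERTS, [Filter("agent.name", "i-0aaa"),
                                             Filter("rule.id", "5710", negate=True)])
    print("Top agents:", top_agents(SAMPLE_ALERTS))
    print("Alerts summary for i-0aaa without rule 5710:", alerts_summary(selected))
    print("Groups summary:", groups_summary(SAMPLE_ALERTS))
```

Pinning a filter is a navigation feature (the filter survives switching dashboards) and has no data-level equivalent, so it is not modelled here; the disable and exclude-matches options are, because they change which alerts are counted.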
File Integrity Monitoring
Under the tab 'Overview' locate the section 'Security Information Management'. Select Integrity Monitoring to review important changes that occur on hosts specifically.
...
FIM keeps track of everything relevant and critical to the operating system (config files, binaries, patch installation, software upgrades, etc.), monitoring events in real time.
Raw Data UI
Go to the 'Discover' tab to open the raw event data for a more profound investigation.
...
Scroll down to select the event in question. Click the 'arrow' icon to expand the details:
...
Click the 'open book' icon near a field to have it added as a column in table mode:
...
Click on a trend chart to zoom into any specific time period you would like to investigate, even down to a few seconds. If you want to
...
To undo zooming, go to the time picker in the upper right corner, click the 'Quick' tab and select a different time period.
Filters
In this raw data UI you can also add filters by clicking the 'zoom in' and 'zoom out' icons, or add them manually as described above.
File integrity monitoring (FIM)
FIM monitors important changes that occur on the host itself.
It keeps track of everything relevant and critical to the operating system (config files, binaries, patch installation, software upgrade etc.).
For example, zoom into the data about a specific machine. Add a filter ‘agent.name is ’ and choose the machine ID (you can get and copy the id from the CMDB). You will be able to view all the events that occurred with this particular host.
File integrity monitoring records all events in real time; the recorded data cannot be deleted or adjusted.
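To make concrete what "keeping track of config files and binaries" means, here is an added example (not Wazuh's syscheck and not Cloudaware code) of the basic mechanism behind file integrity monitoring: take a baseline of file hashes, take a later snapshot, and report every path that was added, modified or deleted. The directory tree, file names and contents are constructed inside a temporary directory so the example runs offline; a real FIM agent persists the baseline and emits each difference as an alert like the ones shown in the dashboard.

```python
"""Baseline-and-diff file integrity check. Added example; not Wazuh's syscheck."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map every regular file under root (relative POSIX path) to its hash and size."""
    root = Path(root)
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            result[rel] = {"sha256": sha256_of(path), "size": path.stat().st_size}
    return result


def diff_snapshots(before, after):
    """Return FIM-style events: one dict per added, deleted or modified path."""
    events = []
    for rel in sorted(set(before) | set(after)):
        if rel not in before:
            events.append({"path": rel, "event": "added"})
        elif rel not in after:
            events.append({"path": rel, "event": "deleted"})
        elif before[rel]["sha256"] != after[rel]["sha256"]:
            events.append({"path": rel, "event": "modified"})
    return events


def demo():
    """Build a constructed file tree, baseline it, change it, and return the events."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "tool").write_bytes(b"\x7fELF constructed placeholder binary")
        baseline = snapshot(root)

        # Simulated changes since the baseline: an edited config file,
        # a removed file, and a new file in a new directory.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\nPort 2222\n")
        (root / "etc" / "hosts").unlink()
        (root / "etc" / "cron.d").mkdir()
        (root / "etc" / "cron.d" / "job").write_text("0 * * * * root /bin/tool\n")

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for event in demo():
        print(f"{event['event']:9} {event['path']}")
```

Unchanged files (bin/tool above) produce no event, which is the point of hashing rather than relying on timestamps: a file rewritten with identical contents is not a change, and a file whose mtime was reset but whose contents differ still is.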
In the 'agents' tab you can view the current status of your agents: the versions, who is connected, what platforms you have, etc. For example, locate a field in the list on the left and click 'zoom in' to filter by this value. As a result, the value in question will be highlighted yellow:
...