Wazuh is Cloudaware HIDS application built on Kibana platform. The Breeze agent needs to be installed before access to Wazuh is provided in Cloudaware Launcher.
The following modes are available for data interaction in Wazuh:
Dashboard UI
Security Events
Under the tab 'Overview' locate the section 'Security Information Management'. Select Security Events to open the dashboard.
The dashboard consists of several charts:
Alert level evolution
The chart displays IDS events by severity level over time.
Alerts
The chart displays the count of alerts over time.
Top 5 agents
The chart displays servers with Breeze that have the biggest count of alerts.
Click on the host on the donut or on the right list, and it will be automatically added as a filter. As a result, the dashboard will be updated showing the data related to this selected host.
All agents can be identified by AWS EC2 Instance ID or Azure VM ID. Wazuh displays IDS agents with instance names they were registered with, thus agents names can be changed.
Top 5 rule groups
The chart displays rules by groups.
Agents status
The charts demonstrates the health status of agents.
Alerts summary
The chart shows the pivot table of rules with rule ID, Description, Level (1-12, OSAC) and Count columns. By clicking the arrows near the column names, you can sort alerts display by ascending or descending oder.
Groups summary
The chart shows the pivot table of rule groups with Group and Count columns. By clicking the arrows near the column names, you can sort groups display by ascending or descending oder.
Time Picker
Use time picker in the upper right corner to select the time period for viewing events in question.
Filters
Options:
1. Click a chart element on the dashboard to add it as a filter.
2. Click Add a filter and select a field, an operator and a value manually. Click Save.
Hover the mouse on the filter to view additional options. You can disable filter(1), pin filter(2), exclude matches(3), remove filter(4) or edit filter(5):
File Integrity Monitoring
Under the tab 'Overview' locate the section 'Security Information Management'. Select Integrity Monitoring to review important changes that occur on hosts specifically.
FIM keeps track of everything relevant and critical to the operating system (config files, binaries, patch installation, software upgrade, etc) monitoring events in real time - the data can not be deleted or adjusted.
Raw Data UI
Go to the tab 'Discover' to open events row data for a more profound investigation.
Scroll down to select the event in question. Click the 'arrow' sign to expand the details:
Click the 'open book' sign near a string to have it added as a column in a table mode:
Click on a trend chart to zoom into any specific time period you would like to investigate, even to a few seconds period.
To undo zooming, go to the time picker in the upper right corner, click the tab 'Quick' and select the time period in question.