
Wazuh is Cloudaware's HIDS (host-based intrusion detection) application, built on the Kibana platform. The Breeze agent must be installed on a host before access to Wazuh is provided in Cloudaware Launcher.

Wazuh offers the following views for working with the data: Security Events, Integrity Monitoring and Discover.

Under the 'Overview' tab, locate the 'Security Information Management' section and select Security Events to open the dashboard.

The dashboard consists of several charts:

Alert level evolution

The chart displays IDS events by rule severity level over time.

Read more about levels

Alerts

The chart displays the count of alerts over time.

Top 5 agents

The chart displays the five Breeze-agent hosts with the highest alert counts.

Click a host on the donut or in the list on the right, and it is automatically added as a filter. The dashboard is then updated to show only the data for the selected host.

All agents can be identified by their AWS EC2 Instance ID or Azure VM ID. Wazuh displays IDS agents under the name they were registered with, and these agent names can be changed later.


Top 5 rule groups

The chart displays the five rule groups with the highest alert counts.

Agents status

The chart shows the health status of the agents.

Alerts summary

The chart shows a pivot table of rules with Rule ID, Description, Level (the OSSEC/Wazuh rule severity level) and Count columns. Click the arrows next to a column name to sort the alerts in ascending or descending order.

Groups summary

The chart shows a pivot table of rule groups with Group and Count columns. Click the arrows next to a column name to sort the groups in ascending or descending order. An alert belongs to every group listed in its rule, so the group counts can add up to more than the total number of alerts.

Use the time picker in the upper right corner to select the time period for the events in question.

Options:

1. Click a chart element on the dashboard to add it as a filter.

2. Click Add a filter and select a field, an operator and a value manually. Click Save.

Hover over a filter to view additional options. You can disable the filter (1), pin it (2), exclude matches (3), remove it (4) or edit it (5):
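The dashboard charts above (Alert level evolution, Top 5 agents, Top 5 rule groups, Alerts summary, Groups summary) are aggregations over the raw alert records, and the filter options are predicates applied to those records before aggregating. The following script, added here as an illustration and not code from the Cloudaware page or the Wazuh project, rebuilds those summaries from a handful of constructed alerts. The alerts are shaped like Wazuh's alerts.json (fields `rule.id`, `rule.level`, `rule.groups`, `agent.name`); the hosts, timestamps and exact rule wording are made up for the example. The filter operators (`is`, `is one of`, `is between`, `exists`) and the `exclude` switch mirror Kibana's filter editor but are an assumed, simplified re-implementation:

```python
import json
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample alerts in the shape of Wazuh's alerts.json (one JSON
# object per line). Rule IDs/descriptions resemble common Wazuh sshd and
# syscheck rules; hosts and timestamps are invented for this example.
SAMPLE_ALERTS_NDJSON = "\n".join(json.dumps(a) for a in [
    {"timestamp": "2019-03-04T10:00:12.000+0000",
     "rule": {"id": "5715", "level": 3, "description": "sshd: authentication success.",
              "groups": ["syslog", "sshd", "authentication_success"]},
     "agent": {"id": "001", "name": "i-0abc123"}},
    {"timestamp": "2019-03-04T10:05:40.000+0000",
     "rule": {"id": "5710", "level": 5, "description": "sshd: Attempt to login using a non-existent user",
              "groups": ["syslog", "sshd", "invalid_login", "authentication_failed"]},
     "agent": {"id": "002", "name": "i-0def456"}},
    {"timestamp": "2019-03-04T10:06:02.000+0000",
     "rule": {"id": "5710", "level": 5, "description": "sshd: Attempt to login using a non-existent user",
              "groups": ["syslog", "sshd", "invalid_login", "authentication_failed"]},
     "agent": {"id": "002", "name": "i-0def456"}},
    {"timestamp": "2019-03-04T10:07:15.000+0000",
     "rule": {"id": "5712", "level": 10, "description": "sshd: brute force trying to get access to the system.",
              "groups": ["syslog", "sshd", "authentication_failures"]},
     "agent": {"id": "002", "name": "i-0def456"}},
    {"timestamp": "2019-03-04T11:30:00.000+0000",
     "rule": {"id": "550", "level": 7, "description": "Integrity checksum changed.",
              "groups": ["ossec", "syscheck"]},
     "agent": {"id": "001", "name": "i-0abc123"},
     "syscheck": {"path": "/etc/passwd", "event": "modified"}},
    {"timestamp": "2019-03-04T11:31:00.000+0000",
     "rule": {"id": "5715", "level": 3, "description": "sshd: authentication success.",
              "groups": ["syslog", "sshd", "authentication_success"]},
     "agent": {"id": "003", "name": "i-0ghi789"}},
])


def load_alerts(ndjson):
    """Parse newline-delimited JSON alerts, skipping blank lines."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def get_field(alert, dotted):
    """Resolve a Kibana-style dotted field name ('rule.level') against a nested alert."""
    cur = alert
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def matches(alert, field, op, value):
    """Evaluate one filter condition; array fields (rule.groups) match if any element does."""
    actual = get_field(alert, field)
    values = actual if isinstance(actual, list) else [actual]
    if op == "exists":
        return actual is not None
    if op == "is":
        return value in values
    if op == "is one of":
        return any(v in value for v in values)
    if op == "is between":  # inclusive numeric range, value = (low, high)
        lo, hi = value
        return any(v is not None and lo <= v <= hi for v in values)
    raise ValueError("unsupported operator: %s" % op)


def apply_filter(alerts, field, op, value, exclude=False):
    """Keep matching alerts; exclude=True inverts the condition (Kibana's 'exclude matches')."""
    return [a for a in alerts if matches(a, field, op, value) != exclude]


def alerts_summary(alerts):
    """Alerts summary pivot: (rule.id, description, level, count), most frequent first."""
    counts, meta = Counter(), {}
    for a in alerts:
        rule = a["rule"]
        counts[rule["id"]] += 1
        meta[rule["id"]] = (rule["description"], rule["level"])
    rows = [(rid, meta[rid][0], meta[rid][1], n) for rid, n in counts.items()]
    return sorted(rows, key=lambda row: (-row[3], row[0]))


def groups_summary(alerts):
    """Groups summary pivot: alerts per rule group; one alert counts in each of its groups."""
    counts = Counter()
    for a in alerts:
        counts.update(a["rule"].get("groups", []))
    return counts


def top_agents(alerts, n=5):
    """Top N agents by alert count, as (agent.name, count) pairs."""
    return Counter(a["agent"]["name"] for a in alerts).most_common(n)


def level_evolution(alerts, bucket_minutes=60):
    """Alert level evolution: {bucket start (UTC) -> Counter(level -> count)}.
    bucket_minutes must divide 60 (e.g. 5, 15, 60)."""
    buckets = defaultdict(Counter)
    for a in alerts:
        ts = datetime.strptime(a["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        ts = ts.replace(minute=(ts.minute // bucket_minutes) * bucket_minutes, second=0, microsecond=0)
        buckets[ts.strftime("%Y-%m-%dT%H:%M")][a["rule"]["level"]] += 1
    return dict(buckets)


if __name__ == "__main__":
    alerts = load_alerts(SAMPLE_ALERTS_NDJSON)
    print("Top agents:", top_agents(alerts))
    print("Alerts summary:", alerts_summary(alerts))
    # Clicking a host on the Top 5 agents donut is the same as this agent.name filter.
    print("Only i-0def456:", alerts_summary(apply_filter(alerts, "agent.name", "is", "i-0def456")))
```

Running it against a real alerts.json export instead of the constructed sample only needs `load_alerts` fed from the file; the aggregation functions are the same ones the dashboard tiles represent, which makes them a handy cross-check when a chart looks wrong.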

Under the 'Overview' tab, locate the 'Security Information Management' section and select Integrity Monitoring to review important changes that occurred on the hosts.

FIM (file integrity monitoring) keeps track of everything relevant and critical to the operating system (configuration files, binaries, patch installations, software upgrades, etc.), recording change events in real time. Once recorded, the event data cannot be deleted or adjusted.
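A FIM event records what changed on a path and, for modifications, the hash before and after the change. Because consecutive events for the same file should chain (the `sha1_after` of one event equals the `sha1_before` of the next), that chain is a practical check that no change to a critical file went unrecorded. The script below, an added example rather than code from the Cloudaware page or the Wazuh project, builds a per-host, per-path change history from constructed syscheck alerts and reports where the chain breaks. Field names (`syscheck.path`, `syscheck.event`, `syscheck.sha1_before`, `syscheck.sha1_after`) follow Wazuh's alerts.json; the hashes, hosts and timestamps are invented:

```python
import json
from collections import defaultdict

# Constructed syscheck (FIM) alerts in Wazuh alerts.json shape. The second
# /etc/passwd event deliberately starts from a hash that does not match the
# previous event's sha1_after, i.e. one change was never recorded.
SAMPLE_FIM_NDJSON = "\n".join(json.dumps(a) for a in [
    {"timestamp": "2019-03-04T09:00:00.000+0000", "agent": {"name": "i-0abc123"},
     "rule": {"id": "554", "level": 5, "description": "File added to the system."},
     "syscheck": {"path": "/etc/cron.d/backup", "event": "added",
                  "sha1_after": "a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1"}},
    {"timestamp": "2019-03-04T11:30:00.000+0000", "agent": {"name": "i-0abc123"},
     "rule": {"id": "550", "level": 7, "description": "Integrity checksum changed."},
     "syscheck": {"path": "/etc/passwd", "event": "modified",
                  "sha1_before": "b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2",
                  "sha1_after": "c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3c3"}},
    {"timestamp": "2019-03-04T12:00:00.000+0000", "agent": {"name": "i-0abc123"},
     "rule": {"id": "550", "level": 7, "description": "Integrity checksum changed."},
     "syscheck": {"path": "/etc/passwd", "event": "modified",
                  "sha1_before": "d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4d4",
                  "sha1_after": "e5e5e5e5e5e5e5e5e5e5e5e5e5e5e5e5e5e5e5e5"}},
    {"timestamp": "2019-03-04T13:00:00.000+0000", "agent": {"name": "i-0abc123"},
     "rule": {"id": "553", "level": 7, "description": "File deleted."},
     "syscheck": {"path": "/etc/cron.d/backup", "event": "deleted",
                  "sha1_before": "a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1"}},
])


def load_fim_alerts(ndjson):
    """Parse newline-delimited alerts and keep only those carrying a syscheck block."""
    alerts = [json.loads(line) for line in ndjson.splitlines() if line.strip()]
    return [a for a in alerts if "syscheck" in a]


def change_history(alerts):
    """Group FIM events by (agent.name, path), ordered by timestamp.

    Each entry is (timestamp, event, sha1_before, sha1_after); 'added' events
    have no sha1_before and 'deleted' events have no sha1_after.
    Timestamps share one format and offset, so string order is time order."""
    history = defaultdict(list)
    for a in alerts:
        sc = a["syscheck"]
        history[(a["agent"]["name"], sc["path"])].append(
            (a["timestamp"], sc["event"], sc.get("sha1_before"), sc.get("sha1_after")))
    for events in history.values():
        events.sort(key=lambda e: e[0])
    return dict(history)


def find_chain_gaps(history):
    """Return (agent, path, timestamp) for every event whose sha1_before does not
    equal the previous recorded sha1_after of the same file. A gap means the file
    changed between two recorded events without a FIM alert for that change."""
    gaps = []
    for (agent, path), events in history.items():
        for prev, cur in zip(events, events[1:]):
            prev_after, cur_before = prev[3], cur[2]
            if prev_after is not None and cur_before is not None and prev_after != cur_before:
                gaps.append((agent, path, cur[0]))
    return gaps


if __name__ == "__main__":
    hist = change_history(load_fim_alerts(SAMPLE_FIM_NDJSON))
    for (agent, path), events in sorted(hist.items()):
        print(agent, path)
        for ts, event, before, after in events:
            print("  %s %-8s %s -> %s" % (ts, event, before, after))
    print("Chain gaps:", find_chain_gaps(hist))
```

The added/deleted pair for /etc/cron.d/backup is consistent (the file deleted has the hash it was created with), while the second /etc/passwd modification is reported because its starting hash is not the one the previous event left behind. When investigating such a gap, the Discover view described below is where the raw events on either side of it are examined.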

Go to the 'Discover' tab to open the raw event data for a more thorough investigation.

Scroll down to the event in question and click the arrow to expand its details:

Click the 'open book' icon next to a field to add it as a column in table view:

Click on the trend chart to zoom into a specific time period you want to investigate, down to a range of a few seconds.

To undo the zoom, open the time picker in the upper right corner, click the 'Quick' tab and select the time period in question.
