Wazuh is a Kibana-based application that Cloudaware uses to provide host intrusion detection (HIDS) services. The Wazuh application becomes available in Cloudaware Launcher once IDS is enabled.
Use the following modes to interact with data in Wazuh:
Dashboard UI
Security Events
Under the ‘Overview’ tab, click Security Events to open the dashboard.
Use the time picker in the upper right corner to select the time period you are interested in.
All the agents are identified using their AWS EC2 instance ID or Azure VM ID.
Here you can see the alert summary. The alert levels are the same as in OSSEC and go from 1 to 12. Click the arrow next to the count or level column to sort it in ascending or descending order.
The Top 5 agents panel shows which servers have the highest alert counts.
Click a host in the donut chart or in the list on the right, and it is automatically added as a filter; the dashboard then shows only the data related to the selected host.
To get more information about the machine, copy its ID and paste it into the CMDB search.
Actions with filter
Navigate to the filter. You can deactivate, pin, delete or edit it, or invert it to NOT by clicking the minus sign. After choosing the NOT filter you will see everything except the chosen criteria.
You can also filter your data quickly by clicking the ‘plus’ or ‘minus’ sign next to a field value. For example, you can view all the events connected to a specific rule ID:
Adding filters manually: in the left corner click ‘Add filter’, fill in the parameters and save.
You can disable a filter by unchecking its checkbox.
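The dashboard operations described above (alert level summary, top agents by alert count, include filters and the inverted NOT filter on fields such as rule.id and agent.name) are just queries over Wazuh's alert records. The following Python script is an added example, not code from the page or from Wazuh or Cloudaware: it runs the same operations offline over a handful of constructed alerts.json-style lines. The sample lines, the agent names and the function names are all assumptions made for this example; the field layout (rule.level, rule.id, agent.name) follows the Wazuh alert JSON format.

```python
import json
from collections import Counter

# Constructed sample of Wazuh alerts.json lines (made up for this example, not data from the page).
# Agent names follow the page's convention of using the EC2 instance ID or Azure VM ID.
# The last line is deliberately malformed to show that one bad record must not abort the run.
SAMPLE_ALERTS = """\
{"timestamp":"2024-01-01T10:00:00.000+0000","rule":{"level":3,"id":"5501","description":"PAM: Login session opened."},"agent":{"id":"001","name":"i-0abc123def456789a"}}
{"timestamp":"2024-01-01T10:01:00.000+0000","rule":{"level":5,"id":"5710","description":"sshd: Attempt to login using a non-existent user"},"agent":{"id":"001","name":"i-0abc123def456789a"}}
{"timestamp":"2024-01-01T10:02:00.000+0000","rule":{"level":10,"id":"5712","description":"sshd: brute force trying to get access to the system."},"agent":{"id":"002","name":"i-0fedcba987654321b"}}
{"timestamp":"2024-01-01T10:03:00.000+0000","rule":{"level":7,"id":"550","description":"Integrity checksum changed."},"agent":{"id":"003","name":"vm-azure-web01"}}
{"timestamp":"2024-01-01T10:04:00.000+0000","rule":{"level":5,"id":"5710","description":"sshd: Attempt to login using a non-existent user"},"agent":{"id":"002","name":"i-0fedcba987654321b"}}
this line is deliberately not JSON
"""


def parse_alerts(text):
    """Parse newline-delimited JSON alerts, skipping blank and malformed lines."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a corrupt record should not hide the rest of the data
    return alerts


def get_field(alert, dotted):
    """Resolve a dotted field name like 'rule.id' the way the dashboard filter does."""
    cur = alert
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def apply_filters(alerts, include=None, exclude=None):
    """include = {'field': value} behaves like a normal filter, exclude like a NOT filter."""
    include = include or {}
    exclude = exclude or {}
    kept = []
    for alert in alerts:
        if all(str(get_field(alert, k)) == str(v) for k, v in include.items()) and \
           all(str(get_field(alert, k)) != str(v) for k, v in exclude.items()):
            kept.append(alert)
    return kept


def level_summary(alerts):
    """Count alerts per rule level, sorted ascending by level."""
    return dict(sorted(Counter(get_field(a, "rule.level") for a in alerts).items()))


def top_agents(alerts, n=5):
    """The 'Top 5 agents' panel: agents with the most alerts, highest first."""
    return Counter(get_field(a, "agent.name") for a in alerts).most_common(n)


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    print("levels:", level_summary(alerts))
    print("top agents:", top_agents(alerts))
    print("rule.id is 5710:", len(apply_filters(alerts, include={"rule.id": "5710"})))
    print("NOT agent i-0abc123def456789a:",
          len(apply_filters(alerts, exclude={"agent.name": "i-0abc123def456789a"})))
```

Pointing parse_alerts at the contents of a real alerts.json export gives the same summaries the dashboard shows, which is a convenient way to double-check a filter you built in the UI.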
File integrity monitoring (FIM)
FIM monitors important changes that occur on the host itself.
It keeps track of everything relevant and critical to the operating system (configuration files, binaries, patch installation, software upgrades, etc.).
For example, to zoom into the data about a specific machine, add a filter ‘agent.name is’ and choose the machine ID (you can copy the ID from the CMDB). You will then see all the events that occurred on this particular host.
File integrity monitoring records all events in real time; the recorded data cannot be deleted or adjusted.
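To make concrete what "monitoring changes to config files and binaries" means, the following Python script is an added example, not code from the page, Wazuh or Cloudaware. It implements the core of a FIM check in the simplest form: take a baseline of content hashes, permission bits and sizes for every regular file under a directory, then diff a later snapshot against it and report added, modified and deleted files, which are the same event kinds the FIM dashboard shows. The throwaway directory tree, the file names and the function names are all assumptions made for this example.

```python
import hashlib
import os
import stat
import tempfile


def file_digest(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Snapshot every regular file under root: content hash, permission bits and size."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets etc. are not hashed in this example
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {
                "sha256": file_digest(full),
                "mode": stat.S_IMODE(st.st_mode),
                "size": st.st_size,
            }
    return baseline


def diff_baselines(old, new):
    """Return (event, path, detail) tuples: the added/modified/deleted events FIM reports."""
    events = []
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            events.append(("added", rel, ""))
        elif rel not in new:
            events.append(("deleted", rel, ""))
        elif old[rel] != new[rel]:
            changed = [k for k in ("sha256", "mode", "size") if old[rel][k] != new[rel][k]]
            events.append(("modified", rel, ",".join(changed)))
    return events


def demo():
    """Build a constructed tree, take a baseline, make typical changes, and diff."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, text, mode=0o644):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as f:
                f.write(text)
            os.chmod(full, mode)  # fix the mode explicitly so the baseline does not depend on umask
            return full

        conf = write("etc/app.conf", "debug=false\n")
        tool = write("bin/tool", "#!/bin/sh\necho ok\n")
        stale = write("etc/old.conf", "unused=1\n")
        before = build_baseline(root)

        # Changes of the kind FIM is meant to catch: a config edit, a permission
        # change on a binary, a removed file and a newly dropped file.
        with open(conf, "w") as f:
            f.write("debug=true\n")
        os.chmod(tool, 0o755)
        os.remove(stale)
        write("etc/cron.d/job", "* * * * * root /bin/true\n")

        return diff_baselines(before, build_baseline(root))


if __name__ == "__main__":
    for event, path, detail in demo():
        print(f"{event:9s} {path}" + (f" ({detail})" if detail else ""))
```

A real agent keeps the baseline in a database and stores it (and each reported event) outside the monitored host, which is why the FIM records in the dashboard cannot be edited from the machine that produced them; this script only keeps both snapshots in memory to show the comparison.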
Raw data UI
Go to Discover tab
For a deeper investigation, go to the ‘Discover’ tab, which opens the raw data user interface.
Click the ‘triangle’ sign to expand an event.
Click the ‘open book’ sign to add that field as a column in table mode. Click the ‘X’ sign to remove it from your table.
You can also zoom into a specific time period: on the time diagram, select the period by holding the left mouse button and dragging. You can zoom into any time period you want to investigate, down to a few seconds.
To undo the zoom, go to the time picker in the upper right corner, click ‘Quick’ and select the time period you need.
In the raw data UI you can also add filters by clicking the zoom in and out (plus and minus) signs, or add them manually as described above.
In the ‘Agents’ tab you can view the current status of the agents: their versions, which ones are connected, which platforms you have, etc.