Wazuh is Cloudaware HIDS application built on Kibana platform. The Breeze agent needs to be installed before access to Wazuh is provided in Cloudaware Launcher.
The following modes are available for data interaction in Wazuh:
Dashboard UI
Security Events
Under the tab 'Overview' locate the section 'Security Information Management'. Select Security Events to open the dashboard.
The dashboard consists of several charts:
Alert level evolution
The chart displays IDS events by severity level over time.
Alerts
The chart displays the count of alerts over time.
Top 5 agents
The chart displays servers with Breeze that have the biggest count of alerts.
Click on the host in the donut or on the right list, and it will be automatically added as a filter. As a result, the dashboard will be updated showing the the data related to this selected host.
All agents can be identified by AWS EC2 Instance ID or Azure VM ID. Wazuh displays IDS agents with instance names they were registered with, thus agents names can be changed.
Top 5 rule groups
The chart displays rules by groups.
Agents status
The charts demonstrates the health status of agents.
Alerts summary
The chart shows the pivot table of rules with rule ID, Description, Level (1-12, OSAC) and Count columns. By clicking the arrows near the column names, you can sort alerts display by ascending or descending oder.
Groups summary
The chart shows the pivot table of rule groups with Group and Count columns. By clicking the arrows near the column names, you can sort groups display by ascending or descending oder.
Time Picker
Use time picker in the upper right corner to select the time period for viewing events in question.
Filters
Options:
1. Click a chart element on the dashboard to add it as a filter.
2. Click Add a filter and select a field, an operator and a value. Click Save.
Hover the mouse on the filter to view additional options:
You can disable filter(1), pin filter(2), exclude matches(3), remove filter(4) or edit filter(5).
change to NOT by clicking the minus sign. After choosing NOT filter you will be able to view everything, except for the chosen criteria.
You can filter your date easily by clicking ‘plus’ or ‘minus’ signs near the string. For example, you can view all the events connected to the concrete rule ID:
Adding filters manually : in the left corner click ‘add filter’, fill in parameters and save.
You can easily disable the filter by unchecking the checkbox sign.
File Integrity Monitoring (FIM)
Under the tab 'Overview' locate the section 'Security Information Management'. Select Integrity Monitoring to review important changes that occur on hosts specifically.
FIM keeps track of everything relevant and critical to the operating system (config files, binaries, patch installation, software upgrade, etc) monitoring events in real time - the data can not be deleted or adjusted.
For example, zoom into the data about a specific machine. Add a filter ‘agent.name is ’ and choose the machine ID (you can get and copy the id from the CMDB). You will be able to view all the events that occurred with this particular host.
Raw Data UI
Go to the tab 'Discover' to open events row data for a more profound investigation.
Scroll down to select the event in question. Click the triangle' sign to expand the details.
Click the 'open book' sign and this string will be added as a column in a table mode. By clicking the 'X’ sign you can remove it from your table.
You can also zoom into a specific time period. On the time diagram mark the period by left-clicking the mouse and holding it. You can zoom into a whatever specific time period you want to investigate, even to a few seconds period.
If you want to undo zooming , go to the time picker in the upper right corner, click on ‘quick’ and select the time period you need.
In this raw data UI you can also add filters by clicking zoom in and out signs or add them manually as mentioned above.
Agents
Go to the tab 'Agents' to view the summary about IDS agents in place, their versions, who is connected, what platforms you have, etc.