Creating Custom Wazuh Dashboard [DL Series-8]

As we conclude the Detection Lab series, we arrive at an essential component of effective threat detection and analysis: building a custom Wazuh dashboard. This chapter ties together the insights and configurations from previous articles, providing a centralized, intuitive, and actionable view of your security environment.

Why Customize Your Dashboard?

A well-designed dashboard does more than display data; it simplifies decision-making. With custom visualizations, security teams can:

  • Focus on critical alerts: Highlight high-priority threats and anomalies.
  • Improve response time: Enable quick access to actionable data.
  • Streamline workflows: Reduce noise and provide clear insights into specific metrics.

Prerequisites

Before diving into customization, ensure you have:

  • A functional Wazuh environment.
  • Logs flowing from multiple sources, such as Linux, macOS, Windows, or network monitoring tools like Suricata.

If you’ve followed the series, you should already have these components in place.

Planning Your Dashboard

Before creating visualizations, identify your key performance indicators (KPIs). Some useful metrics include:

  • Agent Status: Number of connected/disconnected agents.
  • Threat Trends: Frequency and types of alerts over time.
  • Source-Specific Insights: Custom views for o365, SSH, or Suricata logs.

Let me take you through 3 dashboards that I created for this detection lab series.

1. High & Critical Alerts Dashboard

This dashboard focuses on high-severity and critical-severity alerts that require immediate attention. It includes the following visualizations to ensure comprehensive monitoring:

  • EPS Count (Gauge): This gauge visualizes the average Events Per Second (EPS) count. It provides a real-time overview of log activity, helping identify baseline performance and potential anomalies.
  • Top 3 Agents by Log Count (Pie Chart): By highlighting the top three agents with the highest log counts, this chart helps pinpoint potential sources of unusual activity during EPS spikes.
  • Event — Location (Stacked Bar Chart): This visualization categorizes events by location, offering valuable context for investigating EPS spikes and tracking region-specific activities.
  • Disconnected & Active Agents (Metric): A quick count of disconnected and active agents, aiding in operational monitoring and confirming that every endpoint is still reporting.
  • High Alerts and Critical Alerts (Data Table): Displays alerts with rule levels categorized as high (10–12) and critical (13–15). This table ensures that no critical alerts are missed and security analysts can quickly identify the most severe issues.
  • Successful Login: Non-Native (Critical) and O365 Successful Login: Non-Native (Critical) (Data Table): These actionable tables flag critical non-native logins. They are vital for detecting unauthorized access via SSH and O365, helping identify account compromise scenarios promptly.
  • Discover Tab: This tab provides the ability to dive deeper into specific alerts, facilitating targeted investigations and allowing precise filtering of data for detailed analysis.
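The visualizations above are all aggregations over the same alert stream. The following added example (written for this article, not code from the original post or from the Wazuh project) computes the dashboard's KPIs from constructed alert lines shaped like Wazuh's alerts.json, buckets rule levels into the high (10–12) and critical (13–15) bands the data table uses, and builds the equivalent OpenSearch range filter for the data table. The alert contents, agent names and agent status list are invented; the field names and the "active"/"disconnected" status values are the ones Wazuh uses.

```python
"""KPIs behind a 'High & Critical Alerts' dashboard, computed from Wazuh alert JSON.

Added example; not code from the article or from the Wazuh project. The alert
lines are constructed to mirror the shape of alerts.json (timestamp, rule.level,
rule.description, agent.name); the agent list mirrors the status values the Wazuh
API reports for agents. All values are invented.
"""
import json
from collections import Counter
from datetime import datetime

WAZUH_TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"   # e.g. 2024-05-01T10:00:00.000+0000

# Constructed alerts.json lines (one JSON document per line).
SAMPLE_ALERT_LINES = [
    '{"timestamp":"2024-05-01T10:00:00.000+0000","rule":{"level":5,"description":"SSH authentication failed"},"agent":{"name":"web-01"}}',
    '{"timestamp":"2024-05-01T10:00:01.000+0000","rule":{"level":10,"description":"SSH brute force attempt"},"agent":{"name":"web-01"}}',
    '{"timestamp":"2024-05-01T10:00:02.000+0000","rule":{"level":12,"description":"Multiple authentication failures"},"agent":{"name":"db-01"}}',
    '{"timestamp":"2024-05-01T10:00:03.000+0000","rule":{"level":13,"description":"Successful login: non-native location"},"agent":{"name":"web-02"}}',
    '{"timestamp":"2024-05-01T10:00:04.000+0000","rule":{"level":15,"description":"Suricata: malware beacon detected"},"agent":{"name":"web-01"}}',
    '{"timestamp":"2024-05-01T10:00:09.000+0000","rule":{"level":3,"description":"Login session opened"},"agent":{"name":"mac-01"}}',
]

# Constructed agent records; "active" and "disconnected" are Wazuh's own status names.
SAMPLE_AGENTS = [
    {"id": "001", "name": "web-01", "status": "active"},
    {"id": "002", "name": "web-02", "status": "active"},
    {"id": "003", "name": "db-01", "status": "disconnected"},
    {"id": "004", "name": "mac-01", "status": "active"},
]

HIGH = (10, 12)       # rule.level band the article labels "high"
CRITICAL = (13, 15)   # rule.level band the article labels "critical"


def parse_alerts(lines):
    """Parse alerts.json lines into dicts, skipping blank lines."""
    return [json.loads(line) for line in lines if line.strip()]


def severity_bucket(level):
    """Map a rule.level to the dashboard's severity band."""
    if CRITICAL[0] <= level <= CRITICAL[1]:
        return "critical"
    if HIGH[0] <= level <= HIGH[1]:
        return "high"
    return "other"


def alerts_by_severity(alerts):
    """Rows for the 'High Alerts' and 'Critical Alerts' data tables."""
    buckets = {"high": [], "critical": []}
    for alert in alerts:
        bucket = severity_bucket(alert["rule"]["level"])
        if bucket in buckets:
            buckets[bucket].append(alert)
    return buckets


def average_eps(alerts):
    """Average events per second over the window spanned by the alerts (the EPS gauge)."""
    stamps = sorted(datetime.strptime(a["timestamp"], WAZUH_TS_FORMAT) for a in alerts)
    span = (stamps[-1] - stamps[0]).total_seconds()
    return len(alerts) / span if span > 0 else float(len(alerts))


def top_agents(alerts, n=3):
    """Top-N agents by log count (the pie chart)."""
    return Counter(a["agent"]["name"] for a in alerts).most_common(n)


def agent_status_counts(agents):
    """Active vs. disconnected agents (the metric visualization)."""
    counts = Counter(agent["status"] for agent in agents)
    return {"active": counts.get("active", 0), "disconnected": counts.get("disconnected", 0)}


def level_range_query(low, high):
    """OpenSearch query DSL equivalent of the data table's rule.level filter."""
    return {"query": {"range": {"rule.level": {"gte": low, "lte": high}}}}


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERT_LINES)
    print("EPS:", round(average_eps(alerts), 3))
    print("Top agents:", top_agents(alerts))
    print("Agent status:", agent_status_counts(SAMPLE_AGENTS))
    for name, rows in alerts_by_severity(alerts).items():
        print(name, [r["rule"]["description"] for r in rows])
    print(json.dumps(level_range_query(*CRITICAL)))
```

The range query is what the Wazuh dashboard issues against the wazuh-alerts-* index pattern when you add a rule.level filter to a data table; keeping the two bands as named constants makes it easy to keep the saved visualizations and any scripted checks in agreement.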


2. SSH Events Dashboard

This dashboard focuses on monitoring SSH-related events to enhance security and detect potential unauthorized access attempts. It includes the following visualizations to provide comprehensive oversight of SSH activity:

  • Login Attempts: Non-native GeoLocation (Pie Chart): Identifies login attempts originating from non-native geolocations, highlighting potential threats.
  • Successful Login: Non-Native (Critical) (Data Table): Lists critical successful login events from non-native locations, aiding in quick identification of account compromises.
  • Login Attempts: Top 10 Usernames (Pie Chart): Displays the most frequently targeted usernames, helping identify brute force attempts.
  • Top IPs of Successful Logins (Bar Chart): Highlights IP addresses responsible for successful logins, providing insights into potentially suspicious sources.
  • SSH Alerts (Data Table): Consolidates all alerts related to SSH activities for centralized monitoring and efficient incident response.


3. O365 Compromise Detection

This dashboard is designed to detect and investigate potential compromises within O365 environments. It includes the following visualizations to provide clear insights into activities and alerts:

  • Event Timeline (Vertical Bar): Maps key O365 operations — such as UserLoggedIn, ModifyFolderPermissions, and FileAccessed — on a timeline to simplify the analysis of post-compromise activities.
  • O365 Triggered Alerts (Data Table): Lists all triggered alerts for centralized and efficient monitoring of suspicious activities.
  • Failed & Success Logon Details (Data Table): Captures details of failed and successful logon attempts, assisting in the identification of unauthorized access.
  • Discover Tab: Highlights important fields like DeviceProperties.Value and ExtendedProperties.Value, which are essential for investigating unauthorized access facilitated by agents like Raccoon and Axios.
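Both the SSH dashboard and the O365 dashboard hinge on the same question: which successful logins came from somewhere the organisation's users do not normally log in from, and through which client? The following added example (written for this article; not code from the original post or from Wazuh) implements that logic over constructed alerts shaped like Wazuh's GeoIP-enriched sshd alerts and its Office 365 integration output. NATIVE_COUNTRIES is an assumed allowlist, the sample users, IPs, countries and user agents are invented, and the rule group names (authentication_success, authentication_failed) and office365 field names are the ones Wazuh uses.

```python
"""Flag successful logins from non-native locations in SSH and O365 alerts.

Added example, not from the article or the Wazuh project. Records are constructed
to resemble Wazuh alerts after GeoIP enrichment (GeoLocation.country_name) and the
Office 365 integration (data.office365.*). NATIVE_COUNTRIES is an assumption.
"""
from collections import Counter

NATIVE_COUNTRIES = {"India"}   # assumption: where this lab's users normally log in from

# Constructed sshd alerts (TEST-NET addresses, invented users and countries).
SSH_SAMPLE = [
    {"rule": {"level": 5, "groups": ["sshd", "authentication_failed"]}, "agent": {"name": "web-01"},
     "data": {"srcuser": "root", "srcip": "203.0.113.10"}, "GeoLocation": {"country_name": "Netherlands"}},
    {"rule": {"level": 5, "groups": ["sshd", "authentication_failed"]}, "agent": {"name": "web-01"},
     "data": {"srcuser": "root", "srcip": "203.0.113.10"}, "GeoLocation": {"country_name": "Netherlands"}},
    {"rule": {"level": 5, "groups": ["sshd", "authentication_failed"]}, "agent": {"name": "web-01"},
     "data": {"srcuser": "admin", "srcip": "203.0.113.10"}, "GeoLocation": {"country_name": "Netherlands"}},
    {"rule": {"level": 3, "groups": ["sshd", "authentication_success"]}, "agent": {"name": "web-01"},
     "data": {"dstuser": "gibin", "srcip": "198.51.100.20"}, "GeoLocation": {"country_name": "India"}},
    {"rule": {"level": 3, "groups": ["sshd", "authentication_success"]}, "agent": {"name": "web-01"},
     "data": {"dstuser": "root", "srcip": "203.0.113.10"}, "GeoLocation": {"country_name": "Netherlands"}},
]

# Constructed Office 365 alerts; ExtendedProperties carries the client user agent.
O365_SAMPLE = [
    {"rule": {"level": 3, "groups": ["office365"]}, "GeoLocation": {"country_name": "United States"},
     "data": {"office365": {"Operation": "UserLoggedIn", "UserId": "alice@example.com", "ClientIP": "192.0.2.5",
                            "ResultStatus": "Succeeded", "ExtendedProperties": [{"Name": "UserAgent", "Value": "axios/1.6.0"}]}}},
    {"rule": {"level": 3, "groups": ["office365"]}, "GeoLocation": {"country_name": "United States"},
     "data": {"office365": {"Operation": "UserLoggedIn", "UserId": "alice@example.com", "ClientIP": "192.0.2.5",
                            "ResultStatus": "Failed", "ExtendedProperties": [{"Name": "UserAgent", "Value": "axios/1.6.0"}]}}},
    {"rule": {"level": 3, "groups": ["office365"]}, "GeoLocation": {"country_name": "India"},
     "data": {"office365": {"Operation": "UserLoggedIn", "UserId": "bob@example.com", "ClientIP": "198.51.100.30",
                            "ResultStatus": "Succeeded", "ExtendedProperties": [{"Name": "UserAgent", "Value": "Mozilla/5.0"}]}}},
    {"rule": {"level": 3, "groups": ["office365"]}, "GeoLocation": {"country_name": "United States"},
     "data": {"office365": {"Operation": "FileAccessed", "UserId": "alice@example.com", "ClientIP": "192.0.2.5"}}},
]


def country_of(alert):
    """Country from Wazuh's GeoIP enrichment, or 'unknown' when the field is absent."""
    return alert.get("GeoLocation", {}).get("country_name", "unknown")


def ssh_login_events(alerts):
    """Yield (user, srcip, country, success, user_agent) for sshd authentication alerts."""
    for alert in alerts:
        groups = alert["rule"].get("groups", [])
        if "sshd" not in groups:
            continue
        if "authentication_success" in groups:
            success = True
        elif "authentication_failed" in groups:
            success = False
        else:
            continue
        data = alert["data"]
        yield (data.get("dstuser") or data.get("srcuser"), data["srcip"], country_of(alert), success, None)


def o365_login_events(alerts):
    """Yield (user, client_ip, country, success, user_agent) for UserLoggedIn operations."""
    for alert in alerts:
        o365 = alert.get("data", {}).get("office365")
        if not o365 or o365.get("Operation") != "UserLoggedIn":
            continue
        user_agent = next((p["Value"] for p in o365.get("ExtendedProperties", []) if p.get("Name") == "UserAgent"), None)
        yield (o365["UserId"], o365["ClientIP"], country_of(alert), o365.get("ResultStatus") == "Succeeded", user_agent)


def non_native_successful(events, native=NATIVE_COUNTRIES):
    """Rows for the 'Successful Login: Non-Native (Critical)' tables."""
    return [e for e in events if e[3] and e[2] not in native]


def top_targeted_usernames(events, n=10):
    """Most frequently failed usernames (brute-force indicator)."""
    return Counter(e[0] for e in events if not e[3]).most_common(n)


def top_success_ips(events, n=10):
    """Source addresses of successful logins."""
    return Counter(e[1] for e in events if e[3]).most_common(n)


if __name__ == "__main__":
    ssh = list(ssh_login_events(SSH_SAMPLE))
    print("SSH non-native successes:", non_native_successful(ssh))
    print("SSH top targeted users:", top_targeted_usernames(ssh))
    print("O365 non-native successes:", non_native_successful(list(o365_login_events(O365_SAMPLE))))
```

Because both event streams are normalised to the same tuple, the same non-native filter serves the SSH table and the O365 table, and the user-agent slot is what lets the O365 Discover view surface clients such as Axios next to the login.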

In the same way, you can build custom dashboards for your own use cases. With that, we come to the end of the Detection Lab series.

Acknowledgments

I want to express my gratitude to those who made this series possible:

Final Thoughts

I hope this Detection Lab series inspires and helps cybersecurity aspirants and professionals broaden their knowledge of the defensive side of the cyber world. Together, we can enhance our skills, contribute to the community, and build a safer digital environment.

Check out the links to the complete series in this article here: Not every interview ends with a job offer, but some end with a life-changing lesson

Feel free to connect with me Gibin K John for any discussions related to cybersecurity — I would love to learn more and exchange ideas with you. Let’s keep growing and pushing the boundaries of what’s possible!


#SecurityOps #WazuhDetection #SOCLab #CyberThreatIntel #WazuhAlerting #LogAnalysis #CyberDefense #MalwareDetection #SOCAnalysis #Cybersecurity #ThreatDetection #SOCEngineering #Wazuh #SysmonForLinux #Suricata #OpenSourceSecurity #InfoSecCommunity #LogMonitoring #IncidentResponse #DetectionLab #DashboardCustomization #LinuxSecurity #CyberDefense #SecurityEngineering

Aswin Dev

SOC Analyst L1 at Soffit infrastructure services

1 month

Very informative

Santiago Bassett

Founder of Wazuh - Information security engineer. Advocate of open source software.

1 month

Those dashboards look great. Thank you for sharing!

Guilherme M.

Infrastructure Manager | Solutions Architect | Cyber Defense

1 month

Excellent content. Thank you for sharing it with the community.
