The Wazuh Dashboard integrates the MITRE ATT&CK framework to map security alerts to adversary tactics and techniques, providing context for threat analysis and incident response.

Overview

The MITRE ATT&CK framework is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. Wazuh Dashboard integration enables:
  • Automatic alert mapping to MITRE ATT&CK tactics and techniques
  • Visual dashboards displaying attack patterns and trends
  • Tactic-based filtering for focused threat analysis
  • Technique correlation across agents and time periods
  • Threat intelligence context for security events
Reference: plugins/main/common/wazuh-modules.ts:96

MITRE ATT&CK module

The MITRE ATT&CK module in Wazuh Dashboard provides dedicated views for analyzing security alerts mapped to the framework:
mitre: {
  title: 'MITRE ATT&CK',
  appId: 'mitre-attack',
  description:
    'Explore security alerts mapped to adversary tactics and techniques for better threat understanding.',
}

Alert mapping structure

Wazuh rules are enriched with MITRE ATT&CK metadata that includes:

Tactic information

The high-level adversary goal:
{
  "rule": {
    "mitre": {
      "tactic": "Initial Access"
    }
  }
}
Common tactics include:
  • Initial Access
  • Execution
  • Persistence
  • Privilege Escalation
  • Defense Evasion
  • Credential Access
  • Discovery
  • Lateral Movement
  • Collection
  • Command and Control
  • Exfiltration
  • Impact

Technique information

The specific method used by the adversary:
{
  "rule": {
    "mitre": {
      "technique": "T1078",
      "tactic": "Initial Access"
    }
  }
}
Techniques are identified by unique identifiers (e.g., T1078 for “Valid Accounts”). Reference: plugins/main/public/components/overview/mitre/dashboard/dashboard-panels.ts:132

MITRE ATT&CK dashboard

The MITRE ATT&CK dashboard provides comprehensive visualization of attack patterns.

Dashboard configuration

The dashboard is defined using the dashboard configuration service:
export class MitreOverviewDashboardConfig extends DashboardConfig {
  constructor(indexPatternId: string) {
    super(
      indexPatternId,
      new MitreOverviewDashboardLayoutDefinition(indexPatternId)
    );
  }

  protected override getId(): string {
    return 'mitre-overview-dashboard-tab';
  }

  protected override getTitle(): string {
    return 'MITRE overview dashboard';
  }

  protected override getDescription(): string {
    return 'Dashboard of the MITRE overview';
  }
}
Reference: plugins/main/common/dashboards/dashboard-definitions/overview/mitre/overview/dashboard.ts:66

Dashboard layout

The dashboard layout includes multiple visualization panels:
export class MitreOverviewDashboardLayoutDefinition extends DashboardLayoutDefinition {
  constructor(indexPatternId: string) {
    super();
    this.setGridVisualizationPairs(
      {
        gridData: { w: 36, h: 12, x: 0, y: 0 },
        savedVis: getVisStateAlertsEvolution(indexPatternId),
      },
      {
        gridData: { w: 12, h: 12, x: 36, y: 0 },
        savedVis: getVisStateTopTactics(indexPatternId),
      },
      {
        gridData: { w: 16, h: 12, x: 0, y: 12 },
        savedVis: getVisStateAttacksByTechnique(indexPatternId),
      },
      {
        gridData: { w: 16, h: 12, x: 16, y: 12 },
        savedVis: getVisStateTopTacticsByAgent(indexPatternId),
      },
      {
        gridData: { w: 16, h: 12, x: 32, y: 12 },
        savedVis: getVisStateTechniqueByAgent(indexPatternId),
      }
    );
  }
}
Reference: plugins/main/common/dashboards/dashboard-definitions/overview/mitre/overview/dashboard.ts:13

Visualization components

Alerts evolution over time

Line chart displaying temporal distribution of alerts by technique:
const getVisStateAlertsEvolution = (indexPatternId: string) => {
  return {
    id: 'Wazuh-App-Overview-MITRE-Alerts-Evolution',
    title: 'Alerts evolution over time',
    type: 'line',
    data: {
      aggs: [
        {
          id: '1',
          type: 'count',
          schema: 'metric',
        },
        {
          id: '3',
          type: 'terms',
          schema: 'group',
          params: {
            field: 'rule.mitre.technique',
            customLabel: 'Attack ID',
            orderBy: '1',
            order: 'desc',
            size: 5,
          },
        },
        {
          id: '2',
          type: 'date_histogram',
          schema: 'segment',
          params: {
            field: 'timestamp',
            timeRange: { from: 'now-7d', to: 'now' },
            interval: 'auto',
          },
        },
      ],
    },
  };
};
Reference: plugins/main/public/components/overview/mitre/dashboard/dashboard-panels.ts:4
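To make the aggregation semantics concrete, here is an added TypeScript example (not Wazuh dashboard code) that evaluates a terms aggregation ordered by the count metric, and the technique-then-day grouping of this chart, over constructed alerts; the alert shape, the sample values and a fixed one-day interval are assumptions.

```typescript
// Added example, not Wazuh code: interprets the terms + date_histogram aggs shown above.
interface Alert { timestamp: string; rule: { mitre: { technique: string; tactic: string } }; wazuh: { agent: { name: string } } }
interface TermsParams { field: string; size: number; order: 'asc' | 'desc' }
interface TermsBucket { key: string; count: number }

function mkAlert(timestamp: string, technique: string, tactic: string, agent: string): Alert {
  return { timestamp, rule: { mitre: { technique, tactic } }, wazuh: { agent: { name: agent } } };
}

// Constructed sample alerts (not real data), shaped like the rule.mitre documents above.
const sampleAlerts: Alert[] = [
  mkAlert('2024-05-01T08:00:00Z', 'T1078', 'Initial Access', 'web-01'),
  mkAlert('2024-05-01T08:05:00Z', 'T1059', 'Execution', 'web-01'),
  mkAlert('2024-05-02T02:00:00Z', 'T1547', 'Persistence', 'web-01'),
  mkAlert('2024-05-02T09:00:00Z', 'T1078', 'Initial Access', 'db-01'),
  mkAlert('2024-05-03T10:00:00Z', 'T1078', 'Initial Access', 'db-01'),
  mkAlert('2024-05-03T10:30:00Z', 'T1021', 'Lateral Movement', 'db-01'),
  mkAlert('2024-05-03T11:00:00Z', 'T1547', 'Persistence', 'db-01'),
];

// Resolve a dotted field path such as 'rule.mitre.technique'.
function getField(doc: Alert, path: string): string {
  let cur: unknown = doc;
  for (const key of path.split('.')) cur = (cur as Record<string, unknown>)[key];
  return String(cur);
}

// A terms agg with orderBy: '1' (the count metric); ties are broken by key for determinism.
function termsAgg(docs: Alert[], p: TermsParams): TermsBucket[] {
  const counts: Record<string, number> = {};
  for (const d of docs) {
    const key = getField(d, p.field);
    counts[key] = (counts[key] || 0) + 1;
  }
  const buckets = Object.keys(counts).map(key => ({ key, count: counts[key] }));
  buckets.sort((a, b) =>
    (p.order === 'desc' ? b.count - a.count : a.count - b.count) || a.key.localeCompare(b.key));
  return buckets.slice(0, p.size);
}

// Group by the top techniques (size 5 on the dashboard), then segment each series by day:
// these are the points the line chart draws. The 'auto' interval is fixed to one day here.
function alertsEvolution(docs: Alert[], size: number): Record<string, Record<string, number>> {
  const series: Record<string, Record<string, number>> = {};
  for (const b of termsAgg(docs, { field: 'rule.mitre.technique', size, order: 'desc' })) {
    series[b.key] = {};
    for (const d of docs) {
      if (d.rule.mitre.technique !== b.key) continue;
      const day = d.timestamp.slice(0, 10);
      series[b.key][day] = (series[b.key][day] || 0) + 1;
    }
  }
  return series;
}
```

The same termsAgg call with field 'rule.mitre.tactic' and size 10 reproduces what the "Top tactics" pie aggregates.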

Top tactics

Pie chart showing the distribution of alerts by tactic:
const getVisStateTopTactics = (indexPatternId: string) => {
  return {
    id: 'Wazuh-App-Overview-MITRE-Top-Tactics',
    title: 'Top tactics',
    type: 'pie',
    params: {
      type: 'pie',
      isDonut: true,
    },
    data: {
      aggs: [
        {
          id: '1',
          type: 'count',
          schema: 'metric',
        },
        {
          id: '2',
          type: 'terms',
          schema: 'segment',
          params: {
            field: 'rule.mitre.tactic',
            orderBy: '1',
            order: 'desc',
            size: 10,
          },
        },
      ],
    },
  };
};
Reference: plugins/main/public/components/overview/mitre/dashboard/dashboard-panels.ts:163

Attacks by technique

Histogram displaying attack distribution across techniques and tactics:
const getVisStateAttacksByTechnique = (indexPatternId: string) => {
  return {
    id: 'Wazuh-App-Overview-MITRE-Attacks-By-Technique',
    title: 'Attacks by technique',
    type: 'histogram',
    data: {
      aggs: [
        {
          id: '1',
          type: 'count',
          schema: 'metric',
        },
        {
          id: '2',
          type: 'terms',
          schema: 'group',
          params: {
            field: 'rule.mitre.technique',
            orderBy: '1',
            order: 'desc',
            size: 5,
          },
        },
        {
          id: '3',
          type: 'terms',
          schema: 'segment',
          params: {
            field: 'rule.mitre.tactic',
            orderBy: '1',
            order: 'desc',
            size: 5,
          },
        },
      ],
    },
  };
};
Reference: plugins/main/public/components/overview/mitre/dashboard/dashboard-panels.ts:249

Top tactics by agent

Area chart showing tactic distribution across monitored agents:
const getVisStateTopTacticsByAgent = (indexPatternId: string) => {
  return {
    id: 'Wazuh-App-Overview-MITRE-Top-Tactics-By-Agent',
    title: 'Top tactics by agent',
    type: 'area',
    data: {
      aggs: [
        {
          id: '1',
          type: 'count',
          schema: 'metric',
        },
        {
          id: '3',
          type: 'terms',
          schema: 'group',
          params: {
            field: 'rule.mitre.tactic',
            orderBy: '1',
            order: 'desc',
            size: 5,
          },
        },
        {
          id: '4',
          type: 'terms',
          schema: 'segment',
          params: {
            field: 'wazuh.agent.name',
            orderBy: '1',
            order: 'desc',
            size: 5,
          },
        },
      ],
    },
  };
};
Reference: plugins/main/public/components/overview/mitre/dashboard/dashboard-panels.ts:394

MITRE techniques by agent

Pie chart displaying technique distribution by agent:
const getVisStateTechniqueByAgent = (indexPatternId: string) => {
  return {
    id: 'Wazuh-App-Overview-MITRE-Attacks-By-Agent',
    title: 'Mitre techniques by agent',
    type: 'pie',
    data: {
      aggs: [
        {
          id: '1',
          type: 'count',
          schema: 'metric',
        },
        {
          id: '2',
          type: 'terms',
          schema: 'segment',
          params: {
            field: 'wazuh.agent.name',
            orderBy: '1',
            order: 'desc',
            size: 5,
          },
        },
        {
          id: '3',
          type: 'terms',
          schema: 'segment',
          params: {
            field: 'rule.mitre.technique',
            orderBy: '1',
            order: 'desc',
            size: 5,
          },
        },
      ],
    },
  };
};
Reference: plugins/main/public/components/overview/mitre/dashboard/dashboard-panels.ts:552

Querying MITRE ATT&CK data

Filtering by tactic

Query alerts for specific tactics:
rule.mitre.tactic: "Credential Access"

Filtering by technique

Query alerts for specific techniques:
rule.mitre.technique: "T1078"

Combined tactic and technique filters

rule.mitre.tactic: "Initial Access" AND rule.mitre.technique: "T1078"

Time-based analysis

rule.mitre.tactic: "Persistence" AND timestamp >= "now-24h"

Agent-specific queries

rule.mitre.technique: "T1547" AND wazuh.agent.name: "production-server-01"

Advanced analysis techniques

Attack chain reconstruction

Identify sequences of tactics indicating attack progression:
  1. Filter for Initial Access tactics
  2. Identify subsequent Execution or Persistence techniques on the same agent
  3. Trace Lateral Movement patterns across agents
  4. Detect Collection or Exfiltration activities
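The four steps above as an added TypeScript example, not Wazuh code: it orders a constructed set of alerts per agent, keeps only forward movement along the tactic order listed in the Tactic information section, and records agents whose Initial Access alert follows another agent's Lateral Movement alert. The flattened alert shape and the sample values are assumptions.

```typescript
// Added example, not Wazuh code: rebuild per-agent attack chains from alerts using the
// tactic lifecycle order, and trace pivots (step 3) to agents compromised afterwards.
const TACTIC_ORDER = [
  'Initial Access', 'Execution', 'Persistence', 'Privilege Escalation',
  'Defense Evasion', 'Credential Access', 'Discovery', 'Lateral Movement',
  'Collection', 'Command and Control', 'Exfiltration', 'Impact',
];
interface ChainAlert { timestamp: string; agent: string; tactic: string; technique: string }
interface Chain { agent: string; stages: string[]; techniques: string[]; pivotedTo: string[] }

// Constructed sample (not real data): rule.mitre.* and wazuh.agent.name flattened, UTC timestamps.
const chainAlerts: ChainAlert[] = [
  { timestamp: '2024-05-01T08:00:00Z', agent: 'build-01', tactic: 'Persistence', technique: 'T1547' },
  { timestamp: '2024-05-01T08:30:00Z', agent: 'build-01', tactic: 'Execution', technique: 'T1059' },
  { timestamp: '2024-05-01T09:00:00Z', agent: 'web-01', tactic: 'Initial Access', technique: 'T1078' },
  { timestamp: '2024-05-01T09:05:00Z', agent: 'web-01', tactic: 'Execution', technique: 'T1059' },
  { timestamp: '2024-05-01T09:30:00Z', agent: 'web-01', tactic: 'Persistence', technique: 'T1547' },
  { timestamp: '2024-05-01T11:00:00Z', agent: 'web-01', tactic: 'Lateral Movement', technique: 'T1021' },
  { timestamp: '2024-05-01T11:10:00Z', agent: 'db-01', tactic: 'Initial Access', technique: 'T1078' },
  { timestamp: '2024-05-02T03:00:00Z', agent: 'db-01', tactic: 'Collection', technique: 'T1005' },
];

function reconstructChains(alerts: ChainAlert[], minStages: number = 3): Chain[] {
  const byAgent: Record<string, ChainAlert[]> = {};
  // ISO-8601 UTC strings sort correctly as plain strings.
  const ordered = alerts.slice().sort((x, y) => x.timestamp.localeCompare(y.timestamp));
  for (const a of ordered) byAgent[a.agent] = (byAgent[a.agent] || []).concat(a);
  const chains: Chain[] = [];
  for (const agent of Object.keys(byAgent)) {
    const chain: Chain = { agent, stages: [], techniques: [], pivotedTo: [] };
    let last = -1;
    let lateralAt = '';
    for (const a of byAgent[agent]) {
      const idx = TACTIC_ORDER.indexOf(a.tactic);
      if (idx <= last) continue; // only forward movement along the lifecycle is a new stage
      last = idx;
      chain.stages.push(a.tactic);
      chain.techniques.push(a.technique);
      if (a.tactic === 'Lateral Movement') lateralAt = a.timestamp;
    }
    // Step 3: other agents whose Initial Access alert follows this agent's Lateral Movement.
    if (lateralAt) {
      for (const other of Object.keys(byAgent)) {
        const first = byAgent[other].filter(o => o.tactic === 'Initial Access')[0];
        if (other !== agent && first && first.timestamp > lateralAt) chain.pivotedTo.push(other);
      }
    }
    if (chain.stages.length >= minStages) chains.push(chain);
  }
  return chains;
}
```

Agents with fewer than minStages forward steps (build-01 in the sample, whose Execution alert comes after Persistence) are dropped, which is the filter step 1 and step 2 describe.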

Threat hunting workflows

Proactive threat detection using MITRE ATT&CK:
  1. Hypothesis formation: Select tactics and techniques associated with specific threat actors
  2. Query construction: Build queries targeting identified techniques
  3. Result analysis: Examine matching alerts for suspicious patterns
  4. Context enrichment: Correlate findings with external threat intelligence
  5. Documentation: Record findings and update detection rules

Coverage analysis

Assess detection coverage across the MITRE ATT&CK matrix:
  1. Catalog which tactics and techniques generate alerts in your environment
  2. Identify gaps in coverage for critical techniques
  3. Develop or tune rules to address coverage gaps
  4. Validate detection effectiveness through testing
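Steps 1 and 2 above as an added TypeScript example (not part of Wazuh): it compares a constructed rule catalogue carrying rule.mitre mappings, and the rule ids that actually fired, against a critical-technique list, separating techniques that are detected, mapped but silent, and unmapped. The rule ids, the technique list and the MappedRule shape are assumptions.

```typescript
// Added example, not Wazuh code: coverage of critical techniques against the
// rule.mitre mappings in a ruleset and the alerts those rules produced.
interface MappedRule { id: number; technique: string; tactic: string }
interface TacticRow { mapped: number; detected: number }
interface Coverage {
  detected: string[];   // has a rule and that rule produced alerts
  mappedOnly: string[]; // has a rule that never fired: validate it with a test (step 4)
  unmapped: string[];   // critical technique with no rule at all (step 2)
  byTactic: Record<string, TacticRow>;
}

// Constructed sample ruleset, fired rule ids and critical-technique list (not real data).
const ruleCatalog: MappedRule[] = [
  { id: 100100, technique: 'T1078', tactic: 'Initial Access' },
  { id: 100101, technique: 'T1059', tactic: 'Execution' },
  { id: 100102, technique: 'T1547', tactic: 'Persistence' },
  { id: 100103, technique: 'T1021', tactic: 'Lateral Movement' },
];
const firedRuleIds: number[] = [100100, 100100, 100102];
const criticalTechniques: string[] = ['T1078', 'T1059', 'T1547', 'T1021', 'T1041'];

function coverageReport(rules: MappedRule[], fired: number[], critical: string[]): Coverage {
  const byTechnique: Record<string, MappedRule[]> = {};
  for (const r of rules) byTechnique[r.technique] = (byTechnique[r.technique] || []).concat(r);
  const report: Coverage = { detected: [], mappedOnly: [], unmapped: [], byTactic: {} };
  for (const t of critical) {
    const mapped = byTechnique[t] || [];
    if (mapped.length === 0) { report.unmapped.push(t); continue; }
    const didFire = mapped.some(r => fired.indexOf(r.id) !== -1);
    (didFire ? report.detected : report.mappedOnly).push(t);
    const tactic = mapped[0].tactic;
    if (!report.byTactic[tactic]) report.byTactic[tactic] = { mapped: 0, detected: 0 };
    report.byTactic[tactic].mapped += 1;
    if (didFire) report.byTactic[tactic].detected += 1;
  }
  return report;
}
```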

Integration with threat intelligence

Enhance MITRE ATT&CK analysis with external threat intelligence:

Threat actor profiling

Map observed techniques to known threat actor groups:
  1. Document tactics and techniques observed in your environment
  2. Cross-reference with threat intelligence reports
  3. Identify potential threat actor attribution
  4. Adjust monitoring priorities based on threat actor capabilities

Campaign detection

Identify coordinated attack campaigns:
  1. Analyze temporal clustering of related techniques
  2. Correlate techniques across multiple agents
  3. Assess alignment with known campaign patterns
  4. Escalate suspected campaign activity for investigation

Dashboard customization

Customize MITRE ATT&CK dashboards for specific use cases:

Focus on specific tactics

Modify queries to emphasize particular tactics:
data: {
  searchSource: {
    query: {
      language: 'kuery',
      query: 'rule.mitre.tactic: ("Initial Access" OR "Execution" OR "Persistence")',
    },
  },
}

Agent group analysis

Filter visualizations for specific agent groups:
data: {
  searchSource: {
    query: {
      language: 'kuery',
      query: 'wazuh.agent.groups: "production" AND rule.mitre.tactic: *',
    },
  },
}

Severity-based filtering

Focus on high-severity MITRE ATT&CK alerts:
data: {
  searchSource: {
    query: {
      language: 'kuery',
      query: 'rule.level >= 10 AND rule.mitre.technique: *',
    },
  },
}

Best practices

Alert triage

  • Prioritize alerts based on tactic progression along the attack lifecycle
  • Focus immediate attention on tactics indicating active compromise (Lateral Movement, Exfiltration)
  • Investigate technique clusters suggesting coordinated activity
  • Correlate MITRE ATT&CK data with contextual information (user, asset, time)

Rule tuning

  • Verify MITRE ATT&CK mappings accurately reflect detection intent
  • Update mappings when techniques evolve or new sub-techniques are published
  • Document rationale for technique assignments in rule descriptions
  • Test rule effectiveness against known attack simulations

Knowledge management

  • Maintain internal documentation mapping custom rules to MITRE ATT&CK
  • Train analysts on framework navigation and interpretation
  • Share technique-specific playbooks for consistent response
  • Track coverage metrics over time

Metrics and reporting

  • Generate periodic reports on tactic and technique distribution
  • Analyze trends in technique prevalence over time
  • Compare attack patterns across different network segments or asset types
  • Measure detection coverage improvements following rule updates

Troubleshooting

Missing MITRE ATT&CK data

  • Verify rule definitions include MITRE ATT&CK mappings
  • Check index pattern includes rule.mitre.tactic and rule.mitre.technique fields
  • Confirm Wazuh ruleset version includes MITRE ATT&CK metadata
  • Review alert generation to ensure rules are triggering correctly

Dashboard not displaying data

  • Validate time range includes periods with MITRE ATT&CK alerts
  • Verify index pattern configuration is correct
  • Check query syntax for errors in custom filters
  • Confirm user permissions allow access to MITRE ATT&CK module

Incorrect technique mappings

  • Review rule definitions for mapping accuracy
  • Consult MITRE ATT&CK framework documentation for technique descriptions
  • Update rule metadata to correct mappings
  • Test rule behavior to validate mapping alignment

Related resources

  • MITRE ATT&CK official framework: https://attack.mitre.org/
  • Custom dashboard creation for advanced MITRE ATT&CK visualizations
  • Threat hunting module for proactive detection using MITRE ATT&CK
  • Compliance dashboards demonstrating framework mapping (PCI DSS, NIST, HIPAA)
