
Overview

Effective threat analysis is crucial for maintaining security posture. This guide covers practical workflows for detecting, investigating, and responding to security threats using Wazuh Dashboard.

Understanding Security Events

Event Structure

Wazuh security events contain rich contextual information:
  • Rule Information: Rule ID, level, description, and groups
  • Agent Details: Agent ID, name, IP address, and OS
  • Event Data: Source data including logs, alerts, and system information
  • MITRE ATT&CK: Mapped tactics and techniques (when applicable)
  • Compliance Mapping: Regulatory framework references
  • GeoIP Data: Geographic location information for network events

Event Severity Levels

Level   Severity         Use Case
0-3     Informational    Normal system activity
4-7     Low to Medium    Suspicious activity requiring review
8-11    High             Security incidents requiring action
12-15   Critical         Severe threats requiring immediate response

Threat Hunting Dashboard

Accessing Threat Hunting

Navigate to Threat Hunting in the main menu to access comprehensive threat detection capabilities.

Key Dashboard Sections

High-level metrics showing:
  • Total alerts over time period
  • Alert distribution by severity level
  • Top alerting agents
  • Most triggered rules
  • Alert trends and patterns
Best Practice: Review this section daily to identify unusual spikes or patterns.

Visualizations highlighting:
  • Most common attack types
  • Authentication failures
  • Network anomalies
  • File integrity violations
  • Malicious IP addresses
Use Case: Quickly identify the most prevalent threats in your environment.

Time-series visualization showing:
  • Alert volume over time
  • Event clustering
  • Anomaly detection
  • Correlation patterns
Tip: Use the time picker to zoom in on suspicious time periods.

Comprehensive event listing with:
  • Full event details
  • Sortable columns
  • Search and filter capabilities
  • Drill-down options
  • Export functionality

Incident Investigation Workflow

Step 1: Identify the Alert

Start with a high-severity alert or unusual pattern:
  1. Open Threat Hunting dashboard
  2. Filter by severity level >= 8
  3. Review recent high-severity events
  4. Identify alerts requiring investigation
rule.level:>=8
Step 2: Gather Initial Context

Click on the alert to view details:
  • When: Exact timestamp of the event
  • Where: Affected agent and system
  • What: Rule description and categorization
  • Why: Rule logic that triggered the alert
Note key information:
  • Agent ID and name
  • Source IP addresses
  • User accounts involved
  • Files or processes affected
Step 3: Expand the Investigation

Search for related events:
By Agent:
agent.id:"001" AND timestamp:[now-1h TO now]
By Source IP:
data.srcip:"192.168.1.100"
By User:
data.dstuser:"suspicious-account"
By Rule Group:
rule.groups:"authentication_failed"
Step 4: Analyze the Pattern

Look for indicators of compromise:
  • Volume: Unusual number of similar events
  • Timing: Events clustered in short time periods
  • Sequence: Ordered progression of attack stages
  • Scope: Multiple agents or systems affected
  • Geography: Connections from unusual locations
Step 5: Correlate with Other Data

Check related modules:
  • File Integrity Monitoring: Any file changes on the affected system?
  • Vulnerability Detection: Are there known vulnerabilities on the agent?
  • MITRE ATT&CK: What tactics and techniques are involved?
  • System Inventory: What applications are running?
Step 6: Document Findings

Create a summary of your investigation:
  • Affected systems and accounts
  • Timeline of events
  • Potential impact assessment
  • Recommended actions
Use the Export feature to save relevant events.

Common Threat Scenarios

Brute Force Attack Detection

An attacker is attempting to guess passwords through repeated authentication attempts.
Indicators:
  • Multiple authentication failures from same source
  • Short time interval between attempts
  • Targeting multiple user accounts
  1. Identify the pattern:
    rule.groups:"authentication_failed"
    
  2. Find the source:
    • Check data.srcip field for attacking IP
    • Review geographic origin in GeoIP visualization
  3. Assess the scope:
    • Count unique targeted usernames
    • Calculate attempts per minute
    • Check if any attempts succeeded
  4. Take action:
    • Block source IP at firewall
    • Enable account lockout policies
    • Force password reset for targeted accounts
    • Enable MFA for affected services
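The scope assessment in steps 2 and 3 above, applied to alerts exported from the dashboard as JSON, as an added example that is not part of the Wazuh documentation or product. The sample export (rule IDs, addresses, user names) is constructed; the field names follow the rule.*, agent.* and data.* structure described earlier on this page.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample of a Wazuh JSON export, one alert per line (hypothetical values).
SAMPLE_EXPORT = """
{"timestamp":"2026-03-04T10:00:00.000+0000","rule":{"id":"5760","level":5,"groups":["syslog","sshd","authentication_failed"]},"agent":{"id":"001","name":"web-01"},"data":{"srcip":"203.0.113.7","dstuser":"root"}}
{"timestamp":"2026-03-04T10:00:05.000+0000","rule":{"id":"5760","level":5,"groups":["syslog","sshd","authentication_failed"]},"agent":{"id":"001","name":"web-01"},"data":{"srcip":"203.0.113.7","dstuser":"admin"}}
{"timestamp":"2026-03-04T10:00:10.000+0000","rule":{"id":"5760","level":5,"groups":["syslog","sshd","authentication_failed"]},"agent":{"id":"001","name":"web-01"},"data":{"srcip":"203.0.113.7","dstuser":"ubuntu"}}
{"timestamp":"2026-03-04T10:00:15.000+0000","rule":{"id":"5760","level":5,"groups":["syslog","sshd","authentication_failed"]},"agent":{"id":"001","name":"web-01"},"data":{"srcip":"203.0.113.7","dstuser":"root"}}
{"timestamp":"2026-03-04T10:00:20.000+0000","rule":{"id":"5760","level":5,"groups":["syslog","sshd","authentication_failed"]},"agent":{"id":"001","name":"web-01"},"data":{"srcip":"203.0.113.7","dstuser":"admin"}}
{"timestamp":"2026-03-04T10:00:30.000+0000","rule":{"id":"5760","level":5,"groups":["syslog","sshd","authentication_failed"]},"agent":{"id":"001","name":"web-01"},"data":{"srcip":"203.0.113.7","dstuser":"admin"}}
{"timestamp":"2026-03-04T10:00:40.000+0000","rule":{"id":"5715","level":3,"groups":["syslog","sshd","authentication_success"]},"agent":{"id":"001","name":"web-01"},"data":{"srcip":"203.0.113.7","dstuser":"admin"}}
{"timestamp":"2026-03-04T10:02:00.000+0000","rule":{"id":"5760","level":5,"groups":["syslog","sshd","authentication_failed"]},"agent":{"id":"002","name":"db-01"},"data":{"srcip":"10.0.0.5","dstuser":"backup"}}
"""

def parse_export(text):
    """Parse a line-delimited JSON export into a list of alert dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def _ts(alert):
    return datetime.strptime(alert["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")

def assess_brute_force(alerts, min_failures=5):
    """Per source IP: failure count, distinct targets, rate, and any success after the failures began."""
    by_src = defaultdict(list)
    for a in alerts:
        groups = a["rule"]["groups"]
        if "authentication_failed" in groups or "authentication_success" in groups:
            by_src[a["data"]["srcip"]].append(a)
    report = {}
    for srcip, events in by_src.items():
        events.sort(key=_ts)
        failures = [e for e in events if "authentication_failed" in e["rule"]["groups"]]
        if len(failures) < min_failures:
            continue  # below the noise threshold, not reported
        first, last = _ts(failures[0]), _ts(failures[-1])
        span = (last - first).total_seconds()
        # A success from the same source after the first failure is the key finding to escalate
        succeeded = sorted({e["data"]["dstuser"] for e in events
                            if "authentication_success" in e["rule"]["groups"] and _ts(e) > first})
        report[srcip] = {
            "failures": len(failures),
            "targeted_users": len({e["data"]["dstuser"] for e in failures}),
            "attempts_per_minute": round(len(failures) * 60 / span, 1) if span > 0 else float(len(failures)),
            "succeeded_users": succeeded,
            "agents": sorted({e["agent"]["name"] for e in events}),
        }
    return report
```

Sources whose failures stay below min_failures are dropped from the report, so tune that threshold to the lockout policy of the service being reviewed.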

Malware Detection Response

Malware or potentially unwanted software detected on an endpoint.
Indicators:
  • Malware detection alerts (rule.groups:"malware")
  • Suspicious process execution
  • Unauthorized file modifications
  • Unusual network connections
  1. Isolate the affected system:
    • Identify the agent in alert details
    • Consider network isolation
  2. Review detection details:
    agent.id:"XXX" AND rule.groups:"malware"
    
    • Malware name and family
    • File path and hash
    • Detection method
  3. Check for lateral movement:
    • Search for same file hash on other agents
    • Review network connections from affected host
    • Check for similar processes across infrastructure
  4. Assess file integrity:
    • Navigate to File Integrity Monitoring
    • Filter by affected agent
    • Look for unauthorized changes
  5. Remediate:
    • Remove malicious files
    • Scan system with anti-malware tools
    • Review and close attack vector
    • Update security controls

Privilege Escalation Detection

User or process attempting to gain elevated privileges.
Indicators:
  • Sudo usage alerts
  • Unauthorized privilege changes
  • Exploitation attempts
  • Unusual administrative actions
  1. Identify the escalation attempt:
    rule.groups:"privilege_escalation" OR rule.groups:"sudo"
    
  2. Review user context:
    • Who initiated the action (data.dstuser)
    • What command was executed
    • From which system (agent)
    • Success or failure status
  3. Check authorization:
    • Is this user authorized for sudo?
    • Is the action within normal responsibilities?
    • Was it expected or scheduled?
  4. Look for persistence mechanisms:
    • Check for new cron jobs
    • Review startup scripts
    • Examine user account changes
    • Search for SSH key additions
  5. Respond accordingly:
    • If unauthorized: disable account, force password reset
    • Review and update sudo policies
    • Enable additional logging
    • Investigate potential account compromise

MITRE ATT&CK Integration

Understanding MITRE Mapping

Wazuh maps detected events to the MITRE ATT&CK framework, providing standardized threat intelligence.

Accessing MITRE Dashboard

  1. Navigate to MITRE ATT&CK in the main menu
  2. View the attack matrix with highlighted tactics and techniques
  3. Click on tactics to see detected techniques
  4. Click on techniques for detailed events

MITRE-Based Investigation

Step 1: Start with Tactics

Review which tactics are active in your environment:
  • Initial Access: How attackers got in
  • Execution: Code execution methods
  • Persistence: How attackers maintain access
  • Privilege Escalation: Elevation attempts
  • Defense Evasion: Anti-detection techniques
  • Credential Access: Password and credential theft
  • Discovery: Network and system reconnaissance
  • Lateral Movement: Spreading through network
  • Collection: Data gathering
  • Exfiltration: Data theft
  • Impact: Destructive actions
Step 2: Drill into Techniques

Click a tactic to see specific techniques detected:
  • Number of events per technique
  • Affected agents
  • Recent occurrences
  • Technique descriptions and mitigations
Step 3: Analyze Event Chains

Look for technique sequences that indicate attack progression.
Example: Ransomware attack chain
  1. Initial Access (T1566 - Phishing)
  2. Execution (T1204 - User Execution)
  3. Defense Evasion (T1562 - Impair Defenses)
  4. Impact (T1486 - Data Encrypted for Impact)
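The chain check above, run per agent over exported alerts that carry rule.mitre.id values, as an added example that is not part of the Wazuh documentation or product. The alerts and rule IDs are constructed; the ordered-subsequence logic is the point: a later stage only counts once every earlier stage has been seen on the same agent.

```python
import json

# Constructed alerts with Wazuh-style rule.mitre fields (hypothetical rule IDs and hosts).
SAMPLE_ALERTS = """
{"timestamp":"2026-03-04T09:00:00.000+0000","agent":{"id":"002","name":"ws-02"},"rule":{"id":"100100","level":10,"mitre":{"id":["T1566"],"tactic":["Initial Access"]}}}
{"timestamp":"2026-03-04T09:05:00.000+0000","agent":{"id":"002","name":"ws-02"},"rule":{"id":"100101","level":8,"mitre":{"id":["T1204"],"tactic":["Execution"]}}}
{"timestamp":"2026-03-04T09:06:00.000+0000","agent":{"id":"002","name":"ws-02"},"rule":{"id":"100102","level":12,"mitre":{"id":["T1562"],"tactic":["Defense Evasion"]}}}
{"timestamp":"2026-03-04T09:20:00.000+0000","agent":{"id":"002","name":"ws-02"},"rule":{"id":"100103","level":14,"mitre":{"id":["T1486"],"tactic":["Impact"]}}}
{"timestamp":"2026-03-04T09:01:00.000+0000","agent":{"id":"003","name":"ws-03"},"rule":{"id":"100100","level":10,"mitre":{"id":["T1566"],"tactic":["Initial Access"]}}}
{"timestamp":"2026-03-04T09:07:00.000+0000","agent":{"id":"003","name":"ws-03"},"rule":{"id":"100101","level":8,"mitre":{"id":["T1204"],"tactic":["Execution"]}}}
{"timestamp":"2026-03-04T08:00:00.000+0000","agent":{"id":"004","name":"ws-04"},"rule":{"id":"100103","level":14,"mitre":{"id":["T1486"],"tactic":["Impact"]}}}
{"timestamp":"2026-03-04T08:30:00.000+0000","agent":{"id":"004","name":"ws-04"},"rule":{"id":"100100","level":10,"mitre":{"id":["T1566"],"tactic":["Initial Access"]}}}
{"timestamp":"2026-03-04T09:30:00.000+0000","agent":{"id":"005","name":"ws-05"},"rule":{"id":"5402","level":3,"groups":["sudo"]}}
"""

# The ransomware chain listed on this page, in the order the stages are expected to appear.
RANSOMWARE_CHAIN = ["T1566", "T1204", "T1562", "T1486"]

def parse_alerts(text):
    """Parse a line-delimited JSON export into a list of alert dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def find_attack_chains(alerts, chain=RANSOMWARE_CHAIN):
    """Return per-agent progress through an ordered technique chain."""
    by_agent = {}
    # All timestamps share one ISO format, so string order is time order
    for a in sorted(alerts, key=lambda x: x["timestamp"]):
        techniques = a["rule"].get("mitre", {}).get("id", [])
        if not techniques:
            continue  # alert has no MITRE mapping, nothing to advance
        state = by_agent.setdefault(a["agent"]["id"], {"agent": a["agent"]["name"], "matched": []})
        stage = len(state["matched"])
        # Advance only when the next expected technique appears; a later stage seen early is ignored
        if stage < len(chain) and chain[stage] in techniques:
            state["matched"].append((chain[stage], a["timestamp"]))
    for state in by_agent.values():
        state["stage"] = len(state["matched"])
        state["complete"] = state["stage"] == len(chain)
    return by_agent
```

Agents with a partial match (stage 2 of 4, for instance) are the ones worth opening in the MITRE dashboard next, since an incomplete chain may still be in progress.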
Step 4: Apply Recommended Mitigations

Each technique includes:
  • Detection methods
  • Mitigation strategies
  • References to security controls
  • Links to MITRE documentation

Advanced Search Techniques

Query Language Examples

Find failed SSH logins:
rule.groups:"sshd" AND rule.groups:"authentication_failed"
Search for specific CVE:
data.vulnerability.cve:"CVE-2024-1234"
Events from external IPs (the wildcard 172.16.* covers only 172.16.0.0/16; the RFC 1918 range 172.16.0.0/12 spans 172.16.0.0 through 172.31.255.255, so add the remaining second octets for a complete exclusion):
data.srcip:* AND NOT data.srcip:10.* AND NOT data.srcip:192.168.* AND NOT data.srcip:172.16.*
High severity events last hour:
rule.level:>=10 AND timestamp:[now-1h TO now]
Web attack patterns:
rule.groups:"web" AND (rule.groups:"attack" OR rule.groups:"sqli" OR rule.groups:"xss")
Combine multiple conditions:
agent.name:"production-web-*" AND rule.level:>=8 AND rule.groups:"authentication_failed"

Using Wildcards and Regex

Wildcard search:
data.dstuser:admin*
Negation:
NOT rule.groups:"syslog"
Range queries:
rule.level:[8 TO 12]
timestamp:[2026-03-01 TO 2026-03-04]

Visualization Best Practices

Creating Custom Visualizations

While Wazuh provides pre-built dashboards, you can create custom views:
Create a data table showing:
  • Source IP addresses
  • Count of events
  • Geographic location
  • Latest activity
Sort by count to identify top offenders.
Visualize alert patterns:
  • By hour of day
  • By day of week
  • Identify attack windows
  • Plan monitoring coverage
Create metrics comparing:
  • Alert count per agent
  • Severity distribution
  • Vulnerability count
  • Compliance score
Identify agents requiring attention.

Response and Remediation

Active Response Actions

Wazuh can execute automated responses:
  • Firewall blocks: Automatically block attacking IPs
  • Process termination: Kill malicious processes
  • Account lockout: Disable compromised accounts
  • File quarantine: Isolate suspicious files
Active responses can impact legitimate services. Test thoroughly in non-production environments and use with caution.

Creating Response Playbooks

Document standard response procedures:
  1. Alert Triage Criteria: What requires immediate attention?
  2. Escalation Paths: Who to notify and when?
  3. Investigation Steps: Standard investigation workflow
  4. Remediation Actions: Approved response actions
  5. Documentation Requirements: What to record

Threat Intelligence Integration

Using External Threat Feeds

Enhance detection with threat intelligence:
  • IP Reputation: Known malicious IP addresses
  • File Hashes: Malware signatures
  • Domain Reputation: Suspicious domains
  • CVE Feeds: Vulnerability intelligence

Correlation with External Events

Consider external context:
  • Recent vulnerability disclosures
  • Active malware campaigns
  • Sector-specific threats
  • Geopolitical events

Reporting and Metrics

Key Security Metrics

Track these indicators:

Mean Time to Detect (MTTD)

How quickly are threats identified after occurrence?

Mean Time to Respond (MTTR)

How fast are incidents contained and remediated?

Alert Volume Trends

Is your security posture improving over time?

False Positive Rate

Are rules properly tuned to reduce noise?

Exporting Investigation Data

Export events for further analysis:
  1. Apply filters to show relevant events
  2. Click Export button
  3. Choose format:
    • CSV: For spreadsheet analysis
    • JSON: For programmatic processing
  4. Include in incident reports

Tips and Best Practices

Begin investigations with wide time ranges and loose filters. Progressively narrow scope as you understand the incident.
Save commonly used queries:
  • Daily security review searches
  • Compliance audit queries
  • Critical alert filters
  • Investigation templates
Don’t investigate in isolation:
  • Check FIM for file changes
  • Review vulnerabilities for exposure
  • Examine system inventory
  • Consider compliance impacts
Maintain investigation notes:
  • Timeline of discovery
  • Evidence collected
  • Actions taken
  • Lessons learned

Next Steps

Practice threat hunting regularly, even when no incidents are apparent. Proactive hunting often discovers threats that passive monitoring misses.
