Hello Wazuh Community,
My name is Jack, and I am working as an L1 SOC analyst using Wazuh as our primary SIEM platform. I am reaching out to seek guidance on building a custom dashboard that mirrors the functionality of the default Wazuh Overview dashboard.
Specifically, I need help with the following three areas:
1. Custom Dashboard Creation
I would like to create a custom dashboard in OpenSearch Dashboards (within Wazuh) that displays alert summaries — similar to the default Overview page — but scoped to our specific custom detection rules. These rules cover areas such as Windows brute force detection, web shell detection, LOLBin execution, USB device monitoring, PowerShell abuse, ransomware indicators, and more.
2. Click-Through to Full Alert Details
In the default Wazuh dashboards, clicking on an alert navigates the user into full alert details (a deep-dive view showing all fields, rule metadata, MITRE ATT&CK mapping, agent info, etc.). I would like to replicate this same click-through behavior in my custom dashboard so that analysts can drill down into alert details directly from the custom panels.
3. Using Custom Rules in Dashboard Panels
I have a set of custom Wazuh rules (local_rules.xml) and I would like to build dashboard visualizations that are driven by these specific rule IDs and groups — rather than relying only on default Wazuh rule categories.
Could the community please advise on:
- The recommended approach to build such a custom dashboard in OpenSearch Dashboards?
- How to configure the click-through / drilldown behavior to replicate the default Wazuh alert detail view?
- Any index patterns, saved searches, or visualization types best suited for custom rule-based panels?
My custom rules (local_rules.xml):

```xml
<group name="restart,">
  <rule id="100002" level="12">
    <if_sid>550</if_sid>
    <match>ossec.conf</match>
    <description>Changes made to the agent configuration file - $(file)</description>
  </rule>
</group>

<group name="pam,syslog,">
  <rule id="120100" level="10" frequency="3" timeframe="120">
    <if_matched_sid>5503</if_matched_sid>
    <description>Possible password guess on $(dstuser): 3 failed logins in a short period of time</description>
    <mitre>
      <id>T1110</id>
    </mitre>
  </rule>
</group>

<group name="process_monitor,">
  <rule id="100012" level="6">
    <if_sid>530</if_sid>
    <match>^ossec: output: 'ps -auxw'</match>
    <description>Cron process not running.</description>
  </rule>
  <rule id="100013" level="0">
    <if_sid>100012</if_sid>
    <match>/usr/sbin/cron</match>
    <description>Cron process is running as expected.</description>
  </rule>
</group>

<group name="linux,webshell,windows,">
  <rule id="100500" level="12">
    <if_sid>554</if_sid>
    <field name="file" type="pcre2">(?i)\.(php|phtml|php3|php4|php5|phps|phar|asp|aspx|jsp|cshtml|vbhtml)$</field>
    <description>[File creation]: Possible web shell scripting file ($(file)) created</description>
  </rule>
  <rule id="100501" level="12">
    <if_sid>550</if_sid>
    <field name="file" type="pcre2">(?i)\.(php|phtml|php3|php4|php5|phps|phar|asp|aspx|jsp|cshtml|vbhtml)$</field>
    <description>[File modification]: Possible web shell content added in $(file)</description>
  </rule>
  <rule id="100502" level="15">
    <if_sid>100501</if_sid>
    <field name="changed_content" type="pcre2">(?i)passthru|exec|eval|shell_exec|assert|str_rot13|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile|show_source|proc_open|pcntl_exec|execute|WScript\.Shell|WScript\.Network|FileSystemObject|Adodb\.stream</field>
    <description>[File Modification]: File $(file) contains a web shell</description>
  </rule>
</group>

<group name="windows-usb-detect,">
  <rule id="111119" level="6">
    <if_sid>60009</if_sid>
    <field name="win.system.channel">^Microsoft-Windows-DriverFrameworks-UserMode/Operational$</field>
    <field name="win.system.eventID">^2102$</field>
    <field name="win.uMDFHostDeviceRequest.requestMinorCode">^2$</field>
    <description>Windows: USB storage disconnected (minor=2) InstanceId=$(win.uMDFHostDeviceRequest.instanceId) on $(win.system.computer)</description>
    <options>no_full_log</options>
  </rule>
</group>

<group name="windows,bruteforce,">
  <rule id="100015" level="10" frequency="3" timeframe="60">
    <if_matched_sid>60122</if_matched_sid>
    <same_field>win.eventdata.targetUserName</same_field>
    <description>Windows: 3 consecutive failed login attempts detected. Triggering host isolation.</description>
    <group>authentication_failures,active_response_trigger</group>
  </rule>
</group>

<group name="windows-usb-detect,">
  <rule id="111000" level="7">
    <if_sid>60227</if_sid>
    <field name="win.system.eventID">^6416$</field>
    <match>USBSTOR\\Disk</match>
    <options>no_full_log</options>
    <description>Windows: A PNP device $(win.eventdata.deviceDescription) was connected to $(win.system.computer)</description>
  </rule>
  <rule id="111001" level="5">
    <if_sid>111000</if_sid>
    <options>no_full_log</options>
    <description>Windows: Authorized PNP device $(win.eventdata.deviceDescription) was connected to $(win.system.computer).</description>
  </rule>
  <rule id="111002" level="8">
    <if_sid>111000</if_sid>
    <list field="win.eventdata.deviceId" lookup="not_match_key">etc/lists/usb-drives</list>
    <options>no_full_log</options>
    <description>Windows: Unauthorized PNP device $(win.eventdata.deviceDescription) was connected to $(win.system.computer).</description>
  </rule>
</group>

<group name="windows,logoff,">
  <rule id="111120" level="3">
    <if_sid>67023</if_sid>
    <description>Non-service account $(win.eventdata.targetUserName) logged off from $(win.system.computer).</description>
  </rule>
</group>

<group name="windows,auth,">
  <rule id="100005" level="16" ignore="10">
    <if_sid>60122</if_sid>
    <description>Windows login failed for user</description>
    <group>authentication_failed,windows,</group>
  </rule>
</group>

<group name="windows,logon,success,authentication_success">
  <rule id="111121" level="10" ignore="10">
    <if_sid>60118</if_sid>
    <field name="win.eventdata.logonType">^2$</field>
    <description>Interactive logon success: User $(win.eventdata.targetUserName) logged on to $(win.system.computer)</description>
    <options>no_full_log</options>
  </rule>
</group>

<group name="user_created">
  <rule id="100401" level="12">
    <if_sid>60109</if_sid>
    <description>Unauthorized local user account creation by user: $(win.eventdata.subjectUserName) (new account: $(win.eventdata.targetUserName))</description>
  </rule>
</group>

<group name="user_created">
  <rule id="100402" level="12">
    <if_sid>60111</if_sid>
    <description>User account deleted: $(win.eventdata.targetUserName)</description>
  </rule>
</group>

<group name="windows,privilege_use">
  <rule id="104673" level="8">
    <if_sid>67028</if_sid>
    <description>Successful privileged service was called (Windows Event ID 4672) User=$(win.eventdata.subjectUserName)</description>
  </rule>
</group>

<group name="windows,privilege_escalation,admin_group">
  <rule id="110001" level="12">
    <if_sid>60154</if_sid>
    <field name="win.system.eventID">4732</field>
    <description>User added to local Administrators group by $(win.eventdata.subjectUserName)</description>
  </rule>
</group>

<group name="windows,group_changes,local">
  <rule id="100100" level="13" frequency="2" timeframe="10">
    <if_sid>60154</if_sid>
    <field name="win.system.eventID">4733</field>
    <description>Security Enabled Local Group Member Removed: $(win.eventdata.memberSid) by $(win.eventdata.subjectUserName)</description>
    <options>no_full_log</options>
    <group>group_changed,win_group_changed,pci_dss_8.1.2,pci_dss_10.2.5,gpg13_7.10,gdpr_IV_35.7.d,gdpr_IV_32.2,hipaa_164.312.a.2.I,hipaa_164.312.a.2.II,hipaa_164.312.b,nist_800_53_AC.2,nist_800_53_IA.4,nist_800_53_AU.14,nist_800_53_AC.7,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3</group>
    <mitre>
      <id>T1484</id>
    </mitre>
  </rule>
</group>

<group name="windows,process_creation,lolbins,">
  <rule id="200001" level="10">
    <if_sid>18107</if_sid>
    <!-- Rule field names omit the "data." prefix that the stored alert document carries -->
    <field name="win.eventdata.newProcessName" type="pcre2">(?i)\\(powershell|certutil|rundll32|mshta|wmic)\.exe$</field>
    <description>LOLBin execution detected: $(win.eventdata.newProcessName)</description>
  </rule>
</group>

<group name="process_monitor,">
  <rule id="100010" level="6">
    <decoded_as>tasklist</decoded_as>
    <regex type="pcre2">(?i)notepad.exe</regex>
    <description>Notepad.exe is running.</description>
  </rule>
</group>

<group name="windows,sysmon,lolbins,attack">
  <rule id="100701" level="12">
    <!-- if_sid: if_matched_sid is only meaningful together with frequency/timeframe -->
    <if_sid>61603</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)(powershell\.exe|cmd\.exe|certutil\.exe|mshta\.exe|rundll32\.exe|wmic\.exe)</field>
    <description>Suspicious LOLBin execution detected via Sysmon (Process Create)</description>
    <mitre>
      <id>T1059</id>
      <id>T1218</id>
    </mitre>
  </rule>
</group>

<group name="windows,log_clearing">
  <rule id="110006" level="12">
    <if_sid>63103</if_sid>
    <description>CRITICAL: Windows Security Audit Log Cleared by $(win.logFileCleared.subjectUserName)</description>
    <mitre>
      <id>T1070.001</id>
    </mitre>
  </rule>
</group>

<group name="windows,log_clearing">
  <rule id="110007" level="12">
    <if_sid>63104</if_sid>
    <description>CRITICAL: Windows $(win.logFileCleared.channel) Log Cleared by $(win.logFileCleared.subjectUserName)</description>
    <mitre>
      <id>T1070</id>
    </mitre>
  </rule>
</group>

<group name="windows,lateral_movement,rdp">
  <rule id="105100" level="12">
    <if_group>windows</if_group>
    <field name="win.system.eventID">^1149$</field>
    <description>RDP LOGON DETECTED (Event 1149): User $(win.userdata.param1) connected from IP $(win.userdata.param3)</description>
    <mitre>
      <id>T1021.001</id>
    </mitre>
  </rule>
</group>

<group name="windows,lateral_movement,smb">
  <rule id="100021" level="12">
    <if_group>windows</if_group>
    <field name="win.system.eventID">^4624$</field>
    <field name="win.eventdata.logonType">^3$</field>
    <description>SMB LOGON DETECTED: Possible lateral movement on Win 10 Pro</description>
    <mitre>
      <id>T1021.002</id>
    </mitre>
  </rule>
</group>

<group name="windows,powershell,">
  <rule id="100201" level="8">
    <if_sid>60009</if_sid>
    <field name="win.eventdata.payload" type="pcre2">(?i)CommandInvocation</field>
    <field name="win.system.message" type="pcre2">(?i)EncodedCommand|FromBase64String|EncodedArguments|-e\b|-enco\b|-en\b</field>
    <description>Encoded command executed via PowerShell.</description>
    <mitre>
      <id>T1059.001</id>
      <id>T1562.001</id>
    </mitre>
  </rule>
  <rule id="100202" level="4">
    <if_sid>60009</if_sid>
    <field name="win.system.message" type="pcre2">(?i)blocked by your antivirus software</field>
    <description>Windows Security blocked malicious command executed via PowerShell.</description>
    <mitre>
      <id>T1059.001</id>
    </mitre>
  </rule>
  <rule id="100203" level="10">
    <if_sid>60009</if_sid>
    <field name="win.eventdata.payload" type="pcre2">(?i)CommandInvocation</field>
    <field name="win.system.message" type="pcre2">(?i)Add-Persistence|Find-AVSignature|Get-GPPAutologon|Get-GPPPassword|Get-HttpStatus|Get-Keystrokes|Get-SecurityPackages|Get-TimedScreenshot|Get-VaultCredential|Get-VolumeShadowCopy|Install-SSP|Invoke-CredentialInjection|Invoke-DllInjection|Invoke-Mimikatz|Invoke-NinjaCopy|Invoke-Portscan|Invoke-ReflectivePEInjection|Invoke-ReverseDnsLookup|Invoke-Shellcode|Invoke-TokenManipulation|Invoke-WmiCommand|Mount-VolumeShadowCopy|New-ElevatedPersistenceOption|New-UserPersistenceOption|New-VolumeShadowCopy|Out-CompressedDll|Out-EncodedCommand|Out-EncryptedScript|Out-Minidump|PowerUp|PowerView|Remove-Comments|Remove-VolumeShadowCopy|Set-CriticalProcess|Set-MasterBootRecord</field>
    <description>Risky CMDLet executed. Possible malicious activity detected.</description>
    <mitre>
      <id>T1059.001</id>
    </mitre>
  </rule>
  <rule id="100204" level="8">
    <if_sid>91802</if_sid>
    <field name="win.eventdata.scriptBlockText" type="pcre2">(?i)mshta.*GetObject|mshta.*new ActiveXObject</field>
    <description>Mshta used to download a file. Possible malicious activity detected.</description>
    <mitre>
      <id>T1059.001</id>
    </mitre>
  </rule>
  <rule id="100205" level="5">
    <if_sid>60009</if_sid>
    <field name="win.eventdata.contextInfo" type="pcre2">(?i)ExecutionPolicy bypass|exec bypass</field>
    <description>PowerShell execution policy set to bypass.</description>
    <mitre>
      <id>T1059.001</id>
    </mitre>
  </rule>
  <rule id="100206" level="5">
    <if_sid>60009</if_sid>
    <field name="win.eventdata.contextInfo" type="pcre2">(?i)Invoke-WebRequest|IWR.*-url|IWR.*-InFile</field>
    <description>Invoke-WebRequest executed, possible download cradle detected.</description>
    <mitre>
      <id>T1059.001</id>
    </mitre>
  </rule>
</group>

<group name="windows,certutil">
  <rule id="180005" level="12" ignore="120">
    <if_group>windows</if_group>
    <match>certutil.exe</match>
    <description>Suspicious Certutil.exe execution on $(win.system.computer)</description>
    <mitre>
      <id>T1105</id>
    </mitre>
  </rule>
</group>

<group name="windows,rundll32">
  <rule id="180006" level="10" ignore="120">
    <if_group>windows</if_group>
    <match>rundll32.exe</match>
    <description>LOLBAS: Rundll32.exe execution detected on $(win.system.computer)</description>
    <mitre>
      <id>T1218.011</id>
    </mitre>
  </rule>
</group>

<group name="windows,MSHTA">
  <rule id="180007" level="12" ignore="120">
    <if_group>windows</if_group>
    <match>mshta.exe</match>
    <field name="win.eventdata.commandLine" type="pcre2">(?i)(http|script|about:)</field>
    <description>LOLBAS: Suspicious MSHTA execution on $(win.system.computer)</description>
    <mitre>
      <id>T1218.005</id>
    </mitre>
  </rule>
</group>

<group name="windows,WMIC">
  <rule id="180008" level="12" ignore="120">
    <if_group>windows</if_group>
    <match>wmic.exe</match>
    <field name="win.eventdata.commandLine" type="pcre2">(?i)(process\s+call\s+create|product\s+where\s+name|shadowcopy\s+delete)</field>
    <description>LOLBAS: Suspicious WMIC execution on $(win.system.computer)</description>
    <mitre>
      <id>T1047</id>
    </mitre>
  </rule>
</group>

<group name="windows,Powershell">
  <rule id="180009" level="12">
    <if_group>windows</if_group>
    <match>powershell.exe</match>
    <field name="win.eventdata.commandLine" type="pcre2">(?i)(-enc|-EncodedCommand|-ExecutionPolicy\s+Bypass|-ep\s+bypass|-WindowStyle\s+Hidden)</field>
    <description>LOLBAS: Suspicious PowerShell execution on $(win.system.computer)</description>
    <mitre>
      <id>T1059.001</id>
    </mitre>
  </rule>
</group>

<group name="fim,ransomware,windows">
  <rule id="100510" level="15" frequency="100" timeframe="60">
    <if_matched_sid>550</if_matched_sid>
    <description>Possible ransomware: 100 file modifications in 60 seconds</description>
    <mitre>
      <id>T1486</id>
    </mitre>
  </rule>
  <rule id="100512" level="10" frequency="50" timeframe="60">
    <if_matched_sid>553</if_matched_sid>
    <description>High rate of file deletion detected</description>
  </rule>
</group>
```
I would greatly appreciate any documentation links, sample configurations, or step-by-step guidance from community members who have implemented something similar.
Thank you very much for your time and support.
Best regards,
Jack
L1 SOC Analyst
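One way to derive the rule-scoped panel filter from a local_rules.xml like the one posted above, as an added Python example that is not part of the original post and not Wazuh's or OpenSearch's own code. It assumes the stock `wazuh-alerts-*` index pattern with the fields `rule.id`, `rule.description`, `rule.groups`, `rule.mitre.id` and `agent.name`; the XML excerpt and the alert documents in the block are constructed for the example. The point it makes is that `rule.id` is a keyword (string) field in the Wazuh alerts template, so a "custom IDs are >= 100000" range filter compares strings and lets built-in IDs such as 18107 through; the panel query therefore uses an explicit `terms` list taken from the rules file.

```python
"""Collect rule IDs and groups from a Wazuh local_rules.xml and build the
OpenSearch Query DSL for a dashboard panel scoped to exactly those rules."""
import json
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed excerpt in the shape of the posted local_rules.xml (not the full file).
LOCAL_RULES_XML = """
<group name="linux,webshell,windows,">
  <rule id="100500" level="12"><if_sid>554</if_sid>
    <description>[File creation]: Possible web shell scripting file ($(file)) created</description></rule>
</group>
<group name="windows,bruteforce,">
  <rule id="100015" level="10" frequency="3" timeframe="60"><if_matched_sid>60122</if_matched_sid>
    <description>Windows: 3 consecutive failed login attempts detected.</description>
    <group>authentication_failures,active_response_trigger</group></rule>
</group>
<group name="windows,process_creation,lolbins,">
  <rule id="200001" level="10"><if_sid>18107</if_sid>
    <description>LOLBin execution detected</description></rule>
</group>
"""


def load_custom_rules(xml_text):
    """Return {rule_id: set(groups)}. A rules file has many top-level <group>
    elements and no single root, so wrap it before parsing."""
    root = ET.fromstring("<rules>" + xml_text + "</rules>")
    rules = {}
    for grp in root.findall("group"):
        base = {g.strip() for g in grp.get("name", "").split(",") if g.strip()}
        for rule in grp.findall("rule"):
            extra = set()
            for sub in rule.findall("group"):  # per-rule <group> adds more tags
                extra |= {g.strip() for g in (sub.text or "").split(",") if g.strip()}
            rules[rule.get("id")] = base | extra
    return rules


def panel_query(rule_ids, size=20):
    """Query DSL for a 'top custom rules' panel on wazuh-alerts-*.
    rule.id is mapped as keyword in the Wazuh alerts template (assumption
    stated in the lead-in), so an explicit terms filter is used instead of a
    numeric-looking range, which would compare strings."""
    return {
        "size": 0,
        "query": {"bool": {"filter": [{"terms": {"rule.id": sorted(rule_ids)}}]}},
        "aggs": {
            "by_rule": {
                "terms": {"field": "rule.id", "size": size},
                "aggs": {
                    "description": {"terms": {"field": "rule.description", "size": 1}},
                    "agents": {"terms": {"field": "agent.name", "size": 5}},
                    "mitre": {"terms": {"field": "rule.mitre.id", "size": 5}},
                },
            }
        },
    }


# Constructed alert documents with the minimal fields the panel uses.
SAMPLE_ALERTS = [
    {"rule": {"id": "100500", "groups": ["linux", "webshell", "windows"]}, "agent": {"name": "web01"}},
    {"rule": {"id": "100015", "groups": ["windows", "bruteforce"]}, "agent": {"name": "dc01"}},
    {"rule": {"id": "18107", "groups": ["windows"]}, "agent": {"name": "ws07"}},  # built-in rule
    {"rule": {"id": "200001", "groups": ["windows", "lolbins"]}, "agent": {"name": "ws07"}},
    {"rule": {"id": "100015", "groups": ["windows", "bruteforce"]}, "agent": {"name": "dc01"}},
]


def dry_run(alerts, rule_ids):
    """Apply the same terms filter offline and count alerts per rule, as the panel would."""
    return Counter(a["rule"]["id"] for a in alerts if a["rule"]["id"] in rule_ids)


def string_range_hits(alerts, lo="100000", hi="299999"):
    """What a range filter on the keyword rule.id actually matches: string
    order, so "18107" sorts between "100000" and "299999" and is included."""
    return sorted({a["rule"]["id"] for a in alerts if lo <= a["rule"]["id"] <= hi})


if __name__ == "__main__":
    ids = set(load_custom_rules(LOCAL_RULES_XML))
    print(json.dumps(panel_query(ids), indent=2))
    print("terms filter:", dry_run(SAMPLE_ALERTS, ids))
    print("string range would match:", string_range_hits(SAMPLE_ALERTS))
```

Run it against the real local_rules.xml by reading the file into `load_custom_rules`; the `filter` clause it prints can be pasted as a Query DSL filter on the `wazuh-alerts-*` index pattern for each panel, and the same `terms` list works for a saved search in Discover. Whether a saved-search panel embedded in the dashboard gives the row-expand alert view the post asks for is left as an assumption to verify in your own OpenSearch Dashboards version.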