multi tenant internal user not showing vulnerability detection data


Saad khattak

Aug 21, 2025, 4:59:40 PM
to Wazuh | Mailing List
I am trying to create a multi-tenant system, but I am having an issue with vulnerability detection. I am getting vulnerability data in admin but not in the internal user that I have created for the multi-tenant infra. Here is how

ADMIN SIDE

Role index permissions
Wazuh - Google Chrome 8_21_2025 9_58_30 PM.png

Admin side vulnerability detection Dashboard
Wazuh - Google Chrome 8_21_2025 10_01_09 PM.png

Internal User side vulnerability detection dashboard
Wazuh - School - Microsoft​ Edge 8_21_2025 10_01_46 PM.png
I've tried adding labels, changing index permissions, etc., but nothing seems to work. Although the events are coming in the internal user's vuln dashboard, it is not enriching the dashboard and inventory.

Internal User events section

Wazuh - School - Microsoft​ Edge 8_21_2025 10_04_59 PM.png

Jorge Eduardo Silva Jackson

Aug 21, 2025, 7:43:10 PM
to Wazuh | Mailing List
Hi Saad:

From what I can see, your internal user can see vulnerability events because the role has access to wazuh-alerts-*, but the Dashboard and Inventory stay empty because the role cannot read from wazuh-states-vulnerabilities-* or the Document Level Security filter is excluding those documents.

As a first step, please update the internal user’s role to include:

  • read + view_index_metadata permissions on wazuh-states-*, especially wazuh-states-vulnerabilities-*.

  • Align the DLS filter with a field that exists in both alerts and state indices, e.g., cluster.name.

After that change, the Vulnerability Dashboard and Inventory should start populating correctly. Please test and let us know.


BONUS TRACK

If this does not work, could you share some concrete evidence of your current configuration so we can confirm where the problem is? Specifically, we would need:

  1. JSON of the internal role’s index permissions.

  2. The role mapping showing how this role is assigned to the user.

  3. The DLS query/filter currently applied to the role, if any.

  4. Any error messages shown in the Dashboards UI when opening Vulnerability Detection.

With that information we’ll be able to pinpoint the exact root cause.


Saad khattak

Aug 22, 2025, 12:29:53 AM
to Wazuh | Mailing List
I have tried as you said, but it is not working. I don't have view_index_metadata in my Wazuh 4.12, and here is what you have asked for:

1. JSON for internal user role's index permissions
```
"index_permissions": [
    {
        "index_patterns": [
            "wazuh-states-vulnerabilities-*",
            "wazuh-monitoring-*",
            "wazuh-alerts-*"
        ],
        "dls": "{\n  \"bool\": {\n    \"must\": {\n      \"match\": {\n        \"agent.labels.group\": \"GROUP2\"\n      }\n    }\n  }\n}",
        "fls": [],
        "masked_fields": [],
        "allowed_actions": [
            "data_access",
            "delete",
            "manage_aliases",
            "crud",
            "get",
            "search",
            "indices_all",
            "write",
            "manage_data_streams",
            "index",
            "create_index",
            "read",
            "manage",
            "suggest",
            "manage_point_in_time",
            "indices_monitor",
            "unlimited"
        ]
    }
]
```

2. ROLE MAPPING
OpenSearch role mapping

Wazuh - Google Chrome 8_21_2025 7_25_40 PM.png
Wazuh Side Policies and role mapping 
Wazuh - Google Chrome 8_21_2025 7_22_55 PM.png
Wazuh - Google Chrome 8_21_2025 7_22_34 PM.png

3. The DLS is this:
```
{
  "bool": {
    "must": {
      "match": {
        "agent.labels.group": "GROUP2"
      }
    }
  }
}
```

4. No error is shown, just this:
"No results match your search criteria"


Another piece of information: in the discovery, the wazuh-alerts* are coming but not the wazuh-statics*, wazuh-states* and wazuh-monitor*, like here in the image. Also, the wazuh-alerts* events have the DLS group, but the other statics, states or monitor do not have these.

ADMIN SIDE DISCOVERY 
Wazuh - Google Chrome 8_21_2025 7_29_43 PM.png
Below image not showing group label

Wazuh - Google Chrome 8_21_2025 7_30_10 PM.png



Wazuh - Google Chrome 8_21_2025 7_29_57 PM.png



Internal user side discovery

Wazuh - School - Microsoft​ Edge 8_21_2025 7_31_17 PM.png

Not showing state vulnerabilities

Wazuh - School - Microsoft​ Edge 8_21_2025 7_31_23 PM.png

Saad khattak

Aug 22, 2025, 2:35:14 AM
to Wazuh | Mailing List

Jorge Eduardo Silva Jackson

Aug 22, 2025, 4:55:24 PM
to Wazuh | Mailing List
Let me see.

Jorge Eduardo Silva Jackson

Aug 22, 2025, 5:50:57 PM
to Wazuh | Mailing List

Hi Saad,

I’ve confirmed internally that the vulnerability filtering feature with DLS by agent.labels.group is not available in the current Wazuh version. The wazuh-states-vulnerabilities-* indices don’t include the group label yet, so DLS cannot be applied there.

At this point, there are only two possible approaches:

  1. Block tenant users from accessing the vulnerabilities dashboard (safest option to avoid data exposure).

  2. Allow full visibility of vulnerabilities to all tenants (no filtering by group).

This is a known limitation already tracked by the Wazuh team, and will be addressed in a future release.

Another alternative some users apply is DLS by agent IDs, which works but requires manual maintenance and doesn’t scale well.

As a side note, a “hacky” workaround could be to enrich the vulnerability documents via Logstash, using agent → group mapping from the Wazuh API, so DLS might work — I haven’t tested it, but in theory it could. There is a non-official and not tested workaround:
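
Added example (not part of the thread, not Wazuh's code, and not the untested Logstash workaround mentioned above): a Python sketch of the "DLS by agent IDs" alternative, with a small evaluator showing why the `agent.labels.group` filter hides every vulnerability state document. The agent list, sample documents and helper names are constructed for illustration, and it assumes state documents carry `agent.id`.

```python
import json

# Constructed agent -> group mapping, as an admin might export it (IDs are made up).
AGENTS = [{"id": "001", "group": "GROUP1"}, {"id": "002", "group": "GROUP2"},
          {"id": "003", "group": "GROUP2"}]
# Constructed documents: alerts carry agent.labels.group; vulnerability state
# documents do not (the limitation described in the thread), only agent.id (assumed).
ALERT_DOCS = [{"agent": {"id": "002", "labels": {"group": "GROUP2"}}}]
STATE_DOCS = [{"agent": {"id": "001"}}, {"agent": {"id": "002"}}, {"agent": {"id": "003"}}]
# The DLS filter posted in the thread.
LABEL_DLS = {"bool": {"must": {"match": {"agent.labels.group": "GROUP2"}}}}

def get_field(doc, dotted):
    """Resolve a dotted field path; None when any part is missing."""
    for part in dotted.split("."):
        if not isinstance(doc, dict) or part not in doc:
            return None
        doc = doc[part]
    return doc

def dls_allows(query, doc):
    """Simplified evaluator for bool/must, match and terms (exact comparison)."""
    if "bool" in query:
        must = query["bool"]["must"]
        clauses = must if isinstance(must, list) else [must]
        return all(dls_allows(c, doc) for c in clauses)
    if "match" in query:
        (field, value), = query["match"].items()
        return get_field(doc, field) == value
    if "terms" in query:
        (field, values), = query["terms"].items()
        return get_field(doc, field) in values
    raise ValueError("unsupported query type")

def agent_id_dls(agents, group):
    """Build a DLS query limiting a tenant to its own agent IDs."""
    ids = sorted(a["id"] for a in agents if a["group"] == group)
    if not ids:  # refuse to emit a filter for a tenant with no agents
        raise ValueError(f"no agents found for group {group!r}")
    return {"bool": {"must": [{"terms": {"agent.id": ids}}]}}

def role_dls_string(agents, group):
    """The role's "dls" field is a JSON string, so serialise the query."""
    return json.dumps(agent_id_dls(agents, group))

def visible(query, docs):
    """Agent IDs of the documents a role with this DLS filter could read."""
    return [get_field(d, "agent.id") for d in docs if dls_allows(query, d)]

if __name__ == "__main__":
    print("label DLS on alerts:", visible(LABEL_DLS, ALERT_DOCS))
    print("label DLS on states:", visible(LABEL_DLS, STATE_DOCS))
    print("agent-id DLS on states:", visible(agent_id_dls(AGENTS, "GROUP2"), STATE_DOCS))
    print("dls string:", role_dls_string(AGENTS, "GROUP2"))
```

The agent-ID list has to be regenerated whenever agents are enrolled, removed or moved between groups, which is the manual maintenance cost mentioned above.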

sau sau

Nov 8, 2025, 5:37:10 AM
to Wazuh | Mailing List
Hi Jorge,
I wanted to know if there are any updates regarding this issue?