Add Visualization

[MH]

Hello

I was reading this document and it shows a  Visualization  towards the bottom https://wazuh.com/blog/using-wazuh-to-monitor-sysmon-events/

There is a downloadable json file https://wazuh.com/resources/PowerShell_Dashboard.json.zip

Just wondering how/where I add this to my Wazuh setup to be able to use it.

[Julio Gasco]

Hi Michael,

That visualization is outdated and it´s not supported anymore in actual versions. I have reproduced a similar dashboard which you can import that is attached to this message (Powershell_Dashboard.ndjson)

The new dashboard has 4 visualizations: 

Agent IDs: Agent IDs that have sysmon alerts

Users: Users that triggered sysmon alerts

Parent Process: Parent Process of the sysmon alerts triggered.

Evolution of powershell events: Area map with powershell alerts triggered.

This is how it looks on my lab

To import the dashboard follow the next steps:

• Log into your wazuh instance and in the left menu go to Management -> Stack Management

• Under the stack management menu go to saved objects 

• On the saved objects menu at the left press Import

• In the import menu that open press the Import icon

• Browse through your files and select the ndjson attached to this message and then press below Import

Once the dashboard and the visualizations is imported you can access it in the left menu on the Dashboard menu.

You can edit the dashboard and the visualizations if desired to better fit your requirements. The basic filter for all the visualizations is data.win.system.channel is Microsoft-Windows-Sysmon/Operational which captures incoming sysmon alerts.

Let me know if this helps-

Regards!