MITRE ATT&CK graph not showing
maksudur rahman
Bony V John
Bony V John
Hi,
The MITRE ATT&CK dashboard not showing data may be related to a field mapping issue.
First, please check and confirm whether you are able to view alerts in the Events tab of the MITRE ATT&CK dashboard.
Also, in the Threat Hunting dashboard Events tab, check whether the rule.mitre.id and rule.mitre.tactic fields are present in the alerts. Not all alerts contain MITRE fields. Usually, only alerts triggered by default Wazuh rules with MITRE mappings, for example rule ID 5760, will contain those fields.
Also, in the MITRE ATT&CK dashboard, change the timestamp filter from Last 24 hours to Last 7 days or another larger time range and check whether the data appears. This will help confirm whether the issue is related to field mapping or not.
Have you made any changes before encountering this issue? If yes, please let us know.
Please check the data type of today’s index for the rule.mitre.* fields.
On the Wazuh dashboard, go to: Hamburger menu > Indexer Management > Dev Tools
Then run:
GET wazuh-alerts-4.x-2026.05.07/_mapping/field/rule.mitre.*This will print the data types for the rule.mitre.* fields. Please ensure that the fields are mapped as keyword.
Also, check whether there are any Filebeat errors:
cat /var/log/filebeat/filebeat | grep -iE "error|warn"Also check the Wazuh indexer logs:
cat /var/log/wazuh-indexer/wazuh-cluster.log | grep -iE "error|warn"Check the indexer health by running the below command on the indexer server:
curl -k -u admin:<password> "https://127.0.0.1:9200/_cluster/health?pretty"Also, please share the Wazuh Filebeat template file from the Wazuh manager server: /etc/filebeat/wazuh-template.json
Please share the full output of the above commands and files with us. Also let us know the version of your Wazuh environment. This will help us analyze the issue further.