What You'll Learn
- Build 4 operational SOC dashboard visualizations from raw Wazuh alert data
- Create a severity heatmap that reveals which agents are generating critical alerts
- Design a Top Attackers panel that ranks external IPs by threat volume
- Build a timeline visualization showing attack progression over time
- Assemble a unified SOC dashboard that a shift lead would check every morning
Lab Overview
| Detail | Value |
|---|---|
| Lab Profile | lab-wazuh |
| Containers | Wazuh Manager, Wazuh Indexer, Wazuh Dashboard |
| Estimated Time | 60–75 minutes |
| Difficulty | Intermediate |
| Browser Access | Wazuh Dashboard (Web UI) |
| Pre-Loaded Data | 505 alerts across 10 log sources, 4 agents |
| Deliverable | A 4-panel SOC Operations Dashboard saved in Wazuh |
Why Dashboards Matter. A SOC without dashboards is like a cockpit without instruments. You can fly the plane, but you can't see altitude, speed, or fuel. SOC dashboards transform thousands of raw alerts into visual patterns that reveal threats in seconds. This is how shift leads prioritize work and how managers measure the team's effectiveness.
The Scenario
Your SOC manager says: "We've been running Wazuh for a week, but nobody's built dashboards yet. Everyone's reading alerts one by one. I need you to build our first operational dashboard — something I can pull up in our morning standup and show the team: what happened overnight, which systems are hottest, and who's attacking us."
You have 505 alerts from a realistic 24-hour period. Your job is to build 4 visualizations that answer the questions every SOC team asks every day.
Part 1: Severity Distribution — "How Bad Is It?"
The first thing any SOC lead wants to know is the overall threat level. You'll build a pie chart showing alert distribution by severity.
Step 1: Open the Visualization Builder
- In the Wazuh Dashboard, click Visualize (compass icon) in the left sidebar
- Click Create new visualization
- Select Pie Chart
- Choose the wazuh-alerts-* index pattern as your data source
Step 2: Configure the Severity Breakdown
- Under Buckets, click Add > Split Slices
- Aggregation: Terms
- Field: rule.level
- Order By: Count
- Size: 16 (rule.level runs from 0 to 15; a smaller size can silently drop the rarest level)
- Click the ▶ Play button to generate the chart
Step 3: Interpret the Results
You should see a pie chart with slices for each severity level present in your data. Record:
| Severity Level | Count | Percentage | Example Rule |
|---|---|---|---|
| Level 3 | ??? | ???% | Agent heartbeats |
| Level 5-7 | ??? | ???% | Authentication events |
| Level 10-12 | ??? | ???% | Brute force, suspicious activity |
| Level 15 | ??? | ???% | Audit log cleared |
Step 4: Save the Visualization
Click Save and name it: SOC - Severity Distribution
Reading the Pie. In a healthy environment, the pie should be dominated by low-severity slices (level 3-5). If high-severity slices (12+) make up more than 10% of total alerts, something unusual is happening. In your lab, the pre-loaded attack scenario will skew this — that's intentional.
Part 2: Alert Heatmap by Agent — "Who's Under Attack?"
Next, you need to see which systems are generating the most alerts and at what severity. A heatmap is perfect for this.
Step 1: Create the Heatmap
- Create a new visualization: Data Table (OpenSearch Dashboards also offers a Heat Map type, but a table with one column per severity range is easier to read and to copy into the matrix below)
- Source: wazuh-alerts-* index
Step 2: Configure Rows and Columns
- Under Metrics, keep Count as the metric
- Under Buckets, add Split Rows:
- Aggregation: Terms
- Field: agent.name
- Size: 10
- Add another Split Rows sub-bucket:
- Sub-Aggregation: Range
- Field: rule.level
- Ranges: 0-3 (Info), 4-7 (Low), 8-11 (Medium), 12-15 (Critical). The Range aggregation's upper bound is exclusive (a bucket holds from ≤ level < to), so enter them as 0 to 4, 4 to 8, 8 to 12 and 12 to 16. Typing 12 to 15 silently drops every level-15 alert from the table, and 0 to 3 drops level 3.
- Click ▶ Play
Step 3: Analyze the Agent Distribution
Your table should show each agent with alert counts per severity range:
| Agent | Info (0-3) | Low (4-7) | Medium (8-11) | Critical (12-15) |
|---|---|---|---|---|
| linux-web-01 | ??? | ??? | ??? | ??? |
| WIN-SERVER-01 | ??? | ??? | ??? | ??? |
| dns-server-01 | ??? | ??? | ??? | ??? |
| fw-edge-01 | ??? | ??? | ??? | ??? |
Key questions to answer:
- Which agent has the most critical alerts?
- Which agent is the "noisiest" (most total alerts)?
- Is there an agent with zero critical alerts? (That might be normal, or it might mean monitoring gaps.)
Step 4: Save
Save as: SOC - Agent Severity Matrix
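The two aggregations built in Parts 1 and 2 (a terms count on rule.level, then agent.name rows with a rule.level Range sub-bucket) computed locally over a constructed alerts.json sample, as an added example that is not part of the lab or of Wazuh's own code. The sample rows and their rule descriptions are illustrative, not the lab's 505 pre-loaded alerts; the range semantics (from inclusive, to exclusive) are those of the OpenSearch range aggregation the visualization builder sends, and `agent_matrix_query` shows that request body:

```python
import json
from collections import Counter, defaultdict

# Constructed sample in the shape of Wazuh's alerts.json (one JSON object per line).
# Descriptions are illustrative; these rows are NOT the lab's 505 pre-loaded alerts.
SAMPLE_ALERTS = """\
{"timestamp":"2024-05-01T02:14:07.000+00:00","rule":{"level":3,"description":"PAM: login session opened"},"agent":{"name":"linux-web-01"},"data":{"srcip":"10.0.1.20"}}
{"timestamp":"2024-05-01T02:15:10.000+00:00","rule":{"level":5,"description":"sshd: authentication failed"},"agent":{"name":"linux-web-01"},"data":{"srcip":"185.220.101.42"}}
{"timestamp":"2024-05-01T02:15:12.000+00:00","rule":{"level":10,"description":"sshd: brute force attempt"},"agent":{"name":"linux-web-01"},"data":{"srcip":"185.220.101.42"}}
{"timestamp":"2024-05-01T02:16:40.000+00:00","rule":{"level":10,"description":"sshd: brute force attempt"},"agent":{"name":"linux-web-01"},"data":{"srcip":"185.220.101.42"}}
{"timestamp":"2024-05-01T02:40:00.000+00:00","rule":{"level":5,"description":"Windows logon failure"},"agent":{"name":"WIN-SERVER-01"},"data":{"srcip":"91.234.99.87"}}
{"timestamp":"2024-05-01T02:42:00.000+00:00","rule":{"level":7,"description":"Web attack: SQL injection pattern"},"agent":{"name":"linux-web-01"},"data":{"srcip":"203.0.113.50"}}
{"timestamp":"2024-05-01T03:05:00.000+00:00","rule":{"level":12,"description":"Windows audit log cleared"},"agent":{"name":"WIN-SERVER-01"},"data":{"srcip":"10.0.2.15"}}
{"timestamp":"2024-05-01T03:06:00.000+00:00","rule":{"level":15,"description":"Audit log cleared during active brute force"},"agent":{"name":"WIN-SERVER-01"},"data":{"srcip":"10.0.2.15"}}
{"timestamp":"2024-05-01T04:30:00.000+00:00","rule":{"level":3,"description":"PAM: login session opened"},"agent":{"name":"dns-server-01"},"data":{"srcip":"10.0.1.5"}}
"""

# Severity ranges as the Range aggregation stores them: from is inclusive, to is EXCLUSIVE.
# To hold levels 12..15 the bucket must be from 12 to 16.
SEVERITY_RANGES = [("Info", 0, 4), ("Low", 4, 8), ("Medium", 8, 12), ("Critical", 12, 16)]

# What you get if you type the labels "0-3, 4-7, 8-11, 12-15" literally into the builder.
NAIVE_RANGES = [("Info", 0, 3), ("Low", 4, 7), ("Medium", 8, 11), ("Critical", 12, 15)]


def load_alerts(text):
    """Parse newline-delimited alert JSON into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def severity_bucket(level, ranges=SEVERITY_RANGES):
    """Map a rule.level to its range label; None means it fell between or outside the buckets."""
    for name, lo, hi in ranges:
        if lo <= level < hi:
            return name
    return None


def severity_distribution(alerts):
    """Part 1: per-level count and percentage, i.e. the pie chart's slices."""
    counts = Counter(a["rule"]["level"] for a in alerts)
    total = sum(counts.values())
    return {lvl: (n, round(100.0 * n / total, 1)) for lvl, n in sorted(counts.items())}


def agent_severity_matrix(alerts, ranges=SEVERITY_RANGES):
    """Part 2: agent.name rows by severity-range columns, i.e. the data table."""
    matrix = defaultdict(lambda: {name: 0 for name, _, _ in ranges})
    for a in alerts:
        bucket = severity_bucket(a["rule"]["level"], ranges)
        if bucket is not None:  # alerts outside every range simply vanish from the table
            matrix[a["agent"]["name"]][bucket] += 1
    return dict(matrix)


def agent_matrix_query(ranges=SEVERITY_RANGES, size=10):
    """The OpenSearch aggregation body behind the same table (size 0: no hits, only buckets)."""
    return {"size": 0, "aggs": {"agents": {
        "terms": {"field": "agent.name", "size": size},
        "aggs": {"severity": {"range": {
            "field": "rule.level",
            "ranges": [{"key": n, "from": lo, "to": hi} for n, lo, hi in ranges]}}}}}}


if __name__ == "__main__":
    alerts = load_alerts(SAMPLE_ALERTS)
    print("Severity distribution:", severity_distribution(alerts))
    print("Matrix (exclusive-to handled):", agent_severity_matrix(alerts))
    print("Matrix (naive ranges):        ", agent_severity_matrix(alerts, NAIVE_RANGES))
    print(json.dumps(agent_matrix_query(), indent=1))
```

Running it with the naive ranges is the point of the exercise: WIN-SERVER-01 loses its level-15 alert from the Critical column and dns-server-01 disappears from the table entirely because its only alert is level 3, which is exactly the "zero critical alerts" monitoring-gap question from Step 3 created by a configuration mistake rather than by the data.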
Part 3: Top Attackers — "Who Is Hitting Us?"
Every SOC needs a "Top Talkers" panel showing which external IPs are generating the most alerts. This helps you identify persistent attackers, botnets, and scanning campaigns.
Step 1: Create a Horizontal Bar Chart
- Create new visualization: Horizontal Bar
- Source: wazuh-alerts-*
Step 2: Configure the Top Attackers View
- Y-Axis (Metrics): Count
- X-Axis (Buckets): Terms
- Field: data.srcip
- Size: 10
- Order: Descending by count
- Click ▶ Play
Step 3: Identify the Attackers
You should see the most active source IPs in your environment. From the pre-loaded data, expect to see:
| IP | Expected Role | Alert Count |
|---|---|---|
| 185.220.101.42 | SSH brute force + C2 | High |
| 91.234.99.87 | Windows brute force | Medium |
| 203.0.113.50 | SQL injection | Low |
| 10.0.x.x addresses | Internal traffic | Varies |
Internal IPs in the Top Attackers List. If RFC 1918 addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) appear high in the list, don't dismiss them. An internal IP generating many alerts could mean: (1) a compromised host being used as a pivot, (2) a misconfigured system, or (3) legitimate scanning tools such as a scheduled vulnerability scan. Context matters.
Step 4: Save
Save as: SOC - Top Source IPs
Part 4: Attack Timeline — "When Did It Happen?"
The most powerful dashboard panel is the timeline. It shows alert volume over time, revealing attack waves, quiet periods, and the moment an incident began.
Step 1: Create a Line Chart
- Create new visualization: Line Chart (or Area Chart for better visual impact)
- Source: wazuh-alerts-*
Step 2: Configure the Timeline
- Y-Axis (Metrics): Count
- X-Axis (Buckets): Date Histogram
- Field: timestamp
- Minimum Interval: Minute (or Auto)
- Add Split Series to color-code by severity:
- Sub-Aggregation: Range
- Field: rule.level
- Ranges: 0-7 (Low), 8-11 (Medium), 12-15 (Critical), entered as 0 to 8, 8 to 12 and 12 to 16 because the Range aggregation's upper bound is exclusive
- Click ▶ Play
Step 3: Read the Timeline
Your timeline should show alert activity over the 24-hour period. Look for:
- Spikes — Sudden increases in alert volume indicate attack phases
- Color shifts — Periods where critical (red) alerts appear signal high-severity incidents
- Quiet periods — Gaps in alerting could mean the attack stopped, or monitoring was disrupted
Record the key events you observe:
TIMELINE OBSERVATIONS:
Spike 1: [time] — [what rule/agent caused the spike]
Spike 2: [time] — [what rule/agent caused the spike]
Quiet period: [time range] — [possible explanation]
Step 4: Save
Save as: SOC - Alert Timeline
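The Top Source IPs panel from Part 3 and the severity-split timeline from Part 4, computed locally over a constructed alerts.json sample, as an added example that is not part of the lab or of Wazuh's own code. It goes one step beyond the panels: it tags each source IP as internal (RFC 1918) or external, and it finds the quiet periods the timeline only shows as empty space, since a date histogram omits empty buckets and a gap is easy to miss at a glance. Sample rows, rule descriptions and the 15-minute interval and 30-minute gap threshold are assumptions chosen for the example:

```python
import ipaddress
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in the shape of Wazuh's alerts.json; not the lab's pre-loaded data.
SAMPLE_ALERTS = """\
{"timestamp":"2024-05-01T02:14:07.000+00:00","rule":{"level":3,"description":"PAM: login session opened"},"agent":{"name":"linux-web-01"},"data":{"srcip":"10.0.1.20"}}
{"timestamp":"2024-05-01T02:15:10.000+00:00","rule":{"level":5,"description":"sshd: authentication failed"},"agent":{"name":"linux-web-01"},"data":{"srcip":"185.220.101.42"}}
{"timestamp":"2024-05-01T02:15:12.000+00:00","rule":{"level":10,"description":"sshd: brute force attempt"},"agent":{"name":"linux-web-01"},"data":{"srcip":"185.220.101.42"}}
{"timestamp":"2024-05-01T02:16:40.000+00:00","rule":{"level":10,"description":"sshd: brute force attempt"},"agent":{"name":"linux-web-01"},"data":{"srcip":"185.220.101.42"}}
{"timestamp":"2024-05-01T02:40:00.000+00:00","rule":{"level":5,"description":"Windows logon failure"},"agent":{"name":"WIN-SERVER-01"},"data":{"srcip":"91.234.99.87"}}
{"timestamp":"2024-05-01T02:42:00.000+00:00","rule":{"level":7,"description":"Web attack: SQL injection pattern"},"agent":{"name":"linux-web-01"},"data":{"srcip":"203.0.113.50"}}
{"timestamp":"2024-05-01T03:05:00.000+00:00","rule":{"level":12,"description":"Windows audit log cleared"},"agent":{"name":"WIN-SERVER-01"},"data":{"srcip":"10.0.2.15"}}
{"timestamp":"2024-05-01T03:06:00.000+00:00","rule":{"level":15,"description":"Audit log cleared during active brute force"},"agent":{"name":"WIN-SERVER-01"},"data":{"srcip":"10.0.2.15"}}
{"timestamp":"2024-05-01T04:30:00.000+00:00","rule":{"level":3,"description":"PAM: login session opened"},"agent":{"name":"dns-server-01"},"data":{"srcip":"10.0.1.5"}}
"""

# RFC 1918 space, the ranges the lab calls "internal". Other special ranges count as external here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Timeline split: 0-7 Low, 8-11 Medium, 12-15 Critical (Range aggregation upper bound is exclusive).
SEVERITY_RANGES = [("Low", 0, 8), ("Medium", 8, 12), ("Critical", 12, 16)]


def load_alerts(text):
    """Parse newline-delimited alert JSON into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def severity_bucket(level):
    """Map a rule.level to its timeline series label, or None if outside every range."""
    for name, lo, hi in SEVERITY_RANGES:
        if lo <= level < hi:
            return name
    return None


def is_internal(ip):
    """True for RFC 1918 addresses only."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def top_source_ips(alerts, size=10):
    """Part 3: terms on data.srcip, descending by count, each tagged internal/external.
    Alerts with no data.srcip (agent heartbeats, for instance) are skipped, as the terms
    aggregation skips documents that lack the field."""
    counts = Counter(a["data"]["srcip"] for a in alerts if a.get("data", {}).get("srcip"))
    return [(ip, n, "internal" if is_internal(ip) else "external")
            for ip, n in counts.most_common(size)]


def timeline(alerts, interval=timedelta(minutes=15)):
    """Part 4: date histogram on timestamp with a severity split.
    Returns {bucket_start: {Low, Medium, Critical counts}} in time order. Buckets with no
    alerts are absent, which is why gaps must be searched for explicitly (quiet_periods)."""
    buckets = defaultdict(lambda: {name: 0 for name, _, _ in SEVERITY_RANGES})
    for a in alerts:
        ts = datetime.fromisoformat(a["timestamp"])
        midnight = ts.replace(hour=0, minute=0, second=0, microsecond=0)
        start = ts - (ts - midnight) % interval  # floor to the interval boundary
        bucket = severity_bucket(a["rule"]["level"])
        if bucket is not None:
            buckets[start][bucket] += 1
    return dict(sorted(buckets.items()))


def critical_windows(tl):
    """Bucket starts that contain any critical alert: the 'color shift' the lab tells you to look for."""
    return [start for start, counts in tl.items() if counts["Critical"] > 0]


def quiet_periods(tl, interval=timedelta(minutes=15), min_gap=timedelta(minutes=30)):
    """Stretches of at least min_gap with no alerts at all, as (gap_start, gap_end).
    Either the attacker paused or collection stopped; both deserve a look."""
    starts = list(tl)
    gaps = []
    for prev, nxt in zip(starts, starts[1:]):
        gap_start = prev + interval
        if nxt - gap_start >= min_gap:
            gaps.append((gap_start, nxt))
    return gaps


if __name__ == "__main__":
    alerts = load_alerts(SAMPLE_ALERTS)
    for ip, n, kind in top_source_ips(alerts):
        print(f"{ip:>16} {n:>3} {kind}")
    tl = timeline(alerts)
    for start, counts in tl.items():
        print(start.strftime("%H:%M"), counts)
    print("critical windows:", [s.strftime("%H:%M") for s in critical_windows(tl)])
    print("quiet periods:", [(a.strftime("%H:%M"), b.strftime("%H:%M")) for a, b in quiet_periods(tl)])
```

On the sample, 185.220.101.42 tops the list as an external address and 10.0.2.15 is second as an internal one, which is the case the note in Part 3 warns about: the internal host behind two audit-log-cleared alerts is a pivot candidate, not noise. The timeline shows a critical window at 03:00 followed by a quiet period from 03:15 to 04:30; whether that gap means the attacker finished or the agent stopped reporting is the question to answer before the standup.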
Part 5: Assemble the Unified Dashboard
Now combine all 4 visualizations into a single dashboard.
Step 1: Create the Dashboard
- Click Dashboard in the left sidebar
- Click Create new dashboard
- Click Add (top menu bar)
Step 2: Add Your Panels
Add each saved visualization:
- SOC - Severity Distribution (top-left)
- SOC - Agent Severity Matrix (top-right)
- SOC - Top Source IPs (bottom-left)
- SOC - Alert Timeline (bottom, full-width)
Step 3: Arrange the Layout
Drag panels to create a logical flow:
- Top row: Overview (severity pie + agent matrix) — answers "How bad?" and "Where?"
- Bottom row: Detail (top IPs + timeline) — answers "Who?" and "When?"
Step 4: Save the Dashboard
Save as: SOC Morning Standup Dashboard
Real-World Parallel. This 4-panel layout mirrors what production SOC teams use. Some teams add more panels (alert closure rate, mean time to triage, analyst workload), but severity distribution, affected systems, top attackers, and timeline are universal.
Part 6: Dashboard Briefing
Write a 3-paragraph briefing as if you're presenting this dashboard in a morning standup:
Paragraph 1 — Threat Level: Summarize the severity distribution. What percentage of alerts are critical? Is this normal?
Paragraph 2 — Hottest Systems: Which agents are taking the most heat? What types of attacks are they facing?
Paragraph 3 — Action Items: Based on the top attackers and timeline, what are the top 3 things the SOC team should focus on today?
Deliverable Checklist
Before completing the lab, ensure you have:
- Severity Distribution Pie Chart — saved as SOC - Severity Distribution
- Agent Severity Matrix — saved as SOC - Agent Severity Matrix
- Top Source IPs Bar Chart — saved as SOC - Top Source IPs
- Alert Timeline — saved as SOC - Alert Timeline
- Unified Dashboard — all 4 panels combined in SOC Morning Standup Dashboard
- Dashboard Briefing — 3-paragraph standup summary
Key Takeaways
- SOC dashboards transform raw alert data into actionable intelligence visible at a glance
- The 4 essential panels are: severity distribution, agent heatmap, top attackers, and alert timeline
- Dashboards reveal patterns invisible in individual alerts — attack waves, system targeting, and attacker persistence
- A well-built dashboard answers the daily SOC questions: How bad? Where? Who? When?
- The dashboard is a living document — refine it as you learn what matters most for your environment
What's Next
In Lab 2.4 — Hunt by Query, you'll go beyond dashboards and learn to write custom search queries in Wazuh. Dashboards show you the big picture — queries let you drill into specific hypotheses and hunt for threats that dashboards might miss.
Lab Challenge: Build a SOC Dashboard
10 questions · 70% to pass
In your Severity Distribution pie chart, which rule.level has the highest count of alerts? Navigate to your saved visualization to check.
Open your Agent Severity Matrix. Which agent has the most critical (level 12-15) alerts?
In your Top Source IPs bar chart, which IP address has the highest alert count?
When creating the alert timeline visualization, what Date Histogram field do you use for the X-axis?
You add a severity split to your timeline and notice a cluster of red (level 12-15) alerts in a specific time window. What does this pattern indicate?
In the visualization builder, what aggregation type do you use to group alerts by agent.name?
Why is it important to include a severity Range aggregation (0-3, 4-7, 8-11, 12-15) rather than showing individual rule.level values in the agent matrix?
Your timeline shows a sudden 15-minute gap where no alerts appear from any agent. What are two possible explanations a SOC analyst should consider?
You're presenting your SOC Morning Standup Dashboard. The manager asks: 'What is the single most important insight from this dashboard?' Based on the pre-loaded data, what would you highlight?
After building your dashboard, you want to add a filter so it only shows the last 4 hours. Where do you set this time range in the Wazuh Dashboard?