Wazuh Custom Dashboards and Executive Reporting

A SIEM is only as useful as the views people actually look at. This guide covers how to build custom Wazuh dashboards: the visualisations that matter, the KPIs worth tracking, and how to separate the analyst's operational screen from the executive's board view.

Published 26 June 2026 · 12 min read · Codesecure SOC Engineering Team

Key Takeaways

  • Wazuh dashboards run on OpenSearch Dashboards (a Kibana fork). You build visualisations from indexed alert data and assemble them into role-specific dashboards.
  • Analyst views are operational: live alert queues, top sources, failed logins, rule-level detail. Executive views are summarised: trends, risk posture, coverage, KPIs.
  • Good KPIs are actionable: alert volume trend, mean time to triage, top noisy rules, agent coverage percentage, critical alerts by status. Vanity counts impress nobody.
  • Filters and index patterns are the foundation. Most dashboard problems trace back to a wrong index pattern, a too-broad time range, or an unfiltered noisy rule.
  • Scheduled reports export dashboards to dated PDFs for boards and auditors. Codesecure ships a standard set of analyst, manager and executive dashboards per engagement.

The Wazuh Dashboard Stack

The Wazuh dashboard is a fork of OpenSearch Dashboards, which is itself the open source continuation of Kibana. Everything you build sits on top of the Wazuh indexer (an OpenSearch fork). Understanding this lineage matters because most of the visualisation tooling, query syntax and report features are inherited from OpenSearch, and the broader documentation for those projects applies.

Data flows in as alerts written by the Wazuh manager to the wazuh-alerts index, plus monitoring and statistics indices. You build visualisations (a single chart, table or metric) from these indices, then assemble visualisations into dashboards (a panel of charts answering a coherent set of questions). Index patterns tell the dashboard which indices to read and how fields are typed.

The default Wazuh app already ships modules for security events, integrity monitoring, vulnerabilities, MITRE ATT&CK and the compliance frameworks. These are a strong starting point, but they are generic. The value of custom dashboards is tailoring views to your environment, your assets and the specific questions your analysts and executives keep asking.

Choosing the Right Visualisations

The mistake teams make is reaching for the most visually impressive chart rather than the clearest one. Pick the visualisation that answers the question with the least cognitive load. A few patterns cover most SOC needs.

  • Time series line and area charts for trends: alert volume over time, failed logins per hour, events per agent. These reveal spikes and anomalies at a glance.
  • Data tables for detail an analyst will act on: top source IPs, top users by failed login, rules firing most often. Tables are unglamorous and indispensable.
  • Metric and gauge visualisations for single headline numbers: open critical alerts, agent coverage percentage, mean time to triage.
  • Bar charts for categorical comparison: alerts by severity level, events by rule group, top MITRE ATT&CK techniques observed.
  • Pie and donut charts sparingly, only when you have a small number of categories and proportion is the point. Avoid stuffing twenty slices into a pie that nobody can read.
  • Heat maps for hour-of-day by day-of-week patterns, which surface unusual off-hours activity.

Analyst (Operational) Dashboards

An analyst dashboard exists to drive triage. It should answer three questions: what needs my attention right now, what is the context, and what changed. Keep the default time range short (last 24 hours or last shift) so the view reflects current operations rather than a historical aggregate.

The core analyst panels we deploy:

  • A live high and critical alert queue with rule, agent, source and status.
  • Top authentication failures by user and by source IP, to catch brute force and password spraying.
  • New or rare events that have not been seen before, which often indicate novel activity.
  • FIM changes on monitored critical paths.
  • A MITRE ATT&CK technique panel so analysts can reason about adversary behaviour rather than isolated alerts.

Crucially, the analyst dashboard should make noisy rules obvious. A panel of top rules by volume lets the analyst and the detection engineer spot a rule that is drowning the queue. Tuning that one rule often does more for SOC effectiveness than adding ten new detections.
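The "top rules by volume" panel is also the quickest place to check the three things the takeaways warn about (index pattern, time range, unfiltered noisy rule), because the same aggregation can be sent to the indexer's _search API and compared with what the panel shows. The following is an added example and not code from the original post or from the Wazuh project; it assumes the standard Wazuh alert fields (timestamp, rule.id, rule.level, rule.description) under an index pattern such as wazuh-alerts-*, and the sample response is constructed.

```python
"""Query DSL behind a 'top rules by volume' analyst panel, plus a ranker.

Added example, not code from the original post or from the Wazuh project.
Assumptions: standard Wazuh alert fields (timestamp, rule.id, rule.level,
rule.description) under an index pattern such as wazuh-alerts-*; the
response shape is the usual OpenSearch terms-aggregation format. Sending
this body to _search (or pasting it into Dev Tools) is a quick way to confirm
what a panel is actually reading when it looks wrong.
"""
import json


def top_rules_query(hours=24, min_level=7, exclude_rule_ids=(), size=10):
    """Aggregation query for the rules firing most often.

    hours: keep analyst views short (last 24h or last shift).
    min_level: only count alerts at or above this Wazuh rule level.
    exclude_rule_ids: ids already identified as noise, dropped so they
        do not crowd out the rest of the queue.
    """
    bool_query = {
        "must": [
            {"range": {"timestamp": {"gte": f"now-{hours}h", "lte": "now"}}},
            {"range": {"rule.level": {"gte": min_level}}},
        ]
    }
    if exclude_rule_ids:
        bool_query["must_not"] = [{"terms": {"rule.id": list(exclude_rule_ids)}}]
    return {
        "size": 0,  # aggregations only; the raw hits are not needed
        "query": {"bool": bool_query},
        "aggs": {
            "top_rules": {
                "terms": {"field": "rule.id", "size": size, "order": {"_count": "desc"}},
                "aggs": {
                    # one sample document per bucket gives a readable description
                    "sample": {"top_hits": {"size": 1, "_source": ["rule.description"]}}
                },
            }
        },
    }


def rank_noisy_rules(response):
    """Turn the aggregation response into (rule_id, description, count, share%)."""
    buckets = response["aggregations"]["top_rules"]["buckets"]
    total = sum(b["doc_count"] for b in buckets)
    ranked = []
    for b in buckets:
        src = b["sample"]["hits"]["hits"][0]["_source"]
        ranked.append((b["key"], src["rule"]["description"], b["doc_count"],
                       round(100 * b["doc_count"] / total, 1)))
    return ranked


# Constructed sample response (not captured from a real cluster); rule ids
# and descriptions are illustrative.
SAMPLE_RESPONSE = {
    "aggregations": {"top_rules": {"buckets": [
        {"key": "5710", "doc_count": 8200, "sample": {"hits": {"hits": [
            {"_source": {"rule": {"description": "sshd: attempt to login using a non-existent user"}}}]}}},
        {"key": "5712", "doc_count": 1300, "sample": {"hits": {"hits": [
            {"_source": {"rule": {"description": "sshd: brute force trying to get access to the system"}}}]}}},
        {"key": "100020", "doc_count": 500, "sample": {"hits": {"hits": [
            {"_source": {"rule": {"description": "custom: admin group membership change"}}}]}}},
    ]}}
}

if __name__ == "__main__":
    print(json.dumps(top_rules_query(exclude_rule_ids=["5710"]), indent=2))
    for row in rank_noisy_rules(SAMPLE_RESPONSE):
        print(row)
```

In the constructed response one rule accounts for 82% of the volume, which is exactly the situation where tuning that single rule, or excluding it from the panel via exclude_rule_ids once a tuning ticket exists, does more for the queue than any new detection.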

Executive (Strategic) Dashboards

An executive dashboard answers entirely different questions: are we improving, are we covered, and where is the risk. Executives do not want a live alert queue; they want trends, posture and assurance. The time range here is long: 30, 60 or 90 days.

The panels that resonate with leadership:

  • Alert volume and severity trend over the quarter (is the noise going up or down).
  • Agent coverage as a percentage of the known asset estate (are we monitoring everything we should).
  • Mean time to triage and mean time to respond as efficiency indicators.
  • Critical incidents by status, showing nothing serious is sitting unhandled.
  • Compliance posture per framework, so the board can see that PCI, HIPAA or ISO 27001 monitoring is operating.

The discipline is restraint. An executive view with five clear KPIs and three trend charts communicates more than a wall of thirty panels. Each panel should map to a decision or a reassurance the leadership actually needs. If a panel does not change a decision, it does not belong on the executive dashboard.

KPIs Worth Tracking

Metrics shape behaviour, so choose KPIs that drive the right behaviour. The strongest SOC KPIs are operational and improvable, not vanity counts. Total events ingested is a vanity metric; it goes up forever and means nothing about security. Mean time to triage is an operational metric; it tells you whether the team is keeping pace.

  • Agent coverage: monitored assets as a percentage of known assets. The single most important coverage KPI.
  • Mean time to triage (MTTT): how long alerts wait before an analyst assesses them.
  • Mean time to respond (MTTR): how long from detection to containment for confirmed incidents.
  • False positive rate: proportion of alerts dispositioned as benign. Drives tuning priorities.
  • Top noisy rules: the handful of rules generating most volume, ranked for tuning.
  • Critical alerts by status: open, in progress, resolved. Surfaces anything stuck.
  • Silent agents: agents that have stopped reporting, indicating a blind spot.
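The KPIs above are simple enough to compute outside the dashboard, which is useful both for sanity-checking a metric panel and for feeding the written narrative of a report. The following is an added example and not code from the original post or from Wazuh: alert field names follow the Wazuh alert schema (timestamp, rule.id, rule.level, agent.name), while the triaged_at, disposition and status fields, the asset inventory and the agent keepalive table are assumptions standing in for whatever your case tracker and inventory provide. All data is constructed and the rule ids are illustrative.

```python
"""Compute the SOC KPIs listed above from alert and inventory data.

Added example, not code from the original post or from Wazuh. Alert fields
follow the Wazuh alert schema (timestamp, rule.id, rule.level, agent.name);
triaged_at, disposition and status, the asset inventory and the agent
keepalive table are assumptions. All data below is constructed.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 6, 26, 12, 0, tzinfo=timezone.utc)  # fixed "now" for the sample

# Constructed inventory: every host the organisation knows it owns.
ASSETS = {"srv-web-01", "srv-db-01", "srv-dc-01", "ws-finance-07", "ws-hr-02"}

# Constructed agent table: agent name -> last keepalive seen by the manager.
# ws-hr-02 has no agent at all (a coverage gap); ws-finance-07 has gone silent.
AGENTS = {
    "srv-web-01": "2026-06-26T11:58:00Z",
    "srv-db-01": "2026-06-26T11:59:00Z",
    "srv-dc-01": "2026-06-26T11:57:00Z",
    "ws-finance-07": "2026-06-24T08:00:00Z",
}

# Constructed alerts with case-tracking fields merged in (rule ids illustrative).
ALERTS = [
    {"timestamp": "2026-06-26T09:00:00Z", "rule": {"id": "5710", "level": 5}, "agent": {"name": "srv-web-01"},
     "triaged_at": "2026-06-26T09:10:00Z", "disposition": "benign", "status": "resolved"},
    {"timestamp": "2026-06-26T09:05:00Z", "rule": {"id": "5710", "level": 5}, "agent": {"name": "srv-web-01"},
     "triaged_at": "2026-06-26T09:25:00Z", "disposition": "benign", "status": "resolved"},
    {"timestamp": "2026-06-26T09:06:00Z", "rule": {"id": "5710", "level": 5}, "agent": {"name": "srv-web-01"},
     "triaged_at": "2026-06-26T09:36:00Z", "disposition": "benign", "status": "resolved"},
    {"timestamp": "2026-06-26T09:30:00Z", "rule": {"id": "5712", "level": 10}, "agent": {"name": "srv-web-01"},
     "triaged_at": "2026-06-26T09:45:00Z", "disposition": "true_positive", "status": "resolved"},
    {"timestamp": "2026-06-26T10:00:00Z", "rule": {"id": "100500", "level": 12}, "agent": {"name": "srv-dc-01"},
     "triaged_at": "2026-06-26T10:05:00Z", "disposition": "true_positive", "status": "in_progress"},
    {"timestamp": "2026-06-26T11:50:00Z", "rule": {"id": "100500", "level": 12}, "agent": {"name": "srv-db-01"},
     "triaged_at": None, "disposition": None, "status": "open"},
    {"timestamp": "2026-06-26T11:55:00Z", "rule": {"id": "554", "level": 5}, "agent": {"name": "srv-dc-01"},
     "triaged_at": None, "disposition": None, "status": "open"},
]


def ts(s):
    """Parse the ISO-8601 'Z' timestamps Wazuh writes."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def agent_coverage(assets, agents):
    """Monitored assets as a percentage of known assets."""
    return round(100 * len(set(assets) & set(agents)) / len(assets), 1)


def silent_agents(agents, now=NOW, max_age=timedelta(hours=24)):
    """Agents whose last keepalive is older than max_age: a blind spot."""
    return sorted(name for name, last in agents.items() if now - ts(last) > max_age)


def mean_time_to_triage(alerts):
    """Average minutes between the alert and the first analyst assessment."""
    waits = [(ts(a["triaged_at"]) - ts(a["timestamp"])).total_seconds() / 60
             for a in alerts if a.get("triaged_at")]
    return round(sum(waits) / len(waits), 1) if waits else None


def false_positive_rate(alerts):
    """Share of dispositioned alerts closed as benign, as a percentage."""
    done = [a for a in alerts if a.get("disposition")]
    benign = sum(1 for a in done if a["disposition"] == "benign")
    return round(100 * benign / len(done), 1) if done else None


def top_noisy_rules(alerts, n=3):
    """The handful of rule ids generating most volume, ranked for tuning."""
    return Counter(a["rule"]["id"] for a in alerts).most_common(n)


def critical_by_status(alerts, min_level=12):
    """Counts of critical alerts per workflow status, so anything stuck is visible."""
    counts = {"open": 0, "in_progress": 0, "resolved": 0}
    for a in alerts:
        if a["rule"]["level"] >= min_level:
            counts[a["status"]] += 1
    return counts


def kpi_report(alerts=ALERTS, assets=ASSETS, agents=AGENTS, now=NOW):
    """All KPIs in one dict, the shape a report narrative would be written from."""
    return {
        "agent_coverage_pct": agent_coverage(assets, agents),
        "silent_agents": silent_agents(agents, now),
        "mttt_minutes": mean_time_to_triage(alerts),
        "false_positive_pct": false_positive_rate(alerts),
        "top_noisy_rules": top_noisy_rules(alerts),
        "critical_by_status": critical_by_status(alerts),
    }


if __name__ == "__main__":
    for key, value in kpi_report().items():
        print(f"{key}: {value}")
```

Note that coverage and silent agents are different failures: ws-hr-02 never had an agent and only shows up when the asset inventory is joined against the agent list, while ws-finance-07 is enrolled but has stopped reporting. A dashboard that only counts enrolled agents misses the first case entirely.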

From Dashboards to Scheduled Reports

Dashboards are live and interactive; reports are dated, static and distributable. Boards, clients and auditors want the report. The Wazuh dashboard generates reports from saved searches and dashboards as PDF, and supports scheduling so they generate and distribute on a cadence without manual effort.

A practical reporting calendar: a daily operational summary for the SOC team, a weekly manager report covering alert trends, tuning actions and coverage, and a monthly executive report aligning to the executive dashboard plus a written narrative. The narrative matters: a chart shows what happened, a sentence explains why it matters and what was done. Auditors in particular value evidence that someone reviewed the data and acted.

Codesecure delivers a standard dashboard and report set per managed SOC engagement: analyst operational dashboards, a SOC manager dashboard, an executive posture dashboard, and the scheduled report calendar that feeds all three audiences. Everything is tuned to the client's asset inventory and compliance scope so the views reflect reality rather than defaults.

Frequently Asked Questions

What technology do Wazuh dashboards run on?

The Wazuh dashboard is a fork of OpenSearch Dashboards, which is the open source continuation of Kibana. It reads from the Wazuh indexer, an OpenSearch fork. You build visualisations from the alert and monitoring indices and assemble them into dashboards. Most OpenSearch Dashboards features and query syntax apply directly.

What is the difference between an analyst dashboard and an executive dashboard?

An analyst dashboard is operational: short time range, live alert queues, top sources, failed logins and rule-level detail, designed to drive fast triage. An executive dashboard is strategic: long time range, trends, KPIs, coverage and compliance posture, designed to support decisions and provide assurance. They serve different audiences and should not be merged.

Which KPIs should a SOC actually track?

Favour actionable operational metrics over vanity counts. Agent coverage as a percentage of the asset estate, mean time to triage, mean time to respond, false positive rate, top noisy rules, critical alerts by status and silent-agent count are all improvable and meaningful. Total events ingested is a vanity metric that never goes down and tells you nothing about security.

Why do my dashboards show no data or wrong data?

Most often it is the index pattern, the time range or an unfiltered noisy rule. Confirm the visualisation reads the correct index pattern (typically wazuh-alerts), widen or correct the time range, and check that a single dominant rule is not crowding out everything else. Field type mismatches in the index pattern also cause aggregation errors.

Can Wazuh schedule reports for boards and auditors?

Yes. The Wazuh dashboard generates PDF reports from saved searches and dashboards and can schedule them to run and distribute automatically. A common cadence is a daily SOC summary, a weekly manager report and a monthly executive report. Pairing each report with a short written narrative makes it far more useful to leadership and auditors.

Does Codesecure build custom dashboards as part of a managed SOC?

Yes. Every Codesecure managed SOC engagement includes a tuned dashboard and report set: analyst operational dashboards, a SOC manager dashboard, an executive posture dashboard and a scheduled report calendar. All views are tuned to the client's asset inventory and compliance scope. ISO/IEC 27001:2022 certified delivery with named consultants.

Codesecure SOC Engineering Team

ISO/IEC 27001:2022 Certified SOC Engineers

Codesecure Solutions is ISO/IEC 27001:2022 certified and runs Managed SOC operations using the Wazuh, TheHive, n8n, Cortex and MISP open source stack. Named OSCP, CEH and CISSP consultants deliver SIEM deployment, detection engineering and 24x7 monitoring for businesses across India, Singapore, UAE and Malaysia.
