Daily Operations

SIEM Dashboard Operations

The SIEM Dashboard (Wazuh-based) provides agent-driven security monitoring: the Wazuh agent on each monitored host forwards log, file-integrity, vulnerability and configuration-assessment data to the manager, and the resulting alerts are presented in dedicated dashboards per security domain.

Daily Security Monitoring

Step 1: Review the Overview Dashboard

  1. Navigate to the SIEM Overview dashboard.

  2. Check the “Total Alerts” chart for unusual spikes.

  3. Review “Top 5 Alerts” for immediate priorities.

  4. Use the severity level slider to filter by event priority.

Step 2: Investigate High-Priority Areas

  1. Click the relevant dashboard card based on detected issues (e.g., Windows, Vulnerabilities, Audit).

  2. Use filters to focus on affected systems or time ranges.

  3. Review related events in the MITRE ATT&CK dashboard for attack technique mapping.

Wazuh Rule Levels

The SIEM Dashboard uses Wazuh rule levels to classify event severity. Wazuh defines levels 0–15; level 0 rules are ignored and never produce an alert, so the bands below cover 1–15:

  Level range   Priority         Recommended action
  1–3           Informational    Archive for compliance and audit trails
  4–7           Low to medium    Review weekly for trends
  8–11          High             Investigate promptly
  12–15         Critical         Immediate response required

Note that the manager only writes alerts of level 3 and above by default (log_alert_level in ossec.conf), so level 1–2 events reach the dashboard only if that threshold is lowered. The default email_alert_level of 12 coincides with the Critical band.

Use the severity slider on the Overview dashboard to filter events by level and reduce noise during daily monitoring.

Compliance Monitoring

  1. From the main SIEM dashboard, click the relevant compliance card:

    • PCI DSS — payment card processing environments

    • HIPAA — healthcare and patient data

    • GDPR — EU personal data processing

    • NIST 800-53 — government and federal standards

    • TSC — SOC 2 trust services assessments

  2. Review the compliance dashboard for current status, violations, and gaps. Keep in mind that these dashboards are built from rule tags: an alert appears under a requirement because the Wazuh rule that fired is tagged with it, so they show activity relevant to each requirement rather than a control-by-control assessment of compliance.

  3. Export reports for documentation and audit purposes.
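The daily Overview checks, the rule-level bands and the compliance cards all operate on the same alert documents. The following script is an added example, not code from this page or from Wazuh: it buckets a batch of alerts by rule level into the priority bands above, flags bands that spike against a baseline, lists the top rules, and groups alerts by the compliance tags their rules carry. The alert records are constructed to mirror the wazuh-alerts-* document layout (rule.level, rule.id, rule.groups, rule.pci_dss and so on, agent.name); rule 100100 and the baseline figures are made up for the illustration.

```python
"""Triage a batch of Wazuh alerts the way the daily checks do: bucket by rule
level, flag spiking bands, list top rules, group by compliance tag.

Added example, not code from the page or from Wazuh. Alerts below are
constructed in the wazuh-alerts-* shape; rule 100100 and BASELINE are made up.
"""
from collections import Counter, defaultdict

# Priority bands from the rule-level table. Level 0 rules are ignored by the
# manager and never become alerts, so they fall outside every band.
BANDS = [
    (1, 3, "informational"),
    (4, 7, "low-medium"),
    (8, 11, "high"),
    (12, 15, "critical"),
]

# Compliance frameworks Wazuh rules can be tagged with (stored under rule.*).
COMPLIANCE_FIELDS = ("pci_dss", "hipaa", "gdpr", "nist_800_53", "tsc")


def alert(ts, agent, rule_id, level, desc, groups, **compliance):
    """Build one constructed alert in Wazuh's JSON shape."""
    return {"timestamp": ts, "agent": {"name": agent},
            "rule": {"id": rule_id, "level": level, "description": desc,
                     "groups": groups, **compliance}}


# Constructed sample: three ssh failures, the brute-force correlation they
# trigger, a file-integrity change, a sudo, and one custom level-12 rule.
SAMPLE_ALERTS = [
    alert(f"2024-05-01T08:00:{s:02d}Z", "web-01", "5716", 5, "sshd: authentication failed.",
          ["syslog", "sshd", "authentication_failed"],
          pci_dss=["10.2.4", "10.2.5"], hipaa=["164.312.b"], gdpr=["IV_35.7.d"])
    for s in (1, 4, 7)
] + [
    alert("2024-05-01T08:00:08Z", "web-01", "5712", 10,
          "sshd: brute force trying to get access to the system.",
          ["syslog", "sshd", "authentication_failures"],
          pci_dss=["11.4", "10.2.4", "10.2.5"], nist_800_53=["SI.4", "AU.14", "AC.7"]),
    alert("2024-05-01T08:12:30Z", "db-01", "550", 7, "Integrity checksum changed.",
          ["ossec", "syscheck"], pci_dss=["11.5"], hipaa=["164.312.c.1"], tsc=["PI1.4", "PI1.5"]),
    alert("2024-05-01T08:20:00Z", "db-01", "5402", 3, "Successful sudo to ROOT executed.",
          ["syslog", "sudo"], pci_dss=["10.2.5", "10.2.2"], gdpr=["IV_32.2"]),
    alert("2024-05-01T08:41:15Z", "win-01", "100100", 12, "Custom: ransomware note dropped",
          ["local", "syscheck"], pci_dss=["11.5"]),
]

# Assumed daily baseline per band; in practice derive it from a trailing
# window of the index rather than a constant.
BASELINE = {"informational": 2, "low-medium": 1, "high": 0, "critical": 0}


def band_for(level):
    """Map a rule level to its priority band; level 0 or out of range is 'ignored'."""
    for lo, hi, name in BANDS:
        if lo <= level <= hi:
            return name
    return "ignored"


def count_by_band(alerts):
    """Alert counts per band, always reporting every band (zeros included)."""
    counts = Counter(band_for(a["rule"]["level"]) for a in alerts)
    return {name: counts.get(name, 0) for _, _, name in BANDS}


def spikes(counts, baseline, factor=3.0):
    """Bands whose count exceeds factor x baseline. Any alert above a zero
    baseline counts as a spike, which is the behaviour wanted for critical."""
    return sorted(b for b, n in counts.items() if n > factor * baseline.get(b, 0))


def top_rules(alerts, n=5):
    """The dashboard's 'Top 5 Alerts': most frequent (rule id, description)."""
    return Counter((a["rule"]["id"], a["rule"]["description"]) for a in alerts).most_common(n)


def immediate_response(alerts):
    """(agent, rule id) pairs in the critical band, i.e. level 12 and above."""
    return [(a["agent"]["name"], a["rule"]["id"]) for a in alerts if a["rule"]["level"] >= 12]


def by_compliance(alerts, standard):
    """Group alert rule ids under each requirement tag of one framework. This
    mirrors how the compliance dashboards are populated: by rule tags, not by
    an assessment of the control itself."""
    if standard not in COMPLIANCE_FIELDS:
        raise ValueError(f"unknown framework {standard!r}; expected one of {COMPLIANCE_FIELDS}")
    groups = defaultdict(list)
    for a in alerts:
        for req in a["rule"].get(standard, []):
            groups[req].append(a["rule"]["id"])
    return dict(groups)


if __name__ == "__main__":
    counts = count_by_band(SAMPLE_ALERTS)
    print("by band:", counts)
    print("spiking bands:", spikes(counts, BASELINE))
    print("top rules:", top_rules(SAMPLE_ALERTS))
    print("needs immediate response:", immediate_response(SAMPLE_ALERTS))
    print("PCI DSS 10.2.4:", by_compliance(SAMPLE_ALERTS, "pci_dss").get("10.2.4"))
```

Against the constructed sample the low-medium band is the only one that spikes by volume; high and critical are flagged because their baseline is zero, which is the point of keeping a separate zero baseline for the bands that should never be quiet-by-default. Replacing SAMPLE_ALERTS with a page of results from the wazuh-alerts-* index gives the same checks the Overview dashboard performs, in a form that can be scheduled.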


Alerts Operations

The native Alerts interface provides alert rule management, incident handling, and risk-based prioritization.

Daily Alert Review

Step 1: Check Alert Status

  1. Navigate to SIEM → Alert Status.

  2. Verify the alert module status is “RUNNING”.

  3. Review processing times and event counts for anomalies.

Step 2: Review Incidents

  1. Navigate to SIEM → Incidents.

  2. Filter by status “New” to see unhandled incidents.

  3. Prioritize incidents by risk value — higher scores indicate higher risk.

  4. Assign incidents to team members and update statuses.

Step 3: Risk-based Prioritization

  1. Navigate to SIEM → Risks.

  2. Review risk entries for high-value categories.

  3. Cross-reference with recent incidents to identify recurring high-risk entities.

Incident Investigation

  1. Open the incident from the Incidents tab.

  2. Click View document to inspect the original alert data.

  3. Use the Discover URL (if generated by the alert rule) to view related events in context.

  4. Add investigation notes to the incident.

  5. Verify suspicious fields against the blacklist.

  6. Update the incident status as the investigation progresses (New → Ongoing → Solved or False).

Creating Alerts for New Threats

  1. Navigate to SIEM → Create Alert Rule.

  2. Enter a descriptive name and select the appropriate rule type.

  3. Set the index pattern and click “Read Fields” to load available fields.

  4. Write the YAML rule definition with detection logic.

  5. Configure the alert method (Email, Slack, Jira, etc.).

  6. Optionally enable risk scoring and associate playbooks.

  7. Use “Test Rule” to validate before saving.

  8. Submit the rule.
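The procedure above ends with a rule definition in YAML and a Test Rule step. The following is an added example, not the product's own code, that writes one such rule and dry-runs it offline over sample events as a stand-in for the Test Rule button. It assumes the rule editor accepts ElastAlert's YAML schema (type, index, filter, num_events, timeframe, query_key, alert), which the page does not state; run_frequency_rule is a deliberately small re-implementation of the frequency rule for this dry run, not ElastAlert itself, and matches_filter only understands the term filters used here. The events are constructed in the wazuh-alerts-* document shape.

```python
"""Define a frequency rule and dry-run it over sample events.

Added example, not the product's code. Assumes ElastAlert's YAML schema for
the rule; the evaluator is a small stand-in, not ElastAlert. Events are
constructed in the wazuh-alerts-* shape.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Python form of the YAML one would paste into the rule editor:
#   name: SSH brute force per source address
#   type: frequency
#   index: wazuh-alerts-*
#   num_events: 5
#   timeframe:
#     minutes: 2
#   query_key: data.srcip
#   filter:
#     - term:
#         rule.groups: authentication_failed
#   alert:
#     - slack
RULE = {
    "name": "SSH brute force per source address",
    "type": "frequency",
    "index": "wazuh-alerts-*",
    "num_events": 5,
    "timeframe": {"minutes": 2},
    "query_key": "data.srcip",
    "filter": [{"term": {"rule.groups": "authentication_failed"}}],
    "alert": ["slack"],
}


def auth_event(ts, srcip, failed=True):
    """One constructed sshd alert; 5716/5715 are Wazuh's failure/success rules."""
    group = "authentication_failed" if failed else "authentication_success"
    return {"timestamp": ts, "agent": {"name": "bastion-01"},
            "rule": {"id": "5716" if failed else "5715", "level": 5 if failed else 3,
                     "groups": ["syslog", "sshd", group]},
            "data": {"srcip": srcip}}


# Constructed sample: six failures from one address inside 90 seconds (plus a
# success that must not count) and three slow failures from another address.
SAMPLE_EVENTS = (
    [auth_event(f"2024-05-01T09:00:{s:02d}Z", "203.0.113.5") for s in (0, 15, 30, 45, 59)]
    + [auth_event("2024-05-01T09:01:20Z", "203.0.113.5"),
       auth_event("2024-05-01T09:00:10Z", "203.0.113.5", failed=False)]
    + [auth_event(f"2024-05-01T09:{m:02d}:00Z", "198.51.100.7") for m in (0, 4, 9)]
)


def get_path(doc, dotted):
    """Resolve a dotted field name such as data.srcip; None if absent."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches_filter(doc, filters):
    """Every term filter must hold; on array fields (rule.groups) a term
    matches when the value is one of the elements."""
    for f in filters:
        for field, value in f["term"].items():
            actual = get_path(doc, field)
            if actual != value and not (isinstance(actual, list) and value in actual):
                return False
    return True


def run_frequency_rule(rule, events):
    """Return (query_key value, timestamp) for every firing. A sliding window
    per key holds the timestamps of matching events; when it reaches
    num_events the rule fires and the window is cleared so one burst yields
    one firing (a simplification of ElastAlert's realert handling)."""
    window = timedelta(**rule["timeframe"])
    recent = defaultdict(deque)
    fired = []
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        if not matches_filter(ev, rule["filter"]):
            continue
        key = get_path(ev, rule["query_key"])
        ts = datetime.fromisoformat(ev["timestamp"].replace("Z", "+00:00"))
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= rule["num_events"]:
            fired.append((key, ev["timestamp"]))
            q.clear()
    return fired


if __name__ == "__main__":
    for key, ts in run_frequency_rule(RULE, SAMPLE_EVENTS):
        print(f"{RULE['name']}: {key} at {ts}")
```

Two things carry over to the real editor: confirm with Read Fields that the query_key (here data.srcip) actually exists in the chosen index pattern, since a missing key silently collapses every event into one bucket; and run Test Rule over a window that contains known positives, so the dry run shows both that the rule fires and how much volume it would generate before the alert method is wired to Slack or Jira.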