Skip to main content

Overview

Wazuh Dashboard Plugins provide a comprehensive suite of security modules organized into logical categories. Each module offers specialized dashboards, real-time monitoring, and detailed analytics for different aspects of security operations.

Module Categories

Modules are organized into categories that align with security operations workflows:

Endpoint Security

Protection and monitoring for endpoints including malware detection, FIM, and configuration assessment

Threat Intelligence

Advanced threat detection using MITRE ATT&CK, vulnerability scanning, and malware detection

Security Operations

Compliance frameworks (PCI DSS, GDPR, HIPAA, NIST), audit, and policy monitoring

Cloud Security

Multi-cloud monitoring for AWS, Azure, GCP, Office 365, and GitHub

Agent Management

Deploy, configure, and monitor Wazuh agents across your infrastructure

Server Management

Configure rules, decoders, groups, and manage cluster operations

Endpoint Security Modules

Configuration Assessment (SCA)

Module ID: configuration-assessment
Category: Endpoint Security
Order: 200
Security Configuration Assessment (SCA) performs automated audits of system configurations against security benchmarks and best practices.Key Features:
  • CIS benchmark compliance checks
  • Custom policy definition support
  • Policy compliance scoring
  • Failed check remediation guidance
  • Historical compliance trends
Data Source: wazuh-states-sca*

Malware Detection

Module ID: malware-detection
Category: Endpoint Security
Order: 201
Detects and analyzes malware infections through multiple detection engines including signature-based, behavioral, and integration with VirusTotal.Detection Methods:
  • File integrity monitoring anomalies
  • Rootcheck detection
  • VirusTotal integration
  • YARA rule matching
  • Behavioral analysis
Data Source: wazuh-events* (filtered by malware detection rules)

File Integrity Monitoring (FIM)

Module ID: file-integrity-monitoring
Category: Endpoint Security
Order: 202
Monitors file system changes in real-time to detect unauthorized modifications, additions, or deletions.Monitored Attributes:
  • File content (hash)
  • Permissions and ownership
  • Size and timestamps
  • Windows registry keys and values (Windows)
  • File attributes and ACLs
Data Sources:
  • wazuh-states-fim-files* - File states
  • wazuh-states-fim-registry-keys* - Registry keys (Windows)
  • wazuh-states-fim-registry-values* - Registry values (Windows)

Threat Intelligence Modules

Vulnerability Detection

Module ID: vulnerabilities
Category: Threat Intelligence
Order: 300
CVE Database Integration: Continuously updated vulnerability database correlates installed packages with known CVEs.
Identifies vulnerabilities in installed software packages by correlating with CVE databases.Features:
  • Automated vulnerability scanning
  • CVE severity scoring (CVSS)
  • Affected package identification
  • Patch availability tracking
  • Vulnerability trending
Data Source: wazuh-states-vulnerabilities*

MITRE ATT&CK

Module ID: mitre-attack
Category: Threat Intelligence
Order: 301 Maps detected security events to the MITRE ATT&CK framework for threat intelligence and attack pattern analysis. Framework Coverage:
  • Tactics: High-level adversary goals (Initial Access, Execution, Persistence, etc.)
  • Techniques: Methods to achieve tactical goals
  • Mitigations: Recommended countermeasures
  • Kill Chain Analysis: Attack progression visualization
Data Source: wazuh-events* (events tagged with MITRE ATT&CK IDs)

Docker Security

Module ID: docker
Category: Threat Intelligence
Order: 302 Monitors Docker containers and hosts for security events and configuration issues. Monitoring Capabilities:
  • Container lifecycle events
  • Image vulnerability scanning
  • Network activity monitoring
  • Resource usage anomalies
  • Docker daemon security events

Security Operations Modules

Regulatory Compliance

Multiple compliance framework modules help organizations meet regulatory requirements:
Module ID: pci-dss
Standard: Payment Card Industry Data Security StandardCoverage:
  • 12 requirements mapping
  • Cardholder data protection
  • Network security controls
  • Access control measures
  • Security testing procedures
Dashboard: Real-time requirement compliance status
Module ID: gdpr
Regulation: General Data Protection RegulationCoverage:
  • Data processing activities
  • User consent tracking
  • Data subject rights
  • Breach notification
  • Privacy by design
Dashboard: GDPR article compliance view
Module ID: hipaa
Standard: Health Insurance Portability and Accountability ActCoverage:
  • PHI access controls
  • Audit trail requirements
  • Integrity controls
  • Transmission security
  • Administrative safeguards
Dashboard: HIPAA safeguard compliance
Module ID: nist-800-53
Framework: NIST Special Publication 800-53Coverage:
  • 18 control families
  • Risk management framework
  • Security control assessment
  • Continuous monitoring
  • Authorization processes
Dashboard: Control family compliance status
Module ID: tsc
Standard: Trust Services CriteriaCoverage:
  • Security (CC6)
  • Availability (A1)
  • Processing integrity (PI1)
  • Confidentiality (C1)
  • Privacy (P1-P8)
Dashboard: TSC criteria compliance

Audit and Policy Monitoring

Module ID: policy-monitoring
Category: Security Operations Monitors system audit logs and enforces security policies. Capabilities:
  • Linux audit system integration
  • Windows audit policy monitoring
  • Policy violation detection
  • User activity auditing
  • Privileged command tracking

Cloud Security Modules

Amazon Web Services (AWS)

Module ID: aws
Category: Cloud Security
Order: 500
  • CloudTrail: API activity and governance
  • GuardDuty: Threat detection findings
  • IAM: Identity and access management events
  • VPC Flow Logs: Network traffic analysis
  • Config: Resource configuration changes
  • WAF: Web application firewall events
  • Inspector: Vulnerability assessment findings

Microsoft Azure

Module ID: azure
Category: Cloud Security
Order: 501 Integration Points:
  • Azure Active Directory logs
  • Azure Security Center alerts
  • Activity logs
  • Resource health events
  • Policy compliance data

Google Cloud Platform (GCP)

Module ID: google-cloud
Category: Cloud Security
Order: 502 Monitoring:
  • Cloud Audit Logs
  • Security Command Center
  • IAM policy changes
  • Compute Engine events
  • Cloud Storage access

Office 365

Module ID: office-365
Category: Cloud Security
Order: 503 Tracked Activities:
  • Exchange mailbox access
  • SharePoint file operations
  • Azure AD sign-ins
  • Teams activity
  • OneDrive file sharing

GitHub

Module ID: github
Category: Cloud Security
Order: 504 Monitored Events:
  • Repository creation/deletion
  • Branch protection changes
  • Webhook configurations
  • Organization membership
  • Security alerts

IT Hygiene (Inventory) Module

Module ID: it-hygiene
Category: Endpoint Security
Order: 203
IT Hygiene provides comprehensive visibility into system inventories and configurations across your infrastructure.

Inventory Categories

The IT Hygiene module tracks multiple inventory types:
System Information:
  • OS details and versions
  • Hostname and architecture
  • Kernel information
Hardware:
  • CPU details
  • Memory (total, free, used, usage %)
  • Board manufacturer and serial
Data Sources:
  • wazuh-states-inventory-system*
  • wazuh-states-inventory-hardware*

Field Formatting

IT Hygiene applies special formatting to inventory fields: 
// From plugin.ts:303-315
mapFieldsFormat({
  'destination.port': 'integer',
  'host.memory.free': 'bytes',
  'host.memory.total': 'bytes',
  'host.memory.used': 'bytes',
  'host.memory.usage': 'percent',
  'host.network.egress.bytes': 'bytes',
  'host.network.ingress.bytes': 'bytes',
  'package.size': 'bytes',
  'process.parent.pid': 'integer',
  'process.pid': 'integer',
  'source.port': 'integer',
})

Module Organization

Application Order Convention

From the source code documentation: 
/* Applications
Convention: the order of each application must according to the order of the category
that is included.

Example:
Category order of the application: 100
Application order: one of 100-199 range: 100, 101, 102, etc...
*/

/* Categories ID
Wazuh:
Home: 0
Explore: 100
Endpoint security: 200
Threat intelligence: 300
Security operations: 400
Cloud security: 500
Agents management: 600
Server management: 700
Indexer management: 9000
*/

Module Visibility

Each module defines where it appears: 
export const moduleExample = {
  // ...
  showInOverviewApp: true,    // Appears in overview module list
  showInAgentMenu: true,      // Appears in agent detail view
};

Event Categorization

Events are categorized into specialized index patterns for optimized querying:

System Activity

wazuh-events-v5-system-activity*Process execution, system calls, kernel events

Security Events

wazuh-events-v5-security*Authentication, authorization, security violations

Access Management

wazuh-events-v5-access-management*User authentication, authorization, access control

Applications

wazuh-events-v5-applications*Application-specific events and logs

Network Activity

wazuh-events-v5-network-activity*Network connections, traffic, firewall events

Other Events

wazuh-events-v5-other*Uncategorized or miscellaneous events

Module Constants

From constants.ts:507-526: 
export enum WAZUH_MODULES_ID {
  SECURITY_EVENTS = 'general',
  INTEGRITY_MONITORING = 'fim',
  AMAZON_WEB_SERVICES = 'aws',
  OFFICE_365 = 'office',
  GOOGLE_CLOUD_PLATFORM = 'gcp',
  POLICY_MONITORING = 'pm',
  SECURITY_CONFIGURATION_ASSESSMENT = 'sca',
  AUDITING = 'azure-audit',
  VULNERABILITIES = 'vuls',
  DOCKER = 'docker',
  MITRE_ATTACK = 'mitre',
  PCI_DSS = 'pci',
  HIPAA = 'hipaa',
  NIST_800_53 = 'nist',
  TSC = 'tsc',
  VIRUSTOTAL = 'virustotal',
  GDPR = 'gdpr',
  GITHUB = 'github',
}

Dashboard Architecture

Each module typically provides:
  1. Overview Dashboard: High-level metrics and trends
  2. Events Dashboard: Real-time event stream and filtering
  3. Inventory Dashboard: Current state data (where applicable)
  4. Agent-Specific Views: Per-agent details and metrics
Dashboard ID Convention: 
// Overview dashboards
export const MODULE_DASHBOARD_ID = 'module-overview-dashboard';

// Agent-specific dashboards
export const MODULE_AGENT_DASHBOARD_ID = 'module-pinned-agent-dashboard';

// Inventory dashboards
export const MODULE_INVENTORY_ID = 'module-inventory-dashboard';

Data Source Filters

Modules apply controlled filters to focus on relevant data: 
// From constants.ts:550-583
export const DATA_SOURCE_FILTER_CONTROLLED_EXCLUDE_SERVER = 'hidden-exclude-server';
export const DATA_SOURCE_FILTER_CONTROLLED_PINNED_AGENT = 'pinned-agent';
export const DATA_SOURCE_FILTER_CONTROLLED_CLUSTER_MANAGER = 'cluster-manager';
export const DATA_SOURCE_FILTER_CONTROLLED_REGULATORY_COMPLIANCE_REQUIREMENT =
  'hidden-regulatory-compliance-requirement';
export const DATA_SOURCE_FILTER_CONTROLLED_VULNERABILITIES_RULE_GROUP =
  'vulnerabilities-rule-group';
export const DATA_SOURCE_FILTER_CONTROLLED_MITRE_ATTACK_RULE =
  'mitre-attack-rule';
export const DATA_SOURCE_FILTER_CONTROLLED_AWS_RULE_GROUP = 'aws-rule-group';
export const DATA_SOURCE_FILTER_CONTROLLED_AZURE_RULE_GROUP = 'azure-rule-group';
export const DATA_SOURCE_FILTER_CONTROLLED_FIM_RULE_GROUP = 'fim-rule-group';
// ... and more

Architecture

System architecture and component overview

Data Sources

Index patterns and data organization details

Plugin System

Plugin lifecycle and development

API Reference

Module APIs and interfaces