CoPilot Searches is a library of ready-to-run detection queries designed for threat hunting in your Wazuh Indexer. Instead of writing queries from scratch, you browse a curated catalog, pick a rule, fill in a few parameters, and execute — all without leaving CoPilot. The detection rules are maintained in a public GitHub repository: CoPilot automatically fetches and caches the latest rules from this repository so your catalog stays up to date.

What it is

A searchable, filterable catalog of detection rules that you can:
  • Browse by platform (Linux, Windows, PowerShell), severity, status, or MITRE ATT&CK technique
  • Filter by CVE to find rules that detect exploitation of specific vulnerabilities
  • Search by keyword across rule names and descriptions
  • Execute directly against your Wazuh Indexer to hunt for matching activity
  • Generate Graylog queries for rules that include a Graylog query template
  • Provision as Graylog alerts to turn any rule into a recurring, automated alert
Each rule includes:
  • A description of what the rule detects
  • The MITRE ATT&CK mapping
  • Required parameters (customer code, agent name, time range, etc.)
  • The underlying search query
  • Severity and risk score
  • References and known false positives

Why this is a power feature

Threat hunting is most effective once your core stack is stable — alerts are flowing, agents are reporting, and your indexer contains meaningful data. CoPilot Searches builds on that foundation by giving operators a structured way to proactively look for threats rather than waiting for alerts to fire. It’s especially valuable when:
  • you want to investigate a specific CVE across your fleet
  • you need to validate whether a MITRE technique is visible in your environment
  • you’re responding to a new threat advisory and want to check historical data
  • you want to turn a hunt into a recurring Graylog alert

Where it lives in the UI

Menu path: Agents → CoPilot Searches

The page shows the full rule catalog with:
  • A search bar for free-text search across rule names and descriptions
  • A filter panel with dropdowns for Platform, Severity, Status, and a Graylog-only toggle
  • Rule cards showing the name, description, severity badge, platform, MITRE mappings, and CVE tags
Clicking a rule card opens the full detail view where you can review the query and execute it.

Operator workflows

Hunt for a specific threat

  1. Navigate to Agents → CoPilot Searches
  2. Use the search bar or filters to find a relevant rule (e.g., search for “brute force” or filter by MITRE technique T1110)
  3. Click the rule to open its details
  4. Fill in the required parameters:
    • Index pattern (e.g., wazuh-alerts-*)
    • Customer code and/or agent name to scope the search
    • Time range (start/end)
  5. Click Execute to run the query against your Wazuh Indexer
  6. Review the results — each hit links back to the original indexed event
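The scoping step above (step 4) is what keeps a hunt fast and low-noise. The following added example, which is not CoPilot's own code, shows how a catalog rule's query can be wrapped in an indexer search body that is scoped by time range, agent name and customer code before it is sent to the Wazuh Indexer. It assumes the rule's stored query is a Lucene query_string expression and that alert documents carry the standard Wazuh `agent.name` and `timestamp` fields; the `customer_code` field name and the sample rule are constructed placeholders.

```python
"""Build a scoped Wazuh Indexer (OpenSearch) search body for a catalog rule.

Added example; this is not CoPilot's own code. It assumes the rule's stored
query is a Lucene/query_string expression and that Wazuh alert documents carry
the standard `agent.name` (keyword) and `timestamp` (date) fields. The
`customer_code` field name is a hypothetical placeholder for however your
deployment tags tenants.
"""
import json
from datetime import datetime

# Constructed sample rule, shaped like the catalog's rule card fields.
SAMPLE_RULE = {
    "name": "SSH brute force attempts",
    "platform": "linux",
    "severity": "medium",
    "mitre": ["T1110.001"],
    "query": 'rule.groups:"authentication_failed" AND data.srcip:*',
}

CUSTOMER_FIELD = "customer_code"  # hypothetical tenant field; adjust for your index


def parse_utc(value):
    """Parse an ISO-8601 timestamp and insist on an explicit offset: a naive
    time would be interpreted by the indexer in its own zone, silently
    shifting the hunt window."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        raise ValueError(f"timestamp {value!r} has no UTC offset")
    return ts


def build_search_body(rule, start, end, agent_name=None, customer_code=None, size=100):
    """Wrap the rule's query in a bool query whose filter clause scopes it to
    a time range and, optionally, one agent and one customer code.

    Scoping goes in `filter` rather than `must`: filters are cacheable and do
    not influence scoring, so results sort purely by timestamp.
    """
    start_ts, end_ts = parse_utc(start), parse_utc(end)
    if end_ts <= start_ts:
        raise ValueError("time range end must be after start")

    filters = [{"range": {"timestamp": {"gte": start_ts.isoformat(),
                                        "lte": end_ts.isoformat()}}}]
    if agent_name:
        filters.append({"term": {"agent.name": agent_name}})
    if customer_code:
        filters.append({"term": {CUSTOMER_FIELD: customer_code}})

    return {
        "size": size,
        "sort": [{"timestamp": {"order": "desc"}}],
        "query": {
            "bool": {
                # the rule's own detection logic, taken verbatim from the catalog
                "must": [{"query_string": {"query": rule["query"]}}],
                # operator-supplied scoping from the rule's required parameters
                "filter": filters,
            }
        },
    }


def scope_filter_count(body):
    """How many scoping filters a body carries (1 = time range only)."""
    return len(body["query"]["bool"]["filter"])


if __name__ == "__main__":
    body = build_search_body(SAMPLE_RULE, "2024-05-01T00:00:00Z", "2024-05-02T00:00:00Z",
                             agent_name="web-01", customer_code="ACME")
    # POST this body to <indexer>/wazuh-alerts-*/_search (index pattern from step 4)
    print(json.dumps(body, indent=2))
```

Running the module prints the search body for a one-day window on a single agent and customer. Leaving `agent_name` and `customer_code` unset produces a fleet-wide search that carries only the time-range filter, which is the slower, noisier case the Safety section warns about.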

Filter by CVE

  1. Open the filter panel and select CVE from the Platform dropdown
  2. The list narrows to rules that detect exploitation of specific CVEs
  3. Each CVE rule card shows the associated CVE IDs (e.g., CVE-2024-1234)
  4. Click a rule and execute it to check whether any matching activity exists in your environment

Filter by platform

Use the Platform filter to narrow rules to:
  • Linux — rules targeting Linux-specific telemetry (auditd, syslog, etc.)
  • Windows — rules targeting Windows event logs, Sysmon, etc.
  • PowerShell — rules focused on PowerShell script block logging, command-line activity, etc.

Generate a Graylog query

Some rules include a pre-built Graylog query template. These are marked with a Graylog indicator in the rule list.
  1. Filter for Graylog-compatible rules using the Graylog Only checkbox
  2. Open a rule and use the Graylog query section to generate a query with your parameters substituted
  3. Copy the query into Graylog search, or provision it as an alert directly from CoPilot

Provision a Graylog alert from a rule

Turn any Graylog-compatible rule into a recurring alert:
  1. Open a rule that has a Graylog query
  2. Click Provision Graylog Alert
  3. Configure:
    • Search window — how far back each execution looks (default: 5 minutes)
    • Execution interval — how often the alert runs (default: 5 minutes)
    • Priority — Low, Normal, or High
    • Streams — optionally limit to specific Graylog streams
  4. Submit — CoPilot creates the Graylog event definition for you
Once provisioned, the alert runs automatically in Graylog and routes matches into your normal incident pipeline.
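To make the four configuration fields concrete, here is an added example (not CoPilot's or Graylog's own code) that turns the form values into the event definition body Graylog expects, using the page's defaults of a 5-minute search window and 5-minute interval. It follows Graylog's aggregation-v1 event definition schema (`search_within_ms`, `execute_every_ms`, numeric priority 1 to 3, `streams`) as commonly documented; verify the payload against the API of your Graylog version. The `generated_query` argument stands in for the rule's rendered Graylog query template, and the stream id in the usage block is a constructed placeholder. The example also refuses a search window shorter than the execution interval, since that combination leaves part of every interval unsearched.

```python
"""Translate the Provision Graylog Alert form into a Graylog event definition.

Added example; not CoPilot's or Graylog's own code. Field names follow
Graylog's aggregation-v1 event definition schema (search_within_ms,
execute_every_ms, numeric priority 1-3, streams); verify the payload against
the API of your Graylog version before relying on it. `generated_query`
stands in for the rule's rendered Graylog query template.
"""

# Graylog's numeric priority levels, keyed by the labels shown in the form
PRIORITY = {"Low": 1, "Normal": 2, "High": 3}


def coverage_gap_minutes(search_window_min, interval_min):
    """Minutes of each execution interval that no run ever examines.

    Each run looks back `search_window_min` from its own start time and runs
    again `interval_min` later; if the window is shorter than the interval,
    the difference is never searched and matching events are silently missed.
    """
    return max(0, interval_min - search_window_min)


def build_event_definition(title, generated_query, search_window_min=5, interval_min=5,
                           priority="Normal", streams=None, description=""):
    """Return the JSON body for POST /api/events/definitions."""
    if priority not in PRIORITY:
        raise ValueError(f"priority must be one of {sorted(PRIORITY)}")
    if search_window_min <= 0 or interval_min <= 0:
        raise ValueError("search window and execution interval must be positive")
    gap = coverage_gap_minutes(search_window_min, interval_min)
    if gap:
        raise ValueError(f"search window leaves {gap} min of every interval unsearched")
    # A window much longer than the interval is allowed but re-matches the same
    # events on consecutive runs; keep the two equal unless you want overlap.
    return {
        "title": title,
        "description": description,
        "priority": PRIORITY[priority],
        "alert": True,
        "config": {
            "type": "aggregation-v1",
            "query": generated_query,
            "streams": list(streams or []),  # empty list searches all streams
            "search_within_ms": search_window_min * 60_000,
            "execute_every_ms": interval_min * 60_000,
            "group_by": [],
            "series": [],
            "conditions": {"expression": None},
        },
        "field_spec": {},
        "key_spec": [],
        "notification_settings": {"grace_period_ms": 0, "backlog_size": 0},
        "notifications": [],
    }


if __name__ == "__main__":
    import json
    # constructed sample: a rule's rendered Graylog query with the form defaults
    defn = build_event_definition(
        "CoPilot: SSH brute force attempts",
        'rule_groups:"authentication_failed" AND agent_name:"web-01"',
        streams=["<stream-id-placeholder>"],  # constructed placeholder, not a real id
    )
    print(json.dumps(defn, indent=2))
```

Before submitting, compare the generated `config.query` with what the Graylog query section in CoPilot showed you: the definition will run on every interval from then on, so a query that was too broad during the hunt becomes a recurring source of noise once provisioned.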

Rule details

When you open a rule, you’ll see:
Field                  Description
Name                   Human-readable rule name
Status                 production, experimental, or deprecated
Severity               low, medium, high, or critical
Risk score             Numeric risk score (0–100)
Platform               Linux, Windows, or PowerShell
MITRE ATT&CK           Mapped technique IDs (e.g., T1136.001)
CVE                    Associated CVE IDs, if any
Description            What the rule detects and why it matters
How to implement       Any prerequisites or data source requirements
Known false positives  When this rule might fire on benign activity
References             Links to related advisories or documentation

Setup checklist

CoPilot Searches works out of the box with no additional configuration, provided that:
  • CoPilot is running (the rules are fetched automatically from GitHub)
  • Your Wazuh Indexer is connected (required to execute searches)
  • Optionally, Graylog is connected (required for Graylog query generation and alert provisioning)
The rule catalog refreshes automatically every 30 minutes. You can also manually refresh from the UI to pull the latest rules immediately.

Safety / guardrails

  • Searches run read-only queries against your Wazuh Indexer — they do not modify any data.
  • Graylog alert provisioning creates event definitions in Graylog. Review the query and parameters before provisioning.
  • Rules are community-maintained. Treat results as indicators for investigation, not definitive verdicts — always validate before acting.
  • Scope searches to specific customers/agents when possible to reduce noise and execution time.