Building a SOC Portal with Grafana

Grafana is known as a monitoring and observability tool. But when I started designing the SOC portal for Presidio, I realized Grafana could be much more than a simple metrics dashboard. With the right configuration, it can become the unified interface through which a SOC analyst sees everything: alerts, open cases, playbook status, intelligence feeds, and performance metrics.

The secret is in the datasources. Grafana can connect to practically everything: Elasticsearch (where Wazuh writes alerts), PostgreSQL (where DFIR-IRIS manages cases), the REST APIs of Shuffle and MISP. Every panel in the portal shows live data from a different source, but the analyst sees a single, coherent interface.

Dashboards that matter

The temptation with Grafana is to create beautiful but useless dashboards. Colorful graphs with numbers nobody needs. I learned to build dashboards starting from the question: "What does the analyst need to know in the first 30 seconds of their shift?" The answer: active alerts by severity, open cases and their status, running or failed playbooks, and trends over the last 24 hours.

Every dashboard in Presidio serves a specific purpose. The Executive Dashboard shows KPIs for management: MTTD (mean time to detect), MTTR (mean time to respond), alert volume, and compliance status. The Analyst Dashboard shows the work to be done: untriaged alerts, cases in progress, pending enrichment. The Incident Dashboard activates during an incident: event timeline, correlated IOCs, actions in progress.
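To make the "first 30 seconds" Analyst Dashboard concrete, here is a dashboard-as-code script that builds its three core panels (alerts by severity, the 24h alert trend, open cases by status) against the Elasticsearch and PostgreSQL datasources mentioned above, and validates the model before it is handed to Grafana's file provisioner. This is an added example, not Presidio's own code. It assumes datasource UIDs `wazuh-es` and `iris-pg` that were provisioned beforehand, the Wazuh index fields `timestamp` and `rule.level`, and a hypothetical DFIR-IRIS `cases` table with `status` and `close_date` columns; the target keys (`query`, `timeField`, `metrics`, `bucketAggs`, `rawSql`) follow the query models of Grafana's built-in Elasticsearch and PostgreSQL datasources.

```python
"""Dashboard-as-code for the Analyst Dashboard: three panels, one JSON model.

Added example, not Presidio's own code. Assumed, not taken from the post:
  - datasource uids "wazuh-es" (Elasticsearch) and "iris-pg" (PostgreSQL)
  - Wazuh alerts carry the fields "timestamp" and "rule.level"
  - a hypothetical DFIR-IRIS "cases" table with a "status" column and a
    "close_date" column that is NULL while the case is still open
"""
import json

WAZUH_DS = {"type": "elasticsearch", "uid": "wazuh-es"}  # assumed uid
IRIS_DS = {"type": "postgres", "uid": "iris-pg"}        # assumed uid


def alerts_by_severity_panel(panel_id):
    """Bar gauge: alert count per Wazuh rule.level inside the dashboard window."""
    return {
        "id": panel_id, "type": "bargauge",
        "title": "Active alerts by severity (rule.level)",
        "datasource": WAZUH_DS,
        "gridPos": {"x": 0, "y": 0, "w": 12, "h": 8},
        "targets": [{
            "refId": "A", "datasource": WAZUH_DS,
            "query": "rule.level:>=7",  # Lucene filter: only alerts worth triage
            "timeField": "timestamp",
            "metrics": [{"id": "1", "type": "count"}],
            "bucketAggs": [{"id": "2", "type": "terms", "field": "rule.level",
                            "settings": {"size": "15", "order": "desc",
                                         "orderBy": "_count"}}],
        }],
    }


def alert_trend_panel(panel_id):
    """Time series: alerts per hour, the 24h trend the analyst checks first."""
    return {
        "id": panel_id, "type": "timeseries",
        "title": "Alerts per hour (last 24h)",
        "datasource": WAZUH_DS,
        "gridPos": {"x": 12, "y": 0, "w": 12, "h": 8},
        "targets": [{
            "refId": "A", "datasource": WAZUH_DS,
            "query": "*", "timeField": "timestamp",
            "metrics": [{"id": "1", "type": "count"}],
            "bucketAggs": [{"id": "2", "type": "date_histogram",
                            "field": "timestamp", "settings": {"interval": "1h"}}],
        }],
    }


# Hypothetical schema: a case is open while close_date is NULL.
OPEN_CASES_SQL = ("SELECT status, COUNT(*) AS open_cases FROM cases "
                  "WHERE close_date IS NULL GROUP BY status ORDER BY open_cases DESC")


def open_cases_panel(panel_id):
    """Table: open IRIS cases grouped by status."""
    return {
        "id": panel_id, "type": "table", "title": "Open cases by status",
        "datasource": IRIS_DS,
        "gridPos": {"x": 0, "y": 8, "w": 24, "h": 8},
        "targets": [{"refId": "A", "datasource": IRIS_DS,
                     "format": "table", "rawSql": OPEN_CASES_SQL}],
    }


def build_dashboard():
    """Assemble the model: 24h window, 30s refresh, three panels."""
    return {
        "title": "SOC - Analyst Dashboard", "uid": "soc-analyst",
        "refresh": "30s", "time": {"from": "now-24h", "to": "now"},
        "schemaVersion": 39,
        "panels": [alerts_by_severity_panel(1), alert_trend_panel(2),
                   open_cases_panel(3)],
    }


def validate_dashboard(dashboard):
    """Pre-provisioning checks: unique panel ids, every panel bound to a
    datasource with at least one query, and no two panels overlapping."""
    panels = dashboard["panels"]
    ids = [p["id"] for p in panels]
    if len(ids) != len(set(ids)):
        return False
    if any("datasource" not in p or not p.get("targets") for p in panels):
        return False
    boxes = [p["gridPos"] for p in panels]
    for i, a in enumerate(boxes):
        for b in boxes[i + 1:]:
            overlap_x = a["x"] < b["x"] + b["w"] and b["x"] < a["x"] + a["w"]
            overlap_y = a["y"] < b["y"] + b["h"] and b["y"] < a["y"] + a["h"]
            if overlap_x and overlap_y:
                return False
    return True


if __name__ == "__main__":
    dash = build_dashboard()
    assert validate_dashboard(dash)
    # Drop the file where Grafana's dashboard file provisioner reads it.
    with open("soc-analyst-dashboard.json", "w") as fh:
        json.dump(dash, fh, indent=2)
```

Keeping the dashboard in code rather than clicking it together has a security benefit beyond convenience: the model is reviewed and versioned like any other SOC configuration, and `validate_dashboard` catches the duplicate ids and overlapping panels that otherwise surface only as a silently broken view at the start of a shift.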

At 95% coverage, the SOC portal covers almost every aspect of security operations. The remaining 5% are edge cases requiring direct access to individual tools. But for daily operations, the analyst never has to leave Grafana. And that drastically reduces context switching, which is the silent killer of SOC productivity.
