
Overview

Compliance monitoring ensures your infrastructure meets regulatory and industry security requirements. Wazuh Dashboard provides comprehensive compliance tracking, reporting, and evidence collection for multiple frameworks.

Supported Compliance Frameworks

Wazuh Dashboard monitors compliance with:

PCI DSS

Payment Card Industry Data Security Standard - Requirements for organizations handling credit card data.

GDPR

General Data Protection Regulation - EU data privacy and protection requirements.

HIPAA

Health Insurance Portability and Accountability Act - Healthcare data protection requirements.

NIST 800-53

National Institute of Standards and Technology - Security and privacy controls for federal systems.

TSC

Trust Services Criteria - Framework for security, availability, confidentiality, privacy, and processing integrity.

Understanding Compliance Dashboards

Common Dashboard Elements

All compliance modules share a similar structure:
  • A high-level summary showing:
    • Total requirements monitored
    • Compliance percentage/score
    • Requirements by status (passed, failed, not applicable)
    • Trend over time
    • Critical violations
  • A detailed view of individual requirements:
    • Requirement ID and description
    • Control objectives
    • Current compliance status
    • Number of events per requirement
    • Affected agents
    • Related security events
  • A view of the systems with the most compliance issues:
    • Agent names and IDs
    • Violation counts
    • Most common requirement failures
    • Trend analysis
  • A detailed event listing:
    • Event timestamp and description
    • Mapped requirements
    • Severity and risk level
    • Affected resources
    • Remediation guidance

PCI DSS Compliance

Overview

PCI DSS applies to any organization that stores, processes, or transmits cardholder data. The standard includes 12 requirements across 6 control objectives.

Accessing PCI DSS Dashboard

  1. Navigate to PCI DSS in the main menu
  2. Select time range for compliance review
  3. Optionally filter by specific agent or agent group

Key PCI DSS Requirements Monitored

1. Requirement 1: Firewall Configuration

Control: Install and maintain firewall configuration to protect cardholder data.
Wazuh Monitors:
  • Firewall rule changes
  • Network configuration modifications
  • Unauthorized network access attempts
Example Events:
rule.pci_dss:"1.1.1" OR rule.pci_dss:"1.2"
2. Requirement 2: Default Passwords

Control: Do not use vendor-supplied defaults for system passwords and security parameters.
Wazuh Monitors:
  • Default account usage detection
  • Weak password configurations
  • Insecure default settings
Common Violations:
  • Default admin accounts still enabled
  • Unchanged default passwords
  • Default SNMP community strings
3. Requirement 8: User Identification

Control: Identify and authenticate access to system components.
Wazuh Monitors:
  • Failed authentication attempts
  • Account creation and deletion
  • Privileged account usage
  • Multi-factor authentication status
Search Query:
rule.pci_dss:"8.1" OR rule.pci_dss:"8.2" OR rule.pci_dss:"8.3"
4. Requirement 10: Access Logging

Control: Track and monitor all access to network resources and cardholder data.
Wazuh Monitors:
  • All user access to cardholder data environment
  • Administrative actions
  • Access to audit logs
  • Failed access attempts
Critical Events:
  • Audit log deletion or modification
  • Logging service failures
  • Unauthorized access to log files
5. Requirement 11: Security Testing

Control: Regularly test security systems and processes.
Wazuh Monitors:
  • Vulnerability scan results
  • File integrity monitoring
  • Security configuration changes
  • Intrusion detection events

PCI DSS Compliance Workflow

1. Daily Monitoring

Review the PCI DSS dashboard daily:
  1. Check for new violations
  2. Review failed requirements
  3. Identify affected systems
  4. Prioritize remediation
2. Investigate Violations

For each violation:
  1. Click the requirement to see details
  2. Review related security events
  3. Identify root cause
  4. Document findings
3. Remediate Issues

Take corrective action:
  1. Apply security configurations
  2. Patch vulnerabilities
  3. Update access controls
  4. Enhance monitoring rules
4. Verify Remediation

Confirm fixes:
  1. Monitor for recurrence
  2. Verify compliance status improves
  3. Update documentation
  4. Close compliance tickets

Generating PCI DSS Reports

Regular reporting demonstrates ongoing compliance to auditors and stakeholders.
  1. Set appropriate time range (typically quarterly or annually)
  2. Export compliance data:
    • Requirements summary
    • Violation details
    • Trend analysis
    • Remediation evidence
  3. Include in compliance documentation

GDPR Compliance

Overview

GDPR focuses on data protection and privacy for EU citizens. Key principles include lawfulness, fairness, transparency, and data subject rights.

GDPR Requirements in Wazuh

Wazuh maps security events to GDPR articles:
Requirement: Implement appropriate technical and organizational measures.
Monitored Activities:
  • Encryption status and changes
  • Access control violations
  • Data breach indicators
  • System security configurations
Example Search:
rule.gdpr:"IV_32"

Requirement: Maintain records of processing activities.
Monitored Activities:
  • Data access logging
  • Processing activity tracking
  • Audit trail completeness
  • Log retention compliance

Requirement: Report data breaches within 72 hours.
Monitored Activities:
  • Unauthorized data access
  • Data exfiltration attempts
  • System compromises
  • Privilege escalations
Critical Events: Any event indicating potential personal data exposure.

Requirement: Conduct impact assessments for high-risk processing.
Monitored Activities:
  • High-risk system changes
  • New data processing activities
  • Security control modifications
  • Privacy control effectiveness

GDPR Breach Detection

Set up alerts for potential GDPR breaches:
rule.gdpr:"IV_32" AND rule.level:>=10
Immediate investigation required for:
  • Unauthorized access to personal data
  • Data exfiltration attempts
  • Encryption failures
  • Access control bypasses
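As an added example (not part of the Wazuh documentation), the script below reproduces, over constructed alert lines, the per-requirement counts and affected-agents view described under Common Dashboard Elements and the breach filter above. The alert shape imitates the fields Wazuh writes to alerts.json (rule.pci_dss, rule.gdpr, rule.hipaa, rule.nist_800_53, rule.level, agent.name); matching the GDPR article as a prefix, so that sub-clauses such as IV_32.2 count, is an assumption of this example.

```python
import json
from collections import Counter

FRAMEWORKS = ("pci_dss", "gdpr", "hipaa", "nist_800_53")

def _alert(agent, level, desc, groups, **tags):
    """Build one alert in the shape Wazuh writes to alerts.json (constructed sample)."""
    rule = {"level": level, "description": desc, "groups": groups}
    rule.update(tags)
    return {"agent": {"name": agent}, "rule": rule}

# Constructed sample alerts; tag values follow Wazuh's rule-tagging style.
SAMPLE_ALERTS = "\n".join(json.dumps(a) for a in [
    _alert("web01", 5, "sshd: login attempt with non-existent user", ["sshd", "authentication_failed"],
           pci_dss=["10.2.4", "10.2.5"], gdpr=["IV_35.7.d", "IV_32.2"], hipaa=["164.312.b"], nist_800_53=["AU.14", "AC.7"]),
    _alert("db01", 10, "sshd: multiple authentication failures", ["sshd", "authentication_failures"],
           pci_dss=["11.4", "10.2.4"], gdpr=["IV_35.7.d", "IV_32.2"], hipaa=["164.312.b"], nist_800_53=["AU.14"]),
    _alert("web01", 7, "Integrity checksum changed", ["syscheck"],
           pci_dss=["11.5"], gdpr=["II_5.1.f"], hipaa=["164.312.c.1"], nist_800_53=["SI.7"]),
    _alert("app02", 3, "Login session opened", ["authentication_success"],
           pci_dss=["10.2.5"], gdpr=["IV_32.2"], hipaa=["164.312.b"], nist_800_53=["AU.14", "AC.7"]),
    _alert("db01", 12, "Audit log file deleted", ["syscheck"],
           pci_dss=["10.5.2"], gdpr=["IV_32.2", "II_5.1.f"], hipaa=["164.312.b"], nist_800_53=["AU.9"]),
    _alert("web01", 8, "New user added to the system", ["adduser", "account_changed"],
           pci_dss=["8.1.2"], nist_800_53=["AC.2", "IA.4"]),
])

def load_alerts(text):
    """Parse newline-delimited alert JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def tags(alert, framework):
    """Framework tags on an alert; rules without a mapping simply lack the field."""
    return alert["rule"].get(framework, [])

def requirement_counts(alerts, framework):
    """Number of events per requirement, as the requirement view shows."""
    return Counter(t for a in alerts for t in tags(a, framework))

def top_agents(alerts, framework, n=3):
    """Agents with the most alerts mapped to the framework (the affected-agents view)."""
    return Counter(a["agent"]["name"] for a in alerts if tags(a, framework)).most_common(n)

def gdpr_breach_candidates(alerts, article="IV_32", min_level=10):
    """Same selection as  rule.gdpr:"IV_32" AND rule.level:>=10 ; the article is matched
    as a prefix so sub-clauses such as IV_32.2 count (an assumption of this example)."""
    hit = lambda t: t == article or t.startswith(article + ".")
    return [a for a in alerts if a["rule"]["level"] >= min_level and any(map(hit, tags(a, "gdpr")))]

def frameworks_hit(alert):
    """Frameworks a single alert counts toward: one control feeds several mappings."""
    return sorted(f for f in FRAMEWORKS if tags(alert, f))

ALERTS = load_alerts(SAMPLE_ALERTS)
```

Running the same functions against real alerts.json lines gives the numbers the dashboard cards summarize, which is a useful cross-check when an auditor asks how a figure was derived.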

HIPAA Compliance

Overview

HIPAA protects Protected Health Information (PHI) in healthcare environments.

HIPAA Security Rule Monitoring

1. Administrative Safeguards

Wazuh Coverage:
  • Security management processes
  • Assigned security responsibility
  • Workforce security and training
  • Access authorization and establishment
Key Events:
  • Administrative account usage
  • Policy violations
  • Training compliance tracking
2. Physical Safeguards

Wazuh Coverage:
  • Facility access controls
  • Workstation security
  • Device and media controls
Monitoring:
  • Physical access logs
  • Unauthorized device connections
  • Media handling violations
3. Technical Safeguards

Wazuh Coverage:
  • Access controls (164.312.a.1)
  • Audit controls (164.312.b)
  • Integrity controls (164.312.c.1)
  • Transmission security (164.312.e.1)
Search Query:
rule.hipaa:"164.312"

PHI Access Monitoring

Critical for HIPAA compliance:
  1. Track all PHI access:
    • User identification
    • Timestamp
    • Data accessed
    • Action performed (view, modify, delete)
  2. Monitor for violations:
    • Unauthorized access attempts
    • Access outside normal patterns
    • Bulk data access
    • After-hours access
  3. Audit regularly:
    • Review access logs monthly
    • Investigate anomalies
    • Document findings
    • Report violations

NIST 800-53 Compliance

Overview

NIST 800-53 provides comprehensive security and privacy controls for federal systems and organizations.

Control Families

Wazuh maps events to NIST control families:

AC - Access Control

User authentication, authorization, and account management.

AU - Audit and Accountability

Security event logging, monitoring, and audit review.

CM - Configuration Management

Baseline configurations, change control, security settings.

IA - Identification and Authentication

User and device identification, authentication mechanisms.

SI - System and Information Integrity

Malware protection, integrity monitoring, vulnerability management.

SC - System and Communications Protection

Network security, encryption, boundary protection.

NIST Compliance Dashboard

Navigate to NIST 800-53 to view:
  1. Control Coverage: Which controls are monitored
  2. Compliance Status: Current compliance levels per control
  3. Top Violations: Most frequently failed controls
  4. Control Effectiveness: Trend analysis over time

Example: Implementing AC-2 (Account Management)

Control Description: Organizations must manage information system accounts.
Wazuh Implementation:
  1. Monitor account creation:
    rule.nist_800_53:"AC.2" AND rule.groups:"account_changed"
  2. Track account modifications:
    • Password changes
    • Group membership changes
    • Permission modifications
  3. Detect account misuse:
    • Disabled accounts being used
    • Shared account access
    • Privileged account abuse
  4. Review regularly:
    • Weekly account status review
    • Quarterly access recertification
    • Annual compliance assessment

TSC (Trust Services Criteria)

Overview

The TSC framework covers five principles:
  1. Security: Protection against unauthorized access
  2. Availability: System availability for operation and use
  3. Processing Integrity: Complete, valid, accurate, timely processing
  4. Confidentiality: Protection of confidential information
  5. Privacy: Collection, use, retention, disclosure, and disposal of personal information

TSC Monitoring in Wazuh

Common Criteria 6: Logical and physical access controls
Wazuh Monitors:
  • Authentication events
  • Authorization violations
  • Network access controls
  • System access logging
Key Metrics:
  • Failed login attempts
  • Unauthorized access attempts
  • Privilege escalations

Availability Criteria: System availability and recovery
Wazuh Monitors:
  • Service availability
  • System resource usage
  • Backup completion status
  • Disaster recovery capabilities

Confidentiality Criteria: Protection of confidential data
Wazuh Monitors:
  • Data access controls
  • Encryption status
  • Data transmission security
  • Confidential data handling

Security Configuration Assessment (SCA)

Overview

SCA provides automated configuration compliance scanning based on security benchmarks.

Accessing SCA

  1. Navigate to Security Configuration Assessment
  2. Select an agent or view all agents
  3. Choose a security policy

SCA Policy Structure

1. Policy Selection

SCA includes policies for:
  • CIS Benchmarks: Industry-standard security configurations
  • Operating Systems: Linux, Windows, macOS
  • Applications: Web servers, databases, containers
  • Compliance: PCI DSS, HIPAA, NIST configurations
2. Check Results

Each policy contains checks with results:
  • Passed: Configuration meets requirement
  • Failed: Configuration does not meet requirement
  • Not Applicable: Check doesn’t apply to this system
Score Calculation: (Passed / (Passed + Failed)) × 100
3. Check Details

Click a check to view:
  • Requirement description
  • Rationale
  • Remediation steps
  • Compliance mappings
  • Current configuration
4. Remediation

For failed checks:
  1. Review remediation guidance
  2. Test changes in non-production
  3. Apply configuration changes
  4. Wait for next SCA scan
  5. Verify check now passes

SCA Best Practices

Establish approved baseline:
  1. Run SCA scans on reference systems
  2. Document intentional deviations
  3. Mark expected failures as exceptions
  4. Use baselines for new deployments
Configure SCA scan frequency:
  • Daily: Production systems and critical infrastructure
  • Weekly: Development and test environments
  • On-demand: After configuration changes
Focus on:
  1. Critical security controls first
  2. Systems with most failures
  3. Compliance-required configurations
  4. Recently introduced failures
Monitor SCA scores over time:
  • Set target compliance percentages
  • Track score trends
  • Report on improvement
  • Identify regression

Compliance Reporting

Report Types

Executive Summary

High-level compliance status for leadership and auditors.

Detailed Findings

Complete violation list with evidence and remediation.

Trend Analysis

Compliance posture over time showing improvement or decline.

Audit Evidence

Specific events and configurations demonstrating controls.

Creating Compliance Reports

1. Define Scope

Determine report parameters:
  • Compliance framework
  • Time period (month, quarter, year)
  • Systems included
  • Requirements covered
2. Gather Data

From the compliance dashboard:
  1. Set time range
  2. Apply agent filters if needed
  3. Export requirement status
  4. Export violation details
  5. Capture screenshots of key visualizations
3. Analyze Results

Summarize findings:
  • Overall compliance percentage
  • Top violations
  • Most affected systems
  • Trend compared to previous period
  • Critical issues requiring attention
4. Document Remediation

For each violation:
  • Description and impact
  • Root cause analysis
  • Corrective actions taken
  • Preventive measures implemented
  • Evidence of resolution
5. Present Findings

Format report for audience:
  • Executive: High-level summary, trends, risks
  • Technical: Detailed findings, remediation steps
  • Auditors: Evidence, controls, testing results

Audit Preparation

Pre-Audit Checklist

1. Verify Coverage

Ensure all systems are monitored:
  • All agents active and reporting
  • Compliance modules enabled
  • Index patterns configured
  • Data retention meets requirements
2. Review Compliance Status

Check current posture:
  • Review compliance dashboards
  • Address critical violations
  • Document exceptions
  • Update remediation status
3. Prepare Evidence

Gather documentation:
  • Compliance reports
  • SCA scan results
  • Violation remediation records
  • Change management documentation
  • Incident response records
4. Test Audit Queries

Verify you can demonstrate:
  • All access is logged
  • Failed access attempts are detected
  • Configuration changes are tracked
  • Security events are monitored
  • Incidents are investigated

Common Auditor Requests

Show comprehensive access tracking:
rule.groups:"authentication" OR rule.groups:"access"
Filter by specific timeframe and system as requested.
Evidence of access control enforcement:
rule.groups:"authentication_failed"
Demonstrate detection and alerting on violations.
File integrity and configuration monitoring:
Navigate to File Integrity Monitoring and show:
  • Monitored files and directories
  • Change detection
  • Change approval process
  • Rollback capabilities
Show systematic vulnerability handling:
  1. Navigate to Vulnerability Detection
  2. Show scan frequency and coverage
  3. Demonstrate risk prioritization
  4. Show remediation tracking
  5. Prove patching timelines

Continuous Compliance

Maintaining Compliance

Daily Reviews

  • Check compliance dashboards
  • Review new violations
  • Verify agent status
  • Monitor critical systems

Weekly Analysis

  • Review compliance trends
  • Update remediation tracking
  • Test key controls
  • Update documentation

Monthly Reporting

  • Generate compliance reports
  • Executive briefings
  • Exception reviews
  • Policy updates

Quarterly Assessments

  • Comprehensive compliance review
  • Gap analysis
  • Control effectiveness testing
  • Audit preparation

Automation Opportunities

  • Automated Remediation: Fix common misconfigurations automatically
  • Alert Integration: Send compliance violations to ticketing systems
  • Scheduled Reports: Generate and distribute reports automatically
  • Dashboard Monitoring: Alert on compliance score degradation

Tips and Best Practices

Different frameworks have different priorities:
  • PCI DSS: Focus on cardholder data protection
  • HIPAA: Emphasize PHI access controls and encryption
  • GDPR: Prioritize data subject rights and breach detection
  • NIST: Comprehensive controls across all security domains
Many controls satisfy multiple frameworks:
  • Access logging (PCI DSS 10, HIPAA 164.312.b, GDPR Article 30)
  • Encryption (PCI DSS 3, HIPAA 164.312.a, GDPR Article 32)
  • Vulnerability management (PCI DSS 6, NIST SI-2)
Maximize efficiency by implementing controls that provide broad coverage.
Maintain thorough documentation:
  • Compliance policies and procedures
  • Control implementation details
  • Exception approvals and justifications
  • Remediation activities and timelines
  • Testing and validation results
Don’t wait for audits:
  • Conduct internal compliance reviews
  • Test controls regularly
  • Perform gap assessments
  • Update configurations proactively
Keep stakeholders informed:
  • Regular compliance status updates
  • Immediate notification of critical violations
  • Trend reporting and analysis
  • Audit readiness status

Next Steps

Compliance is an ongoing process, not a one-time achievement. Regular monitoring, continuous improvement, and proactive remediation are essential for maintaining compliance.
