Wazuh Dashboard question #667
Replies: 4 comments 1 reply
-
We currently do not have a NIST 800-53 dashboard. You may be looking at Wazuh's documentation. They do provide one for their application that sits in front of OpenSearch. What that dashboard does is assign each alert they get to the NIST 800-53 security control it's mapped to. That doesn't mean you actually have any requirements in place that satisfy that control -- just that the event is mapped to that control. I think some people see this as "If I have this dashboard I can tell my ISSO this is the coverage we have with this installed", when that's not actually the case. With or without that dashboard you still have the same security controls in place with an install of LME -- which is mostly audit related. For example, you could have an alert that's triggering -- you could have failed logons that are mapped in Wazuh to AC-7... but that doesn't mean you have any controls in place that are actually limiting logon attempts. Would you still find this functionality useful? We could also build our own dashboard around it -- but we would probably want to do something a little more useful with it.
-
If you're just looking for a mapping -- Wazuh provides a well-made one here that shows you what you can map to if you implement LME with the Wazuh agent: https://wazuh.com/resources/Wazuh-NIST-800-53-guide.pdf Notice for example AC-7 on this mapping. Just having the install isn't enough. You have to go further and utilize their active response capabilities, or in a different case some kind of group policy that limits logon attempts.
-
You're absolutely right — I was initially hoping to rely on the out-of-the-box Wazuh dashboards and rules, rather than taking on the full responsibility of building and maintaining them myself. I reviewed the NIST 800-53 implementation guide Wazuh provides, and I noticed that it also references controls from NIST 800-171r2, which is useful for broader CMMC alignment. Many of the controls in both 800-53 and 800-171r2 require organizations to not only have technical enforcement in place, but also to demonstrate that the control is monitored, logged, and that corrective action can be or has been taken. This is where a solid dashboard becomes especially valuable — providing a management-friendly way to show historical enforcement, monitoring, and remediation activity. As for the AC-7 control you mentioned, I agree — it's not enough to install Wazuh; it has to be configured to track and respond to failed login attempts. One way to show that such enforcement is in place could be to monitor GPO changes in on-prem AD that configure lockout policies. If AD is being used, that data could be ingested into the LME environment for correlation. And for environments using Entra ID (formerly Azure AD), similar monitoring could be set up via Azure logs and Intune policy auditing to show equivalent enforcement. Ultimately, the goal is to present verifiable evidence of both control implementation and operational oversight — and a dashboard-driven approach helps communicate that to both technical and non-technical stakeholders.
-
One thing you can do pretty easily by yourself is make a new vis, like so:

1. In the Wazuh dashboards section, create a new visualization. Ensure everything matches like so -- in this example we will do a basic pie chart.
2. On the left, search for rule.nist -- you should see something in there called rule.nist_800_53, to some effect. Drag and drop that into the middle square.
3. Now you have a pie chart that shows NIST 800-53 triggers. This defaults to Top 5. On the right you can play with the "slice by" settings.

I recommend you play around in this vis tool a bit. It's pretty simple. You can then search for other fields. On the left, when it's not filtered, you'll see all the different fields you can visualize. For another example, I can then add agent.name to add that information to the view, switching from pie to bar vertical stacked. Let me know if you have questions.
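The pie chart described above is a terms aggregation on the rule.nist_800_53 field. The following is an added example for this thread, not code from the LME or Wazuh projects; it builds the OpenSearch query body that such a "Top 5" visualization issues, runs the same arithmetic offline over constructed alerts (the agent names, rule ids and control lists are made up for the example), and shows the split by agent.name that the stacked bar adds. It also makes the point from earlier in the thread visible in numbers: because one alert can carry several controls, the slices add up to more than the number of alerts, and a control having a slice only means a rule mapped to it fired, not that the control is implemented.

```python
"""What a rule.nist_800_53 pie chart in Wazuh Dashboards actually counts.

Added example for this discussion; not code from LME or Wazuh.
"""
from collections import Counter, defaultdict

# Constructed alerts shaped like trimmed Wazuh alert documents (not real data).
# Wazuh stores the mapped controls in rule.nist_800_53 as an array of strings.
SAMPLE_ALERTS = [
    {"agent": {"name": "dc01"},
     "rule": {"id": "60122", "description": "Logon failure",
              "nist_800_53": ["AC.7", "AU.14", "AC.2"]}},
    {"agent": {"name": "dc01"},
     "rule": {"id": "60122", "description": "Logon failure",
              "nist_800_53": ["AC.7", "AU.14", "AC.2"]}},
    {"agent": {"name": "ws02"},
     "rule": {"id": "60122", "description": "Logon failure",
              "nist_800_53": ["AC.7", "AU.14", "AC.2"]}},
    {"agent": {"name": "ws02"},
     "rule": {"id": "60110", "description": "Audit policy changed",
              "nist_800_53": ["AU.6", "AU.12", "AU.14"]}},
    {"agent": {"name": "srv03"},
     "rule": {"id": "5710", "description": "sshd: non-existent user",
              "nist_800_53": ["AC.7", "AU.14", "AC.2"]}},
    {"agent": {"name": "srv03"},
     "rule": {"id": "550", "description": "Integrity checksum changed",
              "nist_800_53": ["SI.7"]}},
]


def terms_aggregation_query(field="rule.nist_800_53", size=5, split_field=None):
    """OpenSearch _search body equivalent to the pie chart.

    size=0 at the top level returns only the aggregation buckets, no hits.
    Passing split_field nests a second terms aggregation, which is what the
    stacked bar does when you add agent.name.
    """
    bucket = {"terms": {"field": field, "size": size}}
    if split_field:
        bucket["aggs"] = {"split": {"terms": {"field": split_field}}}
    return {"size": 0, "aggs": {"controls": bucket}}


def control_counts(alerts, top_n=5):
    """Top-N controls by alert count, the same numbers the pie slices show."""
    counts = Counter()
    for alert in alerts:
        # An alert mapped to three controls adds one to each of three buckets.
        counts.update(alert["rule"].get("nist_800_53", []))
    # Largest first; ties broken by control name so the result is stable.
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:top_n]


def control_by_agent(alerts):
    """Per-control breakdown by agent.name (the stacked-bar split)."""
    split = defaultdict(Counter)
    for alert in alerts:
        for control in alert["rule"].get("nist_800_53", []):
            split[control][alert["agent"]["name"]] += 1
    return {control: dict(agents) for control, agents in split.items()}


def slice_total_vs_alerts(alerts):
    """(sum of all bucket counts, number of alerts).

    The first number is larger whenever rules map to more than one control,
    so the chart is a view of rule-to-control mappings, not of coverage.
    """
    hits = sum(len(a["rule"].get("nist_800_53", [])) for a in alerts)
    return hits, len(alerts)


if __name__ == "__main__":
    print(terms_aggregation_query(split_field="agent.name"))
    print(control_counts(SAMPLE_ALERTS))
    print(control_by_agent(SAMPLE_ALERTS)["AC.7"])
    print(slice_total_vs_alerts(SAMPLE_ALERTS))
```

Run it as a script to see the query body and the offline counts; to run the same aggregation against a live index you would POST the query body to the wazuh-alerts index's _search endpoint. The AC.7 slice in the sample counts four failed-logon alerts across three hosts, which is exactly the situation described earlier in the thread: evidence that failed logons are being recorded, not that anything is limiting them.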
-
I am trying to set up the NIST 800-53 dashboard and noticed that it wasn't easily found. I also attempted to work with the Stack Management Saved Objects and can't find anything specific to NIST standards. I was able to import the PCI object, but that's not required for what I'm working on now in order to have a more CMMC-friendly environment and dashboards.