Issue with Security Controls Display in Compliance Dashboards (NIST, HIPAA, PCI DSS, TSC, IT Hygiene)


Anas Rotbi

8:23 AM (12 hours ago)
to Wazuh | Mailing List

Hello

I hope you are doing well.

I am currently experiencing an issue with the Security Operations controls display in the compliance dashboards. Specifically, for the following compliance standards:

  • NIST 800-53
  • HIPAA
  • TSC
  • IT Hygiene
  • PCI DSS

All controls are showing a value of 0, and no related events are being displayed.

Additionally, the dashboard graphs are not displaying correctly or appear empty.

Here are the details of my environment:

  • Wazuh agents are properly connected and up to date
  • Events are being generated correctly from the agents
  • All Wazuh services (manager, indexer, and dashboard) are running without any issues

Despite this, the compliance sections remain empty, and no controls or alerts are populated, and the graphs are not rendering as expected.

Could you please assist me in identifying the root cause of this issue or guide me through the necessary troubleshooting steps?

If needed, I can provide additional logs, screenshots, or configuration details.

Thank you in advance for your support.

Best regards,



Isaiah Daboh

9:39 AM (11 hours ago)
to Wazuh | Mailing List
Hello,

Please note that I am taking a look at this. I will revert shortly.

Regards,

Isaiah Daboh

12:15 PM (8 hours ago)
to Wazuh | Mailing List
Hello,

Regarding the screenshots of the dashboard, the index pattern used in the dashboard does not have the expected mapping types.

For example, the agent.name or NIST should be a keyword to allow the aggregation operation of the visualization. Same problem for the other fields with errors in the dashboard.

This could be due to one of the following:

- Wazuh template was not applied to the "alerts" indices:
  - Template was not configured in Filebeat when the alert/s index were created.
  - Template not configured in Filebeat to be indexed.
  - Problem indexing the template.
  - Filebeat-Wazuh indexer communication error.
- Usage of custom index pattern that does not have the expected mapping types of the fields for its usage in the dashboards.


Troubleshooting:
1. Ensure the `Wazuh` template is indexed

`GET _cat/templates/wazuh` (Using the Dev Tools - *Indexer management* > *Dev Tools*)

2. Review the Wazuh template (index patterns and mappings definitions)

`GET _template/wazuh` (Using the Dev Tools)

3. Review the fields that throw errors in the dashboard (NIST, agent.name, etc.). They should be keyword. If they are 'text', then you need to change them to keyword.

For the used index pattern, check the field mappings:

(preferred) *Indexer management* > *Dev Tools*
`GET <INDEX_PATTERN>/_mapping`
`GET <INDEX_PATTERN>/_mapping/field/<FIELD>`

For example, if you are using the default wazuh-alerts-* index pattern:
`GET wazuh-alerts-*/_mapping`
`GET wazuh-alerts-*/_mapping/field/agent.name`

*Dashboard management* > *Dashboard Management* > *Index pattern* and select the index pattern. This can be a little bit tricky because this does not display the mapping in the index as keyword and uses other terms as string with the `aggregatable` attribute.

Ensure the used index pattern has the expected mappings.

If using a custom index pattern for alerts, the matched indices may not match the index pattern defined in the Wazuh template, and so may not get the expected index configuration defined in the Wazuh template.

In this case the indices with wrong field mappings will need to be reindexed to indices with the expected mappings.

Let me know if this helps.

Regards
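
An added example, not part of the thread and not Wazuh's own tooling: a small Python check that takes the JSON returned by `GET wazuh-alerts-*/_mapping/field/agent.name` and lists the indices where the field is not a keyword. The sample response and its index names are constructed for illustration, and the function name `audit_field_mapping` is hypothetical.

```python
# Constructed sample of a `GET wazuh-alerts-*/_mapping/field/agent.name`
# response. Index names are made up for illustration.
SAMPLE_RESPONSE = {
    "wazuh-alerts-4.x-2025.01.01": {"mappings": {"agent.name": {
        "full_name": "agent.name",
        "mapping": {"name": {"type": "keyword"}},
    }}},
    "wazuh-alerts-4.x-2025.01.02": {"mappings": {"agent.name": {
        "full_name": "agent.name",
        "mapping": {"name": {
            "type": "text",
            "fields": {"keyword": {"type": "keyword", "ignore_above": 256}},
        }},
    }}},
    "wazuh-alerts-4.x-2025.01.03": {"mappings": {}},
}


def audit_field_mapping(response, field, expected="keyword"):
    """Return {index: problem} for indices where `field` is not `expected`."""
    problems = {}
    # The field-mapping API keys the inner mapping by the leaf name only.
    leaf = field.rsplit(".", 1)[-1]
    for index, body in sorted(response.items()):
        entry = body.get("mappings", {}).get(field)
        if entry is None:
            problems[index] = "field not mapped in this index"
            continue
        mapping = entry.get("mapping", {}).get(leaf, {})
        actual = mapping.get("type", "object")
        if actual == expected:
            continue
        note = f"type is '{actual}', expected '{expected}'"
        # text with a .keyword sub-field is what default dynamic mapping
        # produces for strings, which suggests (assumption) that the index
        # was created without the Wazuh template applied.
        if actual == "text" and "keyword" in mapping.get("fields", {}):
            note += " (dynamic text/.keyword mapping)"
        problems[index] = note
    return problems


if __name__ == "__main__":
    found = audit_field_mapping(SAMPLE_RESPONSE, "agent.name")
    for index, problem in found.items():
        print(f"{index}: {problem}")
```

Indices it reports are the ones that would need reindexing into indices with the expected mappings, as described in the reply above.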