SIEM Interface Overview

The SIEM module consists of two main components: the SIEM Dashboard (agent-based security monitoring powered by Wazuh) and the Alerts Interface (native alerting, incident management, and risk scoring).

SIEM Dashboard

The SIEM Dashboard provides security monitoring through agents installed on monitored hosts. It presents data as a set of dashboard cards organized in four sections.

Note: The SIEM Dashboard requires Wazuh agents to be installed and connected on monitored systems. Without active agents, dashboard cards will show no data.

Security Information Management

Card                  Description
--------------------  ------------------------------------------------------------------------------------
Security Events       Browse security alerts and threats detected in your environment
Integrity Monitoring  File change monitoring — alerts on permission, content, ownership, and attribute changes

Auditing and Policy Monitoring

Card                               Description
---------------------------------  ---------------------------------------------------------------------------
Policy Monitoring                  Security policy compliance verification against a defined baseline
System Auditing                    User activity tracking — command execution, file access, and behavior monitoring
Security Configuration Assessment  System configuration scanning for security issues and misconfigurations

Threat Detection and Response

Card             Description
---------------  ---------------------------------------------------------------
Vulnerabilities  Known vulnerability detection across applications in your environment
MITRE ATT&CK     Security event mapping to MITRE ATT&CK framework techniques

Regulatory Compliance

Card         Description
-----------  --------------------------------------------------------------------------------
PCI DSS      Payment Card Industry Data Security Standard compliance monitoring
NIST 800-53  Federal security controls compliance tracking
TSC          Trust Services Criteria (SOC 2) compliance monitoring
GDPR         EU General Data Protection Regulation compliance monitoring
HIPAA        Healthcare data protection (Protected Health Information) compliance monitoring

Each card links to a dedicated dashboard with detailed views, filters, and visualizations for the respective security domain.

Alerts Interface

Navigation: ELS Console → SIEM

The native Alerts interface provides alerting, incident management, risk scoring, and playbook capabilities. It consists of six tabs:

Tab                Description                                                             Details
-----------------  ----------------------------------------------------------------------  -----------------------
Incidents          Manage triggered alert incidents — assign, update status, add notes     See Incident Management
Risks              Create risk categories and map field values to risk scores              See Risk Management
Playbook           Define response procedures and scripts for alert rules                  See Playbooks
Alert Rules        Create, manage, enable/disable, and test alert rules                    See Alerting System
Alert Status       Monitor alert processing — activation status, event counts, run times   See Alerts Status
Create Alert Rule  Single-page form for defining new alert rules                           See Alert Creation

Workflow

The tabs work together in a detection-to-response workflow:

  1. Alert Rules define detection logic and notification methods.

  2. When a rule triggers, an Incident is created automatically.

  3. Playbooks associated with the rule provide response guidance and scripts.

  4. Risk scoring prioritizes incidents based on entity risk categories.
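As an added illustration of this workflow (example code, not ELS Console or Wazuh code; every rule name, field, risk category, score and sample event is hypothetical), the following Python models how a rule trigger opens an incident carrying its playbook, how risk categories map field values to scores, and how that score orders the incident queue:

```python
from dataclasses import dataclass
# Risk categories (Risks tab): a field name maps each of its values to a score.
# Category names, values and scores are constructed for this example.
RISK_CATEGORIES = {
    "host_tier": {"payment-gateway": 90, "workstation": 20},
    "user_role": {"domain-admin": 80, "staff": 10},
}
@dataclass
class AlertRule:
    name: str
    match: dict        # detection logic: every listed field must equal its value
    playbook: str      # response procedure associated with this rule

@dataclass
class Incident:
    rule: str
    event: dict
    playbook: str
    risk_score: int = 0
    status: str = "new"   # later updated from the Incidents tab (assign, notes)

def rule_matches(rule: AlertRule, event: dict) -> bool:
    return all(event.get(f) == v for f, v in rule.match.items())

def score_entity(event: dict) -> int:
    """Sum the risk score of every event field value that has a category entry."""
    return sum(RISK_CATEGORIES.get(f, {}).get(v, 0) for f, v in event.items())

def process_events(rules: list, events: list) -> list:
    """Steps 2-4 of the workflow: each rule trigger opens an Incident carrying
    the rule's playbook, the entity is scored, and the queue is ordered by risk."""
    incidents = [Incident(r.name, e, r.playbook, score_entity(e))
                 for e in events for r in rules if rule_matches(r, e)]
    return sorted(incidents, key=lambda i: i.risk_score, reverse=True)

# Constructed sample rules and normalized events (not real agent output).
RULES = [
    AlertRule("auth-failure", {"rule_group": "authentication_failed"}, "pb-auth-failure"),
    AlertRule("file-change", {"rule_group": "syscheck"}, "pb-integrity-review"),
]
EVENTS = [
    {"rule_group": "authentication_failed", "host_tier": "workstation", "user_role": "staff"},
    {"rule_group": "authentication_failed", "host_tier": "payment-gateway", "user_role": "domain-admin"},
    {"rule_group": "syscheck", "host_tier": "payment-gateway", "user_role": "staff"},
]

if __name__ == "__main__":
    for inc in process_events(RULES, EVENTS):
        print(inc.risk_score, inc.rule, inc.playbook, inc.event["host_tier"])
```

The same failed-login event scores 30 on a staff workstation but 170 on a payment gateway used by a domain admin, which is what moves it to the top of the queue.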