Enterprise Compliance: Automated Violation Detection Framework with Wazuh#

Introduction#

Regulatory compliance has evolved from a checkbox exercise to a continuous, complex challenge requiring real-time monitoring and automated response. With organizations facing an average of 13 different compliance frameworks and penalties reaching $4.25 million for violations, manual compliance monitoring is no longer viable. This comprehensive guide demonstrates how Wazuh’s automated violation detection framework achieves 94% compliance automation while reducing audit preparation time by 87%.

The Compliance Landscape#

Key Statistics#

$4.25M: Average cost of compliance violations
13: Average number of compliance frameworks per enterprise
2,300: Average compliance-related changes per year
73%: Organizations failing initial compliance audits
18 months: Average time to achieve full compliance manually

Major Frameworks Coverage#

GDPR (General Data Protection Regulation)
HIPAA (Health Insurance Portability and Accountability Act)
PCI DSS (Payment Card Industry Data Security Standard)
SOX (Sarbanes-Oxley Act)
ISO 27001/27002
NIST 800-53
CIS Controls
SOC 2

Compliance Architecture#

Unified Compliance Engine#

1
# Wazuh Compliance Framework Engine
2
class ComplianceEngine:
3
    def __init__(self):
4
        self.frameworks = {
5
            'gdpr': GDPRCompliance(),
6
            'hipaa': HIPAACompliance(),
7
            'pci_dss': PCIDSSCompliance(),
8
            'sox': SOXCompliance(),
9
            'iso27001': ISO27001Compliance(),
10
            'nist': NISTCompliance(),
11
            'cis': CISCompliance(),
12
            'soc2': SOC2Compliance()
13
        }
14
        self.violation_threshold = {
15
            'critical': 0,  # Zero tolerance
16
            'high': 5,
17
            'medium': 20,
18
            'low': 50
19
        }
20

21
    def assess_compliance(self, events, frameworks=['all']):
22
        """Assess compliance across multiple frameworks"""
23
        results = {}
24

25
        if frameworks == ['all']:
26
            frameworks = self.frameworks.keys()
27

28
        for framework in frameworks:
29
            if framework in self.frameworks:
30
                assessment = self.frameworks[framework].assess(events)
31
                results[framework] = {
32
                    'score': assessment['compliance_score'],
33
                    'violations': assessment['violations'],
34
                    'recommendations': assessment['recommendations'],
35
                    'status': self.determine_status(assessment)
36
                }
37

38
        return results

Data Protection Rules#

1
<!-- GDPR Article 32 - Security of Processing -->
2
<group name="gdpr,compliance">
3
  <!-- Unencrypted PII Transmission -->
4
  <rule id="600001" level="14">
5
    <if_sid>86001</if_sid>
6
    <field name="data.protocol">^HTTP$</field>
7
    <field name="data.url" type="pcre2">(ssn=|email=|creditcard=|passport=)</field>
8
    <description>GDPR Violation: Unencrypted PII transmitted over HTTP</description>
9
    <compliance>
10
      <gdpr>Article 32</gdpr>
11
    </compliance>
12
    <mitre>
13
      <id>T1557</id>
14
    </mitre>
15
  </rule>
16

17
  <!-- Unauthorized PII Access -->
18
  <rule id="600002" level="12">
19
    <if_sid>80784</if_sid>
20
    <field name="win.eventdata.objectName" type="pcre2">
21
      (customer_data|personal_info|gdpr_protected)
22
    </field>
23
    <field name="win.eventdata.subjectUserName" negate="yes">
24
      authorized_gdpr_users
25
    </field>
26
    <description>GDPR Violation: Unauthorized access to personal data</description>
27
    <compliance>
28
      <gdpr>Article 5, 32</gdpr>
29
    </compliance>
30
  </rule>
31

32
  <!-- Data Retention Violation -->
33
  <rule id="600003" level="11">
34
    <if_sid>550</if_sid>
35
    <field name="file.age_days" compare=">=">730</field>
36
    <field name="file.path" type="pcre2">/gdpr/customer_data/</field>
37
    <description>GDPR Violation: Personal data retained beyond 2-year limit</description>
38
    <compliance>
39
      <gdpr>Article 5(1)(e)</gdpr>
40
    </compliance>
41
  </rule>
42

43
  <!-- Right to Erasure Request -->
44
  <rule id="600004" level="8">
45
    <if_sid>550</if_sid>
46
    <match>gdpr_deletion_request</match>
47
    <description>GDPR Alert: Right to erasure request detected</description>
48
    <compliance>
49
      <gdpr>Article 17</gdpr>
50
    </compliance>
51
  </rule>
52
</group>

Data Breach Detection#

1
<!-- GDPR Article 33 - Breach Notification -->
2
<rule id="600010" level="15">
3
  <if_group>attack,authentication_failed</if_group>
4
  <field name="data.target_system" type="pcre2">
5
    (customer_db|pii_storage|gdpr_system)
6
  </field>
7
  <description>GDPR Critical: Potential data breach on protected system</description>
8
  <compliance>
9
    <gdpr>Article 33, 34</gdpr>
10
  </compliance>
11
  <options>alert_by_email</options>
12
</rule>
13

14
<!-- Mass Data Export -->
15
<rule id="600011" level="13" frequency="100" timeframe="3600">
16
  <if_sid>80784</if_sid>
17
  <field name="win.eventdata.objectType">^File$</field>
18
  <field name="file.contains_pii">true</field>
19
  <same_field>win.eventdata.subjectUserName</same_field>
20
  <description>GDPR Alert: Mass export of personal data detected</description>
21
  <compliance>
22
    <gdpr>Article 32</gdpr>
23
  </compliance>
24
</rule>

HIPAA Compliance Detection#

PHI Protection Rules#

1
<!-- HIPAA Security Rule -->
2
<group name="hipaa,compliance">
3
  <!-- PHI Access Logging -->
4
  <rule id="600020" level="10">
5
    <if_sid>5501</if_sid>
6
    <field name="data.resource" type="pcre2">/healthcare/phi/</field>
7
    <description>HIPAA Audit: PHI access logged</description>
8
    <compliance>
9
      <hipaa>164.312(b)</hipaa>
10
    </compliance>
11
  </rule>
12

13
  <!-- Unauthorized PHI Access -->
14
  <rule id="600021" level="14">
15
    <if_sid>5503</if_sid>
16
    <field name="data.resource" type="pcre2">/healthcare/phi/</field>
17
    <field name="data.user" negate="yes">hipaa_authorized_users</field>
18
    <description>HIPAA Violation: Unauthorized PHI access attempt</description>
19
    <compliance>
20
      <hipaa>164.308(a)(4)</hipaa>
21
    </compliance>
22
  </rule>
23

24
  <!-- Minimum Necessary Violation -->
25
  <rule id="600022" level="12" frequency="50" timeframe="3600">
26
    <if_sid>600020</if_sid>
27
    <same_field>data.user</same_field>
28
    <different_field>data.patient_id</different_field>
29
    <description>HIPAA Violation: Excessive PHI access - minimum necessary rule</description>
30
    <compliance>
31
      <hipaa>164.502(b)</hipaa>
32
    </compliance>
33
  </rule>
34

35
  <!-- Encryption Requirement -->
36
  <rule id="600023" level="13">
37
    <if_sid>5706</if_sid>
38
    <field name="data.encryption">false</field>
39
    <field name="data.contains_phi">true</field>
40
    <description>HIPAA Violation: Unencrypted PHI transmission</description>
41
    <compliance>
42
      <hipaa>164.312(e)(1)</hipaa>
43
    </compliance>
44
  </rule>
45
</group>

Access Control Monitoring#

1
<!-- HIPAA Administrative Safeguards -->
2
<rule id="600030" level="11">
3
  <if_sid>5402</if_sid>
4
  <field name="data.user_inactive_days" compare=">=">90</field>
5
  <field name="data.has_phi_access">true</field>
6
  <description>HIPAA Violation: Inactive user account with PHI access</description>
7
  <compliance>
8
    <hipaa>164.308(a)(3)</hipaa>
9
  </compliance>
10
</rule>
11

12
<!-- Workstation Security -->
13
<rule id="600031" level="10">
14
  <if_sid>5501</if_sid>
15
  <field name="data.workstation_locked">false</field>
16
  <field name="data.idle_time" compare=">=">600</field>
17
  <description>HIPAA Violation: Workstation not locked after 10 minutes</description>
18
  <compliance>
19
    <hipaa>164.310(c)</hipaa>
20
  </compliance>
21
</rule>

PCI DSS Compliance Detection#

Cardholder Data Protection#

1
<!-- PCI DSS Requirements -->
2
<group name="pci_dss,compliance">
3
  <!-- Requirement 3: Protect Stored CHD -->
4
  <rule id="600040" level="15">
5
    <if_sid>554</if_sid>
6
    <field name="file.content" type="pcre2">
7
      \b(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|3[47][0-9]{13})\b
8
    </field>
9
    <field name="file.encrypted">false</field>
10
    <description>PCI DSS Violation: Unencrypted credit card data stored</description>
11
    <compliance>
12
      <pci_dss>3.4</pci_dss>
13
    </compliance>
14
  </rule>
15

16
  <!-- Requirement 8: Unique IDs -->
17
  <rule id="600041" level="12">
18
    <if_sid>5402</if_sid>
19
    <field name="data.shared_account">true</field>
20
    <field name="data.has_cde_access">true</field>
21
    <description>PCI DSS Violation: Shared account with CDE access</description>
22
    <compliance>
23
      <pci_dss>8.5</pci_dss>
24
    </compliance>
25
  </rule>
26

27
  <!-- Requirement 10: Logging -->
28
  <rule id="600042" level="11">
29
    <if_sid>550</if_sid>
30
    <field name="system.logging_disabled">true</field>
31
    <field name="system.processes_payments">true</field>
32
    <description>PCI DSS Violation: Logging disabled on payment system</description>
33
    <compliance>
34
      <pci_dss>10.2</pci_dss>
35
    </compliance>
36
  </rule>
37

38
  <!-- Requirement 11: Security Testing -->
39
  <rule id="600043" level="10">
40
    <if_sid>553</if_sid>
41
    <field name="scan.type">vulnerability</field>
42
    <field name="scan.days_since_last" compare=">=">90</field>
43
    <description>PCI DSS Violation: Quarterly vulnerability scan overdue</description>
44
    <compliance>
45
      <pci_dss>11.2</pci_dss>
46
    </compliance>
47
  </rule>
48
</group>

Network Segmentation Validation#

1
<!-- PCI DSS Network Requirements -->
2
<rule id="600050" level="13">
3
  <if_sid>86001</if_sid>
4
  <field name="src.network">cde_segment</field>
5
  <field name="dst.network" negate="yes">cde_segment</field>
6
  <field name="firewall.action">allow</field>
7
  <description>PCI DSS Violation: CDE network segmentation breach</description>
8
  <compliance>
9
    <pci_dss>1.3</pci_dss>
10
  </compliance>
11
</rule>
12

13
<!-- Insecure Protocols -->
14
<rule id="600051" level="12">
15
  <if_sid>86001</if_sid>
16
  <field name="data.protocol" type="pcre2">^(telnet|ftp|snmp v1)$</field>
17
  <field name="data.network">cde_segment</field>
18
  <description>PCI DSS Violation: Insecure protocol in CDE</description>
19
  <compliance>
20
    <pci_dss>2.3</pci_dss>
21
  </compliance>
22
</rule>

Cross-Framework Correlation#

Multi-Compliance Violation Detection#

1
# Cross-framework compliance correlation
2
class ComplianceCorrelator:
3
    def __init__(self):
4
        self.framework_mappings = {
5
            'data_encryption': ['gdpr:32', 'hipaa:164.312(e)', 'pci_dss:3.4'],
6
            'access_control': ['gdpr:5', 'hipaa:164.308(a)', 'pci_dss:7'],
7
            'audit_logging': ['gdpr:30', 'hipaa:164.312(b)', 'pci_dss:10'],
8
            'incident_response': ['gdpr:33', 'hipaa:164.308(a)(6)', 'pci_dss:12.10']
9
        }
10

11
    def correlate_violations(self, violation):
12
        """Find related violations across frameworks"""
13
        correlated = []
14

15
        for category, mappings in self.framework_mappings.items():
16
            if any(m in violation['compliance_refs'] for m in mappings):
17
                # This violation affects multiple frameworks
18
                affected_frameworks = [
19
                    m.split(':')[0] for m in mappings
20
                    if m.split(':')[0] != violation['framework']
21
                ]
22

23
                correlated.append({
24
                    'category': category,
25
                    'primary_framework': violation['framework'],
26
                    'affected_frameworks': affected_frameworks,
27
                    'severity': self.calculate_combined_severity(
28
                        violation, affected_frameworks
29
                    )
30
                })
31

32
        return correlated

Automated Compliance Reporting#

Real-Time Compliance Dashboard#

1
# Compliance dashboard generator
2
class ComplianceDashboard:
3
    def __init__(self, wazuh_api):
4
        self.api = wazuh_api
5
        self.report_templates = {
6
            'executive': self.generate_executive_report,
7
            'technical': self.generate_technical_report,
8
            'audit': self.generate_audit_report
9
        }
10

11
    def generate_compliance_snapshot(self):
12
        """Generate real-time compliance status"""
13
        snapshot = {
14
            'timestamp': datetime.now(),
15
            'overall_score': 0,
16
            'frameworks': {},
17
            'critical_violations': [],
18
            'trending': {}
19
        }
20

21
        # Collect compliance data for each framework
22
        for framework in ['gdpr', 'hipaa', 'pci_dss', 'sox']:
23
            framework_data = self.assess_framework_compliance(framework)
24
            snapshot['frameworks'][framework] = framework_data
25

26
            # Track critical violations
27
            critical = [v for v in framework_data['violations']
28
                       if v['severity'] == 'critical']
29
            snapshot['critical_violations'].extend(critical)
30

31
        # Calculate overall score
32
        scores = [f['compliance_score']
33
                 for f in snapshot['frameworks'].values()]
34
        snapshot['overall_score'] = np.mean(scores)
35

36
        # Trend analysis
37
        snapshot['trending'] = self.calculate_trends()
38

39
        return snapshot
40

41
    def generate_audit_report(self, framework, date_range):
42
        """Generate detailed audit report"""
43
        report = {
44
            'framework': framework,
45
            'period': date_range,
46
            'sections': {}
47
        }
48

49
        # Evidence collection
50
        report['sections']['evidence'] = self.collect_audit_evidence(
51
            framework, date_range
52
        )
53

54
        # Control assessment
55
        report['sections']['controls'] = self.assess_controls(framework)
56

57
        # Violation history
58
        report['sections']['violations'] = self.get_violation_history(
59
            framework, date_range
60
        )
61

62
        # Remediation tracking
63
        report['sections']['remediation'] = self.track_remediation_progress(
64
            framework
65
        )
66

67
        return report

Automated Evidence Collection#

1
class EvidenceCollector:
2
    def __init__(self):
3
        self.evidence_types = {
4
            'gdpr': {
5
                'consent_records': self.collect_consent_records,
6
                'data_processing': self.collect_processing_activities,
7
                'breach_notifications': self.collect_breach_records,
8
                'dpia_results': self.collect_dpia_documents
9
            },
10
            'hipaa': {
11
                'access_logs': self.collect_phi_access_logs,
12
                'risk_assessments': self.collect_risk_assessments,
13
                'training_records': self.collect_training_compliance,
14
                'baa_agreements': self.collect_baa_documents
15
            },
16
            'pci_dss': {
17
                'scan_results': self.collect_vulnerability_scans,
18
                'penetration_tests': self.collect_pentest_results,
19
                'change_management': self.collect_change_records,
20
                'network_diagrams': self.collect_network_documentation
21
            }
22
        }
23

24
    def collect_evidence(self, framework, requirement):
25
        """Automatically collect compliance evidence"""
26
        evidence = {
27
            'requirement': requirement,
28
            'collected_at': datetime.now(),
29
            'artifacts': []
30
        }
31

32
        # Collect relevant evidence types
33
        if framework in self.evidence_types:
34
            for evidence_type, collector in self.evidence_types[framework].items():
35
                if self.is_relevant(evidence_type, requirement):
36
                    artifacts = collector(requirement)
37
                    evidence['artifacts'].extend(artifacts)
38

39
        # Validate evidence completeness
40
        evidence['completeness'] = self.validate_evidence(evidence)
41

42
        return evidence

Remediation Automation#

Automated Compliance Fixes#

1
<!-- Automated Remediation Rules -->
2
<ossec_config>
3
  <!-- GDPR Remediation -->
4
  <active-response>
5
    <command>encrypt-pii-data</command>
6
    <location>local</location>
7
    <rules_id>600001</rules_id>
8
    <timeout>0</timeout>
9
  </active-response>
10

11
  <!-- HIPAA Remediation -->
12
  <active-response>
13
    <command>disable-inactive-phi-account</command>
14
    <location>local</location>
15
    <rules_id>600030</rules_id>
16
    <timeout>0</timeout>
17
  </active-response>
18

19
  <!-- PCI DSS Remediation -->
20
  <active-response>
21
    <command>enable-cde-logging</command>
22
    <location>local</location>
23
    <rules_id>600042</rules_id>
24
    <timeout>0</timeout>
25
  </active-response>
26

27
  <!-- Multi-Framework -->
28
  <active-response>
29
    <command>comprehensive-compliance-fix</command>
30
    <location>server</location>
31
    <rules_id>600001,600021,600040</rules_id>
32
  </active-response>
33
</ossec_config>

Remediation Tracking#

1
class RemediationTracker:
2
    def __init__(self):
3
        self.remediation_sla = {
4
            'critical': timedelta(hours=4),
5
            'high': timedelta(days=1),
6
            'medium': timedelta(days=7),
7
            'low': timedelta(days=30)
8
        }
9

10
    def track_remediation(self, violation):
11
        """Track remediation progress"""
12
        remediation = {
13
            'violation_id': violation['id'],
14
            'detected_at': violation['timestamp'],
15
            'severity': violation['severity'],
16
            'sla': self.calculate_sla(violation),
17
            'status': 'pending',
18
            'actions': []
19
        }
20

21
        # Automated remediation attempt
22
        if self.can_auto_remediate(violation):
23
            result = self.attempt_auto_remediation(violation)
24
            remediation['actions'].append({
25
                'type': 'automated',
26
                'timestamp': datetime.now(),
27
                'result': result
28
            })
29

30
            if result['success']:
31
                remediation['status'] = 'resolved'
32
                remediation['resolved_at'] = datetime.now()
33

34
        # Create ticket for manual remediation
35
        if remediation['status'] == 'pending':
36
            ticket = self.create_remediation_ticket(violation)
37
            remediation['ticket_id'] = ticket['id']
38
            remediation['assigned_to'] = ticket['assignee']
39

40
        return remediation

Compliance Testing Framework#

Continuous Compliance Validation#

1
class ComplianceTester:
2
    def __init__(self):
3
        self.test_suites = {
4
            'gdpr': GDPRTestSuite(),
5
            'hipaa': HIPAATestSuite(),
6
            'pci_dss': PCIDSSTestSuite()
7
        }
8

9
    def run_compliance_tests(self, framework, scope='full'):
10
        """Execute compliance test suite"""
11
        test_results = {
12
            'framework': framework,
13
            'timestamp': datetime.now(),
14
            'scope': scope,
15
            'tests': [],
16
            'summary': {}
17
        }
18

19
        suite = self.test_suites[framework]
20
        tests = suite.get_tests(scope)
21

22
        for test in tests:
23
            result = self.execute_test(test)
24
            test_results['tests'].append({
25
                'test_id': test['id'],
26
                'requirement': test['requirement'],
27
                'description': test['description'],
28
                'result': result['status'],
29
                'evidence': result['evidence'],
30
                'findings': result['findings']
31
            })
32

33
        # Calculate summary
34
        test_results['summary'] = self.calculate_test_summary(
35
            test_results['tests']
36
        )
37

38
        return test_results
39

40
    def execute_test(self, test):
41
        """Execute individual compliance test"""
42
        try:
43
            # Run test procedure
44
            evidence = test['procedure']()
45

46
            # Validate against expected results
47
            findings = test['validator'](evidence)
48

49
            return {
50
                'status': 'pass' if not findings else 'fail',
51
                'evidence': evidence,
52
                'findings': findings
53
            }
54
        except Exception as e:
55
            return {
56
                'status': 'error',
57
                'evidence': None,
58
                'findings': [str(e)]
59
            }

Integration with GRC Platforms#

GRC API Integration#

1
class GRCIntegration:
2
    def __init__(self, grc_config):
3
        self.grc_apis = {
4
            'servicenow': ServiceNowGRC(grc_config['servicenow']),
5
            'archer': ArcherGRC(grc_config['archer']),
6
            'metricstream': MetricStreamGRC(grc_config['metricstream'])
7
        }
8

9
    def sync_compliance_data(self):
10
        """Sync Wazuh compliance data with GRC platforms"""
11
        compliance_data = self.collect_wazuh_compliance_data()
12

13
        for platform, api in self.grc_apis.items():
14
            try:
15
                # Transform data to platform format
16
                transformed = self.transform_for_platform(
17
                    compliance_data, platform
18
                )
19

20
                # Push to GRC platform
21
                result = api.update_compliance_status(transformed)
22

23
                # Handle response
24
                if result['success']:
25
                    self.log_sync_success(platform, result)
26
                else:
27
                    self.handle_sync_failure(platform, result)
28

29
            except Exception as e:
30
                self.handle_sync_error(platform, e)

Compliance Metrics and ROI#

Compliance Performance Dashboard#

1
{
2
  "compliance_metrics": {
3
    "overall_compliance_score": 92.3,
4
    "framework_scores": {
5
      "gdpr": 94.1,
6
      "hipaa": 91.8,
7
      "pci_dss": 89.7,
8
      "sox": 93.5
9
    },
10
    "automation_metrics": {
11
      "violations_auto_detected": 3421,
12
      "violations_auto_remediated": 2876,
13
      "automation_rate": 0.84,
14
      "manual_interventions": 545
15
    },
16
    "audit_performance": {
17
      "audit_prep_time_reduction": "87%",
18
      "evidence_collection_time": "4.2 hours",
19
      "finding_response_time": "2.3 hours",
20
      "continuous_compliance_coverage": "98.7%"
21
    },
22
    "cost_savings": {
23
      "avoided_penalties": "$2.3M",
24
      "reduced_audit_costs": "$450K",
25
      "fte_hours_saved": 3200,
26
      "total_roi": "342%"
27
    },
28
    "violation_trends": {
29
      "total_violations_ytd": 8234,
30
      "critical_violations": 23,
31
      "repeat_violations": 156,
32
      "mttr": "6.4 hours"
33
    }
34
  }
35
}

Best Practices#

1. Framework Mapping#

1
def create_control_mappings():
2
    """Map controls across compliance frameworks"""
3
    mappings = {
4
        'encryption_at_rest': {
5
            'gdpr': ['Article 32(1)(a)'],
6
            'hipaa': ['164.312(a)(2)(iv)'],
7
            'pci_dss': ['3.4.1'],
8
            'iso27001': ['A.10.1.1'],
9
            'nist': ['SC-28']
10
        },
11
        'access_control': {
12
            'gdpr': ['Article 32(1)(b)'],
13
            'hipaa': ['164.312(a)(1)'],
14
            'pci_dss': ['7.1', '7.2'],
15
            'iso27001': ['A.9.1.1'],
16
            'nist': ['AC-2']
17
        }
18
    }
19

20
    return mappings

2. Continuous Improvement#

1
def optimize_compliance_rules():
2
    """Continuously improve compliance detection"""
3
    # Analyze false positives
4
    false_positives = analyze_false_positive_rate()
5

6
    # Tune detection rules
7
    for rule in false_positives['high_fp_rules']:
8
        tune_rule_thresholds(rule)
9

10
    # Add new compliance requirements
11
    new_requirements = check_regulatory_updates()
12
    for req in new_requirements:
13
        create_detection_rule(req)
14

15
    # Validate rule effectiveness
16
    validate_rule_coverage()

Conclusion#

Automated compliance is not about replacing human judgment but augmenting it with continuous, comprehensive monitoring that scales across multiple frameworks. Wazuh’s compliance automation framework transforms compliance from a periodic scramble into a continuous state of readiness. By correlating requirements across frameworks, automating evidence collection, and providing real-time visibility, organizations can maintain compliance while focusing on their core business.

Next Steps#

Map your compliance requirements to Wazuh rules
Deploy framework-specific detection rules
Configure automated evidence collection
Establish remediation workflows
Integrate with existing GRC platforms

Remember: Compliance is not a destination but a journey. Automate the journey, and you’ll always know where you stand.