Leveraging Wazuh for Compliance with Bank Indonesia and OJK Cybersecurity Regulation (Part 2) — Auditor Guidelines
This article is part of a multi-part series on leveraging Wazuh to meet Bank Indonesia and OJK cybersecurity requirements. If you haven’t read the first installment, which introduces the regulatory landscape and explains how Wazuh aligns with those mandates, you can access it here: https://medium.com/cyberkarta/leveraging-wazuh-for-compliance-with-bank-indonesia-and-ojk-cybersecurity-regulation-part-1-2e6fd3b0a780.
Hi, I’m Ismail — CEO of Cyberkarta, one of the fastest-growing cybersecurity companies in Indonesia. If you have ideas, insights, or challenges in cybersecurity that you’d like to explore together, feel free to reach out through the comments or connect with me on LinkedIn. I’d love to hear from you and collaborate on building a safer and more resilient digital ecosystem.
LinkedIn Profile — https://www.linkedin.com/in/ismail-hakim/
Company Website — https://cyberkarta.com
Introduction
In the context of a Cybersecurity & Information System Resilience audit, reviewing the configuration of a Security Information and Event Management (SIEM) platform is a critical step. A SIEM is more than just a centralized log repository — its configuration determines how effectively it can detect, alert, and respond to potential threats in real time. An improperly tuned SIEM may still collect data, but it could fail to generate actionable alerts, leaving security incidents undetected until it’s too late.
Wazuh exemplifies this broader role. Beyond basic log collection, it provides a comprehensive security monitoring framework that includes threat detection, vulnerability assessment, compliance monitoring, and active response capabilities. This combination makes Wazuh a pivotal tool for organizations aiming to meet regulatory obligations while enhancing their security posture.
From a regulatory standpoint, Indonesia’s financial and payment system sectors operate under stringent security requirements. Regulations such as PBI №2/2024 and PADG №24/2024 from Bank Indonesia, along with POJK №11/03/2022, SEOJK №21/MRTI, and SEOJK №29/SEOJK.03/2022 from Otoritas Jasa Keuangan (OJK), explicitly mandate robust security event monitoring and incident detection capabilities. These rules aim to ensure that financial institutions can swiftly identify, analyze, and respond to threats — objectives that a properly configured Wazuh deployment is well-suited to fulfill.
Understanding the Auditor’s Objective
When assessing Wazuh as part of a Cybersecurity & Information System Resilience audit, the auditor’s primary goal is to determine whether the platform is deployed, configured, and maintained in a way that meets both regulatory obligations and organizational security needs.
- A key focus is on coverage. Wazuh must actively monitor all critical assets — including servers, endpoints, network devices, and applications — to ensure no blind spots exist in the organization’s security posture. This requires verifying not just the presence of agents, but also their proper configuration and operational status.
- From an audit perspective, it is also important to classify assets based on their business function and criticality. For example, core banking systems, payment gateways, and customer data repositories will require a higher level of monitoring and alerting sensitivity compared to non-critical systems.
- Finally, the evaluation should go beyond simply confirming that Wazuh is running. The real test is in its effectiveness — whether it detects relevant security events, generates timely alerts, and supports appropriate responses. A fully operational Wazuh instance that fails to catch actual threats offers a false sense of security and would be considered non-compliant from both a regulatory and operational standpoint.
Audit Preparation
Before conducting the technical review, an auditor should ensure that the necessary context, documentation, and baseline information are in place. This preparation phase is essential for understanding the current Wazuh deployment, identifying potential compliance gaps, and focusing the audit on the most critical areas.
- Request the Wazuh Architecture Diagram: Obtain a clear visual representation of the Wazuh environment, including servers, indexers, dashboards, and agents. This will help verify whether the deployment matches the organization’s documented design and supports high availability, scalability, and security requirements.
- Ask for the List of Monitored Assets & Agent Coverage: Request an inventory of all monitored assets and confirm the Wazuh agent installation status for each. The goal is to ensure complete coverage of critical systems, including servers, endpoints, network devices, and business-critical applications, with no unmonitored gaps.
- Obtain Policies & Procedures: Review documented alert management, tuning, and escalation procedures. This ensures that Wazuh alerts are handled consistently, false positives are managed effectively, and critical events receive timely attention.
- Check Regulatory Requirements vs. Implementation: Compare regulatory requirements (e.g., PBI 2/2024, PADG 24/2024, POJK 11/03/2022, SEOJK guidelines) with the company’s current security monitoring practices. Note that Wazuh and other security tools can complement each other in fulfilling compliance requirements, so it is important to assess them as an integrated monitoring ecosystem.
- Check Version & Update History: Verify the version and update history for both the Wazuh server and agents. Outdated versions may have known vulnerabilities and lack features required for effective monitoring and compliance reporting.
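The agent coverage and version checks above are easiest to evidence when the agent list is compared mechanically against the institution's own critical-asset inventory. The script below is an added example written for this article, not Wazuh's own tooling: it assumes the agent list was exported from the Wazuh API (GET /agents, whose JSON places agents under data.affected_items), and the hostnames, versions, keepalive timestamps and the approved-version baseline it uses are constructed for illustration.

```python
"""Agent coverage and version check against the critical-asset inventory.

Added example for this article, not Wazuh's own tooling. It assumes the agent
list was exported from the Wazuh API (GET /agents), whose JSON places agents
under data.affected_items; the hostnames, versions, timestamps and the
approved-version baseline below are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of a Wazuh API /agents response.
SAMPLE_API_RESPONSE = {
    "data": {
        "affected_items": [
            {"id": "000", "name": "wazuh-manager", "status": "active",
             "version": "Wazuh v4.7.2", "lastKeepAlive": "9999-12-31T23:59:59Z"},
            {"id": "001", "name": "core-banking-db01", "status": "active",
             "version": "Wazuh v4.7.2", "lastKeepAlive": "2024-06-10T08:55:00Z"},
            {"id": "002", "name": "payment-gw01", "status": "disconnected",
             "version": "Wazuh v4.3.10", "lastKeepAlive": "2024-06-01T02:10:00Z"},
            {"id": "003", "name": "hr-portal", "status": "active",
             "version": "Wazuh v4.7.2", "lastKeepAlive": "2024-06-10T08:57:00Z"},
        ],
        "total_affected_items": 4,
    },
    "error": 0,
}

# Constructed inventory: hostname -> business classification (the text asks
# auditors to classify assets by function and criticality).
CRITICAL_ASSETS = {
    "core-banking-db01": "core banking",
    "payment-gw01": "payment gateway",
    "cust-data-repo01": "customer data repository",
}

AUDIT_TIME = datetime(2024, 6, 10, 9, 0, tzinfo=timezone.utc)
MIN_VERSION = (4, 7, 0)            # assumed institutional baseline version
MAX_KEEPALIVE_AGE = timedelta(minutes=30)


def parse_version(version_string):
    """'Wazuh v4.7.2' -> (4, 7, 2), so versions compare correctly as tuples."""
    return tuple(int(part) for part in version_string.split("v")[-1].split("."))


def coverage_findings(api_response, critical_assets,
                      now=AUDIT_TIME, min_version=MIN_VERSION):
    """Return (hostname, classification, finding) tuples for every gap.

    An asset produces a finding if it has no agent, its agent is not active,
    its agent is below the baseline version, or its last keepalive is stale.
    """
    agents = {a["name"]: a for a in api_response["data"]["affected_items"]
              if a["id"] != "000"}          # id 000 is the manager itself
    findings = []
    for host, role in sorted(critical_assets.items()):
        agent = agents.get(host)
        if agent is None:
            findings.append((host, role, "missing agent"))
            continue
        if agent["status"] != "active":
            findings.append((host, role, f"agent {agent['status']}"))
        if parse_version(agent["version"]) < min_version:
            findings.append((host, role, f"outdated agent {agent['version']}"))
        # Python < 3.11 does not accept a trailing "Z" in fromisoformat.
        last_seen = datetime.fromisoformat(
            agent["lastKeepAlive"].replace("Z", "+00:00"))
        if now - last_seen > MAX_KEEPALIVE_AGE:
            findings.append(
                (host, role, f"stale keepalive {agent['lastKeepAlive']}"))
    return findings


if __name__ == "__main__":
    for host, role, finding in coverage_findings(SAMPLE_API_RESPONSE, CRITICAL_ASSETS):
        print(f"{host:<20} {role:<26} {finding}")
```

To run this against a live deployment, replace SAMPLE_API_RESPONSE with the parsed JSON of the API export and CRITICAL_ASSETS with the institution's inventory; the resulting table, together with the export itself, is the evidence for the coverage and version controls. Note that a non-critical host with no agent (hr-portal-style systems) is deliberately not reported here, since the inventory, not the agent list, defines scope.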
Audit Scope and Audit Controls
This audit scope focuses on evaluating the deployment, configuration, and operational effectiveness of Wazuh as part of the organization’s security monitoring and incident detection framework based on PBI №2/2024 and PADG №24/2024 from Bank Indonesia, along with POJK №11/03/2022, SEOJK №21/MRTI, and SEOJK №29/SEOJK.03/2022 from Otoritas Jasa Keuangan (OJK). It covers core deployment checks to verify system health, coverage, secure communications, and infrastructure readiness; configuration reviews of agents, groups, and server settings to ensure alignment with security requirements; rules and detection capabilities to confirm coverage of organization-specific threats and detection accuracy; compliance and vulnerability modules to validate regulatory alignment and vulnerability identification; and alert management and response processes to assess classification, notification, escalation, and automated response effectiveness. This scope ensures Wazuh is not only running but delivering actionable, compliant, and timely security intelligence. The following audit controls are designed to guide auditors in systematically evaluating Wazuh’s deployment.
Audit Evidence Collection
To ensure transparency, traceability, and verifiability of audit findings, auditors should collect and retain supporting evidence for each control tested. This documentation not only substantiates audit conclusions but also provides a reference for remediation and follow-up reviews. For each audit check performed, evidence should include:
- Screenshot from Wazuh Dashboard: Capture relevant screens showing system status, configurations, alerts, or scan results. Screenshots should clearly display timestamps, asset identifiers, and any relevant filter criteria applied.
- Configuration File Excerpt: Extract the specific portion of the configuration file (e.g., /var/ossec/etc/ossec.conf, decoder XML files, rules) that demonstrates the control setting or parameter being audited. Redact any sensitive information not essential to the audit record.
- Command Output (with Date/Time): Include terminal output from commands executed during the audit (e.g., cluster status checks, service health commands, rule validation tests). Ensure that the output includes the date and time to confirm the context and validity of the evidence.
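Capturing command output with a timestamp is more defensible when the record also carries the exact command, the host and a hash of the output, so a reviewer can later confirm the excerpt was not edited. The helper below is an added example for this article, not Wazuh's own tooling; the control identifier, host name and the placeholder command it runs are constructed, and the Wazuh commands mentioned in the comments are only examples of what an auditor would substitute.

```python
"""Timestamped, hash-verified capture of command output as audit evidence.

Added example for this article, not Wazuh's own tooling. It runs a command,
records the UTC time, the exact argv, the exit code and the output, and stores
a SHA-256 of the output so the record can later be shown to be unaltered.
The control identifier, host name and sample command are placeholders.
"""
import hashlib
import json
import subprocess
import sys
from datetime import datetime, timezone


def capture_evidence(control_id, argv, host="audited-host"):
    """Run argv and return a JSON-serialisable evidence record."""
    started = datetime.now(timezone.utc)
    result = subprocess.run(argv, capture_output=True, text=True)
    output = result.stdout + result.stderr
    return {
        "control_id": control_id,
        "host": host,
        "collected_at": started.isoformat(timespec="seconds"),
        "command": argv,
        "exit_code": result.returncode,
        "output": output,
        "output_sha256": hashlib.sha256(output.encode()).hexdigest(),
    }


def verify_record(record):
    """Re-hash the stored output; False means the record was altered."""
    digest = hashlib.sha256(record["output"].encode()).hexdigest()
    return digest == record["output_sha256"]


def append_record(record, path):
    """Append one record per line (JSON Lines) to the evidence file."""
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(record, sort_keys=True) + "\n")


def sample_record():
    """Placeholder capture; on a Wazuh manager the argv would be a real
    check such as ["/var/ossec/bin/wazuh-control", "info"] for the version
    control or ["/var/ossec/bin/agent_control", "-l"] for agent status."""
    return capture_evidence("WZ-VER-01", [sys.executable, "-c", "print('ok')"])


if __name__ == "__main__":
    print(json.dumps(sample_record(), indent=2))
```

Keeping the evidence file append-only (JSON Lines) and hashing each output separately means a single altered excerpt fails verify_record without invalidating the rest of the audit trail.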
Common Audit Findings
During Wazuh configuration and effectiveness audits, several recurring issues are often identified. These findings highlight gaps that can reduce the platform’s ability to provide timely and accurate threat detection:
- Missing Agent on Critical Systems: Critical servers, endpoints, or network devices are not covered by a Wazuh agent, creating blind spots in monitoring and alerting.
- FIM Not Monitoring Sensitive Application Directories: File Integrity Monitoring (<syscheck>) is either disabled or not configured to cover critical application paths, allowing unauthorized changes to go undetected.
- Outdated or Unmaintained Detection Rules: Wazuh still operates with the initial ruleset configuration without periodic updates, resulting in missed detection of new threats or vulnerabilities.
- Outdated Wazuh Version: Running an older version of Wazuh exposes the environment to known vulnerabilities and prevents access to the latest detection capabilities and features.
- Alerts Not Integrated into Incident Response Workflow: Generated alerts are not linked to documented escalation or response processes, leading to delays in containment and remediation efforts.
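The FIM finding above, and the configuration-file excerpt the evidence section asks for, can both be produced by reading the <syscheck> section of /var/ossec/etc/ossec.conf and comparing it against the list of sensitive application paths. The checker below is an added example for this article, not Wazuh's own code. The element and attribute names it reads (disabled, frequency, directories with check_all, realtime and report_changes) are the real syscheck options; the two configuration excerpts and the list of sensitive paths are constructed, with the first excerpt reproducing the common finding and the second showing the corrected configuration.

```python
"""Check that Wazuh File Integrity Monitoring (<syscheck>) covers the
application paths the institution classifies as sensitive.

Added example for this article, not Wazuh's own code. The element and
attribute names below are the real syscheck options; the configuration
excerpts and the sensitive-path list are constructed for illustration.
"""
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

# Constructed excerpt reproducing the finding: syscheck is enabled, but only
# default system paths are watched, so application directories are blind.
WEAK_OSSEC_CONF = """
<ossec_config>
  <syscheck>
    <disabled>no</disabled>
    <frequency>43200</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin,/boot</directories>
  </syscheck>
</ossec_config>
<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
  </global>
</ossec_config>
"""

# Constructed corrected excerpt: application paths watched in real time.
HARDENED_OSSEC_CONF = """
<ossec_config>
  <syscheck>
    <disabled>no</disabled>
    <frequency>43200</frequency>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes" realtime="yes">/etc/ssl/private</directories>
    <directories check_all="yes" realtime="yes">/opt/corebanking/conf,/opt/corebanking/bin</directories>
    <directories check_all="yes" realtime="yes" report_changes="yes">/opt/payment-gw/conf</directories>
  </syscheck>
</ossec_config>
"""

# Constructed list of paths the audited institution classifies as sensitive.
SENSITIVE_PATHS = ["/opt/corebanking/conf", "/opt/corebanking/bin",
                   "/opt/payment-gw/conf", "/etc/ssl/private"]


def syscheck_directories(conf_text):
    """Return (disabled, {path: attributes}) from every <syscheck> block.

    ossec.conf may hold several top-level <ossec_config> elements, which is
    not well-formed XML on its own, so the text is wrapped in a root first.
    """
    root = ET.fromstring("<root>" + conf_text + "</root>")
    disabled, watched = False, {}
    for sc in root.iter("syscheck"):
        flag = sc.findtext("disabled")
        if flag is not None and flag.strip().lower() == "yes":
            disabled = True
        for el in sc.findall("directories"):
            for raw in (el.text or "").split(","):   # comma-separated paths
                if raw.strip():
                    watched[raw.strip()] = dict(el.attrib)
    return disabled, watched


def fim_findings(conf_text, sensitive_paths, require_realtime=True):
    """Return (path, finding) tuples for sensitive paths not adequately watched."""
    disabled, watched = syscheck_directories(conf_text)
    if disabled:
        return [(p, "syscheck disabled") for p in sensitive_paths]
    findings = []
    for p in sensitive_paths:
        target = PurePosixPath(p)
        # syscheck recurses into subdirectories, so a watched ancestor counts.
        matches = [w for w in watched
                   if PurePosixPath(w) == target or PurePosixPath(w) in target.parents]
        if not matches:
            findings.append((p, "not monitored"))
            continue
        attrs = watched[max(matches, key=len)]      # most specific entry wins
        if attrs.get("check_all") != "yes":
            findings.append((p, "check_all not enabled"))
        if require_realtime and attrs.get("realtime") != "yes":
            findings.append((p, "realtime not enabled"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_OSSEC_CONF), ("hardened", HARDENED_OSSEC_CONF)):
        print(label, fim_findings(conf, SENSITIVE_PATHS) or "no findings")
```

On a real manager, read the text of /var/ossec/etc/ossec.conf into conf_text; the weak excerpt yields findings for all three application paths, while /etc/ssl/private is reported only because it inherits a scheduled-scan-only entry from /etc, which is why the corrected excerpt lists it explicitly with realtime enabled.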
Conclusion and Recommendations
A well-configured and actively maintained Wazuh deployment is essential for meeting regulatory requirements and ensuring strong Cybersecurity & Information System Resilience. Continuous monitoring and periodic configuration reviews are critical to sustaining detection accuracy, reducing false positives, and maintaining full asset coverage.
It is recommended to conduct quarterly Wazuh health checks to validate deployment status, review rule effectiveness, and confirm alignment with evolving threats and compliance obligations. This should include checks on version currency, agent coverage, ruleset updates, and integration with incident response processes.
To improve oversight and executive awareness, organizations should also implement automated compliance reporting within Wazuh. These reports can provide management with a clear view of monitoring coverage, detected vulnerabilities, and compliance posture, enabling informed decisions and proactive risk mitigation.