Integrating AI with Wazuh for Advanced Threat Detection

Cybersecurity threats are evolving rapidly, and traditional Security Information and Event Management (SIEM) solutions like Wazuh can struggle to detect zero-day attacks, advanced persistent threats (APT), and insider threats. By integrating AI models such as DeepSeek-R1, BERT, or Autoencoders, security teams can enhance Wazuh’s threat detection capabilities with machine learning and natural language processing (NLP).

Want hands-on cybersecurity skills? Learn how to simulate attacks, monitor threats, and build a real-world defense lab using free tools like GNS3, Wazuh, and Docker.
🔧 Build Your Own Cybersecurity Lab with GNS3 + Wazuh + Docker – Train, Detect, and Defend in One Platform

Looking for an affordable SIEM that actually works? Discover how Wazuh helps companies monitor, detect, and respond to threats—without breaking the bank.
🛡️ Strengthen Your Cybersecurity Posture with Wazuh – A Scalable & Cost-Effective SIEM Solution

Before you deploy Wazuh, get to know how it works. This deep-dive explains Wazuh’s internal architecture, key use cases, and how to apply it in real-world scenarios.
📚 Understanding Wazuh: Architecture, Use Cases, and Real-World Applications

This blog post will guide you through integrating AI-based threat detection into Wazuh, using real-time log analysis to identify anomalies and classify security events.

Why Use AI with Wazuh?

While Wazuh is excellent for log collection, rule-based detection, and compliance, it has limitations:
✅ Rule-based detection may fail against new attack patterns.\
✅ High false positive rates can overwhelm security teams.\
✅ Manual threat analysis is slow and inefficient.

🔹 AI can automate log analysis, detect anomalies, and reduce false positives.

Architecture: AI + Wazuh Workflow

The workflow integrates Wazuh’s event logging system with an AI-powered threat detection engine, classifying logs as benign or malicious.

flowchart TD
    A[Wazuh Logs] -->|Fetch Logs| B[AI Processing]
    B -->|Threat Classification| C{Threat Detected?}
    C -->|Yes| D[Send AI Alert to Wazuh]
    C -->|No| E[Mark as Benign]
    D --> F[Security Team Notification]
    E --> G[Log Entry Stored]

Step 1: Fetching Wazuh Logs

Wazuh provides an API to retrieve security logs. Using Python, we can pull these logs for AI processing:

import requests

API_URL = "https://wazuh-server:55000/agents/000/logs"
HEADERS = {"Authorization": "Bearer YOUR_API_KEY"}

response = requests.get(API_URL, headers=HEADERS, verify=False)
logs = response.json()

log_texts = [log["message"] for log in logs["data"]]
print(log_texts)

🔹 This fetches real-time logs from Wazuh for analysis.

Step 2: AI-Powered Log Classification

We use a pre-trained AI model to classify logs as benign or malicious.

from transformers import pipeline

model = pipeline("text-classification", model="deepseek-ai/deepseek-r1")

log_entry = "User admin failed login from suspicious IP 192.168.1.100"
result = model(log_entry)

print(result)  # Output: ['malicious' or 'benign']

🔹 Use Case: Detect brute-force attacks, phishing, and malware activity.

Step 3: Detecting Anomalies in Logs

For unknown attack patterns, we use an Isolation Forest model for anomaly detection.

from sklearn.ensemble import IsolationForest
import numpy as np

log_data = np.random.rand(1000, 10)  # Simulated log feature vectors
model = IsolationForest(contamination=0.05)
model.fit(log_data)

anomalies = model.predict(log_data[-10:])
print(anomalies)  # -1 = anomaly, 1 = normal

🔹 Use Case: Identify zero-day attacks, insider threats, and unusual activity.

Step 4: Sending AI Alerts to Wazuh

Once a threat is detected, we send an alert back to Wazuh for further action.

alert = {
    "rule": {"description": "AI detected anomaly", "id": 9999},
    "location": "AI Model",
    "full_log": "Suspicious activity detected in logs"
}

response = requests.post("https://wazuh-server:55000/alerts", headers=HEADERS, json=alert, verify=False)
print(response.status_code)  # 200 means success

🔹 The AI alert is now visible in Wazuh’s dashboard.

Step 5: Automating AI Integration with Wazuh

Option 1: Automate AI Log Analysis with a Cron Job

To schedule log analysis every 5 minutes, add this to your cron job:

crontab -e

Add:

*/5 * * * * python3 /home/user/ai_threat_detection.py

Option 2: Deploy AI as an API for Wazuh

For real-time log analysis, deploy an AI-powered API.

from fastapi import FastAPI, Request
from transformers import pipeline

app = FastAPI()
model = pipeline("text-classification", model="deepseek-ai/deepseek-r1")

@app.post("/analyze_log/")
async def analyze_log(request: Request):
    data = await request.json()
    log_entry = data["log"]
    result = model(log_entry)
    return {"verdict": result[0]["label"]}

🔹 Now, Wazuh can send logs to the API for real-time AI-based analysis.

Final Thoughts

🔹 AI-powered security improves threat detection and response by reducing false positives and detecting unknown threats.\
🔹 Wazuh + AI models like DeepSeek-R1 and Isolation Forest can automate log analysis and anomaly detection.\
🔹 You can deploy this integration via scheduled scripts or a real-time FastAPI service.

Would you like help setting up AI-powered SIEM automation? Let’s discuss in the comments! 🚀