Introducing Wazuh LLM: Fine-Tuned Llama 3.1 for Security Event Analysis

Introducing Wazuh LLM: Why Specialized Security Analysis Matters

In the cybersecurity world, SOC specialists deal with massive streams of security events daily. Analyzing each alert requires deep knowledge, experience, and time. That’s why I created a specialized language model to assist security analysts in their day-to-day operations.

I’m excited to introduce Wazuh LLM — a fine-tuned version of Llama 3.1 8B, specifically trained for analyzing Wazuh security events. This model is currently in beta testing and available through Ollama under the name OpenNix/wazuh-llama-3.1-8B-v1.

Why a Specialized Model for Wazuh?

General-purpose language models like GPT or base Llama have broad knowledge but don’t specialize in specific tasks. When it comes to security event analysis, you need:

If you’re already using Wazuh with Ollama, you might find our previous guide helpful: Enhancing Wazuh with Ollama: A Cybersecurity Boost (Part 1).

Deep Wazuh Understanding: The model must know the event structure, rules, severity levels, and the context of Wazuh as a SIEM system.

MITRE ATT&CK Knowledge: The ability to map events to tactics and techniques from the MITRE ATT&CK framework is critical for understanding attack chains.

Practical Recommendations: It’s not enough to just describe the problem — the model must suggest concrete actions for incident response.

Risk Assessment: The model should evaluate threat severity and prioritize response efforts.

These requirements formed the foundation for fine-tuning Llama 3.1 8B to create Wazuh LLM.

Key Capabilities: AI-Powered Security Analysis

Wazuh LLM provides structured security event analysis that includes:

Rule Level Determination: Automatic classification of event severity from low to critical level.

Event Type Identification: Determining the incident category — from brute force attempts to rootkit detection.

Detailed Reasoning: Comprehensive explanation of why this event represents a threat and what attack mechanism might be employed.

Risk Assessment: Analysis of potential system impact considering context and possible consequences.

Action Recommendations: Specific steps for incident response, including technical measures and investigation procedures.

Investigation Guidance: Advice for further incident analysis and searching for indicators of compromise.

MITRE ATT&CK Mapping: Automatic correlation of events to tactics and techniques from the MITRE ATT&CK framework.

Multilingual Support: Analysis support in English, Russian, and other languages, making the model useful for international security teams.

Real-World Security Analysis Examples

Let’s look at several practical examples of using Wazuh LLM.

Example 1: SSH Connection Attempt Analysis

Query to the model in English:

ollama run OpenNix/wazuh-llama-3.1-8B-v1 "Analyze this Wazuh alert: SSH login from 192.168.1.100 to root account"

Model response:

Rule Level: 12 - High importance event

Event Type: Unauthorized SSH Login
Detailed Reasoning: There has been an unauthorized SSH login attempt from the IP address 192.168.1.100 to the system's root account. This is a high priority event as it indicates potential compromise of the system.

Risk Assessment: Medium to High Risk - An unauthorized SSH login attempt to the root account may indicate successful exploitation of a vulnerability, brute force attack, or other malicious activity. If left unchecked, this could lead to data breaches, system compromise, service disruption, and other security incidents.

Recommended Actions: Block the source IP 192.168.1.100 at the firewall level, change the root password, review system logs for further indicators of compromise, and run a full system scan with an antivirus program.

Investigation Guidance: Review SSH login history for suspicious activity, check for any successful logins from the same source IP, review system configuration for security vulnerabilities, and monitor system performance for signs of compromise.

MITRE ATT&CK: T1078 - Valid Accounts (possible)

Example 2: Malware Detection Analysis

Query with JSON event structure:

ollama run OpenNix/wazuh-llama-3.1-8B-v1 '{
  "timestamp": "2025-01-15T14:00:00Z",
  "agent": {"id": "000", "name": "malware_detection-00", "ip": "10.0.0.100"},
  "rule": {
    "id": "600",
    "level": 13,
    "description": "Rootkit detected in system",
    "groups": ["rootkit", "malware", "attack"],
    "category": "malware_detection",
    "mitre": {"id": ["T1014"], "tactic": ["Defense Evasion"]}
  },
  "data": {
    "severity": "high",
    "file": "/tmp/malware_0.exe",
    "malware_name": "Trojan.Generic",
    "action": "quarantined",
    "scanner": "ClamAV"
  },
  "location": "/var/log/malware_detection/security.log"
}'

Model response:

Rule Level: 13 - Unusual error

Event Type: Rootkit Detection
Detailed Reasoning: Rule 600 triggered due to detection of rootkit in system. This indicates potential for malicious activity and requires investigation.

Risk Assessment: Medium risk - Rootkits can indicate presence of other malware, compromise system integrity, and provide backdoor access for attackers.

Recommended Actions: Quarantine the detected file (/tmp/malware_0.exe) and notify incident response team. Review system logs for any suspicious activity. Run full system scan with anti-malware software to ensure thorough cleaning.

Investigation Guidance: Document event details, review system configuration for vulnerabilities, check for signs of lateral movement, and report findings to incident response team.

MITRE ATT&CK: T1014 (Rootkit)

Example 3: Brute Force Attack (Russian Query)

ollama run OpenNix/wazuh-llama-3.1-8B-v1 "Я в логах вижу 100500 попыток подключения по ssh, что мне делать?"

Model response in Russian:

Rule Level: 12 - High importance event

Event Type: Brute Force Attack
Detailed Reasoning: Слишком частые попытки подключений по SSH могут свидетельствовать о попытке brute force атаки на систему. Это когда злоумышленник пытается угадать пароль пользователя, используя различные комбинации символов.

Risk Assessment: Риск высокий, поскольку если атакующий успеет угадать пароль, он сможет получить доступ к системе и причинить вред.

Recommended Actions: Нужно увеличить сложность паролей пользователей, включив требования для паролей, такие как наличие большого количества символов и цифр. Кроме того, нужно активировать двухфакторную аутентификацию (2FA) для дополнительной защиты. Система администратор должен также рассмотреть блокировку IP адресов, от которых приходят атакующие запросы.

Investigation Guidance: Нужно проверить логи системы на предмет других атак и проверить пароли пользователей на предмет их безопасности. Следует также определить источник атаки и сообщить об этом в соответствующие органы.

MITRE ATT&CK: T1110 - Brute Force

Example 4: Multilingual Support (Finnish)

ollama run OpenNix/wazuh-llama-3.1-8B-v1 "Lokitiedoissa näkyy 100 500 SSH-yhteysyritystä. Mitä minun pitäisi tehdä?"

Response in Finnish:

Rule Level: 14 - High importance security event

Event Type: Brute Force Attack
Detailed Reasoning: Lokitiedot paljastavat epätavalta suuren määrän yrityksiä luoda SSH-yhteys, mikä viittaa brute force -hyökkäykseen.

Risk Assessment: Brute force -hyökkäykset voivat johtaa salauksen rikkomiseen ja tietokonetta käyttävän käyttäjän tietojen vahingoittamiseen.

Recommended Actions: Käynnistä nopeasti vastatoimenpiteet estääksesi lisättyjä yrityksiä. Tarkista salauksen turvallisuus ja vahvista sitä tarvittaessa.

Investigation Guidance: Tutki tapausta syvällä tarkkaavaisuudella. Tarkasta lokitietoja ja määritä hyökkäyksen aika-ajoin.

MITRE ATT&CK: T1110 (Brute Force) ja T1078 (Valid Accounts)

How to Install and Deploy Wazuh LLM

To use Wazuh LLM, you need to have Ollama installed. The process of running the model is straightforward.

Installing Ollama

If you don’t have Ollama installed yet, follow the installation instructions from the official website:

Linux and macOS:

curl -fsSL https://ollama.com/install.sh | sh

Windows: Download the installer from the official Ollama website.

Docker:

docker run -d -v ollama:/root/.ollama -p 11434:11434 --name ollama ollama/ollama

Downloading Wazuh LLM

After installing Ollama, download the model:

ollama pull OpenNix/wazuh-llama-3.1-8B-v1

Running the Model

For interactive work with the model:

ollama run OpenNix/wazuh-llama-3.1-8B-v1

To analyze a specific alert:

ollama run OpenNix/wazuh-llama-3.1-8B-v1 "Your query or Wazuh event JSON"

Using via API

The model is also available through the Ollama REST API:

curl http://localhost:11434/api/chat -d '{
  "model": "OpenNix/wazuh-llama-3.1-8B-v1",
  "messages": [
    {
      "role": "user",
      "content": "Analyze this Wazuh alert: Multiple failed login attempts from 10.0.0.50"
    }
  ],
  "stream": false
}'

SOC Automation and Workflow Integration

Technical Specifications

Base Model: Meta Llama 3.1 8B

Model Size: Approximately 4.7 GB

Format: GGUF (quantized version for efficient usage)

Resource Requirements: Minimum 8 GB RAM, recommended 16 GB

Supported Languages: English, Russian, Finnish, and others

Specialization: Wazuh security event analysis, SIEM, incident response

Integration Workflows

Wazuh LLM can be integrated into various security workflows:

SOC Dashboard: Automatic alert analysis in real-time with recommendations displayed on the dashboard.

Incident Response Automation: Using the model as part of automated incident response playbooks.

Security Team Chatbot: Creating an interactive assistant for SOC analysts.

API Integrations: Connecting the model to existing SIEM and SOAR platforms via REST API.

Personnel Training: Using the model as a training tool for new security analysts.

For deeper insights on threat intelligence and machine learning in security, check out our guide on Building ML-Powered Threat Intelligence with Honeypot Datasets. Additionally, if you’re working with containers, see how to enhance security with Container Image Security Using Wazuh and Trivy.

Development Status and Roadmap

The model is currently in beta testing. This means I’m actively working on improving response quality and expanding functionality.

Current Capabilities (Beta)

Analysis of Wazuh security events with basic JSON structure and text descriptions performs at a good level. The model provides risk assessment and response recommendations, as well as mapping to the MITRE ATT&CK framework. Multilingual support allows working with queries in English, Russian, and other languages.

Planned Improvements

Future releases will include expanded support for all Wazuh rule types, deeper integration with the MITRE ATT&CK framework, and improved event correlation algorithms for identifying attack chains. There are also plans to add support for large log analysis and automatic incident report generation.

Wazuh LLM vs GPT-4 and Commercial AI Models

You might ask: why use a specialized model when there’s GPT-4 or Claude? Let’s compare.

Specialization vs. Universality

General models like GPT-4 have broad knowledge but don’t specialize in specific domains. Wazuh LLM is trained specifically on the context of Wazuh security events, making its responses more accurate and relevant for SOC analysts.

Local Deployment

Unlike cloud solutions, Wazuh LLM can run locally, which is critical for organizations with data confidentiality requirements. You have complete control over where your security data is processed.

Cost

Using Wazuh LLM through Ollama is free, while commercial model APIs can be expensive with large analysis volumes.

Customization for Your Needs

Since the model is available locally, you can fine-tune it on your specific data and Wazuh rules, which is impossible with commercial cloud solutions.

SOC Analyst Use Cases and Scenarios

Scenario 1: Initial Alert Analysis

A SOC analyst receives an alert about suspicious activity. Instead of spending time on manual analysis, they can send the event to Wazuh LLM and receive structured analysis with recommendations in seconds.

Scenario 2: Training Junior Analysts

New employees can use the model as an interactive learning tool, asking questions about different attack types and receiving detailed explanations with examples.

Scenario 3: Incident Prioritization

With a large number of alerts, the model helps quickly assess the risk of each event and properly prioritize response efforts.

Scenario 4: Incident Documentation

The model can assist in creating structured incident reports, including event description, impact assessment, and remediation recommendations.

Best Practices for Usage

For maximum effectiveness when working with Wazuh LLM, several principles should be followed.

When formulating queries, try to be specific and include as much context as possible. Instead of general descriptions, it’s better to provide the complete JSON structure of the Wazuh event so the model can provide the most accurate analysis.

Use the model’s analysis results as a starting point for your own investigation, not as a final conclusion. The model provides expert recommendations, but the final decision should always be made by a human considering the full context of your infrastructure.

Regularly update the model to the latest version to get improved analysis algorithms and support for new attack types. Combine the model with other security tools to get the most complete picture of an incident.

Conclusion

Wazuh LLM represents a specialized tool for security event analysis that can significantly accelerate SOC analyst work and improve incident response quality. The model is under active development, and I welcome your feedback for its improvement.

Try the model in your work and share your impressions. Together we can make security event analysis more efficient and accessible.

Useful Links

Note: The model is in beta testing. Analysis results should be used as recommendations, not absolute truth. Always conduct additional incident investigation.