Wazuh introduces AI-powered threat hunting using local LLM integration

June 13, 2025
Wazuh’s new integration enables security teams to query recent logs using natural language and receive detailed, context-rich responses.

Wazuh has introduced advanced capabilities that integrate artificial intelligence into its threat hunting process by pairing its Security Information and Event Management (SIEM) and Extended Detection and Response (XDR) capabilities with locally deployed large language models (LLMs).

Wazuh’s new integration leverages LLMs such as LLaMA 3 running on Ollama, combined with vectorized log data and LangChain, to enable security teams to query recent logs using natural language and receive detailed, context-rich responses. This setup allows Wazuh users to:

  • Analyze thousands of logs at once for anomalous patterns, lateral movement, or misuse of Living Off the Land Binaries (LOLBins).

  • Detect brute force attacks, unauthorized access attempts, and data exfiltration attempts, even when no explicit detection rule exists.

  • Query for threats in plain English (“Were there any failed SSH logins in the last 24 hours?”) and receive investigative context from the LLM.

The threat hunting engine supports both Linux and Windows endpoints and is fully local, ensuring that sensitive telemetry never leaves the analyst’s environment. The LLM is deployed on-premise, and responses are derived from archived log data processed via FAISS vector stores, HuggingFace embeddings, and a Python-based QA chain.

“Traditional rulesets will always be reactive by design,” said Santiago Bassett, founder & CEO, Wazuh. “By integrating local LLMs, we give defenders the power to ask broader questions, uncover unknown threats, and collapse the time to detection.”

Wazuh also supports dashboard integration for AI-assisted analysis, allowing users to interact with the LLM through a chatbot embedded directly in the OpenSearch-based UI. Queries such as "Who attempted to exfiltrate files this week?" now return event-specific responses with timestamps, user identities, and attack vectors, backed by log forensics.

For technical setup instructions and use cases, visit the Wazuh blog or join the Wazuh Slack community.