DeepSeek LLM + Wazuh + AWS Detections

Ashish Bansal
5 min read · Feb 8, 2025


Let’s Go, “Wazuh+AIng”

In my recent write-ups on Ollama and LLMs like DeepSeek-R1, I started with a basic understanding of how Ollama operates as a local LLM framework and also explored its use for analysing AWS CloudTrail Alerts.

Previously, we explored how we can leverage Ollama to get meaningful security insights from logs. Now, let’s take this a step further and see how we can integrate this process into a Wazuh SIEM ingestion pipeline, effectively automating AWS log analysis and generating AI-driven security recommendations.


I will call it an “Autonomous SOC”: it can help you enhance your threat detection, incident response and security operations with minimal human intervention. That frees your security teams to focus on critical areas rather than spending time manually clicking through alerts and escalating them to the internal teams.

Don’t be mad at me for posting this, if not me then someone else would! Companies like Qevlar AI, Radiant Security and AirMDR are already taking this to the next level with their own advanced AI/ML models.

Deep Anonymous SOC

Let’s accept, the future!

Let’s jump into Wazuh Security Copilot

This approach enables security teams to automate log analysis, enrich SIEM alerts and provide actionable recommendations that can be directly pushed to a ticketing system like JIRA or IRIS for incident response.

We still have a long way to go to reach security response maturity, but let’s look at something to start with. For this we will be using the following:

DeepSeek and Wazuh Integration: CloudTrail Analysis

AWS CloudTrail logs capture every API call made within our AWS environment, which is crucial for deeper security investigations. However, manually analysing these logs is time-consuming and complex, so we use Ollama’s DeepSeek-R1 model to automate the log analysis process and provide AI-driven security recommendations based on detected patterns.

Required steps:

Process Flow

Wazuh Security Copilot: AshishSecDev

1. Server Preparation: Install Ollama and DeepSeek

> sudo apt update && sudo apt upgrade -y
> curl -fsSL https://ollama.com/install.sh | sh
> ollama --version
Install Ollama
Restart Shell and check installed Ollama version
Install DeepSeek Model
Install Python Script dependencies
Ollama API — List LLM Models

2. Python Script: Analyse CloudTrail logs with DeepSeek

A Python script that interacts with the Ollama endpoint, configures the required LLM model, reads stored AWS CloudTrail logs, uses saved prompts for LLM-driven analysis and saves the enriched logs with AI-generated recommendations, which are then ingested into Wazuh.

Refer to below Python script:

Python Code Snippet: DeepSeek <> AWS CloudTrail: Wazuh
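An added example of what such a script can look like (my own illustration, not the author’s script from the screenshot above): it wraps each CloudTrail event in a saved prompt, calls Ollama’s /api/generate endpoint, and appends each enriched event as one JSON object per line, which is what Wazuh’s json log_format expects. The model tag deepseek-r1, the prompt text and the output field ai.agent.recommendation (exposed by Wazuh as data.ai.agent.recommendation) are assumptions.

```python
import json
import urllib.request

OLLAMA_URL = "http://localhost:11434/api/generate"  # default Ollama REST endpoint
MODEL = "deepseek-r1"                                # assumed model tag (ollama pull deepseek-r1)

# Assumed "saved prompt"; tune it to your own triage style.
PROMPT_TEMPLATE = (
    "You are a SOC analyst. Review this AWS CloudTrail event and reply with a short "
    "risk assessment and one concrete remediation recommendation.\n\n{event}"
)


def build_prompt(event: dict) -> str:
    """Render the saved prompt with the raw CloudTrail event embedded as JSON."""
    return PROMPT_TEMPLATE.format(event=json.dumps(event, sort_keys=True))


def ollama_generate(prompt: str, model: str = MODEL, url: str = OLLAMA_URL) -> str:
    """Call Ollama's /api/generate (non-streaming) and return the model's text."""
    body = json.dumps({"model": model, "prompt": prompt, "stream": False}).encode()
    req = urllib.request.Request(url, data=body, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=300) as resp:
        return json.load(resp)["response"]


def enrich_event(event: dict, ask=ollama_generate) -> dict:
    """Return a copy of the event with the LLM answer under ai.agent.recommendation.
    `ask` is injectable so the logic can be tested without a running Ollama."""
    out = dict(event)
    out["ai"] = {"agent": {"model": MODEL, "recommendation": ask(build_prompt(event)).strip()}}
    return out


def enrich_file(src: str, dst: str, ask=ollama_generate) -> int:
    """Read a single CloudTrail event or a {"Records": [...]} export from src and
    append the enriched events to dst as newline-delimited JSON (one object per
    line), the layout Wazuh's <log_format>json</log_format> reads correctly."""
    with open(src) as f:
        data = json.load(f)
    records = data["Records"] if isinstance(data, dict) and "Records" in data else [data]
    with open(dst, "a") as f:
        for rec in records:
            f.write(json.dumps(enrich_event(rec, ask)) + "\n")
    return len(records)


if __name__ == "__main__":
    import sys  # usage: python deepseek_cloudtrail.py input.json /opt/ollama/cloudtrail/out.json
    n = enrich_file(sys.argv[1], sys.argv[2])
    print(f"enriched {n} event(s) into {sys.argv[2]}")
```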

Sample JSON

{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "Root",
    "principalId": "444455556666",
    "arn": "arn:aws:iam::444455556666:root",
    "accountId": "444455556666",
    "accessKeyId": "EXAMPLEAOTKEG44KPW5P",
    "sessionContext": {
      "sessionIssuer": {},
      "webIdFederationData": {},
      "attributes": {
        "creationDate": "2022-11-25T13:01:14Z",
        "mfaAuthenticated": "false"
      }
    }
  },
  "eventTime": "2022-11-25T13:01:14Z",
  "eventSource": "iam.amazonaws.com",
  "eventName": "ChangePassword",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "192.0.2.0",
  "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36",
  "requestParameters": null,
  "responseElements": null,
  "requestID": "c64254c2-e4ff-49c0-900e-EXAMPLE9e6d2",
  "eventID": "d059176c-4f4d-4a9e-b8d7-EXAMPLE2b7b3",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "444455556666",
  "eventCategory": "Management"
}

Beautify JSON:

Update the sample “AWS CloudTrail” file to use it as the input file
You can also use echo to append to the file

Run the Python script as shown below, or schedule it with cron:

Run DeepSeek Analysis
Check the Output file
Check the JSON format using jq . <FileName>

3. Configure Wazuh: Set up file reading for the output file and test rules.

$ vi /var/ossec/etc/ossec.conf

<ossec_config>

<localfile>
<log_format>json</log_format>
<location>/opt/ollama/*.json</location>
</localfile>

<localfile>
<log_format>json</log_format>
<location>/opt/ollama/cloudtrail/*.json</location>
</localfile>

</ossec_config>

Setup Rule in Rules file:

<group name="aws, cloudtrail, iam">
<rule id="100990" level="9">
<decoded_as>json</decoded_as>
<field name="eventName">ChangePassword</field>
<description>IAM password change detected - AWS CloudTrail logs</description>
<group>aws, cloudtrail, iam</group>
</rule>
</group>

Test Wazuh Rules trigger using the logs from output file:

You can test it using the CLI in Wazuh: $ /var/ossec/bin/wazuh-logtest

Wazuh Rule Test CLI

Check rule trigger in Wazuh GUI

#1 Wazuh AI Triggered
#2 Wazuh AI enriched field
#3 Wazuh AI Complete Summary

4. Integrate Jira/IRIS: The final step will be to integrate the ticketing platform with Wazuh alerts so that the data.ai.agent.recommendation field is added as a comment in the tickets. It ensures that other team members can understand the issue and provide relevant supporting comments accordingly.

Jira Integration: You can refer here!

Final Thoughts: I first analyzed the AWS logs via DeepSeek and then sent them to Wazuh, but that’s just an example for the AWS GuardDuty or CloudTrail use case.

There are multiple possible approaches: send the CloudTrail logs to Ollama first, or let Wazuh generate the alerts and then process them in Jira/IRIS using an Ollama template or plugin for analysis and comments.

It’s entirely up to you; however, my initial thought was to fine-tune the prompts and build confidence in filtering only high and medium severity alerts for Wazuh.

Hope this was a valuable learning experience and an insightful use case!

Feel free to reach out to me with any suggestions — happy to help!

~Happy Learning!
AshishSecDev
