Integrating Claude 3.5 Haiku LLM in Wazuh Dashboard for AI-Powered Security Insights#

Introduction#

Imagine having an AI security analyst directly embedded in your Wazuh dashboard, ready to answer questions, explain alerts, and provide security guidance in natural language. By integrating Claude 3.5 Haiku - Anthropic’s fast and efficient LLM - into Wazuh, we create an intelligent interface that transforms how security teams interact with their SIEM.

This integration provides:

💬 Natural language queries about security events
🧠 AI-powered analysis of alerts and vulnerabilities
📚 Instant security knowledge and best practices
🚀 Accelerated incident investigation
🤖 24/7 AI assistance within your dashboard

Why Claude Haiku for Security Operations?#

Claude 3.5 Haiku offers unique advantages for security use cases:

Speed: Sub-second response times for real-time assistance
Accuracy: Strong performance on technical and security tasks
Cost-Effective: Efficient token usage for high-volume queries
Context Understanding: Excellent at interpreting security logs and alerts
Safety: Built-in safeguards against harmful outputs

Architecture Overview#

1
flowchart TB
2
    subgraph "Wazuh Dashboard"
3
        U1[Security Analyst] --> C1[Chat Interface]
4
        C1 --> O1[OpenSearch Assistant]
5
    end
6

7
    subgraph "OpenSearch Plugins"
8
        O1 --> P1[ML Commons Plugin]
9
        P1 --> P2[Flow Framework]
10
        P2 --> P3[Skills Plugin]
11
        P3 --> P4[Assistant Plugin]
12
    end
13

14
    subgraph "ML Framework"
15
        P1 --> A1[Agent]
16
        A1 --> C2[Connector]
17
        C2 --> M1[Model Configuration]
18
    end
19

20
    subgraph "AWS Bedrock"
21
        M1 --> B1[API Gateway]
22
        B1 --> B2[Claude 3.5 Haiku]
23
        B2 --> B3[Response Processing]
24
    end
25

26
    subgraph "Security Features"
27
        B3 --> S1[Query Analysis]
28
        S1 --> S2[Security Context]
29
        S2 --> S3[Response Generation]
30
        S3 --> O1
31
    end
32

33
    style U1 fill:#4dabf7
34
    style O1 fill:#51cf66
35
    style B2 fill:#ffd43b
36
    style S3 fill:#ff6b6b

Prerequisites#

Infrastructure Requirements#

Wazuh Server (Ubuntu 24.04):
- Wazuh 4.12.0 central components
- Minimum 8GB RAM, 4 CPUs
- Internet connectivity for AWS
AWS Environment:
- AWS account with Bedrock access
- IAM permissions for Claude 3.5 Haiku
- Active AWS region (us-west-2 recommended)

Implementation Guide#

Part 1: AWS Configuration#

Enable Claude 3.5 Haiku Model#

Access Amazon Bedrock:

1
AWS Console → Amazon Bedrock → Model Access

Enable Claude 3.5 Haiku:
- Click “Enable specific models”
- Select “Claude 3.5 Haiku”
- Submit request (may require support ticket)
Verify Model Access:
- Status should show “Access granted”
- Note the model ID: anthropic.claude-3-5-haiku-20241022-v1:0

Create IAM User and Credentials#

Create IAM User:

1
IAM → Users → Create User
2
Name: wazuh-claude-integration

Generate Access Keys:

1
Security Credentials → Create Access Key
2
Use Case: Application running outside AWS

Save Credentials:

1
Access Key ID: AKIA...
2
Secret Access Key: wJal...

Configure IAM Policies#

Create Custom Policy (WazuhBedrockAccess):

1
{
2
  "Version": "2012-10-17",
3
  "Statement": [
4
    {
5
      "Sid": "MarketplaceBedrock",
6
      "Effect": "Allow",
7
      "Action": [
8
        "aws-marketplace:ViewSubscriptions",
9
        "aws-marketplace:Unsubscribe",
10
        "aws-marketplace:Subscribe"
11
      ],
12
      "Resource": "*"
13
    }
14
  ]
15
}

Attach Policies:
- Custom: WazuhBedrockAccess
- AWS Managed: AmazonBedrockFullAccess

Part 2: Install OpenSearch Plugins#

Download and Install Plugins#

1
# Download OpenSearch Dashboard plugins
2
curl https://artifacts.opensearch.org/releases/bundle/opensearch-dashboards/2.13.0/opensearch-dashboards-2.13.0-linux-x64.tar.gz -o opensearch-dashboards.tar.gz
3

4
# Extract archive
5
tar -xvzf opensearch-dashboards.tar.gz
6

7
# Copy required plugins to Wazuh dashboard
8
cp -r opensearch-dashboards-2.13.0/plugins/observabilityDashboards/ /usr/share/wazuh-dashboard/plugins/
9
cp -r opensearch-dashboards-2.13.0/plugins/mlCommonsDashboards/ /usr/share/wazuh-dashboard/plugins/
10
cp -r opensearch-dashboards-2.13.0/plugins/assistantDashboards/ /usr/share/wazuh-dashboard/plugins/
11

12
# Set correct permissions
13
chown -R wazuh-dashboard:wazuh-dashboard /usr/share/wazuh-dashboard/plugins/observabilityDashboards/
14
chown -R wazuh-dashboard:wazuh-dashboard /usr/share/wazuh-dashboard/plugins/mlCommonsDashboards/
15
chown -R wazuh-dashboard:wazuh-dashboard /usr/share/wazuh-dashboard/plugins/assistantDashboards/
16

17
chmod -R 750 /usr/share/wazuh-dashboard/plugins/observabilityDashboards/
18
chmod -R 750 /usr/share/wazuh-dashboard/plugins/mlCommonsDashboards/
19
chmod -R 750 /usr/share/wazuh-dashboard/plugins/assistantDashboards/

Configure Dashboard Settings#

Edit /etc/wazuh-dashboard/opensearch_dashboards.yml:

1
# Enable AI Assistant features
2
assistant.chat.enabled: true
3
observability.query_assist.enabled: true

Install Indexer Plugins#

1
# Navigate to Wazuh indexer directory
2
cd /usr/share/wazuh-indexer/
3

4
# Install required plugins
5
./bin/opensearch-plugin install org.opensearch.plugin:opensearch-flow-framework:2.13.0.0
6
./bin/opensearch-plugin install org.opensearch.plugin:opensearch-skills:2.13.0.0
7

8
# Restart Wazuh dashboard
9
systemctl restart wazuh-dashboard

Part 3: Configure Claude Integration#

Navigate to Indexer Management → DevTools in Wazuh dashboard.

1. Enable ML Commons#

1
PUT /_cluster/settings
2
{
3
  "persistent": {
4
    "plugins.ml_commons.only_run_on_ml_node": "false"
5
  }
6
}

2. Create Claude Connector#

1
POST /_plugins/_ml/connectors/_create
2
{
3
  "name": "Amazon Bedrock Claude Haiku",
4
  "description": "Connector for Claude 3.5 Haiku security analysis",
5
  "version": 1,
6
  "protocol": "aws_sigv4",
7
  "credential": {
8
    "access_key": "YOUR_ACCESS_KEY",
9
    "secret_key": "YOUR_SECRET_KEY"
10
  },
11
  "parameters": {
12
    "region": "us-west-2",
13
    "service_name": "bedrock",
14
    "auth": "Sig_V4",
15
    "response_filter": "$.content[0].text",
16
    "max_tokens_to_sample": "8000",
17
    "anthropic_version": "bedrock-2023-05-31",
18
    "model": "anthropic.claude-3-5-haiku-20241022-v1:0"
19
  },
20
  "actions": [
21
    {
22
      "action_type": "predict",
23
      "method": "POST",
24
      "headers": {
25
        "content-type": "application/json"
26
      },
27
      "url": "https://bedrock-runtime.us-west-2.amazonaws.com/model/${parameters.model}/invoke",
28
      "request_body": "{\"messages\":[{\"role\":\"user\",\"content\":[{\"type\":\"text\",\"text\":\"${parameters.prompt}\"}]}],\"anthropic_version\":\"${parameters.anthropic_version}\",\"max_tokens\":${parameters.max_tokens_to_sample}}"
29
    }
30
  ]
31
}

Save the connector_id from the response.

3. Create Model Group#

1
POST /_plugins/_ml/model_groups/_register
2
{
3
  "name": "Wazuh Security AI",
4
  "description": "AI models for security analysis"
5
}

Save the model_group_id.

4. Register and Deploy Model#

1
POST /_plugins/_ml/models/_register?deploy=true
2
{
3
  "name": "Claude Security Assistant",
4
  "function_name": "remote",
5
  "model_group_id": "YOUR_MODEL_GROUP_ID",
6
  "description": "Claude 3.5 Haiku for Wazuh security analysis",
7
  "connector_id": "YOUR_CONNECTOR_ID"
8
}

Save the model_id.

5. Create Security-Focused Agent#

1
POST /_plugins/_ml/agents/_register
2
{
3
  "name": "Wazuh_Security_AI_Agent",
4
  "type": "conversational",
5
  "description": "AI agent specialized in Wazuh and security operations",
6
  "llm": {
7
    "model_id": "YOUR_MODEL_ID",
8
    "parameters": {
9
      "max_iteration": 5,
10
      "stop_when_no_tool_found": true
11
    }
12
  },
13
  "memory": {
14
    "type": "conversation_index"
15
  },
16
  "tools": [
17
    {
18
      "type": "MLModelTool",
19
      "name": "security_assistant",
20
      "description": "Security analysis and Wazuh expertise",
21
      "parameters": {
22
        "model_id": "YOUR_MODEL_ID",
23
        "prompt": "Human: You are a Wazuh security expert AI assistant. You help with:\n- Explaining Wazuh alerts and their severity\n- Providing security best practices\n- Analyzing vulnerabilities and suggesting remediation\n- Writing Wazuh rules and decoders\n- Incident response guidance\n- MITRE ATT&CK framework mapping\n\nAlways provide accurate, actionable security advice. If unsure, recommend consulting official Wazuh documentation.\n\n${parameters.chat_history:-}\n\nHuman: ${parameters.question}\n\nAssistant:"
24
      }
25
    }
26
  ]
27
}

Save the agent_id.

6. Connect Agent to Dashboard#

1
PUT .plugins-ml-config/_doc/os_chat
2
{
3
  "type": "os_chat_root_agent",
4
  "configuration": {
5
    "agent_id": "YOUR_AGENT_ID"
6
  }
7
}

Refresh the Wazuh dashboard to see the AI assistant icon.

Using Claude AI in Wazuh#

Example Security Queries#

1. Alert Analysis#

Query: “What does rule ID 5716 mean and how serious is it?”

Claude Response:

1
Rule ID 5716 is a Wazuh SSH authentication failure alert with severity level 5 (medium).
2

3
This rule triggers when someone fails to authenticate via SSH. Key details:
4
- Indicates potential brute force attempts
5
- Monitor for multiple failures from same IP
6
- Check if source IP is known/authorized
7
- Consider implementing fail2ban or active response
8

9
Recommended actions:
10
1. Review source IP reputation
11
2. Check for pattern of attempts
12
3. Verify user exists
13
4. Enable rate limiting if frequent

2. Vulnerability Guidance#

Query: “I see a critical CVE-2024-1234 vulnerability alert. What should I do?”

Claude Response:

1
For critical vulnerability CVE-2024-1234:
2

3
Immediate Actions:
4
1. Identify affected systems using Wazuh vulnerability detector
5
2. Check if exploit is in the wild (check threat intel)
6
3. Assess exposure (internet-facing? critical data?)
7

8
Remediation Steps:
9
1. Apply vendor patches immediately if available
10
2. If no patch: implement compensating controls
11
3. Monitor for exploitation attempts
12
4. Update Wazuh rules to detect exploitation
13

14
Post-Remediation:
15
- Rescan to verify patch application
16
- Document remediation in ticket system
17
- Schedule follow-up vulnerability scan

3. Rule Writing Assistance#

Query: “Write a Wazuh rule to detect failed sudo attempts”

Claude Response:

1
<group name="sudo,">
2
  <rule id="100200" level="5">
3
    <if_sid>5402</if_sid>
4
    <match>authentication failure</match>
5
    <description>Failed sudo authentication attempt</description>
6
    <group>authentication_failed,</group>
7
  </rule>
8

9
  <rule id="100201" level="10" frequency="5" timeframe="300">
10
    <if_matched_sid>100200</if_matched_sid>
11
    <same_user />
12
    <description>Multiple failed sudo attempts by $(user)</description>
13
    <mitre>
14
      <id>T1548.003</id>
15
    </mitre>
16
    <group>authentication_failures,</group>
17
  </rule>
18
</group>

4. Incident Response#

Query: “Multiple servers showing ransomware alerts. What’s the response plan?”

Claude Response:

1
CRITICAL: Ransomware Incident Response
2

3
Immediate Actions (0-15 minutes):
4
1. ISOLATE affected systems - disconnect network
5
2. ALERT incident response team
6
3. PRESERVE evidence - capture memory, logs
7
4. IDENTIFY patient zero and infection vector
8

9
Containment (15-60 minutes):
10
1. Block C2 communications at firewall
11
2. Disable affected user accounts
12
3. Reset credentials for privileged accounts
13
4. Check backups integrity (air-gapped?)
14

15
Investigation:
16
1. Timeline reconstruction using Wazuh logs
17
2. Search for IOCs across infrastructure
18
3. Identify lateral movement patterns
19
4. Check for data exfiltration
20

21
Recovery:
22
1. Restore from clean backups
23
2. Rebuild affected systems
24
3. Apply all security patches
25
4. Enhanced monitoring for reinfection

Advanced Integration Features#

Custom Security Context#

Enhance the agent with domain-specific knowledge:

1
{
2
  "parameters": {
3
    "prompt": "Human: You are specialized in:\n- ${COMPANY} security policies\n- Custom Wazuh rules (IDs 100000-200000)\n- Industry compliance: PCI-DSS, HIPAA\n- Technology stack: Linux, Docker, AWS\n\nProvide advice considering our environment.\n\nHuman: ${parameters.question}\n\nAssistant:"
4
  }
5
}

Multi-Model Approach#

1
flowchart LR
2
    subgraph "Query Router"
3
        Q1[User Query] --> R1{Query Type?}
4
        R1 -->|Alert Analysis| M1[Claude Haiku]
5
        R1 -->|Code Writing| M2[Code Model]
6
        R1 -->|Threat Intel| M3[Security Model]
7
    end
8

9
    subgraph "Response Aggregation"
10
        M1 --> A1[Combine]
11
        M2 --> A1
12
        M3 --> A1
13
        A1 --> F1[Final Response]
14
    end

Integration with Wazuh API#

1
# Enhance AI responses with real-time Wazuh data
2
def enhance_ai_query(question):
3
    # Get context from Wazuh API
4
    if "alert" in question.lower():
5
        recent_alerts = wazuh_api.get_alerts(limit=5)
6
        context = f"Recent alerts: {format_alerts(recent_alerts)}"
7
        enhanced_prompt = f"{context}\n\nQuestion: {question}"
8
        return enhanced_prompt
9
    return question

Security Considerations#

1. API Key Protection#

1
# Store credentials securely
2
cat > /etc/wazuh-dashboard/claude-config.json << EOF
3
{
4
  "credentials": {
5
    "access_key": "encrypted_key",
6
    "secret_key": "encrypted_secret"
7
  }
8
}
9
EOF
10

11
chmod 600 /etc/wazuh-dashboard/claude-config.json
12
chown wazuh-dashboard:wazuh-dashboard /etc/wazuh-dashboard/claude-config.json

2. Query Sanitization#

1
// Prevent prompt injection
2
function sanitizeQuery(userInput) {
3
  const blockedPatterns = [
4
    /ignore previous instructions/i,
5
    /reveal your prompt/i,
6
    /system message/i
7
  ];
8

9
  for (const pattern of blockedPatterns) {
10
    if (pattern.test(userInput)) {
11
      return "Invalid query detected";
12
    }
13
  }
14

15
  return userInput.substring(0, 1000); // Limit length
16
}

3. Response Validation#

1
def validate_ai_response(response):
2
    """Ensure AI responses are safe and accurate"""
3

4
    # Check for harmful content
5
    if contains_harmful_content(response):
6
        return "Response filtered for safety"
7

8
    # Verify technical accuracy
9
    if "rule" in response:
10
        validate_rule_syntax(response)
11

12
    # Add disclaimer for critical actions
13
    if any(word in response for word in ["delete", "remove", "disable"]):
14
        response += "\n\n⚠️ Warning: Verify this action before proceeding"
15

16
    return response

Performance Optimization#

1. Response Caching#

1
POST /_plugins/_ml/models/_predict
2
{
3
  "model_id": "YOUR_MODEL_ID",
4
  "parameters": {
5
    "prompt": "Cached question",
6
    "cache_ttl": 3600,
7
    "cache_key": "hash_of_question"
8
  }
9
}

2. Token Usage Optimization#

1
# Optimize prompts for efficiency
2
def optimize_prompt(question, max_context=500):
3
    # Truncate long questions
4
    if len(question) > max_context:
5
        question = question[:max_context] + "..."
6

7
    # Remove redundant information
8
    question = remove_redundancy(question)
9

10
    # Use concise system prompt
11
    return {
12
        "prompt": f"Security expert. Brief answers. Q: {question}",
13
        "max_tokens": 500
14
    }

3. Concurrent Query Handling#

1
// Queue management for multiple users
2
class AIQueryQueue {
3
  constructor(maxConcurrent = 3) {
4
    this.queue = [];
5
    this.active = 0;
6
    this.maxConcurrent = maxConcurrent;
7
  }
8

9
  async addQuery(query) {
10
    return new Promise((resolve, reject) => {
11
      this.queue.push({ query, resolve, reject });
12
      this.processQueue();
13
    });
14
  }
15

16
  async processQueue() {
17
    if (this.active >= this.maxConcurrent || this.queue.length === 0) {
18
      return;
19
    }
20

21
    this.active++;
22
    const { query, resolve, reject } = this.queue.shift();
23

24
    try {
25
      const result = await sendToAI(query);
26
      resolve(result);
27
    } catch (error) {
28
      reject(error);
29
    } finally {
30
      this.active--;
31
      this.processQueue();
32
    }
33
  }
34
}

Troubleshooting#

Common Issues and Solutions#

1. Model Not Responding#

1
# Check model status
2
curl -X GET "localhost:9200/_plugins/_ml/models/YOUR_MODEL_ID"
3

4
# Restart model if needed
5
curl -X POST "localhost:9200/_plugins/_ml/models/YOUR_MODEL_ID/_undeploy"
6
curl -X POST "localhost:9200/_plugins/_ml/models/YOUR_MODEL_ID/_deploy"

2. Authentication Errors#

1
// Verify AWS credentials
2
{
3
  "error": "The security token included in the request is invalid"
4
}
5

6
// Solution: Regenerate IAM credentials and update connector

3. Region Issues#

1
# Ensure model is available in your region
2
aws bedrock list-foundation-models --region us-west-2 | grep claude-3-5-haiku

Best Practices#

1. Query Guidelines#

✅ Good Queries:

“Explain this SSH brute force alert and remediation steps”
“Write a Wazuh rule for detecting PowerShell encoded commands”
“What’s the MITRE technique for credential dumping?”

❌ Poor Queries:

“Fix everything”
“Hello” (too vague)
“Write malicious code” (will be blocked)

2. Response Verification#

Always verify AI responses against:

Official Wazuh documentation
Security best practices
Your organization’s policies
Current threat intelligence

3. Continuous Improvement#

1
# Log queries for analysis
2
def log_ai_interaction(query, response, feedback=None):
3
    log_entry = {
4
        "timestamp": datetime.now().isoformat(),
5
        "query": query,
6
        "response_preview": response[:200],
7
        "useful": feedback,
8
        "model": "claude-3.5-haiku"
9
    }
10

11
    # Use for model fine-tuning
12
    with open("/var/log/wazuh-ai-interactions.jsonl", "a") as f:
13
        f.write(json.dumps(log_entry) + "\n")

Cost Optimization#

Monitor Usage#

1
# Track token usage
2
def calculate_monthly_cost(daily_queries=100, avg_tokens=1000):
3
    # Claude 3.5 Haiku pricing (example)
4
    input_cost_per_1k = 0.00025
5
    output_cost_per_1k = 0.00125
6

7
    monthly_input_tokens = daily_queries * 30 * (avg_tokens * 0.3)
8
    monthly_output_tokens = daily_queries * 30 * (avg_tokens * 0.7)
9

10
    total_cost = (
11
        (monthly_input_tokens / 1000) * input_cost_per_1k +
12
        (monthly_output_tokens / 1000) * output_cost_per_1k
13
    )
14

15
    return f"Estimated monthly cost: ${total_cost:.2f}"

Optimize Token Usage#

Use concise prompts
Implement response caching
Set appropriate max_tokens
Filter unnecessary queries

Future Enhancements#

1. RAG Integration#

1
# Retrieval Augmented Generation with Wazuh docs
2
def enhance_with_rag(query):
3
    # Search Wazuh documentation
4
    relevant_docs = search_wazuh_docs(query)
5

6
    # Include in prompt
7
    context = f"Relevant documentation:\n{relevant_docs}\n"
8
    enhanced_query = f"{context}\nQuestion: {query}"
9

10
    return enhanced_query

2. Custom Fine-Tuning#

1
{
2
  "training_data": [
3
    {
4
      "prompt": "What is rule 5716?",
5
      "completion": "Rule 5716 detects SSH authentication failures..."
6
    },
7
    {
8
      "prompt": "How to remediate CVE-2024-1234?",
9
      "completion": "For CVE-2024-1234 remediation: 1) Apply patch..."
10
    }
11
  ]
12
}

3. Automated Actions#

1
# AI-driven automated response
2
async def ai_automated_response(alert):
3
    # Get AI recommendation
4
    query = f"Recommend automated response for: {alert}"
5
    recommendation = await query_ai(query)
6

7
    # Execute if confidence high
8
    if recommendation.confidence > 0.9:
9
        execute_response(recommendation.action)
10
    else:
11
        notify_analyst(recommendation)

Conclusion#

Integrating Claude 3.5 Haiku into the Wazuh dashboard transforms security operations by providing:

🤖 Instant AI assistance for security queries
📈 Accelerated incident response with expert guidance
📚 On-demand security knowledge without leaving the dashboard
🔍 Enhanced threat analysis with AI-powered insights

This integration bridges the gap between human expertise and AI capabilities, creating a more efficient and effective security operations center.

Key Takeaways#

Easy Integration: OpenSearch plugins enable seamless LLM integration
Security-Focused: Custom prompts ensure relevant security responses
Cost-Effective: Claude Haiku provides fast, affordable AI assistance
Extensible: Framework supports multiple models and use cases
Production-Ready: With proper security controls and monitoring

Resources#

Empowering security teams with AI-driven insights, directly in the Wazuh dashboard. The future of SIEM is conversational! 🚀