Wazuh AI Analyst service

Overview

The Wazuh AI Analyst service provides Wazuh Cloud users with insights into their security posture and offers recommendations on how to remediate threats detected within their Wazuh Cloud subscription.

This service is an automated AI-powered security analysis solution that integrates Wazuh Cloud with advanced AI models. It leverages machine learning capabilities to process security data and deliver actionable insights to help improve organizational security.

The service provides organizations with:

  • Automated security analysis without manual intervention.

  • Insights aggregated from multiple security data sources.

  • Structured recommendations to improve security posture.

  • Regular assessments of security posture through scheduled analyses.

What to expect

The service periodically sends emails and reports. You can download these reports from the Wazuh Cloud Console.

AI Analyst email

Users receive periodic emails with key performance indicators and a summary of their security posture. Each email includes:

  • A histogram showing the number of protected endpoints.

  • The volume of alerts received by the SIEM.

  • The number of active vulnerabilities.

  • A summary of the current security posture.

  • The AI Analyst Report attached as a PDF.

AI Analyst report

The report includes AI-generated insights based on data from the user's Wazuh Cloud subscription. It contains the following sections:

  • Overall assessment

    A summary generated by the AI, providing an overall evaluation of the organization's security posture during the reporting period.

  • Alert analysis

    Wazuh analyzes log data collected across the monitored infrastructure. Each log is evaluated against predefined security rules, each tagged with a criticality level.

    This section presents alert data analysis by MITRE technique and alert level, along with a summary of recommended actions.

  • Vulnerability analysis

    Software vulnerabilities are weaknesses in code that attackers can exploit to gain unauthorized access or alter application behavior. Vulnerable software applications are commonly targeted by attackers to compromise endpoints and gain a persistent presence on targeted networks.

    This section includes analysis by severity, affected packages, and operating system, along with recommended mitigation actions.

  • Endpoint analysis

    Highlights the ten most active endpoints based on alert volume. This helps identify areas with elevated security activity.

F.A.Q.

Data privacy and security

Q: Is data from Wazuh Cloud subscriptions shared with third parties?

A: No, data from Wazuh Cloud subscriptions is not shared with third parties. Data is processed by AWS Bedrock and Anthropic's Claude model solely within the AI pipeline. It is not shared beyond that scope. Both providers follow strict data protection policies that prevent sharing of customer data with external parties.

Q: Is data used to train AI models?

A: No, your data is not used to train AI models. Customer data is not used for model training or improvement, as stated in Anthropic's terms of service under AWS Bedrock. Data is only used to generate your security analysis reports and is not retained or used for any other purposes.

Q: Can data leak to third parties?

A: The service implements multiple layers of security to prevent data leaks:

  • Encrypted data transmission.

  • Enterprise-grade security controls in AWS Bedrock.

  • Isolated processing environments for Claude.

  • No permanent data storage during processing.

  • Restricted access to authorized Wazuh service components only.

Q: How should I use the recommendations in the AI Analyst report?

A: Treat AI-generated recommendations as advisory. Users are responsible for:

  • Reviewing and validating all AI-generated recommendations.

  • Acting based on internal security policies and risk assessments.

  • Consulting with security professionals when necessary.

The service is subject to the limitations and disclaimers outlined in:

Service operations

Q: How often are reports generated?

A: Reports are generated based on your Wazuh Cloud subscription and configuration settings.

Q: Can I customize the analysis parameters?

A: Not currently. The service uses predefined parameters optimized for comprehensive security assessment.

Q: What happens if the AI service is unavailable?

A: Report generation is paused during outages and resumes automatically when the service is restored.

Q: How long are reports retained?

A: Reports remain available in the Wazuh Console per your subscription's data retention policy. Emails are sent to designated technical contacts and may be retained indefinitely.

Q: What data is included in the analysis?

A: The analysis includes:

  • Security alerts and MITRE ATT&CK mappings

  • Vulnerability scan results

  • High-priority rule triggers

  • Endpoint activity patterns

  • Operating system and package vulnerability data

Q: Can I opt out of the AI Analyst service?

A: Yes. You can disable the service through your Wazuh Cloud subscription settings. Contact your administrator or Wazuh Support for assistance.

Terms & conditions