Detecting Unauthorized or Shadow AI Tools in our Environments


minshad

May 13, 2026, 1:13:33 AM
to Wazuh | Mailing List

Hello Wazuh Community,

We are currently exploring ways to detect and monitor unauthorized or “Shadow AI” tool usage within our environment (for example: unsanctioned AI assistants, browser-based AI services, local AI models, AI-related applications, or API usage outside approved channels).

We would like to understand whether anyone in the community has already implemented detection use cases for this using Wazuh.

Some areas we are particularly interested in:

  • Detecting installation or execution of AI-related applications
  • Monitoring browser access to public AI platforms
  • Identifying API calls to AI providers
  • Endpoint telemetry or Sysmon rules for AI tooling
  • Detecting local LLM runtimes or GPU-intensive AI processes
  • Any custom Wazuh rules, decoders, or integrations already in use

If anyone has experience implementing this, or can share detection strategies, sample rules, dashboards, or best practices, it would be greatly appreciated.

Bony V John

May 13, 2026, 1:35:35 AM
to Wazuh | Mailing List
Hi,

Please allow me some time; I'm working on this and will get back to you with an update as soon as possible.

Bony V John

May 13, 2026, 5:24:08 AM
to Wazuh | Mailing List

Hi,

Based on your requirement, I tested these use cases on my end, and they are working properly. You can follow the steps below to achieve this.


For detecting AI applications installed on endpoints or AI-related processes running on endpoints, I used custom scripts and rules to trigger alerts.

By default, the Wazuh Syscollector module monitors installed software packages and running processes on the endpoint. You can view these details in the IT Hygiene dashboard.

For AI application detection, I created a custom Python script that queries the wazuh-states-inventory-packages-* index. If an AI-related application is detected, the script writes a JSON log into /var/log/llm_process.log on the Wazuh manager. The script also stores previously detected packages in a local JSON database file to avoid repeatedly reporting the same packages.

Similarly, for process monitoring, the script queries the wazuh-states-inventory-processes-* index. When an LLM-related process is detected, it writes the event into the same log file in JSON format.

To configure this:

Create the script on the Wazuh manager server:

vi /var/ossec/integrations/llm_process_monitor.py

Copy and paste the Python script into the file.

Update the following values inside the script:

INDEXER_URL - Your Wazuh indexer IP

USERNAME and PASSWORD - Wazuh indexer credentials

If you want to monitor additional AI processes, add them into the LLM_PROCESS_KEYWORDS block.

If you want to add more AI applications, update the AI_PACKAGE_KEYWORDS block.

Then update the permissions:

chmod +x /var/ossec/integrations/llm_process_monitor.py

After that, configure the script to run every 5 minutes:

crontab -e

Add the following line:

*/5 * * * * /usr/bin/python3 /var/ossec/integrations/llm_process_monitor.py >/dev/null 2>&1

You can adjust the execution interval based on your requirement.

Then add the following configuration into the Wazuh manager ossec.conf file:

<localfile>
  <log_format>json</log_format>
  <location>/var/log/llm_process.log</location>
</localfile>

Save the configuration and restart the Wazuh manager:

systemctl restart wazuh-manager

Then add the following custom rules to trigger alerts for AI application and AI process detection:

<group name="llm,local_ai,">

  <rule id="110500" level="10">
    <decoded_as>json</decoded_as>
    <field name="event.kind">^alert$</field>
    <field name="event.category">^shadow_ai$</field>
    <field name="event.type">^process$</field>
    <field name="event.action">^detected$</field>
    <description>Shadow AI: Local LLM process detected on endpoint $(agent.name): $(process.name)</description>
    <group>shadow_ai,local_llm,llm_process,</group>
  </rule>

  <rule id="110510" level="10">
    <decoded_as>json</decoded_as>
    <field name="event.kind">^alert$</field>
    <field name="event.category">^shadow_ai$</field>
    <field name="event.type">^package$</field>
    <field name="event.action">^detected$</field>
    <description>Shadow AI: AI-related software detected on endpoint $(agent.name): $(package.name)</description>
    <group>shadow_ai,ai_package,ai_software,</group>
  </rule>

</group>

Save the rules and reload the Wazuh rule engine.

Then install an application listed in AI_PACKAGE_KEYWORDS or execute a process listed in LLM_PROCESS_KEYWORDS to trigger alerts.




For browser-based AI platform access detection, it is generally better to use firewall logs, DNS logs, or proxy logs if those are available in your environment.

In my case, I used another method because I did not have firewall or proxy visibility available.

On Windows endpoints, I used custom scripts to collect browser history from Google Chrome and Microsoft Edge. Then I configured the Wazuh agent to monitor those logs.

After that, I created custom rules to trigger alerts when users accessed AI platforms through the browser.

For browser history collection, I followed the guidance from the Wazuh integration repository for monitoring Chrome and Microsoft Edge history.

Then I used the following custom rule to detect access to AI platforms:

<group name="chrome_history">
    <rule id="110300" level="10">
    <decoded_as>json</decoded_as>

You can modify the above rule to include additional AI platforms as needed.


Please let me know if you face any issues.

llm_process_monitor.txt
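
Added example, not the attached script or Wazuh project code: a minimal sketch of the matching, de-duplication and logging steps described in the post above, emitting events with the fields that rules 110500 and 110510 test. The keyword values, the state-file helpers, the `_source` layout (`agent.name`, `process.name`, `package.name`) and the sample hits are assumptions; the indexer query is replaced by constructed hits so the block runs offline.

```python
import json
import os

# Keyword values are illustrative; the post only names the two blocks.
LLM_PROCESS_KEYWORDS = ("ollama", "llama-server", "lmstudio")
AI_PACKAGE_KEYWORDS = ("ollama", "lm studio", "gpt4all")

def load_seen(path):
    """Load the set of already reported keys from the local JSON state file."""
    if not os.path.exists(path):
        return set()
    with open(path) as fh:
        return set(json.load(fh))

def save_seen(path, seen):
    """Persist reported keys so the next cron run does not repeat them."""
    with open(path, "w") as fh:
        json.dump(sorted(seen), fh)

def detect(hits, kind, keywords, seen):
    """Return one event per new keyword match; kind is 'process' or 'package'."""
    events = []
    for hit in hits:
        src = hit["_source"]  # assumed inventory document layout
        agent, name = src["agent"]["name"], src[kind]["name"]
        key = f"{kind}|{agent}|{name.lower()}"
        if key in seen or not any(k in name.lower() for k in keywords):
            continue
        seen.add(key)
        # The Wazuh JSON decoder flattens nested keys to event.kind,
        # event.category, event.type, event.action, agent.name, <kind>.name.
        events.append({
            "event": {"kind": "alert", "category": "shadow_ai",
                      "type": kind, "action": "detected"},
            "agent": {"name": agent},
            kind: {"name": name},
        })
    return events

def append_events(log_path, events):
    """Write one JSON object per line, the shape <log_format>json</log_format> reads."""
    with open(log_path, "a") as fh:
        for ev in events:
            fh.write(json.dumps(ev) + "\n")

# Constructed sample hits standing in for an indexer search response.
SAMPLE_PROCESS_HITS = [
    {"_source": {"agent": {"name": "win-lab-01"}, "process": {"name": "ollama.exe"}}},
    {"_source": {"agent": {"name": "win-lab-01"}, "process": {"name": "svchost.exe"}}},
]

if __name__ == "__main__":
    for ev in detect(SAMPLE_PROCESS_HITS, "process", LLM_PROCESS_KEYWORDS, set()):
        print(json.dumps(ev))
```

Pasting one printed line into wazuh-logtest shows whether the decoded field names line up with the `<field name="...">` conditions before the cron job is enabled.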

minshad

May 13, 2026, 8:16:12 AM
to Wazuh | Mailing List
Hi,

Thank you so much. I appreciate your effort and will get back to you if I face any issues.

minshad

May 15, 2026, 4:40:58 AM
to Wazuh | Mailing List

Hi,

I tested the provided Shadow AI detection approach in my environment using Wazuh 4.12.

I modified the Python script accordingly, and the script execution itself is working properly. The events are being written successfully into the configured log file (/var/log/llm_process.log). However, during wazuh-logtest execution, the events are not matching the custom rules correctly.

I also simplified the rule for testing purposes as below:

<group name="shadow_ai_monitor,">
  <rule id="110500" level="10">
    <match>shadow_ai</match>
    <description>Shadow AI Detection Event</description>
  </rule>
</group>

Even the simplified rule is not matching in wazuh-logtest validation.

Current observations:

  • Script execution is successful

  • JSON logs are getting written correctly

  • Wazuh manager restart completed successfully

  • Rules are loaded without syntax errors

The issues I am currently facing are:

  • Rule processing

  • Alert generation

Could someone please help verify whether additional configuration changes are required specifically for Wazuh 4.12 to make these alerts visible in the dashboard?

Thanks.


Bony V John

May 15, 2026, 6:47:58 AM
to Wazuh | Mailing List

Hi,

The issue is with the custom rule configuration. That is why the alert is not being triggered.

From the logtest screenshot, the event is being decoded by the default JSON decoder. However, your custom rule is not mapped to the JSON decoder, so the rule is not being evaluated properly for that event.

Your custom rule should look like this:

<group name="shadow_ai_monitor,"> 
   <rule id="110500" level="10">
     <decoded_as>json</decoded_as>
     <match>shadow_ai</match>
     <description>Shadow AI Detection Event</description> 
   </rule> 
</group>


In the above rule, the custom rule is mapped to the JSON decoder using:

<decoded_as>json</decoded_as>

So, when an event is decoded by the JSON decoder, this rule will also be evaluated. If the event matches the rule condition, it will trigger an alert.

You can refer to the Wazuh custom rules syntax documentation for more details.
