Detecting AI Tool Usage on Endpoints

minshad

Jun 2, 2026, 1:44:45 AM
to Wazuh | Mailing List

Hi,

We are currently evaluating the possibility of detecting and monitoring AI tool usage on endpoints using Wazuh and would like to understand whether anyone in the community has implemented a similar use case.

Our objective is to detect activities such as:

  • Users accessing AI platforms (ChatGPT, Claude, Gemini, Copilot, Perplexity, DeepSeek, etc.)

  • Usage of locally installed AI applications

  • Local AI runtimes such as Ollama

  • Connections to AI-related services from endpoints

One important limitation in our environment is that we currently do not have proxy or firewall logs available. The only telemetry available to us comes from the endpoints themselves.

We are therefore looking at approaches based on:

  • Sysmon

  • Windows Event Logs

  • Process monitoring

  • DNS client events

  • Endpoint network connection events

  • Other endpoint-based telemetry sources supported by Wazuh

Has anyone successfully implemented AI usage detection using only endpoint telemetry?

If so, would you be willing to share:

  • Sample Wazuh rules or decoders

  • Sysmon configurations

  • Detection logic for browser-based AI access

  • Methods used to maintain allowlists/blocklists of approved AI services

  • Detection approaches for local AI runtimes such as Ollama

  • Any GitHub repositories, blog posts, architecture diagrams, or implementation references

We would appreciate any practical experience, recommendations, or lessons learned from implementing this use case.

Thank you.
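Added example, not from the original thread or from the Wazuh project: a stand-alone Python prototype of the endpoint-only detection logic the post asks about, run over constructed Sysmon-style events (event 22 DNS query, event 1 process creation, event 3 network connection) in the field layout Wazuh's Sysmon decoder is assumed to produce (win.system.eventID, win.eventdata.queryName, image, destinationPort). The domain table, approved-service list and severity levels are hypothetical policy values.

```python
import json

# Constructed policy tables (hypothetical; replace with your own approved/blocked lists).
AI_SERVICES = {
    "chatgpt.com": "ChatGPT", "openai.com": "ChatGPT", "claude.ai": "Claude",
    "gemini.google.com": "Gemini", "copilot.microsoft.com": "Copilot",
    "perplexity.ai": "Perplexity", "deepseek.com": "DeepSeek",
}
APPROVED_SERVICES = {"Copilot"}      # sanctioned services are still logged, at lower severity
LOCAL_AI_BINARIES = {"ollama.exe"}   # process names of local AI runtimes
OLLAMA_PORT = "11434"                # Ollama's default API port

def match_service(hostname):
    # Walk the suffixes of the queried name so any subdomain of a listed domain matches.
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if (candidate := ".".join(labels[i:])) in AI_SERVICES:
            return AI_SERVICES[candidate]
    return None

def classify(event):
    # Map one decoded Sysmon event (assumed Wazuh field layout) to a finding, or None.
    eid = event["win"]["system"]["eventID"]
    ed = event["win"]["eventdata"]
    image = ed.get("image", "").rsplit("\\", 1)[-1].lower()
    if eid == "22":                                                 # DNS query
        service = match_service(ed.get("queryName", ""))
        if service:
            level = 5 if service in APPROVED_SERVICES else 9
            return {"type": "ai_web_access", "service": service, "image": image, "level": level}
    elif eid == "1" and image in LOCAL_AI_BINARIES:                 # process creation
        return {"type": "local_ai_runtime", "service": image, "image": image, "level": 9}
    elif eid == "3" and ed.get("destinationPort") == OLLAMA_PORT:   # network connection
        return {"type": "ollama_api_connection", "service": "Ollama", "image": image, "level": 7}
    return None

def scan(lines):
    # Run the classifier over JSON event lines and keep only AI-related findings.
    return [f for f in map(classify, map(json.loads, lines)) if f]

# Constructed sample events (not real telemetry), shaped like Wazuh's Sysmon JSON.
SAMPLE_EVENTS = [
    r'{"win":{"system":{"eventID":"22"},"eventdata":{"image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","queryName":"chat.openai.com"}}}',
    r'{"win":{"system":{"eventID":"22"},"eventdata":{"image":"C:\\Program Files\\Microsoft\\Edge\\Application\\msedge.exe","queryName":"copilot.microsoft.com"}}}',
    r'{"win":{"system":{"eventID":"22"},"eventdata":{"image":"C:\\Windows\\System32\\svchost.exe","queryName":"update.microsoft.com"}}}',
    r'{"win":{"system":{"eventID":"1"},"eventdata":{"image":"C:\\Users\\alice\\AppData\\Local\\Programs\\Ollama\\ollama.exe","commandLine":"ollama.exe serve"}}}',
    r'{"win":{"system":{"eventID":"3"},"eventdata":{"image":"C:\\Python312\\python.exe","destinationIp":"127.0.0.1","destinationPort":"11434"}}}',
    r'{"win":{"system":{"eventID":"3"},"eventdata":{"image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","destinationIp":"203.0.113.10","destinationPort":"443"}}}',
]
```

The same three conditions translate directly into Wazuh rules keyed on those decoded fields; note that a browser resolving names over DNS-over-HTTPS will not produce a Sysmon event 22, so the process and network checks are the fallback for that gap.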
