Degree
Bachelor of Science (Computer Science)
Department
Department of Computer Science
School
School of Mathematics and Computer Science (SMCS)
Advisor
Dr. Faisal Iradat, Assistant Professor, School of Mathematics & Computer Science (SMCS)
Keywords
SIEM, Wazuh, Cybersecurity, Large Language Models, Natural Language Query, Compliance, Computer Network Security
Abstract
This report documents the design, implementation, and evaluation of an AI-enhanced Security Information and Event Management (SIEM) system developed as a final year project at IBA Karachi. The project augments the open-source Wazuh SIEM platform with six substantive enhancements: (1) a custom compliance ruleset mapped to Pakistan's Prevention of Electronic Crimes Act 2016 (PECA), (2) an AI-driven security analyst chatbot powered by a large language model gateway, (3) an interactive network topology visualisation plugin, (4) a natural language query (NLQ) search interface enabling plain-English alert retrieval, (5) a comparative cross-framework compliance dashboard, and (6) a bilingual Urdu/English localisation layer with comprehensive dark mode support across the entire Wazuh Dashboard. All components are delivered as OpenSearch Dashboards plugins and are deployable via a single idempotent setup script with feature-flag-controlled selective installation. The project required reverse-engineering the internal plugin architecture of a pre-compiled, closed-build-chain dashboard application; directly patching minified, Brotli- and gzip-compressed JavaScript bundles; integrating a multi-service LLM gateway with the OpenSearch ML Commons framework; and reimplementing a Python-based natural language query transpilation pipeline in JavaScript without external dependencies. The NLQ pipeline - called Sec-IR (Security Intermediate Representation) - uses a schema-constrained JSON object as a deterministic layer between LLM output and query generation. Evaluation across a 240-query labelled dataset produced a semantic match accuracy of 67.9% and a schema validity rate of 97.4% using a 4-billion-parameter locally-runnable model with no fine-tuning. The complete system has been deployed on an AWS EC2 instance and validated against a clean Wazuh Docker environment, confirming end-to-end reproducibility.
Tools and Technologies Used
Wazuh SIEM, OpenSearch Dashboards, OpenSearch ML Commons, Python, FastAPI, LangChain, LangChain-MCP-Adapters, Model Context Protocol (MCP), opensearch-mcp-server-py, Google Gemini API, Groq API, OpenAI API, AWS Bedrock, JavaScript, Node.js, webpack 5, D3.js, React, Ubuntu 24.04 LTS, systemd, Docker, AWS EC2, Bash, npm, HTTPS/TLS, REST API
Methodology
The project followed a modular, feature-driven development approach. Each component was developed and tested independently before integration into the main system. Development began with an analysis of the existing Wazuh architecture to identify integration points for each feature. Custom OpenSearch Dashboards plugins were built using vanilla JavaScript and webpack 5 to avoid dependency conflicts with Wazuh's internal React environment. The conversational interface was implemented using the MCP architecture — a three-component pipeline consisting of an OpenSearch MCP Server, an MCP-LLM Gateway, and OpenSearch ML Commons — allowing the LLM to query live Wazuh indices through structured tool calls rather than direct index access. The NLQ Search pipeline uses a deterministic Sec-IR intermediate representation layer between the LLM and the Wazuh DSL transpiler, reducing hallucination in generated queries through schema validation and self-correction. All features were first tested locally on a Linux Mint VM, then validated on a clean Wazuh Docker container to confirm reproducibility, before final deployment to AWS EC2. A single master installation script with feature flags was written to automate the entire setup process across all six components.
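As an added illustration of the Sec-IR idea described above (not the project's own code), the following shows a deterministic schema-validation step sitting between raw LLM output and the Wazuh DSL transpiler, so that only a validated object is ever turned into a query. The IR field names and limits are assumed for this example; `agent.name`, `rule.level`, `rule.groups` and `timestamp` are standard Wazuh alert fields.

```python
import json
import re

# Assumed Sec-IR shape for this example (the project's real schema is not on
# the page): one flat JSON object describing a Wazuh alert search.
SEC_IR_SCHEMA = {
    "intent": {"type": str, "pattern": r"^search_alerts$"},
    "agent_name": {"type": str, "pattern": r"^[\w.-]{1,64}$"},
    "min_level": {"type": int, "min": 0, "max": 15},
    "rule_groups": {"type": list, "item_pattern": r"^[a-z0-9_]{1,32}$"},
    "last_hours": {"type": int, "min": 1, "max": 720},
}

def validate_sec_ir(raw: str):
    """Return (ir, errors); ir is None unless every schema check passed."""
    try:
        ir = json.loads(raw)
    except json.JSONDecodeError as exc:
        return None, [f"not valid JSON: {exc.msg}"]
    if not isinstance(ir, dict):
        return None, ["top level must be an object"]
    # Unknown keys are rejected outright: the LLM cannot smuggle extra fields.
    errors = [f"unknown field: {k}" for k in ir if k not in SEC_IR_SCHEMA]
    if "intent" not in ir:
        errors.append("missing field: intent")
    for key, rule in SEC_IR_SCHEMA.items():
        if key not in ir:
            continue
        val = ir[key]
        if type(val) is not rule["type"]:
            errors.append(f"{key}: expected {rule['type'].__name__}")
        elif "pattern" in rule and not re.fullmatch(rule["pattern"], val):
            errors.append(f"{key}: value fails pattern")
        elif "min" in rule and not rule["min"] <= val <= rule["max"]:
            errors.append(f"{key}: out of range {rule['min']}..{rule['max']}")
        elif "item_pattern" in rule and not all(
                isinstance(i, str) and re.fullmatch(rule["item_pattern"], i) for i in val):
            errors.append(f"{key}: list item fails pattern")
    return (ir if not errors else None), errors

def transpile(ir: dict) -> dict:
    """Map a validated IR onto an OpenSearch bool query (wazuh-alerts-* fields)."""
    filters = []
    if "agent_name" in ir:
        filters.append({"term": {"agent.name": ir["agent_name"]}})
    if "min_level" in ir:
        filters.append({"range": {"rule.level": {"gte": ir["min_level"]}}})
    if "rule_groups" in ir:
        filters.append({"terms": {"rule.groups": ir["rule_groups"]}})
    if "last_hours" in ir:
        filters.append({"range": {"timestamp": {"gte": f"now-{ir['last_hours']}h"}}})
    return {"query": {"bool": {"filter": filters}}}
```

A rejected IR (non-empty error list) is what a self-correction loop would feed back to the model, while the transpiler itself never sees free-form LLM text.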
Document Type
Restricted Access
Submission Type
BSCS Final Year Project
Recommended Citation
., S., Hussain, S., & Shahid, F. (2026). Enhanced SIEM with AI-Driven Security Analytics and Natural Language Querying. Retrieved from https://ir.iba.edu.pk/fyp-bscs/61
Creative Commons License

This work is licensed under a Creative Commons Attribution-NonCommercial-Share Alike 4.0 International License.