Post 023

Tags: project wazuh ollama ai security n8n automation cve vulnerability


The Idea

Wazuh already detects vulnerabilities. It scans every enrolled agent, inventories installed packages, and cross-references them against the National Vulnerability Database. The problem is the output: a dashboard full of CVE numbers that require manual research to understand what they mean and how to fix them.

This workflow bridges the gap! Wazuh provides the CVE data, Ollama provides the plain-English explanation and fix commands, n8n orchestrates the pipeline, and Discord delivers the weekly report.

It's the SIEM and the AI platform working together in a single automated pipeline.


The Pipeline

Schedule trigger (Sunday 8am)
    │
    ▼
Query Wazuh Vulnerability API
    → Filter: severity >= High
    → Group by host
    │
    ▼
For each host's CVE list:
    → Send to Ollama (llama3:8b)
    → Prompt: "For each CVE, provide:
       1. One-line plain-English description
       2. Risk level in context
       3. Recommended fix command for Debian"
    │
    ▼
Format as Discord embed
    → Per-host sections
    → Color-coded by severity
    → Total counts in header
    │
    ▼
Post to Discord (#wazuh-command)

n8n Workflow Detail

Node 1: Schedule Trigger

{
    "type": "n8n-nodes-base.scheduleTrigger",
    "parameters": {
        "rule": {
            "interval": [{ "field": "cronExpression", "expression": "0 8 * * 0" }]
        }
    }
}

Node 2: Query Wazuh API

Method: GET
URL: https://192.168.20.30:55000/vulnerability/{agent_id}/summary/cve
Headers:
    Authorization: Bearer ${WAZUH_API_TOKEN}

The Wazuh API returns structured vulnerability data per agent:

{
    "data": {
        "affected_items": [
            {
                "cve": "CVE-2024-1234",
                "name": "libcairo2",
                "version": "1.18.0-3",
                "severity": "High",
                "status": "VALID",
                "detection_time": "2026-02-15T10:30:00Z"
            }
        ]
    }
}

Node 3: Filter and Group

// Group CVEs by host and filter to High/Critical.
// Each input item is expected to carry the agent name and that agent's
// vulnerability list (the per-agent Wazuh response reshaped upstream).
const hosts = {};

for (const item of $input.all()) {
    const agent = item.json.agent_name;
    // Guard against an agent with no vulnerability list at all
    const cves = (item.json.vulnerabilities ?? [])
        .filter(v => ['High', 'Critical'].includes(v.severity));

    if (cves.length > 0) {
        // Append rather than overwrite in case one agent arrives as several items
        hosts[agent] = (hosts[agent] ?? []).concat(cves);
    }
}

// One output item per host that still has findings after filtering
return Object.entries(hosts).map(([host, cves]) => ({
    json: { host, cves, count: cves.length }
}));

Node 4: Ollama Remediation Analysis

Method: POST
URL: http://192.168.20.20:11434/api/generate
Body:
{
    "model": "llama3:8b",
    "prompt": "You are a security engineer reviewing CVE reports for a Debian Linux server.\n\nFor each CVE below, provide:\n1. A one-line plain-English description of what the vulnerability does\n2. The risk level in context (is this remotely exploitable? does it require local access?)\n3. The exact apt command to fix it, or 'No fix available' if unpatched\n\nCVEs:\n${cveList}\n\nRespond in this exact format per CVE:\nCVE-XXXX-YYYY: [description] | Risk: [context] | Fix: [command]",
    "stream": false,
    "options": {
        "temperature": 0.3,
        "num_predict": 2000
    }
}

A low temperature (0.3) keeps the output factual and consistent, and the fixed per-CVE response format makes the reply straightforward to parse.
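The model's reply still has to be checked before it lands in Discord: an LLM can invent a CVE that was never in the prompt or return a "fix" that is not a plain package upgrade. The parser below is an added example, not code from the original post; it assumes it runs as an n8n Code node or plain Node.js, that `sentCves` holds the CVE IDs that were actually placed in the prompt, and that the sample response text is constructed here for illustration.

```javascript
// Parse the "CVE-XXXX-YYYY: [description] | Risk: [context] | Fix: [command]"
// lines requested by Node 4, and sanity-check them before they are posted.
// Assumption: `sentCves` lists the CVE IDs that were actually in the prompt, so
// any other ID in the response is treated as hallucinated and dropped.
const LINE_RE = /^(CVE-\d{4}-\d{4,7}):\s*(.*?)\s*\|\s*Risk:\s*(.*?)\s*\|\s*Fix:\s*(.*?)\s*$/;
// Only a plain apt upgrade of a single package is accepted as a surfaced fix.
const FIX_RE = /^apt(?:-get)? (?:install --only-upgrade|upgrade) [a-z0-9][a-z0-9+.-]*$/;

function parseRemediation(text, sentCves) {
  const expected = new Set(sentCves);
  const results = [];
  const problems = [];
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line) continue;
    const m = LINE_RE.exec(line);
    if (!m) { problems.push(`unparseable line: ${line}`); continue; }
    const [, cve, description, risk, fix] = m;
    if (!expected.has(cve)) { problems.push(`unexpected CVE in response: ${cve}`); continue; }
    const noFix = /^no fix available$/i.test(fix);
    const fixOk = noFix || FIX_RE.test(fix);
    if (!fixOk) problems.push(`fix for ${cve} is not a plain apt upgrade: ${fix}`);
    // Unverified commands are replaced so nobody copy-pastes them from the digest
    results.push({ cve, description, risk, fix: fixOk ? fix : 'REVIEW MANUALLY', fixVerified: fixOk });
    expected.delete(cve);
  }
  for (const missing of expected) problems.push(`no entry for ${missing}`);
  return { results, problems };
}

// Constructed sample reply: one clean entry, one with no fix, one hallucinated
// CVE that was never sent, and one "fix" that chains an extra command.
const SAMPLE_RESPONSE = [
  'CVE-2024-1234: Buffer overflow in SVG parsing | Risk: Requires local file access | Fix: apt install --only-upgrade libcairo2',
  'CVE-2024-5678: Privilege escalation via guest agent | Risk: Requires hypervisor access | Fix: No fix available',
  'CVE-2024-0001: Made-up issue | Risk: Unknown | Fix: apt install --only-upgrade nothing',
  'CVE-2023-9999: Kernel memory disclosure | Risk: Requires local access | Fix: apt install --only-upgrade linux-image-amd64; reboot',
].join('\n');
const SENT_CVES = ['CVE-2024-1234', 'CVE-2024-5678', 'CVE-2023-9999'];

const checked = parseRemediation(SAMPLE_RESPONSE, SENT_CVES);
console.log(JSON.stringify(checked, null, 2));
```

In the n8n Code node the call would be `return [{ json: parseRemediation($input.first().json.remediation, cveIds) }]`, and a non-empty `problems` array is worth surfacing in the embed so the reader knows which lines were rejected.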

Node 5: Format Discord Message

const host = $input.first().json.host;
const ollamaResponse = $input.first().json.remediation;
const cveCount = $input.first().json.count;

const embed = {
    title: `🛡️ Weekly CVE Digest - ${host}`,
    color: cveCount > 5 ? 0xFF0000 : 0xFFAA00, // Red if > 5, amber otherwise
    description: `**${cveCount} High/Critical vulnerabilities detected**\n\n${ollamaResponse}`,
    footer: {
        text: `Wazuh SIEM → Ollama (llama3:8b) → Alliance Fleet | ${new Date().toISOString().slice(0,10)}`
    }
};

return [{ json: { embeds: [embed] } }];

Node 6: Discord Webhook

Method: POST
URL: ${DISCORD_WAZUH_WEBHOOK}
Body: (embed from previous node)

Example Output

🛡️ Weekly CVE Digest - Tantive-III
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

5 High/Critical vulnerabilities detected

CVE-2024-1234: libcairo2 - Buffer overflow in SVG parsing allows
    arbitrary code execution via crafted image file.
    Risk: Requires local file access. Low risk on headless server.
    Fix: apt install --only-upgrade libcairo2

CVE-2024-5678: qemu-guest-agent - Privilege escalation through
    malformed guest-host communication.
    Risk: Requires hypervisor access. Medium risk in VFIO passthrough.
    Fix: apt install --only-upgrade qemu-guest-agent

CVE-2023-9999: linux-image-amd64 - Kernel memory disclosure via
    timing side-channel.
    Risk: Requires local access. Mitigated on modern kernels.
    Fix: apt upgrade linux-image-amd64

[...]

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Wazuh SIEM → Ollama (llama3:8b) → Alliance Fleet | 2026-03-09

Why This Is Portfolio-Worthy

This single workflow demonstrates three distinct skills:

  1. SIEM operation - Querying the Wazuh API for vulnerability data, understanding CVE severity and context
  2. AI/ML integration - Using a local LLM (Ollama) for practical remediation guidance, not just chatbot fluff
  3. Automation engineering - n8n orchestrating a multi-step pipeline with structured output

It also shows that these systems aren't running in isolation; they're connected into workflows that produce actionable output. That's the difference between "I installed Wazuh" and "I built a security automation platform."


Real-World Context

At the enterprise level, this is what products like Rapid7 InsightVM, Qualys, and Tenable do: vulnerability scanning with remediation guidance. The difference is that those products cost $10K+ annually and their remediation guidance is pre-written by vendor teams. This pipeline uses a local LLM to generate context-specific guidance at zero marginal cost.


Related: Post 020 - n8n Automation Platform | Post 018 - GPU AI Platform | Post 012 - Wazuh Agent Enrollment