Lesson Plan: AI-Assisted Cybersecurity Learning (Wazuh & Wireshark)
- Level: Beginner (No prior experience with security tools required)
- Duration: 2-3 Hours (or split into two 60-90 minute sessions)
- Goal: Teach students how to leverage AI tools (Gemini, Claude, ChatGPT) as personal mentors to learn, troubleshoot, and master Wazuh and Wireshark.
🧭 Course Overview & Learning Objectives
By the end of this lesson, students will be able to:
- Prompt AI effectively to translate complex cyber logs and packet captures into plain English.
- Explain the purpose of Wazuh (SIEM/XDR), focusing on Logs, File Integrity Monitoring (FIM), and VirusTotal integration.
- Explain the purpose of Wireshark (packet analyzer) and use AI to diagnose network connection protocols and issues.
- Apply critical thinking to verify AI answers and avoid security hallucinations.

🛡️ Part 1: Wazuh (The Watchtower)
Wazuh is a free, open-source platform that monitors system security. Think of it as a security guard for computers and servers. It collects logs, watches for unauthorized changes, and reports suspicious behavior.
1. Key Concepts Explained
- Logs & Alerts: The operating system and applications write down everything they do (like "User Jane logged in" or "Failed login attempt"). Wazuh reads these entries (logs) and flags important ones as alerts.
- File Integrity Monitoring (FIM): Monitors critical files (like system settings or system executables). If a hacker changes or replaces a file, Wazuh detects the modification and triggers an alert.
- VirusTotal Integration: VirusTotal is an online service that runs files and file signatures (hashes) through over 70 antivirus scanners. Wazuh can automatically send the hashes of newly created/modified files to VirusTotal to check if they are malware.

2. Hands-on Scenario: The Suspicious File Change
Scenario: A student finds an alert in Wazuh indicating that a file was modified in /usr/bin/ on a Linux server, and the VirusTotal integration flagged it. The log details look confusing.
The AI Prompt Strategy
Instead of guessing, students can ask an AI assistant to explain the alert details.
[!TIP] AI Prompt Example to copy & try:
Act as an entry-level cybersecurity mentor. I am a beginner. Explain this Wazuh alert log in plain English. Break down what FIM detected and what the VirusTotal scan results mean: Alert: {"rule":{"level":12,"description":"VirusTotal: Alert - /usr/bin/malicious_tool - Threat detected"},"decoder":{"name":"json"},"data":{"virustotal":{"malicious":1,"positives":42,"scan_date":"2026-06-24","permalink":"https://www.virustotal.com/gui/file/hashvalue"},"file":"/usr/bin/malicious_tool","event":"modified"}}
AI Response Breakdown (What to expect)
The AI should explain:
- Rule Level 12: High severity alert.
- FIM Trigger: The file `/usr/bin/malicious_tool` was modified.
- VirusTotal Hit: Out of 70+ engines, 42 flagged the file as positive for malware.
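To make the "translate the log into plain English" step concrete, here is an added Python example (not code from the lesson or from the Wazuh project) that parses the alert JSON from the prompt above and produces the same three-bullet breakdown the lesson expects from the AI. The severity bands (12 and above is "high", 7 to 11 is "medium") are an assumption chosen so that level 12 reads as the lesson states; the field names follow the sample alert, not the full Wazuh schema, and the alert text is the constructed sample from the prompt.

```python
import json

# Constructed sample: the alert JSON from the prompt above, not a real Wazuh event.
SAMPLE_ALERT = (
    '{"rule":{"level":12,"description":"VirusTotal: Alert - /usr/bin/malicious_tool'
    ' - Threat detected"},"decoder":{"name":"json"},"data":{"virustotal":'
    '{"malicious":1,"positives":42,"scan_date":"2026-06-24",'
    '"permalink":"https://www.virustotal.com/gui/file/hashvalue"},'
    '"file":"/usr/bin/malicious_tool","event":"modified"}}'
)


def severity_label(level):
    """Map a Wazuh rule level (0-15) to a word. The bands are an assumption
    for this lesson, chosen so that level 12 reads as 'high' as the text says."""
    if level >= 12:
        return "high"
    if level >= 7:
        return "medium"
    return "low"


def summarize_alert(raw_json):
    """Pull the FIM and VirusTotal facts out of one alert into a flat dict.
    Missing sections (e.g. a FIM alert with no VirusTotal data) become
    zero/None instead of raising, so the same code works for both alert kinds."""
    alert = json.loads(raw_json)
    rule = alert.get("rule", {})
    data = alert.get("data", {})
    vt = data.get("virustotal") or {}
    level = int(rule.get("level", 0))
    return {
        "level": level,
        "severity": severity_label(level),
        "description": rule.get("description", ""),
        "file": data.get("file"),
        "fim_event": data.get("event"),
        "vt_flagged": bool(vt.get("malicious", 0)),
        "vt_positives": int(vt.get("positives", 0)),
        "vt_link": vt.get("permalink"),
    }


def explain_alert(summary):
    """Render the summary as the plain-English bullets the lesson expects."""
    lines = [
        f"Rule level {summary['level']}: {summary['severity']} severity alert.",
        f"FIM trigger: the file {summary['file']} was {summary['fim_event']}.",
    ]
    if summary["vt_flagged"]:
        lines.append(
            f"VirusTotal hit: {summary['vt_positives']} engines flagged the file "
            f"as malicious (report: {summary['vt_link']})."
        )
    else:
        lines.append("VirusTotal: no scan data in this alert, or the file was clean.")
    return "\n".join(lines)


if __name__ == "__main__":
    print(explain_alert(summarize_alert(SAMPLE_ALERT)))
```

Students can compare this deterministic output against what the AI returns: anything the AI says that is not traceable to a field in the JSON (a file hash it "knows", a malware family name, a recommended command) is exactly the kind of detail Part 3 tells them to verify before acting on.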
🔍 Part 2: Wireshark (The Microscope)
Wireshark captures and displays the data traveling back and forth on a network in real-time. Think of it as a digital microscope for network cables and wireless connections.
1. Key Concepts Explained
- Packets: Digital data is broken down into small chunks called packets to travel across networks.
- Protocols: Rules that decide how data is formatted. Examples include:
- DNS (Domain Name System): Translates human-friendly names (e.g., `google.com`) to IP addresses.
- TCP (Transmission Control Protocol): Establishes a reliable, ordered connection between a client and server.
- Diagnostics: Looking at the timing, order, and flags of packets to see if a connection is slow, broken, or being attacked.

2. Hands-on Scenario: Troubleshooting a Failed Handshake
Scenario: A student is looking at packet capture (PCAP) data where a connection keeps failing. The packets show a cycle of SYN followed by RST (Reset) instead of the usual TCP three-way handshake (SYN -> SYN-ACK -> ACK).
The AI Prompt Strategy
The student can describe the packet sequence or paste raw packet bytes to get explanations.
[!TIP] AI Prompt Example to copy & try:
I am learning Wireshark and looking at a connection attempt that fails. I see the following packets: Packet 1: Source: 192.168.1.50 -> Destination: 10.0.0.99 [TCP SYN] Packet 2: Source: 10.0.0.99 -> Destination: 192.168.1.50 [TCP RST, ACK] Can you explain what a TCP handshake is, what these packets mean, and why the connection is failing?
AI Response Breakdown (What to expect)
The AI should explain:
- The Normal Handshake: Explain `SYN` (synchronize request), `SYN-ACK` (acknowledge request), and `ACK` (acknowledge back).
- The Reset (`RST`): The receiving server at `10.0.0.99` is actively refusing the connection, possibly because the port is closed, a firewall is blocking it, or the service is down.
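The following is an added Python example (not part of the lesson, and not Wireshark code) that applies the handshake logic above to a simplified packet list. Each packet is a constructed `(source, destination, flags)` tuple; the first list reproduces the two packets from the prompt, and the example goes slightly beyond the text by also classifying a completed handshake and a SYN that gets no reply at all, so students can see all three outcomes side by side.

```python
# Constructed packet lists in the shape (source, destination, flags).
# FAILED_HANDSHAKE is the exchange from the prompt above; the others are
# added for contrast. None of this is real capture data.
FAILED_HANDSHAKE = [
    ("192.168.1.50", "10.0.0.99", {"SYN"}),
    ("10.0.0.99", "192.168.1.50", {"RST", "ACK"}),
]
GOOD_HANDSHAKE = [
    ("192.168.1.50", "10.0.0.80", {"SYN"}),
    ("10.0.0.80", "192.168.1.50", {"SYN", "ACK"}),
    ("192.168.1.50", "10.0.0.80", {"ACK"}),
]
SILENT_HANDSHAKE = [
    ("192.168.1.50", "10.0.0.7", {"SYN"}),
]

# Plain-English reading of each final state, matching the lesson's explanations.
EXPLANATIONS = {
    "syn_sent": "client sent SYN but no reply was seen (host down, packet lost, "
                "or a firewall silently dropping it)",
    "syn_ack_received": "server answered SYN-ACK but the client's final ACK was not seen",
    "established": "three-way handshake completed (SYN -> SYN-ACK -> ACK)",
    "refused": "server answered RST: it actively refused the connection "
               "(port closed, firewall reject, or service down)",
}


def classify_connections(packets):
    """Walk the packets in order and track one (client, server) attempt at a time.
    Returns a dict of (client, server) -> final state name."""
    state = {}
    for src, dst, flags in packets:
        flags = set(flags)
        fwd, rev = (src, dst), (dst, src)
        if flags == {"SYN"}:
            # A bare SYN opens (or re-opens) an attempt from src to dst.
            state[fwd] = "syn_sent"
        elif state.get(rev) == "syn_sent":
            # This packet is the server's reply to an outstanding SYN.
            if "RST" in flags:
                state[rev] = "refused"
            elif {"SYN", "ACK"} <= flags:
                state[rev] = "syn_ack_received"
        elif state.get(fwd) == "syn_ack_received" and flags == {"ACK"}:
            # Client's final ACK completes the handshake.
            state[fwd] = "established"
    return state


def diagnose(packets):
    """One human-readable line per connection attempt."""
    return [
        f"{client} -> {server}: {EXPLANATIONS[final]}"
        for (client, server), final in classify_connections(packets).items()
    ]


if __name__ == "__main__":
    for line in diagnose(FAILED_HANDSHAKE + GOOD_HANDSHAKE + SILENT_HANDSHAKE):
        print(line)
```

In Wireshark itself the same two packet types can be isolated with the display filters `tcp.flags.syn == 1 && tcp.flags.ack == 0` (connection attempts) and `tcp.flags.reset == 1` (resets); asking the AI for these filters and then checking them against Wireshark's filter bar is a good first verification exercise for Part 3.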
🤖 Part 3: Best Practices for Prompting AI in Cyber
Caution and Responsibility
When using AI tools, students must follow professional standards.
1. The "Cyber Prompting" Framework (R-C-T-C)
To get the most accurate answers, students should use the following framework:
- Role: Tell the AI who it is (e.g., "Act as a friendly cybersecurity instructor").
- Context: Give background (e.g., "I am analyzing a lab network capture in Wireshark").
- Task: Clearly define the request (e.g., "List the filter query to find all DNS traffic").
- Constraints: Define limits (e.g., "Keep it simple, do not use complex jargon").
2. Safe Prompting Rules
[!IMPORTANT] Never upload real-world enterprise log data containing sensitive details to public AI models.
- Redact public IP addresses (replace with `192.0.2.1` or `x.x.x.x`).
- Remove usernames, domain names, or credentials from logs before pasting.
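The two redaction rules above can be automated so students are not doing it by hand. This is an added Python example (not from the lesson or any tool it names) that rewrites a log line before it is pasted into a public AI model: public IPv4 addresses become `192.0.2.1` as the lesson suggests, private lab addresses such as `192.168.x.x` are kept because they carry no real exposure, hostnames become `example.com`, and `user=`/`pass=` style fields and the sshd "for NAME from" pattern are masked. The log lines are constructed samples; the regexes are a starting point, not a complete redaction policy, and anything they miss still has to be checked by eye.

```python
import ipaddress
import re

# Constructed sample log lines (not from a real system).
SAMPLE_LOGS = [
    "Jun 24 10:15:02 fw01.corp.internal kernel: DROP IN=eth0 SRC=8.8.8.8 "
    "DST=192.168.1.50 PROTO=TCP DPT=22",
    "Jun 24 10:15:03 fw01 sshd[4412]: Failed password for jane from 1.1.1.1 "
    "port 51514 ssh2",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Hostname: dotted labels ending in an alphabetic TLD, so bare IPv4 strings never match.
HOSTNAME_RE = re.compile(r"\b[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}\b")
# Credential-ish key=value fields and the common sshd "for NAME from" phrase.
FIELD_PATTERNS = [
    (re.compile(r"\b(user|username|account|login)=(\S+)", re.IGNORECASE), r"\1=<user>"),
    (re.compile(r"\bfor (?:invalid user )?(\S+) from\b"), "for <user> from"),
    (re.compile(r"\b(password|passwd|pass|token|secret)=(\S+)", re.IGNORECASE), r"\1=<secret>"),
]

PUBLIC_IP_PLACEHOLDER = "192.0.2.1"   # RFC 5737 documentation address, as the lesson suggests
HOSTNAME_PLACEHOLDER = "example.com"  # RFC 2606 reserved name


def _redact_ip(match):
    """Keep private/lab addresses, replace everything else with the placeholder.
    ipaddress.is_private also covers 192.0.2.0/24, so the placeholder itself is never re-redacted."""
    try:
        ip = ipaddress.ip_address(match.group(0))
    except ValueError:
        return match.group(0)  # e.g. 999.1.1.1 is not an address; leave it alone
    return str(ip) if ip.is_private else PUBLIC_IP_PLACEHOLDER


def redact_line(line):
    """Apply field masks first (so 'user=jane.doe' is not mistaken for a hostname),
    then IP addresses, then hostnames."""
    for pattern, replacement in FIELD_PATTERNS:
        line = pattern.sub(replacement, line)
    line = IPV4_RE.sub(_redact_ip, line)
    line = HOSTNAME_RE.sub(HOSTNAME_PLACEHOLDER, line)
    return line


def redact_logs(lines):
    return [redact_line(line) for line in lines]


if __name__ == "__main__":
    for original, cleaned in zip(SAMPLE_LOGS, redact_logs(SAMPLE_LOGS)):
        print("before:", original)
        print("after: ", cleaned)
```

A useful classroom check is to run the redacted output back through `IPV4_RE` and confirm that every remaining address is private; if a public address survives, the pattern needs widening before the line goes anywhere near a public model.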
3. Critical Verification (Spotting AI Hallucinations)
AI models can make up commands, parameters, or flag explanations. Teach students to double-check AI-provided command line flags or syntax by looking at:
- Official manuals (e.g., using `man wazuh` or official docs).
- Command help switches (e.g., `tool --help`).
📝 Classroom Exercises & Discussion Prompts
Exercise 1: "Ask the Mentor"
- Provide students with a raw, obfuscated firewall log.
- Ask them to prompt the AI to find out:
  - Which IP address is the attacker?
  - Which port is being targeted?
- Have them write down the prompt they used and discuss what worked best.
Discussion: "When AI is Wrong"
- Ask students: What could happen if a security analyst blindly followed AI-generated advice to delete a file flagged as a false positive?
- Highlight the value of the "trust but verify" principle in security operations.