kholil-lil/wazuh-model

Text Generation | Concurrency Cost: 1 | Model Size: 8B | Quant: FP8 | Ctx Length: 32k | Published: Mar 20, 2025 | License: mit | Architecture: Transformer | Open Weights | Warm

The kholil-lil/wazuh-model is an 8 billion parameter Transformer-based classification model, fine-tuned from LLaMA 3.1 8B by kholil. It is specifically designed to classify Wazuh security alerts as either true positive or false positive, helping SOC analysts reduce false positives. Optimized for security log classification, this model achieves 92% accuracy in identifying critical alerts within Wazuh environments.

Wazuh Alert Classifier: Reducing False Positives in SOC Operations

The kholil-lil/wazuh-model is an 8 billion parameter Transformer-based classification model, fine-tuned from LLaMA 3.1 8B. Developed by kholil, its primary purpose is to classify Wazuh security alerts as either true positive or false positive, significantly aiding SOC analysts in filtering non-critical alerts and focusing on actionable threats.

Key Capabilities & Features

  • Specialized Classification: Designed exclusively for Wazuh alerts, distinguishing between true and false positives.
  • Performance: Achieves 92% accuracy, 91% precision, and 90% recall on a held-out set of labeled Wazuh alerts.
  • Integration Ready: Can be integrated into SIEM systems, security automation platforms, and SOC dashboards.
  • Training: Fine-tuned using instruction-based learning on real-world Wazuh alerts, preprocessed with an Alpaca-style template.
  • Efficiency: Utilizes 4-bit quantization with unsloth and mixed-precision FP16 training for optimized performance.

When to Use This Model

This model is ideal for organizations using Wazuh for security monitoring who want to:

  • Reduce Alert Fatigue: Automatically filter out non-critical alerts, allowing analysts to prioritize.
  • Enhance SOC Efficiency: Streamline alert review processes and improve response times.
  • Integrate with Existing Systems: Seamlessly incorporate alert classification into current security operations.

Limitations

The model is not designed for general cybersecurity analysis outside of Wazuh alerts. It may misclassify alerts because of bias in the security data or evolving attack patterns, so it requires human verification and periodic retraining. The model was trained on alerts of level 3 and above.
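The limitations above translate into a wrapper around the classifier. This added example is not code from the model author: it formats an alert with the standard Alpaca layout, sends alerts below level 3 to an analyst, and treats any ambiguous model output as unclassified. Assumptions: the instruction wording, the label strings and the `generate` callable are hypothetical, since the page does not publish the fine-tuning prompt.

```python
import json

# Standard Alpaca layout; the instruction wording is an assumption, since the
# page does not publish the exact prompt used in fine-tuning.
ALPACA = (
    "Below is an instruction that describes a task, paired with an input that "
    "provides further context. Write a response that appropriately completes "
    "the request.\n\n### Instruction:\n{instruction}\n\n### Input:\n{input}\n\n"
    "### Response:\n"
)
INSTRUCTION = "Classify this Wazuh alert as true positive or false positive."
MIN_LEVEL = 3  # the page states training covered alerts of level 3 and above


def build_prompt(alert):
    # Serialise with sorted keys so the same alert always yields the same prompt.
    return ALPACA.format(instruction=INSTRUCTION,
                         input=json.dumps(alert, sort_keys=True))


def parse_label(text):
    # Accept only an unambiguous verdict; anything else is left for an analyst.
    t = text.strip().lower()
    has_tp, has_fp = "true positive" in t, "false positive" in t
    if has_tp != has_fp:
        return "true_positive" if has_tp else "false_positive"
    return None


def triage(alert, generate):
    """Return (verdict, reason). `generate` is a hypothetical callable that
    sends a prompt to the model and returns its completion text."""
    level = alert.get("rule", {}).get("level")
    if not isinstance(level, int) or level < MIN_LEVEL:
        return "human_review", "level outside training range"
    label = parse_label(generate(build_prompt(alert)))
    if label is None:
        return "human_review", "unparseable model output"
    return label, "model verdict"


# Constructed sample alert using Wazuh's rule/agent field layout.
SAMPLE = {"rule": {"level": 10, "id": "100001",
                   "description": "Constructed: repeated SSH authentication failures"},
          "agent": {"name": "web01"}, "data": {"srcip": "203.0.113.7"}}

if __name__ == "__main__":
    print(triage(SAMPLE, lambda prompt: "True Positive"))
```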
