Question About Alert Extraction in the Wazuh LLM

#1
by bernardespedro - opened

Hello Holil,

I hope you're doing well. I've been exploring your Wazuh alert classification model, and I find the concept very interesting. However, I have a question regarding the extraction of alerts.

In the model's documentation, it’s not clear where you recommend extracting the alerts from within Wazuh. Should I use the web panel, the Wazuh API, Syslog, or another method? Additionally, what would be the best approach to ensure that the extracted alerts match the format used in your model?

Your guidance would be greatly appreciated to make sure I’m using the model correctly.

Thank you in advance for your help and for sharing this great contribution!

Hello Pedro,

The alerts that I extracted in the input example are raw data that I took from the Wazuh alert itself (/var/ossec/logs/alerts/alerts.json). Why did I use the raw data (default) directly? Because I expect this model to be able to adapt to the original Wazuh data better without any part of the alert being reduced at all.

But you can also extract Wazuh alerts via API (External API integration) if needed for live streaming alerts. Create a custom integrator and determine what level of alerts you want to forward to the model. For this model, I take at least level 3 alerts and above.

If you need this model to be trained further with only certain alerts properties, I can share the code I used during the training process.

Reference:

  1. https://documentation.wazuh.com/current/user-manual/manager/integration-with-external-apis.html
  2. https://documentation.wazuh.com/current/user-manual/manager/alert-management.html
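An added example (my own illustration, not the model author's code or anything from this thread) of the extraction the reply describes: read the JSON-lines alert file, keep alerts at rule level 3 and above, and hand each one on as the unchanged raw alert. The sample lines are constructed to mimic /var/ossec/logs/alerts/alerts.json; field values are illustrative.

```python
import json
from typing import Iterator, List

# Constructed sample in the shape of /var/ossec/logs/alerts/alerts.json:
# one JSON object per line. Values are illustrative, not real alerts.
SAMPLE_ALERTS_JSON = """\
{"timestamp":"2024-01-01T00:00:00.000+0000","rule":{"level":2,"description":"Unknown problem somewhere in the system.","id":"1002"},"agent":{"id":"001","name":"web01"},"full_log":"example low-level event"}
{"timestamp":"2024-01-01T00:00:01.000+0000","rule":{"level":5,"description":"sshd: authentication failed.","id":"5716"},"agent":{"id":"001","name":"web01"},"full_log":"sshd[1]: Failed password for invalid user admin from 203.0.113.5 port 4444 ssh2"}
this line is not JSON and must be skipped
{"timestamp":"2024-01-01T00:00:02.000+0000","rule":{"level":3,"description":"Login session opened.","id":"5501"},"agent":{"id":"002","name":"db01"}}
"""

MIN_LEVEL = 3  # the reply forwards level 3 alerts and above


def iter_alerts(text: str, min_level: int = MIN_LEVEL) -> Iterator[dict]:
    """Yield raw alert dicts whose rule.level >= min_level.

    Lines that are not valid JSON (e.g. a line still being written when the
    file was read, or debris after log rotation) are skipped, not raised.
    """
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue
        level = alert.get("rule", {}).get("level")
        if isinstance(level, int) and level >= min_level:
            yield alert


def extract(text: str, min_level: int = MIN_LEVEL) -> List[dict]:
    """Collect the alerts that pass the level filter, unmodified."""
    return list(iter_alerts(text, min_level))


def to_model_input(alert: dict) -> str:
    """Serialize the whole alert as-is; no fields are reduced, as in the reply."""
    return json.dumps(alert, separators=(",", ":"))


def extract_from_file(path: str, min_level: int = MIN_LEVEL) -> List[str]:
    """Read a real alerts.json (assumed path) and return model-ready strings."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return [to_model_input(a) for a in iter_alerts(fh.read(), min_level)]


if __name__ == "__main__":
    for s in (to_model_input(a) for a in extract(SAMPLE_ALERTS_JSON)):
        print(s)
```

For live forwarding, the same filter applies inside a Wazuh custom integration script; the file-based reader above is for batch use on the alert log.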