TigaSahabatGroup/Guardium
GUARDIUM


GUARDIUM is an intelligent Wazuh rule optimization framework designed to reduce false positives, improve alert accuracy, and assist SOC teams in maintaining high-quality SIEM detections. GUARDIUM combines rule analysis, threat context, and Large Language Models (LLMs) to automatically evaluate, explain, and optimize Wazuh rules.


🚀 Key Features

  • Wazuh Rule Optimization: automatically analyzes existing Wazuh rules and suggests improvements to reduce noise and false positives.

  • False Positive vs True Positive Analysis: uses contextual reasoning and historical alert patterns to distinguish between false positives and real threats.

  • LLM-Powered Rule Refinement: integrates fine-tuned Large Language Models to rewrite or enhance Wazuh rules without breaking their original structure.

  • Autonomous Detection Levels: supports multi-level detection logic (e.g., heuristic, behavioral, and autonomous threat scoring).

  • Explainable Security Decisions: provides human-readable explanations for why a rule is optimized or flagged as weak.


🏗️ Architecture Overview

GUARDIUM is designed as a modular system:

  1. Input Layer

    • Wazuh rules (XML)
    • Wazuh alerts and logs
  2. Analysis Engine

    • Pattern recognition
    • Threat scoring
    • Historical event correlation
  3. LLM Optimization Layer

    • Rule evaluation
    • Rule rewriting suggestions
    • False positive reasoning
  4. Output Layer

    • Optimized Wazuh rules
    • Explanation reports
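To make the Input Layer to Output Layer flow concrete, here is an added example (not code from the GUARDIUM repository) that parses a constructed Wazuh rules file, correlates each rule with constructed analyst verdicts on its historical alerts, and emits a per-rule false-positive score with a human-readable reason. The rule ids, alert verdicts and the 50% threshold are assumptions chosen for the illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample: two rules in the standard Wazuh <group><rule> XML layout.
SAMPLE_RULES = """<group name="example,">
  <rule id="100001" level="5">
    <if_sid>5716</if_sid>
    <description>sshd: authentication failed (constructed example)</description>
  </rule>
  <rule id="100002" level="10">
    <if_sid>5716</if_sid>
    <srcip>!10.0.0.0/8</srcip>
    <frequency>8</frequency>
    <timeframe>120</timeframe>
    <description>sshd: brute force from outside the LAN (constructed example)</description>
  </rule>
</group>"""

# Constructed sample: analyst-labelled historical alerts as (rule id, verdict) pairs.
SAMPLE_ALERTS = ([("100001", "fp")] * 9 + [("100001", "tp")]
                 + [("100002", "tp")] * 4 + [("100002", "fp")])

def parse_rules(xml_text):
    """Return {rule_id: {"level": int, "conditions": [tag, ...]}} from Wazuh rule XML."""
    root = ET.fromstring(xml_text)
    rules = {}
    for rule in root.iter("rule"):
        # Child elements that narrow a match; parent links and metadata are excluded.
        conds = [c.tag for c in rule if c.tag not in ("description", "group", "if_sid", "if_group")]
        rules[rule.get("id")] = {"level": int(rule.get("level", "0")), "conditions": conds}
    return rules

def score_rules(rules, alerts, fp_threshold=0.5):
    """Compute each rule's false-positive ratio and explain why it is flagged or kept."""
    counts = Counter(alerts)
    report = {}
    for rid, meta in rules.items():
        fp, tp = counts[(rid, "fp")], counts[(rid, "tp")]
        total = fp + tp
        ratio = fp / total if total else 0.0
        reasons = []
        if ratio >= fp_threshold:
            reasons.append(f"{fp}/{total} historical alerts were false positives")
        if not meta["conditions"]:
            reasons.append("no narrowing condition beyond the parent rule")
        report[rid] = {"fp_ratio": round(ratio, 2), "flagged": bool(reasons), "reasons": reasons}
    return report

if __name__ == "__main__":
    for rid, r in score_rules(parse_rules(SAMPLE_RULES), SAMPLE_ALERTS).items():
        print(rid, "FLAG" if r["flagged"] else "ok", r["fp_ratio"], "; ".join(r["reasons"]))
```

The flagged rule 100001 is the kind of candidate an analyst would then hand to the LLM Optimization Layer for a rewrite, while 100002 (scoped by source network and frequency) is left alone.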

⚙️ Installation

Prerequisites

  • Python 3.10+
  • Wazuh Manager
  • GPU recommended (for LLM inference)

Setup

bash setup.sh

▶️ Usage

Run the interactive optimization engine:

python chat.py

You can:

  • Paste Wazuh rules for evaluation
  • Submit logs/alerts for false/true positive analysis
  • Request optimized versions of existing rules

🎯 Use Cases

  • SOC teams struggling with alert fatigue
  • Blue teams tuning Wazuh rules
  • Security researchers studying detection quality
  • SIEM environments with high false positive rates

🔒 Security Philosophy

GUARDIUM follows a human-in-the-loop approach:

  • Rules are suggested, not automatically enforced
  • Analysts maintain full control
  • Transparency and explainability are prioritized

🧠 Future Roadmap

  • Web-based dashboard
  • Direct Wazuh API integration
  • Continuous learning from analyst feedback
  • Rule performance scoring metrics

📜 License

This project is released under the MIT License.


👤 Author

UNKNOWNMAN
Cyber Security Enthusiast


⭐ Acknowledgments

  • Wazuh Community
  • Open-source security researchers
  • Fellow authors
  • LLM and AI security practitioners

GUARDIUM aims to act as a digital security analyst—reducing noise, improving clarity, and strengthening detection logic.
