Enhancing the Actionability of Intrusion Detection Systems Through Explainable Artificial Intelligence: A Case Study in Mitigating False Alerts in Wazuh
Keywords:
Explainable Artificial Intelligence, Wazuh SIEM, False Positive Reduction, Security Operations Centre, Intrusion Detection Systems

Abstract
Intrusion Detection Systems and SIEM platforms such as Wazuh are essential for detecting cyber threats, yet their effectiveness is constrained by high false positive rates and by the limited interpretability of alert decisions. This study introduces an XAI-enhanced Wazuh framework that shifts the focus from detection accuracy alone to actionable alert explainability, addressing the root cause of false positives by making the reasons behind each alert interpretable. The research adopts an applied mixed-methods approach built on a design–implementation–evaluation cycle with Six Sigma integration, combining quantitative validation with analyst-driven qualitative assessment. The framework integrates XAI techniques such as SHAP and LIME into a five-step alert analysis workflow and is evaluated on the UNSW-NB15 and CIC-IDS2018 datasets within a Wazuh–ELK environment. The results indicate that embedding explainability substantially improves SOC performance by enabling more precise analyst decisions. Preliminary results show a reduction in false positives of 25 to 65 percent and an improvement in Mean Time to Discover of 20 to 40 percent, with only a minimal increase in false negatives. The findings indicate that false alerts are driven primarily by a lack of contextual interpretability rather than by detection limitations. By exposing each feature's contribution to an alert through the framework's feature vectors and explanation functions, analysts can tune detection rules systematically, reducing alert ambiguity and fatigue. The study also establishes a measurable relationship between explainability and operational metrics, bridging a gap in existing SIEM research. Integrating XAI into Wazuh transforms alert handling from reactive filtering into informed decision-making, improving both the effectiveness and the efficiency of security operations.
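The abstract describes exposing feature-level contributions for a Wazuh alert so that an analyst can see which feature drove the decision and tune the rule accordingly. The following is an added illustration of that idea and is not the paper's code, its Wazuh–ELK pipeline, or the SHAP/LIME library output it evaluates. It flattens a constructed Wazuh-style alert (real Wazuh field names, made-up values) plus a constructed enrichment (a scanner allow-list and a failed-login count) into a feature vector, scores it with a hypothetical rule-based triage model, and computes exact Shapley values of that score against a chosen baseline alert by brute force over feature coalitions, the same quantity SHAP approximates for large models. The model weights, the baseline and the enrichment values are all assumptions made for the example.

```python
"""Exact Shapley attributions for a hypothetical Wazuh alert triage scorer.

Added example, not the paper's code. The scorer, the sample alert, the
enrichment and the baseline are constructed for illustration only.
"""
import itertools
import json
from datetime import datetime
from math import factorial

# Constructed Wazuh-style alert: field layout follows Wazuh's alerts.json,
# the values are made up.
SAMPLE_ALERT = json.dumps({
    "timestamp": "2026-03-14T02:17:45.123+0000",
    "rule": {"id": "5712", "level": 10,
             "description": "sshd: brute force trying to get access to the system.",
             "groups": ["syslog", "sshd", "authentication_failures"]},
    "agent": {"name": "web-01"},
    "data": {"srcip": "203.0.113.7", "dstuser": "root"},
})

# Constructed enrichment an analyst pipeline might supply (hypothetical).
KNOWN_SCANNERS = {"203.0.113.7"}          # allow-listed vulnerability scanners
FAILED_LOGINS_10M = {"203.0.113.7": 8}    # failed logins per source, last 10 min

FEATURES = ["rule_level", "failed_logins_10m", "off_hours", "known_scanner"]
# Baseline = "typical benign alert"; contributions are measured relative to it.
BASELINE = {"rule_level": 3, "failed_logins_10m": 0, "off_hours": 0, "known_scanner": 0}


def alert_to_features(alert_json: str) -> dict:
    """Flatten a Wazuh alert plus enrichment into the model's feature vector."""
    a = json.loads(alert_json)
    ts = datetime.strptime(a["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
    src = a.get("data", {}).get("srcip", "")
    return {
        "rule_level": int(a["rule"]["level"]),
        "failed_logins_10m": FAILED_LOGINS_10M.get(src, 0),
        "off_hours": int(ts.hour < 6 or ts.hour >= 22),
        "known_scanner": int(src in KNOWN_SCANNERS),
    }


def risk_score(f: dict) -> float:
    """Hypothetical triage scorer with an interaction term and a suppression
    term, so attributions are not simply weight times value."""
    s = 2.0 * f["rule_level"]
    if f["failed_logins_10m"] >= 5:
        s += 40.0
        if f["off_hours"]:
            s += 20.0            # brute force outside business hours weighs more
    if f["known_scanner"]:
        s *= 0.5                 # an allow-listed scanner halves the score
    return s


def shapley_values(x: dict, baseline: dict, model, names=FEATURES) -> dict:
    """Exact Shapley values of model(x) relative to model(baseline).

    Features outside the coalition take their baseline value (the
    interventional convention). Cost is 2^n model calls per feature, so this
    is only practical for a handful of features; SHAP approximates it."""
    n = len(names)
    phi = {name: 0.0 for name in names}

    def f_of(coalition):
        return model({k: (x[k] if k in coalition else baseline[k]) for k in names})

    for i in names:
        others = [k for k in names if k != i]
        for r in range(n):
            w = factorial(r) * factorial(n - r - 1) / factorial(n)
            for subset in itertools.combinations(others, r):
                s = set(subset)
                phi[i] += w * (f_of(s | {i}) - f_of(s))
    return phi


def explain_alert(alert_json: str) -> dict:
    """Score the alert and rank features by absolute contribution."""
    x = alert_to_features(alert_json)
    phi = shapley_values(x, BASELINE, risk_score)
    ranked = sorted(phi.items(), key=lambda kv: abs(kv[1]), reverse=True)
    return {"features": x, "score": risk_score(x),
            "baseline_score": risk_score(BASELINE),
            "contributions": phi, "ranked": ranked}


def tuning_hint(explanation: dict, alert_json: str) -> str:
    """Turn the explanation into a concrete rule-tuning suggestion (hypothetical)."""
    rule_id = json.loads(alert_json)["rule"]["id"]
    top, value = explanation["ranked"][0]
    suppressor = min(explanation["contributions"].items(), key=lambda kv: kv[1])
    if suppressor[0] == "known_scanner" and suppressor[1] < 0:
        return (f"rule {rule_id}: score driven by {top} ({value:+.1f}) but the "
                f"source is an allow-listed scanner ({suppressor[1]:+.1f}); "
                f"consider a child rule that lowers the level for that srcip")
    return f"rule {rule_id}: top driver {top} ({value:+.1f}); no suppression applies"


if __name__ == "__main__":
    expl = explain_alert(SAMPLE_ALERT)
    for name, v in expl["ranked"]:
        print(f"{name:20s} {v:+8.3f}")
    print(tuning_hint(expl, SAMPLE_ALERT))
```

The sum of the four contributions equals the score difference between the alert and the baseline (the efficiency property), which is the check to run before trusting any explanation output: if a library's attributions do not add up to the model's own prediction, the explanation is not describing the model that fired the alert.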
Copyright (c) 2026 50sea

This work is licensed under a Creative Commons Attribution 4.0 International License.