ML-Driven Log Analysis for Real-Time Cyber Threat Detection in Security Operation Centers
Abstract
The escalating sophistication of cyber threats necessitates advanced threat detection in Security Operation Centers (SOCs). This study aims to enhance the capabilities of Wazuh, an open-source Security Information and Event Management (SIEM) system, by addressing its primary limitation: high false positive rates in rule-based detection. We propose integrating machine learning (ML) to improve detection accuracy and operational efficiency. The approach involves training and evaluating ML models—Random Forest (RF), Support Vector Machine (SVM), K-Nearest Neighbors (KNN), Logistic Regression, and Gaussian Naive Bayes—alongside clustering algorithms (DBSCAN, K-means, Isolation Forest) using 10-fold cross-validation. Results demonstrate that RF achieved the highest performance with an accuracy of 0.972, precision of 0.982, recall of 0.975, and F1-Score of 0.978, while DBSCAN excelled in clustering with a 91.06% accuracy and 0.0821 false positive rate. This integration significantly reduced false positives, enhancing alert management and enabling efficient real-time threat detection. The study contributes to cybersecurity by demonstrating that ML integration with Wazuh markedly improves threat detection, reduces operational overhead in SOCs, and establishes a more adaptive security framework.
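The abstract reports classifier quality as accuracy, precision, recall, F1-score and false positive rate under 10-fold cross-validation. The following is an added, self-contained example that is not code from the paper or from the Wazuh project: it builds a small constructed set of alert feature vectors (the feature names, values and labels are hypothetical), trains one of the models the abstract lists, Gaussian Naive Bayes, in pure Python, and evaluates it with stratified 10-fold cross-validation using exactly those five metrics, so a reader can see how a reported false positive rate is derived from the pooled confusion matrix. It goes slightly beyond the abstract by making the fold assignment stratified, which keeps the class ratio stable in every fold.

```python
"""Added example: k-fold evaluation of an alert classifier with SOC-style metrics.

Everything here is constructed for illustration; it is not the paper's data,
model or code, and the feature names are hypothetical.
"""
import math
import random
from collections import defaultdict


def make_alerts(n=200, seed=7):
    """Constructed alert records: (failed_logins_per_min, distinct_dst_ports,
    bytes_out_kb, rule_level) with label 1 = analyst-confirmed true positive,
    0 = benign/false positive. The distributions are invented."""
    rng = random.Random(seed)
    data = []
    for i in range(n):
        if i % 2 == 0:  # alerts that turned out to be real incidents
            x = [rng.gauss(25, 6), rng.gauss(40, 10), rng.gauss(800, 200), rng.gauss(11, 2)]
            y = 1
        else:           # alerts that a rule fired on but were benign
            x = [rng.gauss(3, 2), rng.gauss(4, 2), rng.gauss(120, 60), rng.gauss(6, 2)]
            y = 0
        data.append((x, y))
    rng.shuffle(data)
    return data


class GaussianNB:
    """Minimal Gaussian Naive Bayes: per-class feature mean/variance and prior."""

    def fit(self, X, y):
        self.classes = sorted(set(y))
        self.prior, self.mean, self.var = {}, {}, {}
        for c in self.classes:
            rows = [x for x, lab in zip(X, y) if lab == c]
            d = len(rows[0])
            self.prior[c] = len(rows) / len(X)
            self.mean[c] = [sum(r[j] for r in rows) / len(rows) for j in range(d)]
            # small epsilon keeps the log-density finite for constant features
            self.var[c] = [sum((r[j] - self.mean[c][j]) ** 2 for r in rows) / len(rows) + 1e-9
                           for j in range(d)]
        return self

    def _log_posterior(self, x, c):
        ll = math.log(self.prior[c])
        for xj, m, v in zip(x, self.mean[c], self.var[c]):
            ll += -0.5 * math.log(2 * math.pi * v) - (xj - m) ** 2 / (2 * v)
        return ll

    def predict(self, X):
        return [max(self.classes, key=lambda c: self._log_posterior(x, c)) for x in X]


def confusion(y_true, y_pred):
    """Return (tp, fp, fn, tn) treating label 1 as the positive class."""
    tp = sum(1 for t, p in zip(y_true, y_pred) if t == 1 and p == 1)
    fp = sum(1 for t, p in zip(y_true, y_pred) if t == 0 and p == 1)
    fn = sum(1 for t, p in zip(y_true, y_pred) if t == 1 and p == 0)
    tn = sum(1 for t, p in zip(y_true, y_pred) if t == 0 and p == 0)
    return tp, fp, fn, tn


def metrics(tp, fp, fn, tn):
    """The five figures the abstract reports; FPR is the share of benign alerts
    the model still escalates, i.e. the false positives a SOC analyst would see."""
    total = tp + fp + fn + tn
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {
        "accuracy": (tp + tn) / total if total else 0.0,
        "precision": precision,
        "recall": recall,
        "f1": f1,
        "fpr": fp / (fp + tn) if fp + tn else 0.0,
    }


def stratified_folds(data, k):
    """Round-robin each class into k folds so every fold keeps the class ratio."""
    by_class = defaultdict(list)
    for idx, (_, y) in enumerate(data):
        by_class[y].append(idx)
    folds = [[] for _ in range(k)]
    for idxs in by_class.values():
        for i, idx in enumerate(idxs):
            folds[i % k].append(idx)
    return folds


def cross_validate(data, k=10):
    """Train on k-1 folds, test on the held-out fold, pool the confusion counts."""
    tp = fp = fn = tn = 0
    for test_idx in stratified_folds(data, k):
        held_out = set(test_idx)
        train = [data[i] for i in range(len(data)) if i not in held_out]
        model = GaussianNB().fit([x for x, _ in train], [y for _, y in train])
        preds = model.predict([data[i][0] for i in test_idx])
        a, b, c, d = confusion([data[i][1] for i in test_idx], preds)
        tp, fp, fn, tn = tp + a, fp + b, fn + c, tn + d
    return metrics(tp, fp, fn, tn)


if __name__ == "__main__":
    for name, value in cross_validate(make_alerts()).items():
        print(f"{name:>9}: {value:.4f}")
```

Pooling the confusion counts across folds (rather than averaging per-fold scores) is what makes the reported false positive rate interpretable as "benign alerts escalated per benign alert seen" over the whole dataset; replacing `GaussianNB` with any of the other listed models leaves the evaluation loop unchanged.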