AI Augmented Alert Triage: When More Visibility Creates a New Problem
How a locally hosted LLM triage layer transformed a noisy Wazuh SIEM from a source of alert fatigue into an actionable, privacy-preserving SOC for the homelab.
title: "AI Augmented Alert Triage: When More Visibility Creates a New Problem" description: "How a locally hosted LLM triage layer transformed a noisy Wazuh SIEM from a source of alert fatigue into an actionable, privacy-preserving SOC for the homelab." date: "2026-07-03" category: "Security Operations" tags: ["Wazuh", "SIEM", "AI Security", "Homelab SOC", "Alert Triage", "Ollama"] author: "Stephen Nnamani" readingTime: "5 min" image: "/images/blog/wazuh-ai-triage.png"
AI Augmented Alert Triage: When More Visibility Creates a New Problem
By Stephen Nnamani — Cybersecurity Analyst | Cloud & Network Security
There is a version of the homelab SIEM story that goes well. You deploy Wazuh. You integrate Suricata for network intrusion detection. You layer in CrowdSec for threat intelligence feeds. Within days, you have genuine visibility across fifteen or more hosts — desktops, laptops, virtual machines — that previously had none. The dashboard lights up. Events flow. Alerts fire. It feels like the problem is solved.
It is not. What you have built is a noise machine.
The system I described was generating hundreds of events daily. High and Critical severity alerts queued up faster than any single analyst — even a motivated one at eleven at night — could work through them. The majority turned out to be false positives: Wazuh firing on expected system behaviour that had not been tuned out, Suricata flagging benign scanning activity, CrowdSec matching internal IP ranges against threat feeds. The ratio of genuine threats to noise looked far worse than the absence of monitoring had suggested. A SIEM without intelligent triage is not a security tool. It is noise at scale.
The Design Question
The core challenge is architectural, not operational. Tuning rules manually — suppressing signatures, building exception lists, refining thresholds — is a remediation strategy for known noise patterns. It does not solve the underlying problem, which is that the volume of events requiring human cognitive attention will always tend to exceed the bandwidth of a single analyst, particularly in an environment with no dedicated SOC resource and no working hours.
The more defensible approach borrows a principle from endpoint detection and response: automate the triage decision so that human attention is reserved for what genuinely warrants it. The same logic that drives SOAR platforms in enterprise environments applies here, scaled to the constraint.
The Triage Layer
Rather than sending every qualifying alert to a human, a lightweight Python integration intercepts Wazuh alerts at severity level 7 and above and routes them to a locally hosted large language model — Ollama running qwen2.5:7b-instruct on the Windows host at 192.168.50.51. The model receives the full alert context: rule description, agent identity, the relevant MITRE ATT&CK tactic and technique, and the raw event details.
What comes back is a structured SOC-style analysis. The model returns an assessment — true positive, false positive, or requires investigation — mapped to the applicable MITRE technique with brief commentary on why, recommended containment steps, and a confidence rating. Every analysis, regardless of outcome, is written to a persistent log. Nothing is silently dropped.
The confidence rating is the routing mechanism. When the model returns a High confidence assessment, a Telegram notification fires: a concise, already analysed alert delivered directly to a phone, with context and next steps written. Events rated Medium or Low confidence stay in the log and are available for review, but they do not generate an interrupt. The audit trail is complete. The cognitive overhead of manual triage is not.
Why This Architecture
Privacy and data sovereignty were the first design constraints. All inference runs locally on my hardware. No alert data — which includes internal hostnames, IP addresses, and event details — leaves the network. That constraint immediately rules out AI APIs hosted in the cloud, and it makes the locally hosted model not a compromise but the correct design choice for this environment.
The second principle is that noise reduction must not create blind spots. Every qualifying alert is evaluated. The LLM sees them all. The difference is that the system decides what deserves your attention at 11 PM versus what can wait for a morning review. This is meaningfully different from alert suppression, which discards events before analysis. Here, the analysis happens. The notification is what gets filtered.
The third consideration was appropriate tooling for the context. An enterprise SOC solves the same problem with dedicated SOAR platforms, playbook automation, and analyst teams. For a homelab, a Telegram notification from a locally hosted AI achieves the same operational outcome — actionable intelligence on demand — at zero recurring cost. The architecture does not pretend to be something it is not. It is correctly sized for the environment.
What I find professionally interesting about this pattern is its extensibility. The Telegram channel is just a delivery endpoint. The same integration logic works against a Slack webhook, a custom Wazuh dashboard widget, or a genuine SOAR platform. The next phase of the roadmap grounds the model's responses in a retrieval-augmented generation layer — pulling from NIST 800-53 controls and CIS Benchmarks at inference time — so that alert triage becomes compliance-aware incident response, not just noise reduction.
What Changed
The operational shift is unambiguous. Before the integration, alert triage was a manual exercise that ran for hours and produced diminishing returns. After it, a single Telegram notification arrives when something genuinely warrants attention, with the MITRE context and containment steps already written. The homelab SIEM moved from being a source of cognitive load to functioning the way a SIEM is supposed to function: as an early warning layer that surfaces signal, not noise.
The judgement behind that shift — that the correct response to alert fatigue is not fewer alerts but smarter routing — is the same judgement applied in enterprise SOC design. The scale is different. The principle is not.
Stephen Nnamani is a cybersecurity analyst with hands-on experience in homelab SOC design, SIEM deployment, and security automation. Connect on LinkedIn or explore his project documentation at cloudtechengine.com.