add: FAQ

README.md

@@ -212,6 +212,35 @@ The model demonstrates high accuracy in classifying Wazuh alerts but may require
 - **Libraries:** Transformers, Hugging Face Datasets, Unsloth
 - **Training Platform:** Google Cloud Platform (Compute Engine)
 
+## 🧠 FAQ
+
+### Q: Where should I extract the alerts from within Wazuh for this model?
+
+The alerts in the example input are raw JSON data extracted from the Wazuh alert log at:
+
+`/var/ossec/logs/alerts/alerts.json`
+
+
+Using raw alert data is recommended because it provides the **full unaltered structure** of each alert. This ensures the model learns from and classifies alerts based on **complete original context**, which helps improve its real-world usability.
+
+That said, you're also free to extract alerts via:
+
+- **Custom external integrations**
+
+If you're working on **real-time alert processing**, using Wazuh's [external API integrations](https://documentation.wazuh.com/current/user-manual/manager/integration-with-external-apis.html) is ideal. You can configure your custom integration to only forward certain alert levels (e.g., level ≥ 3).
+
+> 💡 For this model, alerts of **level 3 and above** were used during training.
+
+If you'd like to **retrain or fine-tune** the model on specific alert fields only (e.g., `rule.description`, `full_log`, etc.), feel free to reach out — I can share the training script used in this project.
+
+---
+
+**References:**
+
+- 📘 [Wazuh Alert Management](https://documentation.wazuh.com/current/user-manual/manager/alert-management.html)  
+- 🔌 [Wazuh API Integration](https://documentation.wazuh.com/current/user-manual/manager/integration-with-external-apis.html)
+
+
 ## Citation
 
 **BibTeX:**