ARTFEED — Contemporary Art Intelligence

LLM Agent Automates Security Alert Investigation

ai-technology · 2026-04-30

An experimental workflow described in arXiv paper 2604.25846 uses large language models (LLMs) to carry out the first pass of a security alert investigation. The model is given a fixed set of predefined queries and deliberately limited tool access, namely structured SQL over Suricata logs and grep-based text search. The workflow first runs queries that summarise the data available for the alert. The LLM then chooses which of the predefined queries to run on the basis of that summary, extracts the raw evidence from the results, and issues a final verdict on the alert. The aim is to cut the time analysts spend manually correlating alerts across log sources. The paper reports that the LLM-driven workflow achieves significantly higher accuracy both in choosing which log sources to investigate and in the final verdict.

Key facts

  • Paper arXiv:2604.25846 presents an agentic workflow for security alert investigation.
  • Workflow uses LLMs augmented with predefined queries and constrained tool access.
  • Tools include structured SQL over Suricata logs and grep-based text search.
  • The workflow first runs fixed queries to give the model an overview of the available data.
  • LLM selects queries based on overview results.
  • LLM extracts raw evidence from query results.
  • LLM delivers a final verdict on the alert.
  • Results show significantly higher accuracy in final verdicts.
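The loop summarised above, written out as an added example (it is not code from the paper and reproduces none of its prompts or datasets): a predefined query catalogue over Suricata EVE alerts loaded into SQLite, a fixed-string grep over one allow-listed log source, a scripted stand-in for the LLM step, and a verdict built only from evidence the tools returned. The EVE records, the auth-log lines, the catalogue and the `scripted_analyst` function are all constructed for this illustration. The security-relevant point it shows is the constraint: the model names a catalogue entry and supplies typed parameters, it never writes SQL, so a request outside the catalogue is refused and logged rather than executed.

```python
"""Constrained-tool alert investigation loop (added example, not the paper's code).

Everything below is constructed for illustration: the EVE alert lines, the auth
log, the query catalogue and the scripted analyst that stands in for the LLM.
"""
import json
import re
import sqlite3

# Constructed Suricata EVE JSON alert records (hypothetical traffic).
EVE_LINES = [
    '{"timestamp":"2026-04-30T10:00:01Z","src_ip":"10.0.0.5","dest_ip":"10.0.0.20",'
    '"dest_port":22,"alert":{"signature":"ET SCAN Potential SSH Scan","severity":2}}',
    '{"timestamp":"2026-04-30T10:00:07Z","src_ip":"10.0.0.5","dest_ip":"10.0.0.21",'
    '"dest_port":22,"alert":{"signature":"ET SCAN Potential SSH Scan","severity":2}}',
    '{"timestamp":"2026-04-30T10:01:30Z","src_ip":"10.0.0.5","dest_ip":"10.0.0.20",'
    '"dest_port":22,"alert":{"signature":"ET POLICY SSH session in progress","severity":3}}',
    '{"timestamp":"2026-04-30T10:05:00Z","src_ip":"10.0.0.9","dest_ip":"10.0.0.20",'
    '"dest_port":443,"alert":{"signature":"ET INFO TLS Handshake","severity":3}}',
]

# Constructed host auth log: the only text source the grep tool is allowed to read.
AUTH_LOG = """\
Apr 30 10:00:02 web01 sshd[412]: Failed password for root from 10.0.0.5 port 51120 ssh2
Apr 30 10:00:04 web01 sshd[412]: Failed password for root from 10.0.0.5 port 51121 ssh2
Apr 30 10:01:29 web01 sshd[420]: Accepted password for deploy from 10.0.0.5 port 51140 ssh2
Apr 30 10:05:01 web01 sshd[431]: Accepted publickey for ops from 10.0.0.9 port 40010 ssh2
"""

# Predefined query catalogue: name -> (parameterised SQL, parameter kinds).
# The model only ever chooses a name and supplies parameters; it never writes SQL.
QUERY_CATALOG = {
    "overview": ("SELECT src_ip, COUNT(*) AS n, MIN(severity) AS worst "
                 "FROM alerts GROUP BY src_ip ORDER BY n DESC", ()),
    "alerts_by_src": ("SELECT timestamp, dest_ip, dest_port, signature "
                      "FROM alerts WHERE src_ip = ? ORDER BY timestamp", ("ip",)),
}
IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def load_alerts(lines):
    """Flatten EVE alert records into an in-memory SQLite table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE alerts(timestamp, src_ip, dest_ip, dest_port, signature, severity)")
    for line in lines:
        r = json.loads(line)
        db.execute("INSERT INTO alerts VALUES (?,?,?,?,?,?)",
                   (r["timestamp"], r["src_ip"], r["dest_ip"], r["dest_port"],
                    r["alert"]["signature"], r["alert"]["severity"]))
    return db


def run_query(db, name, params=()):
    """Run a catalogue query by name with shape-checked parameters; refuse anything else."""
    if name not in QUERY_CATALOG:
        raise PermissionError(f"query not in catalogue: {name!r}")
    sql, kinds = QUERY_CATALOG[name]
    if len(params) != len(kinds) or not all(
            IP_RE.match(p) for p, k in zip(params, kinds) if k == "ip"):
        raise ValueError(f"parameters do not match catalogue entry {name!r}")
    return db.execute(sql, params).fetchall()


def grep_tool(needle, max_hits=20):
    """Fixed-string search (no regex, so log content cannot inject a pattern) over AUTH_LOG."""
    return [line for line in AUTH_LOG.splitlines() if needle in line][:max_hits]


def scripted_analyst(step, context):
    """Deterministic stand-in for the LLM step (hypothetical; not the paper's prompting)."""
    if step == "select":
        top_ip = context["overview"][0][0]          # pivot on the noisiest source
        return [("sql", ("alerts_by_src", (top_ip,))),
                ("grep", (top_ip,)),
                ("sql", ("DROP TABLE alerts", ()))]  # off-catalogue request: must be refused
    failed = sum("Failed password" in l for l in context["grep"])
    accepted = sum("Accepted" in l for l in context["grep"])
    scans = sum(1 for _, rows in context["sql"] for r in rows if "SCAN" in r[3])
    if scans and failed and accepted:
        return ("true_positive",
                f"{scans} scan alerts, {failed} failed then {accepted} accepted logins from same source")
    if scans:
        return ("needs_review", "scan activity without a confirmed login")
    return ("benign", "no scan or credential evidence")


def investigate(db, analyst=scripted_analyst):
    """Overview -> model selects tools -> evidence gathered -> verdict from evidence only."""
    overview = run_query(db, "overview")
    evidence = {"overview": overview, "sql": [], "grep": [], "refused": []}
    for tool, arg in analyst("select", {"overview": overview}):
        try:
            if tool == "sql":
                evidence["sql"].append((arg[0], run_query(db, *arg)))
            elif tool == "grep":
                evidence["grep"].extend(grep_tool(*arg))
            else:
                raise PermissionError(f"unknown tool {tool!r}")
        except (PermissionError, ValueError) as exc:
            evidence["refused"].append(str(exc))     # recorded for audit, never executed
    return analyst("verdict", evidence), evidence


if __name__ == "__main__":
    verdict, ev = investigate(load_alerts(EVE_LINES))
    print("verdict:", verdict)
    print("refused:", ev["refused"])
```

The refusal list is worth keeping in the investigation record: a model that repeatedly asks for tools outside the catalogue is itself a signal, either of a prompt-injection attempt carried in log content or of a prompt that needs tightening.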

Entities

Institutions

  • arXiv
