LLM Framework Automates SOC Threat Detection and Response
A new end-to-end framework for Security Operations Centers (SOCs) integrates ensemble-based detection, syntax-constrained query generation, and retrieval-augmented resolution support. The detection module combines three large language models (LLMs) into an ensemble, achieving 82.8% accuracy with a 0.120 false positive rate on SIEM logs. The SQM (Syntax Query Metadata) architecture generates executable queries for IBM QRadar and Google SecOps using platform-specific syntax constraints and documentation-grounded prompting. The framework addresses challenges from increasing threat volumes and heterogeneous SIEM platforms by automating critical security workflows.
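The syntax-constrained query generation described above only pays off if a generated query is checked against the platform grammar before a SOC analyst runs it against the SIEM. The following validator is an added example, not code from the paper or from IBM: it screens candidate QRadar AQL queries against an assumed, deliberately narrow read-only shape (SELECT over an allowlisted table and fields, mandatory LAST time window, no statement stacking or unbalanced literals). The AQL subset, the field allowlist and the candidate queries are all constructed for illustration.

```python
import re

# Assumed, simplified subset of QRadar AQL: SELECT fields FROM table [WHERE ...] LAST n UNIT.
# The real grammar is larger; this allowlist is an illustration of the constraint idea.
ALLOWED_TABLES = {"events", "flows"}
ALLOWED_FIELDS = {"*", "sourceip", "destinationip", "username", "eventname", "magnitude", "starttime"}
AQL_SHAPE = re.compile(
    r"^\s*SELECT\s+(?P<fields>.+?)\s+FROM\s+(?P<table>\w+)"
    r"(?:\s+WHERE\s+(?P<where>.+?))?\s+LAST\s+\d+\s+(?:MINUTES|HOURS|DAYS)\s*$",
    re.IGNORECASE | re.DOTALL,
)
# Statement stacking, comments and write verbs have no place in an evidence-collection query.
FORBIDDEN = re.compile(r";|--|/\*|\b(?:DELETE|UPDATE|INSERT|DROP|ALTER)\b", re.IGNORECASE)


def validate_aql(query: str):
    """Return (ok, reason); ok is True only for a query that fits the constrained shape."""
    if FORBIDDEN.search(query):
        return False, "forbidden token"
    m = AQL_SHAPE.match(query)
    if not m:
        return False, "must be SELECT ... FROM <table> [WHERE ...] LAST <n> <unit>"
    table = m.group("table").lower()
    if table not in ALLOWED_TABLES:
        return False, f"table not allowed: {table}"
    bad = [f for f in (x.strip().lower() for x in m.group("fields").split(",")) if f not in ALLOWED_FIELDS]
    if bad:
        return False, f"field not allowed: {bad[0]}"
    where = m.group("where") or ""
    if where.count("'") % 2:  # a truncated or malformed generation often leaves an open literal
        return False, "unbalanced string literal in WHERE"
    return True, "ok"


# Constructed candidate outputs of a hypothetical LLM query generator (not real model output).
CANDIDATES = {
    "good": "SELECT sourceip, destinationip, username FROM events WHERE username = 'svc_backup' LAST 24 HOURS",
    "no_window": "SELECT sourceip FROM events WHERE magnitude > 7",
    "stacked": "SELECT sourceip FROM events LAST 1 HOURS; DROP TABLE events",
    "bad_table": "SELECT sourceip FROM offenses LAST 1 HOURS",
    "unbalanced": "SELECT username FROM events WHERE username = 'alice LAST 1 HOURS",
}


def screen_candidates(candidates=CANDIDATES):
    """Map each candidate name to whether it passed the syntax constraint."""
    return {name: validate_aql(q)[0] for name, q in candidates.items()}


if __name__ == "__main__":
    for name, q in CANDIDATES.items():
        print(f"{name:11s} {validate_aql(q)}")
```

Only the candidate that passes would be handed to the SIEM; the rejection reason can be fed back to the generator as a repair hint.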
Key facts
- Framework integrates ensemble detection, query generation, and resolution support.
- Ensemble of three LLMs achieves 82.8% accuracy and 0.120 false positive rate.
- SQM architecture generates queries for IBM QRadar and Google SecOps.
- Automates evidence collection by generating queries under platform-specific syntax constraints.
- Addresses mounting SOC challenges from threat volumes and heterogeneous SIEMs.
- Uses retrieval-augmented resolution support.
- Combines traditional ML classifiers and LLMs in detection module.
- Published on arXiv with ID 2604.27321.
Entities
Institutions
- IBM
- arXiv