Towards Agentic Investigation of Security Alerts
Even Eilertsen, Vasileios Mavroeidis, Gudmund Grov

TL;DR
This paper introduces an agentic workflow using large language models to automate initial security alert investigations, improving accuracy and reducing manual effort.
Contribution
It presents a novel LLM-augmented workflow that automates alert investigation stages by integrating structured queries and evidence extraction.
Findings
The LLM workflow achieves higher accuracy than standalone LLM verdicts.
The approach effectively integrates multiple log sources for investigation.
It reduces manual workload by automating initial alert analysis.
Abstract
Security analysts are overwhelmed by the volume of alerts and the low context provided by many detection systems. Early-stage investigations typically require manual correlation across multiple log sources, a task that is usually time-consuming. In this paper, we present an experimental, agentic workflow that leverages large language models (LLMs) augmented with predefined queries and constrained tool access (structured SQL over Suricata logs and grep-based text search) to automate the first stages of alert investigation. The proposed workflow integrates queries that provide an overview of the available data, and LLM components that select which queries to use based on the overview results, extract raw evidence from the query results, and deliver a final verdict on the alert. Our results demonstrate that the LLM-powered workflow can investigate log sources, plan an investigation, and…
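The "predefined queries and constrained tool access" pattern in the abstract, as an added example that is not the paper's code: the model may only trigger named, parameterised SQL queries over Suricata eve.json records loaded into SQLite, never free-form SQL. The eve.json records are constructed, and the query-selection step is rule-based here in place of the paper's LLM component.

```python
import json
import sqlite3

# Constructed Suricata eve.json records (not taken from the paper).
EVE_LINES = [
    '{"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.9","alert":{"signature":"ET POLICY Suspicious Outbound","severity":2}}',
    '{"event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.1","dns":{"rrname":"example.invalid","type":"query"}}',
    '{"event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.9","flow":{"bytes_toserver":5120,"bytes_toclient":240}}',
    '{"event_type":"flow","src_ip":"10.0.0.7","dest_ip":"198.51.100.2","flow":{"bytes_toserver":90,"bytes_toclient":3000}}',
]

# Allow-list of predefined, parameterised queries: the only SQL the model can trigger.
QUERIES = {
    "overview": "SELECT event_type, COUNT(*) FROM events GROUP BY event_type ORDER BY event_type",
    "alerts_for_host": "SELECT signature, dest_ip FROM events WHERE event_type='alert' AND src_ip=?",
    "dns_for_host": "SELECT rrname FROM events WHERE event_type='dns' AND src_ip=?",
    "flows_for_host": "SELECT dest_ip, bytes_toserver FROM events WHERE event_type='flow' AND src_ip=?",
}
# Which overview event type each follow-up query depends on.
FOLLOWUPS = {"alerts_for_host": "alert", "dns_for_host": "dns", "flows_for_host": "flow"}

def load_events(lines):
    """Flatten eve.json records into one SQLite table (in memory, for the example)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE events(event_type, src_ip, dest_ip, signature, rrname, bytes_toserver)")
    for line in lines:
        e = json.loads(line)
        db.execute("INSERT INTO events VALUES (?,?,?,?,?,?)", (
            e["event_type"], e["src_ip"], e["dest_ip"],
            e.get("alert", {}).get("signature"),
            e.get("dns", {}).get("rrname"),
            e.get("flow", {}).get("bytes_toserver")))
    return db

def run_query(db, name, params=()):
    """Tool boundary: only named queries run; anything else from the model is refused."""
    if name not in QUERIES:
        raise ValueError(f"query not allowed: {name}")
    return db.execute(QUERIES[name], params).fetchall()

def investigate(lines, host):
    """Overview -> follow-up query selection -> raw evidence for the analyst/LLM verdict.
    Selection is rule-based here (hypothetical stand-in for the paper's LLM step)."""
    db = load_events(lines)
    overview = dict(run_query(db, "overview"))
    evidence = {}
    for name, event_type in FOLLOWUPS.items():
        if overview.get(event_type, 0) > 0:   # only query log sources that hold data
            evidence[name] = run_query(db, name, (host,))
    return overview, evidence
```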
