Using LLMs to Automate Threat Intelligence Analysis Workflows in Security Operation Centers
PeiYu Tseng, ZihDwo Yeh, Xushu Dai, Peng Liu
TL;DR
Security Operations Centers rely on SIEMs, but modern SIEMs cannot automate the analysis of natural-language CTI reports. The paper presents an LLM-based AI agent that automates IOC extraction, RegEx generation for SIEM rules, and relationship graph construction without human intervention. The approach combines per-paragraph IOC extraction, majority voting with retrieval-augmented filtering, capture-group discrimination for RegEx, RegEx validation, and relationship verification to produce a structured graph of CTI artifacts. The evaluation suggests the agent can substantially automate CTI analysis workflows and reduce SOC workload, potentially shortening incident response times.
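The pipeline stages named above (per-paragraph extraction, majority voting with a grounding filter, capture-group checking and RegEx validation, relationship verification into a graph) as an added illustration, not the paper's own code: the LLM runs are replaced by constructed candidate sets, and the grounding filter and relationship check are simplified to verbatim presence in the source paragraph.

```python
import re
from itertools import combinations
from collections import Counter

# Constructed CTI paragraph and hash (sample data, not from the paper).
HASH = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
PARAGRAPH = (f"The loader contacts evil-c2.example over port 443 and drops "
             f"payload.dll with SHA-256 {HASH}.")

# Constructed outputs of three independent extraction runs over the paragraph:
# run 2 adds a domain absent from the text (hallucination), run 3 misses the hash.
RUNS = [
    {"evil-c2.example", "payload.dll", HASH},
    {"evil-c2.example", "payload.dll", "update.example", HASH},
    {"evil-c2.example", "payload.dll"},
]

def majority_vote(runs, paragraph, threshold=2):
    """Keep candidates named by >= threshold runs that also occur verbatim in
    the paragraph (stand-in for the retrieval-augmented filter)."""
    votes = Counter(ioc for run in runs for ioc in run)
    return sorted(ioc for ioc, n in votes.items()
                  if n >= threshold and ioc in paragraph)

def validate_regex(pattern, paragraph, expected):
    """Accept a generated RegEx only if it compiles, has exactly one capture
    group, and that group yields the expected IOC from the source text."""
    try:
        rx = re.compile(pattern)
    except re.error:
        return False
    if rx.groups != 1:          # capture-group discrimination
        return False
    m = rx.search(paragraph)
    return m is not None and m.group(1) == expected

def verify_relation(src, dst, paragraph):
    """Simplified relationship check: both artifacts appear in the paragraph."""
    return src in paragraph and dst in paragraph

def build_graph(iocs, paragraph, paragraph_id="p1"):
    """Edges: each IOC to its paragraph, plus verified IOC co-occurrences."""
    edges = [(ioc, "mentioned_in", paragraph_id) for ioc in iocs]
    for a, b in combinations(iocs, 2):
        if verify_relation(a, b, paragraph):
            edges.append((a, "co_occurs_with", b))
    return edges

if __name__ == "__main__":
    print(build_graph(majority_vote(RUNS, PARAGRAPH), PARAGRAPH))
```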
Abstract
SIEM systems are prevalent and play a critical role in a variety of analyst workflows in Security Operation Centers. However, modern SIEMs face a big challenge: they still cannot relieve analysts from the repetitive tasks involved in analyzing CTI (Cyber Threat Intelligence) reports written in natural language. This project aims to develop an AI agent that takes over the labor-intensive, repetitive tasks involved in analyzing CTI reports. The agent exploits the revolutionary capabilities of LLMs (e.g., GPT-4), but it does not require any human intervention.
