Security analysts are overwhelmed by the volume of alerts and the low context provided by many detection systems. Early-stage investigations typically require manual correlation across multiple log sources, a task that is usually time-consuming. In this paper, we present an experimental, agentic workflow that leverages large language models (LLMs) augmented with predefined queries and constrained tool access (structured SQL over Suricata logs and grep-based text search) to automate the first stages of alert investigation. The proposed workflow integrates queries that provide an overview of the available data with LLM components that select which queries to run based on the overview results, extract raw evidence from the query results, and deliver a final verdict on the alert. Our results demonstrate that the LLM-powered workflow can investigate log sources, plan an investigation, and produce a final verdict with significantly higher accuracy than a verdict produced by the same LLM without the proposed workflow. Recognizing the inherent limitations of applying LLMs directly to high-volume, unstructured data, we propose combining the existing investigation practices of real-world analysts with a structured approach that leverages LLMs as virtual security analysts, thereby assisting analysts and reducing their manual workload.
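The structured part of the workflow described above can be illustrated in code. The following is an added example, not the paper's own implementation: Suricata EVE JSON records (constructed sample data, not real traffic) are loaded into SQLite, the agent is offered only a fixed set of named, parameterised queries plus a literal grep-style search, and an overview step feeds a query-selection step. The query names (`overview_by_signature`, `alerts_for_src`, and so on) are assumptions, and the planner that chooses which queries to run is a deterministic stand-in for the LLM component the paper describes.

```python
"""Constrained-tool pattern for LLM-assisted alert triage (added example).

The model may only name a predefined query and supply parameter values;
it never writes SQL. This bounds what a hallucinated or injected
instruction can do to the evidence store.
"""
import json
import re
import sqlite3

# Constructed Suricata EVE JSON records (sample input, not real traffic).
SAMPLE_EVE = [
    {"timestamp": "2024-05-01T10:00:00.000000+0000", "event_type": "alert", "src_ip": "10.0.0.5",
     "dest_ip": "203.0.113.10", "dest_port": 443, "proto": "TCP",
     "alert": {"signature": "ET POLICY Example Outbound TLS", "signature_id": 2000001, "severity": 2}},
    {"timestamp": "2024-05-01T10:00:01.000000+0000", "event_type": "dns", "src_ip": "10.0.0.5",
     "dest_ip": "10.0.0.53", "dest_port": 53, "proto": "UDP",
     "dns": {"type": "query", "rrname": "example-cdn.test", "rrtype": "A"}},
    {"timestamp": "2024-05-01T10:00:02.000000+0000", "event_type": "alert", "src_ip": "10.0.0.7",
     "dest_ip": "198.51.100.20", "dest_port": 80, "proto": "TCP",
     "alert": {"signature": "ET INFO Example HTTP Request", "signature_id": 2000002, "severity": 3}},
    {"timestamp": "2024-05-01T10:00:03.000000+0000", "event_type": "alert", "src_ip": "10.0.0.5",
     "dest_ip": "203.0.113.10", "dest_port": 443, "proto": "TCP",
     "alert": {"signature": "ET POLICY Example Outbound TLS", "signature_id": 2000001, "severity": 2}},
]

# Predefined queries (names are assumptions): fixed SQL plus the parameter names it binds.
PREDEFINED_QUERIES = {
    "overview_by_signature": (
        "SELECT signature, COUNT(*) AS n FROM events WHERE event_type='alert' "
        "GROUP BY signature ORDER BY n DESC", ()),
    "overview_by_src": (
        "SELECT src_ip, COUNT(*) AS n FROM events WHERE event_type='alert' "
        "GROUP BY src_ip ORDER BY n DESC", ()),
    "alerts_for_src": (
        "SELECT timestamp, signature, dest_ip, dest_port FROM events "
        "WHERE event_type='alert' AND src_ip=? ORDER BY timestamp", ("src_ip",)),
    "dns_for_src": (
        "SELECT timestamp, rrname FROM events WHERE event_type='dns' AND src_ip=? "
        "ORDER BY timestamp", ("src_ip",)),
}


def load_eve(records):
    """Flatten nested EVE records into one SQLite table for structured queries."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute(
        "CREATE TABLE events (timestamp TEXT, event_type TEXT, src_ip TEXT, dest_ip TEXT, "
        "dest_port INTEGER, proto TEXT, signature TEXT, severity INTEGER, rrname TEXT)")
    rows = []
    for r in records:
        alert, dns = r.get("alert", {}), r.get("dns", {})
        rows.append((r["timestamp"], r["event_type"], r.get("src_ip"), r.get("dest_ip"),
                     r.get("dest_port"), r.get("proto"), alert.get("signature"),
                     alert.get("severity"), dns.get("rrname")))
    conn.executemany("INSERT INTO events VALUES (?,?,?,?,?,?,?,?,?)", rows)
    return conn


def run_query_tool(conn, name, params=None):
    """Execute a predefined query by name; reject unknown names or parameter sets."""
    params = params or {}
    if name not in PREDEFINED_QUERIES:
        raise ValueError(f"unknown query tool: {name!r}")
    sql, param_names = PREDEFINED_QUERIES[name]
    if set(params) != set(param_names):
        raise ValueError(f"{name} expects exactly the parameters {param_names}")
    cur = conn.execute(sql, tuple(params[p] for p in param_names))
    return [dict(row) for row in cur.fetchall()]


def grep_tool(records, pattern, max_hits=50):
    """grep-style search over raw EVE lines; the pattern is matched literally."""
    needle = re.compile(re.escape(pattern), re.IGNORECASE)
    lines = (json.dumps(r, sort_keys=True) for r in records)
    return [line for line in lines if needle.search(line)][:max_hits]


def investigate(records):
    """Overview -> query selection -> evidence extraction.

    The selection step is a deterministic stand-in for the LLM planner:
    it picks the noisiest source and pulls its alerts and DNS activity.
    """
    conn = load_eve(records)
    overview = {
        "by_signature": run_query_tool(conn, "overview_by_signature"),
        "by_src": run_query_tool(conn, "overview_by_src"),
    }
    top_src = overview["by_src"][0]["src_ip"]
    plan = [("alerts_for_src", {"src_ip": top_src}), ("dns_for_src", {"src_ip": top_src})]
    evidence = {name: run_query_tool(conn, name, p) for name, p in plan}
    evidence["grep_top_src"] = grep_tool(records, top_src)
    return {"overview": overview, "plan": plan, "evidence": evidence}


if __name__ == "__main__":
    print(json.dumps(investigate(SAMPLE_EVE), indent=2))
```

Two points worth noting from the sample run. The literal grep for `10.0.0.5` also matches the DNS record whose destination is `10.0.0.53`, which is why scoping by IP belongs in the parameterised SQL path and the text search serves as a fallback for fields the schema does not flatten. And because the model never emits SQL, a request such as `run_query_tool(conn, "DROP TABLE events")` fails on the allowlist check rather than reaching the database.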