Analisa: An Intelligent Assistant for SOC Threat Hunting

This article introduces the Analisa project, an LLM-integrated system designed specifically for Security Operations Centers (SOCs). It uses natural language processing technology to help threat hunting teams quickly analyze Elasticsearch telemetry data, classify security alerts, and generate investigation playbooks.

Tags: SOC, Threat Hunting, LLM, Security Operations, Elasticsearch, Alert Analysis, Multi-Agent
Published 2026-04-12 00:11 | Recent activity 2026-04-12 00:19 | Estimated read 7 min

Section 01

[Introduction] Analisa: Core Introduction to the Intelligent Assistant for SOC Threat Hunting

This article introduces the Analisa project, an LLM-integrated system developed by the Threat Hunting Division of CyberSecurity Malaysia (MyCERT), designed specifically for Security Operations Centers (SOCs). Using natural language processing technology, it helps threat hunting teams quickly analyze Elasticsearch telemetry data, classify security alerts, and generate investigation playbooks. This addresses the conflict between massive alerts and limited human resources, improving the efficiency of security analysis.


Section 02

[Background] Pain Points in SOC Security Operations

In modern enterprise SOCs, security analysts face the same severe challenge every day: massive volumes of security alerts and limited human resources. A traditional SIEM can collect telemetry from tools such as Endpoint Detection and Response (EDR), but analysts still have to hand-write Elasticsearch queries, read through logs, and correlate events themselves. That process is time-consuming and prone to missing critical threats. Improving analysis efficiency without sacrificing investigation quality is therefore an urgent problem for SOC teams.


Section 03

[Project Overview] Positioning and Goals of Analisa

Analisa is a standalone Large Language Model (LLM)-integrated system built for the daily security operations of a threat hunting team. The project aims to bridge the gap between raw Elasticsearch telemetry and natural language. By introducing LLM capabilities, it lets analysts query complex, high-volume security logs in natural language instead of hand-written query DSL, significantly reducing investigation time.


Section 04

[Technical Architecture] Detailed Explanation of the Multi-Agent Collaboration System

Analisa adopts a multi-agent architecture, breaking down the security investigation process into specialized phases:

  • Manager: creates the initial incident investigation document, pulls information from Elastic to draft a playbook, and builds a validation framework around the EDR data;
  • Analyst: the core instruction layer, which executes the playbook steps and formats the prompts sent to the LLM;
  • ElasticQueryAgent with Lightning: formulates and executes queries from those instructions, emitting the Python code it runs so the exchange between the AI and the database is visible and reviewable;
  • ElasticQueryAgent: converts the raw Python output into human-readable summaries.

Tech stack: the backend is Python on the Django framework; the data layer connects to the SIEM/EDR systems through the Elasticsearch API; the AI engine is a locally deployed LLM (tuned for log parsing and security analysis), so sensitive data never leaves the internal network.

Section 05

[Core Functions and Privacy Compliance] A Complete Closed Loop from Alert to Decision

Core Functions:

  1. Accelerated alert triage: accepts natural language questions, converts them automatically into Elastic queries, and presents the results in a structured form, significantly shortening investigation time;
  2. Automated playbook generation: drafts the investigation document from EDR telemetry, so every investigation follows a consistent and complete set of steps;
  3. Decision recommendations: produces a readable investigation summary and proposes one of three decisions (false positive, confirmed threat, or needs further investigation), leaving the final call with the analyst.

Privacy compliance: the LLM is fully on-premises, so sensitive log data never leaves the internal network, satisfying data protection regulations and Non-Disclosure Agreement (NDA) requirements.
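
The pipeline described in Sections 04 and 05 (instruction, Elastic query, raw output, readable summary with a three-way decision) can be sketched end to end in a few dozen lines. The block below is an added example written for this page; it is not Analisa's code and does not reflect its internal design. It assumes ECS-style field names, a read-only index pattern, and a constructed triage rule (an Office parent process spawning an encoded PowerShell command counts as confirmed), and it replaces the live Elasticsearch API with an in-memory evaluator so it runs offline. The point a practitioner should take from it is the allowlist: whatever the LLM emits is treated as untrusted input, so it is asked for a structured intent that is validated against permitted fields and indices before any query DSL is built, rather than being allowed to write free-form queries against the SIEM.

```python
"""Added example (not Analisa's own code): constrained intent -> Elasticsearch
query DSL -> summary/decision, run offline against constructed EDR telemetry."""
from typing import Any

# Fields the LLM-facing agent may filter on. Anything else is rejected before a
# query is built, let alone sent to the SIEM. (Assumed ECS-style field names.)
ALLOWED_FIELDS = {"host.name", "user.name", "process.name",
                  "process.parent.name", "process.command_line", "event.action"}
ALLOWED_INDEX = "logs-endpoint.events.process-*"  # assumed read-only index pattern

DECISIONS = ("false positive", "confirmed threat", "needs further investigation")
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}  # constructed rule


def build_query(intent: dict[str, Any]) -> dict[str, Any]:
    """Turn a structured intent (the shape the LLM is asked to emit) into query
    DSL. Only allowlisted fields, one index pattern and an explicit time window
    are accepted, so the model cannot widen the search or pivot to other data."""
    if intent.get("index") != ALLOWED_INDEX:
        raise ValueError(f"index not permitted: {intent.get('index')!r}")
    filters = []
    for field, value in intent.get("equals", {}).items():
        if field not in ALLOWED_FIELDS:
            raise ValueError(f"field not permitted: {field!r}")
        filters.append({"term": {field: value}})
    start, end = intent["window"]  # ISO-8601 UTC strings, compared lexically
    filters.append({"range": {"@timestamp": {"gte": start, "lte": end}}})
    return {"size": 100, "query": {"bool": {"filter": filters}}}


def run_query(query: dict[str, Any], docs: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Offline stand-in for the Elasticsearch search API: evaluates exactly the
    DSL subset build_query emits (term + range on @timestamp) over in-memory docs."""
    hits = []
    for doc in docs:
        matched = True
        for clause in query["query"]["bool"]["filter"]:
            if "term" in clause:
                (field, value), = clause["term"].items()
                matched &= doc.get(field) == value
            else:
                rng = clause["range"]["@timestamp"]
                matched &= rng["gte"] <= doc["@timestamp"] <= rng["lte"]
        if matched:
            hits.append(doc)
    return hits[: query["size"]]


def summarize(hits: list[dict[str, Any]]) -> dict[str, Any]:
    """Reduce raw hits to an analyst-facing summary plus one of the three
    decisions. The evidence rule is a constructed illustration, not Analisa's."""
    if not hits:
        return {"decision": DECISIONS[0], "hosts": [], "evidence": []}
    evidence = [h for h in hits
                if h.get("process.parent.name", "").lower() in SUSPICIOUS_PARENTS
                and "-enc" in h.get("process.command_line", "").lower()]
    hosts = sorted({h["host.name"] for h in hits})
    decision = DECISIONS[1] if evidence else DECISIONS[2]
    return {"decision": decision, "hosts": hosts, "evidence": evidence}


# Constructed EDR telemetry standing in for documents in the index above.
TELEMETRY = [
    {"@timestamp": "2026-04-10T09:02:11Z", "host.name": "ws-17", "user.name": "alice",
     "process.name": "powershell.exe", "process.parent.name": "winword.exe",
     "process.command_line": "powershell.exe -nop -w hidden -enc SQBFAFgA",
     "event.action": "start"},
    {"@timestamp": "2026-04-10T09:05:40Z", "host.name": "ws-17", "user.name": "alice",
     "process.name": "powershell.exe", "process.parent.name": "explorer.exe",
     "process.command_line": "powershell.exe Get-Date", "event.action": "start"},
    {"@timestamp": "2026-04-09T22:00:00Z", "host.name": "srv-db1", "user.name": "svc_backup",
     "process.name": "powershell.exe", "process.parent.name": "svchost.exe",
     "process.command_line": "powershell.exe -File backup.ps1", "event.action": "start"},
]


def investigate(intent: dict[str, Any], docs: list[dict[str, Any]] = TELEMETRY) -> dict[str, Any]:
    """One playbook step: validate intent, build and run the query, summarize."""
    return summarize(run_query(build_query(intent), docs))


if __name__ == "__main__":
    intent = {"index": ALLOWED_INDEX,
              "equals": {"host.name": "ws-17", "process.name": "powershell.exe"},
              "window": ["2026-04-10T00:00:00Z", "2026-04-10T23:59:59Z"]}
    print(investigate(intent))
```

In a real deployment `run_query` would be the Elasticsearch client call and the intent would come from the model; keeping the allowlist and the time-window requirement in `build_query` is what stops a hallucinated or prompt-injected instruction from turning into an unbounded or cross-index search.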

Section 06

[Practical Significance and Future Outlook] The Direction of AI-Assisted Security Operations

Analisa represents a typical application paradigm of LLM in the field of security operations: it does not replace human analysts but acts as an intelligent assistant to enhance their capabilities. By automating repetitive tasks, providing a structured analysis framework, and generating auditable records, Analisa allows analysts to focus on complex threats that truly require human judgment. In the future, as LLM capabilities improve, more AI-assisted security tools will drive SOCs toward intelligence and automation.