Agent-driven Automated Investigation of Security Alerts: Empowering Large Language Models as Virtual Security Analysts

This article introduces an agent workflow based on large language models (LLMs), which automates the initial investigation of security alerts through structured queries and restricted tool access, significantly improving investigation accuracy and reducing the manual workload of security analysts.

Tags: Security Operations, Agent Workflow, Large Language Models, Alert Investigation, Automated Security Analysis, LLM Applications, Cybersecurity, Suricata, Human-Machine Collaboration
Published 2026-04-29 00:52 | Recent activity 2026-04-29 11:17 | Estimated read 6 min

Section 01

Introduction: Core Overview of Agent-driven Automated Investigation of Security Alerts

This article proposes an agent workflow based on large language models (LLMs) that automates the initial investigation of security alerts through structured queries and restricted tool access. It aims to address the alert fatigue issue in enterprise Security Operations Centers (SOCs), significantly improving investigation accuracy and reducing the manual workload of analysts. The core idea is to combine the investigation practices of real analysts with structured methods, enabling LLMs to act as virtual security analysts rather than replacing the entire investigation process.

Section 02

Background: The Alert Flood Dilemma Faced by SOC Analysts

In modern enterprise SOCs, analysts must handle massive volumes of security alerts every day: a medium-sized enterprise receives thousands to tens of thousands of alerts per day, yet only a few can be investigated thoroughly. Traditional detection systems emit low-context alerts (e.g., "suspicious IP access"), so analysts must manually correlate multi-source information such as firewall logs, EDR data, and network traffic. A single initial investigation takes tens of minutes to hours, which leads to alert fatigue and missed critical threats.

Section 03

Core Insight: Reasons for Poor Direct LLM Application and Solutions

Applying LLMs directly to raw logs has three major problems: the data volume (GB to TB) makes direct processing uneconomical; log formats are diverse and noisy, so little value can be extracted; and security investigations require systematic reasoning rather than simple matching. The study's core concept is to combine real analysts' practices with structured methods so that LLMs act as virtual analysts instead of replacing the process.

Section 04

Technical Solution: Hierarchical Agent Workflow Architecture

A three-layer architecture is adopted to balance automation and controllability:

  1. Data Overview and Query Planning: LLMs generate predefined overview queries (e.g., "external communication IPs in the past 24 hours") and intelligently select relevant subsets to reduce data processing volume;
  2. Structured Evidence Extraction: Obtain precise evidence through restricted tool access (SQL queries for Suricata logs, grep searches for unstructured logs) to ensure security and efficiency;
  3. Comprehensive Judgment: LLMs integrate evidence to generate final decisions with reasoning processes and evidence chains, facilitating human review.
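The three layers above, as an added example that is not from the paper or the forum post: a Python sketch that loads constructed Suricata EVE JSON records into SQLite, exposes only whitelisted, parameterised query templates to the agent (layer 2's restricted tool access), and returns a verdict that carries its evidence chain. The layer 3 judgment is a fixed rule standing in for the LLM; the template names, table layout and sample records are assumptions.

```python
import json
import sqlite3

# Constructed Suricata EVE JSON records (not real traffic); 10.0.0.0/8 is internal here.
SAMPLE_EVE = """\
{"timestamp":"2026-04-28T09:00:01","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.7","dest_port":443}
{"timestamp":"2026-04-28T09:00:05","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"203.0.113.7","dest_port":443}
{"timestamp":"2026-04-28T09:00:09","event_type":"flow","src_ip":"10.0.0.8","dest_ip":"198.51.100.2","dest_port":80}
{"timestamp":"2026-04-28T09:01:00","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.7","dest_port":443,"alert":{"signature":"ET POLICY Suspicious outbound"}}
{"timestamp":"2026-04-28T09:02:00","event_type":"flow","src_ip":"10.0.0.9","dest_ip":"10.0.0.1","dest_port":53}
"""

# Layer 1: predefined overview/evidence templates (assumed names). The agent may only
# choose a template name and bind parameters; it never submits free-form SQL.
QUERY_TEMPLATES = {
    "external_dest_ips": "SELECT dest_ip, COUNT(*) FROM events WHERE event_type='flow' "
                         "AND dest_ip NOT LIKE '10.%' GROUP BY dest_ip ORDER BY 2 DESC",
    "alerts_for_ip": "SELECT timestamp, signature, src_ip, dest_ip FROM events "
                     "WHERE event_type='alert' AND (src_ip=? OR dest_ip=?)",
}

def load_eve(eve_lines):
    """Load EVE JSON lines into an in-memory SQLite table that the tools can query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (timestamp, event_type, src_ip, dest_ip, dest_port, signature)")
    for line in filter(str.strip, eve_lines.splitlines()):
        ev = json.loads(line)
        conn.execute("INSERT INTO events VALUES (?,?,?,?,?,?)", (ev["timestamp"], ev["event_type"],
                     ev.get("src_ip"), ev.get("dest_ip"), ev.get("dest_port"), ev.get("alert", {}).get("signature")))
    return conn

def run_query(conn, name, params=()):
    """Layer 2: restricted tool access. Unknown templates are refused; params are bound, never interpolated."""
    if name not in QUERY_TEMPLATES:
        raise ValueError(f"query '{name}' is not an allowed template")
    rows = conn.execute(QUERY_TEMPLATES[name], params).fetchall()
    return {"query": name, "params": list(params), "rows": rows}

def investigate(conn, alert_ip):
    """Run the three layers for one alerted IP; return the verdict with reasoning and evidence chain."""
    overview = run_query(conn, "external_dest_ips")
    alerts = run_query(conn, "alerts_for_ip", (alert_ip, alert_ip))
    # Layer 3 stand-in: a fixed rule replaces the LLM, but the reviewable output shape is the same.
    external = [row[0] for row in overview["rows"]]
    if alerts["rows"] and alert_ip in external:
        verdict, reason = "escalate", f"{len(alerts['rows'])} alert(s) involve {alert_ip}, an external destination"
    else:
        verdict, reason = "close", f"no alert evidence tied to {alert_ip}"
    return {"verdict": verdict, "reason": reason, "evidence": [overview, alerts]}
```

Each returned record keeps the exact template and parameters behind every row, so a reviewer can replay the evidence chain rather than trust the verdict text.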

Section 05

Experimental Validation: Accuracy Advantages of the Agent Workflow

Experiments used real Suricata logs to simulate scenarios, with the following comparison results:

  • Direct use of LLMs has low accuracy, proving the need for structured processes;
  • The complete workflow has significantly higher accuracy across multiple scenarios, with more obvious advantages in complex reasoning scenarios;
  • Decisions include clear evidence chains, strong interpretability, and are easy to gain analysts' trust.

Section 06

Practical Insights: The Future of Human-Machine Collaborative Security Operations

Three key insights:

  1. LLMs are assistants rather than panaceas; they can handle repetitive initial investigations, allowing analysts to focus on high-value tasks;
  2. Structured methods are crucial: designing query interfaces and processes improves accuracy and controllability;
  3. Interpretability is the foundation of trust; security decisions require clear reasoning bases.

Section 07

Limitations and Future Research Directions

Limitations: The experiments are based only on Suricata logs and still need to be adapted to Windows event logs, cloud audit logs, and similar sources; query templates must be maintained per scenario, which adds ongoing effort. Future directions: expand the supported log types and interfaces; explore having LLMs automatically generate and optimize query templates; integrate with Security Orchestration, Automation, and Response (SOAR) platforms.

Section 08

Conclusion: A Pragmatic Paradigm for AI-Assisted Security Operations

This study demonstrates a pragmatic AI application: through structured workflow design, AI becomes a capable assistant to human analysts. The agent-driven automation method has shown potential in alert investigation, and future SOCs are expected to achieve more efficient and accurate threat detection and response.