
Towards Agentic Investigation of Security Alerts

Source: arXiv Security. Category: AI & Machine Learning. Archived Apr 29, 2026.


Computer Science > Cryptography and Security
[Submitted on 28 Apr 2026]

Authors: Even Eilertsen, Vasileios Mavroeidis, Gudmund Grov

Abstract: Security analysts are overwhelmed by the volume of alerts and the low context provided by many detection systems. Early-stage investigations typically require manual correlation across multiple log sources, a task that is usually time-consuming. In this paper, we present an experimental, agentic workflow that leverages large language models (LLMs) augmented with predefined queries and constrained tool access (structured SQL over Suricata logs and grep-based text search) to automate the first stages of alert investigation. The proposed workflow integrates queries that provide an overview of the available data, and LLM components that select which queries to use based on the overview results, extract raw evidence from the query results, and deliver a final verdict on the alert. Our results demonstrate that the LLM-powered workflow can investigate log sources, plan an investigation, and produce a final verdict with significantly higher accuracy than a verdict produced by the same LLM without the proposed workflow. Recognizing the inherent limitations of directly applying LLMs to high-volume and unstructured data, we propose combining the existing investigation practices of real-world analysts with a structured approach that uses LLMs as virtual security analysts, thereby assisting analysts and reducing their manual workload.

Comments: 10 pages, 3 figures, 4 tables. Accepted at the 2025 IEEE International Conference on Big Data (BigData)
Subjects: Cryptography and Security (cs.CR); Artificial Intelligence (cs.AI)
ACM classes: I.2.7; K.6.5; D.4.6
Cite as: arXiv:2604.25846 [cs.CR] (or arXiv:2604.25846v1 [cs.CR] for this version), https://doi.org/10.48550/arXiv.2604.25846
Journal reference: Proc. 2025 IEEE Int. Conf. on Big Data (BigData), 2025
Related DOI: https://doi.org/10.1109/BigData66926.2025.11402161
Submission history: [v1] Tue, 28 Apr 2026 16:52:12 UTC (194 KB), from Even Eilertsen
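The constrained tool layer the abstract describes, as an added example that is not code from the paper or its authors: a small Python pipeline that loads constructed Suricata EVE-JSON alert lines into an in-memory SQLite table, exposes only a catalog of predefined parameterized SQL queries plus a capped regex search (the grep-based tool), and then runs the overview, query selection, evidence extraction and verdict sequence. The query names, the sample events and signature names, and the rule-based selection and verdict logic are assumptions of this example; the rules stand in for the paper's LLM components so that the tool boundary, which is what keeps a model from running arbitrary SQL, can be exercised offline.

```python
import json
import re
import sqlite3

# Constructed Suricata EVE-JSON lines (sample data for this example; not from the paper
# or any real sensor). The signature names are deliberately marked as constructed.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2026-04-28T10:00:01.000000+0000","flow_id":1,"event_type":"alert",'
    '"src_ip":"10.0.0.5","src_port":51234,"dest_ip":"203.0.113.7","dest_port":4444,'
    '"proto":"TCP","alert":{"signature":"CONSTRUCTED Outbound TCP/4444","severity":1}}',
    '{"timestamp":"2026-04-28T10:05:01.000000+0000","flow_id":2,"event_type":"alert",'
    '"src_ip":"10.0.0.5","src_port":51235,"dest_ip":"203.0.113.7","dest_port":4444,'
    '"proto":"TCP","alert":{"signature":"CONSTRUCTED Outbound TCP/4444","severity":1}}',
    '{"timestamp":"2026-04-28T10:07:30.000000+0000","flow_id":3,"event_type":"alert",'
    '"src_ip":"10.0.0.9","src_port":40000,"dest_ip":"198.51.100.2","dest_port":80,'
    '"proto":"TCP","alert":{"signature":"CONSTRUCTED Scripted HTTP client","severity":3}}',
    '{"timestamp":"2026-04-28T10:07:31.000000+0000","flow_id":4,"event_type":"flow",'
    '"src_ip":"10.0.0.9","src_port":40001,"dest_ip":"198.51.100.2","dest_port":80,"proto":"TCP"}',
]


def load_eve_into_sqlite(lines):
    """Load only alert events into an in-memory SQLite table (structured SQL tool backend)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE alerts (ts TEXT, flow_id INTEGER, src_ip TEXT, src_port INTEGER, "
        "dest_ip TEXT, dest_port INTEGER, proto TEXT, signature TEXT, severity INTEGER)"
    )
    for line in lines:
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue  # flow/dns/http records stay raw and are reachable via grep_text only
        conn.execute(
            "INSERT INTO alerts VALUES (?,?,?,?,?,?,?,?,?)",
            (ev["timestamp"], ev["flow_id"], ev["src_ip"], ev["src_port"], ev["dest_ip"],
             ev["dest_port"], ev["proto"], ev["alert"]["signature"], ev["alert"]["severity"]),
        )
    conn.commit()
    return conn


# Predefined query catalog (assumed names): the ONLY SQL the investigation may execute.
# Each entry is (sql, parameter names); values are bound, never interpolated.
QUERY_CATALOG = {
    "overview": (
        "SELECT signature, COUNT(*) AS n FROM alerts GROUP BY signature ORDER BY n DESC, signature",
        (),
    ),
    "alerts_from_host": (
        "SELECT ts, dest_ip, dest_port, signature, severity FROM alerts WHERE src_ip = ? ORDER BY ts",
        ("src_ip",),
    ),
    "peers_of_host": (
        "SELECT dest_ip, dest_port, COUNT(*) AS n FROM alerts WHERE src_ip = ? "
        "GROUP BY dest_ip, dest_port ORDER BY n DESC",
        ("src_ip",),
    ),
}


def run_query(conn, name, **params):
    """Run a catalog query by name; reject unknown names or unexpected parameters."""
    if name not in QUERY_CATALOG:
        raise ValueError(f"unknown query {name!r}: only catalog queries may run")
    sql, param_names = QUERY_CATALOG[name]
    if set(params) != set(param_names):
        raise ValueError(f"query {name!r} expects exactly parameters {param_names}")
    cur = conn.execute(sql, tuple(params[p] for p in param_names))
    cols = [d[0] for d in cur.description]
    return [dict(zip(cols, row)) for row in cur.fetchall()]


def grep_text(lines, pattern, max_hits=20):
    """Grep-style tool: regex search over raw log lines with a hard cap on returned hits."""
    rx = re.compile(pattern)
    return [line for line in lines if rx.search(line)][:max_hits]


def investigate(conn, raw_lines, src_ip):
    """Overview -> query selection -> evidence extraction -> verdict for one source host.
    Selection and verdict use fixed rules here as a stand-in for the paper's LLM components."""
    overview = run_query(conn, "overview")
    # Rule-based planner (assumption): always pull the host's alerts; also pull its
    # peer summary when more than one signature is present in the overview.
    plan = ["alerts_from_host"] + (["peers_of_host"] if len(overview) > 1 else [])
    results = {q: run_query(conn, q, src_ip=src_ip) for q in plan}
    evidence = results["alerts_from_host"]
    raw_hits = grep_text(raw_lines, rf'"src_ip":"{re.escape(src_ip)}"')
    # Suricata severity 1 is the highest; the verdict rule is this example's assumption.
    if any(e["severity"] == 1 for e in evidence):
        verdict = "escalate"
    else:
        verdict = "review" if evidence else "no alerts"
    return {"overview": overview, "plan": plan, "evidence": evidence,
            "peers": results.get("peers_of_host", []), "raw_hits": raw_hits, "verdict": verdict}


if __name__ == "__main__":
    db = load_eve_into_sqlite(SAMPLE_EVE_LINES)
    print(json.dumps(investigate(db, SAMPLE_EVE_LINES, "10.0.0.5"), indent=2))
```

The point to notice is that `run_query` never accepts SQL text from the caller, so a planner (rule-based here, a model in the paper's setting) can only choose among vetted queries and supply bound parameters, and `grep_text` caps what it returns so unstructured output cannot flood the next step.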