LLM-Assisted Log Analysis

Every SIEM and log management platform uses a different query language, and fluency in any one of them takes significant time to develop. Kusto Query Language (KQL), used in Microsoft Sentinel, is a capable and expressive language with a syntax that rewards investment but penalizes unfamiliarity. Splunk's Search Processing Language (SPL) is similarly powerful and similarly opaque to those new to it. Elastic uses a Lucene-based syntax. A SOC that uses multiple platforms requires analysts who can switch between these languages, or accepts that certain team members can only effectively work in certain tools.

LLM query translation addresses the access problem without requiring analysts to achieve full fluency in every syntax. The analyst describes what they want to know: "find all instances where a service account authenticated to a domain controller outside business hours in the last 30 days, and show me the source IP addresses." The LLM generates the query in the appropriate syntax, including joins, time-range filters, and aggregation logic that would take a non-expert significant time to construct correctly. The analyst can review the generated query before running it, which is important because LLMs do occasionally make mistakes in complex query construction.

The review step is not optional. An LLM-generated query that silently returns incomplete results because a field name is wrong, or that runs successfully but answers a slightly different question than the analyst intended, produces a false sense of investigative completeness. Training analysts to verify generated queries against expected result shapes, and to be suspicious of unusually clean results, is part of responsible LLM-assisted investigation practice.

The most time-consuming part of many log investigations is not the querying. It is reading the output. A query that returns 50,000 log lines cannot be read sequentially. The analyst samples, searches for specific patterns, and assembles a mental model of what happened. This is slow, relies heavily on individual skill, and is prone to missing connections between events that occurred at different times or in different parts of the log.

LLM summarization changes this. After running a query, the analyst provides the output to the LLM and asks it to summarize what happened. The LLM reads the full output, identifies the most significant events, constructs a narrative that explains the sequence of actions, and flags anything that looks unusual or that matches known attack patterns. The analyst receives a paragraph or a structured report rather than 50,000 lines of raw data.

The quality of this summarization depends heavily on the LLM's cybersecurity domain knowledge and on the quality of the prompt. A generic summarization request produces a generic summary. A request that specifies "summarize this authentication log output in the context of a possible credential-based lateral movement investigation, identifying any sequences that might indicate pivoting between accounts or systems" produces a much more targeted analysis. Learning to write effective investigation prompts is itself a skill, but it is a skill that transfers across tools and environments in a way that learning a specific query language does not.

Standard LLMs have context window limits that make direct analysis of large log datasets impossible. A modern enterprise SIEM ingests billions of events per month; no LLM context window can hold that. RAG is the technical architecture that makes LLM-assisted log analysis work at operational scale.

The process has two components. The retrieval component preprocesses the log data: events are converted into numerical vector embeddings and stored in a vector database. When a query arrives, the query is also converted into a vector embedding and matched against the stored event embeddings. The most semantically relevant log excerpts are retrieved. The generation component receives those relevant excerpts as context and uses them to generate a response.

This architecture has important security implications. If the organization's log data is processed externally through a commercial LLM API, the logs themselves may leave the organization's security boundary. For environments with strict data residency or classification requirements, locally hosted LLMs, as demonstrated by Wazuh's integration with locally running Ollama models, are the appropriate architecture. The model runs on infrastructure the organization controls, the log data never leaves the environment, and the LLM's responses are grounded in organizational context rather than generic training data.

LLM-assisted log analysis becomes significantly more powerful when the LLM has access to threat intelligence context alongside the log data. When an IP address appears in a log that is also listed in a threat intelligence feed as associated with a known threat actor, the LLM can incorporate that context directly into its analysis rather than requiring the analyst to cross-reference separately. When a sequence of events matches the pattern of a specific MITRE ATT&CK technique, the LLM can label it accordingly, which connects the observed activity to the broader body of knowledge about that technique's detection, mitigation, and common variations.

MITRE ATT&CK is particularly important here because it provides a shared vocabulary for describing adversary behavior that spans tools, organizations, and roles. An LLM that can map observed log events to ATT&CK techniques is translating raw technical data into a framework that both technical and non-technical stakeholders can reason about. "The logs show Technique T1078 (Valid Accounts) followed by T1021 (Remote Services)" is a statement that an executive can understand in terms of business risk, not just a sequence of authentication events that only an analyst can interpret.

Microsoft Copilot for Security, Elastic AI Assistant, and similar commercial implementations have invested heavily in this direction, embedding threat intelligence and ATT&CK knowledge into the LLM's context so that log analysis responses automatically include these mappings. The practical effect for the analyst is a significant reduction in the number of separate lookup steps required in a typical investigation.

LLM-assisted log analysis tools are powerful but they are tools, not oracles. Several operational habits separate effective use from ineffective use. Verifying generated queries before relying on their results is the most critical. Treating LLM summaries as starting points for investigation rather than conclusions is the second. An LLM that summarizes 50,000 log lines will produce a useful narrative, but it may miss context that is obvious to an analyst who knows the environment, may weight the significance of events incorrectly, and may omit details that are relevant given organizational knowledge the LLM does not have.

The best implementations treat the LLM as a highly capable junior analyst. It can gather information quickly, summarize what it found, and flag patterns worth investigating. It needs the senior analyst's judgment to decide what those patterns mean, whether the investigation is complete, and what actions to take. This is a useful mental model precisely because it sets appropriate expectations: the LLM accelerates the work without being expected to replace the expertise that interprets it.

Log retention and indexing quality determine how useful LLM-assisted analysis can be. An LLM cannot find events that are not logged, and it cannot reason about log data that was not indexed at sufficient granularity. Organizations that invest in comprehensive, high-fidelity logging across their full environment get dramatically more value from AI-assisted analysis than those with sparse or inconsistent log coverage.