🤖 AI Summary
This work addresses the scarcity of production-grade Security Operations Center (SOC) logs for research due to stringent privacy constraints, which has led prior studies to rely on synthetic or outdated data. To bridge this gap, the authors propose a methodology that, for the first time, transforms real-world financial-sector SIEM logs into reusable research artifacts while adhering to strict privacy boundaries. The approach preserves investigation-relevant structures through structured anonymization, mapping to the MITRE ATT&CK framework, deterministic validation, and large language model (LLM)-based behavioral compliance checks. The resulting artifact comprises 37 HIKARI challenges suitable for effective model training and demonstrates its utility by accurately identifying LLM policy violations across 200 SOCpilot incidents, thereby validating its balanced trade-off between privacy preservation and analytical fidelity.
📝 Abstract
Operational evidence is not automatically scientific evidence. The most realistic Security Operations Center (SOC) data is production telemetry, yet it remains scientifically inaccessible because raw logs cannot be released; as a result, research relies on synthetic or dated datasets. We treat the boundary between private production telemetry and reusable research artifacts as the design object: a methodology that extracts, anonymizes, structures, and validates Security Information and Event Management (SIEM) data from a production financial SOC while preserving task-relevant investigative structure within a declared privacy boundary. Two consumers stress the same artifact. As training material, it fails loudly: 37 MITRE ATT&CK-mapped HIKARI challenges work only when anonymization preserves temporal order and entity consistency. As a measurement substrate, it fails quietly: across 200 SOCpilot incidents, a deterministic verifier detects non-compliant Large Language Model (LLM) actions that are absent from the human baseline. The result is a measurable privacy-utility boundary rather than a formal anonymity claim.