From Production SIEM to Reusable Cybersecurity Artifacts

📅 2026-06-19
📈 Citations: 0
Influential: 0
📄 PDF
🤖 AI Summary
This work addresses the scarcity of production-grade Security Operations Center (SOC) logs for research due to stringent privacy constraints, which has led prior studies to rely on synthetic or outdated data. To bridge this gap, the authors propose a methodology that, for the first time, transforms real-world financial-sector SIEM logs into reusable research artifacts while adhering to strict privacy boundaries. The approach preserves investigation-relevant structures through structured anonymization, mapping to the MITRE ATT&CK framework, deterministic validation, and large language model (LLM)-based behavioral compliance checks. The resulting artifact comprises 37 HIKARI challenges suitable for effective model training and demonstrates its utility by accurately identifying LLM policy violations across 200 SOCpilot incidents, thereby validating its balanced trade-off between privacy preservation and analytical fidelity.
📝 Abstract
Operational evidence is not automatically scientific evidence. The most realistic Security Operations Center (SOC) data is production telemetry, yet it remains scientifically inaccessible because raw logs cannot be released; as a result, research relies on synthetic or dated datasets. We treat the boundary between private production telemetry and reusable research artifacts as the design object: a methodology that extracts, anonymizes, structures, and validates Security Information and Event Management (SIEM) data from a production financial SOC while preserving task-relevant investigative structure within a declared privacy boundary. Two consumers stress the same artifact. As training material, it fails loudly: 37 MITRE ATT&CK-mapped HIKARI challenges work only when anonymization preserves temporal order and entity consistency. As a measurement substrate, it fails quietly: across 200 SOCpilot incidents, a deterministic verifier detects non-compliant Large Language Model (LLM) actions that are absent from the human baseline. The result is a measurable privacy-utility boundary rather than a formal anonymity claim.
Problem

Research questions and friction points this paper is trying to address.

SIEM
privacy-preserving
cybersecurity artifacts
Security Operations Center
data anonymization
Innovation

Methods, ideas, or system contributions that make the work stand out.

SIEM anonymization
privacy-utility tradeoff
cybersecurity artifacts
SOC telemetry
LLM evaluation
🔎 Similar Papers
No similar papers found.
S
Sidnei Barbieri
Computer Science Division, Aeronautics Institute of Technology (ITA), São José dos Campos/SP - Brazil
L
Leonardo Vaz de Meneses
Computer Science Division, Aeronautics Institute of Technology (ITA), São José dos Campos/SP - Brazil
Á
Ágney Lopes Roth Ferraz
Computer Science Division, Aeronautics Institute of Technology (ITA), São José dos Campos/SP - Brazil
W
Wagner Comin Sonaglio
Computer Science Division, Aeronautics Institute of Technology (ITA), São José dos Campos/SP - Brazil
Lourenço Alves Pereira Júnior
Lourenço Alves Pereira Júnior
Aeronautics Institute of Technology - ITA, Brazil
CybersecurityAI/ML5G/6GMobile SystemsInternet of Things