🤖 AI Summary
Existing cyber threat intelligence (CTI) approaches struggle to identify malicious events accurately and interpretably from unstructured, ambiguous system logs. This paper proposes an ontology-driven, large language model (LLM)-enhanced method that tightly integrates a cybersecurity domain ontology with an LLM and introduces a SHACL-constraint-guided structured output mechanism, enabling end-to-end transformation of raw logs into semantically enriched knowledge graphs. The approach significantly improves accuracy and interpretability in entity recognition, relation extraction, and event attribution. Experiments on public datasets demonstrate an average 18.7% improvement in F1-score over prompt-engineering-only baselines, with outputs strictly adhering to domain-specific semantic constraints. The core contribution is the first synergistic integration of ontology modeling, SHACL validation, and LLMs for CTI knowledge extraction, achieving superior precision, robustness, and transparency.
📝 Abstract
Effective Cyber Threat Intelligence (CTI) relies on accurately structured and semantically enriched information extracted from cybersecurity system logs. However, current methodologies often struggle to identify and interpret malicious events reliably and transparently, particularly in cases involving unstructured or ambiguous log entries. In this work, we propose a novel methodology that combines ontology-driven structured outputs with Large Language Models (LLMs) to build an Artificial Intelligence (AI) agent that improves the accuracy and explainability of information extraction from cybersecurity logs. Central to our approach is the integration of domain ontologies and SHACL-based constraints to guide the language model's output structure and to enforce semantic validity over the resulting graph. Extracted information is organized into an ontology-enriched graph database, enabling future semantic analysis and querying. The design of our methodology is motivated by the analytical requirements associated with honeypot log data, which typically comprises predominantly malicious activity. While our case study illustrates the relevance of this scenario, the experimental evaluation is conducted using publicly available datasets. Results demonstrate that our method achieves higher accuracy in information extraction compared to traditional prompt-only approaches, with a deliberate focus on extraction quality rather than processing speed.
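The summary and the abstract both describe the same mechanism: an ontology defines the classes and properties an extracted event may use, SHACL shapes constrain how those terms may be combined, and the LLM's structured output is validated against the shapes before it is accepted into the knowledge graph. The following added example (not code from the paper, and not its ontology or shapes) shows that gating step in a dependency-free, SHACL-like form: a `LoginAttempt` shape with `minCount`/`maxCount`, `class` and `pattern` constraints is checked against two simulated LLM extractions of a constructed honeypot SSH log line, one well-formed and one containing a hallucinated outcome label, a missing target user and a malformed IP address. The `ex:` terms, the shapes, the log line and the extraction dictionaries are all invented for illustration; a production pipeline would use a real SHACL engine such as pySHACL over RDF, which this toy validator only mimics.

```python
"""SHACL-style validation of LLM-extracted log facts before graph insertion.

Constructed example: ontology terms (ex:*), shapes, log line and the two
simulated LLM extractions are all invented for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Triple = Tuple[str, str, str]  # (subject, predicate, object), all as strings


@dataclass
class PropertyShape:
    """Subset of sh:PropertyShape: path, cardinality, class and pattern."""
    path: str
    min_count: int = 0
    max_count: Optional[int] = None
    cls: Optional[str] = None        # sh:class  -> object must be an instance of cls
    pattern: Optional[str] = None    # sh:pattern -> object literal must fully match


@dataclass
class NodeShape:
    """Subset of sh:NodeShape with sh:targetClass."""
    target_class: str
    properties: List[PropertyShape] = field(default_factory=list)


# Hypothetical shapes: what a valid login-attempt event must look like.
SHAPES = [
    NodeShape("ex:LoginAttempt", [
        PropertyShape("ex:sourceIP", min_count=1, max_count=1, cls="ex:IPAddress"),
        PropertyShape("ex:targetUser", min_count=1, max_count=1),
        PropertyShape("ex:outcome", min_count=1, max_count=1, pattern=r"success|failure"),
    ]),
    NodeShape("ex:IPAddress", [
        PropertyShape("ex:value", min_count=1, max_count=1,
                      pattern=r"(\d{1,3}\.){3}\d{1,3}"),
    ]),
]


def instances_of(graph: Set[Triple], cls: str) -> Set[str]:
    """All subjects typed as cls via rdf:type."""
    return {s for s, p, o in graph if p == "rdf:type" and o == cls}


def validate(graph: Set[Triple], shapes: List[NodeShape] = SHAPES) -> List[str]:
    """Return human-readable violations; an empty list means the graph conforms."""
    report: List[str] = []
    for shape in shapes:
        for node in instances_of(graph, shape.target_class):
            for ps in shape.properties:
                values = [o for s, p, o in graph if s == node and p == ps.path]
                if len(values) < ps.min_count:
                    report.append(f"{node} {ps.path}: minCount {ps.min_count} violated ({len(values)})")
                if ps.max_count is not None and len(values) > ps.max_count:
                    report.append(f"{node} {ps.path}: maxCount {ps.max_count} violated ({len(values)})")
                for v in values:
                    if ps.cls and v not in instances_of(graph, ps.cls):
                        report.append(f"{node} {ps.path}: {v} is not an instance of {ps.cls}")
                    if ps.pattern and not re.fullmatch(ps.pattern, v):
                        report.append(f"{node} {ps.path}: value {v!r} does not match pattern")
    return report


def to_graph(extraction: Dict[str, Optional[str]]) -> Set[Triple]:
    """Turn the model's JSON-style output into triples using the ontology terms.

    The output keys deliberately mirror the shapes, which is how the shapes
    guide the prompt/structured-output schema in the first place.
    """
    ev = extraction["event_id"]
    g: Set[Triple] = {(ev, "rdf:type", "ex:LoginAttempt")}
    if extraction.get("source_ip") is not None:
        ip_node = f"{ev}_src"
        g |= {(ev, "ex:sourceIP", ip_node),
              (ip_node, "rdf:type", "ex:IPAddress"),
              (ip_node, "ex:value", extraction["source_ip"])}
    for key, pred in (("target_user", "ex:targetUser"), ("outcome", "ex:outcome")):
        if extraction.get(key) is not None:
            g.add((ev, pred, extraction[key]))
    return g


# Constructed honeypot-style line (documentation IP range) and two simulated
# LLM extractions of it: one faithful, one with typical extraction defects.
LOG_LINE = ("Jan 12 10:04:31 honeypot sshd[2213]: Failed password for root "
            "from 203.0.113.45 port 51022 ssh2")
GOOD_EXTRACTION = {"event_id": "ex:evt1", "source_ip": "203.0.113.45",
                   "target_user": "root", "outcome": "failure"}
BAD_EXTRACTION = {"event_id": "ex:evt2", "source_ip": "203.0.113.45.1",
                  "target_user": None, "outcome": "denied"}


def check(extraction: Dict[str, Optional[str]]) -> List[str]:
    """Validate one extraction; only a conforming result should reach the graph DB."""
    return validate(to_graph(extraction))


if __name__ == "__main__":
    print(LOG_LINE)
    print("good:", check(GOOD_EXTRACTION) or "conforms")
    print("bad: ", check(BAD_EXTRACTION))
```

The point of running the check before insertion is that a model's output can be syntactically valid JSON and still be semantically wrong for the domain (an outcome label the ontology does not define, an IP literal that is not an address, a mandatory relation silently dropped); the shape report gives an interpretable reason for rejecting or re-prompting each such case rather than letting it pollute later queries.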