Towards Agentic Investigation of Security Alerts

📅 2026-04-28
🤖 AI Summary
This work addresses the inefficiencies in security alert investigation caused by overwhelming alert volumes, lack of contextual information, and the manual correlation of multi-source logs. To tackle these challenges, the authors propose an intelligent agent workflow grounded in large language models (LLMs), which emulates real-world analyst reasoning. The approach leverages constrained tool invocations—specifically structured SQL queries over Suricata logs and grep-based text searches—to autonomously conduct initial alert triage, encompassing data summarization, query formulation, evidence extraction, and verdict determination. Innovatively, the LLM is embedded within a controlled collaborative framework that prevents direct exposure to high-noise, unstructured data. Experimental results demonstrate that this workflow significantly improves alert classification accuracy compared to baseline LLM approaches without workflow support, thereby substantially reducing manual investigative burden.
📝 Abstract
Security analysts are overwhelmed by the volume of alerts and the low context provided by many detection systems. Early-stage investigations typically require manual correlation across multiple log sources, a task that is usually time-consuming. In this paper, we present an experimental, agentic workflow that leverages large language models (LLMs) augmented with predefined queries and constrained tool access (structured SQL over Suricata logs and grep-based text search) to automate the first stages of alert investigation. The proposed workflow integrates queries that provide an overview of the available data, and LLM components that select which queries to use based on the overview results, extract raw evidence from the query results, and deliver a final verdict on the alert. Our results demonstrate that the LLM-powered workflow can investigate log sources, plan an investigation, and produce a final verdict with significantly higher accuracy than a verdict produced by the same LLM without the proposed workflow. By recognizing the inherent limitations of directly applying LLMs to high-volume and unstructured data, we propose combining the existing investigation practices of real-world analysts with a structured approach that leverages LLMs as virtual security analysts, thereby assisting analysts and reducing their manual workload.
Problem

Research questions and friction points this paper is trying to address.

security alerts
alert investigation
log correlation
manual analysis
context deficiency
Innovation

Methods, ideas, or system contributions that make the work stand out.

agentic workflow
large language models
automated alert investigation
structured querying
security analytics