RedChronos: A Large Language Model-Based Log Analysis System for Insider Threat Detection in Enterprises

📅 2025-03-04
📈 Citations: 0
Influential: 0
🤖 AI Summary
Enterprise insider threat detection faces significant challenges due to the massive scale of system logs, rendering manual inspection infeasible. This paper introduces RedChronos, an LLM-based automated log analysis framework. Methodologically, it integrates two key innovations: (1) a query-aware weighted voting mechanism to enhance accuracy in multi-LLM collaborative reasoning; and (2) a semantics-driven genetic algorithm that leverages LLM-generated, context-sensitive mutation operators for adaptive log parsing and anomaly scoring. Evaluated on the CERT 4.2/5.2 benchmarks, RedChronos achieves performance on par with or exceeding current state-of-the-art methods. In a real-world SOC deployment at Xiaohongshu, it reduces human verification effort by 90%, markedly improving detection efficiency and scalability.

📝 Abstract
Internal threat detection aims to address security threats within organizations or enterprises by identifying potential or already occurring malicious threats within vast amounts of logs. Although organizations or enterprises have dedicated personnel responsible for reviewing these logs, it is impossible to manually examine all logs entirely. In response to the vast number of logs, we propose a system called RedChronos, which is a Large Language Model-Based Log Analysis System. This system incorporates innovative improvements over previous research by employing Query-Aware Weighted Voting and a Semantic Expansion-based Genetic Algorithm with LLM-driven Mutations. On the public datasets CERT 4.2 and 5.2, RedChronos outperforms or matches existing approaches in terms of accuracy, precision, and detection rate. Moreover, RedChronos reduces the need for manual intervention in security log reviews by 90% in the Xiaohongshu SOC. Therefore, our RedChronos system demonstrates exceptional performance in handling Internal Threat Detection (IDT) tasks, providing innovative solutions for these challenges. We believe that future research can continue to enhance the system's performance in IDT tasks while also reducing the response time to internal risk events.
Problem

Research questions and friction points this paper is trying to address.

Detects insider threats using large language models
Reduces manual log review by 90% in enterprises
Improves accuracy and precision in threat detection
Innovation

Methods, ideas, or system contributions that make the work stand out.

Large Language Model-Based Log Analysis
Query-Aware Weighted Voting Technique
Semantic Expansion-based Genetic Algorithm
Authors

Chenyu Li
Institute of Information Engineering, Chinese Academy of Sciences; School of Cyber Security, University of Chinese Academy of Sciences

Zhengjia Zhu
Xiaohongshu

Jiyan He
University of Science and Technology of China
Machine Learning; AI for Science

Xiu Zhang
Institute of Information Engineering, Chinese Academy of Sciences; School of Cyber Security, University of Chinese Academy of Sciences