Listen to this Post

Introduction:
Security Information and Event Management (SIEM) platforms are drowning in alerts, and marketing decks promise AI will save the day. But outside of basic alert triage, where is AI actually landing in production? Recent discussions among SecOps leaders reveal a split reality: AI as a generator for junior analysts versus AI as a verifier for senior engineers – with the harsh truth that without solid query language fundamentals, you’re just playing a slot machine with your SOC’s budget.
Learning Objectives:
- Evaluate real‑world AI use cases for SIEM queries, parsers, detections, and dashboards based on recent practitioner insights.
- Implement hybrid workflows that combine LLM‑generated content with human validation to avoid false positives and broken rules.
- Execute practical Linux/Windows commands and Python scripts for AI‑assisted SIEM operations, parser mapping, and detection rule mining.
You Should Know:
- LLM‑Generated SIEM Queries – From Slot Machine to Reliable Tool
Rafał Kitab nailed it: “Without knowing the query language, you’re playing a slot machine with the LLM.” Seniors write production detection logic by hand; juniors use LLMs with senior review. Here’s a safe step‑by‑step workflow.
Step‑by‑step guide – Generate and validate a Splunk SPL query using a local LLM (or OpenAI) with automatic syntax checking.
Linux / Python example (save as `siem_query_gen.py`):
import subprocess, json, sys
Simulate LLM query generation – replace with OpenAI API call
user_intent = "show failed SSH logins in last hour"
prompt = f"Convert to Splunk SPL: {user_intent}"
Mock LLM output (in production, call LLM)
llm_query = 'index=linux sourcetype=secure "Failed password" earliest=-1h'
Validate query syntax using Splunk's REST API (if available)
try:
result = subprocess.run(['splunk', 'search', llm_query, '-maxout', '1'],
capture_output=True, text=True, timeout=10)
if "Error" in result.stderr:
print(f"[!] Syntax error: {result.stderr}")
sys.exit(1)
else:
print(f"[+] Valid query:\n{llm_query}")
except FileNotFoundError:
print("[!] Splunk CLI not found – manually review query")
Windows PowerShell validation (for Microsoft Sentinel KQL):
$query = 'SecurityEvent | where EventID == 4625 | where TimeGenerated > ago(1h)' Test KQL using Azure CLI az monitor log-analytics query --workspace-id $wsid --analytics-query $query --timespan P1D
Key practice: Always run generated queries in a dry‑run mode against a test index. Never pipe LLM output directly into production.
2. Automated Parser Generation for Messy Log Sources
Mayur Agnihotri noted: AI handles 80% of well‑behaved JSON/CEF/syslog, but vendor‑specific weirdness (SAP, legacy mainframe) still needs human‑tuned parsers. Use AI for initial schema translation to OCSF, then harden manually.
Step‑by‑step – Convert a messy custom log line to OCSF using a Python script with LLM fallback.
Sample messy log: `2025-04-01T12:34:56Z legacyApp
user="admin" msg="Login fail" src=10.0.0.1`
<h2 style="color: yellow;">Python parser with AI translation:</h2>
[bash]
import re, json, openai pip install openai
log_line = '2025-04-01T12:34:56Z legacyApp [bash] user="admin" msg="Login fail" src=10.0.0.1'
Step 1: regex extraction (human part)
pattern = r'(?P<timestamp>\S+) \S+ [(?P<severity>\w+)] user="(?P<user>[^"]+)" msg="(?P<message>[^"]+)" src=(?P<src_ip>\S+)'
match = re.search(pattern, log_line)
if match:
base = match.groupdict()
else:
Step 2: fallback to AI for weird formats
response = openai.ChatCompletion.create(model="gpt-4", messages=[{"role": "user", "content": f"Convert this log to JSON with fields time, severity, user, msg, src_ip: {log_line}"}])
base = json.loads(response.choices[bash].message.content)
Step 3: map to OCSF schema (simplified)
ocsf_event = {
"time": base.get("timestamp"),
"severity": base.get("severity", "INFO"),
"actor": {"user": {"name": base.get("user")}},
"unmapped": {"raw_msg": base.get("message")},
"src_endpoint": {"ip": base.get("src_ip")}
}
print(json.dumps(ocsf_event, indent=2))
Linux command to test custom parser on log files:
cat messy.log | python3 messy_parser.py >> normalized_ocsf.jsonl
- Detection Rule Mining – Finding Stale or Broken Rules with AI
AI excels at identifying low‑yield or stale detections. Use the SIEM’s API to extract rule metadata and feed it to an LLM for recommendations.
Step‑by‑step – Extract rule performance from Splunk (or Elastic) and generate AI suggestions.
Bash + curl (Splunk REST API):
Get all correlation searches (detection rules) curl -k -u admin:pass https://splunk:8089/services/saved/searches -d output_mode=json > rules.json Extract rules with zero hits in 30 days jq '.entry[] | select(.content.triggered_alert_count == "0") | .name' rules.json > stale_rules.txt
Python analysis with LLM:
import openai
with open("stale_rules.txt") as f:
stale_names = f.readlines()
prompt = f"These detection rules had zero triggers in 30 days: {stale_names}. Suggest why each might be stale and how to update or deprecate them."
response = openai.ChatCompletion.create(model="gpt-4", messages=[{"role": "user", "content": prompt}])
print(response.choices[bash].message.content)
Windows PowerShell (Sentinel):
$rules = Get-AzSentinelAlertRule -ResourceGroupName $rg -WorkspaceName $ws
$stale = $rules | Where-Object { $_.LastModifiedUtc -lt (Get-Date).AddMonths(-3) }
$stale | Select-Object DisplayName, Severity, LastModifiedUtc | Export-Csv stale_rules.csv
Mitigation: Use the AI suggestion as a draft, then apply human FP‑risk analysis before deployment. Never auto‑commit AI‑authored detections.
- On‑the‑Fly Investigation Dashboards – Generated During Active Hunting
Mayur Agnihotri confirms: investigation visuals on‑the‑fly works, but SOC wall and exec metrics stay hand‑built. Use Jupyter notebooks + SIEM APIs for ad‑hoc visualisation.
Step‑by‑step – Dynamic dashboard generation with Python, Pandas, and the Elasticsearch DSL.
Python + Elasticsearch:
from elasticsearch import Elasticsearch
import pandas as pd
import matplotlib.pyplot as plt
es = Elasticsearch([{'host': 'localhost', 'port': 9200}])
Query for failed logins per source IP (investigation context)
query_body = {
"size": 0,
"aggs": {
"src_ips": {
"terms": {"field": "source.ip", "size": 10},
"aggs": {"failures": {"value_count": {"field": "event.id"}}}
}
}
}
res = es.search(index="logs-", body=query_body, filter_path="aggregations")
buckets = res["aggregations"]["src_ips"]["buckets"]
df = pd.DataFrame([(b["key"], b["failures"]["value"]) for b in buckets], columns=["IP", "Failures"])
df.plot(kind="barh", x="IP", y="Failures", title="Top Attack Sources – Live")
plt.tight_layout()
plt.savefig("/tmp/live_investigation.png")
print("[+] Dashboard image saved. Share with team.")
Linux cron job for automated refresh:
/5 /usr/bin/python3 /opt/siem_live_dash.py && scp /tmp/live_investigation.png soc@reviewer:/var/www/soc/
5. Hardening AI Prompts Against Hallucinations and Injection
LLMs invent table names and produce overly long queries. Implement output validation and prompt constraints.
Step‑by‑step – Validate generated query against allowed table schema using regex and allowlists.
Python validation function:
import re
ALLOWED_TABLES = ["win_security", "linux_auth", "firewall_logs"]
def validate_splunk_query(query):
Block dangerous commands
if re.search(r'\b(delete|drop|shutdown|pipe\s+to)\b', query, re.I):
raise ValueError("Unsafe command detected")
Check table names
tables = re.findall(r'index\s=\s(\w+)', query, re.I)
for t in tables:
if t not in ALLOWED_TABLES:
raise ValueError(f"Invalid index {t} – not in allowed list")
return True
Example LLM output
bad_query = "index= | delete "
try:
validate_splunk_query(bad_query)
except ValueError as e:
print(f"[!] Blocked: {e}")
Windows / PowerShell regex validation:
$allowedTables = @("SecurityEvent", "SigninLogs")
$kqlQuery = "SecurityEvent | where EventID == 4625 | extend x=exec('danger')"
if ($kqlQuery -match "exec(|extend\s+\w+=execute") {
Write-Error "Suspicious KQL pattern – abort"
}
- Hybrid Workflow: Git + CI for AI‑Generated Rules
Treat AI‑authored detection logic as code. Use version control and automated testing.
Step‑by‑step – GitHub Actions pipeline that lints and tests every AI‑generated rule before merge.
Example `.github/workflows/siem_ci.yml`:
name: Validate SIEM Rules on: pull_request jobs: test: runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 - name: Lint Splunk queries run: | for file in $(find rules/ -name ".spl"); do python3 lint_spl.py "$file" || exit 1 done - name: Dry‑run queries in test SIEM run: | curl -X POST http://test-siem:8089/services/search/jobs \ -d search="$(cat rules/critical.spl)" --fail
Local Git hook (`.git/hooks/pre-commit`):
!/bin/bash Block commit if AI-generated query contains unknown table for file in $(git diff --cached --name-only --diff-filter=ACM | grep '.spl$'); do if grep -q "index=unknown" "$file"; then echo "❌ Commit blocked: $file uses unknown index" exit 1 fi done
What Undercode Say:
- Key Takeaway 1 – AI is a force multiplier only when analysts already understand the underlying SIEM query language. Without basics, LLMs turn into expensive slot machines that accidentally produce correct outputs without true comprehension.
- Key Takeaway 2 – Production splits along a clear axis: AI as generator for junior work (with senior review) and AI as verifier for stale rule detection and parser automation. The human‑in‑the‑loop pattern (AI suggests, analyst approves) remains non‑negotiable for detections and dashboards that face executives or compliance auditors.
Analysis (~10 lines):
The LinkedIn exchange exposes a maturing perspective on AI in SecOps – we’ve moved past “will AI replace analysts?” to “where does AI actually add value without creating more risk?”. The consensus is that AI excels at accelerating pattern recognition (finding unused rules, mapping structured logs) but struggles with vendor‑specific weirdness and context‑aware syntax. The slot‑machine analogy is powerful: trusting LLM outputs without query‑language fluency leads to silent failures – a query that looks plausible but joins the wrong tables or misses critical filters. For CISOs, the implication is clear: upskill your team on KQL/SPL/ES|QL before deploying AI copilots. Automate validation pipelines and enforce peer review for any AI‑generated detection logic. The future is hybrid: AI handles volume and translation; humans handle judgment and weird edge cases. The SOC wall and compliance dashboards will stay hand‑crafted because stability and predictable layouts matter more than novelty.
Prediction:
In the next 18 months, SIEM vendors will embed native LLM query builders that include automatic syntax verification and table‑allowlist enforcement – turning today’s slot machine into a guided assistant. However, the gap between “AI‑generated” and “production‑ready” will persist, driving demand for new SOC roles: AI Validation Engineers who specialize in prompt hardening and false‑positive analysis. Expect open‑source frameworks for testing AI‑authored detection rules (similar to unit testing for code). The most mature teams will separate “exploratory AI” (juniors + LLM for hunting) from “production AI” (hand‑written or heavily curated rules). The vendors that survive will be those that don’t just market AI, but provide granular audit trails showing exactly which parts of a rule were human‑written versus AI‑suggested. Compliance frameworks (SOC2, ISO 27001) will add controls around AI‑generated security content. The SOC wall dashboard? Still built by hand – but generated from a live data source using an API call triggered by an LLM’s natural language request. That’s the real vibe check for 2026.
▶️ Related Video (74% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Filipstojkovski This – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


