Use of large language models for security event analysis
As cyberattacks continue to rise and adversary techniques become more sophisticated, the workload on security monitoring and incident response teams in security operations centers (SOCs) increases substantially. Access to security events in existing telemetry storage systems still relies largely on queries written in a specialized syntax, which does not always provide the required speed and depth of analysis. In parallel, large language models (LLMs) are rapidly evolving, enabling natural-language interaction with accumulated security logs. This paper proposes integrating a semantic LLM layer into an existing security event collection and processing architecture so that relevant events can be retrieved by semantic similarity from natural-language queries. An implemented prototype is also described, demonstrating the technical feasibility of the approach with a locally deployed Mistral model and a web-based chatbot interface for SOC analysts; it serves as a foundation for further development and operational adoption.
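As an added illustration (not the paper's prototype code), the retrieval layer the abstract describes, reduced to its core: events are embedded, the analyst's question is embedded, the best matches by cosine similarity are returned, and only those events are handed to the model as grounding context with their ids so the analyst can verify the answer. The `embed()` function, its synonym table and the sample events are constructed placeholders standing in for a real embedding model and real telemetry.

```python
"""Minimal semantic-retrieval layer over security events (illustrative only).
embed() is a placeholder bag-of-words embedder with a constructed synonym
table; a deployment would swap in a real embedding model behind the same API."""
import math
import re
from collections import Counter

# Constructed sample events (not taken from the paper or any real system).
EVENTS = [
    {"id": 1, "source": "sshd", "message": "Failed password for invalid user admin from 203.0.113.7 port 4422"},
    {"id": 2, "source": "sshd", "message": "Accepted publickey for alice from 192.0.2.10 port 51020"},
    {"id": 3, "source": "auditd", "message": "user bob executed sudo su - (privilege escalation attempt)"},
    {"id": 4, "source": "firewall", "message": "Outbound connection blocked to 198.51.100.5 port 4444"},
]

# Constructed synonym table: maps analyst vocabulary onto log vocabulary.
SYNONYMS = {"login": ["password", "publickey"], "logins": ["password", "publickey"],
            "failed": ["invalid"], "blocked": ["denied"]}

def tokenize(text):
    return re.findall(r"[a-z0-9]+", text.lower())

def embed(text):
    """Sparse vector: token counts plus synonym expansion, L2-normalised."""
    counts = Counter()
    for tok in tokenize(text):
        counts[tok] += 1
        for syn in SYNONYMS.get(tok, []):
            counts[syn] += 1
    norm = math.sqrt(sum(v * v for v in counts.values())) or 1.0
    return {k: v / norm for k, v in counts.items()}

def cosine(a, b):
    return sum(a[k] * b.get(k, 0.0) for k in a)

def retrieve(query, events=EVENTS, k=3, min_score=0.1):
    """Rank events by similarity to a natural-language query; drop weak matches."""
    q = embed(query)
    scored = [(cosine(q, embed(f"{e['source']} {e['message']}")), e) for e in events]
    scored = [(s, e) for s, e in scored if s >= min_score]
    scored.sort(key=lambda se: se[0], reverse=True)
    return [e for _, e in scored[:k]]

def build_prompt(query, events):
    """Ground the model's answer in the retrieved events only, citing event ids."""
    ctx = "\n".join(f"[{e['id']}] {e['source']}: {e['message']}" for e in events)
    return ("Answer using only the events below and cite their ids.\n"
            f"Events:\n{ctx}\nQuestion: {query}")
```

The `min_score` threshold keeps unrelated events out of the model's context, which limits how much the model can hallucinate from irrelevant log lines.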