ResearchTrend.AI
44
0

Rule-ATT&CK Mapper (RAM): Mapping SIEM Rules to TTPs Using LLMs

Prasanna N. Wudali
Moshe Kravchik
Ehud Malul
Parth A. Gandhi
Yuval Elovici
A. Shabtai
ArXivPDFHTML
Abstract

The growing frequency of cyberattacks has heightened the demand for accurate and efficient threat detection systems. SIEM platforms are important for analyzing log data and detecting adversarial activities through rule-based queries, also known as SIEM rules. The efficiency of the threat analysis process relies heavily on mapping these SIEM rules to the relevant attack techniques in the MITRE ATT&CK framework. Inaccurate annotation of SIEM rules can result in the misinterpretation of attacks, increasing the likelihood that threats will be overlooked. Existing solutions for annotating SIEM rules with MITRE ATT&CK technique labels have notable limitations: manual annotation of SIEM rules is both time-consuming and prone to errors, and ML-based approaches mainly focus on annotating unstructured free text sources rather than structured data like SIEM rules. Structured data often contains limited information, further complicating the annotation process and making it a challenging task. To address these challenges, we propose Rule-ATT&CK Mapper (RAM), a novel framework that leverages LLMs to automate the mapping of structured SIEM rules to MITRE ATT&CK techniques. RAM's multi-stage pipeline, which was inspired by the prompt chaining technique, enhances mapping accuracy without requiring LLM pre-training or fine-tuning. Using the Splunk Security Content dataset, we evaluate RAM's performance using several LLMs, including GPT-4-Turbo, Qwen, IBM Granite, and Mistral. Our evaluation highlights GPT-4-Turbo's superior performance, which derives from its enriched knowledge base, and an ablation study emphasizes the importance of external contextual knowledge in overcoming the limitations of LLMs' implicit knowledge for domain-specific tasks. These findings demonstrate RAM's potential in automating cybersecurity workflows and provide valuable insights for future advancements in this field.

View on arXiv
@article{wudali2025_2502.02337,
  title={ Rule-ATT&CK Mapper (RAM): Mapping SIEM Rules to TTPs Using LLMs },
  author={ Prasanna N. Wudali and Moshe Kravchik and Ehud Malul and Parth A. Gandhi and Yuval Elovici and Asaf Shabtai },
  journal={arXiv preprint arXiv:2502.02337},
  year={ 2025 }
}
Comments on this paper