XDR Breach Detection: Beyond Traditional ML to the Era of LLMs


Ravi Lingarkar
Chief Product & Engineering Officer

Introduction

A significant component of Extended Detection and Response (XDR) systems is log analysis, which is used to prevent and identify potential breaches. Their strength comes from the use of a broad set of rules:

  • Correlation Rules that trigger on known patterns.
  • Simple Alerting Rules that trigger on conditions met.
  • Allowlist and Denylist Rules to specifically permit or block activities.
  • Trending Rules that observe data patterns over extended periods.
  • Context-aware Rules that utilize additional data sources, like threat intelligence.
  • Sequential Alerting Rules that combine multiple conditions for detection.
  • Time-based Rules that focus on the timing of events for anomalies.

Although these rules provide a reasonable defense mechanism, XDR has relied on traditional machine learning (ML) for intricate patterns and anomalies. Techniques like Decision Trees, SVMs, and Random Forests come with their baggage. They can overfit, struggle with large datasets, or demand significant computational power. Neural Networks often need extensive modifications to cater to the multifaceted challenges of cybersecurity. K-Means Clustering is bound by the need for predefined clusters. These complexities not only consume time and resources but also introduce potential vulnerabilities.

In the context of XDR, these limitations of traditional ML manifest as:

High False Positives: The propensity of traditional ML to produce false positives is one of the most important critiques against it. This wastes resources and may result in complacency, making it more difficult to identify real dangers.

Lack of Contextual Understanding: Because these models are trained on datasets, they frequently overlook the larger context. If innocuous behaviors resemble well-known patterns, they can mark them as malicious, increasing the number of false positives.

Overfitting: Models could perform well in lab testing but fall short in production because they cannot generalize and adjust to changing threats.

Heavy Dependence on Feature Engineering: The trial-and-error method for feature engineering can cause the model’s effectiveness to degrade significantly if a key feature is absent or the model is overwhelmed with irrelevant features.

Inefficiency in Anomaly Detection: While cybersecurity requires the identification of recognized risks, it’s also essential to spot strange patterns or anomalies that could point to new, unidentified threats. Traditional ML relies on a large amount of labeled data to identify such abnormalities, which makes it less successful at identifying unknown risks.

Given these challenges, Large Language Models (LLMs) are receiving more attention. It appears that transitioning to LLMs isn’t just an improvement – it’s becoming a necessity. Why? Let’s find out next.

Understanding Word Vectors and LLMs

LLMs are a subset of ML models created primarily to understand and generate human-like text. These models, which can have billions of parameters, are developed using enormous volumes of textual data. Due to their considerable training, they can recognize complex patterns, nuances, and situations that traditional ML models miss. Additionally, domain-specific data can be used to fine-tune LLMs further, improving their accuracy and relevance in specialized fields.

Word Vectors (WordVec), on the other hand, are mathematical representations of words. Based on their context in the training data, these vectors capture the semantic meaning of words. They are extremely useful for tasks that call for comprehension of the links between words, since the proximity of words within this vector space can imply semantic similarity.

 

Harnessing LLMs and WordVec for Enhanced Log Analysis

Broad Worldview with LLMs

LLMs are large, with billions of parameters, and are trained on diverse datasets ranging from literature to technical manuals. This vast training background equips them with a comprehensive knowledge base, allowing them to understand the context, nuances, and even the intent behind log entries. For instance, while a traditional ML model might flag a harmless system update as suspicious due to a pattern match, an LLM can contextualize the update within a broader system narrative, reducing false positives.

Dynamic Adaptability of LLMs

LLMs can be continually fine-tuned with new data, ensuring they remain relevant. This adaptability is akin to updating a virus definition database but on a much more sophisticated scale. Instead of merely adding new threat signatures, the entire model’s understanding of cyber threats can be refined.

Automated Feature Recognition by LLMs

While traditional ML techniques lean heavily on experts for feature identification and input, LLMs can autonomously discern and prioritize features from raw data. This automation minimizes human error and ensures that even subtle, often overlooked features are incorporated into the analysis.

Deep Semantic Understanding through WordVec

WordVec captures more than isolated meanings by representing words in a relational space. For instance, in a log entry, terms like “unauthorized,” “access,” and “root” might individually seem benign. However, when these terms are closely aligned in a word vector space, they can collectively indicate a potential breach. This relational understanding, derived from WordVec, facilitates a deeper and more nuanced analysis of log entries.
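The relational idea above can be seen on a small scale in the following added example, which is not part of the original article. It uses count-based co-occurrence vectors as a stand-in for trained word embeddings; the corpus, the seed terms and all function names are assumptions made for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed sample log lines (not real data).
CORPUS = [
    "unauthorized access attempt for root from 203.0.113.7",
    "unauthorized access to root shell denied",
    "root access unauthorized session terminated",
    "scheduled system update completed successfully",
    "system update package installed successfully",
    "scheduled backup completed successfully",
]

def build_vectors(lines):
    """Map each word to a sparse vector of same-line co-occurrence counts."""
    vectors = defaultdict(Counter)
    for line in lines:
        words = line.lower().split()
        for w in words:
            for other in words:
                if other != w:
                    vectors[w][other] += 1
    return vectors

def cosine(a, b):
    """Cosine similarity of two sparse vectors (0.0 if either is empty)."""
    dot = sum(a[k] * b[k] for k in a if k in b)
    norm = math.sqrt(sum(v * v for v in a.values())) * \
           math.sqrt(sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0

def line_vector(line, vectors):
    """Embed a log line as the sum of its known words' vectors."""
    total = Counter()
    for w in line.lower().split():
        total.update(vectors.get(w, {}))  # unknown words contribute nothing
    return total

def breach_score(line, vectors, seeds=("unauthorized", "root")):
    """Similarity between a line and the summed vectors of the seed terms."""
    seed_vec = line_vector(" ".join(seeds), vectors)
    return cosine(line_vector(line, vectors), seed_vec)

VECTORS = build_vectors(CORPUS)
```

A line such as "access granted to root shell" scores above zero without containing the word "unauthorized", because its words share neighbours with the seed terms; the score measures similarity to a topic and is an input to triage, not a verdict.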

Efficient Dimensionality Reduction with WordVec

Given the verbosity of logs, analyzing them can be daunting. WordVec simplifies this by representing words in a dense vector space, streamlining the data, and spotlighting relationships and patterns that the volume of raw data might otherwise obscure.

Transfer Learning Capabilities of WordVec

One standout feature of WordVec is its adaptability. Once trained on extensive datasets, word vectors can be fine-tuned for specific tasks, such as cybersecurity. This means the broad understanding gleaned from diverse sources can be channeled to enhance performance in specialized domains like log analysis.

 

Challenges and Effective Deployment Strategies for LLMs in XDR

One of the primary concerns with LLMs is response time. Given their complexity and the sheer size and number of layers, LLMs can respond slower than more streamlined models, especially when overwhelmed with vast amounts of log data. However, these challenges do not diminish the promise of LLMs. We can harness their strengths while mitigating their limitations. Here are some ways an LLM can be effectively utilized in XDR.

Optimizing Alert Generation with Selective Log Feeds to LLMs

Rather than overwhelming the LLM with a deluge of logs, it’s more efficient to forward only those logs that have undergone initial filtering and bear potential security significance. This approach ensures that the LLM directs its processing power toward truly relevant data.
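One way to build such an initial filter from the rule types listed in the introduction (denylist, allowlist, sequential and time-based rules), shown as an added example that is not part of the original article. The patterns, threshold, window and log format are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical rule content; tune to your environment.
DENYLIST = [re.compile(r"unauthorized|/etc/shadow")]
ALLOWLIST = [re.compile(r"apt-daily|unattended-upgrade")]
FAIL = re.compile(r"Failed password for (\S+) from (\S+)")
OK = re.compile(r"Accepted password for (\S+) from (\S+)")
WINDOW, THRESHOLD = timedelta(minutes=5), 3

# Constructed sample lines (ISO timestamp first), not real logs.
SAMPLE = [
    "2024-01-10T09:00:01 host1 systemd: Started apt-daily.service",
    "2024-01-10T09:01:00 host1 sshd: Failed password for admin from 198.51.100.9",
    "2024-01-10T09:01:20 host1 sshd: Failed password for admin from 198.51.100.9",
    "2024-01-10T09:01:40 host1 sshd: Failed password for admin from 198.51.100.9",
    "2024-01-10T09:02:05 host1 sshd: Accepted password for admin from 198.51.100.9",
    "2024-01-10T09:03:00 host1 sshd: Accepted password for alice from 192.0.2.15",
    "2024-01-10T09:04:10 host1 app: unauthorized access to /admin by uid=1002",
    "2024-01-10T09:05:00 host1 cron: job backup finished",
]

def select_for_llm(lines):
    """Return (line, reason) pairs to forward to the LLM; drop the rest."""
    failures = defaultdict(deque)  # (user, source) -> recent failure times
    forwarded = []
    for line in lines:
        ts = datetime.fromisoformat(line.split(" ", 1)[0])
        # Denylist runs first so an allowlisted string cannot hide a hit.
        if any(p.search(line) for p in DENYLIST):
            forwarded.append((line, "denylist"))
        elif any(p.search(line) for p in ALLOWLIST):
            continue
        elif m := FAIL.search(line):
            failures[m.groups()].append(ts)
        elif m := OK.search(line):
            recent = failures[m.groups()]
            while recent and ts - recent[0] > WINDOW:
                recent.popleft()  # time-based rule: expire old failures
            if len(recent) >= THRESHOLD:
                forwarded.append((line, "login after repeated failures"))
            recent.clear()
    return forwarded
```

On the sample, two of the eight lines are forwarded, each with the reason it was selected, which can be passed to the LLM as context alongside the raw line.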

Enhanced Alert Management via Prioritization with Contextual Insights

When hundreds of rules run every few minutes and churn out a large number of alerts, integrating LLMs can be a game-changer. LLMs delve deep into the context and potential implications of each alert. By doing so, they can not only prioritize alerts based on their urgency but also provide a detailed understanding of the reasons behind such prioritizations.

Using LLMs for Unified Alert Presentation for Consistency Across Tools

Security tools, from NDR to IPS/IDS and EDR, often produce alerts in diverse formats. By employing LLMs, we can achieve a standardized presentation of these alerts, ensuring clarity and facilitating a more efficient response by security analysts. Additionally, with this standardization in place, LLMs can correlate and detect threats by synthesizing alerts across all the tools.

Tailored Threat Response by Allowing LLM to Guide SOAR Playbook Selection

Given the unique characteristics and severity of each alert, LLMs can adeptly recommend the most fitting Security Orchestration, Automation, and Response (SOAR) playbook. This precision ensures that every response is meticulously aligned with the specific threat, optimizing both the speed and efficacy of the response.

Enhancing Threat Hunting with LLM Insights

LLMs offer a unique advantage in the realm of threat hunting. By analyzing and learning from the alerts they’ve processed for a customer, LLMs can identify patterns, anomalies, and emerging threats that might otherwise go unnoticed. This historical context, combined with their vast knowledge encapsulated in billions of parameters, equips them to proactively suggest areas of concern or potential vulnerabilities. With this insight, security teams can embark on threat-hunting missions with a more informed perspective, targeting areas most likely to yield significant findings.

By leveraging LLMs in these targeted ways, we can harness their strengths in understanding context and nuance while ensuring they operate efficiently and effectively within the XDR environment.

 

Conclusion

Cybersecurity threats are changing at a rate that has never been seen before. Relying on traditional ML, with its high false positives and inefficiencies, is akin to bringing a knife to a gunfight. LLMs, bolstered by the power of word vectors, offer a more sophisticated, adaptable, and efficient solution for log analysis and breach detection. As cyber threats grow in complexity, it’s high time our defense mechanisms evolve in tandem.
