Rule-ATT&CK Mapper (RAM): Mapping SIEM Rules to TTPs
Using LLMs
Prasanna N. Wudali Moshe Kravchik
Ben-Gurion University of the Negev Rafael Advanced Defense Systems
Abstract
The growing frequency of cyberattacks has heightened the demand
for accurate and efficient threat detection systems. Security infor-
mation and event management (SIEM) platforms are important for
arXiv:2502.02337v1 [cs.CR] 4 Feb 2025
analyzing log data and detecting adversarial activities through rule-
based queries, also known as SIEM rules. The efficiency of the threat
analysis process relies heavily on mapping these SIEM rules to the
relevant attack techniques in the MITRE ATT&CK framework. Inac-
curate annotation of SIEM rules can result in the misinterpretation
of attacks, increasing the likelihood that threats will be overlooked.
Such misinterpretation can expose an organization’s systems and
networks to potential damage and security breaches. Existing solu-
tions for annotating SIEM rules with MITRE ATT&CK technique
and sub-technique labels have notable limitations: manual annota-
tion of SIEM rules is both time-consuming and prone to errors, and
machine learning-based approaches mainly focus on annotating un-
structured free text sources (e.g., threat intelligence reports) rather
than structured data like SIEM rules. Structured data often contains
limited information, further complicating the annotation process
and making it a challenging task. To address these challenges, we
propose Rule-ATT&CK Mapper (RAM), a novel framework that
leverages large language models (LLMs) to automate the mapping
of structured SIEM rules to MITRE ATT&CK techniques. RAM’s
multi-stage pipeline, which was inspired by the prompt chaining
technique, enhances mapping accuracy without requiring LLM pre-
training or fine-tuning. Using the Splunk Security Content dataset,
we evaluate RAM’s performance using several LLMs, including
GPT-4-Turbo, Qwen, IBM Granite, and Mistral. Our evaluation high-
lights GPT-4-Turbo’s superior performance, which derives from
its enriched knowledge base, and an ablation study emphasizes
the importance of external contextual knowledge in overcoming
the limitations of LLMs’ implicit knowledge for domain-specific
tasks. These findings demonstrate RAM’s potential in automating
cybersecurity workflows and provide valuable insights for future
advancements in this field.
Keywords
SIEM rules, LLMs, MITRE ATT&CK
1 Introduction
The rapid advancement of technology and widespread adoption
of digital applications have resulted in a significant increase in
cyberattacks [5]. To gain visibility into their digital ecosystems,
organizations deploy security information and event management
(SIEM) systems in their networks. These systems store and analyze
log data generated by various digital entities in the network [11].
SIEM systems enable threat detection by allowing users to exe-
cute search queries, referred to as rules, on the ingested log data.
Ehud Malul, Parth A. Gandhi,
Yuval Elovici, Asaf Shabtai
Ben-Gurion University of the Negev
Each SIEM platform employs its own rule definition language (RDL),
a schema-based structure for defining these rules that standardizes
the creation and execution of SIEM rules, making them inherently
structured data and a foundational component of modern cyber-
security operations. Examples of such schemas include the search
processing language (SPL) from Splunk, the Lucene query language
by Elasticsearch, and the Kusto query language (KQL) by Microsoft.
Security alerts are triggered when the execution of SIEM rules
yields search results. When such alerts are generated, security ana-
lysts must examine each alert individually, performing tasks such
as triage, analysis, and interpretation, and determine whether the
alert corresponds to an actual attack. A critical aspect of effective
threat detection and hunting is the precise mapping and understand-
ing of the tactics, techniques, and procedures (TTPs) employed by
adversaries, as defined in the MITRE ATT&CK framework.1 In-
corporating MITRE ATT&CK techniques in the analysis provides
valuable insights, enabling analysts to discern potential attack flows.
Such mapping enhances security professionals’ ability to anticipate
and mitigate the strategies employed by cyber adversaries.
Mapping SIEM rules to specific MITRE ATT&CK techniques is
a complex manual process that is prone to errors and can be time-
consuming. Cybero, a leading cybersecurity company, reported [8]
that "organizations collect sufficient log data to potentially detect 94%
of techniques outlined in the MITRE ATT&CK framework; however,
only 24% of these techniques are effectively covered due to gaps in
detection rules, with an additional 12% of SIEM rules rendered non-
functional or misconfigured." In its best practices guide [7] to MITRE
ATT&CK mapping, CISA, an American cyber defense agency, listed
(i) leaping to conclusions (i.e., prematurely deciding on a mapping
based on insufficient evidence or examination of the facts), (ii)
missing opportunities (i.e., not considering, being unaware of, or
overlooking other potential technique mappings based on implied
or unclear information), and (iii) miscategorization (i.e., the selec-
tion of incorrect techniques due to misinterpreting, misreading,
or inadequately understanding the techniques, specifically the dif-
ference between two techniques) as common mistakes committed
by security analysts when manually performing the mapping task.
Given the above, there is a need to automate the mapping process
and thereby reduce the workload on security analysts and increase
the speed and accuracy of threat detection.
Recent cybersecurity research has explored various techniques
for mapping unstructured data from cyber threat intelligence (CTI)
reports to the MITRE ATT&CK framework [3, 4, 19, 22, 30]. While
these methods have demonstrated effectiveness in handling un-
structured data, they have a limited ability to adapt to structured
data use cases, such as intrusion detection system and SIEM rules.
Also, these methods use supervised learning-based approaches to
1 https://attack.mitre.org/
classify structured data (i.e., intrusion detection system and SIEM
rules) to MITRE ATT&CK technique classes, which require retrain-
ing when new threats emerge. Their reliance on retraining limits
their scalability and efficiency in dynamic threat landscapes. Măr-
mureanu et al. [20] proposed a method to map structured data,
specifically Splunk rules, to the MITRE ATT&CK framework. This
approach utilizes a BERT model trained as a classifier to categorize
Splunk rules into 14 high-level MITRE ATT&CK tactic classes. How-
ever, this method shares the same limitations as other supervised
learning approaches discussed earlier, particularly the need for re-
training with updated data to address new threats. Furthermore,
the task of mapping rules to high-level tactics is comparatively
easier than mapping them to MITRE ATT&CK techniques and sub-
techniques, which involve around 670 distinct classes and present
a much greater challenge. Despite focusing on this simplified task,
the method failed to achieve high performance in their evaluation,
due to its inherent limitations. In a recent study, Fayyazi et al. [12]
employed large language models (LLMs) to map CTIs in the form
of unstructured text to MITRE ATT&CK techniques, while Nir et
al. [9] employed them to map Snort intrusion detection rules to
MITRE ATT&CK techniques.
These investigations highlight the potential of LLMs in cyber-
security tasks but also underscore their limitations. Solely relying
on the implicit knowledge of LLMs has proven insufficient for ad-
dressing the domain-specific requirements of cybersecurity. This
gap highlights the need for more adaptable and scalable method-
ologies tailored to the dynamic nature of cyber threats. To produce
accurate and reliable predictions, they require additional contextual
information that is not inherently available to the LLM.
To address these shortcomings, we propose RAM, a novel LLM-
based framework for analyzing SIEM rules and recommending
relevant MITRE ATT&CK techniques. RAM eliminates dependence
on training data, utilizes LLM agents to retrieve supplementary
contextual information, and transforms structured rule into un-
structured natural language to preserve the syntactic and semantic
meaning of the rule. This innovative approach ensures reliable and
accurate predictions while overcoming the limitations of existing
methods.
LLMs, with their advanced natural language processing (NLP)
capabilities, can process and analyze structured data, automatically
identify patterns, and understand the syntactic meaning of the
data, but they often fall short in understanding the semantic mean-
ing of the data. This study leverages LLMs to autonomously map
structured data in the form of SIEM rules to MITRE ATT&CK tech-
niques, enabling the automation of cybersecurity threat detection
and investigation.
RAM is a multi-stage AI agent pipeline (see Figure 1) inspired by
the prompt chaining technique [27] and designed to enhance the
understanding and application of SIEM rules. The pipeline begins
with the extraction of indicators of compromise (IoCs) from the
rule (e.g., process names, file names, registry keys and values, IP
addresses, network ports). Then, a web search LLM agent retrieves
additional contextual information related to the IoCs identified in
the rule. Leveraging the information gathered in the preceding
stages, the next AI agent translates the rule into natural language
text, providing a comprehensive description. This textual descrip-
tion is then used by an LLM to identify the data source [15] of the
logs or the mitigation strategy being applied upon which the rule
operates. This natural language representation, along with the data
source or mitigation-related information, serves as input to another
LLM that maps the rule in question to probable MITRE ATT&CK
techniques. In the final stage, the pipeline refines the mapping and
provides reasoning by extracting the most relevant techniques from
the list of potential matches, facilitating precise alignment of the
rule with the MITRE ATT&CK framework.
We conducted a comprehensive series of experiments to eval-
uate RAM’s ability to map SIEM rules to the MITRE ATT&CK
framework. The evaluation focused on common metrics such as
precision and recall, which are indicators of the method’s accuracy
and completeness in correctly classifying the SIEM rules to relevant
techniques within the framework. Various LLMs were examined,
including Qwen, IBM Granite, Mistral, and GPT-4-Turbo, and we
evaluated RAM’s effectiveness when each LLM was employed in
the pipeline. We used the threat detection rules published in the
Splunk Security content dataset2 in our experiments; to ensure that
the rules were not already known to the LLM, we carefully selected
rules for the dataset based on their creation or modification dates.
Specifically, we included only those rules with dates later than the
knowledge cut-off date of the LLMs utilized in our experiments.
Using various configuration settings, we aimed to identify the
optimal strategies for maximizing the performance of these mod-
els. Our study not only demonstrates the potential of LLMs in
automating threat analysis but also provides insights into the most
effective configurations for deploying these models in real-world cy-
bersecurity environments. This study is among the first to explore
leveraging LLMs to map structured data to the MITRE ATT&CK
framework, and our results, which highlight RAM’s potential, leave
room for further refinement in future research. We also provide
valuable insights regarding the challenges encountered during this
study, which can guide subsequent advancements in this domain
for example, the lack of a completely labeled SIEM rules dataset.
The main contributions of this paper are as follows:
• We demonstrate the feasibility of using LLMs to automate the
mapping of SIEM rules to MITRE ATT&CK techniques and pro-
vide reasoning, which could significantly enhance the capabilities
of current cybersecurity tools.
• We propose an AI agent-based framework that utilizes both
implicit and explicit knowledge in automating the mapping of
structured SIEM rules to MITRE ATT&CK techniques.
• We demonstrate the effective utilization of LLMs without the
need for pretraining or fine-tuning, thereby eliminating the need
for any training data.
• We provide a practical guide for deploying LLMs in cybersecurity,
by identifying the optimal configurations for these models.
• We present valuable insights regarding the challenges encoun-
tered during the experimentation process, providing increased
understanding of the obstacles and considerations that shaped
our research and findings.
2 https://github.com/splunk/security_content/tree/develop/detections
Rule-ATT&CK Mapper (RAM): Mapping SIEM Rules to TTPs Using LLMs
Figure 1: Overview of our AI Agent-based RAM pipeline.
2 Background
LLMs, due to their advanced NLP and generation capabilities, are
well-suited to analyze structured data by understanding its syn-
tactical meaning, as well as for providing human understandable
reasoning. However, effectively mapping structured data, such as
SIEM rules, to the MITRE ATT&CK framework [2] requires not
only syntactical understanding but also a deep comprehension of
the semantic meaning of the rules. LLMs must discern the semantic
content of a rule and identify its alignment with the techniques and
sub-techniques. Relying solely on the implicit knowledge of LLMs
is insufficient for this complex task.
To address this challenge, various prompt engineering tech-
niques [23] were implemented to enhance the LLMs’ ability to un-
derstand the semantic nuances of SIEM rules and propose relevant
MITRE ATT&CK techniques and sub-techniques. These prompt
engineering techniques are discussed in detail in this section. Addi-
tionally, to provide context for readers unfamiliar with the MITRE
ATT&CK framework, a brief overview of its structure and purpose
is also included in this section.
2.1 MITRE ATT&CK Framework
The MITRE ATT&CK framework [2] is a comprehensive, globally
recognized knowledge base that provides detailed insights into the
tactics, techniques, and procedures (TTPs) used by adversaries in
cyberattacks. It is designed to aid cybersecurity professionals in un-
derstanding adversarial behaviors, identifying attack patterns, and
strengthening defensive strategies. By systematically categorizing
adversarial actions, the framework helps organizations enhance
their detection, response, and mitigation capabilities.
 The framework is structured around three primary components:
tactics, techniques, and procedures. Tactics represent the high-level
objectives that adversaries aim to achieve during an attack. These
objectives outline the “why” behind an adversary’s actions and are
categorized into stages of an attack lifecycle, such as Initial Ac-
cess, Execution, Persistence, Privilege Escalation, and Exfiltration.
Techniques define the specific methods used to accomplish these
tactical goals. These represent the “how” of an attack and include
actions like phishing (to gain initial access), command and scripting
interpreter usage (for execution), or credential dumping (to gain
access to sensitive credentials). Complementing these, procedures
provide real-world examples of how techniques are operational-
ized, offering context on specific tools, scripts, or strategies used in
documented adversarial campaigns.
In addition to TTPs, the MITRE ATT&CK framework introduces
two critical concepts: data sources and mitigations. Data sources
refer to the various types of telemetry and system-generated data
that can be collected and analyzed to detect adversarial techniques.
Mitigations describe the preventive or corrective actions that can
be implemented to neutralize threats or limit their impact.
2.2 Prompt Engineering
Prompt engineering [23] is the practice of crafting precise and ef-
fective input prompts to optimize the performance and output of
LLMs. It involves designing queries or instructions that guide the
model’s understanding and execution of tasks. This technique has
become pivotal in ensuring that LLMs generate accurate, contextu-
ally appropriate, and reliable results, especially in tasks requiring
nuanced reasoning or complex problem-solving.
2.2.1 Prompt Chaining. Prompt chaining [27] is a technique that
decomposes complex tasks into a sequence of smaller, logically
ordered steps. In this approach, the output from one step serves as
the input for the next, enabling a modular and iterative resolution
of intricate problems. For instance, when generating a report, the
initial prompt could request an outline, subsequent prompts could
expand individual sections, and a final prompt could synthesize the
results into a cohesive document. This method improves the clarity
and manageability of multifaceted tasks.
2.2.2 Chain-of-thought Prompting. Another notable technique is
chain-of-thought (CoT) prompting [25], which implements a step-
by-step reasoning. By explicitly including intermediate reasoning
steps within the prompt or instructing the model to generate these
steps, CoT prompting enhances the AI’s capability to address tasks
that require logical inference or multi-step computation.
2.3 LLM Agents and React Framework
LLM agents, or AI Agents [17], leverage the capabilities of large
language models to perform tasks autonomously by reasoning,
planning, and acting based on input instructions. They are typically
used in applications like chatbots, decision-making systems, or
task automation. These agents operate by combining LLMs with
external tools, APIs, or environments to handle complex tasks that
require more than natural language generation.
The REACT (REasoning & ACTing) framework [28] enhances
the functionality of LLM agents by combining logical reasoning
with actionable operations in a unified system. REACT agents dy-
namically integrate high-level reasoning and decision-making with
the execution of actions in an iterative feedback loop. This enables
the agent to automatically analyze tasks, plan appropriate steps,
execute actions, and adapt to new information or evolving contexts.
The REACT framework operates through a structured workflow: (1)
The LLM interprets the input query or instruction, performs logical
analysis, and generates a plan of action, (2) The agent executes the
planned actions, such as querying an API or controlling an external
system, (3) The results of the actions are analyzed, allowing the
agent to refine its reasoning and plan subsequent steps, and (4)
The final output integrates the outcomes of reasoning and acting,
delivering a comprehensive response to the user.
3 Related Work
Table 1 summarizes the related work on mapping cybersecurity data
to attack tactics and techniques. As can be seen, previous works
mainly focused on mapping unstructured data, such as threat in-
telligence reports and semi-structured data, such as event logs,
to MITRE ATT&CK techniques. These efforts proposed both rule-
based methods [18] and machine learning (ML)-based approaches [3,
4, 12, 14, 19, 22, 29, 30].
The rule-based method proposed by Kryukov et al. [18] aimed to
map security events in SIEM to MITRE ATT&CK framework using
pre-defined rules based on threat patterns. A key limitation of their
method lies in its heavy reliability on rule (or patterns) database.
While these patterns are essential to carry out accurate mapping,
the method’s reliance on them constrains its adaptability to newly
emerging threats within the dynamic and ever-evolving cybersecu-
rity landscape. As a result, increased false positives (misidentifica-
tion of benign activities as threats) and false negatives (failure to
detect actual threats) are produced, particularly when new attack
patterns or techniques have not been added to the database.
Recent advancements have marked a significant shift from tradi-
tional rule-based methods to the adoption of ML-based approaches,
particularly the use of language models, for this task. Language
models, such as BERT and GPT, offer the ability to process unstruc-
tured text with minimal feature engineering due to their powerful
contextual understanding and pre-trained embeddings.
You et al. [29] introduced a classification-based model for map-
ping unstructured data in the form of CTI reports to the MITRE
ATT&CK framework. Their approach utilized a combination of a
bi-directional LSTM model and a CNN model to classify unstruc-
tured data into just six technique classes, significantly simplifying
the task. However, the complexity of mapping unstructured data in-
creases substantially when the model must predict across the entire
set of technique classes in the MITRE ATT&CK framework, which
includes approximately 670 classes. Additionally, it is important
to note that an attack pattern or rule can be mapped to multiple
techniques, and a single technique may fall under multiple tactics,
further complicating the mapping process. This limitation may
restrict the method’s applicability in real-world scenarios where
comprehensive coverage of TTP classes is essential.
Liu et al. [19] proposed a novel approach to map unstructured
CTI to MITRE ATT&CK framework. Their methodology, referred
to as ATHRNN (attention-based transformer hierarchical recurrent
Rule-ATT&CK Mapper (RAM): Mapping SIEM Rules to TTPs Using LLMs
neural network), employs a two-step classification process: first,
classifying the unstructured text into MITRE ATT&CK tactics and
then further classifying it into MITRE ATT&CK techniques. In other
work, Alves et al. [4] explored the application of BERT models
for the classification of unstructured text into MITRE ATT&CK
techniques. The study uses eleven different BERT models to map
unstructured texts to the MITRE ATT&CK framework, aiming to
enhance automation in cyber threat intelligence.
Similarly, Alam et al. [3] proposed LADDER, a framework de-
signed to enhance cybersecurity by automatically extracting attack
patterns from CTI sources. LADDER uses different BERT-based
models for extracting attack patterns from unstructured texts and
then mapping these patterns to MITRE ATT&CK framework. Rani
et al. [22] proposed TTPXHunter, a method designed for the au-
tomated mapping of attack patterns extracted from cyber threat
reports to MITRE ATT&CK framework. This method is an exten-
sion of TTPHunter [21], improving its ability to cover a broader
range of techniques from MITRE ATT&CK framework and preci-
sion with the help of a cyber domain-specific language model called
SecureBERT. Sentences are transformed into embeddings using Se-
cureBERT and then sent to a linear classifier for TTP prediction.
Fayyazi et al. [12] evaluated how well LLMs, specifically encoder-
only (e.g., RoBERTa) and decoder-only (e.g., GPT-3.5) models, can
summarize and map cyberattack procedures to the appropriate
ATT&CK tactics. The authors compared various mapping approaches.
Howerver, they focused on mapping cyberattack procedures to
MITRE ATT&CK tactics (which represent higher-level categoriza-
tions in MITRE ATT&CK framework). While this is useful, it is com-
paratively easier than mapping cyberattack procedures to MITRE
ATT&CK techniques and sub-techniques, which are more granular
and detailed, offering deeper insights into the specific actions and
methods employed in an attack.
Fengrui et al. [14] introduced a method combining data augmen-
tation and instruction supervised fine-tuning using LLMs to classify
TTPs effectively in scenarios with limited data. Similarly, Zhang
et al. [30] introduced a novel framework for constructing attack
knowledge graphs (KGs) from CTI reports, by leveraging LLMs.
While these methods demonstrate remarkable progress in han-
dling unstructured data, their applicability to structured data use
cases, such as mapping SIEM rules, is limited. These approaches
are specifically designed for unstructured data, where relationships
between entities and contextual information are often explicitly
defined, simplifying the mapping process to the MITRE ATT&CK
framework. Adapting these methods to structured formats like
SIEM rules would require extensive modifications, reducing their
effectiveness and suitability for such scenarios.
To the best of our knowledge, only two studies have specifi-
cally focused on mapping structured data, such as IDS rules and
SIEM rules, to the relevant MITRE ATT&CK technique (or sub-
techniques) using language models.
Nir et al. [9] investigated the integration of LLMs, specifically
ChatGPT, into cybersecurity workflows to automate the associ-
ation of network intrusion detection system (NIDS) rules with
corresponding MITRE ATT&CK techniques. While their method
represents one of the first applications of LLMs for this purpose,
their findings highlight the necessity of incorporating additional
contextual information to enhance the accuracy and reliability of
LLM predictions. Mărmureanu et al. [20] proposed method to map
structured data in the form of Splunk rules to MITRE ATT&CK
framework. The authors proposed the use of ML classifiers to map
the Splunk rules to tactics specified in MITRE ATT&CK framework.
A significant limitation of these methods is their dependence on su-
pervised learning approaches to train the machine learning models
within their frameworks. These models are unable to dynamically
adapt to evolving threat landscapes or newly introduced MITRE
ATT&CK techniques without undergoing retraining with updated
datasets. This retraining process is not only time-consuming but
also resource-intensive, substantially restricting the methods’ abil-
ity to keep pace with the rapid evolution of cyber threats.
In summary, the limitations of prior studies can be categorized
as follows: (1) reliance on supervised learning tasks, (2) inability
to adapt to structured texts, and (3) dependence on additional con-
textual information to effectively interpret rules. To address these
shortcomings, we propose RAM, a novel LLM-based approach that
eliminates the need for training data, coherently processes struc-
tured text into natural language, and employs LLM agents to re-
trieve supplementary contextual information, enabling reliable and
accurate predictions.
4 Methodology
Each SIEM system uses its own RDL to define threat detection
rules, and each RDL has its own schema. For example, the Splunk
SIEM uses the SPL to define its threat detection rules. The task of
understanding threat detection rules and recommending relevant
MITRE ATT&CK techniques (or sub-techniques) requires complex
reasoning skills. In the case of LLMs, this can be achieved with a
technique called prompt chaining in which each task is divided into
multiple sub-tasks in order to understand the complex reasoning
behind the task. Therefore, we employ a multi-phase architecture
based on prompt chaining that leverages the power of LLMs to
take a SIEM rule defined in any RDL and map it to relevant MITRE
ATT&CK techniques using the power of LLMs. Our approach is
based on the following intuitions:
• LLMs’ implicit knowledge: LLMs possess deep understanding of
diverse RDLs. This enables them to interpret any rule, regardless
of the RDL it is defined in, and convert it into comprehensible
natural language text.
• LLMs’ similarity comparison capability: LLMs are adept at analyz-
ing and comparing textual descriptions. They can intelligently
assess the similarity between two textual inputs to establish a
meaningful connection.
RAM has two main phases: (1) the rule to text translation phase,
and (2) the MITRE ATT&CK techniques recommendation phase.
These two phases in the pipeline include six key steps to determine
relevant TTPs, as illustrated in Figure 1.
Although LLMs excel at translating SIEM rules into natural lan-
guage, they often lack critical domain-specific contextual informa-
tion related to IoCs in the rules. To overcome this limitation, the
rule to text translation phase includes three steps: IoC extraction,
contextual information retrieval, and natural language translation.
The workflow begins with the extraction of IoCs from the rules
(for example, processes, log source, event codes, and file names) that
the rule searches for in the logs (step (1)).In the next sstep a web
 Table 1: Summary of previous work.

Paper name Mapping Input data (& type) Method Comments

Kryukov et al. [18] Techniques SIEM alerts log Rule-based mapping Coverage of all technique classes. No quantitative metric
(2022) (semi-structured) was provided.
Alves et al. [4] Techniques MITRE Procedures Train BERT model as classifier Achieved classification accuracy of 0.82 on test dataset.
(2022) (unstructured) Coverage of only 253 techniques in their evaluation.
You et al. [29] (2022) Techniques CTI reports Use pre-trained Sentence-BERT for Evaluation performed on only six techniques which
(unstructured) embeddings; train bi-LSTM with attention extremely simplifies the classification task. Classification
coupled with CNN for classification accuracy on six techniques is 0.94.
Liu et al. [19] (2022) Techniques CTI reports Train transformer and RNN-based model as Coverage of all technique classes. Achieved an AUC score
(unstructured) classifier of 0.76 during the classification task.
Fayyazi et al. [12] Tactics MITRE Procedures RAG-based approach to improve LLM Only 14 classes available for classification. Achived a high
(2023) (unstructured) performance F1 score of 0.95 when using RAG to fetch external data.
Alam et al. [3] Techniques CTI reports Train BERT model as classifier Achieved TTP classification recall of 0.63.
(2023) (unstructured)
Rani et al. [22] Techniques CTI reports Use SecureBERT for embeddings and train a The dataset consisted of only 193 Technique classes.
(2024) (unstructured) linear classifier Achieved a recall of 0.96 on augmented test dataset.
Fengrui et al. [14] Techniques MITRE Procedures LLM fine-tuning with MITRE data Achieved a recall of 0.89 when the number of samples in
(2024) (unstructured) the fine-tuning dataset is more than 33. When the sample
size is less, the recall achieved is 0.43.
Zhang et al. [30] Techniques CTI reports Use LLM for similarity matching Overall recall achieved for technique identification is 0.59.
(2024) (unstructured)
Nir et al. [9] (2024) Techniques NIDS rules (structured) Use LLM’s implicit knowledge Maximum recall achieved with ChatGPT-4 is 0.68.
Mărmureanu et Tactics SIEM rules (structured) Train BERT model as classifier Only 14 classes available for classification. With weight
al. [20] (2023) based ensemble learning strategy, achieved a recall of 0.72

Our method Techniques SIEM rules (structured) Use prompt engineering techniques and Coverage of all technique level classes. Achieved a recall of
(RAM) implement LLM agents to enhance LLM 0.75 on the test rules.
performance

search agent performs the task of obtaining additional contextual
information about the IoCs discovered ((step 2)). By incorporating
this additional domain-specific information, the pipeline enhances
the language translation, resulting in a more accurate and mean-
ingful interpretation of SIEM rules. The rule itself and the IoCs’
contextual additional information from the previous stage are then
used to translate the rule from RDL to natural language (step (3)).
The MITRE ATT&CK techniques recommendation phase of the
pipeline includes the following three steps. The rule in processed in
data source identification step in which the probable origin of the
data is identified (step (4)). The description of the rule is then used
to determine probable MITRE ATT&CK techniques based on the
implicit knowledge of the LLM (step (5)). Finally, using chain-of-
thought [25] prompting, the most relevant techniques are extracted
from the list of probable techniques (step (6)). Each step of our
method is further described in detail below.
4.1 IoC Extraction
The context associated with a SIEM detection rule is crucial for
its accurate interpretation and effective application. Obtaining this
contextual understanding requires comprehensive analysis of the
embedded IoCs in the SIEM rule. In the first step, RAM system-
atically identifies and extracts all IoCs, identifying the types of
IoCs and their corresponding values that form the foundational
elements of the detection rules. Leveraging the LLM’s inherent
understanding of rule structures and IoCs, we employ a zero-shot
prompting approach for this task. Zero-shot prompting enables the
direct extraction of IoCs from the rules without requiring extensive
pre-training on specific datasets.
The result of this stage is a dictionary structure, where:
• Keys represent types of IoC, such as processes, files, IP addresses,
and log sources.
• Values are lists containing specific IoC details, such as process
names, file names, IP addresses, and log source identifiers.
In the example depicted in Figure 2(a), the pipeline processes
a rule for which relevant MITRE ATT&CK techniques need to
be recommended. The IoC extractor LLM produces a dictionary
structure as output, organizing the IoCs in a structured format to
support subsequent stages in the analysis pipeline.
4.2 Contextual Information Retrieval
In this step, an LLM agent is employed to retrieve relevant infor-
mation pertaining to the IoCs extracted from the rule. A REACT
agent [1] was used in this case to generate both reasoning traces
and task-specific actions in an interleaved manner. REACT agents
interact with external tools to retrieve additional information that
leads to more factual and reliable responses. The LLM agent con-
ducts a systematic search across web resources to gather additional
contextual information for each IoC value present in the rule. This
step addresses LLMS’ lack of up-to-date knowledge or specialized
domain expertise (which is critical to understanding the role and
significance of the IoCs in the rule), without the need for retraining
or fine-tuning. Figure 2(b) presents an example in which the rule
includes the process name soaphound.exe as an IoC. As can be
seen, the web search results indicate that soaphound.exe is being
Rule-ATT&CK Mapper (RAM): Mapping SIEM Rules to TTPs Using LLMs
Figure 2: An illustration of the different steps in RAM.
used for active directory (AD) enumeration, which is important for
the understanding of the attack.
4.3 Natural Language Translation
The translation of detection rules into natural language textual
descriptions fulfills three key objectives:
(1) Ensures that RAM is format-agnostic: It converts rules
defined in various RDL formats into a generic, unstructured
text format, ensuring compatibility with different SIEM systems,
regardless of the specific rule format.
(2) Provides contextual explanation: It includes all relevant con-
textual information to produce a concise and comprehensible
explanation of the rule.
(3) Enhances the comprehension for LLMs: It enables LLMs
to more effectively compare the translated rule with descrip-
tions in the MITRE ATT&CK framework by providing a unified
textual representation.
To achieve these objectives, a zero-shot prompting technique is
employed. The input to the LLM comprises two components:
• Syntactical information: The rule itself, providing the
structural and operational details.
• Contextual information: Details of the IoCs extracted
from the rule, providing semantic insights into the rule’s
intent and function.
The LLM utilizes these inputs to generate a natural language textual
description of the rule. This transformation not only ensures a
more interpretable representation but also facilitates further steps
of analysis and comparison, particularly in aligning the rule with
MITRE ATT&CK techniques and sub-techniques.
4.4 Data Source or Mitigation Identification
Identifying the most relevant data component or mitigation asso-
ciated with the rule description in this step is critical for filtering
out irrelevant MITRE ATT&CK techniques (or sub-techniques) in
subsequent steps of the pipeline. In the MITRE ATT&CK frame-
work, data sources represent various categories of information that
can be gathered from sensors or logs. These data sources include
data components, which are specific attributes or properties within
a data source that are directly relevant to detecting a particular
technique or sub-technique . For example, in the context of the
rule described in Figure 2(a), the term Endpoint.Processes indi-
cates that the activity is happening on an endpoint. Presence of
the terms such as, soaphound.exe, –buildcache, –certdump and
etc. indicate that the rule searches for command line execution
of an executable named soaphound.exe with specific parameters.
Therefore, the appropriate data source in this example is Com-
mand, with the corresponding data component being Command
Execution. Additionally, mitigations are defined as categories of
technologies or strategies that can prevent or reduce the impact
of specific techniques or sub-techniques. The MITRE ATT&CK
framework explicitly establishes relationships between data com-
ponents, mitigations, and techniques (or sub-techniques), enabling
a systematic approach for identifying relevant elements.
To identify the most relevant data component or mitigation
associated with a given rule description, we utilize agentic retrieval
augmented generation (RAG), which incorporates an AI Agent-
based implementation of the RAG framework. Data from the MITRE
ATT&CK framework, specifically related to data components and
mitigations, is stored in a vector database (e.g., ChromaDB). The
process begins with the rule description from the previous stage,
which serves as the input to the AI Agent. The LLM-powered agent
automatically generates a search query tailored to retrieve relevant
information from the RAG database.
For each query, the system retrieves the five most similar docu-
ments from the database, each containing contextual information
about data components or mitigations. These documents are then
utilized by the LLM agent to contextualize the rule description. By
comparing the content of these retrieved documents with the rule
description, the LLM agent determines and outputs the most rele-
vant data component or mitigation along with a chain-of-thought
as to why the data component or mitigation is related to the rule.
4.5 Probable Technique Recommendation
In this step, an LM agent is utilized to propose probable MITRE
ATT&CK techniques (and sub-techniques) that may be relevant to
the description of the provided rule. We used a REACT agent in this
step as well to utilize both implicit and explicit knowledge during
reasoning. For explicit knowledge, the agent searches the MITRE
ATT&CK framework to obtain the list of probable techniques (and
sub-techniques). The natural language description of the rule from
the previous step serves as input to the LLM agent. The output of
this stage consists of a list of JSON objects, each containing the
MITRE technique ID, technique name, and technique description
as seen in Figure 2(c).
Throughout our experiments, we observed that as the number
of recommendations (𝑘) increases, both the framework’s average
recall and precision initially improve, however beyond a certain
threshold of 𝑘, the precision begins to decline. Based on these
observations(please refer Table 5), we selected a 𝑘-value of 11 to
ensure a high recall.
4.6 Relevant Technique Extraction
In this step, RAM refines the set of probable MITRE ATT&CK
techniques identified in the previous stage by eliminating irrelevant
entries. This step in the pipeline serves two primary purposes: (1)
to enhance precision while maintaining recall achieved in previous
step, and (2) to provide a clear rationale for the selection of the
labels, ensuring transparency and interpretability of the mapping
process. This refinement process is grounded in the assumption
that LLMs are effective for text similarity matching tasks.
The process comprises two key steps:
• Rule-technique comparison: The description of each tech-
nique in the set of probable techniques is compared with
the rule description. A chain-of-thought technique is then
applied to elucidate the reasoning behind the association
of each technique with the rule.
• Confidence calculation: The generated chain-of-thought ra-
tionale for each technique (or sub-technique) is compared
with the rule description to compute a relevance (or confi-
dence) score, as done in prior work [16].
Techniques with higher confidence scores are deemed more rel-
evant to the rule. Conversely, techniques with scores falling below
a predefined threshold are excluded. The techniques retained after
this filtering step represent the most relevant techniques corre-
sponding to the given rule’s description.
The chain-of-thought (CoT) rationale generated during the com-
parison of each rule to its probable technique is also provided as an
output in this step. This rationale offers a detailed natural language
explanation, articulating why a particular technique is relevant to
the given rule. Such explanations are highly valuable for security
analysts, as they provide clear and transparent reasoning behind
the mapping, enabling analysts to better understand and validate
the association between the rule and the technique. Other classi-
fication models proposed in previous works within this domain
also suffer from the limitation of being black-box models, which
lack the ability to provide clear reasoning or explanations. Unlike
RAM, these models fail to generate transparent, CoT rationales that
explain why a particular rule is mapped to a specific technique,
making them less interpretable and less useful for security analysts.
5 Evaluation
5.1 Dataset
The Splunk Security Content dataset is a comprehensive repository
of security resources dedicated to improving the detection and
mitigation of threats, maintained by Splunk Inc.’s research team.
This dataset features over 1,600 analytic rules, all written in Splunk’s
Search Processing Language (SPL), to effectively identify malicious
behaviors.
These analytic rules are systematically organized into distinct
domains such as endpoint, network, application, etc., based on their
intended scope of applicability. For instance, the endpoint domain
comprises rules specifically crafted to detect malicious activities
occurring on endpoint devices. Moreover, each rule is annotated
with corresponding MITRE ATT&CK technique identifiers, thereby
offering a ground-truth framework for our experiments. We chose
the endpoint domain as it presents a higher diversity of MITRE
ATT&CK technique labels than other domains in the dataset.
To ensure experimental integrity, we carefully evaluated the
knowledge cut-off dates of the models utilized. Among the hosted
models, GPT-4-Turbo had the most recent cut-off date of December
2023,3 while Granite, the latest local model, was released in October
2024. To prevent any potential data leakage, we exclusively analyzed
rules from the Splunk Security Content dataset that were created
or modified on or after November 2024. During our review of the
Splunk Security Content repository in December 2024, we identified
360 rules within the endpoint domain that met our criteria. None
that none of the hosted or local models employed in our experiments
were capable of inherently performing web searches since they were
used via an API [6].
5.2 Evaluation Setup
We implemented our method RAM in Python 3.9, leveraging mul-
tiple libraries and frameworks for model interaction. We utilized
the transformers library [26] for local models and for hosted mod-
els, we employed the LangChain and LangGraph frameworks. The
hosted models used in our experiments are GPT-4 Turbo, GPT-4o,
and GPT-4o-mini, whereas the local models are Mistral-7B, IBM
Granite-3.0-8B, and Qwen-2.5-7B. Table 2 provides a summary of
all the models used in our experiments.
3 https://learn.microsoft.com/en-us/azure/ai-services/openai/concepts/models?tabs=
global-standard%2Cstandard-chat-completions#gpt-4-and-gpt-4-turbo-models
Rule-ATT&CK Mapper (RAM): Mapping SIEM Rules to TTPs Using LLMs

We configured our experimental setup with an Intel Core i7 pro-

cessor, 32 GB RAM, and NVIDIA RTX 4090 GPU (24GB VRAM).
Given the GPU memory constraints, we specifically selected local
models with up to 8 billion parameters that could be run at full pre-
cision without quantization, ensuring optimal model performance
and reliable comparison baseline. This hardware configuration al-
lowed us to maintain consistent computational precision across all
local model experiments.
With the technical infrastructure in place, we next focused on
developing a standardized approach to model interaction through
careful prompt engineering. Our approach follows a carefully de-
signed template that maximizes model performance while main-
taining consistency across different models. The prompts used in all
steps of RAM follow a four-component structure described below:
• Context: This provides the background or relevant details that
set the stage for the task. It includes information on the topic,
scenario, or purpose, ensuring that the LLM understands the
larger situation.
• Instruction: This part specifies the exact task the LLM is expected
to perform. It provides a clear, concise, and actionable explana-
tion to effectively guide the LLM.
• Guidelines: These are the rules or constraints that the LLM must
follow when completing the task. They ensure that the output is
aligned with the desired tone, format, or style.
• Input: This includes any user-provided data, queries, or material
required for the LLM to complete the task. It serves as the starting
point or raw material for generating the output.
An example of a prompt used in the experiments is illustrated
in Figure 3. In this example, the prompt is structured into four key
components to effectively guide the LLM. The context specifies
that the task belongs to the cybersecurity domain and that the
LLM should approach it as a cybersecurity specialist. Following
Figure 3: Overview of prompt structure used in all steps of
this, the instruction clearly defines the task, requiring the LLM to
the pipeline.
identify and output the relevant attack techniques/sub-techniques
corresponding to the provided rule description. The guidelines set
additional constraints, specifying that the response must be format-
ted in JSON. Lastly, the actual rule description is presented as the approach utilizes SecureBERT to generate embeddings for the
input for the LLM to process and analyze. input data, which are then processed by a linear classifier to
produce the final output.

5.3 Baselines 5.4 Evaluation Metrics

We used three baseline methods to compare RAM with:
(1) A single GPT-4-Turbo LLM with zero-shot prompting. The
input to the LLM was the rule as-is, and the LLM was asked to
analyze the rule and output all the MITRE ATT&CK techniques
or sub-techniques relevant to the rule.
(2) BERT-based classifiers. Building on the research by Mărmure-
anu et al. [20], we trained a BERT model [10] as a baseline for
comparison our experiments. BERT’s ability to capture bidirec-
tional context through its masked language modeling (MLM)
and next sentence prediction (NSP) objectives makes it partic-
ularly effective for classification tasks [24]. Additionally, we
implemented CodeBERT [13] and an adaptation of the BERT
model, as baseline models for comparison in our experiments.
(3) TTPxHunter. By implementing the publicly available code
from the research proposed by Rani et al. [22], we established
an additional baseline for comparison with our method. This
To evaluate our framework, we employed evaluation metrics com-
monly used in classic recommender systems. Specifically, we com-
puted the average recall (AR) and average precision (AP) across the
entire test dataset. In recommender systems, relevance is inherently
user-specific, and both AP and AR metrics effectively capture the
varying importance of individual recommendations. This charac-
teristic makes these metrics particularly well-suited for multi-class
classification problems like MITRE ATT&CK technique prediction,
where a single rule can be associated with multiple valid labels
(techniques or sub-techniques). For instance, the rule illustrated in
Figure 2(a), has multiple techniques and sub-techniques mapped
to it, including: T1087.002, T1069.001, T1482, T1087.001, T1087,
T1069.002, and T1069.
For computing AR, we first calculated the recall for each sample
(rule) in the dataset. The AR was then calculated by averaging
the recall values across all samples in the dataset. Similarly, to
 Table 2: Summary of the models and their configurations.

Model Type Model Name Parameter Size Context Window Max Tokens Knowledge Cut-off
GPT-4-Turbo ∼1.8 Trillion 128,000 4096 December 2023
Hosted GPT-4o ∼2 Trillion 128,000 16,384 October 2023
GPT-4o-mini ∼8 Billion 128,000 16,384 October 2023
IBM Granite ∼8 Billion 128,000 8,192 Not available
Local Mistral ∼7 Billion 32,000 4,096 Not available
Qwen ∼3 Billion 128,000 8,192 Not available

compute the AP, we first calculated the precision for each sample The context window of an LLM refers to the maximum amount of
in the dataset, and then, the AP was determined by averaging the text, measured in tokens, that the model can process at a time. This
precision values across all samples in the dataset. parameter plays a crucial role in determining the model’s ability to
In addition, the task of mapping a SIEM rule to the MITRE handle tasks requiring extensive context. In the case of RAM, the
ATT&CK framework is inherently a multi-class classification prob- performance using the Mistral model was poorer compared to other
lem, where the number of techniques associated with each sample models. This can be attributed to the significantly smaller context
varies. Appendix A provides an analysis of the distribution of sam- window of the Mistral model, which limited its ability to process
ples based on the number of techniques they contain. Therefore, we and utilize the full breadth of information required for effective
also compute the Weighted Average Precision (WAP) and Weighted recommendations. In contrast, GPT-4o-mini, a similar model with
Average Recall (WAR) metrics. These metrics apply weights based a larger context window, performed better as it could handle more
on the relative number of techniques for each sample. comprehensive inputs, leading to improved accuracy and reliability
in mapping SIEM rules to MITRE ATT&CK techniques
5.5 Results
Table 3: RAM’s performance using various hosted and local
Comparison of RAM with baselines. We compared RAM with
models.
the baseline methods described in the previous section, and the
results of this comparison are presented in Table 3. As evident from
the table, RAM outperformed the baseline methods when utilizing Model Type Model Name AR (WAR) AP (WAP)
GPT-4-Turbo and GPT-4o as the underlying models. These findings GPT-4-Turbo 0.75 (0.724) 0.52 (0.51)
underscore the critical role of both implicit and explicit domain- Hosted GPT-4o 0.71 (0.69) 0.49 (0.47)
specific knowledge in enabling LLMs to deliver optimal results for GPT-4o-mini 0.38 (0.36) 0.29 (0.275)
the task of mapping SIEM rules to the MITRE ATT&CK framework. IBM Granite 0.34 (0.31) 0.28 (0.24)
Local Mistral 0.12 (0.09) 0.08 (0.05)
RAM’s performance with different LLMs. RAM’s pipeline Qwen 0.23 (0.19) 0.16 (0.15)
was executed using several LLMs to evaluate its ability to recom- Zero-shot LLM 0.46 (0.43) 0.31 (0.30)
mend MITRE ATT&CK techniques (or sub-techniques) for a given BERT 0.68 (0.65) 0.39 (0.38)
Baselines
SIEM rule. As can be seen in Table 3, GPT-4-Turbo demonstrated CodeBERT 0.65 (0.63) 0.47 (0.45)
superior performance, delivering the most accurate and relevant TTPxHunter [22] 0.59 (0.56) 0.42 (0.41)
recommendations when compared to other hosted and local models.
These results provided insights into how the model configuration,
including model size and architectural differences, influence the Ablation study. In order to analyze the importance of the dif-
quality of recommendations generated by RAM. ferent components and steps in RAM, we performed an ablation
study, mainly focusing on the impact of language translation and
Effect of model’s size and context window length on per- additional contextual information on the recommendations made
formance. As can be seen in Table 3, RAM’s performance is sig- by the LLM. We performed the ablation study by running the ex-
nificantly influenced by the size of the LLMs used in its pipeline periment in three different scenario. In the first scenario, the rule
(see Table 2 for different models used and their sizes and context was provided as-is to the next stage of the pipeline; in this case,
window lengths used). Larger models, such as GPT-4-Turbo and RAM achieved an AR of approximately 0.46 and an AP of around
GPT-4o, demonstrated superior performance compared to their 0.39. In the second scenario, the rule was first translated into a
smaller counterparts like GPT-4o-mini or local models with fewer natural language description, without adding any contextual infor-
parameters. This performance disparity highlights the ability of mation, before being passed to subsequent stages of the pipeline.
larger models to better understand complex relationships and pat- This improved the AR to around 0.54 and the AP to approximately
terns in the input data. The large number of parameters and greater 0.42. Finally, in the third scenario, the rule was translated into a
context window allow them to capture nuanced information that natural language description enriched with contextual information
smaller models might overlook, leading to more accurate and reli- before being processed by the later stages of the pipeline. This
able recommendations. setup yielded the best results, with an AR of around 0.75 and an
Rule-ATT&CK Mapper (RAM): Mapping SIEM Rules to TTPs Using LLMs

AP of approximately 0.51. In these experiments GPT-4-Turbo was

used, given its superior performance in the previous experiments
performed. A summary of the results is presented in Table 4.
These findings highlight the importance of contextual informa-
tion in enhancing RAM’s performance, demonstrating that enrich-
ing natural language translations with domain-specific insights
leads to improved recall and precision.

Table 4: Impact of contextual information that enriches nat-

ural language translation with domain-specific insights on
RAM’s performance.

S.No. Experiment AR (WAR) AP (WAP)

1 Rule as-is 0.46 (0.42) 0.39 (0.36)
Rule description w/o
2 0.54 (0.49) 0.42 (0.40) Figure 4: Average precision vs average recall curve.
contextual information
Rule description with
3 0.75 (0.724) 0.52 (0.51)
contextual information explanation. This explanation, expressed in natural language, pro-
vides the relationship between the rule and the technique. Such
transparency allows security analysts to interpret the rationale be-
Effect of 𝑘 on relevant recommendations. Our preliminary hind the mapping, enabling them to assess whether RAM’s output
experiments demonstrated that limiting 𝑘 substantially influenced can be trusted or requires further scrutiny. For example, refer to
RAM’s performance. Larger 𝑘 values improved recall by capturing SIEM rule mentioned in the Figure 2(a) as input. This rule relates
a broader range of potentially relevant recommendations, but this to the execution of an executable file called soaphound.exe on a
came at the cost of reduced precision. This trade-off highlights the system. One of the labels for this rule is "T1482 - Domain Trust
necessity of carefully selecting 𝑘 to balance precision and recall Discovery". Figure 5 provides the CoT explanation as to why the
according to the specific needs of the application. technique T1482 is relevant to the SIEM rule.
To address this, we replaced the hard limit on 𝑘 with a filtering
mechanism based on the confidence (relevance) score generated
in the final stage of the pipeline. Recommendations with scores
below a predefined threshold were excluded. We used a threshold
of 0.8, which effectively filtered low-confidence recommendations
while retaining the most relevant results. This approach improved
the overall performance of the model by dynamically adjusting
the number of recommendations based on their relevance. RAM’s
results for different 𝑘 values, using the abovementioned filtering
mechanism, are presented in Table 5.

Table 5: RAM’s performance for various values of 𝑘.

S.No. k AR (WAR) AP (WAP) F1-Score

1 1 0.45 (0.44) 0.29 (0.26) 0.35
2 3 0.62 (0.58) 0.34 (0.3) 0.44
3 5 0.66 (0.636) 0.45 (0.43) 0.53
4 7 0.71 (0.68) 0.42 (0.40) 0.527
5 9 0.74 (0.72) 0.40 (0.35) 0.52
6 11 0.75 (0.728) 0.39 (0.38) 0.51
7 13 0.75 (0.72) 0.35 (0.31) 0.48
7 dynamic-k 0.75 (0.724) 0.52 (0.51) 0.62
Figure 5: Chain-of-thought reasoning provided by RAM.
Reasoning. One major advantage of using LLMs over other lan-
guage models like BERT or CodeBERT is their inherent ability to
provide reasoning for the tasks they perform. In RAM’s pipeline, the 6 Discussion
Rule-Technique Comparer step plays a crucial role by comparing the The use of RAM for mapping SIEM rules to the MITRE ATT&CK
rule to the technique in question and generating a chain-of-thought framework offers several distinct advantages. Unlike traditional
approaches, RAM does not require any training data, making it par-
ticularly well-suited for the cybersecurity domain, where publicly
available data is often scarce. Additionally, the incorporation of
LLMs within the pipeline enables the generation of natural language
reasoning, facilitating easier interpretation of results. This trans-
parency enhances the trust of security analysts on the framework,
as they can better understand and validate the mapping process.
While RAM demonstrated promising results, our study has cer-
tain limitations. One of the primary concerns is confidentiality, as
RAM’s pipeline relies on hosted models, which may involve sending
sensitive data to external servers. Additionally, the use of prompt
chaining in the pipeline leads to longer response times compared to
baseline methods. The duration of processing varies based on the
resources available when employing local models, while for hosted
models, it depends on factors such as network bandwidth and the
tokens-per-second (TPS) rate of the model.
The results of our study also revealed several challenges associ-
ated with the research, which are discussed below:
Insufficient Rule-Specific Information: The information em-
bedded within a rule alone was found to be inadequate for fully
understanding its purpose. Additional contextual data such as the
associated common vulnerabilities and exposures (CVE) 4 ID of-
ten proved necessary to interpret the rule accurately. For example,
consider the following rule:
| tstats `security_content_summariesonly` count FROM
datamodel=Endpoint.Registry
where Registry.registry_path="*\InProcServer32\*"
Registry.registry_value_data=*\FORMS\*
by Registry.registry_path Registry.registry_key_name
Registry.registry_value_name
Registry.registry_value_data Registry.dest
Registry.process_guid Registry.user
| `drop_dm_object_name(Registry)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
From the information provided in the rule, it is impossible to infer
that this rule searches for phishing activity through outlook.exe
process unless the CVE ID related to it is known which is "CVE-
2024-21378".
Impact of Textual Similarities on LLM Accuracy: The high de-
gree of similarity in textual descriptions of various MITRE ATT&CK
techniques and sub-techniques led to instances of hallucination by
the language models. This overlap in descriptions posed a signifi-
cant challenge to ensuring accurate predictions.
Dataset Mislabeling: The importance of a technique (or sub-
technique) to a specific rule differed based on the user’s perspective.
This led to inconsistencies in how the dataset was labeled, with
several cases being mislabeled. These errors highlight that deter-
mining relevance is often subjective. As an example, consider the
following rule,
| tstats `security_content_summariesonly`
count min(_time) as firstTime max(_time)
as lastTime from datamodel=Change.All_Changes
4 https://cve.mitre.org/
where All_Changes.result="*locked out*" by
All_Changes.user All_Changes.result
|`drop_dm_object_name("All_Changes")`
|`drop_dm_object_name("Account_Management")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| search count > 5
This rule aims to identify instances where excessive user account
lockouts are being recorded. The label assigned to this rule in the
dataset is "T1078 - Valid Accounts," which is an accurate label.
However, the dataset does not include all the relevant labels for
this rule. In this case, the technique "T1110 - Brute Force" is also a
relevant technique that should have been mapped to the rule but
was not included in the dataset. Despite these imperfections in the
labeling, the Splunk Security Content dataset provided the most
reliable ground truth available for our study.
Technique vs. Sub-Technique Prediction Challenges: In some
cases, the LLM predicted a technique instead of a sub-technique
(or vice versa). Under stricter evaluation criteria that was used
to evaluate our experiments, such discrepancies were categorized
as mismatches, which negatively influenced RAM’s performance
metrics of RAM. These observations underline the need for more
precise distinction mechanisms during prediction tasks.
7 Conclusion and Future Work
We proposed RAM, an LLM-based approach for mapping SIEM
threat detection rules to MITRE ATT&CK techniques. While LLMs
possess implicit knowledge derived from publicly available data,
their direct application in cybersecurity contexts is often limited due
to domain-specific challenges. Our experiments showed that RAM’s
performance significantly improves when additional contextual
information is integrated.
We identified two primary strategies for incorporating such infor-
mation: (i) explicitly supplying contextual data in real time through
LLM agents, and (ii) fine-tuning the LLM with domain-specific infor-
mation. In this study, we adopted the first approach, enriching the
pipeline in real time with publicly available contextual data sourced
from the Internet as fine-tuning an LLM requires labelled dataset.
As part of future work, we plan to enhance RAM by incorporating
organization-specific contextual information, which can further
tailor the model to specific operational environments. Addition-
ally, we aim to explore fine-tuning LLMs with organization specific
contextual data as an alternative approach to further improve the
prediction accuracy of RAM. Future research will also investigate
optimization techniques such as hyperparameter tuning and ensem-
ble methods to further enhance the performance of the proposed
method. With these enhancements RAM will serve as a reliable
and adaptable solution for mapping SIEM rules to MITRE ATT&CK
techniques in dynamic and complex cybersecurity landscapes.
The adoption of RAM will contribute greatly to the automation
of the cybersecurity incident response pipeline. It also provides a
roadmap for integrating advanced LLMs into the defensive strate-
gies of organizations worldwide.
Rule-ATT&CK Mapper (RAM): Mapping SIEM Rules to TTPs Using LLMs

References [25] Jason Wei, Xuezhi Wang, Dale Schuurmans, Maarten Bosma, Fei Xia, Ed Chi,
[1] [n. d.]. ReAct Prompting. https://www.promptingguide.ai/techniques/react Quoc V Le, Denny Zhou, et al. 2022. Chain-of-thought prompting elicits reason-
[2] Bader Al-Sada, Alireza Sadighian, and Gabriele Oligeri. 2024. Mitre att&ck: State ing in large language models. Advances in neural information processing systems
of the art and way forward. Comput. Surveys 57, 1 (2024), 1–37. 35 (2022), 24824–24837.
[3] Md Tanvirul Alam, Dipkamal Bhusal, Youngja Park, and Nidhi Rastogi. 2023. [26] Thomas Wolf. 2020. Transformers: State-of-the-Art Natural Language Processing.
Looking beyond IoCs: Automatically extracting attack patterns from external arXiv preprint arXiv:1910.03771 (2020).
CTI. In Proceedings of the 26th International Symposium on Research in Attacks, [27] Tongshuang Wu, Ellen Jiang, Aaron Donsbach, Jeff Gray, Alejandra Molina,
Intrusions and Defenses. 92–108. Michael Terry, and Carrie J Cai. 2022. Promptchainer: Chaining large language
[4] Paulo MMR Alves, PR Geraldo Filho, and Vinícius P Gonçalves. 2022. Leveraging model prompts through visual programming. In CHI Conference on Human Factors
BERT’s Power to Classify TTP from Unstructured Text. In 2022 Workshop on in Computing Systems Extended Abstracts. 1–10.
Communication Networks and Power Systems (WCNPS). IEEE, 1–7. [28] Shunyu Yao, Jeffrey Zhao, Dian Yu, Nan Du, Izhak Shafran, Karthik Narasimhan,
[5] Checkpoint. [n. d.]. Check Point Research. https://blog.checkpoint.com/research/ and Yuan Cao. 2023. ReAct: Synergizing Reasoning and Acting in Language
check-point-research-reports-highest-increase-of-global-cyber-attacks-seen- Models. arXiv:2210.03629 [cs.CL] https://arxiv.org/abs/2210.03629
in-last-two-years-a-30-increase-in-q2-2024-global-cyber-attacks/ [29] Yizhe You, Jun Jiang, Zhengwei Jiang, Peian Yang, Baoxu Liu, Huamin Feng,
[6] Xiang Chen, Chaoyang Gao, Chunyang Chen, Guangbei Zhang, and Yong Liu. Xuren Wang, and Ning Li. 2022. TIM: threat context-enhanced TTP intelligence
2024. An Empirical Study on Challenges for LLM Application Developers. mining on unstructured threat data. Cybersecurity 5, 1 (2022), 3.
arXiv:2408.05002 [cs.SE] https://arxiv.org/abs/2408.05002 [30] Yongheng Zhang, Tingwen Du, Yunshan Ma, Xiang Wang, Yi Xie, Guozheng Yang,
[7] CISA. [n. d.]. Best Practices for Mapping to MITRE ATT&CK. https://www.cisa. Yuliang Lu, and Ee-Chien Chang. 2024. AttacKG+: Boosting Attack Knowledge
gov/news-events/news/best-practices-mitre-attckr-mapping Graph Construction with Large Language Models. arXiv preprint arXiv:2405.04753
[8] Cybero. [n. d.]. SIEM Optimization Through MITRE ATT&CK. https: (2024).
//www.cyrebro.io/blog/siem-optimization-through-mitre-attck-staying-
ahead-of-threats-with-cyrebro/
[9] Nir Daniel, Florian Klaus Kaiser, Anton Dzega, Aviad Elyashar, and Rami Puzis.
A Labels Distribution
2023. Labeling NIDS Rules with MITRE ATT &CK Techniques Using ChatGPT.
In European Symposium on Research in Computer Security. Springer, 76–91.
[10] Jacob Devlin. 2018. Bert: Pre-training of deep bidirectional transformers for
language understanding. arXiv preprint arXiv:1810.04805 (2018).
[11] Exabeam. [n. d.]. What is SIEM and How Does it Work? https://www.exabeam.
com/explainers/siem-tools/siem-solutions/
[12] Reza Fayyazi, Rozhina Taghdimi, and Shanchieh Jay Yang. 2023. Advancing TTP
Analysis: Harnessing the Power of Encoder-Only and Decoder-Only Language
Models with Retrieval Augmented Generation. arXiv preprint arXiv:2401.00280
(2023).
[13] Zhangyin Feng, Daya Guo, Duyu Tang, Nan Duan, Xiaocheng Feng, Ming Gong,
Linjun Shou, Bing Qin, Ting Liu, Daxin Jiang, et al. 2020. Codebert: A pre-trained
model for programming and natural languages. arXiv preprint arXiv:2002.08155
(2020).
[14] Yu Fengrui and Yanhui Du. 2024. Few-Shot Learning of TTPs Classification
Using Large Language Models. (2024).
[15] MITRE ATT&CK framework. [n. d.]. Data Sources. https://attack.mitre.org/
datasources/
[16] Scott Freitas, Jovan Kalajdjieski, Amir Gharib, and Robert McCann. 2024. AI-
Driven Guided Response for Security Operation Centers with Microsoft Copilot
for Security. arXiv:2407.09017 [cs.LG] https://arxiv.org/abs/2407.09017
[17] Xu Huang, Weiwen Liu, Xiaolong Chen, Xingmei Wang, Hao Wang, Defu Lian,
Yasheng Wang, Ruiming Tang, and Enhong Chen. 2024. Understanding the
planning of LLM agents: A survey. arXiv:2402.02716 [cs.AI] https://arxiv.org/
abs/2402.02716 Figure 6: Distribution of length of labels in test samples.
[18] Roman Kryukov, Vladimir Zima, Elena Fedorchenko, Evgenia Novikova, and
Igor Kotenko. 2022. Mapping the Security Events to the MITRE ATT &CK Attack
Patterns to Forecast Attack Propagation. In International Workshop on Attacks
and Defenses for Internet-of-Things. Springer, 165–176.
[19] Chenjing Liu, Junfeng Wang, and Xiangru Chen. 2022. Threat intelligence
ATT&CK extraction based on the attention transformer hierarchical recurrent
neural network. Applied Soft Computing 122 (2022), 108826.
[20] Marius Mărmureanu and Ciprian Oprişa. 2023. MITRE Tactics Inference from
Splunk Queries. In 2023 IEEE 19th International Conference on Intelligent Computer
Communication and Processing (ICCP). 277–283. doi:10.1109/ICCP60212.2023.
10398612
[21] Nanda Rani, Bikash Saha, Vikas Maurya, and Sandeep Kumar Shukla. 2023.
TTPHunter: Automated Extraction of Actionable Intelligence as TTPs from
Narrative Threat Reports. In Proceedings of the 2023 Australasian Computer Sci-
ence Week (Melbourne, VIC, Australia) (ACSW ’23). Association for Computing
Machinery, New York, NY, USA, 126–134. doi:10.1145/3579375.3579391
[22] Nanda Rani, Bikash Saha, Vikas Maurya, and Sandeep Kumar Shukla. 2024.
TTPXHunter: Actionable Threat Intelligence Extraction as TTPs form Finished
Cyber Threat Reports. arXiv preprint arXiv:2403.03267 (2024).
[23] Pranab Sahoo, Ayush Kumar Singh, Sriparna Saha, Vinija Jain, Samrat Mondal,
and Aman Chadha. 2024. A systematic survey of prompt engineering in large
language models: Techniques and applications. arXiv preprint arXiv:2402.07927
(2024).
[24] Chi Sun, Xipeng Qiu, Yige Xu, and Xuanjing Huang. 2019. How to fine-tune
bert for text classification?. In Chinese computational linguistics: 18th China
national conference, CCL 2019, Kunming, China, October 18–20, 2019, proceedings
18. Springer, 194–206.