Text-to-query language (Text-to-QL) techniques allow analysts to express complex threat-hunting and investigation intents in natural language, lowering the barrier to large-scale security telemetry and facilitating practical security analytics. Yet, despite this potential, public resources for this domain remain scarce due to the technical complexities involved in handling wide-column, semi-structured, and high-volume security datasets. To fill this gap, we construct SecKQL-APT29, a Kusto Query Language (KQL) benchmark derived from real APT29 attack traces. It offers an executable, structured schema and expert-annotated Text-to-KQL pairs. We also propose SecKQL-Agent, a Text-to-KQL framework tailored for security analytics that addresses limitations of directly applying Text-to-SQL methods: (i) redundant and oversized schemas, (ii) limited domain adaptation to security query languages, and (iii) semantic mismatch between generated queries and user intent. SecKQL-Agent comprises three components: a Hybrid-attention Schema Refiner for relevant and compact schema selection; an Adaptive Few-shot Generator for robust query generation; and a Chain-of-Thought (CoT)-driven Semantic Consistency Reflector for result-aware semantic validation. Experiments on two benchmarks against three representative baselines show that SecKQL-Agent achieves an optimal balance between execution accuracy and computational efficiency, demonstrating its effectiveness and generalizability.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

SecKQL-Agent: A Real-World APT29 Events Benchmark and Framework for Reliable Text-to-KQL in Security Analytics

  • Huan Zhang,
  • Haiyan Wang,
  • Shaofang Long,
  • Hao Tan,
  • Ziyu Wang,
  • Yan Jia,
  • Zhaoquan Gu

摘要

Text-to-query language (Text-to-QL) techniques allow analysts to express complex threat-hunting and investigation intents in natural language, lowering the barrier to large-scale security telemetry and facilitating practical security analytics. Yet, despite this potential, public resources for this domain remain scarce due to the technical complexities involved in handling wide-column, semi-structured, and high-volume security datasets. To fill this gap, we construct SecKQL-APT29, a Kusto Query Language (KQL) benchmark derived from real APT29 attack traces. It offers an executable, structured schema and expert-annotated Text-to-KQL pairs. We also propose SecKQL-Agent, a Text-to-KQL framework tailored for security analytics that addresses limitations of directly applying Text-to-SQL methods: (i) redundant and oversized schemas, (ii) limited domain adaptation to security query languages, and (iii) semantic mismatch between generated queries and user intent. SecKQL-Agent comprises three components: a Hybrid-attention Schema Refiner for relevant and compact schema selection; an Adaptive Few-shot Generator for robust query generation; and a Chain-of-Thought (CoT)-driven Semantic Consistency Reflector for result-aware semantic validation. Experiments on two benchmarks against three representative baselines show that SecKQL-Agent achieves an optimal balance between execution accuracy and computational efficiency, demonstrating its effectiveness and generalizability.