[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"doc-detail-38628-en":3,"doc-seo-38628-105":29,"detail-sidebar-cat-0-en-105":90},{"code":4,"msg":5,"data":6},0,"success",{"doc_id":7,"user_id":8,"nickname":9,"user_avatar":10,"doc_module":4,"category_id":11,"category_name":12,"doc_title":13,"doc_description":14,"doc_content":15,"file_id":16,"file_url":17,"file_type":18,"file_size":19,"view_count":4,"is_deleted":4,"is_public":20,"is_downloadable":20,"audit_status":20,"page_count":21,"language":22,"language_code":23,"site_id":24,"html_lang":23,"table_of_contents":25,"faqs":26,"seo_title":13,"seo_description":14,"update_tm":27,"read_time":28},38628,1374391974585,"Genevieve","https://ap-avatar.wpscdn.com/davatar_276721f389ce27ea32af1340a28f341c",8,"Research & Report","X-SIEM Framework Integrating Rule-Based ML and LLMs for Cyber Threat Intelligence","Security Operations Centers face alert fatigue as conventional SIEM platforms produce high volumes of alerts, many of which are false positives. Machine-learning approaches further introduce an explainability gap, reducing analyst trust and complicating compliance. The paper proposes a three-layer hybrid SIEM framework combining a rule engine, a hybrid ML ensemble (Random Forest and Isolation Forest), and a fine-tuned LLM that generates interpretable explanations and response guidance. Evaluation on CICIDS datasets reports 98.7% precision and an 82% false-positive reduction.","2025 28th International Conference on Computer and Information Technology (ICCIT) ©2025 IEEE DOI: 10.1109/ICCIT68739.2025.11491524| 979-8-3315-7867-1/25/$31.00 |   \n2025 28th International Conference on Computer and Information Technology (ICCIT) 19–21 December 2025, Cox’s Bazar, Bangladesh  \nX-SIEM Framework: Integrating Rule-Based, ML, and LLMs for Cyber Threat Intelligence  \nMd Fahim Al Shihab, Sabbir Ahmed Al Seum, Md. Atikur Rahman,  \nRagib Nadim, Albar Hossain Rafi, Tonny Shekha Kar  \nDepartment of Computer Science and Engineering,  \nAmerican International University–Bangladesh (AIUB), Dhaka, Bangladesh  \nEmails: [22-46945-1@student.aiub.edu](22-46945-1@student.aiub.edu), [22-47196-1@student.aiub.edu](22-47196-1@student.aiub.edu), [22-47944-2@student.aiub.edu](22-47944-2@student.aiub.edu),  \n[23-50683-1@student.aiub.edu](23-50683-1@student.aiub.edu), [21-45093-2@student.aiub.edu](21-45093-2@student.aiub.edu), [tonny.kar@aiub.edu](tonny.kar@aiub.edu)  \nAbstract—Security Operations Centers (SOCs) are increasingly challenged by alert fatigue, with traditional Security Information and Event Management (SIEM) systems generating thousands of daily alerts, a significant portion of which are false positives. Concurrently, the adoption of machine learning (ML) for threat detection has introduced a ”black box” problem, where the lack of explainability hinders analyst trust and compliance with regulations. This paper presents a novel three-layer hybrid SIEM framework designed to bridge the gap between detection accuracy and operational interpretability. The framework synergistically combines a high-speed rule engine, a hybrid ML ensemble (Random Forest and Isolation Forest), and a fine-tuned Large Language Model (LLM) for explanation and response generation. The framework was evaluated on the CICIDS-2017 and CICIDS- 2018 benchmark datasets, achieving a 98.7% precision and an 82% reduction in false positives compared to a baseline rulebased system. Furthermore, the LLM-generated explanations, mapped to the MITRE ATT&CK framework, reduced the meantime to respond (MTTR) by 58% in simulated analyst workflows. Statistical significance testing confirmed our results (p ¡ 0.01), and comprehensive ablation studies validated our architectural choices. Our results demonstrate that this integrated approach not only enhances the accuracy of threat detection but also provides the actionable, transparent intelligence necessary for modern cybersecurity operations.  \nIndex Terms—Cybersecurity, SIEM, Explainable AI (XAI), Large Language Models (LLMs), Threat Intelligence, Machine Learning, Hybrid Detection  \nI. INTRODUCTION  \nModern digital companies face an endless barrage of sophisticated cyberattacks. Security Operations Centers (SOCs) are leading the defence, but they are struggling under the weight of overwhelming data volumes. A typical SOC can handle more than 10,000 daily alerts [1], leading to high analyst exhaustion and a likely miss of real threats in background noise. Traditional SIEM systems, although central to SOC operations, frequently suffer from high false-positive rates (up to 40%) and an inability to detect new zero-day attacks [2] . To resolve this, next-generation SIEMs have incorporated machine learning (ML) models, which have demonstrated significant success in reporting anomalous patterns consistent with attacks [3] . However, this has created new challenges: the interpretability paradox. Complex models like deep neural networks or large ensembles are black boxes, producing alerts without a clear rationale. The lack of transparency in automated systems  \nundermines analyst trust, complicates forensic investigations, and poses compliance risks under regulations like the GDPR, which mandate a right to explanation. [4] . This paper closesthe gap in imperative detection of explainable and actionable intelligence. Unlike previous work that focuses primarily on detection accuracy, this concept incorporates three synergistic detect","cbCaiiXfXMEYgSWg","https://ap.wps.com/l/cbCaiiXfXMEYgSWg","pdf",452318,1,6,"English","en",105,"# Introduction\n# Related Work","[{\"question\":\"What problem does the proposed X-SIEM framework address in SOC operations?\",\"answer\":\"It targets alert fatigue caused by large numbers of low-quality SIEM alerts and the interpretability paradox introduced by ML “black box” models, which reduces analyst trust and increases compliance risk.\"},{\"question\":\"How does the framework combine rule-based, ML, and LLM components?\",\"answer\":\"It uses a fast adaptive rule engine for known threats, a hybrid ML ensemble (Random Forest and Isolation Forest) for known and unknown anomalies, and a fine-tuned LLM to convert complex alerts into human-readable explanations and actionable response plans.\"},{\"question\":\"What evaluation results and validation methods are reported?\",\"answer\":\"Experiments on CICIDS-2017 and CICIDS-2018 achieve 98.7% precision and an 82% reduction in false positives versus a baseline rule-based system. LLM explanations mapped to MITRE ATT\\u0026CK reduce MTTR by 58% in simulated workflows, with significance testing (p \\u003c 0.01) and ablation studies supporting design choices.\"}]",1783068997,15,{"code":4,"msg":30,"data":31},"ok",{"site_id":24,"language":23,"slug":32,"title":13,"keywords":33,"description":14,"schema_data":34,"social_meta":85,"head_meta":87,"extra_data":89,"updated_unix":27},"x-siem-framework-integrating-rule-based-ml-and-llms-for-cyber-threat-intelligence","",{"@graph":35,"@context":84},[36,53,67],{"@type":37,"itemListElement":38},"BreadcrumbList",[39,43,47,50],{"item":40,"name":41,"@type":42,"position":20},"https://docshare.wps.com","Home","ListItem",{"item":44,"name":45,"@type":42,"position":46},"https://docshare.wps.com/document/","Document",2,{"item":48,"name":12,"@type":42,"position":49},"https://docshare.wps.com/document/research-report/",3,{"item":51,"name":13,"@type":42,"position":52},"https://docshare.wps.com/document/x-siem-framework-integrating-rule-based-ml-and-llms-for-cyber-threat-intelligence/38628/",4,{"url":51,"name":13,"@type":54,"author":55,"headline":13,"publisher":57,"fileFormat":60,"inLanguage":23,"description":14,"dateModified":61,"datePublished":61,"encodingFormat":60,"isAccessibleForFree":62,"interactionStatistic":63},"DigitalDocument",{"name":9,"@type":56},"Person",{"url":40,"name":58,"@type":59},"DocShare","Organization","application/pdf","2026-07-03",true,{"@type":64,"interactionType":65,"userInteractionCount":4},"InteractionCounter",{"@type":66},"ViewAction",{"@type":68,"mainEntity":69},"FAQPage",[70,76,80],{"name":71,"@type":72,"acceptedAnswer":73},"What problem does the proposed X-SIEM framework address in SOC operations?","Question",{"text":74,"@type":75},"It targets alert fatigue caused by large numbers of low-quality SIEM alerts and the interpretability paradox introduced by ML “black box” models, which reduces analyst trust and increases compliance risk.","Answer",{"name":77,"@type":72,"acceptedAnswer":78},"How does the framework combine rule-based, ML, and LLM components?",{"text":79,"@type":75},"It uses a fast adaptive rule engine for known threats, a hybrid ML ensemble (Random Forest and Isolation Forest) for known and unknown anomalies, and a fine-tuned LLM to convert complex alerts into human-readable explanations and actionable response plans.",{"name":81,"@type":72,"acceptedAnswer":82},"What evaluation results and validation methods are reported?",{"text":83,"@type":75},"Experiments on CICIDS-2017 and CICIDS-2018 achieve 98.7% precision and an 82% reduction in false positives versus a baseline rule-based system. LLM explanations mapped to MITRE ATT&CK reduce MTTR by 58% in simulated workflows, with significance testing (p \u003C 0.01) and ablation studies supporting design choices.","https://schema.org",{"og:url":51,"og:type":86,"og:title":13,"og:site_name":58,"og:description":14},"article",{"robots":88,"canonical":51},"index,follow",{"doc_id":7,"site_id":24},{"code":4,"msg":5,"data":91},[92,96,100,104,109,113,118,121,126,129,133],{"id":20,"doc_module":4,"doc_module_name":45,"category_name":93,"show_sort_weight":94,"slug":95},"Story & Novel",90,"story-novel",{"id":46,"doc_module":4,"doc_module_name":45,"category_name":97,"show_sort_weight":98,"slug":99},"Literature",80,"literature",{"id":52,"doc_module":4,"doc_module_name":45,"category_name":101,"show_sort_weight":102,"slug":103},"Exam",70,"exam",{"id":105,"doc_module":4,"doc_module_name":45,"category_name":106,"show_sort_weight":107,"slug":108},5,"Comic",60,"comic",{"id":21,"doc_module":4,"doc_module_name":45,"category_name":110,"show_sort_weight":111,"slug":112},"Technology",50,"technology",{"id":114,"doc_module":4,"doc_module_name":45,"category_name":115,"show_sort_weight":116,"slug":117},7,"Healthcare",40,"healthcare",{"id":11,"doc_module":4,"doc_module_name":45,"category_name":12,"show_sort_weight":119,"slug":120},30,"research-report",{"id":122,"doc_module":4,"doc_module_name":45,"category_name":123,"show_sort_weight":124,"slug":125},9,"Religion & Spirituality",20,"religion-spirituality",{"id":124,"doc_module":4,"doc_module_name":45,"category_name":127,"show_sort_weight":124,"slug":128},"World Cup","world-cup",{"id":130,"doc_module":4,"doc_module_name":45,"category_name":131,"show_sort_weight":130,"slug":132},10,"Lifestyle","lifestyle",{"id":134,"doc_module":4,"doc_module_name":45,"category_name":135,"show_sort_weight":105,"slug":136},19,"General","general"]