Towards Small Language Models for Security Query Generation in SOC Workflows

Saleha Muzammil, Rahul Reddy, Vishal Kamalakrishnan, Hadi Ahmadi, Wajih Ul Hassan · Dec 7, 2025 · Citations: 0

Abstract

Analysts in Security Operations Centers routinely query massive telemetry streams using Kusto Query Language (KQL). Writing correct KQL requires specialized expertise, and this dependency creates a bottleneck as security teams scale. This paper investigates whether Small Language Models (SLMs) can enable accurate, cost-effective natural-language-to-KQL translation for enterprise security. We propose a three-knob framework targeting prompting, fine-tuning, and architecture design. First, we adapt existing NL2KQL framework for SLMs with lightweight retrieval and introduce error-aware prompting that addresses common parser failures without increasing token count. Second, we apply LoRA fine-tuning with rationale distillation, augmenting each NLQ-KQL pair with a brief chain-of-thought explanation to transfer reasoning from a teacher model while keeping the SLM compact. Third, we propose a two-stage architecture that uses an SLM for candidate generation and a low-cost LLM judge for schema-aware refinement and selection. We evaluate nine models (five SLMs and four LLMs) across syntax correctness, semantic accuracy, table selection, and filter precision, alongside latency and token cost. On Microsoft's NL2KQL Defender Evaluation dataset, our two-stage approach achieves 0.987 syntax and 0.906 semantic accuracy. We further demonstrate generalizability on Microsoft Sentinel data, reaching 0.964 syntax and 0.831 semantic accuracy. These results come at up to 10x lower token cost than GPT-5, establishing SLMs as a practical, scalable foundation for natural-language querying in security operations.

HFEPX Relevance Assessment

This paper appears adjacent to HFEPX scope (human-feedback/eval), but does not show strong direct protocol evidence in metadata/abstract.

Eval-Fit Score

0/100 • Low

Treat as adjacent context, not a core eval-method reference.

Human Feedback Signal

Not explicit in abstract metadata

Evaluation Signal

Detected

HFEPX Fit

Adjacent candidate

If you are doing eval pipeline work, start here:

Human Eval Hub LLM-as-Judge Hub Pairwise Preference Hub Tool-Use Eval Hub

Human Data Lens

Uses human feedback: No
Feedback types: None
Rater population: Domain Experts
Unit of annotation: Unknown
Expertise required: Multilingual
Extraction source: Runtime deterministic fallback

Evaluation Lens

Evaluation modes: Automatic Metrics
Agentic eval: None
Quality controls: Not reported
Confidence: 0.35
Flags: low_signal, possible_false_positive, runtime_fallback_extraction

Protocol And Measurement Signals

Benchmarks / Datasets

No benchmark or dataset names were extracted from the available abstract.

Reported Metrics

accuracyprecisionlatencycosttoken cost

Research Brief

Deterministic synthesis

We propose a three-knob framework targeting prompting, fine-tuning, and architecture design. HFEPX signals include Automatic Metrics with confidence 0.35. Updated from current HFEPX corpus.

Generated Mar 2, 2026, 9:57 PM · Grounded in abstract + metadata only

Key Takeaways

We propose a three-knob framework targeting prompting, fine-tuning, and architecture design.
Third, we propose a two-stage architecture that uses an SLM for candidate generation and a low-cost LLM judge for schema-aware refinement and selection.

Researcher Actions

Treat this as method context, then pivot to protocol-specific HFEPX hubs.
Identify benchmark choices from full text before operationalizing conclusions.
Validate metric comparability (accuracy, precision, latency).

Caveats

Generated from title, abstract, and extracted metadata only; full-paper implementation details are not parsed.
Low-signal flag detected: protocol relevance may be indirect.

Recommended Queries

human-eval protocol design pairwise preference data quality inter-rater agreement adjudication

Research Summary

Contribution Summary

We propose a three-knob framework targeting prompting, fine-tuning, and architecture design.
Third, we propose a two-stage architecture that uses an SLM for candidate generation and a low-cost LLM judge for schema-aware refinement and selection.
We evaluate nine models (five SLMs and four LLMs) across syntax correctness, semantic accuracy, table selection, and filter precision, alongside latency and token cost.

Why It Matters For Eval

Third, we propose a two-stage architecture that uses an SLM for candidate generation and a low-cost LLM judge for schema-aware refinement and selection.
On Microsoft's NL2KQL Defender Evaluation dataset, our two-stage approach achieves 0.987 syntax and 0.906 semantic accuracy.

Researcher Checklist

Gap: Human feedback protocol is explicit

No explicit human feedback protocol detected.
Pass: Evaluation mode is explicit

Detected: Automatic Metrics
Gap: Quality control reporting appears

No calibration/adjudication/IAA control explicitly detected.
Gap: Benchmark or dataset anchors are present

No benchmark/dataset anchor extracted from abstract.
Pass: Metric reporting is present

Detected: accuracy, precision, latency, cost

Category-Adjacent Papers (Broader Context)

These papers are nearby in arXiv category and useful for broader context, but not necessarily protocol-matched to this paper.

Confusion-Aware Rubric Optimization for LLM-based Automated Grading Category Neighbor

Citations: 0 Relevance: 4.10
- Shared arXiv category (cs.AI)
- Shared metric mentions
- Shared terminology (accuracy, precision)
Spatio-Temporal Token Pruning for Efficient High-Resolution GUI Agents Category Neighbor

Citations: 0 Relevance: 4.10
- Shared arXiv category (cs.AI)
- Shared metric mentions
- Shared terminology (latency, token)
Stepwise Penalization for Length-Efficient Chain-of-Thought Reasoning Category Neighbor

Citations: 0 Relevance: 4.10
- Shared arXiv category (cs.AI)
- Shared metric mentions
- Shared terminology (accuracy, cost)
When Metrics Disagree: Automatic Similarity vs. LLM-as-a-Judge for Clinical Dialogue Evaluation Category Neighbor

Citations: 0 Relevance: 4.10
- Shared arXiv category (cs.AI)
- Shared metric mentions
- Shared terminology (accuracy, precision)
Why Diffusion Language Models Struggle with Truly Parallel (Non-Autoregressive) Decoding? Category Neighbor

Citations: 0 Relevance: 3.75
- Shared arXiv category (cs.AI)
- Shared metric mentions
- Shared terminology (latency, token, generation)
SPARTA: Scalable and Principled Benchmark of Tree-Structured Multi-hop QA over Text and Tables Category Neighbor

Citations: 0 Relevance: 2.95
- Shared arXiv category (cs.AI)
- Shared terminology (small, query, generation)
AgentDropoutV2: Optimizing Information Flow in Multi-Agent Systems via Test-Time Rectify-or-Reject Pruning Category Neighbor

Citations: 0 Relevance: 2.85
- Shared arXiv category (cs.AI)
- Shared metric mentions
- Shared terminology (accuracy)
Assessing Deanonymization Risks with Stylometry-Assisted LLM Agent Category Neighbor

Citations: 0 Relevance: 2.85
- Shared arXiv category (cs.CR)
- Shared metric mentions
- Shared terminology (accuracy)

Need human evaluators for your AI research? Scale annotation with expert AI Trainers.

Post a Job Get a Quote