[2512.06660] Towards Small Language Models for Security Query Generation in SOC Workflows
Summary
This paper explores the use of Small Language Models (SLMs) for translating natural language queries into Kusto Query Language (KQL) in Security Operations Centers, aiming to reduce the expertise bottleneck in security teams.
Why It Matters
As organizations increasingly rely on data-driven security operations, the ability to efficiently translate natural language queries into actionable insights is crucial. This research highlights a scalable solution that can enhance the capabilities of security teams while lowering operational costs.
Key Takeaways
- SLMs can effectively translate natural language to KQL, addressing expertise bottlenecks in security operations.
- The proposed framework includes error-aware prompting and LoRA fine-tuning for improved accuracy.
- Results show significant cost savings, achieving up to 10x lower token costs compared to larger models like GPT-5.
Computer Science > Cryptography and Security
arXiv:2512.06660 (cs)
Submitted on 7 Dec 2025 (v1), last revised 26 Feb 2026 (this version, v2)
Title: Towards Small Language Models for Security Query Generation in SOC Workflows
Authors: Saleha Muzammil, Rahul Reddy, Vishal Kamalakrishnan, Hadi Ahmadi, Wajih Ul Hassan
Abstract: Analysts in Security Operations Centers routinely query massive telemetry streams using Kusto Query Language (KQL). Writing correct KQL requires specialized expertise, and this dependency creates a bottleneck as security teams scale. This paper investigates whether Small Language Models (SLMs) can enable accurate, cost-effective natural-language-to-KQL translation for enterprise security. We propose a three-knob framework targeting prompting, fine-tuning, and architecture design. First, we adapt the existing NL2KQL framework for SLMs with lightweight retrieval and introduce error-aware prompting that addresses common parser failures without increasing token count. Second, we apply LoRA fine-tuning with rationale distillation, augmenting each NLQ-KQL pair with a brief chain-of-thought explanation to transfer reasoning from a teacher model while keeping the SLM compact. Third, we propose a two-stage architecture that uses an SLM for candidate generation and a low-cost LLM judge for sche...
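The abstract describes error-aware prompting that feeds common parser failures back to the SLM, and a two-stage design in which the SLM proposes candidate queries that a cheaper judge screens. The block below is an added example, not code from the paper: a schema-aware checker that turns a candidate KQL query into either a clean result or a list of concrete problems (unknown table, misnamed column, unknown operator, unbalanced brackets) that can be appended to a repair prompt or used to drop the candidate before it reaches the judge. It also refuses Kusto control commands (the ones that start with a dot), because model output should never be executed against a workspace unchecked. The schema, the sample query, the error wording and the prompt template are all constructed here; the paper's actual error categories and prompt are not on this page.

```python
"""Schema-aware sanity checks for model-generated KQL before it is executed or re-prompted.

Added example, not code from the paper: the schema, queries and prompt wording are constructed
here. The checks are the kind of lightweight parser-style feedback a SOC pipeline can produce for
an SLM candidate, and the gate a practitioner would put in front of a telemetry workspace.
"""
import difflib
import re

# Constructed toy schema (assumption); a real deployment loads it from the workspace.
SCHEMA = {
    "SecurityEvent": {"TimeGenerated", "EventID", "Account", "Computer", "IpAddress", "LogonType"},
    "SigninLogs": {"TimeGenerated", "UserPrincipalName", "IPAddress", "ResultType", "AppDisplayName"},
}
# Tabular operators accepted after a pipe, and the subset whose column references are checked.
OPERATORS = {"where", "project", "project-away", "project-rename", "extend", "summarize", "sort",
             "order", "top", "take", "limit", "distinct", "count", "join", "union", "parse",
             "mv-expand", "render"}
COLUMN_CHECKED = {"where", "project", "project-away", "extend", "summarize", "sort", "order",
                  "top", "distinct"}
# Identifier-looking words that are never column names.
KEYWORDS = {"and", "or", "not", "by", "asc", "desc", "in", "has", "contains", "startswith",
            "endswith", "matches", "regex", "between", "true", "false", "null"}

STRING = re.compile(r'"[^"]*"|\'[^\']*\'')            # string literals, blanked before scanning
IDENT = re.compile(r"\b([A-Za-z_]\w*)\b(?!\s*\()")      # identifier that is not a function call
ASSIGN = re.compile(r"\b([A-Za-z_]\w*)\s*=(?![=~])")     # Name = expr  (but not ==, =~)


def _split_pipeline(query):
    """Split on '|' at bracket depth 0 so a parenthesised sub-query stays inside its stage."""
    stages, buf, depth = [], [], 0
    for ch in query:
        if ch in "([":
            depth += 1
        elif ch in ")]":
            depth -= 1
        if ch == "|" and depth == 0:
            stages.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    stages.append("".join(buf).strip())
    return stages


def check_kql(query, schema=SCHEMA):
    """Return human-readable problems with a candidate query; an empty list means it passed.

    Simplifications (assumptions): one tabular expression, no `let` statements, and the columns
    that survive `project`/`summarize` are approximated from the names used in that stage.
    """
    q = STRING.sub('""', query.strip())
    if q.startswith("."):  # Kusto management (control) commands start with '.'; never run those
        return [f"refusing control command {q.split()[0]!r}: only read-only tabular queries are allowed"]
    errors = []
    for pair in ("()", "[]"):
        if q.count(pair[0]) != q.count(pair[1]):
            errors.append(f"unbalanced {pair}")
    stages = _split_pipeline(q)
    table = stages[0].split()[0] if stages[0] else ""
    if table not in schema:
        hint = difflib.get_close_matches(table, list(schema), n=1)
        errors.append(f"unknown table {table!r}" + (f"; did you mean {hint[0]!r}?" if hint
                                                     else f"; known tables: {sorted(schema)}"))
        return errors  # no schema to check column names against
    known = set(schema[table])
    for stage in stages[1:]:
        op = stage.split()[0] if stage else ""
        if op not in OPERATORS:
            errors.append(f"unknown operator {op!r} in stage {stage!r}")
            continue
        body = stage[len(op):]
        assigned = set(ASSIGN.findall(body))
        referenced = {n for n in IDENT.findall(body) if n not in KEYWORDS and n not in assigned}
        if op in COLUMN_CHECKED:
            for name in sorted(referenced - known):
                hint = difflib.get_close_matches(name, sorted(known), n=1)
                errors.append(f"unknown column {name!r} for {table}"
                              + (f"; did you mean {hint[0]!r}?" if hint else ""))
        # Track which columns the next stage may legitimately reference.
        if op in ("project", "summarize"):
            known = assigned | (referenced & known)
            if re.search(r"\bcount\(\)", body):
                known.add("count_")  # Kusto's default name for an unaliased count()
        elif op == "extend":
            known |= assigned
    return errors


def feedback_prompt(nlq, candidate, errors):
    """Repair turn for an error-aware regeneration loop (assumed wording, not the paper's template)."""
    problems = "\n".join(f"- {e}" for e in errors)
    return (f"Request: {nlq}\nYour previous KQL:\n{candidate}\n"
            f"It failed validation:\n{problems}\nReturn only the corrected KQL.")


if __name__ == "__main__":
    nlq = "failed logons per account and source address in the last day"
    # Constructed candidate with a realistic SLM slip: the column on SecurityEvent is IpAddress.
    candidate = ("SecurityEvent | where TimeGenerated > ago(1d) and EventID == 4625 "
                 "| summarize Failures = count() by Account, IPAddress | top 10 by Failures")
    problems = check_kql(candidate)
    print(feedback_prompt(nlq, candidate, problems) if problems else f"OK to run:\n{candidate}")
```

Run as-is, the script prints the repair prompt for a candidate that names `IPAddress` where `SecurityEvent` has `IpAddress`; with that one fix the same query passes. In a pipeline of the shape the abstract sketches, `check_kql` runs over every SLM candidate, the error list either goes back into the prompt or discards the candidate, and only queries with an empty list are handed to the judge or the workspace.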