Agentic CTI: How I Vibe Coded a Gemini LLM CTI Tool
- Tech Man
- 7 hours ago
- 3 min read

Introduction
In cyber defense, context is what matters most, but speed decides the outcome. When a new threat report is released, the interval between reading it and having a detection for it is where adversaries gain an advantage. I’ve developed a Python tool that leverages Gemini 2.5 Flash to close that gap. Given a specific set of agentic instructions (Fig 2), the bot converts a browser-saved .html report into a structured tactical summary and working SIEM queries, written out in markdown format (.md).


The Brain: Gemini 2.5 Flash + Grounding
The secret to this bot isn't just the code; it’s the instruction set. Most AI summaries are too generic for SOC work. To fix this, I implemented a "Mandatory Grounding" instruction (Fig 3).
The Grounding Rule: The bot is strictly forbidden from "guessing" TTPs. It must use the Grounding with Google Search (Fig 4) tool to cross-reference attack.mitre.org in real-time. This ensures that every Technique ID (like T1059.001) is current and accurate.


The 4-Stage Analysis Workflow
The bot follows a rigid four-stage pipeline designed to mimic a senior CTI analyst:
1. Strategic Summary: it identifies the "Who" and "Why", including the threat actor, their aliases, country attribution and motivation, the industries and countries or regions targeted, and any malware, tools used and exploited vulnerabilities.
2. IOC Extraction: it identifies and extracts indicators of compromise (IOCs) categorized by type, including IP addresses, file hashes, domains and more.
3. MITRE TTP Mapping: using the grounding tool, it maps observed behaviors to MITRE ATT&CK techniques. For instance, if a report states "compromised server used to exfiltrate files", the bot might identify T1041 (Exfiltration Over C2 Channel).
4. Operational Hunting: finally, it attempts to translate the identified TTPs into SIEM queries (SPL, KQL, AQL and UDM).

Fig 7. Gen AI proposed SIEM queries
The Python code
The Python code can be found in this GitHub repository.
The Vision: Enhancing CTI and Detection Engineering
I envision this tool not as a replacement for an analyst, but as a force multiplier: a tailored tool designed to speed up the two labor-intensive stages of the intelligence lifecycle:
- Contextual Synthesis: transforming a threat intelligence report into a structured tactical summary.
- Logic Translation: converting high-level adversary behavior into the specific syntax of a SIEM query.
By automating these processes, the tool allows detection engineers to concentrate their efforts where it truly matters: refining the logic and verifying the data.
A Note on Accuracy: The Human-in-the-Loop Requirement
While Gemini 2.5 Flash is exceptionally powerful—particularly with the essential MITRE grounding integrated—it is not without flaws. In the critical realm of threat hunting, accuracy is binary: it’s either correct or it poses a risk.
It is crucial to keep in mind:
- Verification is Essential: All content produced by LLMs, especially SIEM queries and TTP mappings, must be reviewed by a human analyst before being deployed in a production setting.
- The Risk of Hallucination: Even though grounding significantly reduces errors, LLMs may still generate "confident" inaccuracies or overlook subtle nuances in complex attack sequences.
- The Necessity of Fine-Tuning: Standard models are generalists. To achieve complete operational reliability, further fine-tuning based on your organization's specific log formats, naming standards, and historical threat data is required.
The Guiding Principle: Utilize the bot to quickly establish an 80% baseline, then apply your human expertise to reach the final 20% of precision and validation.
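As an added example (not the code from the author's repository), here is a minimal Python skeleton of the four-stage workflow described above, together with the human-in-the-loop gate this section calls for: it strips a browser-saved .html report to text, encodes the instruction set with the mandatory grounding rule, calls Gemini 2.5 Flash with Google Search grounding, and then flags every cited technique ID that is absent from an analyst-maintained local list of ATT&CK IDs so it cannot slip through unverified. The Gemini call assumes the google-genai SDK and a GEMINI_API_KEY in the environment; everything else runs offline.

```python
import re
from html.parser import HTMLParser

class _TextExtractor(HTMLParser):
    """Collect visible text from a browser-saved report, ignoring script/style blocks."""
    def __init__(self):
        super().__init__()
        self.parts, self._skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
    def handle_data(self, data):
        if not self._skip and data.strip():
            self.parts.append(data.strip())

def html_to_text(html: str) -> str:
    """Stage 0: reduce the saved .html report to plain text for the prompt."""
    parser = _TextExtractor()
    parser.feed(html)
    return "\n".join(parser.parts)

SYSTEM_INSTRUCTION = (
    "You are a senior CTI analyst. Return markdown with four sections: "
    "1. Strategic Summary (actor, aliases, attribution, motivation, targets, malware, CVEs); "
    "2. IOC Extraction grouped by type (IPs, hashes, domains); 3. MITRE TTP Mapping; "
    "4. Operational Hunting (SPL, KQL, AQL and UDM queries). Mandatory Grounding: never "
    "guess technique IDs; verify every ID on attack.mitre.org via Google Search first."
)

def analyse_report(html_path: str, model: str = "gemini-2.5-flash") -> str:
    """Send the report text to Gemini with Google Search grounding (needs GEMINI_API_KEY)."""
    from google import genai  # assumed: google-genai SDK, imported lazily so the rest runs offline
    from google.genai import types
    with open(html_path, encoding="utf-8") as fh:
        report_text = html_to_text(fh.read())
    response = genai.Client().models.generate_content(
        model=model, contents=report_text,
        config=types.GenerateContentConfig(
            system_instruction=SYSTEM_INSTRUCTION,
            tools=[types.Tool(google_search=types.GoogleSearch())]))
    return response.text

TECHNIQUE_RE = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")

def unverified_techniques(markdown: str, known_ids: set) -> list:
    """Human-in-the-loop gate: cited ATT&CK IDs absent from the analyst's local ID list."""
    cited = sorted(set(TECHNIQUE_RE.findall(markdown)))
    return [tid for tid in cited if tid not in known_ids]
```

Run the returned list through the analyst's review before any query from the markdown is deployed; an empty list only means the IDs exist, not that the mappings are right.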