Existing cybersecurity playbooks are often written in heterogeneous, non-machine-readable formats, which limits their automation and interoperability across Security Orchestration, Automation, and Response platforms. This paper explores the aptitude of Large Language Models with Prompt Engineering to automatically translate legacy incident response playbooks into the standardized, machine-readable CACAO format. We systematically examine various Prompt Engineering techniques and design prompts aimed at maximizing syntactic accuracy and semantic fidelity for control flow preservation. Our transformation pipeline integrates a syntax checker to ensure syntactic correctness, and it features an iterative refinement mechanism that progressively reduces syntactic errors. We evaluate our approach on a custom-generated dataset comprising diverse legacy playbooks paired with manually created CACAO references. The results demonstrate that our method significantly improves the accuracy of playbook transformation over baseline models, effectively captures complex workflow structures, and substantially reduces errors. It highlights the potential for practical deployment in automated cybersecurity playbook transformation tasks.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

From Legacy to Standard: LLM-Assisted Transformation of Cybersecurity Playbooks into CACAO Format

  • Mehdi Akbari Gurabi,
  • Lasse Nitz,
  • Radu-Mihai Castravet,
  • Roman Matzutt,
  • Avikarsha Mandal,
  • Stefan Decker

摘要

Existing cybersecurity playbooks are often written in heterogeneous, non-machine-readable formats, which limits their automation and interoperability across Security Orchestration, Automation, and Response platforms. This paper explores the aptitude of Large Language Models with Prompt Engineering to automatically translate legacy incident response playbooks into the standardized, machine-readable CACAO format. We systematically examine various Prompt Engineering techniques and design prompts aimed at maximizing syntactic accuracy and semantic fidelity for control flow preservation. Our transformation pipeline integrates a syntax checker to ensure syntactic correctness, and it features an iterative refinement mechanism that progressively reduces syntactic errors. We evaluate our approach on a custom-generated dataset comprising diverse legacy playbooks paired with manually created CACAO references. The results demonstrate that our method significantly improves the accuracy of playbook transformation over baseline models, effectively captures complex workflow structures, and substantially reduces errors. It highlights the potential for practical deployment in automated cybersecurity playbook transformation tasks.