Security operations centers (SOCs) rely on large-scale log analytics to investigate alerts and proactively hunt for threats. Translating natural-language (NL) investigative intents into safe and effective Elasticsearch (ES) DSL is error-prone and time-consuming; naive NL-to-DSL generation can yield unsafe, unbounded, or semantically off-target queries. We present , a security-first, constrained pipeline combining schema-aware prompting, JSON-Schema gating, a rule-based validator (field/type discipline, a hard time-window requirement, and cost control), and a security layer that detects adversarial prompts with calibrated abstention. The system is provider-agnostic (local and cloud LLMs) and is evaluated on a 12-scenario bank across a standard logs index, CIC-IDS2017, a schema-drift variant, and differentially private (DP) indices. Under identical guardrails, the enhanced constrained method achieves macro-F1 0.91 (vs. 0.84 for schema-grounded few-shot; 0.72 for rules; 0.58 for zero-shot). First-pass validator success is 78 %, rising to 95 % after two critique-guided retries, with 3 % abstentions. Under schema drift, F1 changes by -0.03, with 88 % one-retry recovery for unknown-field errors. Adversarial testing yields a malicious block-rate of 97.2 % at 3.1 % FPR. Privacy-utility curves degrade monotonically with stronger DP ({2.0, 1.0, 0.5}), e.g., macro-F1 0.90, 0.87, 0.82; numeric-only noise outperforms numeric+timestamp jitter at the same DP setting. We release an IEEE-style summary aligned to the full thesis, emphasizing safety-by-construction, reproducibility, and open evaluation assets.
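The abstract names three rule classes the validator enforces on generated ES DSL before it reaches the cluster: field/type discipline against the index schema, a hard time-window requirement, and cost control. The following is an added illustration of such a validator, not the pipeline's own code; the schema mapping, limits, clause lists and sample queries are constructed assumptions for the example. The violation strings it returns are the kind of structured critique a retry loop can feed back to the generator, and an unknown-field violation is exactly what a schema-drift index would surface.

```python
"""Rule-based validator for LLM-generated Elasticsearch DSL (added example, not the paper's code).

Enforces field/type discipline, a hard bounded time window, and cost control
against a constructed index mapping. All names and limits are assumptions.
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed index mapping: field -> ES field type (assumption, not a real index).
SCHEMA = {
    "@timestamp": "date",
    "source.ip": "ip",
    "destination.port": "long",
    "event.action": "keyword",
    "user.name": "keyword",
    "message": "text",
}
MAX_SIZE, MAX_WINDOW_DAYS, MAX_BUCKETS = 1000, 30, 500   # cost-control limits (assumed)
FORBIDDEN = {"script", "script_score"}                    # code execution inside the cluster
EXACT = {"term", "terms", "prefix", "wildcard", "regexp"} # exact-match clauses: wrong on analyzed text
FIELD_CLAUSES = EXACT | {"match", "match_phrase", "range"}
NUMERIC = {"long", "integer", "short", "byte", "double", "float"}

_REL = re.compile(r"^now(?:-(\d+)([mhdwM]))?(?:/[a-zA-Z])?$")   # now, now-7d, now-1h/h ...
_DAYS = {"m": 1 / 1440, "h": 1 / 24, "d": 1, "w": 7, "M": 30}


def _parse_bound(value, now):
    """Turn a range bound (date-math like 'now-7d', or ISO-8601) into naive UTC; None if unparseable."""
    if not isinstance(value, str):
        return None
    m = _REL.match(value)
    if m:
        if m.group(1) is None:
            return now
        return now - timedelta(days=int(m.group(1)) * _DAYS[m.group(2)])
    try:
        dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    return dt.astimezone(timezone.utc).replace(tzinfo=None) if dt.tzinfo else dt


def _value(body):
    """Leaf clauses accept either a bare value or {'value': ...}."""
    return body.get("value") if isinstance(body, dict) else body


def _leaves(node):
    """Yield (clause, field, body) for every leaf clause in a query tree (bool/nested are recursed)."""
    if isinstance(node, list):
        for item in node:
            yield from _leaves(item)
    elif isinstance(node, dict):
        for key, val in node.items():
            if key in FIELD_CLAUSES and isinstance(val, dict):
                for field, body in val.items():
                    if field not in ("boost", "_name"):
                        yield key, field, body
            elif key == "exists" and isinstance(val, dict):
                yield key, val.get("field"), None
            elif key in FORBIDDEN:
                yield key, None, val
            else:
                yield from _leaves(val)


def _aggs(node, errors):
    """Cost-check terms aggregations (bucket fan-out), recursing into sub-aggregations."""
    for name, agg in node.items():
        t = agg.get("terms")
        if t:
            if t.get("field") not in SCHEMA:
                errors.append(f"unknown_field:{t.get('field')} (agg {name})")
            if t.get("size", 10) > MAX_BUCKETS:
                errors.append(f"cost:too_many_buckets {name} {t['size']}>{MAX_BUCKETS}")
        _aggs(agg.get("aggs", agg.get("aggregations", {})), errors)


def validate(query, now=None):
    """Return the list of rule violations; an empty list means the query may be executed."""
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    errors, has_date_range = [], False
    if not isinstance(query, dict) or not isinstance(query.get("query"), dict):
        return ["missing_query_object"]
    for clause, field, body in _leaves(query["query"]):
        if clause in FORBIDDEN:
            errors.append(f"forbidden_clause:{clause}")
            continue
        ftype = SCHEMA.get(field)
        if ftype is None:                                   # schema drift / hallucinated field
            errors.append(f"unknown_field:{field}")
            continue
        if clause in EXACT and ftype == "text":
            errors.append(f"type_mismatch:{clause} on analyzed field {field}")
        if clause == "range" and ftype not in NUMERIC | {"date", "ip"}:
            errors.append(f"type_mismatch:range on {ftype} field {field}")
        if clause == "term" and ftype in NUMERIC and not isinstance(_value(body), int):
            errors.append(f"type_mismatch:{field} expects {ftype}, got {_value(body)!r}")
        if clause == "term" and ftype == "ip":
            try:
                ipaddress.ip_address(_value(body))
            except ValueError:
                errors.append(f"type_mismatch:{field} expects ip, got {_value(body)!r}")
        if clause == "wildcard" and str(_value(body))[:1] in ("*", "?"):
            errors.append(f"cost:leading_wildcard on {field}")
        if clause == "range" and ftype == "date" and isinstance(body, dict):
            has_date_range = True
            lo = _parse_bound(body.get("gte", body.get("gt")), now)
            hi = _parse_bound(body.get("lte", body.get("lt")), now)
            if lo is None or hi is None:                    # fail closed: both bounds must parse
                errors.append(f"time_window_unbounded:{field}")
            elif hi - lo > timedelta(days=MAX_WINDOW_DAYS):
                errors.append(f"time_window_too_wide:{(hi - lo).days}d>{MAX_WINDOW_DAYS}d")
    if not has_date_range:
        errors.append("missing_time_window")                # hard requirement: every query is time-bounded
    if query.get("size", 10) > MAX_SIZE:
        errors.append(f"cost:size {query['size']}>{MAX_SIZE}")
    _aggs(query.get("aggs", query.get("aggregations", {})), errors)
    return errors


# Constructed sample queries (assumptions) standing in for generator output.
GOOD_QUERY = {
    "size": 100,
    "query": {"bool": {"filter": [
        {"range": {"@timestamp": {"gte": "now-7d", "lte": "now"}}},
        {"term": {"event.action": "logon-failed"}},
        {"term": {"source.ip": "10.0.0.5"}},
    ]}},
    "aggs": {"by_user": {"terms": {"field": "user.name", "size": 50}}},
}
BAD_QUERY = {   # unbounded, over-sized, leading wildcard, drifted field name, scripted clause
    "size": 50000,
    "query": {"bool": {"must": [
        {"term": {"message": "failed"}},
        {"wildcard": {"user.name": {"value": "*admin"}}},
        {"term": {"src_ip": "10.0.0.5"}},
        {"script": {"script": "doc['destination.port'].value > 1024"}},
    ]}},
}
WIDE_QUERY = {"query": {"range": {"@timestamp": {"gte": "2024-01-01T00:00:00Z", "lte": "2024-03-01T00:00:00Z"}}}}

if __name__ == "__main__":
    for name, q in (("good", GOOD_QUERY), ("bad", BAD_QUERY), ("wide", WIDE_QUERY)):
        print(name, validate(q) or "OK")
```

The validator fails closed: a date range whose bounds it cannot parse is rejected rather than trusted, and a query with no date range at all is rejected even if everything else is sound, which is what makes the time-window requirement "hard" in the sense the abstract uses.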
Threat hunting, Elasticsearch, NLIDB, LLM, validation, security, differential privacy, schema drift