Abstract

The operational effectiveness of Security Operation Centres (SOCs) is increasingly hindered as analysts are overwhelmed with low-signal alerts from heterogeneous detection systems, leading to cognitive fatigue and impairing the ability to detect complex, multi-stage intrusions like Advanced Persistent Threats (APTs). To overcome the limitations of heuristic-based aggregation and the brittleness of supervised models in data-scarce environments, we present a fully unsupervised framework for the automated generation of high-level, MITRE ATT&CK-enriched meta-alerts. Our pipeline systematically integrates Graph Neural Networks (GNNs) to reconstruct coherent event sequences from noisy telemetry, Large Language Models (LLMs) for contextual summarization, and an advanced semantic clustering module based on transformer embeddings to group alerts with high contextual fidelity. The core of our contribution is a novel hybrid mapping engine that synergistically fuses a symbolic cybersecurity ontology with a BERT-based semantic classifier, demonstrably overcoming the individual weaknesses of each approach. We present a rigorous empirical evaluation using large-scale datasets from the NATO CCDCOE Crossed Swords exercise (XS), intentionally retaining their inherent noise and heterogeneity to validate the real-world applicability of our framework. Our results demonstrate that the framework achieves a significant reduction in alert triage volume while ensuring that no critical threats are dropped. Notably, our hybrid mapping engine achieves an F1-score of 87%, outperforming non-hybrid baselines. This work provides a validated blueprint for moving from reactive alert triage to proactive, context-aware threat investigation in modern SOCs.
Francesco Ferazza
Cosimo Melella
Konstantinos Mersinas
International Journal of Information Security
Royal Holloway University of London
Tallinn University of Technology
Hôpital Militaire Moulay Ismail
www.synapsesocial.com/papers/69df2b2ce4eeef8a2a6b0276 — DOI: https://doi.org/10.1007/s10207-026-01254-w