Abstract
Generating structured artifacts such as database queries, threat framework mappings, and entity schemas with Large Language Models (LLMs) is relatively straightforward; however, ensuring their reliability for production deployments presents challenges. We introduce a lightweight framework based on a core principle: LLMs generate, we validate. This reframing shifts the responsibility from generation quality to validation rigor.
Key Attributes of the Framework
- Test-Driven Generation: When tests fail, the LLM receives indicative error messages that reveal why the output failed, enabling the LLM to understand its mistakes and refine subsequent attempts.
- Deterministic and LLM-Based Tests: Deterministic tests capture heuristics that can be programmatically verified (schema, syntax, cross-reference), while LLM-based tests evaluate nuanced semantic and delicate features that resist programmatic inspection (intent alignment, logical consistency, domain correctness).
- Expert-Distilled Judges: LLM-based tests are calibrated to distill and replicate human expert decision distributions, transforming manual human quality gates into scalable, reusable evaluation proxies that reflect professional-grade validation standards.
Application Demonstration
We demonstrate the framework on three artifact types in the security domain - KQL query generation, MITRE ATT&CK mapping, and entity mapping - deployed in production at Microsoft Sentinel. We believe this framework can be applied beyond security to other artifact generation tasks, providing a path to reliable, high-quality outputs without sacrificing the efficiency gains of LLM generation.
Blogger's Review: This framework's essence lies in enhancing the reliability of generated content through effective validation mechanisms, particularly demonstrated in its security domain applications. By integrating testing with feedback loops, LLMs can not only generate content but also continuously optimize themselves, driving the entire generation process towards higher standards.