
LLM Overview

Seerflow’s LLM features are opt-in and off by default. They are designed to augment the deterministic ML + Sigma pipeline, never to replace it: the LLM never sees a raw event stream and never makes a detection decision on its own.

The deterministic pipeline (Drain3, Half-Space Trees, Holt-Winters, CUSUM, Markov, biDSPOT, pySigma, correlation engine) is fast, cheap, and explainable. LLMs add value only at three narrow points:

| Feature | Trigger | Output |
| --- | --- | --- |
| Alert explanation | Analyst clicks “Explain” on an alert | Plain-English root cause + recommended next steps |
| Natural-language hunt | Analyst types a hunt query in English | Structured EventQuery executed against storage |
| Rule suggestion | A pattern accumulates N true-positive feedback events | A Sigma YAML draft, validated by pySigma |

All three services are cached (per alert / query / pattern) so repeat calls do not re-spend tokens.
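The two invariants above (the LLM sees only a prepared context, never the raw stream, and every result is cached per alert so a second “Explain” click costs no tokens) are easy to get wrong when wiring up a backend. The following is an added illustration, not Seerflow’s own code: the alert schema, the `PII_FIELDS` list, `build_context`, `FakeBackend` and `AlertExplanationService` are all hypothetical names constructed for this example.

```python
# Added example (not Seerflow's code): explain-an-alert flow with a redacted
# context and a per-alert cache. Alert schema and PII field list are assumed.

# Constructed sample alert. The raw events carry fields we treat as PII.
SAMPLE_ALERT = {
    "id": "alert-0001",
    "summary": "Burst of failed logons followed by a successful one",
    "events": [
        {"ts": "2024-05-01T10:00:01Z", "action": "logon_failed", "user": "j.doe", "src_ip": "10.0.0.7"},
        {"ts": "2024-05-01T10:00:02Z", "action": "logon_failed", "user": "j.doe", "src_ip": "10.0.0.7"},
        {"ts": "2024-05-01T10:00:05Z", "action": "logon_ok", "user": "j.doe", "src_ip": "10.0.0.7"},
    ],
}

# Assumed PII field names; in Seerflow the redaction rules live in seerflow.llm.*.context.
PII_FIELDS = {"user", "src_ip"}


def build_context(alert, top_n=2):
    """Return the only thing the model may see: the summary, the top-N events with
    PII fields dropped, and per-entity *counts* (how many distinct users / IPs),
    never the entity values themselves."""
    top_events = [{k: v for k, v in e.items() if k not in PII_FIELDS}
                  for e in alert["events"][:top_n]]
    entity_counts = {f: len({e[f] for e in alert["events"] if f in e}) for f in PII_FIELDS}
    return {"summary": alert["summary"], "top_events": top_events, "entity_counts": entity_counts}


class FakeBackend:
    """Stand-in for an LLM backend; records the prompt and counts calls so the
    cache behaviour is observable."""

    def __init__(self):
        self.calls = 0
        self.last_prompt = ""

    def complete(self, prompt):
        self.calls += 1
        self.last_prompt = prompt
        return "Likely password guessing; rotate the credential and review the source host."


class AlertExplanationService:
    """Explain an alert once per alert id; repeat calls are served from the cache."""

    def __init__(self, backend):
        self.backend = backend
        self._cache = {}

    def explain(self, alert):
        key = alert["id"]
        if key not in self._cache:
            ctx = build_context(alert)
            self._cache[key] = self.backend.complete(f"Explain this alert: {ctx}")
        return self._cache[key]


if __name__ == "__main__":
    svc = AlertExplanationService(FakeBackend())
    print(svc.explain(SAMPLE_ALERT))
    print(svc.explain(SAMPLE_ALERT))  # second call: no backend call
```

The point to check when auditing a real backend is the prompt that actually leaves the process: it should contain the summary and the stripped events, and entity counts rather than usernames or addresses.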

| Backend | When to use | Install |
| --- | --- | --- |
| llama_cpp | Air-gapped or CPU-only deployments. Loads a local GGUF model. | `uv sync --extra llm-local` |
| ollama | Local LLM via the Ollama HTTP API. Default model: phi4-mini. | Install Ollama, pull a model |
| cloud | Anthropic Claude or OpenAI. Pay-per-token. | `uv sync --extra llm-cloud` |
| `""` (default) | LLM features disabled. The dashboard hides the buttons. | |

Switch via llm.backend in seerflow.yaml:

```yaml
llm:
  backend: ollama
  ollama_url: http://localhost:11434
  ollama_model: phi4-mini
  ollama_timeout_s: 30.0
```

Cloud example:

```yaml
llm:
  backend: cloud
  cloud_provider: anthropic   # anthropic | openai
  cloud_api_key: ${ANTHROPIC_API_KEY}
  cloud_model: claude-sonnet-4-6
  cloud_timeout_s: 30.0
```

Local llama.cpp example:

```yaml
llm:
  backend: llama_cpp
  model_path: ~/.cache/seerflow/phi-4-mini-Q4_K_M.gguf
  n_ctx: 4096
  n_threads: 8
  n_gpu_layers: 0
  max_tokens_default: 256
  temperature_default: 0.2
  seed: 42
```

See the LLM configuration reference for every knob.

  • Local backends (llama_cpp, ollama) keep all prompts on-host. Use these for sensitive logs.
  • Cloud backends send a redacted context (alert summary, top events, top entities — no raw PII fields) to the provider. The redaction lives in seerflow.llm.*.context. Audit it before enabling cloud LLM on regulated workloads.
  • API keys (cloud_api_key, Ollama tokens) carry repr=False so they never appear in logs or GET /api/v1/config (which redacts secrets).
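How the last bullet works in practice is worth seeing end to end: the `${ANTHROPIC_API_KEY}` reference from the cloud example is resolved from the environment at load time, the key is stored in a field with `repr=False`, and the config view returned to callers replaces it with a marker. The code below is an added example, not Seerflow’s loader: `LLMConfig`, `load_llm_config`, `public_view` and the `RAW_CLOUD` input are hypothetical, and only a subset of the real knobs is modelled.

```python
# Added example (not Seerflow's code): load an llm: block, resolve ${ENV} refs,
# validate the backend name, and keep the API key out of repr() and config dumps.
import os
import re
from dataclasses import asdict, dataclass, field

VALID_BACKENDS = {"", "llama_cpp", "ollama", "cloud"}
_ENV_REF = re.compile(r"^\$\{([A-Z0-9_]+)\}$")   # matches the whole value, e.g. ${ANTHROPIC_API_KEY}
SECRET_FIELDS = {"cloud_api_key"}


@dataclass
class LLMConfig:
    backend: str = ""
    cloud_provider: str = "anthropic"
    cloud_model: str = "claude-sonnet-4-6"
    cloud_timeout_s: float = 30.0
    # repr=False: dataclass repr() (and therefore ordinary logging of the object) omits it.
    cloud_api_key: str = field(default="", repr=False)
    ollama_url: str = "http://localhost:11434"
    ollama_model: str = "phi4-mini"


def resolve_env(value, env):
    """Replace a value of the form ${NAME} with env[NAME]; other values pass through."""
    m = _ENV_REF.match(value) if isinstance(value, str) else None
    if not m:
        return value
    name = m.group(1)
    if name not in env:
        raise KeyError(f"seerflow.yaml references ${{{name}}} but it is not set in the environment")
    return env[name]


def load_llm_config(raw, env=None):
    """Build an LLMConfig from the parsed llm: mapping (a plain dict here)."""
    env = os.environ if env is None else env
    backend = raw.get("backend", "")
    if backend not in VALID_BACKENDS:
        raise ValueError(f"llm.backend must be one of {sorted(VALID_BACKENDS)}, got {backend!r}")
    cfg = LLMConfig(**{k: resolve_env(v, env) for k, v in raw.items()})
    if cfg.backend == "cloud" and not cfg.cloud_api_key:
        raise ValueError("llm.backend is cloud but cloud_api_key is empty")
    return cfg


def public_view(cfg):
    """What a config endpoint should return: every secret field replaced by a marker."""
    view = asdict(cfg)
    for name in SECRET_FIELDS:
        if view.get(name):
            view[name] = "***"
    return view


# Constructed input, equivalent to the cloud example's llm: block.
RAW_CLOUD = {
    "backend": "cloud",
    "cloud_provider": "anthropic",
    "cloud_api_key": "${ANTHROPIC_API_KEY}",
    "cloud_model": "claude-sonnet-4-6",
    "cloud_timeout_s": 30.0,
}

if __name__ == "__main__":
    cfg = load_llm_config(RAW_CLOUD, {"ANTHROPIC_API_KEY": "constructed-test-key"})
    print(repr(cfg))        # no key in the repr
    print(public_view(cfg))  # key shown as ***
```

Note that `asdict()` still returns the secret, which is why `public_view` masks it explicitly: `repr=False` protects accidental logging of the object, not serialisation paths.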
Flow between the dashboard and the three services:

  • New alert → Dashboard → “Explain” button → AlertExplanationService
  • Analyst review → true_positive feedback → pattern bucket → after N TPs → RuleSuggestionService → Sigma YAML draft → pySigma validation → add to bundle, reload
  • Operator question → HuntService

The feedback loop is what makes the pipeline get sharper over time: analyst labels reinforce which patterns deserve a permanent rule, and the rule suggester turns recurring true positives into pre-approved Sigma drafts.
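The threshold-and-validate step of that loop is the part a reviewer most wants to see: nothing is generated until a pattern has collected N true positives, the backend is called once per pattern, and a draft that fails validation is never handed to the operator as approved. The code below is an added example, not Seerflow’s `RuleSuggestionService`: the threshold value, the `FakeRuleBackend`, the structural `validate_sigma_draft` check (a stand-in for pySigma, which is what Seerflow actually uses) and the pattern ids are all constructed for the illustration.

```python
# Added example (not Seerflow's code): true-positive counting per pattern, a
# one-shot call to the rule suggester at the threshold, and a validation gate.
from collections import defaultdict

REQUIRED_TOP = ("title", "logsource", "detection")
N_TRUE_POSITIVES = 3   # assumed threshold; the docs only call it N


def validate_sigma_draft(draft):
    """Minimal structural gate standing in for pySigma: required top-level keys,
    a detection.condition, and at least one selection referenced by it.
    Returns a list of problems (empty means the draft passes this check)."""
    problems = [f"missing '{k}'" for k in REQUIRED_TOP if k not in draft]
    det = draft.get("detection", {})
    if "condition" not in det:
        problems.append("detection.condition missing")
    else:
        selections = [k for k in det if k != "condition"]
        if not selections:
            problems.append("no selection blocks")
        elif not any(s in det["condition"] for s in selections):
            problems.append("condition references no selection")
    return problems


class FakeRuleBackend:
    """Stand-in for the LLM backend; returns a constructed draft per pattern."""

    def __init__(self):
        self.calls = 0

    def suggest_rule(self, pattern_id):
        self.calls += 1
        draft = {
            "title": f"Auto-suggested rule for {pattern_id}",
            "logsource": {"category": "authentication"},
            "detection": {"selection": {"action": "logon_failed"}, "condition": "selection"},
        }
        if pattern_id == "pat-bad":          # simulate a malformed draft
            del draft["detection"]["condition"]
        return draft


class RuleSuggestionService:
    def __init__(self, backend, threshold=N_TRUE_POSITIVES):
        self.backend = backend
        self.threshold = threshold
        self.tp_counts = defaultdict(int)
        self.drafts = {}   # per-pattern cache: later TPs do not re-spend tokens

    def record_feedback(self, pattern_id, label):
        """Called on each analyst label. Returns None until the threshold is hit,
        then a dict saying whether the draft was accepted."""
        if label != "true_positive":
            return None
        self.tp_counts[pattern_id] += 1
        if self.tp_counts[pattern_id] < self.threshold or pattern_id in self.drafts:
            return None
        draft = self.backend.suggest_rule(pattern_id)
        problems = validate_sigma_draft(draft)
        if problems:
            # not cached: a rejected draft may be regenerated on the next TP
            return {"pattern": pattern_id, "accepted": False, "problems": problems}
        self.drafts[pattern_id] = draft
        return {"pattern": pattern_id, "accepted": True, "draft": draft}


if __name__ == "__main__":
    svc = RuleSuggestionService(FakeRuleBackend())
    for _ in range(3):
        result = svc.record_feedback("pat-1", "true_positive")
    print(result)
```

Accepted drafts are what an operator would then review and add to the rule bundle; the cache means a fourth, fifth, or hundredth true positive on the same pattern produces no further backend calls.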