Gabriele Esposito
LLMs in the SIEM Loop: A Contract-Based Framework for Threat Detection with an Evaluation on Windows Telemetry and MITRE ATT&CK Mapping.
Supervisor: Andrea Atzeni. Politecnico di Torino, Master's degree (Corso di laurea magistrale) in Ingegneria Informatica (Computer Engineering), 2025
PDF (Tesi_di_laurea) - Thesis, 6 MB
License: Creative Commons Attribution Non-commercial No Derivatives.
Abstract
Security Information and Event Management (SIEM) platforms centralize and correlate heterogeneous telemetry to surface suspicious behavior. Yet a stubborn gap remains between raw events and analyst-ready claims about what actually happened—claims that align with operational abstractions such as MITRE ATT&CK techniques. Large language models (LLMs) are a natural candidate for this semantic bridge: they read unstructured text well and can map descriptions to controlled vocabularies. However, the usual way LLMs are applied—open prompts, long contexts, free-form outputs—sits uneasily with security operations. Hallucinated details, brittle formatting, unclear provenance, and privacy constraints make naïve integration impractical. This thesis asks a practical question: how can a SIEM pipeline employ LLMs to transform telemetry into attack-informed, auditable artifacts under constraints of accuracy, privacy, and governance? Rather than proposing a single “LLM for security,” the thesis advances a modular architecture in which multiple LLM operators—potentially different models with different inductive biases—are composed under narrow contracts and surrounded by validation, retrieval, and feedback.
Each operator performs one disciplined transformation of evidence (e.g., condense noisy events; map a behavior to ATT&CK; justify a claim), and each speaks a constrained interface, so that downstream components can enforce schema, check consistency, and keep provenance
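The abstract's "narrow contract" around each operator is concrete enough to show in code. The block below is an added illustration, not code from the thesis: it assumes a hypothetical output shape for the map-to-ATT&CK operator (a JSON object with `technique_id`, `evidence` and `justification`), uses a hand-picked subset of ATT&CK as the controlled vocabulary, and constructs two condensed Windows events as the operator's input. The LLM itself is deliberately absent; what is shown is the validation that sits downstream of it: closed schema, identifier in the controlled vocabulary (a hallucinated ID is rejected), every cited event present in the input (provenance), and a justification that only refers to events it actually cites (consistency).

```python
import re

# Constructed subset of the controlled vocabulary. A real deployment would load
# the full ATT&CK bundle; three techniques are enough to show the check.
ATTACK_TECHNIQUES = {
    "T1059.001": "Command and Scripting Interpreter: PowerShell",
    "T1053.005": "Scheduled Task/Job: Scheduled Task",
    "T1003.001": "OS Credential Dumping: LSASS Memory",
}

TECHNIQUE_ID_RE = re.compile(r"^T\d{4}(?:\.\d{3})?$")   # Txxxx or Txxxx.yyy
EVENT_REF_RE = re.compile(r"\bevt-\d+\b")               # how events are referred to in prose

# Constructed Windows telemetry, as an upstream "condense" operator might emit it
# (4688 = process creation, 4698 = scheduled task created).
INPUT_EVENTS = [
    {"id": "evt-1", "event_id": 4688, "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA..."},
    {"id": "evt-2", "event_id": 4698, "task": "\\Updater",
     "action": "powershell.exe -w hidden -File C:\\Users\\Public\\u.ps1"},
]


class ContractViolation(Exception):
    """Raised when an operator output breaks its contract; field + reason are kept for feedback."""
    def __init__(self, field, reason):
        super().__init__(f"{field}: {reason}")
        self.field, self.reason = field, reason


def enforce_mapping_contract(output, input_events, vocabulary=ATTACK_TECHNIQUES):
    """Validate one hypothetical map-to-ATT&CK output; return an auditable artifact or raise."""
    required = {"technique_id": str, "evidence": list, "justification": str}
    if not isinstance(output, dict):
        raise ContractViolation("output", "not a JSON object")
    for name, typ in required.items():                    # schema: required fields and types
        if name not in output:
            raise ContractViolation(name, "missing")
        if not isinstance(output[name], typ):
            raise ContractViolation(name, f"expected {typ.__name__}")
    extra = sorted(set(output) - set(required))           # closed schema: no free-form extras
    if extra:
        raise ContractViolation(",".join(extra), "field outside the contract")

    tid = output["technique_id"]
    if not TECHNIQUE_ID_RE.fullmatch(tid):
        raise ContractViolation("technique_id", "malformed identifier")
    if tid not in vocabulary:                             # well-formed but hallucinated
        raise ContractViolation("technique_id", "not in controlled vocabulary")

    known = {e["id"] for e in input_events}
    cited = output["evidence"]
    if not cited:
        raise ContractViolation("evidence", "no supporting events cited")
    unknown = [e for e in cited if e not in known]        # provenance: evidence must exist
    if unknown:
        raise ContractViolation("evidence", f"cites events absent from input: {unknown}")
    dangling = sorted(set(EVENT_REF_RE.findall(output["justification"])) - set(cited))
    if dangling:                                          # consistency: prose vs. cited evidence
        raise ContractViolation("justification", f"mentions uncited events: {dangling}")

    return {
        "technique_id": tid,
        "technique_name": vocabulary[tid],
        "evidence": [e for e in input_events if e["id"] in cited],
        "justification": output["justification"],
        "provenance": {"operator": "map_to_attack", "input_event_ids": sorted(known)},
    }


def validate_batch(outputs, input_events):
    """Split operator outputs into accepted artifacts and (field, reason) rejections."""
    accepted, rejected = [], []
    for out in outputs:
        try:
            accepted.append(enforce_mapping_contract(out, input_events))
        except ContractViolation as exc:
            rejected.append((exc.field, exc.reason))
    return accepted, rejected


# Constructed operator outputs: one valid, then one failure per check.
SAMPLE_OUTPUTS = [
    {"technique_id": "T1059.001", "evidence": ["evt-1"],
     "justification": "evt-1 launched powershell.exe with an encoded command."},
    {"technique_id": "T9999", "evidence": ["evt-1"],
     "justification": "evt-1 shows an interpreter."},                         # hallucinated ID
    {"technique_id": "T1053.005", "evidence": ["evt-7"],
     "justification": "A task was registered."},                              # evidence not in input
    {"technique_id": "T1053.005", "evidence": ["evt-2"],
     "justification": "evt-2 registered a task; evt-3 shows it running."},    # uncited event in prose
    {"technique_id": "T1053.005", "evidence": ["evt-2"],
     "justification": "Task registered.", "confidence": "high"},              # field outside contract
]

if __name__ == "__main__":
    acc, rej = validate_batch(SAMPLE_OUTPUTS, INPUT_EVENTS)
    for a in acc:
        print("ACCEPT", a["technique_id"], a["technique_name"], [e["id"] for e in a["evidence"]])
    for field, reason in rej:
        print("REJECT", field, "-", reason)
```

The rejections carry the field and reason rather than a bare failure, which is what a feedback loop needs if it is to re-prompt the operator or route the output to an analyst. Extending the vocabulary check to sub-technique/parent consistency (a `T1059.001` claim implies `T1059`) or adding a retrieval step that scores the justification against the technique description would be the natural next checks.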