Macro-to-Micro SOC Triage Reproducibility Package
Description
This repository provides the reproducibility package accompanying the manuscript “Privacy-Preserving Macro-to-Micro Triage for High-Throughput Firewall Telemetry Using Micro-Behavioral Features.”
The package includes source code, preprocessing scripts, feature extraction utilities, synthetic injection routines, baseline implementations, ablation scripts, UNSW-NB15 feature-mapping utilities, and plotting scripts used to reproduce the reported experimental workflow. The included components support the evaluation of macro-to-micro SOC triage, privacy-preserving entity profiling, micro-behavioral feature construction, anomaly scoring, comparative baselines, and Top-K triage metrics.
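To make the evaluation logic concrete, the following is an added illustration written for this description, not code from the reproducibility package or the manuscript. It assumes a minimal flow-record layout (source host, destination port, bytes out, firewall action), pseudonymizes the host with a keyed hash so raw identifiers never enter an entity profile, aggregates a few assumed micro-behavioral features per entity, scores entities with a median/MAD robust z-score, and reports Precision@K and Recall@K against two injected synthetic anomalies. The field names, feature set, scoring rule and sample records are all constructed for the example.

```python
"""Added example: pseudonymized entity profiling and Top-K triage metrics.

Not part of the reproducibility package. Record layout, features and
scoring are assumptions chosen to illustrate the evaluation workflow.
"""
import hashlib
import hmac
import statistics
from collections import defaultdict

# Constructed sample flow records (src_host, dst_port, bytes_out, action).
# Two hosts are injected as synthetic anomalies: a port sweep with denies
# and a pair of very large outbound transfers.
SAMPLE_FLOWS = [
    ("10.0.0.11", 443, 1200, "allow"),
    ("10.0.0.11", 443, 900, "allow"),
    ("10.0.0.12", 443, 1500, "allow"),
    ("10.0.0.12", 53, 80, "allow"),
    ("10.0.0.13", 443, 1100, "allow"),
    ("10.0.0.13", 80, 700, "allow"),
    ("10.0.0.14", 443, 1300, "allow"),
    *[("10.0.0.99", p, 60, "deny") for p in range(1000, 1030)],
    ("10.0.0.77", 443, 900_000, "allow"),
    ("10.0.0.77", 443, 850_000, "allow"),
]
INJECTED = {"10.0.0.99", "10.0.0.77"}  # ground truth for the injected entities

# Assumed secret; a real deployment would keep this out of the repository.
PSEUDONYM_KEY = b"example-key-not-for-production"


def pseudonymize(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed one-way pseudonym: profiles are linkable across records but the
    raw host identifier cannot be recovered without the key."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def build_profiles(flows):
    """Aggregate assumed micro-behavioral features per pseudonymized entity."""
    acc = defaultdict(lambda: {"flows": 0, "ports": set(), "bytes": 0, "denies": 0})
    for src, port, nbytes, action in flows:
        p = acc[pseudonymize(src)]
        p["flows"] += 1
        p["ports"].add(port)
        p["bytes"] += nbytes
        p["denies"] += 1 if action == "deny" else 0
    return {
        ent: {
            "distinct_ports": len(p["ports"]),
            "bytes_out": p["bytes"],
            "deny_ratio": p["denies"] / p["flows"],
        }
        for ent, p in acc.items()
    }


def score_entities(profiles):
    """Anomaly score = sum over features of |x - median| / MAD (MAD falls
    back to 1.0 when every entity shares the same value)."""
    features = next(iter(profiles.values())).keys()
    scores = {ent: 0.0 for ent in profiles}
    for feat in features:
        column = [profiles[ent][feat] for ent in profiles]
        med = statistics.median(column)
        mad = statistics.median([abs(v - med) for v in column]) or 1.0
        for ent in profiles:
            scores[ent] += abs(profiles[ent][feat] - med) / mad
    return scores


def top_k(scores, k):
    """Entities ranked by descending score, truncated to the triage budget K."""
    return [ent for ent, _ in sorted(scores.items(), key=lambda kv: -kv[1])][:k]


def evaluate(flows, injected_hosts, k):
    """Precision@K and Recall@K of the ranked list against injected hosts."""
    truth = {pseudonymize(h) for h in injected_hosts}
    ranked = top_k(score_entities(build_profiles(flows)), k)
    hits = sum(1 for ent in ranked if ent in truth)
    return hits / len(ranked), hits / len(truth)


if __name__ == "__main__":
    for k in (1, 2, 3):
        p, r = evaluate(SAMPLE_FLOWS, INJECTED, k)
        print(f"K={k}: precision={p:.2f} recall={r:.2f}")
```

The ground-truth set is compared in pseudonym space, so the evaluation never needs the raw hosts either; only the key holder can map a flagged pseudonym back to an asset during escalation.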
Due to institutional confidentiality and operational security constraints, the raw enterprise firewall/SIEM telemetry used in the manuscript cannot be publicly released. To support reproducibility without exposing sensitive network identifiers or operational infrastructure details, the package includes a synthetic data generator and example anonymized inputs that approximate the statistical structure of the evaluated telemetry. The synthetic data are intended for methodological replication, code verification, and baseline comparison; they should not be interpreted as raw operational traffic.
The package is intended to help researchers and practitioners reproduce the main computational pipeline, inspect the feature engineering and evaluation logic, and adapt the proposed privacy-preserving macro-to-micro triage workflow to other SOC or network telemetry environments.