Tree-based security analysis and threat hunting aided by large language models

What is claimed is: 1 . A method comprising: providing a first investigation context and an investigation goal to a large language model system; receiving from the large language model system, an indication of alternative suggested steps to perform in the investigation, the indication comprising: a description of a first step; specific computer executable code, in a computer programming language, that as a result of being executed performs a skill in the first step, the skill comprising a supplemental access, analytic or enrichment function; and a description of what the computer executable code performs as a result of being executed; providing a tree interface in a user interface that causes display of the indication of suggested steps in a tree format, wherein the tree format includes an expansion user interface element, that as a result of being selected by a user causes display of the description of the first step; the specific computer executable code that as a result of being executed performs the skill in the first step; and the description of what the computer executable code performs as a result of being executed; and executing the computer executable code thus performing the supplemental access, analytic or enrichment function. 2 . The method of claim 1 , further comprising: providing a user interface element that receives investigation context and a user interface element that receives investigation goals; and receiving the first investigation context at the user interface element that receives investigation context and the investigation goal at the user interface element that receives investigation goals. 3 . The method of claim 1 , further comprising: receiving first generated context generated by the large language model system as a result of executing the computer executable code; providing first cumulative context based on the first generated context and the first investigation context to the large language model system; receiving from the large language model system, an additional indication of additional suggested steps to perform in the investigation; and causing display of the additional indication of additional suggested steps in the tree interface as tree branches from an indication of the first step. 4 . The method of claim 3 , further comprising: providing the first generated context and the first investigation context to the large language model system; prompting the large language model system to generate the first cumulative context; and receiving the first cumulative context from the large language model system. 5 . The method of claim 3 , further comprising causing display of the first cumulative context in the user interface. 6 . The method of claim 3 , further comprising performing branch switching by: receiving user input selecting a second step from the suggested steps, and executing computer executable code for the second step; receiving second generated context generated by the large language model system as a result of executing the computer executable code for the second step; providing second cumulative context based on the second generated context and the first context to the large language model system; receiving from the large language model system, an additional indication of additional suggested steps to perform in the investigation; and causing display of the additional indication of additional suggested steps in the tree interface as tree branches from the first step. 7 . The method of claim 3 , wherein executing the computer executable code causes data output to be created, the method further comprising: storing the data output in a memory associated with the first step; providing a schema for the data output to the large language model system; and wherein an indication of a third step in the additional suggested steps comprises third executable code including a reference to the data output generated based on the schema. 8 . The method of claim 7 , further comprising: causing the large language model system to generate a query expression to summarize the data output, based on the investigation goal, the first cumulative context, and a schema for the data output; and executing the query expression, causing the data output to be summarized. 9 . The method of claim 1 , further comprising providing, to the large language model system, a filtered list of skills and direction, the direction comprising natural language instructions on how the large language model system should analyze the filtered list of skills, first investigation context, and investigation goal. 10 . The method of claim 9 , further comprising, creating the filtered list of skills by using ontological information from the first investigation context to match ontological context to skills in a broader set of skills. 11 . The method of claim 1 further comprising: providing references to a plurality of different data sets to the large language model system; providing schemas for the plurality of different data sets to the large language model system; providing instructions to the large language model system to generate computer executable instructions to manipulate data in the plurality of different data sets; and wherein the specific computer executable code to perform the skill in the first step comprises references to the data sets in the plurality of different data sets. 12 . The method of claim 1 further comprising: prompting the large language model system to generate a summary for the investigation, including providing context, the investigation goal, entities, and steps executed in the investigation; receiving from the large language model a summary of the investigation; and causing display of the summary of the investigation in the user interface. 13 . The method of claim 1 further comprising providing instructions to the large language model system to not hallucinate. 14 . The method of claim 1 further comprising storing instances of generated context, generated as a result of being steps are executed, in memories for the steps. 15 . The method of claim 14 , wherein the memories store context as deltas from parent nodes. 16 . The method of claim 14 , further comprising storing skill outputs for the skills in the memories. 17 . The method of claim 14 , further comprising storing data table summaries in the memories. 18 . A computing system comprising: a user interface, wherein the user interface comprises a user interface element that receives investigation context and a user interface element that receives investigation goals; network connection hardware connecting to a large language model, and configured to provide investigation context and investigation goals to the large language model system; the network connection hardware further configured to receive from the large language model system, an indication of alternative suggested steps to perform in an investigation, the indication comprising: a description of a first step; specific computer executable code, in a computer programming language, that as a result of being executed performs a skill in the first step, the skill comprising a supplemental access, analytic or enrichment function; and a description of what the computer executable code performs as a result of being executed; the user interface further comprising a tree interface that causes display of the indication of suggested steps in a tree format, wherein the tree format includes a user interface expansion element, that as a result of being s