5 Ways to Use ChatGPT in Your SOC: Real-World AI Applications to Streamline Alert Triage

Written by Itai Tevet

    Check out our other blogs here to learn how Intezer uses Generative AI to analyze and summarize text-based threats like scripts and macros or interpret text and hidden elements in phishing emails.

    Security Operations Center (SOC) teams face the daunting challenge of staying one step ahead as cyber threats continue to evolve. With an ever-increasing volume of textual data to analyze and a need for rapid response, AI-powered tools like ChatGPT have emerged as an invaluable resource for SOC teams. However, for many teams “AI” still remains a general buzzword, and they’re not sure how to actually use these new tools for practical use cases and smart automation in their day-to-day work.

    In this post, we’ll explore how Generative AI (specifically ChatGPT) can assist in five different cyber investigation tasks. Leveraging ChatGPT alongside Intezer’s investigative capabilities is one way that SOC teams can create a strong force for streamlining alert triage.

    1. Investigating Scripts and Macros with ChatGPT

    ChatGPT can be used to quickly analyze suspicious code in scripts and macros. Provide the code to the model and it will interpret the underlying logic and assess whether the code is malicious or benign. This is now a native capability in Intezer that is powered by Generative AI: it is how our AI Insights feature analyzes text-based threats (like macros or scripts such as Python, PowerShell, NSI, VBScript, JavaScript, LNK, and BAT) that Intezer collects as evidence.

    This saves valuable time and resources, allowing SOC teams to focus on more complex tasks while increasing the efficiency of their investigations. If you want to try this in ChatGPT, here’s an example of how you could do it:

    [Image: VBA script analysis in ChatGPT]

    2. Investigating File Paths

    File paths can be instrumental in determining if software is legitimate or part of a cyber attack. ChatGPT can analyze file paths to identify patterns, naming conventions, and known vendor structures. By cross-referencing this information with known legitimate software, SOC teams can quickly ascertain the legitimacy of the software in question.

    Here are two examples: first a file path for legitimate software, then a file path used by malware:

    [Image: ChatGPT’s answer after being prompted with a file path for legitimate software.]
    [Image: ChatGPT’s answer after being prompted with a file path used by malware.]
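As an added example (not from this post or from Intezer’s product), here is the kind of heuristic screen an analyst can run over a file path before, or instead of, asking an LLM about it. The trusted install roots, user-writable locations and system binary names are assumed baselines for a Windows host and should be tuned to your environment.

```python
import ntpath
import re

# Directories where vendor software is normally installed (assumed baseline).
TRUSTED_ROOTS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
)

# User-writable locations that installers rarely use for long-lived executables
# (assumed baseline; a common drop location for unwanted binaries).
WRITABLE_ROOTS = (
    r"c:\users\public",
    r"\appdata\local\temp",
    r"\appdata\roaming",
    r"c:\windows\temp",
)

# Well-known Windows binaries whose names are often borrowed to blend in.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "explorer.exe", "csrss.exe", "winlogon.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def assess_path(path: str) -> list[str]:
    """Return a list of human-readable findings for a Windows file path."""
    normalized = path.lower().replace("/", "\\")
    directory, name = ntpath.split(normalized)
    findings = []
    if normalized.startswith(TRUSTED_ROOTS):
        findings.append("located under a trusted install root")
    if any(root in normalized for root in WRITABLE_ROOTS):
        findings.append("located in a user-writable directory")
    if name in SYSTEM_BINARIES and not directory.startswith(SYSTEM_DIRS):
        findings.append(f"{name} is a system binary name outside its expected directory")
    if re.search(r"\.(pdf|docx?|xlsx?|jpg|png|txt)\.(exe|scr|com|bat)$", name):
        findings.append("double extension disguises an executable as a document")
    if re.search(r"[\u200b-\u200f\u202a-\u202e]", path):
        findings.append("path contains invisible Unicode control characters")
    return findings


if __name__ == "__main__":
    # Constructed sample paths, one legitimate and one suspicious.
    for sample in (r"C:\Program Files\Mozilla Firefox\firefox.exe",
                   r"C:\Users\bob\AppData\Local\Temp\svchost.exe"):
        print(sample, "->", assess_path(sample) or ["no findings"])
```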

    3. Correlating Logs and Data

    ChatGPT can help SOC teams correlate different logs and data sources to analyze the root cause of a cyber incident. By ingesting log data from various sources, the AI model can identify patterns, anomalies, and establish connections between seemingly unrelated events. This holistic approach can greatly improve the accuracy and speed of cyber incident investigations.

    4. Prompt ChatGPT to Analyze Suspicious Command Lines

    Command lines (cmd, PowerShell, bash) can be difficult to decipher, especially when dealing with obfuscated or complex code. ChatGPT can assist in deconstructing these command lines to better understand their purpose and determine if they’re malicious or not. By analyzing the code, the AI model can identify functions, variables, and other components that may indicate a potential cyber threat.

    This is another feature that we’ve built into Intezer’s AI Insights, so you can better understand those “suspicious activity” alerts that use command lines or other processes for malicious purposes.

    Here’s how you can prompt ChatGPT to explain a suspicious command line:

    [Image: Prompting ChatGPT to investigate a suspicious command line]
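Before a command line (section 4) or a script (section 1) is pasted into an external model, an analyst usually wants the obfuscation layer removed and internal details masked. This added example, not part of the post or of Intezer’s product, decodes a PowerShell -EncodedCommand payload and redacts IPs, internal hostnames and usernames before building the prompt; the sample command line and the internal naming patterns are constructed assumptions.

```python
import base64
import re

# Matches PowerShell's -EncodedCommand switch and its common abbreviations.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Internal details that should not leave the SOC inside a prompt
# (assumed naming conventions; adjust to your environment).
REDACTIONS = [
    (re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"), "<ip>"),
    (re.compile(r"\b[\w.-]+\.(?:corp|internal|local|lan)\b", re.IGNORECASE), "<internal-host>"),
    (re.compile(r"\\Users\\[^\\\s]+", re.IGNORECASE), r"\\Users\\<user>"),
]


def decode_encoded_command(cmdline: str) -> str:
    """Replace a base64 -EncodedCommand payload with its decoded UTF-16LE text.
    Payloads that fail to decode are left untouched so the analyst still sees them."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return cmdline
    return f"{cmdline[:m.start(1)]}<decoded>{decoded}</decoded>{cmdline[m.end(1):]}"


def redact(text: str) -> str:
    """Mask IPs, internal hostnames and user profile names."""
    for pattern, replacement in REDACTIONS:
        text = pattern.sub(replacement, text)
    return text


def prepare_prompt(cmdline: str) -> str:
    """Build the analysis prompt from a raw command line: decode, then redact."""
    cleaned = redact(decode_encoded_command(cmdline))
    return ("Explain what the following command line does and whether it "
            "looks malicious. Command line:\n" + cleaned)


# Constructed sample: an encoded but benign command that references an
# internal file server, a user profile path and an internal IP address.
PLAINTEXT = (r"Get-ChildItem \\fileserver.corp.local\share | "
             r"Out-File C:\Users\alice\list.txt; Test-Connection 10.20.30.40")
SAMPLE = "powershell.exe -NoP -W Hidden -enc " + base64.b64encode(
    PLAINTEXT.encode("utf-16le")).decode()

if __name__ == "__main__":
    print(prepare_prompt(SAMPLE))
```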

    5. Automating SIEM Rules and Queries

    ChatGPT can help SOC teams create rules and queries for SIEM products in plain English. By inputting a description of the desired rule or query, the AI model can generate the appropriate syntax, facilitating threat hunting as well as ongoing investigations. This not only saves time but also helps ensure that rules are comprehensive and effective.

    The Power of Combining ChatGPT and Intezer

    While ChatGPT excels in text-related analysis, Intezer’s core technology focuses on software analysis, providing a complementary set of capabilities for cyber investigations. By combining the two, SOC teams can quickly get a comprehensive understanding of threats, covering both the textual and software aspects of cyber attacks. This powerful synergy enables security professionals to swiftly and effectively address even the most sophisticated threats.

    Intezer leverages artificial intelligence, powerful algorithms, machine learning, and other cutting-edge technologies to automate time-consuming tasks that previously required a skilled analyst, reverse engineer, or outsourcing to a managed detection and response provider. With the introduction of Large Language Models (LLMs) such as the one behind ChatGPT, we’ve found that integrating Generative AI can save even more time for Intezer’s users.

    To make things super easy for our customers, when Intezer automatically collects evidence we now use Generative AI technology to power the AI Insights features in our Autonomous SOC product.

    Using AI-Powered Tools to Enhance SOC Efficiency and Effectiveness

    Incorporating AI-powered tools like ChatGPT and Intezer into your SOC team’s arsenal can greatly enhance the efficiency and effectiveness of cyber investigations. By streamlining both text analysis and software analysis, these technologies can empower security professionals to stay ahead of the curve in an increasingly complex cyber threat landscape.

    [Image: ChatGPT and Intezer integration]

    Try out Intezer’s AI Insights by signing up for free to see it for yourself or book a demo here.

    Itai Tevet

    Once led a government CERT. Now CEO at Intezer, changing the way we investigate and respond to cybersecurity incidents.
