Security Operations Center (SOC) teams face the daunting challenge of staying one step ahead as cyber threats continue to evolve. With an ever-increasing volume of textual data to analyze and a need for rapid response, AI-powered tools like ChatGPT have emerged as an invaluable resource for SOC teams. However, for many teams “AI” still remains a general buzzword, and they’re not sure how to actually use these new tools for practical use cases and smart automation in their day-to-day work.
In this post, we’ll explore how Generative AI (specifically ChatGPT) can assist in five different cyber investigation tasks. Leveraging ChatGPT alongside Intezer’s investigative capabilities is one way that SOC teams can create a strong force for streamlining alert triage.
1. Investigating Scripts and Macros with ChatGPT
This saves valuable time and resources, allowing SOC teams to focus on more complex tasks while increasing the efficiency of their investigations. If you want to try this in ChatGPT, here’s an example of how you could do it:
2. Investigating File Paths
File paths can be instrumental in determining if software is legitimate or part of a cyber attack. ChatGPT can analyze file paths to identify patterns, naming conventions, and known vendor structures. By cross-referencing this information with known legitimate software, SOC teams can quickly ascertain the legitimacy of the software in question.
Here are two examples, first with a file path for legitimate software and then a file path used by malware:
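The same kind of reasoning the post asks ChatGPT to do (known vendor roots, naming conventions, where an executable sits) can be encoded as a first-pass triage heuristic that an analyst runs before or alongside the model. The script below is an added example written for this post; it is not Intezer’s code and not the author’s two prompt examples. The vendor allow-list, the user-writable location markers, and every sample path are constructed for illustration; a real SOC would derive the allow-list from its own software inventory.

```python
import os
import re

# Constructed allow-list of vendor install roots for this example; a real SOC
# would derive it from its software inventory / application-control policy.
TRUSTED_ROOTS = (
    "c:/program files/",
    "c:/program files (x86)/",
    "c:/windows/system32/",
    "c:/windows/syswow64/",
)

# User-writable or staging locations where a vendor binary rarely lives.
USER_WRITABLE_MARKERS = (
    "/appdata/local/temp/",
    "/appdata/roaming/",
    "/downloads/",
    "c:/users/public/",
    "c:/programdata/",
    "c:/windows/temp/",
)

EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".ps1", ".vbs", ".js", ".bat", ".cmd"}

# Core Windows process names that are often imitated; they are only expected
# under the Windows directory.
SYSTEM_PROCESS_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "winlogon.exe"}

# "invoice.pdf.exe": a document-looking name followed by a second extension.
DOUBLE_EXTENSION = re.compile(r"\.(pdf|docx?|xlsx?|txt|jpe?g|png)\.[a-z0-9]{2,4}$")


def triage_path(path: str) -> dict:
    """Score one file path and return the observations behind the verdict."""
    # Normalise separators and case so the string checks below are simple.
    norm = path.replace("\\", "/").lower()
    name = norm.rsplit("/", 1)[-1]
    stem, ext = os.path.splitext(name)
    trusted = any(norm.startswith(root) for root in TRUSTED_ROOTS)
    findings = []

    if ext in EXECUTABLE_EXTENSIONS and any(m in norm for m in USER_WRITABLE_MARKERS):
        findings.append("executable in user-writable location")
    if name in SYSTEM_PROCESS_NAMES and not norm.startswith("c:/windows/"):
        findings.append("system process name outside the Windows directory")
    if DOUBLE_EXTENSION.search(name):
        findings.append("document-looking name with executable extension")
    # Vendor binaries usually have pronounceable names; a long, vowel-less
    # alphanumeric stem is a weak hint of a generated file name.
    if len(stem) >= 8 and re.fullmatch(r"[a-z0-9]+", stem) and not re.search(r"[aeiou]", stem):
        findings.append("random-looking file name")

    if findings:
        verdict = "suspicious"
    elif trusted:
        verdict = "likely legitimate"
    else:
        verdict = "unknown"
    return {"path": path, "verdict": verdict, "trusted_root": trusted, "findings": findings}


if __name__ == "__main__":
    # Constructed sample paths: one vendor binary, three staged executables, one document.
    SAMPLE_PATHS = [
        r"C:\Program Files\Mozilla Firefox\firefox.exe",
        r"C:\Users\alice\AppData\Local\Temp\invoice.pdf.exe",
        r"C:\Users\alice\AppData\Roaming\svchost.exe",
        r"C:\Users\alice\AppData\Local\Temp\x7k9m2pq.exe",
        r"C:\Users\alice\Documents\report.docx",
    ]
    for p in SAMPLE_PATHS:
        result = triage_path(p)
        print(f"{result['verdict']:<18} {p}  {result['findings']}")
```

A path that lands in "unknown" (not under a vendor root, but with no red flags) is exactly the case worth handing to the model with the surrounding context; the findings list gives the analyst the concrete observations to put in that prompt.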
3. Correlating Logs and Data
ChatGPT can help SOC teams correlate different logs and data sources to analyze the root cause of a cyber incident. By ingesting log data from various sources, the AI model can identify patterns and anomalies and establish connections between seemingly unrelated events. This holistic approach can greatly improve the accuracy and speed of cyber incident investigations.
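Before any of that data reaches a model, the events from different sources have to be normalised and joined on shared keys (host, process id, user, time). The script below is an added example for this post, not Intezer’s code: it parses three constructed key=value log sources (an EDR process-creation log, a web-proxy log and an authentication log), ties each outbound connection to the process that made it, walks the parent chain, and attaches the most recent logon by that user on that host. The log formats, host names, addresses and timestamps are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs for this example (three sources, key=value style).
EDR_LOG = r"""
2024-05-01T10:02:11Z host=WS-017 user=alice pid=4412 ppid=3300 image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
2024-05-01T10:02:13Z host=WS-017 user=alice pid=4450 ppid=4412 image="C:\Users\alice\AppData\Local\Temp\update.exe"
2024-05-01T10:30:00Z host=WS-022 user=bob pid=2210 ppid=900 image="C:\Program Files\Mozilla Firefox\firefox.exe"
"""
PROXY_LOG = r"""
2024-05-01T10:02:15Z host=WS-017 pid=4450 dst=203.0.113.55:443 bytes_out=18223
2024-05-01T10:30:02Z host=WS-022 pid=2210 dst=198.51.100.9:443 bytes_out=1200
"""
AUTH_LOG = r"""
2024-05-01T10:01:58Z host=WS-017 user=alice event=logon logon_type=10 src=10.0.0.5
"""

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(source, text):
    """Normalise one log source into dicts with a datetime 'ts' and a 'source' tag."""
    events = []
    for line in text.strip().splitlines():
        ts, _, rest = line.partition(" ")
        fields = {k: v.strip('"') for k, v in KV.findall(rest)}
        fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        fields["source"] = source
        events.append(fields)
    return events


def correlate(edr, proxy, auth, window=timedelta(minutes=10)):
    """Tie each outbound connection to its process lineage and the logon that preceded it."""
    procs = {(e["host"], e["pid"]): e for e in edr}
    chains = []
    for net in proxy:
        proc = procs.get((net["host"], net["pid"]))
        # The proxy record must come after the process start and within the window.
        if proc is None or not timedelta(0) <= net["ts"] - proc["ts"] <= window:
            continue
        lineage = [proc]
        while True:
            parent = procs.get((lineage[-1]["host"], lineage[-1]["ppid"]))
            if parent is None or parent in lineage:  # unknown parent, or a pid-reuse loop
                break
            lineage.append(parent)
        root = lineage[-1]
        # Most recent logon by the same user on the same host before the root process started.
        candidates = [a for a in auth
                      if a["host"] == root["host"] and a["user"] == root["user"]
                      and timedelta(0) <= root["ts"] - a["ts"] <= window]
        logon = max(candidates, key=lambda a: a["ts"], default=None)
        chains.append({
            "host": root["host"],
            "user": root["user"],
            "dst": net["dst"],
            "lineage": [re.split(r"[\\/]", p["image"])[-1] for p in lineage],  # child first
            "logon_src": logon["src"] if logon else None,
            "seconds_from_logon": int((net["ts"] - logon["ts"]).total_seconds()) if logon else None,
        })
    return chains


def build_chains():
    """Run the correlation over the constructed sample logs."""
    return correlate(parse("edr", EDR_LOG), parse("proxy", PROXY_LOG), parse("auth", AUTH_LOG))


if __name__ == "__main__":
    for c in build_chains():
        print(f"{c['host']} {c['user']}: {' <- '.join(c['lineage'])} -> {c['dst']} "
              f"(logon from {c['logon_src']}, {c['seconds_from_logon']}s earlier)")
```

The joined chain (remote logon, PowerShell, a child executable in a Temp folder, an outbound connection two seconds later) is a far better prompt for a model than three raw log excerpts, and the join keys make every statement in its answer checkable against the original records.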
4. Prompt ChatGPT to Analyze Suspicious Command Lines
Command lines (cmd, PowerShell, bash) can be difficult to decipher, especially when dealing with obfuscated or complex code. ChatGPT can assist in deconstructing these command lines to better understand their purpose and determine if they’re malicious or not. By analyzing the code, the AI model can identify functions, variables, and other components that may indicate a potential cyber threat.
This is another feature that we’ve built into Intezer’s AI Insights, so you can better understand those “suspicious activity” alerts that use command lines or other processes for malicious purposes.
Here’s how you can prompt ChatGPT to explain a suspicious command line:
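Much of the value in having a model explain a command line comes from first removing the layer that makes it unreadable, so the analyst (or the model) is reasoning about the actual script rather than a Base64 blob. The script below is an added example for this post, not Intezer’s code or the author’s prompt: it tokenises a PowerShell command line, recognises the -EncodedCommand switch and its short forms, decodes the UTF-16LE payload for display (it is never executed), and annotates the visible and decoded text with common indicators such as a hidden window or a skipped profile. The indicator list and the sample command lines are constructed for illustration; the encoded sample only wraps a Write-Host statement.

```python
import base64
import binascii
import re

# Indicator patterns commonly seen in PowerShell loader command lines; each is
# a hint for the analyst, not a verdict on its own. Constructed for this example.
INDICATORS = [
    (re.compile(r"-nop(rofile)?\b"), "profile skipped"),
    (re.compile(r"-w(indowstyle)?\s+hidden"), "hidden window"),
    (re.compile(r"-(ep|executionpolicy)\s+bypass"), "execution policy bypass"),
    (re.compile(r"\biex\b|invoke-expression"), "dynamic expression evaluation"),
    (re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient"), "network download"),
    (re.compile(r"frombase64string"), "nested base64 decoding"),
]


def _is_encoded_switch(token):
    tok = token.lower()
    # PowerShell accepts any unambiguous prefix of -EncodedCommand; -e and -ec
    # are the usual short forms.
    return tok == "-ec" or (len(tok) >= 2 and "-encodedcommand".startswith(tok))


def decode_encoded_command(cmdline):
    """Return (decoded_text, payload_token).

    payload_token is None when no encoded-command switch is present;
    decoded_text is None when the switch is present but the payload does not decode.
    """
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)
    for i, tok in enumerate(tokens[:-1]):
        if _is_encoded_switch(tok):
            payload = tokens[i + 1]
            try:
                # -EncodedCommand payloads are Base64 over UTF-16LE text.
                decoded = base64.b64decode(payload.strip('"'), validate=True).decode("utf-16-le")
            except (binascii.Error, ValueError, UnicodeDecodeError):
                decoded = None
            return decoded, payload
    return None, None


def triage_command_line(cmdline):
    """Decode what can be decoded and list the indicators an analyst should look at."""
    decoded, payload = decode_encoded_command(cmdline)
    indicators = []
    if payload is not None:
        indicators.append("encoded command" if decoded is not None else "undecodable encoded command")
    # Search the switches plus the decoded text, but not the Base64 blob itself.
    visible = cmdline.replace(payload, "") if payload else cmdline
    haystack = (visible + " " + (decoded or "")).lower()
    indicators += [label for pattern, label in INDICATORS if pattern.search(haystack)]
    verdict = "suspicious" if payload is not None or len(indicators) >= 2 else "low"
    return {"command_line": cmdline, "decoded": decoded, "indicators": indicators, "verdict": verdict}


# Constructed sample: a harmless Write-Host wrapped the way loaders wrap their first stage.
SAMPLE_INNER = "Write-Host 'hello from the triage example'"
SAMPLE_CMDLINE = "powershell.exe -nop -w hidden -enc " + base64.b64encode(
    SAMPLE_INNER.encode("utf-16-le")).decode("ascii")

if __name__ == "__main__":
    for cl in (SAMPLE_CMDLINE, r"powershell.exe -File C:\scripts\backup.ps1"):
        r = triage_command_line(cl)
        print(r["verdict"], r["indicators"])
        if r["decoded"]:
            print("  decoded:", r["decoded"])
```

Feeding the decoded text and the indicator list to the model, rather than the raw command line, keeps its explanation anchored to content you have already verified; the undecodable case is reported explicitly so a malformed or differently encoded payload is escalated instead of silently passing as clean.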
5. Automating SIEM Rules and Queries
ChatGPT can help SOC teams create rules and queries for SIEM products in plain English. By inputting a description of the desired rule or query, the AI model can generate the appropriate syntax, facilitating threat hunting as well as ongoing investigations. This not only saves time but also helps ensure that rules are comprehensive and effective.
The Power of Combining ChatGPT and Intezer
While ChatGPT excels in text-related analysis, Intezer’s core technology focuses on software analysis, providing a complementary set of capabilities for cyber investigations. By combining the two, SOC teams can quickly get a comprehensive understanding of threats, covering both the textual and software aspects of cyber attacks. This powerful synergy enables security professionals to swiftly and effectively address even the most sophisticated threats.
Intezer leverages artificial intelligence, powerful algorithms, machine learning, and other cutting-edge technologies to automate time-consuming tasks that previously required a skilled analyst, reverse engineer, or outsourcing to a managed detection and response provider. With the introduction of Large Language Models (LLMs) such as the one behind ChatGPT, we’ve found that integrating Generative AI can save even more time for Intezer’s users.
To make things super easy for our customers, when Intezer automatically collects evidence we now use Generative AI technology to power the AI Insights features in our Autonomous SOC product.
Using AI-Powered Tools to Enhance SOC Efficiency and Effectiveness
Incorporating AI-powered tools like ChatGPT and Intezer into your SOC team’s arsenal can greatly enhance the efficiency and effectiveness of cyber investigations. By streamlining both text analysis and software analysis, these technologies can empower security professionals to stay ahead of the curve in an increasingly complex cyber threat landscape.