Corelight has been an innovator and leader in AI and Large Language Model (LLM) adoption for almost 2 years. We introduced our first use of LLMs in our Open NDR platform Investigator in November of 2023. Since then, we have continued to push the boundaries of the possible by working with AI model builders on cybersecurity-specific training and expanding LLM use within Investigator to include data analysis and summaries. Just as rich, actionable data is crucial for a strong cybersecurity defense, it is equally essential for the effective integration of LLMs into that defense. In that spirit, Corelight is excited to provide an initial set of LLM prompts, example data, corresponding Splunk queries, and example outcomes to help both current and prospective customers fuel the use of our rich data within the rapidly expanding use of AI and LLMs in the modern SOC.
This initial release centers on alert triage and log summarization, focusing on Corelight and Suricata® alerts and the summaries of their related logs. These prompts will produce succinct and actionable data that can easily be used within other AI workstreams or directly digested by security practitioners. These one-shot prompts were tested and fine-tuned on OpenAI’s GPT models, specifically GPT-4o mini; however, limited testing was done on the prompts using Google Gemini 2.5, Meta Llama 3, and Claude Sonnet 3.5 v2. The prompting styles of most modern LLMs allow for easy interchange between them.
These prompts provide a way to automate the analysis of network security alerts generated by Corelight. By inputting specific Suricata rules or Corelight alerts—including associated data like messages, descriptions, and payloads—users can quickly get clear and concise summaries and analysis. This can save security analysts significant time and effort in understanding and investigating potential threats.
Key features and functionality:
- Suricata rule summarization: Takes a Suricata rule as input and outputs a plain-language explanation of what that rule is designed to detect.
- Alert interpretation: For a given Suricata alert, it explains what the alert signifies, including potential malicious activity being detected.
- Investigation guidance: Provides next steps for investigating an alert, recommending which Corelight logs to consult and how to use them.
- Attack context: Outlines the types of attacks and indicators of compromise (IoCs) that might be associated with a given alert.
- Adversary techniques: Identifies potential attacker techniques, tactics, and procedures (TTPs), often referencing the MITRE ATT&CK framework.
- Payload analysis: Summarizes the payload data included with a Suricata alert, helping analysts quickly understand the contents of suspicious network traffic.
- Session analysis: Analyzes all Corelight logs associated with a given session and provides insights such as alert beacons, unusual findings, and attack tactics employed if the session is associated with a given alert.
The use of these LLM prompts can significantly speed up the initial analysis of network security alerts, allowing analysts to quickly prioritize and investigate critical incidents. It provides consistent, understandable summaries, reducing the cognitive load and improving efficiency in threat response. As the world of AI and LLMs continue to evolve, so will the impact on cyber security. Corelight is investigating the release of an MCP server and other agentic capabilities to further accelerate the use of network security data and its ability to be the single source of truth in a sea of data.
It is important to work with your LLM vendors to ensure any data you send as part of prompts is protected and not used for training purposes. Each LLM vendor has their own mitigation processes and it is important to understand those mitigations before sending sensitive data such as Corelight logs.
For more information on obtaining these LLM prompts and associated training, contact your Corelight sales team or contact us to learn more.
