Corelight Recognized as a Leader in the 2025 Gartner® Magic Quadrant™ for Network Detection and Response
July 31, 2025 by Stan Kiefer
Corelight has been an innovator and leader in AI and Large Language Model (LLM) adoption for almost 2 years. We introduced our first use of LLMs in our Open NDR platform Investigator in November of 2023. Since then, we have continued to push the boundaries of what is possible by working with AI model builders on cybersecurity-specific training and expanding LLM use within Investigator to include data analysis and summaries. Just as rich, actionable data is crucial for a strong cybersecurity defense, it is equally essential for the effective integration of LLMs into that defense. In that spirit, Corelight is excited to provide an initial set of LLM prompts, example data, corresponding Splunk queries, and example outcomes to help both current and prospective customers put our rich data to work as AI and LLM adoption expands rapidly across the modern SOC.
This initial release centers on alert triage and log summarization, focusing on Corelight and Suricata® alerts and the summaries of their related logs. These prompts will produce succinct and actionable data that can easily be used within other AI workstreams or directly digested by security practitioners. These one-shot prompts were tested and fine-tuned on OpenAI’s GPT models, specifically GPT-4o mini; however, limited testing was done on the prompts using Google Gemini 2.5, Meta Llama 3, and Claude Sonnet 3.5 v2. The prompting styles of most modern LLMs allow for easy interchange between them.
These prompts provide a way to automate the analysis of network security alerts generated by Corelight. By inputting specific Suricata rules or Corelight alerts—including associated data like messages, descriptions, and payloads—users can quickly get clear and concise summaries and analysis. This can save security analysts significant time and effort in understanding and investigating potential threats.
Key features and functionality:
The use of these LLM prompts can significantly speed up the initial analysis of network security alerts, allowing analysts to quickly prioritize and investigate critical incidents. It provides consistent, understandable summaries, reducing the cognitive load and improving efficiency in threat response. As the world of AI and LLMs continues to evolve, so will its impact on cybersecurity. Corelight is investigating the release of an MCP server and other agentic capabilities to further accelerate the use of network security data and its ability to be the single source of truth in a sea of data.
It is important to work with your LLM vendors to ensure any data you send as part of prompts is protected and not used for training purposes. Each LLM vendor has its own mitigation processes, and it is important to understand those mitigations before sending sensitive data such as Corelight logs.
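The two points above (building a triage prompt from Suricata alert fields, and controlling what leaves the SOC when that prompt goes to a third-party model) can be shown together in code. The following is an added example, not Corelight's own prompts or the prompt pack described in this post; the EVE alert record is constructed sample data (sid 1000001 sits in the local-rule range), and the redaction policy, prompt wording, and expected reply schema are this example's own assumptions.

```python
"""Added example: build a one-shot LLM triage prompt from a Suricata EVE
alert, redact what should not leave the SOC, and parse the structured reply.
Not Corelight's prompts; alert data, policy and schema are assumptions."""
import ipaddress
import json
import re

# Constructed sample Suricata EVE alert (not real traffic). sid 1000001 is
# in the local-rule range; the bearer token is a made-up value.
SAMPLE_ALERT = {
    "timestamp": "2025-07-31T12:00:00.000000+0000",
    "event_type": "alert",
    "src_ip": "10.1.2.3",
    "src_port": 51234,
    "dest_ip": "203.0.113.10",
    "dest_port": 80,
    "proto": "TCP",
    "alert": {
        "signature_id": 1000001,
        "signature": "LOCAL Example outbound request with scripted user-agent",
        "category": "Potentially Bad Traffic",
        "severity": 2,
    },
    "http": {"hostname": "example.net", "url": "/health", "http_method": "GET"},
    "payload_printable": (
        "GET /health HTTP/1.1\r\nHost: example.net\r\n"
        "Authorization: Bearer secret-token-value\r\n"
        "User-Agent: python-requests/2.32\r\n\r\n"
    ),
}

# Assumed SOC policy: RFC 1918 hosts get placeholders; header values that may
# carry credentials are masked before the payload is sent to a vendor model.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SENSITIVE_HEADER = re.compile(r"(?im)^(Authorization|Cookie|Set-Cookie):[^\r\n]*")
REPLY_KEYS = ("severity", "summary", "recommended_next_steps")


def redact_ip(ip, table):
    """Map internal addresses to stable placeholders; keep external ones,
    which the analyst needs for reputation lookups."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return ip
    if not any(addr in net for net in INTERNAL_NETS):
        return ip
    return table.setdefault(ip, f"INTERNAL_HOST_{len(table) + 1}")


def sanitize_alert(alert, max_payload=256):
    """Return a redacted deep copy plus the placeholder table, so the
    analyst can map placeholders back to real hosts locally."""
    table = {}
    clean = json.loads(json.dumps(alert))
    for key in ("src_ip", "dest_ip"):
        if key in clean:
            clean[key] = redact_ip(clean[key], table)
    payload = SENSITIVE_HEADER.sub(lambda m: f"{m.group(1)}: [REDACTED]",
                                   clean.get("payload_printable", ""))
    clean["payload_printable"] = payload[:max_payload]
    return clean, table


def build_prompt(alert):
    """Compose the one-shot prompt: role, task, redacted alert, and a strict
    JSON reply schema so the answer can feed other tooling."""
    clean, _ = sanitize_alert(alert)
    return (
        "You are a SOC analyst triaging a network IDS alert.\n"
        "Summarize what the alert indicates, assign a severity of low, "
        "medium, or high, and list concrete next investigative steps.\n"
        "Reply with JSON only, using exactly these keys: "
        + ", ".join(REPLY_KEYS) + ".\n\nAlert:\n" + json.dumps(clean, indent=2)
    )


def parse_triage_response(text):
    """Parse the model reply. Models often wrap JSON in a ``` fence or add
    prose around it; tolerate that, but reject replies missing required keys."""
    match = re.search(r"\{.*\}", text, re.S)
    if not match:
        raise ValueError("no JSON object in model reply")
    data = json.loads(match.group(0))
    missing = [k for k in REPLY_KEYS if k not in data]
    if missing:
        raise ValueError(f"reply missing keys: {missing}")
    if data["severity"] not in ("low", "medium", "high"):
        raise ValueError(f"unexpected severity: {data['severity']!r}")
    return data


if __name__ == "__main__":
    print(build_prompt(SAMPLE_ALERT))
    # Constructed reply standing in for what a model would return.
    reply = ('```json\n{"severity": "medium", "summary": "Scripted client "\n'
             '"reached an external host", "recommended_next_steps": '
             '["Check the source host for the requesting process"]}\n```')
    print(parse_triage_response(reply))
```

The placeholder table is returned rather than discarded so the mapping stays on the SOC side: the model only ever sees INTERNAL_HOST_n, and the analyst resolves it locally when acting on the reply. The strict reply schema is what makes the output usable by other AI workstreams or a SIEM: a reply that drops a key or invents a severity level is rejected instead of silently flowing downstream.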
For more information on obtaining these LLM prompts and associated training, contact your Corelight sales team or contact us to learn more.
Tagged With: Corelight, Network Security Monitoring, NDR, featured, AI, large language model, llm