
Corelight data and LLMs

Corelight has been an innovator and leader in AI and Large Language Model (LLM) adoption for almost 2 years. We introduced our first use of LLMs in our Open NDR platform Investigator in November of 2023. Since then, we have continued to push the boundaries of the possible by working with AI model builders on cybersecurity-specific training and expanding LLM use within Investigator to include data analysis and summaries. Just as rich, actionable data is crucial for a strong cybersecurity defense, it is equally essential for the effective integration of LLMs into that defense. In that spirit, Corelight is excited to provide an initial set of LLM prompts, example data, corresponding Splunk queries, and example outcomes to help both current and prospective customers bring our rich data into the rapidly expanding use of AI and LLMs in the modern SOC.

This initial release centers on alert triage and log summarization, focusing on Corelight and Suricata® alerts and the summaries of their related logs. These prompts will produce succinct and actionable data that can easily be used within other AI workstreams or directly digested by security practitioners. These one-shot prompts were tested and fine-tuned on OpenAI’s GPT models, specifically GPT-4o mini; however, limited testing was done on the prompts using Google Gemini 2.5, Meta Llama 3, and Claude Sonnet 3.5 v2. The prompting styles of most modern LLMs allow for easy interchange between them.

These prompts provide a way to automate the analysis of network security alerts generated by Corelight. By inputting specific Suricata rules or Corelight alerts—including associated data like messages, descriptions, and payloads—users can quickly get clear and concise summaries and analysis. This can save security analysts significant time and effort in understanding and investigating potential threats.

Key features and functionality:

  • Suricata rule summarization: Takes a Suricata rule as input and outputs a plain-language explanation of what that rule is designed to detect.
  • Alert interpretation: For a given Suricata alert, it explains what the alert signifies, including potential malicious activity being detected.
  • Investigation guidance: Provides next steps for investigating an alert, recommending which Corelight logs to consult and how to use them.
  • Attack context: Outlines the types of attacks and indicators of compromise (IoCs) that might be associated with a given alert.
  • Adversary techniques: Identifies potential attacker tactics, techniques, and procedures (TTPs), often referencing the MITRE ATT&CK framework.
  • Payload analysis: Summarizes the payload data included with a Suricata alert, helping analysts quickly understand the contents of suspicious network traffic.
  • Session analysis: Analyzes all Corelight logs associated with a given session and provides insights such as beaconing, unusual findings, and, when the session is associated with a given alert, the attack tactics employed.

The use of these LLM prompts can significantly speed up the initial analysis of network security alerts, allowing analysts to quickly prioritize and investigate critical incidents. They provide consistent, understandable summaries, reducing the cognitive load and improving efficiency in threat response. As the world of AI and LLMs continues to evolve, so will the impact on cybersecurity. Corelight is investigating the release of an MCP server and other agentic capabilities to further accelerate the use of network security data and its ability to be the single source of truth in a sea of data.

It is important to work with your LLM vendors to ensure that any data you send as part of prompts is protected and not used for training purposes. Each LLM vendor has its own mitigation processes, and it is important to understand those mitigations before sending sensitive data such as Corelight logs.
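As an added, runnable illustration of the workflow in the feature list above and of the data-protection point in this paragraph (example code written for this page, not Corelight's prompts or tooling): it parses a constructed Suricata rule into its header and options, replaces RFC 1918 addresses with stable tokens and drops a user field from a constructed alert record before anything leaves the SOC, and assembles a one-shot triage prompt. The rule, the alert record, its Zeek-style field names, and the choice of RFC 1918 ranges as "internal" are all assumptions; the call to an LLM vendor's API is deliberately left out.

```python
"""Build a one-shot Suricata alert triage prompt with sensitive fields redacted.

Added example for this page, not Corelight's code. The rule, the alert record,
its Zeek-style field names, and the RFC 1918 'internal' ranges are constructed
assumptions; sending the prompt to an LLM API is left out.
"""
import ipaddress
import json
import re

# Constructed sample rule: sid 9000001 is in the local-rule range, not a real signature.
SAMPLE_RULE = (
    'alert http $HOME_NET any -> $EXTERNAL_NET any '
    '(msg:"EXAMPLE Possible beacon to suspicious host"; flow:established,to_server; '
    'http.user_agent; content:"Mozilla/4.0 (compatible; MSIE 6.0"; '
    'classtype:trojan-activity; sid:9000001; rev:2;)'
)

# Constructed alert record in a Zeek-style JSON shape (field names assumed, not verified).
SAMPLE_ALERT = {
    "ts": "2025-06-01T12:00:00Z",
    "uid": "CExample1xyz",
    "id.orig_h": "10.20.30.40",
    "id.orig_p": 51234,
    "id.resp_h": "203.0.113.55",
    "id.resp_p": 80,
    "alert.signature": "EXAMPLE Possible beacon to suspicious host",
    "alert.signature_id": 9000001,
    "alert.severity": 2,
    "payload": "GET /update HTTP/1.1\r\nHost: 203.0.113.55\r\n"
               "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n\r\n",
    "user": "alice@corp.example",  # identity data that should never reach a third party
}

# One rule option: keyword, optional ':' and a value that is either a quoted string
# (which may itself contain ';') or bare text up to the next ';'.
OPTION_RE = re.compile(r'\s*([A-Za-z_.\-]+)(?::("(?:[^"\\]|\\.)*"|[^;]*))?;')

# Assumption: these ranges stand in for the organisation's $HOME_NET. Use your own.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DOTTED_QUAD_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_suricata_rule(rule):
    """Split a rule into its seven header fields and an ordered list of (keyword, value) options."""
    header, sep, body = rule.partition("(")
    body = body.rstrip()
    if not sep or not body.endswith(")"):
        raise ValueError("rule has no option block")
    parts = header.split()
    if len(parts) != 7:
        raise ValueError("unexpected rule header: %r" % header)
    options = []
    for m in OPTION_RE.finditer(body[:-1]):
        key, val = m.group(1), m.group(2)
        if val is not None and len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        options.append((key, val))
    parsed = dict(zip(("action", "proto", "src", "sport", "direction", "dst", "dport"), parts))
    parsed["options"] = options
    return parsed


def redact(record, drop_fields=("user",)):
    """Return (copy safe to send out, {real_ip: token}); the map stays local so answers can be mapped back."""
    token_map = {}

    def tokenise(m):
        text = m.group(0)
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:
            return text
        if not any(addr in net for net in INTERNAL_NETS):
            return text
        token_map.setdefault(text, "INTERNAL_HOST_%d" % (len(token_map) + 1))
        return token_map[text]

    safe = {}
    for key, value in record.items():
        if key in drop_fields:
            continue
        safe[key] = DOTTED_QUAD_RE.sub(tokenise, value) if isinstance(value, str) else value
    return safe, token_map


def build_triage_prompt(rule, alert):
    """Assemble the one-shot prompt; returns it together with the token map kept on the SOC side."""
    parsed = parse_suricata_rule(rule)
    safe_alert, token_map = redact(alert)
    lines = [
        "You are a SOC analyst. Using only the data below, answer in four short sections:",
        "1. What this Suricata rule is designed to detect, in plain language.",
        "2. What the alert signifies and the likely attacker tactic or technique (cite MITRE ATT&CK if clear).",
        "3. Which Corelight logs to consult next and what to look for in each.",
        "4. A one-line summary of the captured payload.",
        "",
        "Rule header: %(action)s %(proto)s %(src)s:%(sport)s %(direction)s %(dst)s:%(dport)s" % parsed,
        "Rule options:",
    ]
    lines += ["  %s%s" % (k, "" if v is None else ": " + v) for k, v in parsed["options"]]
    lines += ["", "Alert record (JSON; internal addresses replaced by tokens):", json.dumps(safe_alert, indent=2)]
    return "\n".join(lines), token_map


if __name__ == "__main__":
    prompt, token_map = build_triage_prompt(SAMPLE_RULE, SAMPLE_ALERT)
    print(prompt)
    print("\nLocal token map (do not send):", token_map)
```

The token map is returned rather than discarded so that an answer mentioning `INTERNAL_HOST_1` can be mapped back to the real address on the analyst's side; which fields to drop and which ranges count as internal are the deployment-specific decisions the paragraph above says must be settled with the vendor before any log data is sent.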

For more information on obtaining these LLM prompts and associated training, contact your Corelight sales team or contact us to learn more.
