Our SecOps team is overwhelmed by the sheer volume of false positives in our SIEM. We are exploring if Generative AI (ChatGPT, Gemini) can assist in parsing complex logs to find indicators of compromise (IoC) more quickly. Has anyone successfully built a pipeline that feeds sanitized logs into these models for faster incident response?
3 answers
We’ve been experimenting with this by using Generative AI (ChatGPT, Gemini) as a Tier-1 analyst. We don't send raw logs due to privacy, but we send summarized metadata. The AI is incredible at spotting patterns across disparate logs that a human might miss during a 12-hour shift. For instance, it connected a failed login in the London office with a weird outbound DNS request from an AWS instance in Ohio. It saved us about four hours of manual correlation. The key is to use the AI to generate the "story" of the attack, which helps the senior hunters focus on the actual remediation steps.
Do you find that the token limits of these models restrict how much log data you can actually analyze in a single session?
It's great for writing YARA rules. I describe the malware behavior, and the AI produces a workable rule in seconds, which is a huge time-saver.
Spot on, Pamela. Writing custom detection logic is where the efficiency gain is highest for most of the security engineering teams I've talked to recently.
Token limits are a hurdle, Ronald. We solve this by using RAG (Retrieval-Augmented Generation) where we only feed the AI the "suspicious" chunks identified by our traditional rules-based engine for a deeper, more contextual linguistic analysis.