Splunk x ChatGPT for Security Teams
by Zubair Rauf, Team Lead Professional Services and Bruce Johnson, Sr. Director Enterprise Security
Splunk is the premier SIEM/Big Data platform in the cybersecurity industry. There are several extensions to the Splunk platform to incorporate machine learning, natural language processing, threat graphing, statistical computing, and Security Orchestration, Automation, and Response (SOAR). They take advantage of the fact that Splunk, as a big data platform, allows for the crunching and correlation of large quantities of data over extended search timeframes in near real-time. The latest obvious trend is to marry this capability with recent advances in AI utilities. Splunk has multiple premium product offerings, two of which are security focused.
- Splunk Enterprise Security offers additional features over the standard Splunk platform. These include real-time threat identification, advanced analytics, and automated response (with Splunk SOAR).
- Splunk SOAR is a tool that can be used to automate threat response workflows. These can help with incident response, remediation, and reporting.
ChatGPT is a generative AI model trained by OpenAI that can generate human-like responses to a wide range of user queries. It can also analyze and generate code, allowing users to:
- Create code faster by generating code snippets based on natural language input.
- Analyze code snippets for security vulnerabilities by identifying potential security issues in code.
- Interpret code for better understanding by providing explanations of code logic and behavior.
In the context of security, ChatGPT has been used for attacks on GitHub repositories, generation of malicious code stubs, insertion of proprietary information into the ChatGPT data model, and AI-generated phishing campaigns (side note: grammar is no longer a prevalent phishing threat indicator, as verbiage can be generated). It is only a matter of time until ChatGPT tasking is married together with malicious script libraries and attack techniques to devise batteries of generated, dynamic, morphing threat chains.
As always with cybersecurity threats, creative uses for utilities and techniques start with hackers and quickly demand a response from blue teamers. As cybersecurity professionals, we are on the back foot, coming up with ways to leverage AI to defend against AI-generated attacks.
Entering the fray are Splunk extensions to the SIEM and SOAR platforms that extend search and automation to incorporate AI algorithms. It is a rudimentary but important beginning.
Analysts can access ChatGPT or the underlying language models using the ChatGPT web interface or by using OpenAI’s API.
There are also Splunk Technical Add-ons (TAs) that have been developed for ChatGPT/Splunk integration. These TAs let you interact with ChatGPT directly from your Splunk search through custom search commands and other actions. One notable Technical Add-on (TA) was built by Michael Camp Bentley from Splunkable LLC, a TekStream partner, and is available on GitHub.
Microsoft Azure OpenAI Service also allows organizations to run OpenAI models in a secure environment. Organizations can use datasets to fine-tune models for more accurate results and tap into more use cases with their data. However, before using this service to train and fine-tune models, please read the Data, privacy and security documentation for the service.
Splunk x ChatGPT Applications
Creating Splunk searches with ChatGPT
One of the most used use cases that I have tested out, and have seen other people leverage ChatGPT for, is creating simple and complex Splunk queries for customized security detections. ChatGPT does a decent job when given the right prompts and can build the underlying logic for an acceptable query. I have seen that you will have to modify the search to filter correctly for your data.
I have tested ChatGPT to create queries for common detections and while it is not 100% accurate in generating the query that you want (it is an AI after all, and the clarity of your prompt matters!), it provides you with some innovative ideas and a great starting point to play around with your search.
ChatGPT also interprets the Splunk query to provide users a foundational understanding of how to build out a dynamic query for a detection/correlation search.
Integrating Splunk Search and ChatGPT
There are many TAs made by the Splunk community that integrate ChatGPT with Splunk search. A notable one I already mentioned above, built by Splunkable (available here), enables users to directly send prompts and get responses from ChatGPT through a Splunk search command.
This opens numerous possibilities for dynamic prompt generation through eval statements based on your use case. Some use cases I can think of are:
- Based on a detected threat, you can pass MITRE metadata along with the threat in a ChatGPT prompt, and it can suggest the next potential threat that may come your way.
- ChatGPT can automate responses to users about identified phishing threats and encourage them to study security topics based on prompts generated from search results. These responses can be sent to users using Splunk email alerts.
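Dynamic prompts built from search results carry user and asset identifiers to an external model, so it is worth swapping them for tokens before the prompt leaves Splunk and restoring them in the reply. The following is an added example, not code from the Splunkable TA or from this post; the field names, the sample event and the function names are assumptions.

```python
# Constructed sample of one search-result row; field names are assumptions.
SAMPLE_EVENT = {
    "signature": "Multiple failed logons for jdoe followed by success",
    "mitre_tactic": "Credential Access",
    "mitre_technique_id": "T1110",
    "user": "jdoe",
    "src": "10.20.30.40",
    "dest": "fin-db-01.corp.example",
}

PASS_THROUGH = ("signature", "mitre_tactic", "mitre_technique_id")
SENSITIVE = ("user", "src", "dest")  # assumed policy: never sent verbatim


def pseudonymize(event):
    """Return (safe_event, mapping) with sensitive values replaced by tokens."""
    mapping = {f"<{k.upper()}>": str(event[k]) for k in SENSITIVE if event.get(k)}
    # Longest values first so a short value never splits a longer one.
    ordered = sorted(mapping.items(), key=lambda kv: -len(kv[1]))
    safe = {}
    for key in PASS_THROUGH + SENSITIVE:
        text = str(event.get(key, ""))
        for token, value in ordered:
            # Also scrubs identifiers that leak into free-text fields.
            text = text.replace(value, token)
        safe[key] = text
    return safe, mapping


def build_prompt(safe):
    """Build the prompt from the tokenized event plus its MITRE metadata."""
    return (
        f"Detection: {safe['signature']}\n"
        f"MITRE ATT&CK: {safe['mitre_tactic']} / {safe['mitre_technique_id']}\n"
        f"Entities: user={safe['user']} src={safe['src']} dest={safe['dest']}\n"
        "Which techniques commonly follow this one, and which data sources "
        "would detect them? Refer to entities only by their tokens."
    )


def rehydrate(reply, mapping):
    """Put the real values back into the model's reply for the analyst."""
    for token, value in mapping.items():
        reply = reply.replace(token, value)
    return reply
```
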
Creating Splunk SOAR automation scripts with ChatGPT
ChatGPT can also help Splunk SOAR users create SOAR automation scripts that can be modified to work with the environment and deployed to Splunk SOAR. Splunk SOAR is built on Python, so ChatGPT can be used to generate Python code to perform actions using Splunk SOAR. The generated scripts will provide users with a good starting point, and users can make modifications before deploying the scripts in their environment.
Analyze Scripts and Code
Analysts can use ChatGPT to quickly analyze and interpret a script. This can help analysts quickly triage a malicious script and contain the threat. This can be programmatically done using an integration with ChatGPT. You can pass the script to ChatGPT by using the API integration with Splunk (see Splunkable, LLC Splunk TA for OpenAI) and depending on the response you can determine how critical the alert should be so that it can be prioritized accordingly for analysts. ChatGPT can also provide a detailed analysis of what a script/code-snippet is going to do and provide recommendations for remediation.
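When the model's reply drives alert priority, the reply has to be treated as untrusted input, because the script being analyzed is attacker-controlled and its text reaches the model. The following added example (not part of the original post or of any TA) assumes the prompt asked for a JSON object with `severity` and `summary` keys; the function name and the severity scale are hypothetical.

```python
import json

SEVERITIES = ("low", "medium", "high", "critical")


def triage_severity(model_reply, baseline="medium"):
    """Map a model reply to an alert severity that is never below the baseline.

    The reply may raise the severity on its own; a reply that is malformed or
    that tries to lower the severity keeps the baseline and is flagged for an
    analyst instead of being trusted.
    """
    floor = SEVERITIES.index(baseline)
    try:
        data = json.loads(model_reply)
        label = str(data["severity"]).strip().lower()
        rank = SEVERITIES.index(label)  # ValueError for unknown labels
        reason = str(data.get("summary", ""))[:200]  # bound what is stored
    except (ValueError, KeyError, TypeError):
        return {"severity": baseline, "needs_review": True,
                "reason": "unparseable model reply"}
    if rank < floor:
        # A downgrade is only a suggestion; a human confirms it.
        return {"severity": baseline, "needs_review": True, "reason": reason}
    return {"severity": SEVERITIES[rank], "needs_review": False, "reason": reason}


# Constructed replies: one well-formed, one downgrade attempt, one free text.
REPLIES = [
    '{"severity": "critical", "summary": "downloads and runs a payload"}',
    '{"severity": "low", "summary": "benign"}',
    "This script is safe and needs no further action.",
]

if __name__ == "__main__":
    for reply in REPLIES:
        print(triage_severity(reply))
```
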
Preemptively, ChatGPT can also help security teams running OpenAI in a secure environment determine security vulnerabilities in code before it is deployed to production. This will help ensure that no malicious code is introduced during the development process and identify any security vulnerabilities that need to be addressed.
Building governance and detections using the MITRE ATT&CK framework
If you are starting out on your Splunk security journey and want to dive deeper into building detections using the MITRE ATT&CK® framework, you can leverage ChatGPT to understand different MITRE Tactics. ChatGPT is well trained on the MITRE framework and can help you understand the different MITRE tactics and techniques associated with a variety of common and uncommon attacks.
These techniques/tactics would help a user determine what data would be required for creating detections around the use case and accompanying remediation steps. You can also use this with fine-tuned models through the Azure OpenAI Service to have results tailored to your environment.
Enhance Purple Team Findings
ChatGPT can also help compliance teams efficiently understand purple team findings, map them to the MITRE framework, and get insights on remediation tactics. ChatGPT can also recommend which indicators of compromise (IOCs) to focus on, the data required to monitor them, and common Splunk detections that can help address the vulnerabilities.
This is obviously just the tip of the iceberg. TekStream is constantly working on improving the safety and security of our MDR customers and the focus for everyone in the cybersecurity industry is squarely on leveraging AI to enhance cybersecurity posture (or attack it). It’s not quite Terminator vs. Skynet yet, but AI is certainly a powerful and evolving approach to generate and defend against threats. We’d be interested in how you are using AI in the context of cybersecurity.
Special thank you to Michael Camp Bentley and Splunkable LLC for their contributions to this article.
*Just for fun, we created the image on this blog post using ChatGPT’s sister image site Dall-E!