Rod’s Blog

Generating KQL from Microsoft Sentinel Incidents with ChatGPT

How does one investigate oneself?

Rod Trent
Mar 24, 2023
I’m working on a few AI demos for an upcoming session called “Modernizing Your SOC Using Microsoft Sentinel - Modern Security Operations Powered by the Cloud and AI” at the Midwest Management Summit at the Mall of America at the beginning of May.

I believe there’s still time to register to attend, but this conference usually sells out pretty quick. Register here: https://rodtrent.com/uow

One thing I’ll be demoing at the conference is how to utilize ChatGPT for several things. There’s nothing secret about any of it, nor any reason to keep these things close to the vest until the conference, particularly for those who can’t attend.


The demo I’m working on today pulls in both recommendations on how to approach the Incident and associated KQL queries that might help enrich understanding of it, and places them in the Incident Tasks pane of the Incident. Here’s what the result looks like…

The KQL query response needs to be tweaked a bit. I think I confused ChatGPT in this instance because it was being asked to respond to an Incident involving itself. lol

And here’s the logic behind this if you want to build it yourself using the Microsoft Sentinel Incident trigger and the Open AI GPT3 Logic App connector.
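A script-level sketch of the same pipeline, added here as an example and not the post’s own Logic App: it builds the prompt from incident fields, parses the completion into recommendations and a KQL block, and only turns the query into an Incident Task after a basic check, which covers the case mentioned above where the returned KQL still needs tweaking. The sample incident, the sample completion and the table allow-list are constructed for the example.

```python
import re

# Constructed sample incident, shaped like the fields the Sentinel
# incident trigger exposes; not a real incident.
SAMPLE_INCIDENT = {
    "title": "Suspicious sign-in from unfamiliar location",
    "severity": "Medium",
    "description": "User signed in from a country not seen in the last 30 days.",
}

# Constructed sample completion in the format the prompt below asks for.
SAMPLE_RESPONSE = """Recommendations:
1. Confirm with the user whether the sign-in was expected.
2. Review other sign-ins for the same account in the last 24 hours.

KQL:
SigninLogs
| where TimeGenerated > ago(24h)
| summarize count() by UserPrincipalName, Location
"""

# Assumed allow-list: tables a generated query may start with.
ALLOWED_TABLES = {"SigninLogs", "SecurityEvent", "SecurityAlert", "OfficeActivity"}

def build_prompt(incident: dict) -> str:
    """Turn incident fields into the text sent to the completion model."""
    return (
        "You are assisting a SOC analyst. For the Microsoft Sentinel incident "
        "below, list investigation recommendations, then one KQL query that "
        "enriches it. Use a 'Recommendations:' and a 'KQL:' section.\n\n"
        f"Title: {incident['title']}\nSeverity: {incident['severity']}\n"
        f"Description: {incident['description']}"
    )

def parse_response(text: str) -> dict:
    """Split the completion into recommendation lines and the KQL block."""
    m = re.search(r"Recommendations:\s*(.*?)\n\s*KQL:\s*(.*)", text, re.S)
    if not m:
        return {"recommendations": [], "kql": ""}
    recs = [l.strip() for l in m.group(1).splitlines() if l.strip()]
    return {"recommendations": recs, "kql": m.group(2).strip()}

def validate_kql(query: str) -> bool:
    """Accept only a query that starts from an allow-listed table and
    contains no management command (a line beginning with '.')."""
    lines = [l.strip() for l in query.splitlines() if l.strip()]
    if not lines or any(l.startswith(".") for l in lines):
        return False
    return lines[0].split("|")[0].strip() in ALLOWED_TABLES

def make_tasks(incident: dict, response: str) -> list:
    """Build Incident Task entries; a run task is added only if the KQL validates."""
    parsed = parse_response(response)
    tasks = [{"title": "Review recommendations", "description": "\n".join(parsed["recommendations"])}]
    if validate_kql(parsed["kql"]):
        tasks.append({"title": "Run enrichment query", "description": parsed["kql"]})
    else:
        tasks.append({"title": "Fix generated KQL before running", "description": parsed["kql"] or "(no query returned)"})
    return tasks
```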

There’s plenty more value to achieve here. If you create something yourself, let me know about it.


[Want to discuss this further? Hit me up on Twitter or LinkedIn]

[Subscribe to the RSS feed for this blog]

[Subscribe to the Weekly Microsoft Sentinel Newsletter]

[Subscribe to the Weekly Microsoft Defender Newsletter]

[Learn KQL with the Must Learn KQL series and book]

Rod’s Blog is a reader-supported publication. To receive new posts and support my work, consider becoming a free or paid subscriber.

2 Comments
Harvey
Jun 22

Wouldn’t that pose an unknown risk of sensitive data getting exposed? Let me put it this way: no database is unhackable, as far as my knowledge goes; it is all about when and who. What’s your opinion?
