Generating KQL from Microsoft Sentinel Incidents with ChatGPT
How does one investigate oneself?
I’m working on a few AI demos for an upcoming session called “Modernizing Your SOC Using Microsoft Sentinel - Modern Security Operations Powered by the Cloud and AI” at the Midwest Management Summit at the Mall of America at the beginning of May.
I believe there’s still time to register to attend, but this conference usually sells out pretty quickly. Register here: https://rodtrent.com/uow
One thing I’ll be demoing at the conference is how to use ChatGPT for several SOC tasks. There’s nothing secret about any of it, and no reason to keep it close to the vest until the conference, particularly for those who can’t attend.
The demo I’m working on today takes a Microsoft Sentinel Incident, asks ChatGPT for both a recommended investigation approach and associated KQL queries that might help enrich the understanding of that Incident, and places the results in the Incident Tasks pane of the Incident. Here’s what the result looks like…
The KQL query response needs to be tweaked a bit. I think I confused ChatGPT in this instance because it was being asked to respond to an Incident involving itself. lol
And here’s the logic behind this if you want to build it yourself using the Microsoft Sentinel Incident trigger and the Open AI GPT3 Logic App connector.
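For readers who want to reproduce the same flow outside the Logic App designer, here is an added Python sketch of the same steps. It is not the post's own Logic App; the sample incident, the function names, the Incident Tasks api-version and the GPT-3 era model name are assumptions to check against the current OpenAI and Microsoft.SecurityInsights references. It builds the prompt from the incident's summary fields and entity types only (so account names, IPs and hostnames never leave the workspace, which is the exposure question raised in the comments), calls the OpenAI Completions endpoint the GPT-3 connector wraps, parses the recommendations and the fenced KQL out of the reply, drops a "query" that does not start with a known table (the kind of confused answer the post mentions), and writes what survives into the incident's Tasks through the Sentinel REST API.

```python
"""Added example, not the post's own Logic App: Sentinel incident -> prompt ->
OpenAI Completions -> parsed reply -> Incident Tasks via the Sentinel REST API.
Sample data, names and API versions below are assumptions; the two network
calls are isolated and injectable so everything else runs offline."""
import json
import re
import urllib.request

# Constructed sample shaped like the Sentinel incident trigger output (assumption).
SAMPLE_INCIDENT = {
    "id": ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-soc"
           "/providers/Microsoft.OperationalInsights/workspaces/sentinel-ws"
           "/providers/Microsoft.SecurityInsights/incidents/11111111-1111-1111-1111-111111111111"),
    "properties": {
        "title": "Atypical sign-in followed by inbox forwarding rule",
        "description": "Sign-in from an unfamiliar location, then a new forwarding "
                       "rule in the user's mailbox.",
        "severity": "High",
        "additionalData": {"tactics": ["InitialAccess", "Persistence"]},
        "relatedEntities": [
            {"kind": "Account", "properties": {"accountName": "jdoe"}},
            {"kind": "Ip", "properties": {"address": "203.0.113.7"}},
        ],
    },
}

# Tables a generated query may start with; extend for your workspace (assumption).
KNOWN_TABLES = {"SecurityAlert", "SecurityIncident", "SigninLogs", "AuditLogs",
                "OfficeActivity", "SecurityEvent", "DeviceEvents"}


def build_prompt(incident):
    """Prompt from summary fields and entity *types* only: entity values (UPNs,
    IPs, hostnames) stay in the workspace. Title/description can still carry
    attacker-influenced strings from the alert, so the reply is treated as
    untrusted text, never executed blindly."""
    p = incident["properties"]
    kinds = sorted({e["kind"] for e in p.get("relatedEntities", [])})
    return "\n".join([
        "You are assisting a Microsoft Sentinel SOC analyst.",
        f"Incident title: {p['title']}",
        f"Severity: {p['severity']}",
        f"Description: {p['description']}",
        "MITRE tactics: " + ", ".join(p["additionalData"].get("tactics", [])),
        "Entity types involved: " + (", ".join(kinds) or "none"),
        "",
        "Reply in exactly this format:",
        "RECOMMENDATIONS:",
        "<numbered investigation steps>",
        "KQL:",
        "```kusto",
        "<one Kusto query over Microsoft Sentinel tables that enriches this incident>",
        "```",
    ])


def parse_reply(text):
    """Return (recommendations, kql); kql is None when no fenced query came back."""
    rec = re.search(r"RECOMMENDATIONS:\s*(.*?)\s*KQL:", text, re.S)
    kql = re.search(r"```(?:kusto|kql)?\s*(.*?)```", text, re.S)
    return (rec.group(1).strip() if rec else text.strip(),
            kql.group(1).strip() if kql else None)


def looks_like_kql(query):
    """Cheap plausibility check, not a parser: the query must start with a known
    table. Catches prose or a query against a table that does not exist."""
    m = re.match(r"\s*([A-Za-z_]\w*)", query or "")
    return bool(m) and m.group(1) in KNOWN_TABLES


def build_task_bodies(recommendations, kql):
    """Incident Task request bodies in the Sentinel REST shape (assumption)."""
    tasks = [{"properties": {"title": "Review AI-suggested investigation approach",
                             "description": recommendations, "status": "New"}}]
    if looks_like_kql(kql):
        tasks.append({"properties": {"title": "Run enrichment KQL (review first)",
                                     "description": kql, "status": "New"}})
    return tasks


def openai_complete(prompt, api_key, model="text-davinci-003"):
    """Completions endpoint the GPT-3 connector wrapped; the model name is the
    GPT-3 era one and may need updating (network call)."""
    req = urllib.request.Request(
        "https://api.openai.com/v1/completions",
        data=json.dumps({"model": model, "prompt": prompt,
                         "max_tokens": 600, "temperature": 0}).encode(),
        headers={"Authorization": f"Bearer {api_key}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["choices"][0]["text"]


def put_incident_task(incident_arm_id, task_id, body, bearer):
    """PUT .../incidents/{id}/tasks/{taskId}; api-version is an assumption (network call)."""
    url = f"https://management.azure.com{incident_arm_id}/tasks/{task_id}?api-version=2023-02-01-preview"
    req = urllib.request.Request(url, method="PUT", data=json.dumps(body).encode(),
                                 headers={"Authorization": f"Bearer {bearer}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


def enrich(incident, api_key, bearer, complete=openai_complete, put=put_incident_task):
    """End-to-end run; `complete` and `put` are injectable so it can be tested offline."""
    recs, kql = parse_reply(complete(build_prompt(incident), api_key))
    bodies = build_task_bodies(recs, kql)
    for i, body in enumerate(bodies, 1):
        put(incident["id"], f"ai-task-{i}", body, bearer)
    return bodies
```

The task created for the query is deliberately titled "review first": the model's answer is untrusted text derived from alert data, so an analyst reads the KQL before it is run, and the table allowlist is only a first filter, not validation.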
There’s plenty more value to achieve here. If you create something yourself, let me know about it.
Wouldn’t that pose an unknown risk of sensitive data getting exposed? Let me put it this way: no database is unhackable; as far as my knowledge goes, it’s all about when and who. What’s your opinion?