Integrate ChatGPT and Splunk in Sysmon Log Analysis
Integrate ChatGPT and Splunk in Sysmon Log Analysis
In this project, we attempt to use two add-ons of Splunk: “OB OpenAI ChatGPT” and “Sysmon Splunk Add-on for Microsoft Windows” to integrate Splunk and ChatGPT for analyzing Sysmon events, exploring the applications of artificial intelligence in incident response.
Tools
| Tool | version |
|---|---|
| Sysmon | v15.0 |
| Splunk | Enterprise Server 9.1.0.1 |
| ChatGPT | ChatGPT-4 API |
| OB OpenAI ChatGPT | 1.0.2 |
| Splunk Add-on for Microsoft Windows | 8.7.0 |
Process
Install Splunk
This project uses a trial version of Splunk Enterprise, which can be registered and downloaded from the official Splunk website.
https://www.splunk.com/en_us/download.html?301=/en_us/download/get-started-with-your-free-trial.html
Install Sysmon
Sysmon can be downloaded from Microsoft Sysinternal official website.
https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
After downloading Sysmon, you can easily install it with command:
./sysmon64.exe -i
Add Sysmon data into Splunk
To upload Sysmon events from Windows to Splunk, you need the Splunk add-on “Splunk Add-on for Microsoft Windows”.
Click Apps>Find more Apps on Splunk Menu.
Search: “Splunk Add-on for Microsoft Windows” and click install.
Login with your Splunk account and install.
Click Setting>Add-Data on the top menu.
Click Operating System.
Click Microsoft Windows.
Click Next.
Select Single Instence and click next.
Click Finish.
Click Setting>Data inputs.
Click “Local event log collection”.
Select “Microsoft-Windows-Sysmon/Operational” and click Save.
Now you may have Sysmon log uploaded to Splunk.
Go to Splunk Search and Search with this query. See if you can get your Sysmon log.
index=main source="WinEventLog:Microsoft-Windows-Sysmon/Operational"
| head 1
Connect Splunk with ChatGPT
To connect Splunk with ChatGPT API, you need the Splunk add-on “OB OpenAI ChatGPT”.
Follow the same process of install Add-on on Splunk and install “OB OpenAI ChatGPT” with your Splunk account.
After downloading the OB OpenAI ChatGPT Add-on, you need to set up your ChatGPT Orgnization ID and API key.
Open the app> Configuration> Add-on Settings> paste you API key and Organization ID> Save.
Your Organization ID and API key and be found here:
https://beta.openai.com/account/org-settings
https://beta.openai.com/account/api-keys
Integrate ChatGPT and Splunk in Sysmon Log Analysis
Now, let’s try to send Sysmon events to ChatGPT and let it analyze it for you.
To customize or formating the ChatGPT response, role setting is an important thing.
The role I assigned to ChatGPT as following:
“You are a knowledgeable assistant specialized in sysmon data, provide a very brief summary, conclusion, risky score ? out of 100 and response recommendation. for the following Sysmon log events, no need to explain individual fields.”
The command is:
index=main source="WinEventLog:Microsoft-Windows-Sysmon/Operational"
| head 3
| rename _raw as r
| obopenai prompt=r system_role="You are a knowledgeable assistant specialized in sysmon data, provide a very brief summary, conclusion, risky score ? out of 100 and response recommendation. for the following Sysmon log events, no need to explain individual fields."
| spath input=gpt_response output=response_content path="choices{0}.message.content"
| table r response_content
I query 3 Sysmon events and rename the _raw field as r then send it to ChatGPT with the role I setted for ChatGPT.
Here is the result.
Although the answer is still a bit Generic, it seems acceptable for a preliminary Triage.
More ChatGPT Add-on usage can be found in the following article.
https://github.com/nadavc2c/TA-ob-openai-chatgpt
Comments
Post a Comment