Page 1 of 7

What you'll accomplish

By the end of this guide, you'll be able to use ChatGPT to draft SIEM detection rules — Splunk SPL, Microsoft Sentinel KQL, or Sigma format — for attack behaviors you want to detect. What used to take 2–3 hours of documentation-reading and query testing will take 20–30 minutes, and junior analysts will be able to write rules they couldn't write on their own.

What you'll need

  • A free ChatGPT account at chat.openai.com (no subscription required for this use case)
  • Knowledge of which SIEM platform your organization uses (Splunk, Sentinel, QRadar, Elastic, etc.)
  • A specific attack behavior or MITRE ATT&CK technique you want to detect
  • Time needed: 30 minutes for your first rule; 10–15 minutes for subsequent rules
  • Cost: Free

How-To Guide: Write SIEM Detection Rules with ChatGPT

Step 1: Choose your detection target

Before opening ChatGPT, know what you're trying to detect. You need:

  • The attack technique (e.g., "brute force logins," "Kerberoasting," "lateral movement via PsExec")
  • Your SIEM platform (Splunk, Microsoft Sentinel, Elastic, QRadar)
  • The data source/log type that would show this activity (authentication logs, Windows Event Logs, firewall logs, DNS logs)

Tip: Start with MITRE ATT&CK. If you know the technique ID (e.g., T1110 — Brute Force), include it in your prompt for more precise results.
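Before you paste a drafted rule into production, it helps to know exactly what logic you are asking for. The following Python block is an added example, not part of this guide and not output from ChatGPT: it expresses the T1110 brute-force case from the tip above as plain detection logic (at least five failed Windows logons, EventID 4625, from one source address inside a five-minute window) and runs it over a handful of constructed log lines. The line format, the threshold, the window and the field names are all assumptions chosen for the example; the Splunk SPL shape in the comment assumes an `index=wineventlog` source with `EventCode` and `src_ip` fields.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events modelled on Windows Security EventID 4625 (failed
# logon) and 4624 (successful logon). Not real telemetry.
SAMPLE_LOG = """\
2024-05-01T09:00:05 EventID=4625 TargetUserName=alice IpAddress=10.0.0.5 LogonType=3
2024-05-01T09:00:12 EventID=4625 TargetUserName=alice IpAddress=10.0.0.5 LogonType=3
2024-05-01T09:00:20 EventID=4625 TargetUserName=bob IpAddress=10.0.0.5 LogonType=3
2024-05-01T09:00:31 EventID=4625 TargetUserName=bob IpAddress=10.0.0.5 LogonType=3
2024-05-01T09:00:44 EventID=4625 TargetUserName=carol IpAddress=10.0.0.5 LogonType=3
2024-05-01T09:00:58 EventID=4625 TargetUserName=carol IpAddress=10.0.0.5 LogonType=3
2024-05-01T09:01:10 EventID=4624 TargetUserName=alice IpAddress=10.0.0.5 LogonType=3
2024-05-01T09:03:00 EventID=4625 TargetUserName=dave IpAddress=10.0.0.9 LogonType=2
2024-05-01T09:30:00 EventID=4625 TargetUserName=alice IpAddress=10.0.0.5 LogonType=3
"""

# Hypothetical Splunk SPL with the same meaning (field names are assumptions):
#   index=wineventlog EventCode=4625
#   | bucket _time span=5m
#   | stats count by _time, src_ip
#   | where count >= 5

TECHNIQUE_ID = "T1110"  # MITRE ATT&CK: Brute Force


def parse_events(text):
    """Turn 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        tokens = line.split()
        event = {"ts": datetime.fromisoformat(tokens[0])}
        for token in tokens[1:]:
            key, _, value = token.partition("=")
            event[key] = value
        events.append(event)
    return events


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: max_failures_in_window} for every source address
    that produced at least `threshold` EventID 4625 events inside any
    `window`-long interval. Successful logons (4624) are ignored here."""
    failures = defaultdict(list)
    for event in events:
        if event.get("EventID") == "4625":
            failures[event["IpAddress"]].append(event["ts"])

    hits = {}
    for ip, times in failures.items():
        times.sort()
        start, best = 0, 0
        # Sliding window: advance `start` until the span fits inside `window`.
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[ip] = best
    return hits


def build_alerts(hits):
    """Attach the ATT&CK technique ID so the alert maps back to the target
    chosen in Step 1."""
    return [
        {"technique": TECHNIQUE_ID, "src_ip": ip, "failed_logons": count}
        for ip, count in sorted(hits.items())
    ]


if __name__ == "__main__":
    for alert in build_alerts(detect_brute_force(parse_events(SAMPLE_LOG))):
        print(alert)
```

Only 10.0.0.5 fires: six failures land inside one minute, the single failure from 10.0.0.9 stays below the threshold, and the later 09:30 failure from 10.0.0.5 does not join the earlier run because it falls outside the window. Whatever rule the assistant drafts for you, check it against a small known-good and known-bad set like this before trusting it.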