For Cybersecurity Analysts
What you'll accomplish
By the end of this guide, you'll be able to use ChatGPT to draft SIEM detection rules (Splunk SPL, Microsoft Sentinel KQL, or Sigma format) for attack behaviors you want to detect. What used to take 2–3 hours of documentation-reading and query testing can take 20–30 minutes, and junior analysts can produce rules they could not write from scratch. Treat every generated query as a draft: it still has to be run against your own data, checked for false positives, and tuned before it goes into production.
What you'll need
Before opening ChatGPT, know what you're trying to detect. You need:
Tip: Start with MITRE ATT&CK. If you know the technique ID (e.g., T1110 — Brute Force), include it in your prompt for more precise results.
Go to chat.openai.com and start a new conversation. Begin by giving context before asking for the rule:
Type: "I'm a security analyst and I need to write detection rules. Our SIEM is [Splunk / Microsoft Sentinel / Elastic]. Our Windows logs are ingested using [WEC / Sysmon / native event forwarding]. I'll describe behaviors I want to detect, and you'll write the query."
What you should see: ChatGPT acknowledges your setup and is ready to write queries.
Troubleshooting: If ChatGPT says it can't write SIEM queries, just proceed with your request — it will usually comply when given a specific technical question.
Describe the behavior in detail, not just the technique name. The more specific you are, the better the query.
Good prompt structure: "Write a [Splunk SPL / Microsoft Sentinel KQL / Sigma] query to detect [specific behavior]. The relevant fields in our logs are: [field names if you know them]. Detection criteria: [specific conditions — thresholds, time windows, field values]."
Example: "Write a Splunk SPL query to detect brute force login attempts: 5 or more failed Windows authentication events (Event ID 4625) within 5 minutes from the same source IP, followed by a successful login (Event ID 4624) from that same IP within 10 minutes."
What you should see: A complete, formatted SIEM query with field names, time windows, and aggregation logic.
After getting the query, ask: "Explain what each part of this query does, and what thresholds I might want to adjust based on environment size."
This gives you:
What you should see: A clear explanation you can paste into your detection rule documentation.
If you want a platform-agnostic version, ask: "Now write this same detection as a Sigma rule." Sigma rules can be converted into the query languages of most major SIEMs (for example with sigma-cli and its pySigma backends) and are useful for sharing with your community or storing in your detection library. One caveat: a plain Sigma rule describes a match on a single event, so a "5 failures, then a success" sequence needs either the newer Sigma correlation rule syntax or a threshold added after conversion in the target SIEM.
Copy the query and paste it into your SIEM's search interface. Run it against historical data (last 30 days) to see if it produces results. Check:
If you get too many false positives, describe the issue back to ChatGPT: "This query returns 200 results daily, mostly from our helpdesk password reset system at IP 10.10.5.20. How can I exclude that IP and raise the threshold to 10 failures?"
What you should see: A revised query that excludes the helpdesk IP and uses the new threshold. Record every exclusion you add in the rule documentation; each one is a blind spot for anything that reaches that host.
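The detection this procedure builds (failures within a window, then a success from the same IP), with the threshold and IP exclusion from the tuning step as parameters, as an added Python reference implementation. It is not code from the original guide and not a replacement for the SPL or KQL your SIEM runs; the events, IPs and account names are constructed for the example. Running the same logic over a CSV export of your real 4624/4625 events is a cheap way to sanity-check the numbers ChatGPT's query returns and to see how the thresholds behave before you commit them to a rule.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625   # Windows Security: an account failed to log on
SUCCESS_LOGON = 4624  # Windows Security: an account was successfully logged on

# Constructed sample events, not real log data: (timestamp, EventID, source IP, account).
# 203.0.113.7 sprays three accounts and then gets in; 10.10.5.20 is the helpdesk
# password-reset box from the tuning step; 192.0.2.44 is a user with typos; and
# 198.51.100.9 is a slow attacker whose failures never fall inside one 5-minute window.
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", 4625, "10.10.5.20", "user1"),
    ("2024-05-01T09:00:05", 4625, "203.0.113.7", "svc_backup"),
    ("2024-05-01T09:00:10", 4625, "10.10.5.20", "user2"),
    ("2024-05-01T09:00:20", 4625, "203.0.113.7", "svc_backup"),
    ("2024-05-01T09:00:20", 4625, "10.10.5.20", "user3"),
    ("2024-05-01T09:00:30", 4625, "10.10.5.20", "user4"),
    ("2024-05-01T09:00:40", 4625, "10.10.5.20", "user5"),
    ("2024-05-01T09:00:50", 4625, "10.10.5.20", "user6"),
    ("2024-05-01T09:01:02", 4625, "203.0.113.7", "administrator"),
    ("2024-05-01T09:01:40", 4625, "203.0.113.7", "administrator"),
    ("2024-05-01T09:02:15", 4625, "203.0.113.7", "jsmith"),
    ("2024-05-01T09:03:00", 4624, "10.10.5.20", "user6"),
    ("2024-05-01T09:08:30", 4624, "203.0.113.7", "jsmith"),
    ("2024-05-01T10:00:00", 4625, "192.0.2.44", "bob"),
    ("2024-05-01T10:00:30", 4625, "192.0.2.44", "bob"),
    ("2024-05-01T10:01:00", 4625, "192.0.2.44", "bob"),
    ("2024-05-01T10:01:30", 4624, "192.0.2.44", "bob"),
    ("2024-05-01T11:00:00", 4625, "198.51.100.9", "administrator"),
    ("2024-05-01T11:05:00", 4625, "198.51.100.9", "administrator"),
    ("2024-05-01T11:10:00", 4625, "198.51.100.9", "administrator"),
    ("2024-05-01T11:15:00", 4625, "198.51.100.9", "administrator"),
    ("2024-05-01T11:20:00", 4625, "198.51.100.9", "administrator"),
    ("2024-05-01T11:21:00", 4624, "198.51.100.9", "administrator"),
]


def detect_brute_force(events, fail_threshold=5, fail_window_min=5,
                       success_window_min=10, exclude_ips=frozenset()):
    """Return one finding per source IP whose failures reach fail_threshold inside
    fail_window_min minutes and are followed by a success within success_window_min
    minutes of the last failure in that burst. exclude_ips mirrors the SIEM
    exclusion added in the tuning step."""
    fail_window = timedelta(minutes=fail_window_min)
    success_window = timedelta(minutes=success_window_min)
    by_ip = defaultdict(lambda: {"fail": [], "ok": []})
    for ts, event_id, ip, account in events:
        if ip in exclude_ips:
            continue
        if event_id == FAILED_LOGON:
            by_ip[ip]["fail"].append((datetime.fromisoformat(ts), account))
        elif event_id == SUCCESS_LOGON:
            by_ip[ip]["ok"].append(datetime.fromisoformat(ts))

    findings = []
    for ip, data in by_ip.items():
        fails = sorted(data["fail"])
        successes = sorted(data["ok"])
        # Slide the window: treat each failure as a potential start of a burst.
        for i, (start, _) in enumerate(fails):
            burst = [f for f in fails[i:] if f[0] - start <= fail_window]
            if len(burst) < fail_threshold:
                continue
            last_fail = burst[-1][0]
            success = next((t for t in successes
                            if last_fail < t <= last_fail + success_window), None)
            if success is None:
                continue
            findings.append({
                "ip": ip,
                "failure_count": len(burst),
                "accounts": sorted({acct for _, acct in burst}),
                "success_time": success.isoformat(),
            })
            break  # one finding per IP is enough to raise an alert
    return sorted(findings, key=lambda f: f["ip"])


if __name__ == "__main__":
    print("untuned:", detect_brute_force(SAMPLE_EVENTS))
    print("tuned:  ", detect_brute_force(SAMPLE_EVENTS, fail_threshold=10,
                                         exclude_ips={"10.10.5.20"}))
```

The slow attacker (198.51.100.9) is the case worth noticing: five failures and a success, but spaced five minutes apart, so a 5-minute window never sees more than two of them. Widening the window to 30 minutes catches it, at the cost of more noise from users who mistype a password over a coffee break; that trade-off is exactly what the "what thresholds might I adjust" follow-up question is for.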
Brute force detection (Sentinel KQL):
Write a Microsoft Sentinel KQL query to detect brute force: 10+ failed sign-ins (SigninLogs where ResultType != "0") within 5 minutes from the same IPAddress, followed by a success from that IP within 15 minutes. Return: IP, user accounts targeted, failure count, success time.
Lateral movement via PsExec (Splunk):
Write a Splunk SPL query to detect lateral movement using PsExec. We ingest the Windows System and Security logs. Use EventID 7045 (new service installed, System log) where the service name contains "PSEXESVC", correlated with EventID 4624 logon type 3 (network logon) on the same host shortly before the install; the IpAddress field of the 4624 gives the source. Alert if the same source reaches more than 2 hosts in 30 minutes.
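Added Python reference implementation (not code from the original guide) of the correlation this prompt asks for, to make the two-stage logic concrete: first join each PSEXESVC install (7045, System log) to the network logon (4624 type 3) that preceded it on the same host, which is where the source IP comes from, then count distinct hosts per source inside a sliding window. Hosts, IPs, accounts and timings are constructed; the 60-second lookback is an assumption you would tune to your environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real logs. Event 7045 is written to the System log
# of the host where the service was installed; 4624 to that host's Security log.
SERVICE_INSTALLS = [  # (timestamp, host, EventID, ServiceName)
    ("2024-05-01T08:00:15", "SRV01", 7045, "PSEXESVC"),   # admin on one host only
    ("2024-05-01T09:30:00", "WS05", 7045, "Sysmon64"),    # unrelated service install
    ("2024-05-01T13:00:40", "WS01", 7045, "PSEXESVC"),
    ("2024-05-01T13:05:12", "WS02", 7045, "PSEXESVC"),
    ("2024-05-01T13:12:03", "WS03", 7045, "psexesvc"),    # case varies in the wild
    ("2024-05-01T13:20:00", "WS04", 7045, "PSEXESVC"),    # no type-3 logon just before
]
LOGONS = [  # (timestamp, host, EventID, LogonType, IpAddress, TargetUserName)
    ("2024-05-01T08:00:10", "SRV01", 4624, 3, "10.0.0.5", "adm_kim"),
    ("2024-05-01T13:00:35", "WS01", 4624, 3, "10.0.0.50", "jdoe"),
    ("2024-05-01T13:05:05", "WS02", 4624, 3, "10.0.0.50", "jdoe"),
    ("2024-05-01T13:11:58", "WS03", 4624, 3, "10.0.0.50", "jdoe"),
    ("2024-05-01T13:19:00", "WS04", 4624, 10, "10.0.0.50", "jdoe"),  # RDP, not network
]


def attribute_psexec_installs(installs, logons, lookback_sec=60):
    """Join each PSEXESVC install to the most recent network logon (4624, type 3)
    on the same host within lookback_sec seconds. The logon supplies the source IP
    and account that the 7045 event itself does not carry."""
    by_host = defaultdict(list)
    for ts, host, event_id, logon_type, ip, user in logons:
        if event_id == 4624 and logon_type == 3:
            by_host[host].append((datetime.fromisoformat(ts), ip, user))

    attributed = []
    for ts, host, event_id, service in installs:
        if event_id != 7045 or "psexesvc" not in service.lower():
            continue
        t_install = datetime.fromisoformat(ts)
        candidates = [l for l in by_host[host]
                      if 0 <= (t_install - l[0]).total_seconds() <= lookback_sec]
        if not candidates:
            # A PsExec service with no attributable source is still suspicious;
            # it belongs in a separate, lower-confidence alert rather than here.
            continue
        t_logon, ip, user = max(candidates)  # latest logon before the install
        attributed.append({"time": t_install, "host": host,
                           "source_ip": ip, "account": user})
    return attributed


def detect_lateral_movement(attributed, window_min=30, min_hosts=3):
    """Alert when one source IP installs PSEXESVC on at least min_hosts distinct
    hosts inside a window_min-minute sliding window ('more than 2 hosts in 30 min')."""
    window = timedelta(minutes=window_min)
    by_source = defaultdict(list)
    for a in attributed:
        by_source[a["source_ip"]].append(a)

    findings = []
    for ip, items in by_source.items():
        items.sort(key=lambda a: a["time"])
        for i, first in enumerate(items):
            in_window = [a for a in items[i:] if a["time"] - first["time"] <= window]
            hosts = sorted({a["host"] for a in in_window})
            if len(hosts) >= min_hosts:
                findings.append({
                    "source_ip": ip,
                    "hosts": hosts,
                    "accounts": sorted({a["account"] for a in in_window}),
                    "first": first["time"].isoformat(),
                    "last": in_window[-1]["time"].isoformat(),
                })
                break  # one alert per source is enough
    return findings


if __name__ == "__main__":
    joined = attribute_psexec_installs(SERVICE_INSTALLS, LOGONS)
    for f in detect_lateral_movement(joined):
        print(f)
```

The join on host plus a short lookback is the part ChatGPT most often gets wrong in SPL (it tends to join on source IP, which 7045 does not have). Check that the generated query correlates on the computer name, not on a field that exists in only one of the two logs.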
Data exfiltration detection (Sigma):
Write a Sigma rule to detect potential data exfiltration: unusually large outbound transfers (>100MB) to external IPs via protocols HTTP, HTTPS, or FTP, from workstations (not servers). Flag if the destination domain is new (not seen in last 30 days).
Expect pushback on this one: a byte-volume threshold and a 30-day "first seen" baseline cannot be expressed in a single-event Sigma rule, so ChatGPT should either produce the rule as field matches on the outbound connection and tell you the volume and baseline logic has to live in the SIEM, or use the Sigma correlation rule syntax. It will also need a hostname pattern or asset list to tell workstations from servers.
Persistence via scheduled task (Sentinel KQL):
Write a Sentinel KQL query using SecurityEvent logs to detect scheduled task creation (EventID 4698) by non-admin accounts, where the task action (in the event's TaskContent XML) runs a script from a user-writable directory such as %TEMP%, %APPDATA%, or C:\Users\Public.
Give ChatGPT your admin account list or naming convention in the prompt; the event's SubjectUserName alone does not say whether the creator is an administrator.