Page 142 - Cyber Defense eMagazine August 2024
Rethinking Detection with GenAI
Let's flip the scenario. Imagine a world where all event and state data from internal and external sources is neatly organized in a well-structured JSON store. You have access to an unlimited, cost-effective log store that can organize these JSON documents by attributes such as date and service. Correlating them becomes a manageable problem.
Let's look at the three major technical problems that stand as hurdles to that dream:
● Normalization of Events: Converting unstructured log data from each source into JSON documents that follow predefined, well-structured schemas.
● Abstraction of Events: Picking out the relevant logs to query for a given procedure, in MITRE TTP parlance, in order to understand detection coverage.
● Writing rules for new attack patterns: Writing rules as new threats arise, intelligently selecting the right set of procedures and the corresponding logs.
GenAI presents solid solutions to the key problems above.
Log normalization into structured schemas
An LLM front-ends the unstructured log content, converting it into structured JSON that conforms to the predefined schema and can be written to the JSON store.
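The normalization pipeline described above, as an added example that is not from the article. A small regex parser stands in for the LLM front end (an assumption made so the example runs offline); the part that matters is the fixed schema and the validation gate that every model-produced record must pass before it reaches the store, followed by a correlation query over the stored records. The schema fields, the sample syslog lines, the year used to complete syslog timestamps and the alert threshold are all constructed for this example.

```python
"""
Added example (not from the article): normalize unstructured log lines into a
predefined JSON schema, validate each candidate record before it is stored, and
run a simple correlation over the structured records.

In the article's design an LLM produces the candidate JSON. Here a regex parser
stands in for it (assumption); the schema contract and the validation gate are
the same whatever produced the JSON, and model output is untrusted until it
passes validation.
"""
import ipaddress
import json
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Predefined schema (constructed): field name -> required?
SCHEMA = {
    "timestamp": True,   # ISO-8601, UTC
    "host": True,
    "service": True,
    "event_type": True,  # must be one of ALLOWED_EVENT_TYPES
    "user": False,
    "src_ip": False,     # checked as an IP address when present
    "raw": True,         # original line, kept for forensics
}
ALLOWED_EVENT_TYPES = {"auth_failure", "auth_success"}

# Constructed sample lines, not real log data. Syslog omits the year.
SAMPLE_LOGS = [
    "Jun 14 10:03:11 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 50122 ssh2",
    "Jun 14 10:03:14 web01 sshd[2201]: Failed password for root from 203.0.113.9 port 50130 ssh2",
    "Jun 14 10:04:02 db01 sshd[881]: Accepted publickey for deploy from 192.0.2.7 port 44010 ssh2",
    "Jun 14 10:04:40 web01 sshd[2210]: Failed password for root from 203.0.113.9 port 50141 ssh2",
    "Jun 14 10:05:00 web01 kernel: eth0: link up",  # format this parser does not handle
]

SSHD_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\s?\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed password|Accepted \w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def normalize(line: str, year: int = 2024) -> Optional[Dict]:
    """Stand-in for the LLM front end: one sshd syslog line -> candidate record.
    Returns None when the line is not something this parser understands."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day'].strip()} {m['time']}",
                           "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {
        "timestamp": ts.isoformat(),
        "host": m["host"],
        "service": "sshd",
        "event_type": "auth_failure" if m["outcome"].startswith("Failed") else "auth_success",
        "user": m["user"],
        "src_ip": m["ip"],
        "raw": line,
    }


def validate(record: Dict) -> List[str]:
    """Schema gate. Returns the list of problems; empty means the record may be stored."""
    problems = []
    for field, required in SCHEMA.items():
        if required and field not in record:
            problems.append(f"missing required field {field}")
    for field in record:
        if field not in SCHEMA:
            problems.append(f"unexpected field {field}")
    if record.get("event_type") not in ALLOWED_EVENT_TYPES:
        problems.append("event_type not in allowed set")
    if "src_ip" in record:
        try:
            ipaddress.ip_address(record["src_ip"])
        except ValueError:
            problems.append("src_ip is not an IP address")
    if "timestamp" in record:
        try:
            datetime.fromisoformat(record["timestamp"])
        except (TypeError, ValueError):
            problems.append("timestamp is not ISO-8601")
    return problems


def ingest(lines):
    """Normalize and validate every line; return (stored_records, rejected_lines)."""
    stored, rejected = [], []
    for line in lines:
        rec = normalize(line)
        if rec is None or validate(rec):
            rejected.append(line)  # rejected lines are kept for review, never silently dropped
        else:
            stored.append(rec)
    return stored, rejected


def failed_logins_by_source(records, threshold: int = 3) -> Dict[str, int]:
    """Correlation over the structured store: sources with at least `threshold`
    authentication failures, regardless of target host or user."""
    counts: Dict[str, int] = {}
    for r in records:
        if r["event_type"] == "auth_failure":
            counts[r["src_ip"]] = counts.get(r["src_ip"], 0) + 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    stored, rejected = ingest(SAMPLE_LOGS)
    for r in stored:
        print(json.dumps(r))
    print("rejected:", rejected)
    print("noisy sources:", failed_logins_by_source(stored))
```

The validation step is the piece to keep when the regex parser is replaced by a model: a record that fails the schema check goes to a review queue rather than into the store, so a hallucinated field or a malformed source address cannot quietly poison later correlation.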
Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.