AI Analysis

Sentinel Nerd leverages GPT-4 to analyze security events, provide contextual threat assessments, and generate human-readable incident summaries.

Note

AI Analysis is available on Pro and Enterprise plans. Starter plans include 100 AI analyses per month.

How It Works

When an alert triggers or when you manually request analysis, Sentinel Nerd sends the event context to GPT-4 with security-specific prompts. The AI analyzes:

  1. Event context — What happened, which devices and users were involved
  2. Threat assessment — How severe is this, what's the likely intent
  3. Historical patterns — Has this source/target been seen before
  4. Recommended actions — What should you do next

AI Analysis Output

Each analysis produces a structured response:

AI Analysis Response
{
  "analysis_id": "ai_abc123",
  "event_id": "evt_xyz789",
  "summary": "SSH brute force attack from known malicious IP in Beijing, China. The source IP has 142 abuse reports on AbuseIPDB and is associated with a botnet campaign targeting SSH services.",
  "threat_score": 87,
  "confidence": 0.92,
  "classification": "Credential Stuffing / Brute Force",
  "mitre_attack": {
    "tactic": "Credential Access",
    "technique": "T1110.001 - Brute Force: Password Guessing"
  },
  "recommendations": [
    "Block source IP 203.0.113.42 immediately",
    "Review SSH access logs for successful logins from this IP",
    "Enable key-based authentication and disable password auth",
    "Consider geo-blocking SSH access from CN"
  ],
  "related_events": 23,
  "false_positive_likelihood": "low"
}

MITRE ATT&CK Mapping

AI analysis automatically maps threats to the MITRE ATT&CK framework, providing:

  • Tactic and technique identification
  • Sub-technique classification where applicable
  • Links to MITRE documentation
  • Related techniques that may indicate lateral movement

Automated Analysis Triggers

Configure which events automatically receive AI analysis:

AI Analysis Configuration

ai_analysis:
  auto_analyze:
    - severity: critical
      always: true
    - severity: high
      conditions:
        - threat_score_gt: 70
        - source_is_external: true
    - severity: medium
      conditions:
        - first_occurrence: true
  daily_summary: true
  weekly_report: true
  model: gpt-4
  max_tokens: 1000

Interactive Analysis

From any event or alert in the dashboard, click Analyze with AI to get an on-demand analysis. You can also ask follow-up questions:

  • "Is this related to the incidents we saw last week?"
  • "What would the attacker's next steps likely be?"
  • "Should I block the entire subnet or just this IP?"
  • "Draft an incident report for this alert."

Daily and Weekly Reports

AI-generated reports (Pro) summarize your security posture:

  • Daily summary — Top threats, new patterns, alert statistics
  • Weekly report — Trend analysis, rule effectiveness, recommendations
  • Monthly executive brief (Enterprise) — High-level security posture overview

Data Privacy

AI analysis sends only the minimum necessary event data to OpenAI's API. Specifically:

  • IP addresses and port numbers
  • Event types and severity
  • Threat intelligence enrichment data
  • Rule match metadata

No user credentials, personal data, or raw packet captures are ever sent to the AI model. See our Privacy Policy for full details.

Private AI deployment

Enterprise plans can use a private Azure OpenAI deployment, ensuring event data never leaves your cloud environment. Contact sales for setup assistance.
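As an added example (not Sentinel Nerd's own code), the following Python evaluates the auto_analyze policy from the configuration above and reduces an event to the four field categories listed under Data Privacy before anything is sent to the model. The concrete field names and the assumption that every condition in a rule must hold (the page does not state AND vs. OR) are assumptions.

```python
from typing import Any, Dict

# Constructed to mirror the ai_analysis YAML configuration shown on this page.
AI_ANALYSIS_CONFIG: Dict[str, Any] = {
    "auto_analyze": [
        {"severity": "critical", "always": True},
        {"severity": "high", "conditions": [
            {"threat_score_gt": 70}, {"source_is_external": True}]},
        {"severity": "medium", "conditions": [{"first_occurrence": True}]},
    ],
}

# Assumed field names for the page's four allowed categories:
# IP/port, event type/severity, threat-intel enrichment, rule match metadata.
ALLOWED_FIELDS = {"src_ip", "src_port", "dst_ip", "dst_port", "event_type",
                  "severity", "threat_intel", "rule_match"}


def _condition_holds(event: Dict[str, Any], cond: Dict[str, Any]) -> bool:
    """Evaluate one condition entry; unknown keys fail closed (no analysis)."""
    key, expected = next(iter(cond.items()))
    if key.endswith("_gt"):                      # e.g. threat_score_gt: 70
        value = event.get(key[:-3])
        return value is not None and value > expected
    if key in ("source_is_external", "first_occurrence"):
        return bool(event.get(key)) == expected
    return False


def should_auto_analyze(event: Dict[str, Any],
                        config: Dict[str, Any] = AI_ANALYSIS_CONFIG) -> bool:
    """True if the rule for the event's severity triggers automatic analysis."""
    for rule in config.get("auto_analyze", []):
        if rule.get("severity") != event.get("severity"):
            continue
        if rule.get("always"):
            return True
        # Assumption: all listed conditions must hold.
        return all(_condition_holds(event, c) for c in rule.get("conditions", []))
    return False  # no rule for this severity (e.g. "low") -> manual only


def minimize_event(event: Dict[str, Any]) -> Dict[str, Any]:
    """Allow-list filter: credentials, payloads and other extras never leave."""
    return {k: v for k, v in event.items() if k in ALLOWED_FIELDS}
```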