Listen to this Post
Introduction:
Security teams are increasingly turning to AI assistants like and GPT, connecting them via MCP servers to their entire security stack—SIEM, EDR, NDR, ZTNA, IAM, and ticketing systems. While this enables rapid investigations and automations, it inadvertently fragments knowledge, isolates context, and undermines institutional memory. A centralized SOC platform with an AI‑native interface, unifying all tools and preserving investigation history, is emerging as the critical evolution to prevent these silos and truly harness AI’s potential.
Learning Objectives:
- Understand the risks of using standalone AI tools for security investigations.
- Learn how to architect a centralized SOC platform with integrated AI capabilities.
- Implement best practices for unifying security tools and preserving institutional knowledge.
You Should Know
- The Allure and Peril of MCP‑Connected AI in Security Operations
Model Context Protocol (MCP) servers act as middleware, allowing AI models to query your SIEM, EDR, or Jira via APIs. While this speeds up triage, each AI instance becomes a silo—investigations are not shared, and context is lost.
Step‑by‑step: Test a direct AI‑SIEM connection
Example using Python to query Splunk and send data to OpenAI pip install requests splunk-sdk
import splunklib.client as client
import openai
Connect to Splunk
service = client.connect(host="localhost", port=8089, username="admin", password="changeme")
kwargs = {"earliest_time": "-1h", "latest_time": "now", "search_mode": "normal"}
searchquery = "search index=main sourcetype=access_combined | stats count by clientip"
job = service.jobs.create(searchquery, kwargs)
Wait for results and read
while not job.is_done():
pass
reader = job.results()
for result in reader:
events = result
Send to OpenAI for analysis
openai.api_key = "your-key"
response = openai.ChatCompletion.create(
model="gpt-4",
messages=[{"role": "user", "content": f"Summarize these web logs: {events}"}]
)
print(response.choices[bash].message.content)
This simple script bypasses any centralized case management, illustrating how ad‑hoc AI usage creates knowledge gaps.
- How to Expose Your SIEM Data to AI Without Losing Control
To prevent data leakage and maintain audit trails, expose SIEM data via read‑only API keys with strict rate limiting and IP whitelisting. Use a reverse proxy to log every AI query.
Step‑by‑step: Configure a secure API gateway for Elasticsearch
Install Nginx as reverse proxy sudo apt update && sudo apt install nginx
Create an Nginx config `/etc/nginx/sites-available/es-proxy`:
server {
listen 443 ssl;
server_name es-api.yourdomain.com;
ssl_certificate /etc/ssl/certs/yourcert.pem;
ssl_certificate_key /etc/ssl/private/yourkey.key;
location / {
proxy_pass https://localhost:9200;
proxy_set_header Authorization "ApiKey your-base64-api-key";
proxy_set_header X-Forwarded-For $remote_addr;
access_log /var/log/nginx/es-access.log combined;
}
}
Enable and test:
sudo ln -s /etc/nginx/sites-available/es-proxy /etc/nginx/sites-enabled/ sudo nginx -t && sudo systemctl reload nginx Test query via AI curl -k "https://es-api.yourdomain.com/_search?q=" -H "Authorization: ApiKey your-base64-api-key"
All AI queries are now logged, preserving an audit trail.
- Building a Centralized Investigation Hub with Open Source Tools
Combine TheHive (case management), Cortex (analysis engine), and MISP (threat intel) into a unified platform. Then integrate AI to enrich every case.
Step‑by‑step: Install TheHive and connect it to AI
Install TheHive on Ubuntu 22.04 wget -qO - https://raw.githubusercontent.com/TheHive-Project/TheHive/master/install.sh | bash sudo systemctl start thehive
Create a Python script that listens for new alerts and calls GPT for enrichment:
import requests
import json
import openai
thehive_url = "http://localhost:9000"
api_key = "your-thehive-api-key"
Fetch new alerts
headers = {"Authorization": f"Bearer {api_key}"}
alerts = requests.get(f"{thehive_url}/api/alert", headers=headers).json()
for alert in alerts:
if alert["status"] == "New":
prompt = f"Analyze this alert: {alert['title']} - {alert['description']}"
openai.api_key = "your-openai-key"
response = openai.ChatCompletion.create(
model="gpt-4",
messages=[{"role": "user", "content": prompt}]
)
analysis = response.choices[bash].message.content
Update TheHive case with analysis
case_data = {"title": alert["title"], "description": analysis}
requests.post(f"{thehive_url}/api/case", headers=headers, json=case_data)
Now every AI analysis becomes a permanent part of the investigation record.
4. Automating Script Execution from AI: Security Implications
Allowing AI to run scripts (e.g., firewall blocks, host scans) can be catastrophic if not sandboxed. Use Docker containers with stripped capabilities.
Step‑by‑step: Run AI‑triggered automations in a secure container
FROM alpine:latest RUN apk add --no-cache python3 py3-pip COPY script.py /script.py RUN adduser -D restricted USER restricted CMD ["python3", "/script.py"]
Example `script.py` (runs a safe nmap scan on a whitelisted IP):
import subprocess
import sys
target = sys.argv[bash] if len(sys.argv) > 1 else "127.0.0.1"
if target.startswith("10.") or target == "127.0.0.1":
result = subprocess.run(["nmap", "-p", "80,443", target], capture_output=True, text=True)
print(result.stdout)
else:
print("Unauthorized target")
Run from AI orchestration:
docker build -t secure-script . docker run --rm secure-script python3 script.py 10.0.0.1
This containerization prevents host compromise and limits blast radius.
- Unifying IAM and ZTNA Logs for AI‑Powered Threat Hunting
Aggregate logs from Okta and Cloudflare Zero Trust into a central Elasticsearch cluster. Then use AI to detect anomalies across both sources.
Step‑by‑step: Forward logs to Elasticsearch with Logstash
Install Logstash wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add - sudo apt-get install logstash
Create `/etc/logstash/conf.d/iam-ztna.conf`:
input {
http {
port => 5044
codec => json
}
}
filter {
if [bash] == "okta" {
mutate { add_tag => ["iam"] }
}
if [bash] == "cloudflare" {
mutate { add_tag => ["ztna"] }
}
}
output {
elasticsearch {
hosts => ["localhost:9200"]
index => "security-logs-%{+YYYY.MM.dd}"
}
}
Send Okta logs via curl:
curl -XPOST "http://localhost:5044" -H "Content-Type: application/json" -d '{"service":"okta","event":"user_login_failed","user":"john.doe"}'
Now run AI queries across Elasticsearch to correlate failed logins with ZTNA connection anomalies.
- Ensuring Institutional Memory: Building a Knowledge Graph from Past Investigations
Use Neo4j to store investigation data as nodes (alerts, cases, artifacts, users) and relationships. AI can query this graph to avoid repeating work.
Step‑by‑step: Load investigation data into Neo4j
Install Neo4j Community Edition wget -O - https://debian.neo4j.com/neotechnology.gpg.key | sudo apt-key add - sudo apt-get install neo4j sudo systemctl start neo4j
Python script to insert case data:
from neo4j import GraphDatabase
uri = "bolt://localhost:7687"
driver = GraphDatabase.driver(uri, auth=("neo4j", "password"))
def add_investigation(tx, alert_id, case_id, analyst, findings):
tx.run("MERGE (a:Alert {id: $alert_id}) "
"MERGE (c:Case {id: $case_id}) "
"MERGE (u:Analyst {name: $analyst}) "
"MERGE (a)-[:INVESTIGATED_IN]->(c) "
"MERGE (u)-[:HANDLED]->(c) "
"SET c.findings = $findings",
alert_id=alert_id, case_id=case_id, analyst=analyst, findings=findings)
with driver.session() as session:
session.execute_write(add_investigation, "alert-123", "case-456", "jsmith", "Phishing campaign")
AI can then query: “Show me similar cases to alert-123” via Cypher.
- Mitigating the Silos: Implementing a Unified SOAR with AI Integration
A SOAR platform like Shuffle can orchestrate all tools and inject AI at every step, ensuring all actions are logged and share context.
Step‑by‑step: Create an AI‑enriched SOAR playbook in Shuffle
1. Install Shuffle:
docker run -p 3001:3001 -v /var/run/docker.sock:/var/run/docker.sock ghcr.io/shuffle/shuffle:latest
2. Open Shuffle web UI at `http://localhost:3001`.
3. Create a new workflow:
- Trigger: Webhook (receives alert from SIEM)
- Action: HTTP (fetch threat intel from MISP)
- Action: Python (call OpenAI to summarize)
- Action: TheHive (create case with summary)
- Action: Email (notify analyst)
Example Python action code in Shuffle:
import openai
openai.api_key = "sk-..."
def shuffle_function(input):
alert = input["alert"]
response = openai.ChatCompletion.create(
model="gpt-4",
messages=[{"role": "user", "content": f"Summarize this alert: {alert}"}]
)
return {"summary": response.choices[bash].message.content}
Every step is tracked, and the summary is stored in TheHive, accessible to all analysts.
What Undercode Say:
- Key Takeaway 1: AI integration without centralization fragments knowledge and erodes institutional memory.
- Key Takeaway 2: A unified platform with an AI‑native interface preserves context, accelerates response, and prevents redundant investigations.
The trend of connecting generic AI chatbots directly to security tools is a double‑edged sword: it empowers individual analysts but risks creating data silos. Without a central repository for investigations and automations, context is lost, and teams repeat work. Organizations must invest in integrated platforms that combine AI with centralized case management, knowledge graphs, and SOAR capabilities. This not only preserves history but also enables AI to learn from past investigations, turning isolated experiments into a collective defense advantage. The future belongs to AI‑native SOC platforms that treat every alert, investigation, and response as part of a living knowledge base.
Prediction:
Within two years, we will witness the emergence of “AI‑Native SOC Platforms” that replace traditional SIEM/SOAR tools. These platforms will feature natural language interfaces as the primary means of investigation and response, backed by built‑in knowledge graphs that retain all institutional knowledge. This shift will reduce mean time to detect (MTTD) and respond (MTTR) by over 50%, but will also demand new skill sets—SOC analysts will need to become adept at prompt engineering and AI workflow design. The winners will be those who break down silos today and build a unified, AI‑driven security operations center.
▶️ Related Video (70% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Filipstojkovski Is – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
