GPT integrations

Corelight Investigator (Investigator) integrates with OpenAI’s GPT models to provide AI-driven analysis of detected threats, network traffic data, threat metadata, and alerts (“AI Features”). Investigator’s AI Features are configured using the GPT integrations available from the settings menu.

Investigator administrators can manage these integrations to control what data is shared with OpenAI and which AI Features are available to analysts.

Both GPT integrations are enabled by default for new tenants:

  • GPT (Non-Private data): Analyzes standard Corelight rules and alerts to deliver better descriptions of rule logic and generic next steps.

  • GPT (Private data): Analyzes your specific network telemetry and payloads to unlock advanced capabilities like autonomous Agentic Triage, deeper payload analysis, and highly contextual next steps.

Important

  • Existing tenants: Your current integration settings remain unchanged. If GPT (Private data) is already enabled, Agentic Triage will be automatically activated. If it is not enabled, you can enable it yourself to activate Agentic Triage. Follow the instructions in the Enable or disable GPT integrations section below.

  • AI icon: Content accompanied by the AI icon is generated by Corelight AI using a large language model. Because an AI algorithm generates this content, there might be errors or omissions; always use your best judgment to verify findings during your investigations.

Managing GPT integrations

To view or manage the GPT integrations, navigate to System Settings | Integrations in the left menu. Here, you can view and manage the settings for both the GPT (Non-Private data) and GPT (Private data) integrations.

Comparing GPT integrations

The following table details the analytical tools and data privacy rules associated with each integration type.

GPT (Non-Private data)

Description & data processing:

  • Description: Helps populate content in the alert catalog and summarizes Corelight-provided rules and alerts. It applies strictly to standard Corelight rules and is not available for unknown or customer-generated data.

  • Data shared: Only Corelight-provided rules and alerts are shared.

  • Data processing: When enabled, the GPT (Non-Private data) integration does not involve the processing of any customer data. No network traffic, payloads, or customer-generated data is submitted to OpenAI.

AI features:

  • Detection descriptions: AI-generated summaries of the logic contributing to an alert.

  • Impact analysis: Explanations of why a specific detection is important.

  • Generic next steps: Guidance for typical investigation steps based on the alert type.

GPT (Private data)

Description & data processing:

  • Description: Analyzes your specific network telemetry, including IP addresses, hostnames, protocol details, and packet payloads.

  • Data shared: Specific network telemetry associated with a triaged alert.

  • Data processing: When enabled, the GPT (Private data) integration involves the processing of customer data for stateless, one-time inference only; it is never stored by OpenAI or used to train OpenAI models.

AI features:

  • Agentic Triage: Autonomous, entity-based triage of Corelight detections, prioritized by risk.

  • Payload analysis: Summaries of Suricata payloads for validating threat signatures and identifying potential threats.

  • Session analysis: Analyzes network traffic logs surrounding a detection to summarize entity behavior.

  • Alert connection insights: Correlations of network metadata and alert details.

  • Context-aware next steps: Investigation recommendations tailored to the specific attributes of the observed traffic.

GPT integration configuration scenarios

Corelight offers granular control over AI Features, allowing you to balance advanced analytics with your organization’s security and compliance requirements. You can customize the Investigator experience to provide full AI assistance or to restrict specific data sharing.

You can adjust your integrations to fit the following scenarios:

Each configuration is listed with its functional impact:

GPT (Private data) and GPT (Non-Private data) integrations are both enabled (default for new tenants)

  • Shares network telemetry and Corelight rule data with OpenAI.

  • Provides the complete suite of AI Features. Analysts get autonomous Agentic Triage, Payload Analysis, Session Analysis, AI-generated Detection Descriptions, and Highly Contextual Next Steps.

Disable GPT (Private data) integration

  • Removes Agentic Triage, Payload Analysis, Session Analysis, Alert Connection Insights, and Context-Aware Next Steps.

  • Retains Generic Next Steps, Impact Analysis, and Detection Descriptions derived purely from Corelight’s rule logic.

Disable GPT (Non-Private data) integration

  • Removes AI-generated Detection Descriptions, Impact Analysis, and Generic Next Steps across the alert catalog.

Disable both GPT (Private data) and GPT (Non-Private data) integrations

  • Completely deactivates all AI Features.

  • All AI assistance icons, insights, and auto-generated text are removed from the interface.

Enable or disable GPT integrations

Prerequisite: Only Investigator administrators can modify the GPT integrations. Analyst users can view the integration but cannot make changes.

Agentic Triage is available to:

  • New tenants (on or after June 1, 2026): Agentic Triage is automatically active with no additional setup required.

  • Existing tenants with GPT (Private data) already enabled: Agentic Triage will be automatically enabled with no action required.

  • Existing tenants without GPT (Private data) enabled: Enable the GPT (Private data) integration to activate Agentic Triage. This must be done by an Admin.

Important

Before modifying these settings, review the GPT integration configuration scenarios above to fully understand the functional impact and the specific AI Features that will be removed if an integration is disabled.

  1. From System Settings in the left navigation, choose Integrations.

  2. Locate and click the integration card for either GPT (Private data) or GPT (Non-Private data).

  3. On the integration details page, click the Configure button.

  4. In the configuration dialog, click the toggle to Enable or Disable the integration.

  5. Click Save to apply the configuration change.

Corelight AI Trust FAQs

For detailed information regarding Corelight’s AI Features, see the Corelight AI Trust FAQs.

  • What underlying AI technology does Investigator use? Investigator uses best-in-class third-party hosted Large Language Models (LLMs), specifically the OpenAI GPT series accessed via API (“OpenAI Model(s)”).

  • How is the OpenAI Model accessed and where is data processed? Investigator sends data to the OpenAI API. Model inference (GPU execution) on data happens in the United States.

  • When enabled, does Corelight share all of my logs with the OpenAI Model? No. If using the GPT (Private data) integration, the data shared with the OpenAI Model is limited to triaged alerts.

  • Does the OpenAI Model train on my customer data? No. The data submitted and responses received are not used to train, fine-tune, or improve any AI models or services for OpenAI or other Corelight customers.

  • Does OpenAI store my data? No. OpenAI does not store the data a user submits or the responses received. Corelight has established a Zero Data Retention (ZDR) agreement with OpenAI so data is immediately deleted after processing.

Additional help

Contact Corelight Support for further assistance with GPT integration configuration.