GPT integrations
Corelight Investigator (Investigator) integrates with OpenAI’s GPT models to provide AI-driven analysis of detected threats, network traffic data, threat metadata, and alerts (“AI Features”). Investigator’s AI Features are configured using the GPT integrations available from the settings menu.
Investigator administrators can manage these integrations to control what data is shared with OpenAI and which AI Features are available to analysts.
Both GPT integrations are enabled by default for new tenants:
GPT (Non-Private data): Analyzes standard Corelight rules and alerts to deliver better descriptions of rule logic and generic next steps.
GPT (Private data): Analyzes your specific network telemetry and payloads to unlock advanced capabilities like autonomous Agentic Triage, deeper payload analysis, and highly contextual next steps.
Important
Existing tenants: Your current integration settings remain unchanged. If GPT (Private data) is already enabled, Agentic Triage will be automatically activated. If it is not enabled, you can enable it yourself to activate Agentic Triage. Follow the instructions in the Enable or disable GPT integrations section below.
AI icon: Content accompanied by the AI icon is generated by Corelight AI using a large language model. Because an AI algorithm generates this content, there might be errors or omissions; always use your best judgment to verify findings during your investigations.
Managing GPT integrations
To view or manage the GPT integrations, navigate to System Settings | Integrations in the left menu. Here, you can view and manage the settings for both the GPT (Non-Private data) and GPT (Private data) integrations.
To understand the differences between the two integrations, see the Comparing GPT integrations and GPT integration configuration scenarios sections below.
While both integrations are enabled by default for new tenants, you can find instructions for turning these features on or off in the Enable or disable GPT integrations section below.
Comparing GPT integrations
The following table details the analytical tools and data privacy rules associated with each integration type.
GPT integration configuration scenarios
Corelight offers granular control over AI Features, allowing you to balance advanced analytics with your organization’s security and compliance requirements. You can customize the Investigator experience to provide full AI assistance or to restrict specific data sharing.
You can adjust your integrations to fit the following scenarios:
| Configuration | Functional impact |
|---|---|
| GPT (Private data) and GPT (Non-Private data) integrations are both enabled (default for new tenants) | |
| Disable GPT (Private data) integration | |
| Disable GPT (Non-Private data) integration | |
| Disable both GPT (Private data) and GPT (Non-Private data) integrations | |
Enable or disable GPT integrations
Prerequisite: Only Investigator administrators can modify the GPT integrations. Analyst users can view the integration but cannot make changes.
Agentic Triage is available to:
New tenants (on or after June 1, 2026): Agentic Triage is automatically active with no additional setup required.
Existing tenants with GPT (Private data) already enabled: Agentic Triage will be automatically enabled with no action required.
Existing tenants without GPT (Private data) enabled: Enable the GPT (Private data) integration to activate Agentic Triage. This must be done by an Admin.
Important
Before modifying these settings, review the GPT integration configuration scenarios above to fully understand the functional impact and the specific AI Features that will be removed if an integration is disabled.
From System Settings in the left navigation, choose Integrations.
Locate and click the integration card for either GPT (Private data) or GPT (Non-Private data).
On the integration details page, click the Configure button.
In the configuration dialog, click the toggle to Enable or Disable the integration.
Click Save to apply the configuration change.
Corelight AI Trust FAQs
For detailed information regarding Corelight’s AI Features, see the Corelight AI Trust FAQs.
What underlying AI technology does Investigator use? Investigator uses best-in-class third-party hosted Large Language Models (LLMs), specifically the OpenAI GPT series accessed via API (“OpenAI Model(s)”).
How is the OpenAI Model accessed and where is data processed? Investigator sends data to the OpenAI API. Model inference (GPU execution) on data happens in the United States.
When enabled, does Corelight share all of my logs with the OpenAI Model? No. If using the GPT (Private data) integration, the data shared with the OpenAI Model is limited to triaged alerts.
Does the OpenAI Model train on my customer data? No. The data submitted and responses received are not used to train, fine-tune, or improve any AI models or services for OpenAI or other Corelight customers.
Does OpenAI store my data? No. OpenAI does not store the data a user submits or the responses received. Corelight has established a Zero Data Retention (ZDR) agreement with OpenAI so data is immediately deleted after processing.
Additional help
Contact Corelight Support for further assistance with GPT integration configuration.

