GPT integrations

Corelight Investigator (Investigator) integrates with OpenAI’s GPT models to provide AI-driven analysis of detected threats, network traffic data, threat metadata, and alerts (“AI Features”). Investigator’s AI Features are configured using the GPT integrations available from the settings menu.

Investigator administrators can manage these integrations to control what data is shared with OpenAI and which AI Features are available to analysts.

These GPT integrations are both enabled by default:

  • GPT (Non-Private data): Analyzes standard Corelight rules and alerts to deliver better descriptions of rule logic and generic next steps.

  • GPT (Private data): Analyzes your specific network telemetry and payloads to unlock advanced capabilities like autonomous Agentic Triage, deeper payload analysis, and highly contextual next steps.

Important

  • Private Preview: The Agentic Triage feature is currently in private preview. Contact your Corelight Account Manager or Corelight Support for more information.

  • Existing customers: As of April 8, 2026, both GPT (Private data) and GPT (Non-Private data) integrations are enabled by default for all new tenants. This new default does not apply to your existing tenants, and your current settings will remain the same. If you want to enable/disable either or both integrations, follow the instructions in the sections below.

  • AI icon: Content accompanied by the AI icon is generated by Corelight AI using a large language model. Because an AI algorithm generates this content, there might be errors or omissions; always use your best judgment to verify findings during your investigations.

Managing GPT integrations

To view or manage the GPT integrations, navigate to System Settings | Integrations in the left menu. Here, you can view and manage the settings for both the GPT (Non-Private data) and GPT (Private data) integrations.

Comparing GPT integrations

The following table details the analytical tools and data privacy rules associated with each integration type.

Integration type: GPT (Non-Private data)

[Figure: GPT (Non-Private data) integration tile showing the enabled toggle]

Description & data processing:

  • Description: Helps populate content in the alert catalog and summarizes Corelight-provided rules and alerts. It applies strictly to standard Corelight rules and is not available for unknown or customer-generated data.

  • Data shared: Only Corelight-provided rules and alerts are shared.

  • Data processing: When enabled, the GPT (Non-Private data) integration does not involve the processing of any customer data. No network traffic, payloads, or customer-generated data is submitted to OpenAI.

AI features:

  • Detection descriptions: AI-generated summaries of the logic contributing to an alert.

  • Impact analysis: Explanations of why a specific detection is important.

  • Generic next steps: Guidance for typical investigation steps based on the alert type.

Integration type: GPT (Private data)

[Figure: GPT (Private data) integration tile showing the enabled toggle]

Description & data processing:

  • Description: Analyzes your specific network telemetry, including IP addresses, hostnames, protocol details, and packet payloads.

  • Data shared: Specific network telemetry associated with a triaged alert.

  • Data processing: When enabled, the GPT (Private data) integration involves the processing of customer data for stateless, one-time inference only; it is never stored by OpenAI or used to train OpenAI models.

AI features:

  • Agentic Triage: Autonomous, entity-based triage of Corelight detections, prioritized by risk.

  • Payload analysis: Summaries of Suricata payloads for validating threat signatures and identifying potential threats.

  • Session analysis: Analyzes network traffic logs surrounding a detection to summarize entity behavior.

  • Alert connection insights: Correlations of network metadata and alert details.

  • Context-aware next steps: Investigation recommendations tailored to the specific attributes of the observed traffic.

GPT integration configuration scenarios

Corelight offers granular control over AI Features, allowing you to balance advanced analytics with your organization’s security and compliance requirements. You can customize the Investigator experience to provide full AI assistance or to restrict specific data sharing.

You can adjust your integrations to fit the following scenarios:

Configuration: GPT (Private data) and GPT (Non-Private data) integrations are both enabled by default

Functional impact:

  • Shares network telemetry and Corelight rule data with OpenAI.

  • Provides the complete suite of AI Features. Analysts get autonomous Agentic Triage, Payload Analysis, Session Analysis, AI-generated Detection Descriptions, and Highly Contextual Next Steps.

Configuration: Disable GPT (Private data) integration

Functional impact:

  • Removes Agentic Triage, Payload Analysis, Session Analysis, Alert Connection Insights, and Context-Aware Next Steps.

  • Retains Generic Next Steps, Impact Analysis, and Detection Descriptions derived purely from Corelight’s rule logic.

Configuration: Disable GPT (Non-Private data) integration

Functional impact:

  • Removes AI-generated Detection Descriptions, Impact Analysis, and Generic Next Steps across the alert catalog.

Configuration: Disable both GPT (Private data) and GPT (Non-Private data) integrations

Functional impact:

  • Completely deactivates all AI Features.

  • All AI assistance icons, insights, and auto-generated text are removed from the interface.

Enable or disable GPT integrations

Prerequisite: Only Investigator administrators can modify the GPT integrations. Analyst users can view the integration but cannot make changes.

Important

Before modifying these settings, review the GPT integration configuration scenarios above to fully understand the functional impact and the specific AI Features that will be removed if an integration is disabled.

  1. From System Settings in the left navigation, choose Integrations.

  2. Locate and click the integration card for either GPT (Private data) or GPT (Non-Private data).

  3. On the integration details page, click the Configure button.

  4. In the configuration dialog, click the toggle to Enable or Disable the integration.

  5. Click Save to apply the configuration change.

Corelight AI Trust FAQs

For detailed information regarding Corelight’s AI Features, see the Corelight AI Trust FAQs.

  • What underlying AI technology does Investigator use? Investigator uses best-in-class third-party hosted Large Language Models (LLMs), specifically the OpenAI GPT series accessed via API (“OpenAI Model(s)”).

  • How is the OpenAI Model accessed and where is data processed? Investigator sends data to the OpenAI API. Model inference (GPU execution) on data happens in the United States.

  • When enabled, does Corelight share all of my logs with the OpenAI Model? No. If using the GPT (Private data) integration, the data shared with the OpenAI Model is limited to triaged alerts.

  • Does the OpenAI Model train on my customer data? No. The data submitted and responses received are not used to train, fine-tune, or improve any AI models or services for OpenAI or other Corelight customers.

  • Does OpenAI store my data? No. OpenAI does not store the data a user submits or the responses received. Corelight has established a Zero Data Retention (ZDR) agreement with OpenAI so data is immediately deleted after processing.

Additional help

Contact Corelight Support for further assistance with GPT integration configuration.