# Playbook of the Week: Using ChatGPT in Cortex XSOAR

By [Sameh Elhakim](https://www.paloaltonetworks.com/blog/author/sameh-elhakim/?ts=markdown "Posts by Sameh Elhakim") | May 18, 2023

You might have used ChatGPT to help you write a script or generate an image. Now that you know Cortex XSOAR has a [ChatGPT integration](https://xsoar.pan.dev/docs/reference/integrations/open-ai-chat-gpt-v3), are you wondering how you might apply it to your security operations to facilitate incident response?

**Quick Note**: For more information on how we are incorporating AI across our Cortex portfolio to drive the autonomous modern SOC, please refer to the [XSIAM Solution brief](https://www.paloaltonetworks.com/resources/techbriefs/cortex-xsiam).

Here are some examples of how you can start using ChatGPT within your XSOAR playbooks to deliver information in a user-friendly way:

* Deliver incident analysis to security analysts in readable, natural language.
* Improve incident ticket responses with information on analysis, impact and recommendations.
* For MSSPs, your clients will receive a description and analysis that looks like it was written by a human. This improves clarity and user satisfaction, as ChatGPT can respond at a much higher speed than humans.

Before we dive into the playbook, let's look at how ChatGPT rewrites the incident details from an ingested alert, adding richer context and following the format provided:

## ChatGPT Request

We are using **ChatGPT 3.5** in this request and the playbook.

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/05/word-image-293891-1-2.png)

## ChatGPT Response

### Analysis

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/05/word-image-293891-2-2.png)

### Impact Analysis

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/05/word-image-293891-3-2.png)

### Actions/Recommendations

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/05/word-image-293891-4-2.png)

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/05/word-image-293891-5-2.png)

**Amazing, right?**

Now it is time to integrate it into an automated playbook. This playbook is built using the standard ticketing template, which covers:

* Details (Analysis)
* Impact
* Actions/Recommendations

You can tweak the ChatGPT response by giving it a different set of output criteria.

Quick tip: Put the criteria in bullet points so ChatGPT can format its output accordingly.

Note: When using ChatGPT for presenting data, we recommend following your organization's data classification policies.

## How to Use the ChatGPT Integration in a Playbook

We will use the OpenAI ChatGPT v3 integration: [https://xsoar.pan.dev/docs/reference/integrations/open-ai-chat-gpt-v3](https://xsoar.pan.dev/docs/reference/integrations/open-ai-chat-gpt-v3)

#### **Generate an OpenAI API key**

Note: Using the OpenAI API requires a pay-as-you-go subscription after the free trial ends.

1. Log in to your OpenAI account using the following link: [https://platform.openai.com/docs/introduction](https://platform.openai.com/docs/introduction)
2. Click on your profile at the top right, then **View API Keys**.

   ![Menu with API keys](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/05/word-image-293891-6-2.png)

   Menu with API keys

3. Click on Generate new secret key.

   ![Creating new secret key](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/05/word-image-293891-7-2.png)

   Creating new secret key

To add a new secret key, press *Create new secret key*.

![Window to create new secret key](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/05/word-image-293891-8-2.png)

Window to create new secret key

Copy the new secret key before the pop-up is closed, as it will not be accessible once you close the window.

![Next window to create new secret key](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/05/word-image-293891-9-2.png)

Next window to create new secret key

#### **Configure OpenAI ChatGPT v3 Instance**

1. Download the content pack from the Cortex Marketplace.
2. Add an Instance.

   ![Adding an Instance](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/05/word-image-293891-10-2.png)

   Adding an Instance

3. Paste the copied secret key, then press *Save & exit*.

   ![Saving the instance](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/05/word-image-293891-11-2.png)

   Saving the instance

### Use Case

Now that we have configured your ChatGPT integration instance, we can use it in a playbook. You can modify the playbook tasks as needed to suit your automation use cases.

#### **Incident Enrichment**

The enrichment is done in two separate phases:

* **Indicator extraction:** Get more details, such as logs, and extract artifacts from your SIEM solution.
* **Indicator enrichment:** Enrich the extracted indicators using your threat intel feed, such as Unit42 Intel or VirusTotal.

![Indicator enrichment tasks in playbook](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/05/word-image-293891-12-2.png)

Indicator enrichment tasks in playbook

#### **Incident Analysis**

For incident analysis, you send all the data collected in the previous tasks to ChatGPT, as follows, to determine the severity of the incident:

![ChatGPT analysis section of playbook](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/05/word-image-293891-13-2.png)

ChatGPT analysis section of playbook

##### **ChatGPT Task Configuration**

As we mentioned earlier, you can configure your prompts to ChatGPT, but here are some tips for optimum output results:

* Make it short
* Provide specific instructions for your output display
* Provide output criteria in bulleted format
* Add your data parameters (e.g. title or hostname of compromised machine)

![ChatGPT prompt output in playbook](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/05/word-image-293891-14-2.png)

ChatGPT prompt output in playbook

##### **ChatGPT Prompt**

Once you have configured the task with your input parameters, it should look very similar to the ChatGPT web output.

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/05/word-image-293891-15-2.png)

##### **ChatGPT Response Output**

It is important to monitor how many tokens are being used to communicate with ChatGPT via the API integration. OpenAI calculates the cost of API usage based on the total number of tokens used in your API calls (prompt + answer). OpenAI provides more details about how they define and count [OpenAI tokens](https://help.openai.com/en/articles/4936856-what-are-tokens-and-how-to-count-them).

![ChatGPT response information in incident War Room](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/05/word-image-293891-16-2.png)

ChatGPT response information in incident War Room

#### **Incident Response**

In this phase, any malicious indicators will be blocked on Cortex XDR or the firewall. This is decided based on the indicator's reputation/score as determined during the indicator enrichment phase.

![Incident response actions based on incident severity](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/05/word-image-293891-17-2.png)

Incident response actions based on incident severity

#### **Incident Closure**

As part of incident resolution, an email with the ChatGPT response details is sent to the SOC analyst, and a ServiceNow ticket is generated and updated with the closure notes from the [ChatGPT output](#post-293891-_twjtus5tomr5).

![Incident closure actions](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/05/word-image-293891-18-2.png)

Incident closure actions

##### **Sample Email**

This is an example of the email received by the analyst from XSOAR with the ChatGPT response output.

![Sample email](https://www.paloaltonetworks.com/blog/wp-content/uploads/2023/05/word-image-293891-19-2.png)

Sample email

### **Note:**

ChatGPT is one of the many LLMs (large language models) we are working to integrate into Cortex XSOAR. Stay tuned for upcoming blogs on other LLM integrations such as Google Vertex AI.

**Learn More**

To learn more about how you can automate security operations with Cortex XSOAR, check out our virtual self-guided [XSOAR Product Tour](https://www.paloaltonetworks.com/resources/infographics/xsoar-product-tour).

We also host virtual and in-person events, so check [here](https://www.paloaltonetworks.com/resources/cortex-events) for upcoming ones.
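
The prompt tips under ChatGPT Task Configuration, the data classification note and the token monitoring point above can be combined in one pre-processing step. The following is an added example, not code from the original post or from the XSOAR integration: it swaps sensitive values for placeholders before the prompt leaves your environment, estimates the prompt's token count against a budget, and restores the real values in the reply locally. The incident keys, the four-characters-per-token estimate and the sample data are assumptions.

```python
import math

# Hypothetical incident keys; map them to your own incident fields.
SENSITIVE_KEYS = ("hostname", "username", "source_ip")
OUTPUT_CRITERIA = ("Analysis", "Impact", "Actions/Recommendations")
CHARS_PER_TOKEN = 4  # rough estimate for English text, not an exact count


def pseudonymize(incident, sensitive_keys=SENSITIVE_KEYS):
    """Replace sensitive values with placeholders in every field."""
    mapping = {f"<{k.upper()}>": str(incident[k]) for k in sensitive_keys if incident.get(k)}
    # Longest values first, so a value containing another is replaced whole.
    ordered = sorted(mapping.items(), key=lambda kv: -len(kv[1]))
    safe = {}
    for key, value in incident.items():
        text = str(value)
        for placeholder, secret in ordered:
            text = text.replace(secret, placeholder)
        safe[key] = text
    return safe, mapping


def build_prompt(safe_incident, criteria=OUTPUT_CRITERIA):
    """Short instruction, bulleted output criteria, then the data parameters."""
    lines = ["Write an incident summary for a SOC ticket with these sections:"]
    lines += [f"- {c}" for c in criteria]
    lines.append("Incident data:")
    lines += [f"- {k}: {v}" for k, v in safe_incident.items()]
    return "\n".join(lines)


def estimate_tokens(text):
    """Approximate token count; billing covers prompt plus answer."""
    return math.ceil(len(text) / CHARS_PER_TOKEN)


def prepare_request(incident, max_prompt_tokens=500):
    """Build the outbound prompt and refuse it if it exceeds the budget."""
    safe, mapping = pseudonymize(incident)
    prompt = build_prompt(safe)
    tokens = estimate_tokens(prompt)
    if tokens > max_prompt_tokens:
        raise ValueError(f"prompt is ~{tokens} tokens, budget is {max_prompt_tokens}")
    return prompt, mapping, tokens


def restore(response_text, mapping):
    """Put the real values back into the model's reply, locally."""
    for placeholder, secret in mapping.items():
        response_text = response_text.replace(placeholder, secret)
    return response_text


# Constructed sample incident, not taken from the original post.
SAMPLE_INCIDENT = {
    "title": "Malware detected on FIN-LT-042",
    "hostname": "FIN-LT-042",
    "username": "j.doe",
    "source_ip": "10.20.30.40",
    "details": "User j.doe on FIN-LT-042 ran invoice.exe; beacon seen from 10.20.30.40.",
}

if __name__ == "__main__":
    prompt, mapping, tokens = prepare_request(SAMPLE_INCIDENT)
    print(prompt, f"\nestimated prompt tokens: {tokens}")
```

Compare the estimate with the actual token usage shown in the War Room output to tune the budget for your own prompts.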