Create Playbook for ChatGPT from Scratch in Azure Cloud
In Microsoft Sentinel, playbooks represent a collection of automated workflows designed to address security incidents. These playbooks offer flexibility and can be adjusted to align with the unique requirements of any organization. They serve as a means to automate incident responses, coordinate actions, and execute a variety of security-related functions.
In this part of the project, I will integrate Microsoft Sentinel with ChatGPT and create my first playbook.
Creating a Playbook with Incident Trigger
Navigate to Microsoft Sentinel dashboard on "SEC-Monitoring".
- Click on "Automation" under Configuration on the left side bar.
- Click on "Create". Then Select "Playbook with incident trigger".
- This option will trigger automation when the incident is created.
- Fill in the information:
- Playbook name: "ChatGPT-Incident-Enrichment".
- Check the box for "Enable diagnostics logs in Log Analytics".
- This will allow us to track failure with the playbook.
- Click on "Next: Connections >"
- In Connections tab, check if "Microsoft Sentinel" is created.
- The playbook incorporates identity management as an authentication method, obviating the necessity to store explicit credentials or secrets within the playbook or handle them independently.
- Click on "Next: Review and create >"
- In the Review and create tab, click on "Create and continue to designer".
- Wait until it finish deployment.
Getting API Key
While the Sentinel deploys the playbook, I will gp get an API Key since ChatGPT need it in order to be created.
- Navigate to (Platform.openai.com)[https://platform.openai.com/account/api-keys].
- Log in or Sign up.
- Click on "Create new secret key".
- Name it: "Sentinel". Then, click on "Create secret key".
- Successfully created an API Key.
- Store your API Key securely because it will be inaccessible once you exit the page.
Building a Playbook
Logic apps and playbooks are the same and in Microsoft Sentinel, playbooks offer users a user-friendly graphical interface for creating and visualizing workflows involving various services and applications. The designer is composed of distinct building blocks, each corresponding to a specific action or connector used to construct workflows. These building blocks includes triggers, actions, and conditions. The trigger for my Sentinel is incident.
- Click on "Next step".
- Type in: "GPT" in the search bar.
- Select "GPT3 completes your prompt (preview).
- Fill in the information:
- Connection name: "ChatGPT".
- API Key: "Bearer" + "API Key".
- Click on "Create".
- Change Prompt: "How can I remediate", search "Incident Title" on the blue box, "with the description of", search "Incident Description" on the blue box.
- Click on "Next Step".
- Type in: "add comment to incident" in the search bar.
- Select "Add comment to incident (V3) (preview)".
- For "Add comment to incident (V3)
- Incident ARM id: search "Incident ARM" on the blue box on the right side.
- Incident comment message: Click on "see more" on the blue box on the right side. Then, click on "Text".
A new "for each" building block will be generated based on the chosen parameter, allowing me to execute actions on individual items within a set of values defined by my output parameters.
Create Playbook for ChatGPT from Scratch in Azure Cloud
In Microsoft Sentinel, playbooks represent a collection of automated workflows designed to address security incidents. These playbooks offer flexibility and can be adjusted to align with the unique requirements of any organization. They serve as a means to automate incident responses, coordinate actions, and execute a variety of security-related functions.
In this part of the project, I will integrate Microsoft Sentinel with ChatGPT and create my first playbook.
Creating a Playbook with Incident Trigger
- Click on "Automation" under Configuration on the left side bar.
- Click on "Create". Then Select "Playbook with incident trigger". - This option will trigger automation when the incident is created.
- Fill in the information: - Playbook name: "ChatGPT-Incident-Enrichment". - Check the box for "Enable diagnostics logs in Log Analytics". - This will allow us to track failure with the playbook. - Click on "Next: Connections >"
- In Connections tab, check if "Microsoft Sentinel" is created. - The playbook incorporates identity management as an authentication method, obviating the necessity to store explicit credentials or secrets within the playbook or handle them independently. - Click on "Next: Review and create >"
- In the Review and create tab, click on "Create and continue to designer".
- Wait until it finish deployment.
Getting API Key
While the Sentinel deploys the playbook, I will gp get an API Key since ChatGPT need it in order to be created. - Navigate to (Platform.openai.com)[https://platform.openai.com/account/api-keys]. - Log in or Sign up. - Click on "Create new secret key".- Name it: "Sentinel". Then, click on "Create secret key".
- Successfully created an API Key. - Store your API Key securely because it will be inaccessible once you exit the page.
Building a Playbook
Logic apps and playbooks are the same and in Microsoft Sentinel, playbooks offer users a user-friendly graphical interface for creating and visualizing workflows involving various services and applications. The designer is composed of distinct building blocks, each corresponding to a specific action or connector used to construct workflows. These building blocks includes triggers, actions, and conditions. The trigger for my Sentinel is incident. - Click on "Next step".- Type in: "GPT" in the search bar. - Select "GPT3 completes your prompt (preview).
- Fill in the information: - Connection name: "ChatGPT". - API Key: "Bearer" + "API Key". - Click on "Create".
- Change Prompt: "How can I remediate", search "Incident Title" on the blue box, "with the description of", search "Incident Description" on the blue box. - Click on "Next Step".
- Type in: "add comment to incident" in the search bar. - Select "Add comment to incident (V3) (preview)".
- For "Add comment to incident (V3) - Incident ARM id: search "Incident ARM" on the blue box on the right side.
- Incident comment message: Click on "see more" on the blue box on the right side. Then, click on "Text".
A new "for each" building block will be generated based on the chosen parameter, allowing me to execute actions on individual items within a set of values defined by my output parameters.
- Click on "Save" to save the new playbook.
- Successfully deployed a new playbook.