Complex Integration of AI with SIEM
In this project phase, I will implement advanced GPT integration based on Antonio Formato's GitHub solution.
Deploying Antonio Formato's ChatGPT Version to Azure
Navigate to Antonio Formato's GitHub page for the ChatGPT demo.
- Scroll down, click on "Deploy to Azure".
- This took me to the custom template deployment in Azure.
- For Resource group: "SEC-Monitoring".
- For Playbook Name: "ChatGPT-Incident-Enrichment-ADV".
- Click on "Review + create".
- Click on "Create".
Modify the Logic App for Playbook to Fit the Requirements
- Navigate to "Resource Groups" for "SEC-Monitoring".
- Click on the new playbook "ChatGPT-Incident-Enrichment-ADV".
- Click on "Logic app designer" under Development Tools in the left sidebar.
- The new playbook performs two parallel actions after the "Microsoft Sentinel incident" trigger.
- The orange triangles mean the connections are not authorized yet.
- Click on both of the connections and change the connection to "ChatGPT". (I have two because the first ChatGPT connection wasn't working for me.)
- In "Max tokens" for both connections, enter "300".
- Click on "For each" to expand it.
- Click on "Connections" inside "For each".
- Change connection to "ChatGPT".
- Change max tokens to "300".
- Click on "Save" to save the logic app for the playbook.
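To verify the settings above after saving, here is an added Python example (not part of this write-up or Antonio Formato's project) that walks an exported Logic App workflow definition, including actions nested inside "For each", and flags any API connection action that is not bound to the ChatGPT connection or that does not use max tokens of 300. The action names, the connection keys under `$connections` and the `max_tokens` body field are assumptions, and a constructed sample definition is embedded so the check runs offline.

```python
import json

# Constructed sample, loosely modelled on a Logic App workflow definition export.
# Action names, the '$connections' keys and the 'max_tokens' body field are
# assumptions for illustration, not the real playbook's names.
SAMPLE_DEFINITION = json.loads('''{
  "actions": {
    "Ask_ChatGPT_summary": {"type": "ApiConnection", "inputs": {
      "host": {"connection": {"name": "@parameters('$connections')['chatgpt']['connectionId']"}},
      "body": {"max_tokens": 300}}},
    "Ask_ChatGPT_tasks": {"type": "ApiConnection", "inputs": {
      "host": {"connection": {"name": "@parameters('$connections')['openai']['connectionId']"}},
      "body": {"max_tokens": 800}}},
    "For_each": {"type": "Foreach", "actions": {
      "Ask_ChatGPT_per_entity": {"type": "ApiConnection", "inputs": {
        "host": {"connection": {"name": "@parameters('$connections')['chatgpt']['connectionId']"}},
        "body": {"max_tokens": 300}}}}}
  }
}''')


def iter_api_actions(actions, path=()):
    """Yield (path, action) for every ApiConnection action, descending into
    container actions such as For each and Scope via their own 'actions' map."""
    for name, action in actions.items():
        here = path + (name,)
        if action.get("type") == "ApiConnection":
            yield here, action
        yield from iter_api_actions(action.get("actions", {}), here)


def check_playbook(definition, expected_connection="chatgpt", expected_max_tokens=300):
    """Return findings for API actions that are not bound to the expected
    connection or that do not use the expected max_tokens value."""
    findings = []
    for path, action in iter_api_actions(definition.get("actions", {})):
        inputs = action.get("inputs", {})
        conn = inputs.get("host", {}).get("connection", {}).get("name", "")
        tokens = inputs.get("body", {}).get("max_tokens")
        if f"['{expected_connection}']" not in conn:
            findings.append(("/".join(path), "connection", conn))
        if tokens != expected_max_tokens:
            findings.append(("/".join(path), "max_tokens", tokens))
    return findings


if __name__ == "__main__":
    for finding in check_playbook(SAMPLE_DEFINITION):
        print(finding)
```

An empty findings list means every connection action, including the one inside "For each", matches the settings chosen above.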
Assigning Microsoft Sentinel Responder Role to the New Playbook
- Navigate to Resource groups for "SEC-Monitoring".
- Click on "Access control (IAM)" under Overview in the left sidebar.
- Click on "Add". Then, "Add role assignment".
- Type "Responder" in the search bar and click on "Microsoft Sentinel Responder".
- Click on "Next".
- Select: "Managed identity".
- Click on "Select members".
- Managed identity: "Logic app".
- Click on "ChatGPT-Incident-Enrichment-ADV".
- Click on "Select".
- Click on "Next".
- Click on "Review + assign".
Run an Incident on Sentinel with the New Playbook with Complex Integration
- Navigate to Microsoft Sentinel for "SEC-Monitoring".
- Click on "Incidents" under Threat management in the left sidebar.
- Click on the "Kerberoasting" incident that was created for demonstration.
- Click on "Actions". Then, "Run playbook (Preview)".
- Click on "Run" for the new playbook.
- Click on "View full details".
- Click on "Activity log".
- The activity log shows a more in-depth comment from ChatGPT.
- There is a new Tasks section on the left side.
- Click on "View full details".
- The full details for the tasks show a better recommendation.
- This successfully creates the complex-integration version of ChatGPT for the Sentinel SIEM.