Microsoft Sentinel Article Series: How To Integrate OpenAI GPT3 with SOAR Ms Sentinel
This use case outlines an incident management process in Microsoft Sentinel, triggered by a specific event such as a suspicious network connection. When triggered, the playbook appends a comment describing the attacker's methods according to the MITRE ATT&CK framework and generates a task to guide further investigation. That investigation could involve data collection, automated probes, or specific containment or remediation actions. To support the investigation, the playbook also suggests a Kusto Query Language (KQL) query based on the outcome of the previous task, so the analyst can search for specific events or log entries, gather more information about the incident, and understand the cause and scope of the attack.
Prerequisites:
- An active Azure subscription
- An active Microsoft Sentinel workspace
- Logic Apps
- The required permissions (see the troubleshooting section below)
Original Templates:
How To Install:
1. Create from Template (click the template link above).
2. Click Review + Create, then edit the Playbook you just created.
3. In the first flow (the blue box with the Sentinel logo), click the box, then Change Connection and select the account connected to Azure Sentinel (see picture below).
4. In the second flow (the orange box), click the box, then Change Connection and connect your OpenAI API from the link below:
5. Generate your API key and store it somewhere secret.
6. Connect your API in Logic Apps using the following format (don't forget to add the word Bearer before the API key):
"Bearer api-keyblablabla"
7. Fill in all parameters. I started from the left side first, then the right side of the tree. Here is the left third flow.
You only need to adjust max tokens so that the prompt response from GPT is fully completed; otherwise the comment is cut off. You can tune it yourself.
8. Here is the configuration of the right tree flow.
9. Save.
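As an added example (not code from the original post or from Antonio Formato's template), the following Python mirrors what the Logic App's HTTP action and follow-up steps do: it builds the Bearer header from step 6, sends the incident fields to the legacy GPT-3 completions endpoint with the tunable max_tokens from step 7, detects a truncated answer, and shapes the comment and task written back to the incident. The endpoint and model name, the incident, and the API response are all assumptions or constructed samples.

```python
import json

OPENAI_URL = "https://api.openai.com/v1/completions"  # legacy GPT-3 completions endpoint (assumed)

def auth_header(api_key):
    """Authorization header for OpenAI: the 'Bearer ' scheme prefix is required (the step-6 mistake)."""
    key = api_key.strip()
    if not key.startswith("Bearer "):
        key = "Bearer " + key
    return {"Authorization": key, "Content-Type": "application/json"}

def build_prompt(incident):
    """Turn the Sentinel incident fields into the questions the playbook asks GPT-3."""
    return (
        f"Incident title: {incident['title']}\nDescription: {incident['description']}\n\n"
        "1. Describe the attacker technique and map it to MITRE ATT&CK (tactic, technique ID).\n"
        "2. Propose one investigation task for the analyst.\n"
        "3. Suggest a KQL query for the Sentinel workspace inside a ```kql fenced block.\n"
    )

def build_request(incident, api_key, max_tokens=600, model="text-davinci-003"):
    """Pieces the HTTP action sends; max_tokens is the value step 7 says to tune."""
    body = {"model": model, "prompt": build_prompt(incident),
            "max_tokens": max_tokens, "temperature": 0}
    return {"url": OPENAI_URL, "headers": auth_header(api_key), "body": json.dumps(body)}

def parse_completion(response_json):
    """Return (text, truncated); finish_reason 'length' means max_tokens cut the answer short."""
    choice = response_json["choices"][0]
    return choice["text"].strip(), choice.get("finish_reason") == "length"

def extract_kql(text):
    """Pull the suggested query out of the ```kql block, or None if the model gave none."""
    start = text.find("```kql")
    if start == -1:
        return None
    end = text.find("```", start + 6)
    return text[start + 6:end].strip() if end != -1 else None

def incident_updates(incident, response_json):
    """Shape the comment and the task the playbook writes back to the incident."""
    text, truncated = parse_completion(response_json)
    status = "TRUNCATED, raise max_tokens" if truncated else "complete"
    comment = f"GPT-3 analysis ({status}):\n{text}"
    task = {"title": "Review GPT-3 suggested investigation", "description": text, "status": "New"}
    return {"comment": comment, "task": task, "kql": extract_kql(text), "truncated": truncated}

# Constructed sample incident and a constructed completions response (not real API output).
SAMPLE_INCIDENT = {"title": "Suspicious outbound connection", "description": "Host contacted a rare domain"}
SAMPLE_RESPONSE = {"choices": [{"finish_reason": "stop", "text":
    "1. Command and Control, T1071.\n2. Check DNS history.\n3. ```kql\nDnsEvents | where Name contains 'rare'\n```"}]}
```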
Trigger Your SOAR Manually
1. Go to Incidents, click one of the incidents, then Actions.
2. Run Playbook.
3. Choose the right Playbook from your resource group and click Run.
4. Done. Check your Playbook or the result.
Result:
Click Close on the playbook bar. Go to View Full Details, then scroll down until you find a comment like the one below.
Then view the task generated by GPT:
But you must be aware that GPT-3 has many limitations. Soon I will give you a tutorial on how to integrate GPT-4.
Troubleshooting: Permission Unauthorized
Here I guide you if you run into unauthorized permission errors.
Error Sample Screenshot
Remember: don't forget to choose the right resource group.
If you cannot trigger the playbook because of permissions, configure your permissions for Sentinel and the resource group here:
Click Playbook permissions, then click Configure permissions.
Grant the permission and you are done. Run or save your Playbook.
Here are the references for the Sentinel roles; you can assign a role by following this tutorial.
Add Roles:
If you want to add roles, go to the resource group, then IAM (Access control).
Go to Add, then Add role assignment.
Enter your role, and don't forget to add a member as shown below.
Save.
Thank you for reading!!
References
Thanks to Mr. Antonio Formato
https://github.com/format81/MicrosoftSentinel-ChatGPT-playbook
https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles