Augmenting an Incident with GPT3

In the previous example we identified a security incident from SAP.

In this demo we will build an automation to augment the incident with more information derived from GPT3.

This demo depends on the steps we executed on the previous chapter. Don’t skip it

Setting up permissions

The SAPCAL resource group has a set of permissions that require some adjustments so we can create atuomations.

In this step we will setup those permissions correctly so Sentinel can use its resources.

  1. On the Azure portal, let’s go to the Resource Groups resource page: sso1

  2. On the Resource Groups resource page, click on the resource group, select Access Control (IAM) and Add role assingment. sso1

  3. We will do this 2X for 2 sets of permissions: Owner and Logic App Contributor.

    • Click on Owner Role and select the desired role. Click Next sso1
    • Go to the members tab, and Select Members. Pick your user and click Select sso1
    • Repeat it for the Logic App Contributor sso1

  4. Let’s make sure we have done it correcly: Click on the Check Access and confirm you have the 2 roles assigned. sso1

  5. Then, go to Sentinel, click on Settings, then expand Playbook Permissions, click on Configure permissions and select the Resource Group . Click Apply. sso1

Creating our Automation

  1. On the Sentinel page, under the Azure Portal, go to Automations, and Create a Playbook with Incident Trigger sso1

  2. Pick the resource group and name the Playbook SAP_ADDGPTCOMMENTS, also make sure to check to enable diagnostics so you can troubleshoot any issues. Click Next: Connections sso1

  3. Permissions for Sentinel should be setup. We will further add permissions to the Logic App. Click Next: Review and Create
    sso1

  4. Click Create and continue to designer
    sso1

  5. You will be brought to the Logic App Designer, where we will build the automation flow without creating a single line of code. It comes pre-populated with a Sentinel Incident as trigger. let’s add the GPT3 action. Search for GPT3 and select GPT3 completes your prompt action: sso1

  6. Then you will need to provide an API Key for OpenAI GPT3. Log in (or create an acount) in the OpenAI page, on the top right click on your user and View API Keys and then Create a secret key. Copy the value for the next step. sso1 sso1

  7. Back to the Logic App, name the connection as GPT3APIKEY and add you key in the format Bearer (example “Bearer djklcsjcsdkjcsdlkcsjdlcsd”). Click Create. sso1

  8. Let’s add the prompt we need using the data from the Sentinel incident.

  • Prompt: “What should be the next investigation steps on security incident with description “” and title “” with involved entities “
  • Dynamic Content: Incident Description, Incident Title, Entities
  • You can also expand max tokens from 100 to 250 sso1

  1. As a next step, we will tell to Logic Apps what to do with the GPT3 API response. Add an action Add comment to incident v3 under Sentinel. sso1

  2. Use the Dynamic Content for Incident ARM ID and expand GPT3 dynamic content and select Text. sso1

  3. That is it, the Logic App is setup. It should be something like the picture below: sso1

  4. With our Logic App ready, we need to allow it to act on the Resource Groups resources. Still on the Logic App page, go to Identity, enable Status and click on Azure role assignments. sso1

  5. Click on the Add role assignment button and specify that you want to grant permissions based on Resource Groups, selecting resource group and the Contributor role. Click Save and we are done in the Logic App page.
    sso1

  6. Go back to Sentinel page, and let’s set up a rule triggering the Logic App we just created. CLick on Automation and create an Automation rule. sso1

  7. Let’s name the rule Add_GPT3_Comment_rule, select as Action Run playbook and select the previously created SAP_ADDGPTCOMMENTS playbook. Click Apply sso1

And that is it. We should have setup everything so that when an alert shows up and an incident is created, Sentinel will be able to append comments with additional incident information for first responder. Let’s test it !

Generating an Incident

  1. Log on to the Bastion Host and log on the SAP GUI (SAP Logon) with user SAP/Welcome1* (this will be a super restricted user log in incident) sso1

  2. Go to TCODE SU01 so we can create a new user sso1

  3. Name the user hacker01 and click on User sso1

  4. Give it a Last Name hacker01 and move on to the Logon Data tab sso1

  5. Set the password and confirm to Welcome1, c;lick Save and then log off be using the Back button sso1

  6. Now, lets log in with the newly creater hacker01/Welcome1 user, simulating another security incident sso1

  7. It will ask for a new password. You can use Microsoft1 and the new one here and proceed. Once logged in, you can log off, since the risk was already been recorded. sso1

  8. After a few minutes (5-10 minutes) the logs should have flown to Sentinel and an Incident should have been created. Go to Sentinel, on Overview (optionally you can disable the new interface), and select one recent incident. sso1

  9. On the incident details page, you can go to Comments tab sso1

  10. If everything worked, you should see a comment added by the playbook with some augmentation regarding the security incident: sso1

Congratulations! In this example we were able to create a playbook, a rule and augment an incident with AI generated information upon a creation of an incident from SAP!