It’s probably best to start by setting the record straight. This is not ChatGPT integration; more precisely, it’s integration with GPT-3. ChatGPT is a large language model based on GPT-3.5 (Generative Pretrained Transformer 3.5).
Read about GPT-3: GPT-3 Powers the Next Generation of Apps (openai.com)
Thanks to some original work by Zubair Rahim, many Microsoft Sentinel customers (and MSFT internal teams) are interested in seeing what sort of value ChatGPT, the OpenAI API and GPT-3 can provide for Sentinel analysts and more.
There are many branches of work being done in many different groups within Microsoft right now. Everyone has an idea of something cool they’d like to see. Many of the efforts sound fantastic and I’m positive that some awesome offerings will come out of this early-days effort. For now, though, there are many questions I have about it, which is one of the primary reasons why I’m messing with it and taking my time doing so. Well, that, and it’s pretty cool.
I’m a bit reluctant (and you should be, too) to send certain types of data. For example, Zubair originally discussed sending Incident Entity information. I stopped doing that. You should be mindful, too, about the types of data that are sent through the API.
I’m also a bit concerned about the security of the API itself. Again, it’s early days, so I’m taking a step-by-step approach so that it doesn’t get out of hand.
I have a deployable Microsoft Sentinel Playbook to get you started: https://github.com/rod-trent/SentinelPlaybooks/tree/master/ChatGPT
An API key is necessary. You can acquire your own key from: https://beta.openai.com/account/api-keys
Even though it requests your API key during deployment, after deploying to Azure, you'll still need to make the API connection as shown:
Requesting the API key during deployment stores the API key (so you don't lose it or forget it) in a Logic App Parameters value.
The Playbook is pretty simple. Just a framework that allows you to make the connection and then start to build out your own ideas.
The one on my GitHub repo simply:
Reacts to a Microsoft Sentinel Incident
Submits only the Incident Title and Incident Description
Returns the remediation recommendation and writes it to the Incident’s Activity Log pane (the new comment area in the new Incident experience)
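To make the three steps above (and the data-minimization point about not forwarding Incident Entity information) concrete, here is an added Python model of the same flow. This is not the playbook’s code: the real playbook is a Logic App built from connectors, and this script only shows where the trust boundary sits. The OpenAI completions URL and the model name are assumptions about the early-2023 API, the comment shape is constructed, the HTTP call is replaced by an offline stand-in, and the scrub step (masking IPs, e-mail addresses and GUIDs that appear in the free-text description) goes beyond what the playbook itself does.

```python
"""Offline model of the GPT-3 Sentinel playbook: Incident -> title + description only
-> OpenAI completion request -> comment for the Incident's Activity Log.
Constructed example, not the playbook's own code."""
import re
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List

# Assumptions about the OpenAI completions API as it stood in early 2023.
OPENAI_COMPLETIONS_URL = "https://api.openai.com/v1/completions"
MODEL = "text-davinci-003"


@dataclass
class SentinelIncident:
    incident_id: str
    title: str
    description: str
    # Entities (accounts, hosts, IPs) are kept on the object but never forwarded.
    entities: List[Dict[str, Any]] = field(default_factory=list)


# Free-text fields can still carry identifiers; mask the common ones before they leave.
_SCRUB_PATTERNS = [
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "<ip>"),
    (re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), "<email>"),
    (re.compile(r"\b[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}\b"), "<guid>"),
]


def scrub(text: str) -> str:
    """Replace IPs, e-mail addresses and GUIDs with placeholders."""
    for pattern, placeholder in _SCRUB_PATTERNS:
        text = pattern.sub(placeholder, text)
    return text


def build_prompt(incident: SentinelIncident) -> str:
    """Only the (scrubbed) title and description go into the prompt."""
    return (
        "You are assisting a Microsoft Sentinel analyst. Recommend remediation "
        "steps for the following incident.\n"
        f"Title: {scrub(incident.title)}\n"
        f"Description: {scrub(incident.description)}\n"
        "Remediation recommendation:"
    )


def build_completion_request(incident: SentinelIncident, api_key: str) -> dict:
    """HTTP request the Logic App would send; the key travels only in the header."""
    return {
        "url": OPENAI_COMPLETIONS_URL,
        "headers": {"Authorization": f"Bearer {api_key}",
                    "Content-Type": "application/json"},
        "body": {"model": MODEL, "prompt": build_prompt(incident),
                 "max_tokens": 300, "temperature": 0.2},
    }


def extract_recommendation(response: dict) -> str:
    choices = response.get("choices") or []
    if not choices:
        raise ValueError("no completion returned")
    return choices[0].get("text", "").strip()


def build_incident_comment(incident_id: str, recommendation: str) -> dict:
    """Constructed shape for the comment written to the Activity Log pane."""
    return {"incidentId": incident_id,
            "message": "OpenAI remediation recommendation:\n" + recommendation}


def run_playbook(incident: SentinelIncident, api_key: str,
                 send: Callable[[dict], dict]) -> dict:
    request = build_completion_request(incident, api_key)
    recommendation = extract_recommendation(send(request))
    return build_incident_comment(incident.incident_id, recommendation)


def fake_openai(request: dict) -> dict:
    """Offline stand-in for the HTTP call; returns a canned completion."""
    return {"choices": [{"text": " Verify the connector's credentials and that "
                                 "the data source is still emitting logs."}]}


# Constructed sample incident, modelled on a "data stopped flowing" rule.
SAMPLE_INCIDENT = SentinelIncident(
    incident_id="constructed-0001",
    title="Data stopped flowing: Azure Activity connector",
    description=("No Azure Activity records ingested in the last 24 hours. "
                 "Last seen from host 10.0.0.12, contact admin@contoso.example."),
    entities=[{"kind": "Account", "name": "admin@contoso.example"}],
)

if __name__ == "__main__":
    print(build_prompt(SAMPLE_INCIDENT))
    print(run_playbook(SAMPLE_INCIDENT, "sk-REPLACE_ME", fake_openai))
```

Swapping `fake_openai` for a real HTTP call is the only change needed to run it live; everything that decides what leaves the tenant is in `build_prompt` and `scrub`, which is where a review of the playbook should concentrate.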
As an example of what you can expect as a return, I have a set of rules that run to report when data stops flowing for the different connectors. I ran the Playbook on one of the Incidents generated from these rules.
Here’s an example of a return I received recently:
As you start building your own implementation of this, you can use the OpenAI Logic App Connector reference: OpenAI (Independent Publisher) - Connectors | Microsoft Learn
It’s definitely early days with this. I’ve lived long enough to get a sense that it’s like the era of the CB radio when all the geeks of the day housed these massive radios in their basements and hulking antennas on their roofs just to talk to someone a continent away for free. For those quite a bit younger than me, it could be better related to the release of the first iPhone or the introduction of the Cloud.
Others, of course, will suggest it’s just the next hyperbolic, industry buzz term. But no matter what form it takes in the future, AI is here to stay. Investing efforts into learning more about it is definitely recommended.
Whatever you come up with, I’d be fantastically happy to hear about it.