Welcome to this exciting sprint, where our primary goal is to seamlessly bring platforms together and integrate them, unlocking a new level of power for your Security Information and Event Management capabilities.

Integration Description
Microsoft Teams Seamless connection for unified communication and collaboration, enabling real-time collaboration, information sharing, and swift threat response.
Threat Intelligence Integration of real-time threat data, enhancing SIEM's ability to detect and respond promptly to potential security incidents, staying ahead of adversaries.
OpenAI Introduction of OpenAI integration, bringing advanced natural language processing and machine learning capabilities to enhance automated threat detection, trend analysis, and proactive risk management.
Version Control Use Git to SecOperate Done as code— last sprint.

A Unified Approach #

The synergy of integrating Microsoft Teams, Microsoft Threat Intelligence, and OpenAI creates a holistic and unified approach to SIEM.

Your security ecosystem is no longer siloed, but rather interconnected and fortified with the strengths of each integrated platform.

This holistic integration ensures that your SIEM not only detects and responds to threats effectively but also facilitates collaboration, intelligence sharing, and continuous improvement.

Benefits of Integration #

By embracing this comprehensive integration, you can expect:

  • Improved collaboration among security teams.
  • Real-time access to Microsoft Threat Intelligence data.
  • Enhanced natural language processing and machine learning capabilities.
  • Proactive threat detection and mitigation.
  • A unified and streamlined SIEM experience.

Empower your security operations with the fusion of Microsoft Teams, Microsoft Threat Intelligence, and OpenAI.

Together, let's redefine what's possible in the world of cybersecurity.

Integrate A Communication Tool #

We've laid the groundwork for all the technological foundations, empowering you to approach this process confidently and with a sense of familiarity.

Teams is cool

Microsoft Teams is a collaboration platform widely used for communication and collaboration within organizations.

The primary objective of this integration is to streamline communication and incident response within the organization by connecting incidents with Teams group chat.

Implementation #

The process is extremely straightforward. We will implement this using playbook logic app, allowing for manual application as we've learned in handling incidents and, alternatively, enabling automation to ensure it is sent to a team chat e.g. each time an incident is created or updated.

The Go DIY Approach #

I've provided you with sufficient information; now it's your turn to translate it into your own logic app. I apologize if you find it challenging. Take the initiative to overcome this hurdle—it's all you need.

Pre-Post Logic App Teams Workflow and Custom Message

Following that, launch it as an automation rule and customize it based on your team's specific preferences and conditions to get the incidents streamlined e.g. only when created.

Microsoft Teams From Sentinel Workflow #

The workflow for this integration can be summarized as follows:

  1. An incident is detected in Azure Sentinel.
  2. The Logic App is triggered by the Azure Sentinel incident on automation rules.
  3. The Logic App retrieves incident details and formats a message.
  4. The formatted message is sent to the designated Microsoft Teams group chat.
  5. Relevant stakeholders in the Teams channel are notified in real-time.

Post Sentinel Incidents To Microsoft Teams

The handle above is redacted.

Actually, I performed the entire flow; however, a coworker wanted to authenticate with his credentials and take the lead, so he did.

Feel free to craft the message according to your preferences.

The integration of Microsoft Teams group chat with Azure Sentinel incidents using Logic Apps enhances the organization's ability to respond to security incidents promptly and collaboratively.

This streamlined communication channel contributes to a more effective incident response process.

Integration With Threat Intelligence #

Microsoft has recently introduced a new threat intelligence product called "Threat Analytics" as part of its Defender product suite.

This innovative addition to their offerings is fresh for this year.

As the author stays updated on the latest advancements, he'll guide you there.

Threat intelligence refers to information and analysis about potential cyber threats and risks that could pose harm to an organization's assets, systems, or overall security posture.

This information is collected, processed, and disseminated to help you understand the nature of cyber threats, anticipate potential attacks, and enhance their ability to prevent, detect, and respond to security incidents.

A Really One Click Guide #

This connector, which is currently in public preview, offers an innovative solution by seamlessly integrating Sentinel with Microsoft Defender Threat Intelligence, also known as Threat Analytics.

The Connector provide the built-in TI Defender solution and brings a new level of synergy and efficiency to the realm of cybersecurity with a very basic setup.

  1. Locate the connectors like we previously explained in sprint one.
  2. In the connector search bar, direct your attention to this area and type in "Microsoft Defender Threat Intelligence."

Microsoft Threat Analytics Built-In Connector

Integration is a breeze—no complexities, just simplicity.

Verify TI Integration #

You can verify the availability of the connector by checking the logs and type a TI query.

  1. Access the logs in the left pane and write TI query.

Microsoft Sentinel Threat Intelligence Custom Query

  1. Look for any error messages or warnings that might indicate connectivity issues.
  2. Analyze the log entries to identify the cause of the problem.
  3. Pay attention to timestamps to determine when the issue occurred if there are any.

The quality was low because I initially delivered it as a doc file in word and when I needed them elsewhere, I retrieved from there, hence the compromised visibility.

PS: I managed to retrieve the real one and it is below.

Microsoft Sentinel Threat Intelligence Custom Query

Verify Using TI Indicators #

  1. Once the connector is in place, you will have the required data source.
  2. Click on "Threat Analytics" for TI source equals Microsoft Defender TI.

Defender Threat Intelligence SIEM Indicator

  1. To narrow down the results specifically to those originating from the Microsoft Defender Threat Intelligence source, you can apply a relevant filter.

Locate the filtering options within the TI interface, which is in the navbar. You will have the required indicators listed as shown above in the figure.

SIEM Theat Intelligence Notify #

The connector has a built-in rule to trigger alerts coming from DTI to Sentinel.

Defender Threat Intelligence SIEM Analytics Rule

The connector is equipped with a built-in rule specifically designed to trigger alerts when receiving data from DTI and forwarding them to Sentinel.

  1. Purpose of the Built-in Rule:
    • The primary objective of the built-in rule is to facilitate seamless alerting and monitoring between DTI and Sentinel.
    • It ensures that critical events or conditions detected by DTI are promptly relayed to Sentinel for further analysis and action.
  2. Configuration and Activation:
    • It ensures that critical events or conditions detected by DTI are promptly relayed to Sentinel for further analysis and action.
  3. Alert Triggering Mechanism:
    • The built-in rule within the connector is programmed to identify specific events or criteria that warrant alert generation.
    • This mechanism ensures that only relevant and critical events trigger alerts, minimizing noise and enhancing response efficiency.
  4. Alert Routing to Sentinel:
    • Once the built-in rule detects an event that meets the predefined criteria, it automatically generates an alert.
    • The alert is seamlessly routed to Sentinel, ensuring a centralized and organized platform for further analysis and action.

The alert is then seamlessly routed to Sentinel, a powerful monitoring and analysis platform, for further processing. The connector leverages integration capabilities to establish a secure and reliable connection with Sentinel.

Note: For further analysis, the alerts can be customized and enriched within Sentinel using additional playbooks or workflows.

This integration ensures that security teams have access to timely and actionable insights, enabling them to respond effectively to emerging threats and security incidents.

Visualize TI in SIEM #

DTI also has a workbook for insights on Microsoft Defender Threat Intelligence, get it.

Get The Built-In Threat Intelligence Workbook

The workbook serves as a comprehensive tool, offering an intricate view of the currently available Threat Intelligence (TI) sources. It goes beyond a mere list, providing detailed insights into each TI source's attributes, capabilities, and relevance to your cyber vision.

Defender Threat Analytics Realtime Dashboards

You can make better SIEM decisions that align with your organization's security objectives, ensuring a robust and proactive approach to threat detection and mitigation and here is an integration of threat intelligence with Cloud Apps:

Cloud Apps

Microsoft Defender Threat Analytics #

This solution built in the defender platform provides organizations with valuable insights and proactive defense against cyber threats.

Microsoft Defender Threat Analytics Platform

Microsoft Defender Threat Analytics, powered by the acquisition of RiskIQ, offers organizations the following key benefits:

  • Comprehensive Threat Visibility: Gain deep visibility into your organization's threat landscape.
  • Advanced Threat Detection: Detect and mitigate sophisticated cyber threats effectively.
  • Proactive Defense: Take proactive measures to strengthen your security posture.
  • Incident Response Readiness: Enhance your organization's preparedness to respond promptly and effectively to security incidents.
  • Continuous Monitoring and Adaptation: Implement continuous monitoring strategies and adapt your security measures to evolving cyber threats.

Service

The home page serves as a comprehensive dashboard that offers valuable insights into various aspects related to incidents triggered by threat intelligence.

In addition, it provides a wide range of information regarding the threat level and other pertinent details.

The threat analytics view provides a comprehensive interface for consulting and investigating high-level attacks.

The platform provides a detailed investigation process and great security—employ it and in case you need this section singular.

Integration With OpenAI #

Welcome to our cutting-edge integration, where we harness the power of the latest advancements in AI for our security operations.

Here is a brief view I want you to just look at.

These instructions presume that you have grasped the core concepts covered in the previous sprints because we will use core services already exposed as follow:

Sentinel and OpenAI, The Integration Of The Future

We are designing our workflows as Logic Apps, bundled as security playbooks.

These will be manually triggered against incidents initially and, eventually, automated through security rules based on created or updated incidents as per specifications.

  • Enhanced Incident Understanding: OpenAI's analysis contributes to a more comprehensive understanding of the incident by providing additional insights and context.
  • Standardized Response: The dynamically generated playbook ensures a standardized and efficient response to various incident types.
  • Adaptive Learning: Over time, the integration with OpenAI enables adaptive learning, allowing the system to continually improve its responses based on evolving incident patterns.
  • Increased Efficiency: The automation of security playbooks streamlines incident response processes, reducing manual efforts and enhancing overall operational efficiency.
  • Proactive Threat Mitigation: By leveraging AI-driven insights, the integration facilitates proactive threat mitigation strategies, identifying and addressing potential security issues before they escalate.

Coming next, action time illustrating how this innovative integration not only improves incident response but also sets the stage for a proactive and adaptive security framework.

Translating Architecture into Actionable Workflow #

As you can observe, we have translated the previously provided architecture into an actionable workflow ready for implementation.

Complete Custom LogicApp OpenAI Workflow

These were also posted by the company authorities.

You may as well consider trying with something more minimal like the above. It took me sometimes to get it right at first so make sure you give patience while you recover from mistakes as this is pretty normal.

Synergizing Security and AI: #

Upon successful execution, you'll see the enlightenment reflected on your incident dashboard based on your specific preferences.

Innovation-Driven Incident Response With OpenAI

This improvement empowers security teams to gain clearer insights into investigations, identify proactive measures for protection, and conduct more effective questioning and investigations, let's help you do it step by step at your own pace.

Add a New Step to the Incident Connector #

If you've developed an incident trigger playbook following the guidance provided in SOAR sprint, you should be equipped with a solitary connector for Sentinel incidents.

This step involves integrating OpenAI into the incident response workflow by adding a specific action related to GPT-3 to that Pre made Incident Connector.

  1. Search for OpenAI and select the action related to "GPT3 Completes your prompt."
  2. Create a connection by assigning your API key from the OpenAI platform.

Obtain OpenAI API Key #

In this section, we'll authenticate OpenAI with Logic App by extracting the token from the OpenAI platform and injecting it into the Logic App action connector.

Follow these steps to get the API key from OpenAI:

  1. Sign in or up to the openai platform.
  2. On the left side bar menu, click API Keys.
  3. API Keys Windows opens, Click Create new secret.

Create API Secret From OpenAI Platform

  1. Copy the obtained key, and go straight back to Logicapp.
  2. Insert it in the GPT action connector as "Bearer ."

This now ensures the playbook has the necessary authorization to access OpenAI's services and use the model.

In case you find the instructions hard, you can always access using the following URL: OpenAI API Keys

Design the Action Prompt #

This step involves crafting a prompt that leverages incident-specific info from OpenAI.

  1. In your action, design the prompt according to your preferences.
  2. Utilize variables such as incident attributes (e.g., tactics, severity, name) to customize the prompt.

Incident and OpenAI Completion Connectors

The output is visible within the Logic App and the OpenAI platform, but there's nothing on your incident dashboard—yet, the truth will soon emerge.

Send Output to Sentinel Incident #

At this juncture, we initiated the incident trigger connector. Subsequently, we incorporated an action featuring prompt.

The 3rd logical connector involves appending it as a comment to your incident dashboard to mind-map the demonstrated process.

  1. From the designer add an action to the GPT connector.
  2. To view the results in the Sentinel incident, use the "Add comment to incident logic app connector."
  3. Re-examine your prompt design before shipping.
  4. When ready, save the LogicApp.

Add Sentinel Incident Comment Connector To Your Flow

This now integrates the output into the incident for further analysis and visibility.

Feel free to finalize the workflow and explore additional connectors, such as those included in the initial complete flow I created.

With that, we should have all three nodes aligned, ensuring that our valuable data is delivered to the product as a comment thanks to the latter.

Trigger an Incident #

Testing ensures that our playbook functions correctly and interacts with OpenAI as intended.

  1. After designing the prompt, save the playbook.
  2. Manually test the playbook.
  3. Check the incident activity logs.

OpenAI Resolved Incident Tactics and Techniques

  1. Consult the Task pane for more information about the target incident.

OpenAI Prompt Design and Incident Shoot

For those unfamiliar with the testing process, please consult the instructions provided in the previous sprint, where we detailed how to manually and auto-run workflows.

Automate OpenAI Target Incident #

What if we want every newly created incident to undergo this workflow, ensuring the application of OpenAI integration for enhanced value and enrichment? That's precisely what we'll be implementing.

OpenAI Rule Trigger, Condition and Action Spec

We'll follow the same steps as before—create an automation rule, grant the necessary Sentinel permissions to the playbook, and assign it to our rule for activation.

This process unlocks the potential we designed and delivered for your benefits.

  1. You can trigger based on incident create or update.
  2. For conditions, let the incident equals all and analytics rules contain all.
  3. For actions, specify the playbook intended for that flow.
  4. Click apply to confirm the automation rule.

OpenAI Automation Rule Listed in Sentinel

I also requested Azure OpenAI service from Microsoft when it was strictly limited to partners for my previous startup, thanks to my great friendship with Houssem, who provided a referral, allowing us to gain exclusive access afterwards that kept to be of a great use as of this writing.

A while later, I used this powershell script to get the interesting feedback above regarding our environment running the latest innovation of AI. I passed it our canadian company subscription and it provided us with an excel file with 4 sheets and a great DRAWIO architecture.

However, architectures are always best when they are self-imposed and interpreted based on your unique experience. Here’s how to get started designing yourself.

Regarding subscriptions, there is also a tool that prints your organization's Azure costs via the CLI.

Exploring Integration and Beyond #

With this milestone achieved, everything will operate more seamlessly from now on.

This effectively unleashes the full potential of the architecture the author again conceived and delivered for your benefit.

The integration of OpenAI for incident enhancement using a playbook enriches the incident response process. We are leveraging natural language processing.

You can also benefit from better incident understanding and more efficient and standardized response procedures.

Moreover, by staying updated on the latest threats through shared cyber intelligence using Defender Threat analytics and ensuring the seamless flow of all incidents into the necessary entity Teams chat, we can say that this chapter serves as your literal enabler.

A Glimpse into the Pre-Final Sprint #

Sprint VI has been a creative journey of customization and integration.

We have taken significant steps to enhance our security systems, making them uniquely tailored to our needs and fortified against potential threats.

Taking a moment to Reflect on Sprint Number Four

As we look ahead, we remain committed to achieving the highest levels of security and efficiency and help you a bit—to the best of one's ability in doing the same.