Streamline Incident Response with Azure OpenAI Automation

Table of Contents

1. Introduction
2. Manual Execution of Playbooks in Sentinel Environment
3. Creating an Automation Rule for Incident Handling
4. Viewing Full Details and Recommendations
5. Evaluation of User Account and Identifying Patterns
6. Mitigating Alerts and Malicious Activity
7. Tasks and Steps from Azure Open AI
8. KQL Queries for Relevant Information
9. Utilizing MITRE Framework Tactics
10. Value Add and Benefits of Automation with Open AI

Introduction

In this article, we will explore the capabilities and benefits of using automation with Open AI in incident response and planning. We will discuss manual execution of playbooks in the Sentinel environment, creating automation rules for incident handling, and viewing full details and recommendations. Additionally, we will cover evaluating user accounts, identifying patterns, mitigating alerts and malicious activity, utilizing tasks and steps from Azure Open AI, running KQL queries for relevant information, and leveraging MITRE framework tactics. Let's dive in!

Manual Execution of Playbooks in Sentinel Environment

Before we delve into automation, let's understand how to manually execute playbooks in the Sentinel environment. By simply clicking on a specific incident, you can access the "Action" button and choose the "Run Playbook" option. This will trigger the selected playbook or logic app within the Sentinel environment. This allows you to perform predefined steps and actions to handle the incident effectively. We will explore this further in the following sections.

Creating an Automation Rule for Incident Handling

To streamline the incident handling process, it is beneficial to create automation rules that automatically trigger playbooks for each incident. By going to the Automation section in Sentinel, you can create an automation rule with default options. By providing a name and selecting the desired trigger, such as "Azure Open AI Playbook," you can ensure that the playbook is executed for every incoming incident. This automation rule eliminates the need for manual intervention and ensures consistent response across all incidents.

Viewing Full Details and Recommendations

Once a playbook has been executed for a specific incident, it is essential to review the full details and recommendations provided by the automation. By clicking on the incident and selecting "View Full Details," you can gain insights into the actions performed and recommendations for mitigating the incident. This detailed information is valuable in understanding the incident, assessing the severity, and formulating an appropriate response plan. The recommendations often Align with the MITRE framework tactics, which enhances the effectiveness of incident handling.

Evaluation of User Account and Identifying Patterns

One of the key aspects of incident handling is the evaluation of user accounts and identifying patterns within the data. The automation provided by Azure Open AI allows for the evaluation of the user account that logged in and attempts to identify any malicious activities or patterns in the data. This includes detecting phishing attempts or malicious links that may pose a security threat. By following the recommended steps, incident handlers can thoroughly assess the incident and take appropriate actions to mitigate the risk.

Mitigating Alerts and Malicious Activity

The tasks added by Azure Open AI provide a comprehensive set of steps to mitigate the alerts and address any identified malicious activity. These tasks cover various aspects such as evaluating the user account, identifying patterns, and determining the severity of the incident. By following these recommendations, incident handlers can effectively neutralize the threats and prevent further damage. The ability to access these standardized steps and actions greatly enhances the incident response capabilities of an organization.

Tasks and Steps from Azure Open AI

Azure Open AI offers a wide range of predefined tasks and steps that can be utilized during incident handling. These tasks provide specific actions that can be taken for different types of incidents. For example, when dealing with a failed login attempt to Azure portal, tasks may include evaluating the user account, identifying patterns, and assessing potential malicious activities. These tasks offer a systematic approach to incident response and enable incident handlers to respond promptly and accurately.

KQL Queries for Relevant Information

Another valuable feature provided by Azure Open AI is the ability to run KQL queries to Gather relevant information during incident investigation. KQL queries are recommended to check for additional insights and correlate data related to a specific alert. By running these queries, incident handlers can retrieve information that may help in identifying the root cause of the incident or provide context to the ongoing investigation. KQL queries act as a powerful tool in the incident response arsenal, enabling responders to make informed decisions.

Utilizing MITRE Framework Tactics

The integration of MITRE framework tactics enhances the incident handling process. By categorizing incidents under specific tactics, such as credential access, incident handlers can identify the exact stage the adversary is in. This categorization provides a clearer understanding of the incident and facilitates informed decision-making. Incident handlers can leverage MITRE framework tactics to guide their response and focus on the relevant steps and actions required to mitigate the incident effectively.

Value Add and Benefits of Automation with Open AI

The automation provided by Open AI with Sentinel delivers significant value and benefits to incident response and planning. By automating the execution of playbooks for each incident, incident handlers can save time and ensure consistent response across the organization. The detailed recommendations, tasks, KQL queries, and utilization of MITRE framework tactics provide a structured approach to incident handling. This, in turn, leads to faster response times, enhanced incident analysis, and improved overall security posture.

Highlights

• Manual execution of playbooks in the Sentinel environment allows for customized handling of incidents.
• Creating automation rules streamlines incident handling and ensures consistent response.
• Full details and recommendations provide insights into incidents and aid in formulating effective response plans.
• Evaluation of user accounts and identifying patterns helps in identifying potential security threats.
• Mitigating alerts and malicious activity using recommended tasks minimizes risk and prevents further damage.
• The tasks and steps provided by Azure Open AI offer a systematic approach to incident response.
• KQL queries provide additional insights and contextual information during incident investigations.
• Utilizing MITRE framework tactics enhances incident handling by categorizing incidents and guiding response actions.
• Automation with Open AI adds value by saving time, improving response times, and enhancing overall security posture.

FAQ

Q: Can automation with Open AI replace human intervention in incident handling? A: Automation with Open AI can streamline the incident handling process and minimize manual intervention, but human expertise is still necessary to assess complex situations and make strategic decisions.

Q: Are the recommendations and tasks provided by Azure Open AI customizable? A: While Azure Open AI provides predefined recommendations and tasks, organizations can customize them based on their specific requirements and security policies.

Q: Can KQL queries be used to investigate historical incidents? A: Yes, KQL queries can be utilized to investigate historical incidents and gain insights into past security events.

Q: How frequently should automation rules be reviewed and updated? A: Automation rules should be periodically reviewed and updated to align with evolving security threats and organizational requirements.

Q: Does automation with Open AI require advanced technical skills to set up and operate? A: Setting up automation with Open AI may require some technical expertise, but the user-friendly interface of Sentinel makes it accessible for security personnel with moderate technical skills.

Resources

• Azure Sentinel Documentation
• MITRE Framework
• Kusto Query Language (KQL)
• Open AI Documentation