AI: ChatGPT integration with Sentinel

January 29, 2023 by John Alves

Over the past couple of years, we have heard about AI (Artificial Intelligence). The first thing we might think of is the Matrix, Terminator, or even Jarvis in Ironman. As proven throughout history, science fiction tends to lend itself as inspiration for future advancements in technology. Take Star Trek for example, with portable communications devices – now we have cell phones. It is not a surprise that we are talking about AI in one form or another.

AI has the potential to revolutionize many industries and improve people’s lives in a variety of ways. AI can be used to create more efficient and accurate medical diagnoses, improve transportation systems, and assist with scientific research. Additionally, it can be used to create more natural and engaging interfaces for people to interact with technology. It can also be used to generate human-like text, which can be useful in a variety of applications such as content creation, customer service, and language translation. Overall, the possibilities are endless, and the field is rapidly advancing, making it an exciting area to be involved in.

Many of you have heard about ChatGPT and Microsoft’s huge investment in OpenAI. Well, it doesn’t come as a surprise that Microsoft is making a push toward AI integration with its security products.

Why is this important?

GPT opens the door to new opportunities within Sentinel. LogicApps now has a GPT-3 connector that allows you to send prompts to be processed by GPT. Thanks to Zubair Rahim we were introduced to the beginnings of AI integrations with Sentinel. Since then, I have continually taken and expanded on this basic idea of enriching the incident with actionable steps, queries, and other artifacts that would assist in the incident handling and response process.

The initial test was done using Zubair Rahim’s guide to create a Logic App that placed the Incident Title, Incident Description, and entities into a prompt and sent it to be processed by GPT-3. This returned a message that acted as a simple guide for responding to the incident.

Prompt for Incident Management
GPT-3’s response to a prompt created from a Defender for Endpoint incident ingested into Sentinel involving PyKerberoast.

This was great for the first integration. What if I wanted a quick step-by-step SOC triage playbook created for this incident? We can change the prompt to request a step-by-step list.

Prompt for a step-by-step bulleted list for managing an incident.
GPT-3’s response to a prompt created from a Defender for Endpoint incident ingested into Sentinel involving PyKerberoast, requesting a step-by-step list.

At this point, we have gotten some good responses from GPT-3. There are some issues that I experienced, however. There is a limit to the combined size of the prompt and the completion: up to 4,000 tokens between the two, where each token equates to about 4 characters of text. As we build out these prompts from the Incident Title, Description, and entities, we encounter the following error because a large prompt requests more tokens than are accepted.

This can lead to inconsistencies when using GPT-3 for Sentinel incident enrichment and response. To get around it, we can remove the incident description from the prompt, which reduces the overall prompt size. The title should be enough to produce a decent response for each incident. Granted, a multi-stage incident with a lot of entities can still cause a similar prompt-length error.

KQL from GPT-3

What if we could take it one step further? Maybe we want to provide some KQL hunting queries. It is the logical next step. In the logic app connector for GPT-3, you can create a prompt that requests a hunting query based on the Incident Title and the Entities.

Here we are requesting up to three hunting queries. The results are not bad at all. While it is not a deep hunting query, it is a good starting point.
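As an added illustration (not the post's Logic App or the OpenAI connector), the following Python sketches the prompt-building step for the three request types described above (guide, step-by-step playbook, KQL hunting queries) and applies the 4,000-token budget and the "drop the description first" workaround from the token-limit section. The incident fields, the ~4 characters-per-token estimate, and the completion reserve are assumptions for the example.

```python
# Added example: build a Sentinel incident enrichment prompt for GPT-3 and keep
# prompt + completion within the 4,000-token budget. Names and the ~4 chars/token
# estimate are assumptions; this is not the post's Logic App or connector code.
from dataclasses import dataclass, field

TOKEN_BUDGET = 4000      # shared between prompt and completion
CHARS_PER_TOKEN = 4      # rough estimate from the post

PROMPT_STYLES = {
    "guide": "Provide an incident management guide for the following Sentinel incident.",
    "steps": "Provide a step-by-step bulleted SOC triage playbook for the following Sentinel incident.",
    "kql": "Provide up to three KQL hunting queries for the following Sentinel incident.",
}


@dataclass
class Incident:
    title: str
    description: str
    entities: list = field(default_factory=list)   # e.g. ["Account: jdoe", "Host: WS01"]


def estimate_tokens(text: str) -> int:
    """Approximate token count at about 4 characters per token (ceiling)."""
    return -(-len(text) // CHARS_PER_TOKEN)


def build_prompt(inc: Incident, style: str, include_description: bool = True) -> str:
    """Assemble the prompt from title, optional description and entity list."""
    parts = [PROMPT_STYLES[style], f"Incident title: {inc.title}"]
    if include_description and inc.description:
        parts.append(f"Incident description: {inc.description}")
    if inc.entities:
        parts.append("Entities:\n" + "\n".join(f"- {e}" for e in inc.entities))
    return "\n".join(parts)


def build_prompt_within_budget(inc: Incident, style: str, max_completion: int = 500):
    """Return (prompt, dropped_description). Reserve room for the completion,
    and drop the description first when the budget would be exceeded."""
    allowed = TOKEN_BUDGET - max_completion
    prompt = build_prompt(inc, style, include_description=True)
    if estimate_tokens(prompt) <= allowed:
        return prompt, False
    prompt = build_prompt(inc, style, include_description=False)   # title + entities only
    if estimate_tokens(prompt) <= allowed:
        return prompt, True
    # Many entities can still overflow; surface it instead of sending a failing call.
    raise ValueError(f"prompt needs ~{estimate_tokens(prompt)} tokens; budget is {allowed}")
```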

You can pull this ARM template from my GitHub and test it out.

What’s next?

We have added the ability to dynamically provide a text response that acts as a simple incident management guide or step-by-step guide, and we have also managed to add basic KQL queries to the comments of these incidents. Features and capabilities like those above will add value to current SOCs. Some might say that this would mean fewer analysts are needed, but this is not the case. AI is meant to improve our processes. Providing a simple incident management guide could speed up triage during incident response. Adding KQL queries, for instance, provides the analyst a starting point from which to build deeper, more intricate queries to hunt for and correlate against other logs and incidents.

As AI progresses and evolves (not the way it does in the Matrix), we will begin to see more and more integrations in various parts of the Information Security and Information Technology world. It will help augment the abilities of IT and Security departments and should be seen as a value add, not a replacement for analysts and personnel. We will still need the human factor to truly investigate, understand human nuances, and make decisions. Take it from RoboCop: we still need the human factor.