Azure AI Foundry 1. ChatGPT - Deployment

  • Michael He
  • Oct 10
  • 3 min read

Updated: Oct 10

For production, you might consider the other two options.



Now let's move to the AI Foundry portal at ai.azure.com.


Here you will find your URI and API Keys:

Let the AI generate the system prompt: click "Generate system prompt", enter "I am a cyber security expert, and I need assistance in investigation", then click send.

Now we can use the new URI and API key.




I am using the "Azure-ChatGPT-Playbook" option.

At the Resource Group level, open IAM and assign the "Microsoft Sentinel Responder" role to the Logic App/Playbook, in our case "Azure-ChatGPT-Playbook-demo-PH".

Since we imported this playbook, we also need to authorize the playbook's privileges.

Now we need to modify the playbook with our AI deployment's URI and API key (both can be found in Azure AI Foundry > Deployment).
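As an added example (not the page's or the playbook's own code), this is the call the playbook makes to the deployment, in Python: it posts the incident to the Target URI with the key in the `api-key` header and the generated system prompt, then extracts the model's reply for posting as an incident comment. The environment-variable names and the incident fields are assumptions.

```python
import json
import os
import urllib.request

# Constructed example; not the playbook's own code. The system prompt is the one
# generated on the page; the env-var names and the incident dict are assumptions.
SYSTEM_PROMPT = "I am a cyber security expert, and I need assistance in investigation"


def build_request(target_uri: str, api_key: str, incident: dict) -> tuple[str, dict, dict]:
    """Return (url, headers, body) for one chat-completions call.
    target_uri is the full Target URI from Azure AI Foundry > Deployment (it already
    carries deployment name and api-version). The key goes in the 'api-key' header,
    which is how the Azure OpenAI REST endpoint authenticates; never put it in the prompt."""
    headers = {"Content-Type": "application/json", "api-key": api_key}
    # Same fields the Sentinel playbook passes: the title plus the incident's entities.
    user_text = (
        f"Incident title: {incident['title']}\n"
        f"Entities: {', '.join(incident['entities'])}\n"
        "Analyse the incident, score the likelihood of threat from 0 to 100 and "
        "list actionable next steps."
    )
    body = {
        "messages": [
            {"role": "system", "content": SYSTEM_PROMPT},
            {"role": "user", "content": user_text},
        ],
        "temperature": 0.2,  # low temperature keeps the triage write-up stable
    }
    return target_uri, headers, body


def extract_comment(response: dict) -> str:
    """Pull the assistant text out of a chat-completions response; this is what the
    playbook writes back to the Sentinel incident as a comment."""
    return response["choices"][0]["message"]["content"].strip()


def post_to_deployment(target_uri: str, api_key: str, incident: dict) -> str:
    """Send the incident to the deployment and return the model's recommendation."""
    url, headers, body = build_request(target_uri, api_key, incident)
    req = urllib.request.Request(url, data=json.dumps(body).encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=60) as resp:
        return extract_comment(json.load(resp))


if __name__ == "__main__":
    # URI and key come from the environment (assumed names), as the playbook reads them from its config.
    sample = {"title": "Sign-ins from IPs that attempt sign-ins to disabled accounts",
              "entities": ["175.45.176.99"]}
    print(post_to_deployment(os.environ["AZURE_AI_TARGET_URI"], os.environ["AZURE_AI_API_KEY"], sample))
```

The model's reply is advice for the analyst, so treat steps such as blocking an address as a recommendation to verify, not an action to automate blindly.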

Now let's run this playbook against an incident.

For example:

This message was created by ChatGPT and contains recommendations for the incident:


### **Analysis of the Incident**

#### **Incident Overview**
- **Title**: Sign-ins from IPs that attempt sign-ins to disabled accounts.
- **Entity of Interest**: IP address `175.45.176.99`.
- **Key Concern**: The IP address attempted to sign in to a disabled account, which is suspicious behavior as legitimate users should not be targeting disabled accounts.

#### **Logs and Sign-in History**
- **Sign-in History for the User**: No sign-in history is provided for the user associated with this incident.
- **MFA Changes**: No changes to Multi-Factor Authentication (MFA) settings are reported.

#### **Evaluation of the IP Address**
- The IP address `175.45.176.99` is flagged as the entity of interest.
- There is no evidence provided in the logs that this IP address has been previously associated with legitimate user activity.
- The lack of sign-in history for the user or prior association of the IP address with legitimate activity makes it difficult to classify this as a benign positive.
- The attempt to access a disabled account is inherently suspicious, as this behavior aligns with tactics used in reconnaissance or brute-force attacks.

#### **Analysis Based on Available Data**
1. **Benign Indicators**:
   - None identified. There is no evidence that the IP address has been used previously by the legitimate user or that the sign-in attempt is part of expected activity.

2. **Threat Indicators**:
   - The IP address attempted to sign in to a disabled account, which is not typical of legitimate user behavior.
   - The absence of any sign-in history or MFA changes suggests that this activity is anomalous.
   - The IP address `175.45.176.99` should be checked against threat intelligence databases to determine if it is associated with known malicious activity.

3. **Contextual Concerns**:
   - The lack of sign-in history or MFA changes does not provide any supporting evidence to classify this as a false positive.
   - Disabled accounts are often targeted by attackers for reconnaissance or to exploit misconfigurations.

---

### **Findings**

| **Category** | **Details** |
|--------------|-------------------------------------|
| **IoC Type** | Suspicious IP Address |
| **Entity** | `175.45.176.99` |
| **Behavior** | Attempted sign-in to a disabled account |
| **Sign-in History** | No prior sign-in history for the user or association with the IP address. |
| **MFA Changes** | No changes reported. |
| **Threat Intelligence**| Unknown (further investigation required). |

---

### **Score**
**Likelihood of Threat**: **85/100**
- This incident is highly likely to be an active threat due to the suspicious behavior of the IP address and the lack of any benign indicators.

---

### **Actionable Next Steps**

1. **Immediate Containment**:
   - Block the IP address `175.45.176.99` at the network perimeter or firewall to prevent further attempts.
   - Check if the IP address is associated with other suspicious activities in your environment.

2. **Threat Intelligence**:
   - Query the IP address `175.45.176.99` in threat intelligence platforms (e.g., VirusTotal, AbuseIPDB, AlienVault OTX) to determine if it is associated with known malicious campaigns.

3. **Audit and Monitoring**:
   - Review logs for other sign-in attempts targeting disabled accounts.
   - Enable advanced auditing for all sign-in attempts, especially those targeting sensitive or disabled accounts.

4. **Account Security**:
   - Verify that the disabled account is properly secured and not accessible due to misconfigurations.
   - Ensure that all accounts (including disabled ones) are protected with strong authentication policies.

5. **Incident Escalation**:
   - If additional suspicious activity is detected, escalate to the Incident Response (IR) team for further investigation.

6. **Proactive Measures**:
   - Conduct a review of all disabled accounts and ensure they are properly decommissioned.
   - Strengthen account lockout policies to mitigate brute-force attempts.

---

### **Conclusion**
Based on the available data, this incident is highly likely to be an active threat. The lack of benign indicators, combined with the suspicious behavior of the IP address, warrants immediate containment and further investigation.
