Azure Sentinel 4. Incident Comments + ChatGPT

We are feeding incident comments to ChatGPT this time. Please see my previous blogs for ChatGPT and Sentinel Integration

• Sentinel & ChatGPT Integration

• Sentinel Raw Logs & ChatGPT Integration

Create a Comment Query variable

Fill in the value with this query:

SecurityIncident
| where IncidentNumber == <Incident Sentinel ID> and Comments != ""
| where TimeGenerated > ago(30d)
| top 1 by TimeGenerated desc  
| mv-expand Comments
| project Comment = Comments.message

Create a variable to store the comment query results

Create an Azure Monitor action:

Now assign the outputs into a variable and use it inside the user prompt

Modify user prompt:

Now let's run this playbook against an incident (better to have a previously AI i.e. VirusTotal generated comments, but it's not required!)

This message was created by ChatGPT and contains recommendations for the incident.


Based on the evidence provided, this incident has a **high likelihood of being a legitimate threat**. Here's a detailed breakdown and final threat rating:

---

## 🔍 Summary of Key Indicators

| Indicator | Value | Threat Relevance |
|----------|-------|------------------|
| **Domain Queried** | `avsvmcloud.com` | ✅ Known Solorigate/SUNBURST C2 domain |
| **IP Address** | `17.81.146.1` | ⚠️ Associated with Apple ASN (ASN714), but seen in DNS responses for `avsvmcloud.com` |
| **DNS Resolution** | Successful (NOERROR) | ✅ Indicates internal systems attempted to resolve the malicious domain |
| **Event Source** | Cisco Umbrella DNS logs | ✅ Reputable source confirming DNS queries |
| **Event Action** | Allowed | ⚠️ DNS query was not blocked, indicating potential exposure |
| **Reputation Check** | `avsvmcloud.com` is confirmed malicious | ✅ High confidence from multiple threat intel sources |
| **Time of Activity** | 2019-09-12 | ⚠️ Pre-dates known Solorigate campaign (which began around March 2020), but could indicate early beaconing or false timestamp |
| **Endpoint Context** | Missing | ❌ No hostnames, process names, or user accounts provided |
| **SolarWinds Orion Presence** | Unknown | ❓ No confirmation of SolarWinds deployment on affected systems |

---

## ⚖️ Threat Likelihood Assessment

| Factor | Weight | Score (0–10) | Weighted Score |
|--------|--------|--------------|----------------|
| Known malicious domain (`avsvmcloud.com`) | 25% | 10 | 2.5 |
| DNS resolution from internal systems | 20% | 9 | 1.8 |
| IP reputation (`17.81.146.1`) | 10% | 5 | 0.5 |
| Lack of endpoint telemetry | 15% | 3 | 0.45 |
| Timing mismatch (2019 vs. 2020 campaign) | 10% | 4 | 0.4 |
| Threat intelligence correlation | 20% | 9 | 1.8 |

**Total Threat Score: 7.45 / 10 → 74.5 / 100**

---

## 🧠 Final Threat Rating

**🔴 Threat Likelihood: 75 / 100**

This incident is **likely a legitimate threat** and should be treated as a **high-priority security event**. The presence of DNS queries to a known Solorigate C2 domain (`avsvmcloud.com`) is a strong indicator of compromise, even if endpoint context is missing.

---

## 🛡️ Recommended Immediate Actions

1. **Isolate** any systems that queried `avsvmcloud.com`.
2. **Block** the domain and IP at DNS and firewall levels.
3. **Investigate** affected endpoints using EDR or forensic tools.
4. **Verify** if SolarWinds Orion was deployed and whether it was vulnerable.
5. **Report** the incident to internal stakeholders and, if applicable, to external authorities (e.g., CISA, MS-ISAC).

Let me know if you need help with KQL queries, IOC searches, or forensic triage.