Azure Sentinel 3. Raw Logs + ChatGPT
- Michael He
- Oct 9
- 3 min read
Updated: Oct 10

Modify the previously built ChatGPT Logic App (see my earlier blog post: ChatGPT Logic App) with the following steps:

1. Create an "Alert Query" variable.
2. Create an "Alert Query Result" variable.
3. Create a Set variable action, "Set Alert Query".
4. Create a Log Analytics Workspace action to run the query.
5. Create an Append to string variable action to store the raw logs.
6. Modify the ChatGPT User Prompt variable.
7. Run the ChatGPT playbook against an incident.
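The steps above as a single Logic App workflow-definition fragment. This is an added example, not the author's exported playbook: it assumes the variables are named `AlertQuery`, `AlertQueryResult` and `UserPrompt`, an Azure Monitor Logs API connection named `azuremonitorlogs`, and the Microsoft Sentinel incident trigger (so `triggerBody()` carries the incident number). The subscription, resource group and workspace values are placeholders, and the KQL in `Set_Alert_Query` is a constructed query that pulls the alerts linked to the triggering incident.

```json
{
  "actions": {
    "Initialize_Alert_Query": {
      "type": "InitializeVariable",
      "runAfter": {},
      "inputs": {
        "variables": [ { "name": "AlertQuery", "type": "string", "value": "" } ]
      }
    },
    "Initialize_Alert_Query_Result": {
      "type": "InitializeVariable",
      "runAfter": { "Initialize_Alert_Query": [ "Succeeded" ] },
      "inputs": {
        "variables": [ { "name": "AlertQueryResult", "type": "string", "value": "" } ]
      }
    },
    "Set_Alert_Query": {
      "type": "SetVariable",
      "runAfter": { "Initialize_Alert_Query_Result": [ "Succeeded" ] },
      "inputs": {
        "name": "AlertQuery",
        "value": "SecurityIncident\n| where IncidentNumber == @{triggerBody()?['object']?['properties']?['incidentNumber']}\n| summarize arg_max(TimeGenerated, *) by IncidentNumber\n| mv-expand AlertId = AlertIds\n| extend AlertId = tostring(AlertId)\n| join kind=inner (SecurityAlert | project SystemAlertId, AlertName, Description, Entities, ExtendedProperties) on $left.AlertId == $right.SystemAlertId\n| project AlertName, Description, Entities, ExtendedProperties"
      }
    },
    "Run_query_and_list_results": {
      "type": "ApiConnection",
      "runAfter": { "Set_Alert_Query": [ "Succeeded" ] },
      "inputs": {
        "host": {
          "connection": { "name": "@parameters('$connections')['azuremonitorlogs']['connectionId']" }
        },
        "method": "post",
        "path": "/queryData",
        "body": "@variables('AlertQuery')",
        "queries": {
          "subscriptions": "<subscription-id>",
          "resourcegroups": "<resource-group>",
          "resourcetype": "Log Analytics Workspace",
          "resourcename": "<workspace-name>",
          "timerange": "Last 24 hours"
        }
      }
    },
    "For_each_row": {
      "type": "Foreach",
      "runAfter": { "Run_query_and_list_results": [ "Succeeded" ] },
      "foreach": "@body('Run_query_and_list_results')?['value']",
      "runtimeConfiguration": { "concurrency": { "repetitions": 1 } },
      "actions": {
        "Append_raw_log": {
          "type": "AppendToStringVariable",
          "inputs": {
            "name": "AlertQueryResult",
            "value": "@{items('For_each_row')}\n"
          }
        }
      }
    },
    "Set_ChatGPT_User_Prompt": {
      "type": "SetVariable",
      "runAfter": { "For_each_row": [ "Succeeded" ] },
      "inputs": {
        "name": "UserPrompt",
        "value": "Analyze the following Microsoft Sentinel incident and recommend response steps.\n\nRaw alert logs:\n@{variables('AlertQueryResult')}"
      }
    }
  }
}
```

Two design points worth keeping in mind. `Foreach` runs its iterations in parallel by default, and `AppendToStringVariable` inside a parallel loop produces rows in a nondeterministic order; the `concurrency.repetitions: 1` setting forces sequential execution so the log text the model sees is ordered. The whole `AlertQueryResult` string is sent to an external service, so keep the `timerange` narrow and the query's `project` list tight: that bounds both prompt size and the amount of telemetry leaving the tenant.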

This message was created by ChatGPT and contains recommendations for the incident.

Based on the incident data provided, the hash `d3e0384fc1e932671fcf881ca900b746195910aa4b60b390e86bb8305b542247` (SHA256) is associated with a `.docx` file that has been flagged in a threat intelligence (TI) feed as potentially malicious, with a signature match to **Formbook**, a known information-stealing malware. The VirusTotal detection rate is **50%**, indicating that half of the antivirus engines flagged it as malicious.

This situation suggests a **moderate to high-risk** alert that requires further investigation to confirm its legitimacy and potential impact.

---
## ✅ **Actionable Next Steps for Incident Response**
### 🔍 **1. Validate the Legitimacy of the Threat**
#### a. **Confirm Threat Intelligence Source**
- Verify the **reputation and reliability** of the TI feed that flagged the hash.
- Check for **additional corroborating intelligence** (e.g., from VirusTotal, Hybrid Analysis, Any.run, or other sandboxing tools).
#### b. **Analyze VirusTotal Report**
- Review the **full VirusTotal report** for:
  - Number and names of AV engines detecting the file.
  - Behavior analysis (e.g., network connections, dropped files).
  - Community comments or tags (e.g., “Formbook”, “infostealer”).
#### c. **Cross-Reference with Internal Systems**
- Search internal telemetry (EDR, SIEM, AV logs) for:
  - Any **execution or download** of the file with the hash.
  - **File path**, **user account**, **hostnames**, and **timestamps** associated with the file.
  - **Outbound connections** or **command-and-control (C2)** behavior linked to Formbook.
---
### 🧪 **2. Containment and Eradication**
#### a. **Isolate Affected Hosts**
- If the file has been executed or opened, **isolate the endpoint(s)** from the network to prevent lateral movement or data exfiltration.
#### b. **Quarantine the File**
- Ensure the file is **quarantined or deleted** by AV/EDR tools.
- If not, manually remove the file and block its hash in endpoint protection systems.
#### c. **Block Indicators of Compromise (IOCs)**
- Block the following across all security controls:
  - SHA256: `d3e0384fc1e932671fcf881ca900b746195910aa4b60b390e86bb8305b542247`
  - MD5: `c2d9176b53b5f2ac0045cf238adcaa36`
  - SHA1: `15097a57bdfea6a3c578e7d6594a8cc6133e1514`
  - Any known **Formbook C2 domains/IPs** (if identified in sandboxing).
---
### 🧾 **3. Forensic Investigation**
#### a. **Memory and Disk Analysis**
- Perform memory forensics on affected systems to detect:
  - **Injected processes**
  - **Persistence mechanisms**
  - **Credential harvesting**
#### b. **Check for Persistence**
- Look for Formbook persistence techniques:
  - Registry run keys
  - Scheduled tasks
  - Startup folder entries
#### c. **Network Traffic Review**
- Analyze historical and live traffic for:
  - **Suspicious outbound connections**
  - **Data exfiltration attempts**
  - **Connections to known Formbook infrastructure**
---
### 👥 **4. User and Email Investigation**
#### a. **Identify Initial Infection Vector**
- Check if the file was delivered via **email attachment** or **drive-by download**.
- Search email logs for:
  - Sender address
  - Subject line
  - Attachment name
#### b. **Alert Users**
- Notify users who received or interacted with the file.
- Provide guidance on recognizing phishing or suspicious attachments.
---
### 🔐 **5. Remediation and Recovery**
#### a. **Reset Credentials**
- For any affected users, **force password resets**.
- Monitor for unusual authentication activity post-reset.
#### b. **Reimage Systems (if needed)**
- If compromise is confirmed and remediation is not guaranteed, **reimage the system**.
---
### 📊 **6. Reporting and Documentation**
- Document:
  - Timeline of events
  - Actions taken
  - Systems/users affected
  - Final assessment of impact
- Submit IOCs to:
  - Internal threat intelligence repositories
  - External sharing platforms (e.g., MISP, ISACs)
---
### 🔁 **7. Post-Incident Activities**
#### a. **Lessons Learned**
- Conduct a post-mortem to identify:
  - Gaps in detection or response
  - Opportunities for automation or improved alerting
#### b. **Update Detection Rules**
- Add detection rules for:
  - Formbook signatures
  - Similar malicious Office documents
  - Suspicious child processes from Word (e.g., `winword.exe` spawning `powershell.exe`)
#### c. **User Awareness Training**
- Reinforce phishing awareness and safe document handling practices.
---
## 🔑 Key Indicators to Monitor
| Indicator Type | Value |
|----------------|-------|
| SHA256 | `d3e0384fc1e932671fcf881ca900b746195910aa4b60b390e86bb8305b542247` |
| MD5 | `c2d9176b53b5f2ac0045cf238adcaa36` |
| SHA1 | `15097a57bdfea6a3c578e7d6594a8cc6133e1514` |
| File Type | `.docx` |
| Malware Family | `Formbook` |
| VT Detection Rate | `50%` |
---
## ✅ Summary
This incident appears to be **legitimate** and potentially dangerous, given the association with Formbook and a 50% AV detection rate. Immediate containment, investigation, and remediation are warranted. The hash should be treated as **malicious** unless proven otherwise through sandboxing or false-positive validation.
Let me know if you want help drafting SIEM queries or EDR search parameters to hunt for this hash across your environment.