One of the most time-consuming steps while implementing a SIEM solution is writing and tuning the "Playbook" document – a set of reaction procedures the SOC team has to follow whenever an alert triggers.
During one of our implementation projects I stopped for a moment and thought: how can I optimize (ideally automate) Playbook execution – in a playful way?
First of all, what does a Playbook look like? Here is a basic snippet of this document:
![Playbook document](https://habrastorage.org/getpro/habr/upload_files/956/8ec/aed/9568ecaedc8f4c92aa1c4814708688e2.png)
One of the ideas I came up with was: hey, why don't we add some AI on top of it? Everyone is doing AI nowadays, aren't they? Can we automate SOC activities with a little extra help from a chatbot?
TensorFlow is one of the well-known free and open-source libraries for machine learning and deep neural networks, so it was the first thing to investigate.
OK, I forgot to mention one substantial fact: our SIEM solution (Enterprise Threat Detection, or SAP ETD) comes from SAP SE, which means it runs on SAP HANA as its platform. How can I integrate TensorFlow into the HANA platform?
Quick research confirmed that it was possible:
Tensorflow Machine Learning Model Integration with SAP HANA
Nowadays we can integrate TensorFlow even with ABAP environment:
How To Use TensorFlow Seamlessly Inside ABAP
OK, Google, that goes far beyond my humble research...
So I decided to focus on end-to-end solutions. Let's try to make use of SAP Conversational AI (CAI). Luckily, there is a trial service available, and hopefully no programming skills are necessary.
Now that I am logged on to the CAI trial, let's create a "performing actions" chatbot named "SEC", which should (at least) be able to take part in some basic conversations, such as greetings, small talk and weather:
![Steps 1-2](https://habrastorage.org/getpro/habr/upload_files/691/f61/e25/691f61e25782063948481be0a0336be7.png)
![Step 3](https://habrastorage.org/getpro/habr/upload_files/54b/4f5/661/54b4f566112f654f9575d0d3921cfdff.png)
This newly born bot can already handle some basic activities, but let's add some extra security-relevant capabilities (intents) to it:
- Initiator – collect information about the attacker's terminal id
- Username – collect information about the attacker's username
- System – collect information about the attacker's system
- Inform – inform the SAP Basis team about a possible attacker in their system
- Alert – collect information about the triggered alert
![Intents](https://habrastorage.org/getpro/habr/upload_files/e0f/a63/433/e0fa63433df86421efe5f7910e03fdd2.png)
Now we group these new "intents" into new "skills", so that our bot is able to "register alerts" and "talk to basis":
![New "skills"](https://habrastorage.org/getpro/habr/upload_files/631/0a1/52c/6310a152ccd4925707473aa18102a70f.png)
The last thing to do is, of course, bot training:
![Training is in progress](https://habrastorage.org/getpro/habr/upload_files/e2a/31f/9e5/e2a31f9e54cedb647df14e48d96b6638.png)
When training is finished, I can test the bot:
![New chatbot](https://habrastorage.org/getpro/habr/upload_files/ad5/941/80d/ad594180d750d1562b5aa1e01ef24256.gif)
When the bot says "We have blocked this terminal..." that is no joke, because one of the "talk to basis" skills calls external APIs:
![Bot reacts on true-positives](https://habrastorage.org/getpro/habr/upload_files/622/b79/176/622b79176b3ca21bf2f7de9d09d7d709.png)
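To make the "register alerts" and "talk to basis" skills concrete, here is an added example of the kind of webhook back end such a skill would call. It is not the author's code and not part of SAP CAI or SAP ETD: the JSON payload shape (`nlp.intents[].slug`, `conversation.memory`, a `replies` list in the answer), the slot names `alert`, `system`, `username`, `initiator` and `confirmed`, their validation formats, and the terminal-blocking API are all assumptions chosen for illustration. The point it adds to the story above is the defensive plumbing: every slot collected by chat is validated before it reaches an external API, the blocking call is only made for a confirmed true positive, and every step leaves an audit trail on the alert record.

```python
"""Minimal webhook back end for a SOC playbook chatbot (constructed example).

Assumptions, not taken from the article or from SAP CAI / ETD: the payload
layout, the slot names and formats, and the blocking API (injected as a
callable so it can be replaced by a ticketing call or a test double).
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Validation rules for the memory slots the bot collects. Formats are
# illustrative assumptions; tighten them to your landscape's conventions.
SLOT_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "alert": re.compile(r"[0-9]{1,10}"),              # alert number
    "system": re.compile(r"[A-Z0-9]{3}"),             # SAP system id (SID)
    "username": re.compile(r"[A-Z0-9_]{1,12}"),       # SAP user id
    "initiator": re.compile(r"[A-Za-z0-9.-]{3,64}"),  # terminal id / hostname
}


@dataclass
class AlertRecord:
    alert: str
    system: str
    username: str
    initiator: str
    status: str = "registered"
    audit: List[str] = field(default_factory=list)


def text_reply(message: str) -> dict:
    # Assumed reply shape for the webhook: a list of typed replies.
    return {"replies": [{"type": "text", "content": message}]}


class PlaybookBackend:
    """Dispatches intents to playbook actions; external calls are injected."""

    def __init__(self, block_terminal: Callable[[str, str], bool]):
        self._block_terminal = block_terminal          # (system, terminal) -> success
        self.registry: Dict[str, AlertRecord] = {}

    @staticmethod
    def slot_problems(memory: dict) -> List[str]:
        """Return a list of missing/invalid slots; empty means all good."""
        problems = []
        for slot, pattern in SLOT_PATTERNS.items():
            value = memory.get(slot)
            if value is None:
                problems.append(f"missing {slot}")
            elif not pattern.fullmatch(str(value)):
                problems.append(f"invalid {slot}")
        return problems

    def register_alert(self, memory: dict) -> dict:
        """'Register alerts' skill: validate all slots, then store the record."""
        problems = self.slot_problems(memory)
        if problems:
            return text_reply("Cannot register alert: " + ", ".join(problems))
        rec = AlertRecord(**{slot: str(memory[slot]) for slot in SLOT_PATTERNS})
        rec.audit.append("registered from chat")
        self.registry[rec.alert] = rec
        return text_reply(f"Alert {rec.alert} registered for system {rec.system}.")

    def inform_basis(self, memory: dict) -> dict:
        """'Talk to basis' skill: notify, and block only on a confirmed true positive."""
        alert_id = str(memory.get("alert", ""))
        rec = self.registry.get(alert_id)
        if rec is None:
            return text_reply(f"Alert {alert_id or '?'} is not registered yet.")
        if str(memory.get("confirmed", "")).lower() not in ("yes", "true"):
            rec.audit.append("basis informed, no action (unconfirmed)")
            return text_reply(f"Basis informed about {rec.username} on {rec.system}; awaiting confirmation.")
        if self._block_terminal(rec.system, rec.initiator):
            rec.status = "blocked"
            rec.audit.append(f"terminal {rec.initiator} blocked")
            return text_reply(f"We have blocked terminal {rec.initiator} on {rec.system}.")
        rec.audit.append("block request failed")
        return text_reply(f"Blocking {rec.initiator} failed; please escalate manually.")

    def handle(self, payload: dict) -> dict:
        """Webhook entry point: route the top intent to the matching action."""
        intents = payload.get("nlp", {}).get("intents", [])
        memory = payload.get("conversation", {}).get("memory", {})
        slug = intents[0].get("slug", "") if intents else ""
        if slug == "alert":
            return self.register_alert(memory)
        if slug == "inform":
            return self.inform_basis(memory)
        return text_reply("Sorry, I can only register alerts and talk to Basis.")


if __name__ == "__main__":
    # Constructed sample conversation, run stand-alone with a dummy blocking API.
    backend = PlaybookBackend(lambda system, terminal: True)
    print(backend.handle({"nlp": {"intents": [{"slug": "alert"}]},
                          "conversation": {"memory": {"alert": "4711", "system": "PRD",
                                                      "username": "HACKER1", "initiator": "TERM-23"}}}))
    print(backend.handle({"nlp": {"intents": [{"slug": "inform"}]},
                          "conversation": {"memory": {"alert": "4711", "confirmed": "yes"}}}))
```

Because the blocking call is a plain callable, the same back end can be wired to a real Basis API, a ticketing system, or a dry-run logger, and the `audit` list on each record gives the SOC the evidence trail a Playbook review would ask for.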
What do you think of a chatbot helping the SOC team register alerts and react to threats? Tell us in the comments.