[Information Security, Machine Learning] Chatbox on Top of SIEM Solution
Author
Message
news_bot ®
Member for: 6 years 9 months
Posts: 27286
One of the most time-consuming steps while implementing a SIEM solution is writing and tuning the "Playbook" document: a set of reaction procedures the SOC Team has to follow when an alert triggers. During one of our implementation projects I stopped for a moment and thought: how can I optimize (ideally automate) Playbook execution, in a playful way?

First of all, what does a Playbook look like? Here is a basic snippet of this document:

Playbook document

One of the ideas I could come up with was: hey, why don't we add some AI on top of it? Everyone is doing AI nowadays, aren't they? Can we automate SOC activities with some extra help from a Chatbot? TensorFlow is one of the well-known free and open-source libraries available for machine learning and deep neural networks, and it was the first thing to investigate.

OK, now I forgot to mention one substantial fact: our SIEM solution (Enterprise Threat Detection, or SAP ETD) comes from SAP SE, which means this SIEM solution runs on SAP HANA as a platform. How can I integrate TensorFlow into the HANA platform? Quick research confirmed that it was possible:

Tensorflow Machine Learning Model Integration with SAP HANA

Nowadays we can integrate TensorFlow even with the ABAP environment:

How To Use TensorFlow Seamlessly Inside ABAP

OK, Google, that goes far beyond my humble research... So I decided to focus on end-to-end solutions. Let's try to make use of SAP Conversational AI (CAI). Luckily, there is a trial service available, and hopefully no programming skills are necessary.

Now that I am logged onto a trial version of CAI, let's create a "performing actions" Chatbot named "SEC", which would (at least) be able to participate in some basic discussions, such as greetings, small talk and weather:

Steps 1-2

Step 3

This newly born bot is already able to do some basic activities, but let's add some extra security-relevant capabilities (intents) to it:
- Initiator – collect information about attacker's terminal id
- Username – collect information about attacker's username
- System – collect information about attacker's system
- Inform – inform SAP Basis Team about possible attacker in their system
- Alert – collect information about triggered alert
Intents

Now we group these new "intents" into new "skills" so that our bot would be able to "register alerts" and "talk to basis":

New "skills"

The last thing I want to do is, of course, bot training:

Training is in progress

When training is finished I can test the bot:

New chatbot

When the bot says "We have blocked this terminal..." that's no joke, because one of the "talk to basis" skills was calling external APIs:

Bot reacts on true-positives

What do you think of a Chatbot helping the SOC Team register alerts and react to threats? Tell me in the comments.
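As an added illustration (not part of the original post and not SAP Conversational AI code), here is a stdlib-only Python sketch of the same dialogue structure: intents for alert, initiator, username, system and inform; slot filling from free text; and a "talk to basis" skill that calls its external API only after a human replies "confirm". The keyword lists, the regexes, the FakeBasisApi class with its block_terminal method, the sample chat lines and the ticket ids are all constructed stand-ins, not anything from SAP ETD or CAI.

```python
"""Illustrative intent/slot router for a SOC chatbot (added example, stdlib only).

Mimics the structure of the bot in the post: intents, slot filling, and a
"talk to basis" skill that calls an external API. The Basis API is a stand-in.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Intent keywords (constructed). A real bot platform trains a classifier on examples.
INTENT_KEYWORDS = {
    "alert": ("alert", "triggered", "detection"),
    "initiator": ("terminal", "terminal id", "workstation"),
    "username": ("user", "username", "account"),
    "system": ("system", "sid", "instance"),
    "inform": ("inform", "block", "notify basis", "tell basis"),
    "confirm": ("confirm", "yes", "approve"),
}

# Slot patterns (constructed). An SAP system id (SID) is three characters.
SLOT_PATTERNS = {
    "alert_id": re.compile(r"\balert\s+#?(\d+)", re.I),
    "terminal": re.compile(r"\bterminal(?: id)?\s+([A-Za-z0-9_-]{3,})", re.I),
    "username": re.compile(r"\b(?:user(?:name)?|account)(?:\s+is|:)?\s+([A-Za-z0-9_.-]{2,})", re.I),
    "system": re.compile(r"\b(?:system|sid)\s+([A-Z][A-Z0-9]{2})\b", re.I),
}


def classify(message: str) -> str:
    """Return the intent whose keywords occur most often as whole words, or 'unknown'."""
    text = message.lower()
    scores = {
        intent: sum(1 for kw in kws if re.search(r"\b" + re.escape(kw) + r"\b", text))
        for intent, kws in INTENT_KEYWORDS.items()
    }
    best = max(scores, key=scores.get)
    return best if scores[best] > 0 else "unknown"


def extract_slots(message: str) -> dict:
    """Pull alert id, terminal, username and system out of free text."""
    return {name: m.group(1) for name, pat in SLOT_PATTERNS.items()
            if (m := pat.search(message))}


@dataclass
class Incident:
    alert_id: Optional[str] = None
    terminal: Optional[str] = None
    username: Optional[str] = None
    system: Optional[str] = None
    actions: list = field(default_factory=list)  # audit trail of what the bot did

    def missing(self) -> list:
        return [f for f in ("alert_id", "terminal", "username", "system")
                if getattr(self, f) is None]


class FakeBasisApi:
    """Stand-in for the external API the 'talk to basis' skill calls (hypothetical)."""
    def __init__(self):
        self.calls = []

    def block_terminal(self, system, terminal, username, alert_id):
        self.calls.append({"system": system, "terminal": terminal,
                           "username": username, "alert_id": alert_id})
        return f"BASIS-{len(self.calls):04d}"  # constructed ticket id


class SecBot:
    """Dialogue state: fill slots, then run the skill only after an explicit 'confirm'."""

    def __init__(self, basis_api):
        self.basis = basis_api
        self.incident = Incident()
        self.pending = None  # staged action waiting for a human 'confirm'

    def handle(self, message: str) -> str:
        intent = classify(message)
        for name, value in extract_slots(message).items():
            setattr(self.incident, name, value)  # any message may fill slots

        if intent == "confirm":
            if self.pending is None:
                return "Nothing is pending confirmation."
            ticket = self.basis.block_terminal(**self.pending)
            self.incident.actions.append(f"block_terminal -> {ticket}")
            self.pending = None
            return (f"We have blocked this terminal ({self.incident.terminal}) "
                    f"in {self.incident.system}; Basis ticket {ticket}.")

        if intent == "inform":
            missing = self.incident.missing()
            if missing:
                return "Before I talk to Basis I still need: " + ", ".join(missing) + "."
            i = self.incident
            self.pending = {"system": i.system, "terminal": i.terminal,
                            "username": i.username, "alert_id": i.alert_id}
            return (f"Block terminal {i.terminal} (user {i.username}) in {i.system} "
                    f"for alert {i.alert_id}? Reply 'confirm'.")

        if intent == "unknown":
            return "Sorry, I did not understand that."
        return f"Noted ({intent}). Still missing: {', '.join(self.incident.missing()) or 'nothing'}."


def demo():
    """Walk through a constructed conversation; returns (bot, api, replies)."""
    api = FakeBasisApi()
    bot = SecBot(api)
    replies = [bot.handle(m) for m in [
        "Alert 4711 triggered in system PRD",
        "Please inform Basis",  # too early: slots still missing
        "The initiator terminal id WS-042",
        "username: jdoe",
        "Please inform Basis and block this terminal",
        "confirm",
    ]]
    return bot, api, replies


if __name__ == "__main__":
    for reply in demo()[2]:
        print(reply)
```

The design point is the staged action: the bot collects the alert context (alert id, terminal, user, system), refuses to talk to Basis until every slot is filled, proposes the block, and only fires the external call once a responder confirms; every call lands in the incident's audit trail, so the SOC can later see what the bot did and on whose say-so.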
===========
Source:
habr.com
===========
Search tags: #_informatsionnaja_bezopasnost (Information Security), #_mashinnoe_obuchenie (Machine Learning), #_ai, #_machine_learning, #_chatbot, #_security, #_siem, #_cybersecurity