Posts

Implementing Slack and Putting it all together [SOC Automation with AI Implementation]

Goal: To fully integrate ChatGPT using n8n and piece everything together.

Workflow Setup: First, it's important to disable the Splunk alert for now because we are done with the current test. Then, on the n8n server, going back to the canvas, we can pin the output so that we don't need to keep triggering the workflow. Before continuing, I created an API Platform account on openai.com. I clicked on "start building" to set it up, naming my organization "Caser" and the API key name "Caser-SOC-Project", and then generated an API key. Once I had copied this, it was time to go back and start setting up the workflow. This is where I encountered my first major issue. I went on vacation, and during that time I wasn't able to work on the project. This led to my session being timed out, and when I logged back in I was no longer able to pin the webhook trigger event. I spent some time looking to see if there was a way to simply revert it or to see if there was a...

Creating A Splunk Alert [SOC Automation with AI Implementation]

Goal: To create a Splunk alert that the n8n webhook can catch.

Alert Setup: I will be setting up an alert to catch failed login attempts on my Windows VM. This will help catch any brute force attempts. To do this I need to make a rule that detects events with an ID of 4625. One way to artificially create alerts for the sake of testing is by using RDP and purposely failing to connect. To do this I had to make sure the RDP port (3389) was open for my host machine to attempt to connect. Attempting to connect using this rule was not working. I was using RDP to attempt to connect using "localhost:3389", but I believe this was making the computer try to RDP to itself. To fix this I am changing the rule so the host port is now "3390". After changing the host port, RDP started working correctly (localhost:3390) and I was now able to continue with triggering the events. After creating the events, I navigated back to the web UI for Splunk and made sure I installed "Splun...
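As an added example (not from the original post or its author), here is what a 4625 brute-force alert that hands off to an n8n webhook looks like when written directly into Splunk's savedsearches.conf rather than clicked through the Splunk web UI. The index name `main`, the sourcetype `WinEventLog:Security` and its `Source_Network_Address` / `Account_Name` field names (as produced by the Splunk Add-on for Windows), the threshold of five failures per source in ten minutes, and the n8n webhook URL are all assumptions for illustration; substitute your own values.

```ini
# Added example, not from the original post: a savedsearches.conf stanza
# ($SPLUNK_HOME/etc/apps/<app>/local/savedsearches.conf) that alerts on
# Windows Event ID 4625 (failed logon) and POSTs matches to an n8n webhook.
# Assumptions: index "main", sourcetype "WinEventLog:Security", field names
# from the Splunk Add-on for Windows, 5 failures per source in 10 minutes,
# and a hypothetical n8n webhook URL.
[Failed Logon Brute Force - EventCode 4625]
search = index=main sourcetype="WinEventLog:Security" EventCode=4625 \
| stats count AS failures values(Account_Name) AS accounts BY Source_Network_Address, host \
| where failures >= 5

# Look back 10 minutes, run every 5 minutes; the overlapping window means a
# slow attacker straddling two runs is still counted in one of them.
dispatch.earliest_time = -10m@m
dispatch.latest_time = now
cron_schedule = */5 * * * *
enableSched = 1

# The search already applies the threshold in "where", so fire on any
# returned row: one row per source address that crossed 5 failures.
counttype = number of events
relation = greater than
quantity = 0

# Built-in Splunk webhook alert action: POSTs the result rows as JSON to n8n.
action.webhook = 1
action.webhook.param.url = https://n8n.example.internal/webhook/splunk-4625

# Record the alert in Triggered Alerts and mark it high severity (4).
alert.track = 1
alert.severity = 4

# Throttle so the same source does not re-fire every 5 minutes while n8n is
# still working the first alert.
alert.suppress = 1
alert.suppress.fields = Source_Network_Address
alert.suppress.period = 30m

# Flip to 1 to pause the alert between tests, as the post does from the UI.
disabled = 0
```

Two practical checks before trusting this: generate a handful of failed RDP logons as the post describes and confirm the search returns a row when run by hand over `-10m` before relying on the schedule, and keep the n8n endpoint on HTTPS, since the webhook body carries account names and source addresses in clear text. Recent Splunk Enterprise releases also refuse webhook URLs that are not on the webhook allowlist in alert_actions.conf, so if the alert triggers but n8n never receives a POST, check that setting and the Splunk internal log before debugging the n8n side.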