Elastic Security AI Assistant — AWS Bedrock

Stijn Holzhauer
3 min read · Nov 8, 2023


With the release of 8.11, Elastic introduced support for the Amazon Web Services Bedrock service, specifically the Claude and Claude Instant models. In this post I’ll go through setting it up and asking a couple of basic questions.

Why AI Assistant?

Before setting up the Bedrock connector, I want to take a moment to address the “why” of the AI Assistant. With the rise of LLMs, and with them now accessible to anyone with an internet connection, it makes sense to use them to help SOC analysts and engineers on their way.

The skill and people shortages in cybersecurity are not going away any time soon, and using LLMs (AI) to help our juniors on their way, not to replace them, is a smart move. Integrating this into their workflows will only lower the barrier to entry.

Setting up

After enabling AWS Bedrock in an appropriate region and requesting access to the Claude foundation model, the steps are pretty straightforward:

  1. Create a user with an access key/secret key in AWS.
  2. Navigate to the Stack Management -> Connectors section in Kibana.
  3. Create a new connector (Bedrock).
  4. Insert the details.

But wait, you have to…. change the default URL. In my instance the default URL had to be changed to use the invoke (runtime) URL instead of the manage (control-plane) URL, as is documented on this AWS page.
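As an added example (not code from the original post or from Elastic), a small Python check that tells the runtime (invoke) endpoint apart from the control-plane (manage) endpoint, which is the bump described above, and builds a least-privilege IAM policy for the access key created in step 1. The hostname patterns, the `bedrock:InvokeModel` actions and the model IDs are AWS’s documented ones rather than values from this post; the region and model IDs are assumptions you should replace with your own.

```python
from urllib.parse import urlparse

# Assumed AWS hostname patterns: the control-plane API ("manage") and the
# runtime API ("invoke", which is the one the Kibana connector must call).
CONTROL_PLANE_PREFIX = "bedrock."
RUNTIME_PREFIX = "bedrock-runtime."


def classify_bedrock_url(url: str, region: str) -> str:
    """Return 'runtime', 'control-plane' or 'invalid' for a connector URL.

    Anything that is not https, not an amazonaws.com host, or not in the
    expected region is reported as invalid so a typo cannot pass silently.
    """
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https" or not host.endswith(".amazonaws.com"):
        return "invalid"
    if host == f"{RUNTIME_PREFIX}{region}.amazonaws.com":
        return "runtime"
    if host == f"{CONTROL_PLANE_PREFIX}{region}.amazonaws.com":
        return "control-plane"
    return "invalid"


def least_privilege_policy(region: str, model_ids: list[str]) -> dict:
    """IAM policy for the connector's access key: model invocation only,
    scoped to the listed foundation models, no model-access management."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["bedrock:InvokeModel",
                       "bedrock:InvokeModelWithResponseStream"],
            "Resource": [f"arn:aws:bedrock:{region}::foundation-model/{m}"
                         for m in model_ids],
        }],
    }


if __name__ == "__main__":
    # Constructed sample values; region and model IDs are assumptions.
    region = "us-east-1"
    for candidate in (f"https://bedrock.{region}.amazonaws.com",
                      f"https://bedrock-runtime.{region}.amazonaws.com"):
        print(candidate, "->", classify_bedrock_url(candidate, region))
    print(least_privilege_policy(region, ["anthropic.claude-v2",
                                          "anthropic.claude-instant-v1"]))
```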

Once you have configured the connector, you can start using the AI Assistant.

Playing around

I happened to have some old Elastic Defend alerts, which triggered on my gaming machine for launching Lord of the Rings Online (yes, I’m a fan). I was pleasantly surprised that I could even pick up one of these older alerts, select the chat option and, within the chat, select the connector at the top right and use the quick action “alert summarization” to have it summarized. That was all it took to get a quick summary of the alert.

Looking at this summary, it would help a new person in my team understand the alert and come up with follow-up questions. The most value for me in this flow is that any analyst is able to get additional insight into alerts without having to involve anyone else (seniors) from the team.

Because this is also a “conversation”, it allows you to ask follow-up questions like:

Can you suggest me some ways I could investigate this alert further to determine if this was benign or malicious activity?

Which produces a response usable to start investigations:

Conclusion

In conclusion, setting up the AI Assistant connector for AWS Bedrock is trivial, with one minor bump, and using the connector for analyst workflows is easy, intuitive and stays within their workflow, reducing the barrier to entry and easing the skill shortage and resource usage within a SOC.
But not replacing anyone…..yet.
