Use a chatbot built on Amazon Security Lake and Amazon Bedrock to assist with incident investigation. This post shows how to set up a security chatbot that uses an Amazon Bedrock agent to integrate your existing incident response playbooks into a serverless backend and a graphical user interface (GUI) for investigating or responding to a security incident. Taking natural language input from the user, the chatbot presents purpose-built Amazon Bedrock agents that help address security issues. The solution provides a single GUI that interacts directly with the Amazon Bedrock agent, which either generates and runs SQL queries against Security Lake or suggests internal incident response playbooks for investigating or responding to potential security incidents.
Security chatbot sample solution overview

As shown in Figure 1, the application flow is as follows:
- The user submits a query through the React UI.
- Note: Authentication is not integrated into the React UI used in this solution. You should add authentication that meets your organization's security requirements; AWS Amplify UI and Amazon Cognito can be used for this.
- An Amazon API Gateway REST API receives the user's query and invokes the Invoke Agent AWS Lambda function.
- The Lambda function invokes the Amazon Bedrock agent with the user's query.
- After processing the query, the Amazon Bedrock agent (using Anthropic's Claude 3 Sonnet) decides whether to query Security Lake through Amazon Athena or to retrieve information from the playbooks knowledge base.
For queries about the playbook knowledge base:
- The Amazon Bedrock agent queries the playbooks knowledge base and returns the relevant results.
For queries about Security Lake data:
- The Amazon Bedrock agent retrieves the Security Lake table schemas from the schema knowledge base and uses them to generate a SQL query.
- The Amazon Bedrock agent calls the SQL query action in the Amazon Bedrock action group, passing the SQL query as a parameter.
- The action group invokes the Execute SQL on Athena Lambda function, which runs the query on Athena and returns the results to the Amazon Bedrock agent.
After the results are retrieved from the action group or knowledge base:
- The Amazon Bedrock agent composes the final answer from the information gathered and returns it to the Invoke Agent Lambda function.
- The Lambda function sends the response to the client through an API Gateway WebSocket API.
- API Gateway delivers the response to the React UI over the WebSocket connection.
- The user sees the agent's response in the chat interface.
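The action-group step in the flow above (the agent writes SQL, a Lambda function runs it on Athena) is where natural-language input turns into a query against your security data, so it needs a guard on the model's output. The following is an added example, not code from the sample solution: a Python handler for the Execute SQL on Athena Lambda function that accepts only a single read-only SELECT against the Security Lake database, caps the rows handed back to the agent, runs the query through boto3, and returns the result in the action-group response format. The event and response shapes, the /query API path, the `sql` parameter name, and the database and workgroup names are assumptions; the FakeAthena client and the sample event are constructed so the example runs offline.

```python
"""Action-group Lambda for the "Execute SQL on Athena" step (added example, not the
sample solution's code). Assumed, not from the post: the action group is defined with
an OpenAPI schema exposing POST /query with one string parameter `sql`; the database
and workgroup names below are placeholders. The Athena client is injected so the SQL
guard can be exercised offline with the FakeAthena stand-in at the bottom."""
import json
import re
import time

ALLOWED_DB = "amazon_security_lake_glue_db_us_east_1"  # assumed; read from env in Lambda
WORKGROUP = "security-chatbot"                          # assumed workgroup name
MAX_ROWS = 200  # bound what is handed back to the model

_FORBIDDEN = re.compile(r"\b(insert|update|delete|drop|alter|create|grant|revoke|truncate"
                        r"|merge|unload|msck|vacuum|optimize)\b", re.I)
_TABLE_REF = re.compile(r"\b(?:from|join)\s+([`\"]?\w+[`\"]?(?:\.[`\"]?\w+[`\"]?)*)", re.I)


def validate_sql(sql: str, allowed_db: str = ALLOWED_DB) -> str:
    """Accept one read-only SELECT/WITH statement whose table references are qualified
    with the Security Lake database or name a CTE defined in the statement; raise
    ValueError otherwise, so a prompt-injected request cannot reach DDL/DML or other data."""
    s = sql.strip().rstrip(";").strip()
    if ";" in s or "--" in s or "/*" in s:
        raise ValueError("multiple statements and comments are not allowed")
    if not re.match(r"^(select|with)\b", s, re.I):
        raise ValueError("only SELECT queries are allowed")
    if _FORBIDDEN.search(s):
        raise ValueError("statement contains a forbidden keyword")
    ctes = {m.lower() for m in re.findall(r"\b(\w+)\s+as\s*\(", s, re.I)}
    for ref in _TABLE_REF.findall(s):
        parts = [p.strip('`"') for p in ref.split(".")]
        if len(parts) == 1 and parts[0].lower() in ctes:
            continue
        if len(parts) != 2 or parts[0].lower() != allowed_db.lower():
            raise ValueError(f"table {ref} is outside {allowed_db}")
    if not re.search(r"\blimit\s+\d+\s*$", s, re.I):
        s = f"{s} LIMIT {MAX_ROWS}"  # cap the result set handed to the model
    return s


def run_query(athena, sql: str, poll_seconds: float = 1.0, timeout_seconds: float = 60.0) -> list:
    """Run a validated statement on Athena and return the rows as dicts."""
    qid = athena.start_query_execution(QueryString=sql, WorkGroup=WORKGROUP,
                                       QueryExecutionContext={"Database": ALLOWED_DB})["QueryExecutionId"]
    deadline = time.monotonic() + timeout_seconds
    while True:
        status = athena.get_query_execution(QueryExecutionId=qid)["QueryExecution"]["Status"]
        if status["State"] in ("SUCCEEDED", "FAILED", "CANCELLED"):
            break
        if time.monotonic() > deadline:
            athena.stop_query_execution(QueryExecutionId=qid)
            raise TimeoutError("Athena query timed out")
        time.sleep(poll_seconds)
    if status["State"] != "SUCCEEDED":
        raise RuntimeError(status.get("StateChangeReason", "Athena query failed"))
    rows = athena.get_query_results(QueryExecutionId=qid, MaxResults=MAX_ROWS + 1)["ResultSet"]["Rows"]
    header = [c.get("VarCharValue") for c in rows[0]["Data"]]  # Athena's first row is the header
    return [dict(zip(header, [c.get("VarCharValue") for c in r["Data"]])) for r in rows[1:]]


def handler(event, context=None, athena=None):
    """Lambda entry point: parse the event, guard the SQL, run it, answer in the (assumed) agent shape."""
    if athena is None:
        import boto3  # only needed inside Lambda; keeps the module importable offline
        athena = boto3.client("athena")
    props = event.get("requestBody", {}).get("content", {}).get("application/json", {}).get("properties", [])
    params = {p["name"]: p["value"] for p in event.get("parameters", []) + props}
    try:
        safe_sql = validate_sql(params.get("sql", ""))
        body, status = {"sql": safe_sql, "rows": run_query(athena, safe_sql)}, 200
    except (ValueError, RuntimeError, TimeoutError) as exc:
        body, status = {"error": str(exc)}, 400  # the agent sees the reason and can rephrase
    return {"messageVersion": "1.0", "response": {
        "actionGroup": event.get("actionGroup"), "apiPath": event.get("apiPath"),
        "httpMethod": event.get("httpMethod"), "httpStatusCode": status,
        "responseBody": {"application/json": {"body": json.dumps(body)}}}}


class FakeAthena:
    """Offline stand-in for the boto3 Athena client (constructed for this example)."""
    def start_query_execution(self, **kw): return {"QueryExecutionId": "q-1"}
    def get_query_execution(self, **kw): return {"QueryExecution": {"Status": {"State": "SUCCEEDED"}}}
    def stop_query_execution(self, **kw): return None
    def get_query_results(self, **kw):
        return {"ResultSet": {"Rows": [
            {"Data": [{"VarCharValue": "api_operation"}, {"VarCharValue": "user_name"}]},
            {"Data": [{"VarCharValue": "ConsoleLogin"}, {"VarCharValue": "alice"}]}]}}

# Constructed sample invocation (event shape assumed, not taken from the post).
SAMPLE_EVENT = {
    "messageVersion": "1.0", "actionGroup": "athena-sql", "apiPath": "/query", "httpMethod": "POST",
    "requestBody": {"content": {"application/json": {"properties": [
        {"name": "sql", "type": "string", "value": "SELECT api.operation, actor.user.name FROM "
         f"{ALLOWED_DB}.cloud_trail_mgmt WHERE api.operation = 'ConsoleLogin'"}]}}},
}

if __name__ == "__main__":
    print(json.dumps(handler(SAMPLE_EVENT, athena=FakeAthena()), indent=2))
```

Run the file directly to see the response for the constructed event. The guard is deliberately conservative (it rejects comments and any DDL/DML keyword, even inside a string literal) and should back, not replace, controls enforced outside the model: a Lambda execution role limited to athena:StartQueryExecution, athena:GetQueryExecution, athena:GetQueryResults and athena:StopQueryExecution on the one workgroup, plus the Glue catalog, results-bucket and Lake Formation SELECT grants for the Security Lake tables only, and an Athena workgroup with a per-query data-scanned limit, which also bounds the Athena cost discussed later in the post.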
Requirements
Before deploying the sample solution, complete the following prerequisites:
- Enable Security Lake for your organization in AWS Organizations and designate a delegated administrator account to manage the Security Lake configuration for each member account. Configure Security Lake with the relevant log sources: Amazon Route 53, AWS Security Hub, AWS CloudTrail, and Amazon Virtual Private Cloud (Amazon VPC) Flow Logs.
- Set up subscriber query access between the subscriber AWS account and the Security Lake source AWS account.
- Accept the resource share request in AWS Resource Access Manager (AWS RAM) in the subscriber AWS account.
- Grant access to the Athena tables in the Security Lake AWS account and create a resource link in AWS Lake Formation in the subscriber AWS account.
- In the subscriber AWS account where you will deploy the solution, enable access to Anthropic's Claude 3 model in Amazon Bedrock. Invoking a model before it has been enabled in your AWS account returns an error.
After the prerequisites are met, the sample solution architecture deploys the following resources:
- An Amazon CloudFront distribution with Amazon Simple Storage Service (Amazon S3) as its origin.
- A static website hosted on Amazon S3 for the chatbot user interface.
- An API Gateway API that invokes a Lambda function.
- A Lambda function that invokes an Amazon Bedrock agent.
- An Amazon Bedrock agent with attached knowledge bases.
- An action group that lets the Amazon Bedrock agent generate and run SQL queries on Athena.
- An Amazon Bedrock knowledge base holding sample Athena table schemas for Security Lake. Although the agent can retrieve schema information directly from the Athena tables, supplying sample table schemas improves the accuracy of the generated SQL for Security Lake table fields.
- An Amazon Bedrock knowledge base holding your existing incident response playbooks. The agent uses this knowledge base to recommend investigation or response actions based on playbooks your organization has already approved.
Cost
Before deploying the sample solution and following this post, understand the cost of the AWS services it uses. The cost depends on the amount of data you process in Amazon Bedrock and the amount of Security Lake data you scan with Athena.
- Security Lake pricing is based on the volume of log and event data ingested from AWS services. Other AWS services that Security Lake orchestrates on your behalf are billed separately; see the pricing pages for Amazon S3, AWS Glue, Amazon EventBridge, AWS Lambda, Amazon Simple Queue Service (Amazon SQS), and Amazon Simple Notification Service (Amazon SNS).
- Amazon Bedrock on-demand pricing is based on the number of input and output tokens and on the large language model (LLM) you choose. A token, typically a few characters long, is the basic unit of text a model uses to process user input and prompts. See Amazon Bedrock pricing for details.
- The SQL queries that Amazon Bedrock generates run on Athena. Athena charges by the amount of Security Lake data each query scans. See Athena pricing for details.
Clean up
If you launched the security chatbot sample solution from the console with the Launch Stack button and the CloudFormation template security_genai_chatbot_cfn, clean up as follows:
- In the CloudFormation console, in the account and Region where you deployed the solution, select the Security GenAI Chatbot stack.
- Choose Delete to delete the stack.
If you deployed the solution with the AWS CDK, run cdk destroy --all.
Conclusion
The sample solution shows how task-oriented Amazon Bedrock agents driven by natural language input can speed up investigation and analysis and improve your overall security posture. It is a prototype that pairs a user interface with an Amazon Bedrock agent. You can extend it with additional task-oriented agents, each with its own models, knowledge bases, and instructions, and in this way help your security team work more effectively across multiple security domains in your AWS environment.
Security Lake, which normalises data into the Open Cybersecurity Schema Framework (OCSF), is used by the chatbot’s backend to look i