Role of generative AI in Concert

IBM® Concert combines traditional analytics and generative AI, powered by IBM watsonx.ai, to deliver comprehensive insights to your applications and environments.

Concert incorporates the "ask-wx" service framework to enable the connection with watsonx.ai. Based on specific user interactions, the framework is used to provide enriched contextual data to inform prompt engineering interactions with the Concert chat. For example, watsonx.ai uses contextual data to validate user-provided evidence that an environment is compliant with an assessed control.

The application topology payload is shared as part of the invocation of the watsonx.ai API prompt to help focus the model's responses during that session. For example, if you use watsonx.ai to understand the impact of a CVE, details about your applications and environments that are associated with that vulnerability are used to inform the responses.

Note: No customer data is used to enrich or refine the global watsonx.ai model. Context that is collected is ephemeral and limited to a single session.

Working with AI to mitigate vulnerabilities

A vulnerability scan file contains the results of a vulnerability scanning process, including details about the scanned system, the discovered vulnerabilities, their exploitability and the severity of their impact, and recommendations for remediation. The amount of text in these files makes them a good candidate for summarization by AI models and for producing language- and runtime-specific remediation guidance.

As Concert ingests vulnerability data from a scan output, it applies a series of preprocessors and algorithms to correlate vulnerability findings across application components, pinpoint the root cause, and determine the blast radius, such as exposed API endpoints. Concert queries IBM X-Force Red data to understand the exploitability of a vulnerability and uses that information to refine the severity level and prioritization of the CVE.
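To make the correlation steps above concrete, the following is an added illustration (not Concert's own code or algorithms) of the same idea on constructed data: findings from a scan are grouped per CVE, the root-cause component is the one that does not inherit the CVE from a dependency, the blast radius is the set of exposed endpoints reachable through dependents, and an exploitability feed adjusts the CVSS-derived severity. The topology, findings, CVE placeholders, and the severity adjustment rule are all assumptions made for the example.

```python
# Constructed inputs (placeholder CVE ids; not real Concert output): topology, scan findings, exploitability feed.
TOPOLOGY = {
    "checkout-api": {"depends_on": ["payment-lib"], "endpoints": ["/api/checkout"]},
    "payment-lib": {"depends_on": [], "endpoints": []},
    "batch-report": {"depends_on": ["payment-lib"], "endpoints": []},
}
FINDINGS = [
    {"component": "checkout-api", "cve": "CVE-0000-0001", "cvss": 7.5},
    {"component": "payment-lib", "cve": "CVE-0000-0001", "cvss": 7.5},
    {"component": "batch-report", "cve": "CVE-0000-0002", "cvss": 9.1},
]
EXPLOITABILITY = {"CVE-0000-0001": "exploited_in_wild", "CVE-0000-0002": "no_known_exploit"}
LEVELS = ["low", "medium", "high", "critical"]

def blast_radius(component, topology):
    """Exposed endpoints on the component and on everything that transitively depends on it."""
    seen, stack = set(), [component]
    while stack:
        cur = stack.pop()
        if cur not in seen:
            seen.add(cur)
            stack.extend(n for n, node in topology.items() if cur in node["depends_on"])
    return sorted(ep for c in seen for ep in topology[c]["endpoints"])

def root_causes(cve, findings, topology):
    """Affected components that do not inherit the CVE from another affected component."""
    affected = {f["component"] for f in findings if f["cve"] == cve}
    return sorted(c for c in affected if not affected & set(topology[c]["depends_on"]))

def refine_severity(cvss, exploit_status, endpoints):
    """Assumed rule: CVSS band, +1 level if exploited in the wild, -1 if unexploited and unreachable."""
    idx = 0 if cvss < 4 else 1 if cvss < 7 else 2 if cvss < 9 else 3
    if exploit_status == "exploited_in_wild":
        idx = min(idx + 1, 3)
    elif exploit_status == "no_known_exploit" and not endpoints:
        idx = max(idx - 1, 0)
    return LEVELS[idx]

def prioritize(findings, topology, exploitability):
    """Per CVE: root-cause components, reachable endpoints (blast radius), refined severity."""
    out = {}
    for cve in sorted({f["cve"] for f in findings}):
        roots = root_causes(cve, findings, topology)
        endpoints = sorted({ep for r in roots for ep in blast_radius(r, topology)})
        cvss = max(f["cvss"] for f in findings if f["cve"] == cve)
        out[cve] = {"root_causes": roots, "endpoints": endpoints,
                    "severity": refine_severity(cvss, exploitability.get(cve, "unknown"), endpoints)}
    return out
```

On this data the library-level finding is reported once, attributed to `payment-lib`, with the checkout endpoint as its blast radius and a severity raised to critical, while the unexploited finding in the unexposed batch component is lowered one level.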

Screenshot of a watsonx.ai chat interaction in which the user asked for a summary of how to address a CVE in their application environment.

You can use the watsonx.ai chat interface in the Concert UI to summarize or learn more about a CVE that affects you, using enriched prompt interactions that take into account both the context provided in the vulnerability scan and the unique landscape of your applications and environments. In this case, watsonx.ai serves as a built-in subject matter expert who can help a variety of users in your organization. For example:
  • A Site Reliability Engineer (SRE) or Security Operations Engineer can use the chat to understand vulnerabilities and remediation options in terms of patches or upgrades.
  • A Developer can use the context-aware interactions to elicit guidance on how to mitigate the vulnerability risk in the source code.

Working with AI to expedite compliance

Compliance controls are notoriously vague, leaving them open to interpretation. This makes it difficult for software engineers to understand the requirements, especially those who are not familiar with the specific regulations or standards they must meet. Concert enables you to use watsonx.ai as a compliance subject matter expert that summarizes requirements and validates evidence against the assessed controls. For example, an IT Operations Engineer or SRE can use the chat to request clarification of a specific compliance control and of the methods available to meet its requirements.

Compliance assessments include numerous procedural elements, and most require documented proof of compliance for each control. Reviewing the evidence is time-consuming and typically requires an experienced subject matter expert to validate it. Concert uses generative AI to validate text-based evidence provided by end users against the compliance controls and to determine and record whether there is sufficient proof of compliance. This functionality is triggered automatically and produces a brief, human-readable summary and a validation status. This application of watsonx.ai in Concert reduces the time-consuming effort of recording evidence and improves the efficiency and efficacy of subsequent audit procedures and compliance reviews.