Gen AI assistant
The gen AI capability allows you to offload and optimize human-generated tasks that are involved in cybersecurity management and workflows with a set of pre-trained, AI-powered skills. You can interact in natural language by using a dialog interface to get quick insights or responses.
Before you begin
Currently, the Ask watsonx requestable feature is free of charge. However, a 90-day notice is given after this feature or parts of this feature are positioned as a chargeable feature.
- You must have administrative permission to complete this task.
- Log in to the IBM Verify administration console as an Administrator. For more information, see Accessing IBM Verify.
The Ask watsonx icon is displayed in the upper-right bar on the Admin home page.
Access policy generation
Using a set of pre-defined questions, the Ask watsonx chatbot allows the admin user to generate a new access policy.
- Log in as an administrator on Verify. Navigate to the profile icon and click Switch to admin.
- Select .
- Navigate to the upper-right bar and click the Ask watsonx icon to open the chatbot.
- The chatbot displays a pre-defined prompt and selectable options; based on your selection, the process continues to generate the access policy. The following table demonstrates the sample prompts and responses received to generate a Federated sign-on policy:
Table 1. Access policy questionnaire. The table demonstrates the sample prompts and responses received to generate a Federated sign-on policy.

watsonx prompt: Hi Scott! To generate a new access policy, select the quick action or type instructions in the prompt box. (Quick action: Generate an access policy)
Sample instructions and response: Selecting Generate an access policy initiates the process to create a new policy. The chatbot displays the following response: Generate an access policy.

watsonx prompt: Sure! First, please give this policy a name.
Sample instructions and response: The user enters an appropriate name for the new policy, for example, Manage access.

watsonx prompt: Now choose the policy type.
- Federated sign-on policy
- Native custom app policy
Sample instructions and response: The user selects the type of policy to create, for example, Federated sign-on policy.

watsonx prompt: Please provide the instructions for this policy ensuring you define post authentication SSO rules.
Sample instructions and response: The user enters the post authentication SSO rules, for example, MFA always for users in admin group with Fido2, users in developer group require Fido2 and email otp, block otherwise.

Upon successful creation of the policy, the chatbot displays the following message: Done! Your access policy has been successfully created. View policy.
Clicking View policy redirects the user to the policy details page.

If the user selects Native custom app policy, the following prompts are displayed instead:

watsonx prompt: Choose the enforcement type for this policy.
- Federated sign-on policy
- Native custom app policy
Sample instructions and response: The user selects the type of policy to create, for example, Native custom app policy.

watsonx prompt: Do you require first contact rules?
- Yes
- No
Sample instructions and response: If the user enters Yes, the following suggested prompts are displayed. Note: If the user enters No, they are directly prompted to provide instructions for SSO rules.

watsonx prompt: Please provide the instructions for these rules.
Sample instructions and response: The user enters the required first contact instructions, for example, if access originates from IP address outside office network (10.0.0.0/8), then use Fido2.

watsonx prompt: Do you require SSO rules?
- Yes
- No
Sample instructions and response: For example, the user enters Yes. Note: If the user enters No, the chatbot directly creates the policy and displays the success message.

watsonx prompt: Please provide the instructions for these rules.
Sample instructions and response: The user enters the required SSO instructions, for example, MFA always for users in admin group with Fido2, users in developer group require Fido2 and email otp, block otherwise.

Upon successful creation of the policy, the chatbot displays the following message: Done! Your access policy has been successfully created. View policy.
Clicking View policy redirects the user to the policy details page.

Note: The sequence of prompts generated by Ask watsonx varies and depends on the policy type selection.
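The two natural-language instructions used in the examples above (a first contact rule keyed on the office network and an SSO rule keyed on group membership) describe a small decision table. The following Python is an added illustration, not IBM Verify code and not the logic the chatbot generates internally: it encodes those two example rules so that an administrator can check, case by case, which factors a request would be required to satisfy before enabling the generated policy. The request fields, group names, the rule ordering (admin membership checked before developer membership, first contact factors applied before SSO factors) and the sample IP addresses are all assumptions made for this example.

```python
"""Hypothetical evaluator for the example access-policy instructions above.
Added example, not IBM Verify code. Request shape, group names and the
ordering of rules are assumptions; IP addresses are constructed samples."""
import ipaddress
from dataclasses import dataclass

# From the page's example first contact rule: "outside office network (10.0.0.0/8)"
OFFICE_NETWORK = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    source_ip: str


def first_contact_rule(req: Request) -> list:
    """'if access originates from IP address outside office network
    (10.0.0.0/8), then use Fido2': an extra factor before the SSO rules."""
    if ipaddress.ip_address(req.source_ip) not in OFFICE_NETWORK:
        return ["fido2"]
    return []


def sso_rule(req: Request) -> tuple:
    """'MFA always for users in admin group with Fido2, users in developer
    group require Fido2 and email otp, block otherwise'.
    Returns (decision, factors). Admin membership is checked first, so a user
    in both groups gets the admin rule (an ordering assumption; the page does
    not say how overlapping groups resolve)."""
    if "admin" in req.groups:
        return ("allow", ["fido2"])
    if "developer" in req.groups:
        return ("allow", ["fido2", "email_otp"])
    return ("block", [])


def evaluate(req: Request) -> dict:
    """Combine the rules in the order the Native custom app flow asks for
    them: first contact rules, then SSO rules. A block wins outright;
    otherwise the required factors are merged without duplicates."""
    decision, sso_factors = sso_rule(req)
    if decision == "block":
        return {"decision": "block", "factors": []}
    required = []
    for factor in first_contact_rule(req) + sso_factors:
        if factor not in required:
            required.append(factor)
    return {"decision": "allow", "factors": required}


if __name__ == "__main__":
    # Constructed sample requests: on-network admin, off-network developer,
    # and a user in neither group.
    for req in (Request("alice", frozenset({"admin"}), "10.1.2.3"),
                Request("bob", frozenset({"developer"}), "203.0.113.9"),
                Request("carol", frozenset({"sales"}), "10.0.0.5")):
        print(req.user, evaluate(req))
```

Running the block prints one decision per sample request; the off-network developer needs Fido2 once (the first contact and SSO rules both ask for it) plus email OTP, while a user in neither group is blocked regardless of network.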
See Managing access policies for further details.
Threat detection reports
The AI feature provides a natural language interface for asking questions about potential risks in the context of a threat, users, applications, IP addresses, and vulnerabilities in systems. The admin can then take mitigation action on risky users and threats from Verify.
- Log in as an administrator on Verify. Navigate to the profile icon and click Switch to admin.
- Select .
- Select the View Report on the Threat Detection activity tile.
- In the Threat detection report page that opens, navigate to the upper-right bar and click the Ask watsonx icon to open the chatbot.
- The chatbot displays a set of pre-defined questions. The following are a few examples that demonstrate the prompts and expected responses:
Table 2. Threat detection report questionnaire

watsonx prompt: Summarize recent threat events
Sample response: A total of 17 threat events are identified from 2024-09-23 00:00:00 to 2024-09-30 23:59:59. Given the substantial volume of data, answers from the 10 most recent threat events are provided:
- Multiple use of compromised credentials and abnormal number of device enrollments were observed on September 30th and October 1st, 2024, around 1 PM IST.
- On both days, a total of 12447 and 12112 anomalous events, respectively, were recorded beyond normal traffic volume.
- The majority of these events were caused by failed login attempts due to locked passwords or invalid credentials.
- On September 30th, there was also a potential credential stuffing attack observed in the oidc source type.
- On September 23rd, around 3:30 PM IST, there was an abnormal number of device enrollments and multiple use of compromised credentials.
- The IP address 129.41.59.7 was involved in most of these events.
- No known malicious IPs were found in connection with these incidents.
In summary, there have been several anomalous events related to compromised credentials and device enrollments in the given time frame. It is essential to monitor such activities and take necessary precautions to prevent any potential security breaches.

watsonx prompt: What is this threat about?
Sample response: The threat is about multiple uses of compromised credentials, an abnormal number of device enrollments, and potential credential stuffing attacks. The issues have been observed in the clouddirectorydata source, specifically in user passwords and user authentication events. The most significant geographic location of these events is India. The threats have been identified between September 23 and September 30, 2024. The total number of unique compromised users is 1, with Sakamoto being one of them. No known malicious IPs were found in connection with these threats.

watsonx prompt: What all are cause of failures?
Sample response: The system failed to authenticate several users due to INVALID_CREDS.

watsonx prompt: Are there any compromised users?
Sample response: Sure, the compromised user is Sakamoto with IP 129.41.59.7.

watsonx prompt: Which applications are affected?
Sample response: The SSO Custom Application is affected.

watsonx prompt: Which are suspicious IP addresses?
Sample response: The suspicious IP address with critical severity is 129.41.59.7.

watsonx prompt: Are there any IP addresses with malicious history?
Sample response: The IP address 129.41.59.7 is flagged as suspicious in the report. However, it does not necessarily indicate that the IP is malicious. The report only confirms that this IP is identified as potentially suspicious.

watsonx prompt: Suspicious traffic is coming from which locations?
Sample response: The suspicious traffic is originating from India.

watsonx prompt: Which compromised users performed management activity?
Sample response: Sakamoto, with IP 129.41.59.7, performed management activities.
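The answers in the table above are derived from authentication events: counts per day, the failure reason (INVALID_CREDS), the IP behind most events, the credential stuffing pattern, and which user is considered compromised. The following Python is an added example, not IBM Verify code and not the model behind the chatbot: it runs the same kind of summarization over a handful of constructed authentication events, so an analyst can cross-check a chatbot summary against raw data. The event tuple layout, the result codes other than INVALID_CREDS, the credential stuffing threshold (one source IP failing against four or more distinct users) and the "compromised user" heuristic (a success from an IP already flagged for stuffing) are all assumptions made for this example; 203.0.113.0/24 is a documentation address range, and the usernames are invented.

```python
"""Added example (not IBM Verify code): a minimal summarizer over constructed
authentication events that produces the kind of facts the threat detection
chatbot reports. Event layout, thresholds and heuristics are assumptions."""
from collections import Counter, defaultdict

# Constructed sample events: (timestamp, user, source_ip, result)
EVENTS = [
    ("2024-09-30T13:01:00", "sakamoto", "203.0.113.7", "INVALID_CREDS"),
    ("2024-09-30T13:01:05", "alice", "203.0.113.7", "INVALID_CREDS"),
    ("2024-09-30T13:01:09", "bob", "203.0.113.7", "INVALID_CREDS"),
    ("2024-09-30T13:01:14", "carol", "203.0.113.7", "ACCOUNT_LOCKED"),
    ("2024-09-30T13:02:00", "dave", "203.0.113.7", "INVALID_CREDS"),
    ("2024-09-30T13:05:00", "sakamoto", "203.0.113.7", "SUCCESS"),
    ("2024-09-30T14:00:00", "erin", "10.0.0.12", "SUCCESS"),
    ("2024-10-01T13:10:00", "erin", "10.0.0.12", "INVALID_CREDS"),
    ("2024-10-01T13:11:00", "erin", "10.0.0.12", "SUCCESS"),
]

# Assumed threshold: one IP failing against this many distinct users looks
# like credential stuffing rather than a single user mistyping a password.
STUFFING_MIN_USERS = 4


def events_per_day(events):
    """Count events by calendar day (timestamp prefix YYYY-MM-DD)."""
    return dict(Counter(ts[:10] for ts, *_ in events))


def failure_reasons(events):
    """Count non-success results, e.g. INVALID_CREDS as in the report."""
    return dict(Counter(result for *_, result in events if result != "SUCCESS"))


def top_source_ip(events):
    """The IP involved in most events, as the summary reports it."""
    return Counter(ip for _, _, ip, _ in events).most_common(1)[0][0]


def credential_stuffing_sources(events, min_users=STUFFING_MIN_USERS):
    """IPs whose failed logins span many distinct usernames."""
    failed_users = defaultdict(set)
    for _, user, ip, result in events:
        if result != "SUCCESS":
            failed_users[ip].add(user)
    return sorted(ip for ip, users in failed_users.items() if len(users) >= min_users)


def compromised_users(events):
    """Users with a successful login from an IP flagged for stuffing: the
    'compromised user with IP ...' answer in the table above."""
    flagged = set(credential_stuffing_sources(events))
    return sorted({user for _, user, ip, result in events
                   if result == "SUCCESS" and ip in flagged})


def summarize(events):
    """Assemble the facts a report summary would state."""
    return {
        "events_per_day": events_per_day(events),
        "failure_reasons": failure_reasons(events),
        "top_source_ip": top_source_ip(events),
        "credential_stuffing_sources": credential_stuffing_sources(events),
        "compromised_users": compromised_users(events),
    }


if __name__ == "__main__":
    for key, value in summarize(EVENTS).items():
        print(f"{key}: {value}")
```

On the constructed events the flagged source is the one that failed against five different usernames inside a minute, and the only user marked compromised is the one who subsequently authenticated from that same IP; a single user's own failed retry from an office address is not flagged, which is the distinction the threshold exists to make.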
See Generating a threat detection report for further details.