Alert Logic Intelligent Response™ provides Professional and Enterprise-level Managed Detection and Response customers with a flexible, scalable, and integrated approach to protecting their environments more efficiently and effectively. Some benefits of Intelligent Response include:
- Minimizing breach impact via embedded automated response capabilities
- Increased security through an automated response backstop when attacks bypass prevention tools
- Customer flexibility to adopt automation at their own pace
- Simplified and instant human approval via mobile application
Intelligent Response provides automation for three of the most common and important incident response use cases, developed in consultation with our customers - disabling a user, isolating a host, and shunning an attacker - through our Simple Responses platform, as well as a new mobile application to address those use cases with ease. For example, you can set up a simple response to automatically disable a user in an Amazon Web Services account upon detection of a successful brute force attempt. By setting up this automated response with Intelligent Response, you can minimize the compromised user's damage by eliminating the time it takes to manually disable the user.
Intelligent Response
Intelligent Response allows customers to confidently enable automation of incident response at their own pace and comfort level. In the Alert Logic console at (navigation menu) > Respond > Automated Response, you will find the following pages and capabilities:
Simple Responses
Within the Simple Responses page, you can create and maintain integrations with other technologies. Here, take advantage of detection capabilities, Alert Logic security recommendations, and your devices to respond automatically to common threats.
Simple Response Use Cases
The three core simple response use cases for Intelligent Response currently include:
| Use case | For what outcome? | Example incident | Simple Response technology |
|---|---|---|---|
| Disable user | • Stop leaked credential use • Minimize danger from compromised user | • Malware detected for user • Successful brute force | • Amazon Web Services (AWS) Identity and Access Management • Microsoft Azure Active Directory (Office 365) |
| Shun attacker | • Disrupt reconnaissance • Leverage detection in one technology to many devices | • External brute force attack • MITRE ATT&CK reconnaissance incidents | • AWS web application firewall (WAF) • Alert Logic WAF |
| Isolate host | • Contain compromised host • Stop lateral movement of ongoing attack | • Endpoint detection and response / antivirus failures • Host detected as internal attacker | • SentinelOne • Microsoft Defender for Endpoint |
For more details on these simple response types, see the Intelligent Response Simple Responses Automation Types knowledge base article.
Set Up a Simple Response
To set up incident automation through Simple Response, select the Simple Response add (+) icon. Set-up of Simple Response actions is step-by-step within the Alert Logic console. Review this general set-up overview:
- Connect to the third-party system by inputting credentials from that third party. Credentials are stored securely by Alert Logic.
- Apply exclusions for this automated response, as desired.
- Choose whether to request approval before Alert Logic runs a response. If you choose to include human approval, Alert Logic will send the request by email and through the Alert Logic mobile app.
For more details on setting up a Simple Response with a third party, see our Simple Response Configuration Guide documentation.
Simple History
Simple History logs the various actions that have been taken on your account through Simple Response and whether they were successful or not. Here, you have the option to revert, rerun, or retry any response action that has been attempted.
Exclusions
On the Exclusions page, you can exclude specific users, IP addresses, or hosts from your automated simple responses by defining them here. You can then apply the list when you create a simple response. This ensures that you, other critical security team members, and the hosts or IP addresses you rely on will not be locked out or blocked by automated simple response actions.
Approvals
The Approvals list includes any outstanding actions Alert Logic is waiting for customers to respond to. Any simple response that you opt to include human approval on will appear here.
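The set-up steps, Simple History, Exclusions, and Approvals described above fit together as one decision pipeline: map a detection to one of the three actions, skip the action if its target is on an exclusion list, hold it for human approval when the response is configured that way, and record every outcome so it can be reverted. The following added Python model illustrates that pipeline; it is an illustration written for this page, not Alert Logic's code or API, and every name in it (Incident, Exclusions, SimpleResponse, the incident kinds in ACTION_FOR_INCIDENT, and the sample users, hosts, and addresses) is a constructed assumption.

```python
"""Toy model of a Simple Response decision pipeline.

Added illustration, not Alert Logic code. All class names, incident kinds,
and sample values are hypothetical.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed mapping from detection kinds to the three core response actions.
ACTION_FOR_INCIDENT = {
    "successful_brute_force": "disable_user",
    "malware_for_user": "disable_user",
    "external_brute_force": "shun_attacker",
    "reconnaissance": "shun_attacker",
    "edr_failure": "isolate_host",
    "internal_attacker_host": "isolate_host",
}


@dataclass
class Incident:
    kind: str
    user: Optional[str] = None
    source_ip: Optional[str] = None
    host: Optional[str] = None

    def target(self) -> Optional[str]:
        return self.user or self.source_ip or self.host


@dataclass
class Exclusions:
    """Users, networks, and hosts that automated actions must never touch."""
    users: set = field(default_factory=set)
    networks: list = field(default_factory=list)
    hosts: set = field(default_factory=set)

    @classmethod
    def from_lists(cls, users=(), cidrs=(), hosts=()) -> "Exclusions":
        return cls(
            users={u.lower() for u in users},
            networks=[ipaddress.ip_network(c, strict=False) for c in cidrs],
            hosts={h.lower() for h in hosts},
        )

    def matches(self, inc: Incident) -> Optional[str]:
        """Return why the incident target is excluded, or None if it is not."""
        if inc.user and inc.user.lower() in self.users:
            return f"user {inc.user} is excluded"
        if inc.host and inc.host.lower() in self.hosts:
            return f"host {inc.host} is excluded"
        if inc.source_ip:
            addr = ipaddress.ip_address(inc.source_ip)
            for net in self.networks:
                if addr in net:
                    return f"ip {inc.source_ip} is inside excluded {net}"
        return None


@dataclass
class SimpleResponse:
    exclusions: Exclusions
    require_approval: bool
    history: list = field(default_factory=list)           # every attempted action
    pending_approvals: list = field(default_factory=list)  # awaiting a human decision

    def handle(self, inc: Incident) -> dict:
        action = ACTION_FOR_INCIDENT.get(inc.kind)
        if action is None:
            return {"action": None, "status": "no_response_configured"}
        reason = self.exclusions.matches(inc)
        if reason:
            entry = {"action": action, "status": "skipped_excluded", "reason": reason}
        elif self.require_approval:
            entry = {"action": action, "status": "awaiting_approval", "target": inc.target()}
            self.pending_approvals.append(entry)
        else:
            entry = {"action": action, "status": "executed", "target": inc.target()}
        self.history.append(entry)
        return entry

    def approve(self, index: int) -> dict:
        # The same dict lives in history, so its status updates there too.
        entry = self.pending_approvals.pop(index)
        entry["status"] = "executed"
        return entry

    def revert(self, index: int) -> dict:
        entry = self.history[index]
        if entry["status"] != "executed":
            raise ValueError("only executed actions can be reverted")
        reverted = {"action": "revert_" + entry["action"], "status": "executed",
                    "target": entry["target"]}
        self.history.append(reverted)
        return reverted


def demo() -> dict:
    """Run constructed incidents through an automatic and an approval-gated response."""
    excl = Exclusions.from_lists(users=["soc-admin@example.com"],
                                 cidrs=["10.0.0.0/8"], hosts=["jumpbox01"])
    auto = SimpleResponse(exclusions=excl, require_approval=False)
    gated = SimpleResponse(exclusions=excl, require_approval=True)
    results = {
        "brute_force_auto": auto.handle(Incident("successful_brute_force", user="dev-user@example.com")),
        "excluded_admin": auto.handle(Incident("successful_brute_force", user="SOC-Admin@example.com")),
        "excluded_ip": auto.handle(Incident("external_brute_force", source_ip="10.20.30.40")),
        "shun_external": auto.handle(Incident("external_brute_force", source_ip="203.0.113.7")),
        "gated": gated.handle(Incident("internal_attacker_host", host="ws-0042")),
    }
    results["approved"] = gated.approve(0)
    results["reverted"] = auto.revert(0)
    return results


if __name__ == "__main__":
    for name, entry in demo().items():
        print(f"{name}: {entry}")
```

The exclusion check runs before the approval gate on purpose: an excluded target is never even offered for approval, which is what keeps a security team's own accounts and management hosts out of the blast radius of an automated action.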
Alert Logic Mobile App
The Alert Logic mobile application is available for iOS and Android devices and allows you to review key metrics of your environment and act on Simple Response approvals you have opted into. The Alert Logic mobile app complements the Alert Logic console; it provides you with quick access to key actions and data that will help you choose whether to act immediately or review later.
For more details on the Alert Logic mobile app, see our Alert Logic Mobile Application knowledge base article.
Additional Resources
For additional information on Intelligent Response, see these Alert Logic support resources:
- Alert Logic Mobile Application
- Intelligent Response Simple Responses Automation Types
- Intelligent Response Simple Responses Workflow
- Intelligent Response Simple Responses Customer Approval Workflow
- How do I log in to the Alert Logic mobile app?
- Intelligent Response Keyword Glossary
- Intelligent Response Frequently Asked Questions
- Get Started with Automated Response
- Get Started with Simple Responses
- Simple Response Configuration Guide
- Exclusions