Alert Logic Intelligent Response allows Professional and Enterprise-level Managed Detection and Response customers to utilize automation to better protect their environments. The following list of frequently asked questions is intended to help you better understand and proactively answer questions you may have about the Intelligent Response experience.
Frequently Asked Questions
- What kinds of incidents can trigger a Simple Response action?
Only incidents from Alert Logic analytics can trigger a simple response; incidents from customer-defined log correlations and the like will not trigger a simple response.
- When does response happen?
Response occurs at the same time a notification is generated, after Alert Logic has completed automated or manual analysis of an incident. For more information on the response workflow, see the Intelligent Response Simple Responses Workflow knowledge base article.
- Are there limits on the number of Simple Responses and exclusions I can have enabled?
You are limited to 20 simple responses enabled at one time and to 200 items per exclusion list.
- How do I know whether there has been a response to an incident?
Review the Simple History tab in the Alert Logic console under the navigation menu > Respond > Automated Response > Simple History to see what actions have been taken on an incident.
- Does Alert Logic recommend using the same IAM policy, Microsoft Azure app registration, or other credential for both data collection and response?
Alert Logic recommends using a separate credential where possible, so that actions taken by Intelligent Response can be clearly identified and so that response can be disabled without disabling collection.
- Can I respond to a simple response approval request in a managed account?
You cannot respond directly to an approval request in a managed account, but a user in the managing account can be configured to approve responses in managed accounts.
- Can I choose to require approval for some analytics and not others for a given integration?
You can accomplish this by creating two simple responses and reusing the connection in both. Each simple response can have its own set of approvers, exclusions, and analytics.
- Who should I choose as an approver? Should it be an individual person or an email distribution list?
Alert Logic recommends selecting individual users as approvers for response actions. Data on who approved a response is stored with that approval record, which provides a clear audit trail of critical response actions.
- Can I close an incident using Intelligent Response automation?
Closing or commenting on an incident through Intelligent Response automation is not currently available; however, you can still close or comment on incidents in the Alert Logic console under the navigation menu > Respond > Incidents.
- What happens to an approval if no one responds to it?
If an approval is not responded to within six hours, it is withdrawn, and the requested response is rejected.
- If a service I already have has response capabilities, what is the benefit of integrating with Alert Logic?
Even if a service offers automation or blocking capabilities, Intelligent Response integration can improve your incident response processes. Intelligent Response offers approvals, exclusions of critical resources, and a single-pane-of-glass experience across your entire security estate.
- Does adding an IP, user name, or host name to an Intelligent Response exclusion affect how Alert Logic detects incidents?
Intelligent Response exclusions do not affect incident generation. Adding an IP, user name, or host name to an exclusion list only prevents response actions against that item; incidents that include that data are still created. For help with incident tuning, open a ticket with Alert Logic Support.
For additional information on Intelligent Response, see these Alert Logic support resources:
- Intelligent Response for Managed Detection & Response
- Alert Logic Mobile Application
- Intelligent Response Simple Responses Automation Types
- Intelligent Response Simple Responses Workflow
- Intelligent Response Simple Responses Customer Approval Workflow
- How do I log in to the Alert Logic mobile app?
- Intelligent Response Keyword Glossary
- Get Started with Automated Response
- Get Started with Simple Responses
- Simple Response Configuration Guide