With Alert Logic Intelligent Response simple responses, customers can automate incident response in three key areas and respond to incidents more efficiently. Simple responses are standardized workflows designed by Alert Logic so that you can safely and confidently add automation to your incident response process. Each standardized workflow targets a different response type and technology integration, but all workflows share common best practices, such as human-guided approvals.
You can choose to run simple responses automatically when Alert Logic detects an applicable incident in your environment. You can also choose which analytics (incident types) trigger each simple response or start with a recommendation from Alert Logic.
Use this Simple Response quick start guide to begin understanding how Intelligent Response can work for you, and which supported types of automation may work best for your environment.
Disable Compromised Users
This automation enables Alert Logic to disable user accounts in your environment based on incidents we have detected. Automatically disabling a compromised user can stop further use of leaked credentials, limit the damage a compromised account can do, and support an incident response plan that disables the account while you complete your investigation. Alert Logic recommends this automation to customers who are concerned about serious compromise of their environments.
The automatic disabling of compromised users applies to customers who use a central identity service to control passwords and employee access, such as Amazon Web Services (AWS) or Microsoft Azure Active Directory / Office 365.
Shun Attackers
This automation enables Alert Logic to block external attackers at the edge of your network based on incidents we have detected. Automatically shunning attackers can disrupt reconnaissance and attacks originating outside your network. It is not a replacement for a firewall or web application firewall (WAF); it is a mechanism for pushing detection data from the Alert Logic incident system into a firewall or WAF for a quick response.
The automatic shunning of attackers applies to customers using supported devices, such as AWS WAF or the Alert Logic WAF.
Isolate Hosts
This automation enables Alert Logic to isolate hosts in your environment based on incidents we have detected, typically by disabling the host's network access. Isolating a host can prevent a compromised laptop or server from compromising the rest of your network, or give your security team time to review endpoint detection and response (EDR) findings before responding to a potential threat.
The automatic isolation of hosts applies to customers using EDR software, such as SentinelOne or Microsoft Defender for Endpoint (formerly Microsoft Defender Advanced Threat Protection).
Quick Start for Simple Responses
Simple responses can be enabled in the Alert Logic console: open the navigation menu, go to Respond > Automated Response > Simple Responses, and click the + Simple Responses icon. This page also shows the complete and current list of supported response types. For more details on Simple Responses, see our Get Started with Simple Responses documentation.
You can also create a simple response from an incident: open the navigation menu, go to Respond > Incidents, click into a specific incident's details, and select Add Simple Response.
For additional information on Intelligent Response, see these Alert Logic support resources:
- Intelligent Response for Managed Detection & Response
- Alert Logic Mobile Application
- Intelligent Response Simple Responses Workflow
- Intelligent Response Simple Responses Customer Approval Workflow
- How do I log in to the Alert Logic mobile app?
- Intelligent Response Keyword Glossary
- Intelligent Response Frequently Asked Questions
- Get Started with Automated Response
- Get Started with Simple Responses
- Simple Response Configuration Guide