Get Started with Automated Response (Beta)

This document is intended for early-access customers, and it is updated as Automated Response features are enhanced.

Gain full security value from the Managed Detection and Response (MDR) platform by setting up automated responses to threats that Alert Logic detects. As part of Intelligent Response, the Automated Response feature in the Alert Logic console helps you create workflows between Alert Logic and your applications to respond to common security threats automatically. When you automate routine security tasks and responses to common threats, response times decrease. Your security team can focus on new or more complex threats that require human analysis and intervention.

Intelligent Response requires an Alert Logic MDR Professional subscription.

Simple responses versus playbooks

Automated response includes two main features: Simple Responses and Playbooks.

Simple Responses is a core capability in MDR. A simple response is an automated action that Alert Logic recommends that you take in response to a common security threat. Simple responses allow you to achieve a security outcome with an interaction between Alert Logic and a third-party device or service that you already have. The "simple" in simple responses refers to the guided interface that makes it easier to enable even complex response actions. The Alert Logic console steps you through the setup with a workflow that captures common practices and actions that Alert Logic recommends. No knowledge of programming or automation is required for setup.

Available simple responses cover key use cases for the MDR platform:

  • Isolating a host
  • Disabling a user
  • Blocking external attacker IP addresses

The Playbooks feature is available for organizations that want to go beyond Alert Logic recommendations made available in the core simple responses. A playbook is a series of automated workflow actions between Alert Logic and your systems that you define. A playbook can also integrate the Alert Logic console with your devices to achieve a security outcome. However, creating a playbook requires your team to define the logic instead of taking advantage of Alert Logic expertise and a guided interface. A knowledge of programming and workflow automation is helpful for creating playbooks but is not required. Several playbook templates are available to help you get started.

Alert Logic recommends that you start by implementing the simple responses that apply to your environment and devices. Then consider creating a playbook if your organization has security needs that require different or more complex automation workflows.

Access Automated Response

The Automated Response page is available under Respond in the Alert Logic console.


On the Automated Response page, you can access additional pages for creating, managing, and viewing automated response features.

Simple Responses

On the Simple Responses page, you can add a simple response to take actions that Alert Logic recommends, using features in the Alert Logic console and devices or services that you already have. After you choose the security outcome you want to achieve with your device, a guided interface steps you through the process, from connecting your device through choosing a recommended response.

For more information, see:

Simple Response History

The Simple Response History page lists the run history for all your simple responses. The records include information such as each time the response ran, the start and end time, and the run status. The history provides an audit trail of all actions taken.

The following table defines the simple response statuses and the action you can perform when the response is in each state. On the Simple Response History page, actions appear in the Action column. If the column is hidden, you can use Choose Columns to show it.

| Internal State | Status | Status Description | Available Action |
|---|---|---|---|
| blocking | Running | Simple response is in progress | Stop—Cancels a response that is in progress |
| blocked | Succeeded | Response succeeded | Revert—Rolls back a response that succeeded |
| timeout_blocking | Response Timed Out | Simple response was initiated but did not occur within approximately 5 minutes, so it timed out | Retry—Tries again to run the response |
| block_fail | Failed | Response failed for a reason other than timing out | Retry—Tries again to run the response |
| unblocking | Reverting | Reversion request is running | Stop—Cancels the revert action that is in progress |
| unblocked | Reverted | Revert request succeeded | Rerun—Runs the response again, undoing the revert action |
| timeout_unblocking | Reversion Timed Out | Revert action was initiated but did not occur within approximately 5 minutes, so it timed out | Retry—Tries again to revert the response |
| unblock_fail | Reversion Failed | Revert request failed for a reason other than timing out | Retry—Tries again to revert the response |
| wait | Action Pending | A pending action must complete before another action can be requested. For example, if you stop a response, you cannot perform another action until the stop action completes. | Not applicable because an action is already pending |
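To make the lifecycle in the table concrete, the following is an added Python model (example code, not Alert Logic's) of the internal-state to status to available-action mapping, with the offered action enforced and the approximately 5-minute timeout applied. The mapping comes from the table; where each action leads (Retry, Rerun and Stop targets) is an assumption made for illustration, not documented behavior.

```python
from datetime import datetime, timedelta

TIMEOUT = timedelta(minutes=5)  # "approximately 5 minutes" per the status table

# internal_state -> (status shown in the console, available action); from the table
STATUS = {
    "blocking": ("Running", "Stop"),
    "blocked": ("Succeeded", "Revert"),
    "timeout_blocking": ("Response Timed Out", "Retry"),
    "block_fail": ("Failed", "Retry"),
    "unblocking": ("Reverting", "Stop"),
    "unblocked": ("Reverted", "Rerun"),
    "timeout_unblocking": ("Reversion Timed Out", "Retry"),
    "unblock_fail": ("Reversion Failed", "Retry"),
    "wait": ("Action Pending", None),  # nothing can be requested while pending
}

# (state, action) -> next state. ASSUMED for illustration: Retry re-enters the
# phase that failed, Rerun starts a fresh block, and Stop parks the response in
# "wait" until the cancellation completes.
TRANSITIONS = {
    ("blocking", "Stop"): "wait",
    ("blocked", "Revert"): "unblocking",
    ("timeout_blocking", "Retry"): "blocking",
    ("block_fail", "Retry"): "blocking",
    ("unblocking", "Stop"): "wait",
    ("unblocked", "Rerun"): "blocking",
    ("timeout_unblocking", "Retry"): "unblocking",
    ("unblock_fail", "Retry"): "unblocking",
}

def available_action(state):
    """Action the Action column would offer for this internal state (None for wait)."""
    return STATUS[state][1]

def apply_action(state, action):
    """Next state after an operator action; rejects actions the table does not offer."""
    if available_action(state) != action:
        raise ValueError(f"{action!r} is not available while {STATUS[state][0]}")
    return TRANSITIONS[(state, action)]

def check_timeout(state, started_iso, now_iso):
    """Move an in-progress block or revert to its timed-out state after ~5 minutes."""
    started = datetime.fromisoformat(started_iso)
    now = datetime.fromisoformat(now_iso)
    if state in ("blocking", "unblocking") and now - started > TIMEOUT:
        return "timeout_" + state
    return state
```

Feeding records from the Simple Response History page (internal state plus start time) through check_timeout and available_action reproduces the Status and Action columns for an offline audit report.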

Exclusions

If you want your simple response to exclude specific users, IP addresses, or hosts, you can define them in exclusion lists. Then, when you set up your simple response, you can choose one or more of the lists to exclude the items from your automation.

For more information, see Exclusions.

Playbooks

A playbook is a series of automated workflow actions between Alert Logic and your systems that you define. On the Playbooks page, you can add a playbook and configure it to run automatically in response to triggers, with or without an approval step. You can also run a playbook on a specific incident. Alert Logic provides templates you can use as a starting point to create playbooks for common scenarios.

For more information, see:

Triggers

Playbooks can run automatically when defined criteria, called triggers, are met. A few examples of playbook triggers include threat level, MITRE classification, and targeted asset group. You can also configure a trigger to run a playbook at a scheduled time. More than one playbook can use the same trigger.

History

The History page lists the run history for all your playbooks, tasks, and actions. The records include information such as each time the item ran, the start and end time, and the run status (for example, succeeded, failed, or pending). The history provides an audit trail of all actions taken. You can open the item to view details, which can help you troubleshoot your automation during its initial creation and testing.

Approvals

The Approvals page lists all simple responses and playbooks that require approval and their approval status. On this page, you can view and manage approval requests that are pending. You can see which responses and playbooks are waiting for a human response to an approval request that was sent to an email address, pushed to a business application via a connector (applies to playbooks only), or pushed to the Alert Logic Mobile App. You can take action directly from the page to respond to pending requests. Users with roles that grant permission to make changes to an account are allowed to approve responses in that account.