Automated Response (Beta)

This document is intended for early-access customers, and it is updated as Automated Response features are enhanced.

The Automated Response page, available under Respond in the Alert Logic console, lists your automated response playbooks. On this page, you can create and manage playbooks, view the playbook history, and view inquiries.

Process to Define an Automated Response Playbook

  1. Create the playbook
  2. Design the playbook workflow
  3. Validate the playbook
  4. Test the playbook
  5. (Optional) Specify criteria to run the playbook automatically
  6. (Optional) Run the playbook on demand

Create the playbook

  1. Enter details about the playbook.
  2. (Optional) Select the Input tab, and view the list of input parameters for this playbook.

    The playbook publishes the parameter values when it runs, and you can reference the parameters in your playbook tasks. For an incident playbook, the values are:

    • account_id—Your Alert Logic Managed Detection and Response customer account identification number (for example, 12345678)
    • payload_type—Incident

    • payload—The payload of an Alert Logic incident. For the incident payload schema, variable descriptions, and an example, see Incident Schema.

    You can also specify additional input parameters (for example, an account identifier for an internal system).

  3. (Optional) Select the Variables tab to view the list of variables for use in this playbook and their descriptions.

    Tasks in your playbooks can request these variables. The first three are the ones listed on the Input tab, followed by the payload variables described in Incident Schema.

  4. (Optional) Select the Result tab to define variables that you want to include in the overall result of your playbook.

    For each variable, enter its name and value. The value can be a default value or an expression. You can write expressions in either Yet Another Query Language (YAQL) or Jinja2 format. YAQL format is <% expression %>. Jinja2 format is {{ expression }}. The result appears in the Output section of the playbook history.

    If a task in your playbook is to create an Alert Logic incident in your ticketing system, a result of the task is an incident ID. You can add the variable for it on the Result tab to publish it not only for subsequent playbook tasks, but also for the overall playbook result. Type the variable name in the Variable field, for example, ticketing_incident_id. In the Value field, type either <% ctx().ticketing_incident_id %> or {{ ctx().ticketing_incident_id }}. The ctx() part of the expression publishes the variable and its value to the overall playbook result.
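The following is an added example, not code from the Alert Logic platform: a small Python resolver that shows how a Result-tab value is evaluated against the playbook context. The platform itself evaluates full YAQL and Jinja2; this resolver understands only the ctx().name form the page describes (with optional dotted sub-fields) and treats anything else as a literal default. The context values, including the field under payload, are constructed for the example and are not the real Incident Schema.

```python
import re

# Constructed sample of a playbook's published context: the Input-tab values
# plus a variable that a ticketing task published while it ran. The field
# under "payload" is made up for this example, not taken from Incident Schema.
SAMPLE_CONTEXT = {
    "account_id": "12345678",
    "payload_type": "Incident",
    "payload": {"example_field": "constructed value"},
    "ticketing_incident_id": "INC0012345",
}

# A Result-tab value is a YAQL expression <% ... %>, a Jinja2 expression
# {{ ... }}, or a literal default. Only ctx().name[.subfield...] is handled
# here; the real engine evaluates arbitrary YAQL/Jinja2.
_EXPR_PATTERNS = (
    re.compile(r"^\s*<%\s*ctx\(\)\.([A-Za-z_]\w*(?:\.[A-Za-z_]\w*)*)\s*%>\s*$"),
    re.compile(r"^\s*\{\{\s*ctx\(\)\.([A-Za-z_]\w*(?:\.[A-Za-z_]\w*)*)\s*\}\}\s*$"),
)


def resolve_result_value(value, context):
    """Evaluate one Result-tab value against the playbook context.

    Returns the referenced context variable for a ctx() expression, or the
    value itself when it is a literal default. Raises KeyError when the
    expression names a variable that no task has published in this run.
    """
    for pattern in _EXPR_PATTERNS:
        match = pattern.match(value)
        if not match:
            continue
        current = context
        for part in match.group(1).split("."):
            if not isinstance(current, dict) or part not in current:
                raise KeyError(f"ctx().{match.group(1)} is not published in this run")
            current = current[part]
        return current
    return value


def build_playbook_result(result_tab, context):
    """Assemble the overall playbook result (what the Output section shows)."""
    return {name: resolve_result_value(value, context)
            for name, value in result_tab.items()}


if __name__ == "__main__":
    # Two syntaxes for the same variable, plus a literal default.
    result_tab = {
        "ticketing_incident_id": "<% ctx().ticketing_incident_id %>",
        "account": "{{ ctx().account_id }}",
        "triage_status": "pending",
    }
    print(build_playbook_result(result_tab, SAMPLE_CONTEXT))
```

Both the YAQL and the Jinja2 form resolve to the same published value, and a reference to a variable that no task published fails loudly rather than producing an empty result, which is the behaviour you want when a downstream step depends on that value.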

Design the playbook workflow

After you create the playbook, the next step is to design the playbook workflow. The playbook workflow defines the tasks that you want the playbook to perform either on demand or automatically when criteria are met.

Building blocks for your playbooks include the following:

  • Playbook context—The context is the information you provided when you created the playbook, plus the variables available to your playbook, as listed on the Variables tab.
  • Task
  • Condition
  • Join

Task

A task is an action that you want the playbook to perform. To add a task, click the add task icon in the workflow diagram, and then enter the required information.

For a list of available tasks and their descriptions, see Playbook tasks.

Condition

A condition tells the playbook what to do if a task succeeds or fails. To add a condition, click the add condition icon in the workflow diagram, and then enter the required information.

For example, a task that sends an approval email can have two conditions that transition to different next tasks, depending on whether the email is approved or not.

Join

If your playbook includes parallel tasks (such as one task for the playbook to carry out if an action is approved and another task to carry out if the action is not approved), you can create a join to specify that the playbook must wait for the parallel tasks to complete before proceeding to the next task. To add a join, click the add join icon in the workflow diagram, and then enter the required information.

Validate the playbook

To ensure that your playbook has all required information, the next step is to validate it. Click the VALIDATE icon. A message indicates if validation is successful. If validation fails, one or more messages appear to indicate the missing information.

As you work, Alert Logic recommends that you save often, starting as soon as you have a valid configuration. Click the SAVE icon to validate the playbook and save your work. The playbook is not saved if it is not valid.

Test the playbook

After you validate the playbook, you can test it. This step runs the playbook with a sample incident payload. To test the playbook, click the TEST icon. You can then check that the playbook results are what you expected and edit your playbook as necessary.

Specify criteria to run the playbook automatically

If you want the playbook to run automatically if certain incident criteria are met, you must specify the criteria on the Incident Notifications page. Criteria include threat levels and escalation status. For more information about setting up an incident notification, see Incident Notifications. In the step where you choose recipients, click Subscribe Playbook, and then select your playbook.

In a future release, you will be able to select criteria for running the playbook when you create the playbook instead.

Run the playbook on demand

You can run a playbook to respond to a specific incident.

To run the playbook on demand:

  1. In the Alert Logic console, click the navigation menu icon, click Respond, and then click Incidents.
  2. Open the incident for which to run the playbook.
  3. Click the PLAYBOOK icon.

Playbook tasks

The available tasks include notification, ticketing, and approval actions, as well as response actions such as blocking attacker IP addresses and disabling user accounts in an Amazon Web Services (AWS) environment.

Each task action is listed below with its description.

Alert Logic: Run Alert Logic Action

    Run an Alert Logic SDK Python action for an Alert Logic service.

Alert Logic: Send Message to Connector

    Send a message or open a service ticket via a webhook or email connector.

Microsoft: Post Incident to Microsoft Teams Connector

    Post incident details to a Microsoft Teams connector.

Slack: Post Incident to Slack Connector

    Post incident details to a Slack connector.

ServiceNow: Create ServiceNow Incident

    Open an incident in ServiceNow.

Alert Logic: Add Incident Feedback

    Add a feedback note to an existing incident.

Alert Logic: Close Incident

    Close an incident and provide the reason for closing the incident.

Alert Logic: Reopen Incident

    Reopen a closed incident.

Alert Logic: Send Approval Request to User

    Request approval from a user via an email or a push notification to the Alert Logic Mobile App.

AWS: Run AWS Action

    Run any action supported by the AWS SDK for Python (Boto3) for an AWS service.

AWS: Send Event to Amazon EventBridge

    Send events to Amazon EventBridge for a serverless infrastructure such as AWS Lambda.

AWS: Publish Message to SNS Topic

    Publish a message to an Amazon Simple Notification Service (SNS) topic.

AWS: Disable AWS User

    Disable an AWS user and its access keys.

AWS: AWS WAF Block IP Address - CloudFront

    Block an IP address in an Amazon CloudFront web distribution integrated with the AWS WAF (web application firewall) service.

AWS: AWS WAF Block IP Address - Regional

    Block an IP address in a regional AWS WAF (web application firewall).

AWS: AWS WAF Unblock IP Address - CloudFront

    Unblock an IP address in an Amazon CloudFront web distribution integrated with the AWS WAF (web application firewall) service.

AWS: AWS WAF Unblock IP Address - Regional

    Unblock an IP address in a regional AWS WAF (web application firewall).

built-in: Send HTTP Request

    Invoke a REST API to carry out HTTP requests.

built-in: Do Nothing

    Do nothing, such as while waiting for a parallel task to complete or when transitioning from one condition to another.

built-in: Pause Playbook

    Pause running of the playbook.

built-in: Print Message

    Print a message for troubleshooting purposes.

built-in: Carry Out Remote Command

    Carry out a remote command securely with the SSH protocol.

Zendesk: Create Zendesk Ticket

    Create a ticket on Zendesk.
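As an added example, not Alert Logic's implementation of the AWS WAF block and unblock tasks listed above, the following Python shows what such a task has to get right when it edits an AWS WAF IP set through the wafv2 API: the address must be stored as a CIDR block, update_ip_set replaces the entire address list (so existing entries must be read first and preserved), and the LockToken returned by get_ip_set protects against two concurrent playbook runs overwriting each other. The IP set name and ID are placeholders, and FakeWafClient is a constructed in-memory stand-in for the boto3 client so that the example runs offline; with real AWS credentials you would pass boto3.client("wafv2", region_name=...) instead. The scope values CLOUDFRONT and REGIONAL are the real wafv2 Scope values; a CLOUDFRONT-scope set must be managed from the us-east-1 region.

```python
import ipaddress

# Placeholder IP set coordinates for the example; not real Alert Logic or AWS
# identifiers. A CLOUDFRONT-scope IP set is managed through a wafv2 client in
# us-east-1; a REGIONAL set lives in the region of the protected resource.
IP_SET_NAME = "example-blocked-attackers"
IP_SET_ID = "00000000-0000-0000-0000-000000000000"


def to_cidr(address):
    """WAF IP sets hold CIDR blocks, so a single host becomes /32 (or /128 for IPv6).
    The IP set's IPAddressVersion must match the address family being added."""
    return str(ipaddress.ip_network(address, strict=False))


def _replace_addresses(client, scope, addresses, lock_token):
    # update_ip_set replaces the whole list, so the caller passes the existing
    # entries plus or minus the one being changed. The LockToken read from
    # get_ip_set makes the write fail with WAFOptimisticLockException if the
    # set changed in between, instead of silently discarding that change.
    client.update_ip_set(
        Name=IP_SET_NAME, Scope=scope, Id=IP_SET_ID,
        Addresses=addresses, LockToken=lock_token,
    )


def block_ip(client, scope, address):
    """Add one address to the IP set; returns the resulting address list."""
    cidr = to_cidr(address)
    current = client.get_ip_set(Name=IP_SET_NAME, Scope=scope, Id=IP_SET_ID)
    addresses = list(current["IPSet"]["Addresses"])
    if cidr in addresses:
        return addresses          # already blocked: nothing to write
    addresses.append(cidr)
    _replace_addresses(client, scope, addresses, current["LockToken"])
    return addresses


def unblock_ip(client, scope, address):
    """Remove one address from the IP set; returns the resulting address list."""
    cidr = to_cidr(address)
    current = client.get_ip_set(Name=IP_SET_NAME, Scope=scope, Id=IP_SET_ID)
    addresses = list(current["IPSet"]["Addresses"])
    if cidr not in addresses:
        return addresses          # not present: nothing to write
    addresses.remove(cidr)
    _replace_addresses(client, scope, addresses, current["LockToken"])
    return addresses


class FakeWafClient:
    """Constructed in-memory stand-in for boto3's wafv2 client so the example
    runs offline. It mimics only get_ip_set and update_ip_set, including the
    lock-token check that the real service performs."""

    def __init__(self, addresses):
        self._addresses = list(addresses)
        self._token = 0

    def get_ip_set(self, Name, Scope, Id):
        return {
            "IPSet": {"Name": Name, "Id": Id, "Addresses": list(self._addresses)},
            "LockToken": str(self._token),
        }

    def update_ip_set(self, Name, Scope, Id, Addresses, LockToken):
        if LockToken != str(self._token):
            raise RuntimeError("WAFOptimisticLockException: IP set changed since it was read")
        self._addresses = list(Addresses)
        self._token += 1
        return {"NextLockToken": str(self._token)}


if __name__ == "__main__":
    waf = FakeWafClient(["198.51.100.0/24"])            # constructed existing entry
    print(block_ip(waf, "REGIONAL", "203.0.113.5"))     # adds 203.0.113.5/32
    print(unblock_ip(waf, "REGIONAL", "203.0.113.5"))   # removes it again
```

Both functions are idempotent, so a playbook that runs twice for the same incident, or an unblock that follows a block the playbook never made, does not issue a write. That keeps the optimistic-lock failure path reserved for a genuine conflict between concurrent runs.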