Get Started with Automated Response (Beta)
Gain full security value from the Managed Detection and Response (MDR) platform by setting up automated responses to threats that Alert Logic detects. As part of Intelligent Response, the Automated Response feature in the Alert Logic console helps you create workflows between Alert Logic and your applications to respond to common security threats automatically. When you automate routine security tasks and responses to common threats, response times decrease. Your security team can focus on new or more complex threats that require human analysis and intervention.
Intelligent Response requires an Alert Logic MDR Professional subscription.
Simple responses versus playbooks
Automated response includes two main features: Simple Responses and Playbooks.
Simple Responses is a core capability in MDR. A simple response is an automated action that Alert Logic recommends that you take in response to a common security threat. Simple responses allow you to achieve a security outcome with an interaction between Alert Logic and a third-party device or service that you already have. The "simple" in simple responses refers to the guided interface that makes it easier to enable even complex response actions. The Alert Logic console steps you through the setup with a workflow that captures common practices and actions that Alert Logic recommends. No knowledge of programming or automation is required for setup.
Available simple responses cover key use cases for the MDR platform:
- Isolating a host
- Disabling a user
- Blocking external attacker IP addresses
The Playbooks feature is for organizations that need to go beyond the Alert Logic recommendations built into the core simple responses. A playbook is a series of automated workflow actions between Alert Logic and your systems that you define, and it can integrate the Alert Logic console with your devices to achieve a security outcome. Because your team defines the logic rather than relying on Alert Logic expertise and a guided interface, knowledge of programming and workflow automation is helpful for creating playbooks, although it is not required. Several playbook templates are available to help you get started.
Alert Logic recommends that you start by implementing the simple responses that apply to your environment and devices. Then consider creating a playbook if your organization has security needs that require different or more complex automation workflows.
Access Automated Response
The Automated Response page is available under Respond in the Alert Logic console.
Automated Response page
On the Automated Response page, you can access additional pages for creating, managing, and viewing automated response features.
On the Simple Responses page, you can add a simple response to take actions that Alert Logic recommends, using features in the Alert Logic console and devices or services that you already have. After you choose the security outcome you want to achieve with your device, a guided interface steps you through the process, from connecting your device through choosing a recommended response.
Simple Response History
The Simple Response History page lists the run history for all your simple responses. Each record covers one run of a response and includes its start and end time and its run status. The history provides an audit trail of all actions taken.
The following table defines the simple response statuses and the action you can perform when the response is in each state. On the Simple Response History page, actions appear in the Action column. If the column is hidden, you can use Choose Columns to show it.
| Internal state | Status | Status description | Available action |
|---|---|---|---|
| blocking | Running | Simple response is in progress | Stop: cancels a response that is in progress |
| blocked | Succeeded | Response succeeded | Revert: rolls back a response that succeeded |
| timeout_blocking | Response Timed Out | Simple response was initiated but did not complete within approximately 5 minutes, so it timed out | Retry: tries again to run the response |
| block_fail | Failed | Response failed for a reason other than timing out | Retry: tries again to run the response |
| unblocking | Reverting | Reversion request is running | Stop: cancels the revert action that is in progress |
| unblocked | Reverted | Revert request succeeded | Rerun: runs the response again, undoing the revert action |
| timeout_unblocking | Reversion Timed Out | Revert action was initiated but did not complete within approximately 5 minutes, so it timed out | Retry: tries again to revert the response |
| unblock_fail | Reversion Failed | Revert request failed for a reason other than timing out | Retry: tries again to revert the response |
| wait | Action Pending | A pending action must complete before another action can be requested. For example, if you stop a response, you cannot perform another action until the stop action completes. | Not applicable, because an action is already pending |
If you want your simple response to exclude specific users, IP addresses, or hosts, you can define them in exclusion lists. Then, when you set up your simple response, you can choose one or more of the lists to exclude the items from your automation.
For more information, see Exclusions.
A playbook is a series of automated workflow actions between Alert Logic and your systems that you define. On the Playbooks page, you can add a playbook and configure it to run automatically in response to triggers, with or without an approval step. You can also run a playbook on a specific incident. Alert Logic provides templates you can use as a starting point to create playbooks for common scenarios.
Playbooks can run automatically when defined criteria, called triggers, are met. Examples of trigger criteria include incident threat level, MITRE classification, and targeted asset group. You can also configure a trigger that runs a playbook at a scheduled time. More than one playbook can use the same trigger.
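The following Python model shows how the two ideas above fit together: a trigger fires when an incident meets its criteria, several playbooks can share one trigger, and items on an exclusion list are removed from the automation's targets before anything is blocked, isolated, or disabled. This is an added illustration, not Alert Logic code and not its API; the `Incident`, `Trigger`, `Playbook`, and `ExclusionList` shapes, the action names, and the sample incident are all assumptions chosen to make the logic concrete.

```python
"""Illustrative model of playbook triggers and exclusion lists.

Added example, not Alert Logic code. Data shapes, action names, and the
sample data below are assumptions made for the demonstration only.
"""
import ipaddress
from dataclasses import dataclass

# Ordered severity scale (assumed) so a trigger can say "high or above".
THREAT_LEVELS = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Incident:
    incident_id: str
    threat_level: str
    mitre_tactic: str            # e.g. an ATT&CK tactic ID (assumed field)
    asset_group: str
    attacker_ips: tuple[str, ...]
    hosts: tuple[str, ...]
    users: tuple[str, ...]


@dataclass(frozen=True)
class Trigger:
    name: str
    min_threat_level: str = "low"
    mitre_tactics: frozenset[str] = frozenset()   # empty set means "any"
    asset_groups: frozenset[str] = frozenset()    # empty set means "any"

    def matches(self, incident: Incident) -> bool:
        """True when every configured criterion is satisfied by the incident."""
        if THREAT_LEVELS[incident.threat_level] < THREAT_LEVELS[self.min_threat_level]:
            return False
        if self.mitre_tactics and incident.mitre_tactic not in self.mitre_tactics:
            return False
        if self.asset_groups and incident.asset_group not in self.asset_groups:
            return False
        return True


@dataclass(frozen=True)
class ExclusionList:
    name: str
    ip_ranges: tuple[str, ...] = ()              # CIDR strings
    hosts: frozenset[str] = frozenset()
    users: frozenset[str] = frozenset()

    def excludes_ip(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(r, strict=False) for r in self.ip_ranges)


@dataclass(frozen=True)
class Playbook:
    name: str
    trigger: str                                 # trigger name; may be shared
    action: str                                  # block_ip | isolate_host | disable_user
    requires_approval: bool = False
    exclusions: tuple[ExclusionList, ...] = ()


def filter_targets(targets, action, exclusions):
    """Split targets into (kept, excluded) according to the exclusion lists."""
    kept, dropped = [], []
    for t in targets:
        if action == "block_ip":
            excluded = any(e.excludes_ip(t) for e in exclusions)
        elif action == "isolate_host":
            excluded = any(t in e.hosts for e in exclusions)
        else:  # disable_user
            excluded = any(t in e.users for e in exclusions)
        (dropped if excluded else kept).append(t)
    return kept, dropped


def evaluate(incident, triggers, playbooks):
    """Return the planned runs for an incident: one per playbook whose trigger fired."""
    fired = {t.name for t in triggers if t.matches(incident)}
    by_action = {"block_ip": incident.attacker_ips,
                 "isolate_host": incident.hosts,
                 "disable_user": incident.users}
    runs = []
    for pb in playbooks:
        if pb.trigger not in fired:
            continue
        kept, dropped = filter_targets(by_action[pb.action], pb.action, pb.exclusions)
        runs.append({"playbook": pb.name, "action": pb.action,
                     "targets": kept, "excluded": dropped,
                     "status": "pending_approval" if pb.requires_approval else "running"})
    return runs


# Constructed sample data (not real incidents, hosts, or addresses).
INTERNAL = ExclusionList("internal-ranges", ip_ranges=("10.0.0.0/8", "192.168.0.0/16"))
NEVER_ISOLATE = ExclusionList("never-isolate", hosts=frozenset({"dc-01"}),
                              users=frozenset({"svc-backup"}))
TRIGGERS = (Trigger("high_severity", min_threat_level="high"),
            Trigger("critical_only", min_threat_level="critical"),
            Trigger("lateral_movement", mitre_tactics=frozenset({"TA0008"}),
                    asset_groups=frozenset({"prod-web"})))
PLAYBOOKS = (Playbook("block-attacker-ip", "high_severity", "block_ip", exclusions=(INTERNAL,)),
             Playbook("isolate-host", "lateral_movement", "isolate_host",
                      requires_approval=True, exclusions=(NEVER_ISOLATE,)),
             Playbook("disable-user", "lateral_movement", "disable_user", exclusions=(NEVER_ISOLATE,)),
             Playbook("critical-escalation", "critical_only", "block_ip"))
SAMPLE_INCIDENT = Incident("inc-0001", "high", "TA0008", "prod-web",
                           attacker_ips=("203.0.113.7", "10.0.5.9"),
                           hosts=("web-01", "dc-01"), users=("jdoe", "svc-backup"))


def plan_sample():
    return evaluate(SAMPLE_INCIDENT, TRIGGERS, PLAYBOOKS)


if __name__ == "__main__":
    for run in plan_sample():
        print(run)
```

Two details are worth noting. The exclusion check runs per playbook, so a list that protects domain controllers and service accounts can be attached to the isolation and disable-user playbooks without affecting IP blocking, and the internal-range list stops an IP block from being applied to an internal scanner that was mislabelled as an attacker. The `critical_only` trigger does not fire for a `high` incident, so the playbook attached to it is skipped even though it shares the incident with the others.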
The History page lists the run history for all your playbooks, tasks, and actions. The records include information such as each time the item ran, the start and end time, and the run status (for example, succeeded, failed, or pending). The history provides an audit trail of all actions taken. You can open the item to view details, which can help you troubleshoot your automation during its initial creation and testing.
The Approvals page lists all simple responses