Get Started with Simple Responses

Simple Responses is a core capability in MDR. A simple response is an automated action that Alert Logic recommends that you take in response to a common security threat. Simple responses allow you to achieve a security outcome with an interaction between Alert Logic and a third-party device or service that you already have. The "simple" in simple responses refers to the guided interface that makes it easier to enable even complex response actions. The Alert Logic console steps you through the setup with a workflow that captures common practices and actions that Alert Logic recommends. No knowledge of programming or automation is required for setup.

Available simple responses cover key use cases for the MDR platform:

  • Isolating a host
  • Disabling a user
  • Blocking external attacker IP addresses

Automation safeguards

Simple responses include several features that help you confidently and safely adopt automation.

The following safeguards are integrated in the response configuration:

  • Optional approval workflow
  • Optional identification of key exclusions (which will never be the target of a response)

Responses are also easy to revert, retry, or even completely deactivate if you encounter any problems.

Access the Simple Responses page

To access the Simple Responses page, in the Alert Logic console, click Respond on the navigation menu, click Automated Response, and then click the Simple Responses tab.

Simple response creation

You can create a simple response from the Simple Responses page. Click the add icon, and then choose the type of response.

For instructions on how to configure a specific response, see Simple Response Configuration Guide.

Another method for creating a simple response is to add it from a specific incident on the Incidents page in the Alert Logic console. For more information, see Add a simple response.

View simple responses

The list on the Simple Responses page displays all the simple responses created in your account.

Filter the list

You can apply filters to narrow the list to a specific set of simple responses. Use the list on the left to choose the filters:

  • Response Type—Simple response type (example: AWS IAM: Disable User). For a complete list of responses, see Simple Response Configuration Guide.
  • Response Category—Simple response categories include the security outcomes you can achieve with a simple response:
    • Isolate Host
    • Block External IP Address
    • Disable User
  • Response Status—Simple response status: Active or Inactive.

To narrow the visible filters or find a specific filter, start typing a filter value (example: "disable") in the filter search box.

The number of simple responses that match each filter value appears next to the value.

Filter the list by searching

To further narrow displayed results, you can type a string in the search bar.

Edit a simple response

You can change the details in an existing simple response.

To edit a simple response:

  1. On the Simple Responses page, find the response you want to edit, and then click the Edit icon.
  2. Change any of the available settings.
  3. Click SAVE.

Delete a simple response

On the Simple Responses page, find the simple response that you want to delete, and then click the Delete icon.

Activate or deactivate a simple response

On the Simple Responses page, find the simple response that you want to activate or deactivate.

  • To activate a response, click the Inactive toggle to change the status to Active.
  • To deactivate a response, click the Active toggle to change the status to Inactive.

You can also activate or deactivate a response by editing it.

Stop a simple response

From the Simple Response History page, you can stop a simple response that is running. To prevent future simple responses from acting on the listed response targets, you can choose to add the targets to an existing or new exclusion list. For more information about exclusion lists, see Exclusions.

To stop a simple response:

  1. In the Alert Logic console, click Respond on the navigation menu, click Automated Response, and then click the Simple Response History tab.
  2. (Optional) To show only the simple responses that are currently running, click the Status filter to expand it, and then select the Running check box.
  3. In the Action column, next to the simple response that you want to stop, click Stop.
  4. Choose one of the following options:
    • Stop once—If you want to stop this action but not add the listed response targets to an exclusion list, click this option.
    • Stop and add target(s) to exclusion list—If you want to prevent future simple responses from affecting the listed targets, click this option and then select an existing exclusion list or click create list to add the targets to a new list.
  5. Click SAVE.

Revert a simple response

From the Simple Response History page, you can use the Revert action to roll back a simple response that completed successfully. To prevent future simple responses from acting on the listed response targets, you can choose to add the targets to an existing or new exclusion list. For more information about exclusion lists, see Exclusions.

To revert a simple response:

  1. In the Alert Logic console, click Respond on the navigation menu, click Automated Response, and then click the Simple Response History tab.
  2. (Optional) To show only the simple responses that succeeded, click the Status filter to expand it, and then select the Succeeded check box.
  3. In the Action column, next to the simple response that you want to roll back, click Revert.
  4. Choose one of the following options:
    • Revert once—If you want to roll back this response but not add the listed response targets to an exclusion list, click this option.
    • Revert and add target(s) to exclusion list—If you want to prevent future simple responses from affecting the listed targets, click this option and then select an existing exclusion list or click create list to add the targets to a new list.
  5. Click SAVE.

Stop reverting a simple response

From the Simple Response History page, you can stop a simple response reversion that is in progress.

To stop reverting a simple response:

  1. In the Alert Logic console, click Respond on the navigation menu, click Automated Response, and then click the Simple Response History tab.
  2. (Optional) To show only the simple responses that are currently being reverted, click the Status filter to expand it, and then select the Reverting check box.
  3. In the Action column, next to the simple response that you want to stop reverting, click Stop.

Rerun a reverted simple response

From the Simple Response History page, you can rerun a simple response that was previously reverted.

To rerun a reverted simple response:

  1. In the Alert Logic console, click Respond on the navigation menu, click Automated Response, and then click the Simple Response History tab.
  2. (Optional) To show only the simple responses that were reverted, click the Status filter to expand it, and then select the Reverted check box.
  3. In the Action column, next to the simple response that you want to rerun, click Rerun.

Retry a simple response or reversion

From the Simple Response History page, you can retry a simple response that timed out or failed.

If you attempted to revert a simple response and the reversion timed out or failed, you can also retry a reversion.

To retry a simple response or reversion:

  1. In the Alert Logic console, click Respond on the navigation menu, click Automated Response, and then click the Simple Response History tab.
  2. (Optional) To filter the list, click the Status filter to expand it, and then select the check box next to a relevant status:
    • Response Timed Out
    • Failed
    • Reversion Timed Out
    • Reversion Failed
  3. In the Action column, next to the simple response whose run or reversion you want to retry, click Retry.
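The Stop, Revert, Rerun and Retry actions above, together with the exclusion-list safeguard, describe a small lifecycle. The following added example (not Alert Logic code) models that lifecycle in Python so you can see which action is offered from which status and how targets added to an exclusion list are skipped by later responses; the status labels are the ones shown on the Simple Response History page, while "Stopped" and the exact post-Stop status are assumptions.

```python
# Added example, not Alert Logic's code: a model of the simple-response lifecycle
# and exclusion-list safeguard described in this guide.
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

# Statuses named on the Simple Response History page
RUNNING, SUCCEEDED, FAILED, TIMED_OUT = "Running", "Succeeded", "Failed", "Response Timed Out"
REVERTING, REVERTED = "Reverting", "Reverted"
REV_FAILED, REV_TIMED_OUT = "Reversion Failed", "Reversion Timed Out"
STOPPED = "Stopped"  # assumed: the guide does not name the status after Stop

# History-page action -> {status it is offered in: status it moves to}
TRANSITIONS = {
    "Stop":   {RUNNING: STOPPED, REVERTING: STOPPED},   # stop a run or a reversion
    "Revert": {SUCCEEDED: REVERTING},                   # only successful runs
    "Rerun":  {REVERTED: RUNNING},                      # only reverted runs
    "Retry":  {FAILED: RUNNING, TIMED_OUT: RUNNING,     # retry a run ...
               REV_FAILED: REVERTING, REV_TIMED_OUT: REVERTING},  # ... or a reversion
}

@dataclass
class Response:
    kind: str               # e.g. "AWS IAM: Disable User"
    targets: list[str]      # hosts, users or IPs the response acts on
    status: str = RUNNING

@dataclass
class Account:
    exclusions: dict[str, set[str]] = field(default_factory=dict)  # list name -> targets
    history: list[Response] = field(default_factory=list)

    def run(self, kind: str, targets: list[str]) -> Response:
        """Start a response; targets on any exclusion list are never acted on."""
        excluded = set().union(*self.exclusions.values())
        resp = Response(kind, [t for t in targets if t not in excluded])
        self.history.append(resp)
        return resp

    def act(self, resp: Response, action: str, exclusion_list: Optional[str] = None) -> str:
        """Apply a History-page action; Stop/Revert may also add targets to an exclusion list."""
        offered = TRANSITIONS[action]
        if resp.status not in offered:
            raise ValueError(f"{action} is not offered while the response is {resp.status}")
        if exclusion_list is not None:
            if action not in ("Stop", "Revert"):
                raise ValueError("only Stop and Revert can add targets to an exclusion list")
            self.exclusions.setdefault(exclusion_list, set()).update(resp.targets)
        resp.status = offered[resp.status]
        return resp.status
```

In the model a run's outcome (Succeeded, Failed, timed out) is set by the caller, standing in for the result the console reports.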

Respond to an approval request

When you create a response, you can choose one or more users to receive approval requests via email and the Alert Logic Mobile App. You can view the status of approval requests on the Approvals page. For requests that are pending, you can respond directly from the Approvals page.

If you approve or reject the response and any of the other original recipients attempts to respond later, a message informs that user that the request has already received a response.

Users with roles that grant permission to make changes to an account are allowed to approve responses in that account.

To approve or reject a response from the Approvals page:

  1. In the Alert Logic console, click Respond on the navigation menu, click Automated Response, and then click the Approvals tab.
  2. (Optional) To show only pending approval requests, click the Status filter to expand it, and then select the Pending check box.
  3. Open the detail view, and then click the RESPOND icon.
  4. Click APPROVE or REJECT.

Run a simple response on an individual incident manually

You can run a simple response manually on an incident from the incident details page. Typical reasons for responding manually include:

  • Testing a simple response before you activate it
  • Running a simple response, even if you do not want it to trigger automatically
  • Running a new simple response retroactively on an old incident

A simple response that is compatible with the incident's analytic must already be configured. However, the analytic does not have to be selected as an automatic trigger in the simple response.

For more information about incidents and the incidents list, see Incidents. For more information about incident details, see Incidents Details.

To run a simple response from an incident:

  1. In the incident list, click the incident that you want to respond to with a simple response.
  2. Click the Respond icon.
  3. Click Run Simple Response.
  4. In Simple Response, select the simple response that you want to run on the incident.