Get Started with Automated Response

Gain full security value from the Managed Detection and Response (MDR) platform by setting up automated responses to threats that Alert Logic detects. As part of Intelligent Response, the Automated Response feature in the Alert Logic console helps you create workflows between Alert Logic and your applications to respond to common security threats automatically. When you automate routine security tasks and responses to common threats, response times decrease. Your security team can focus on new or more complex threats that require human analysis and intervention.

Intelligent Response requires an Alert Logic MDR Professional subscription.

Access Automated Response

The Automated Response page is available under Respond in the Alert Logic console.

Automated Response page

On the Automated Response page, you can access additional pages for creating, managing, and viewing automated response features.

Simple Responses

On the Simple Responses page, you can add a simple response to take actions that Alert Logic recommends, using features in the Alert Logic console and devices or services that you already have. After you choose the security outcome you want to achieve with your device, a guided interface steps you through the process, from connecting your device through choosing a recommended response.

For more information, see:

Simple Response History

The Simple Response History page lists the run history for all your simple responses. The records include information such as each time the response ran, the start and end time, and the run status. The history provides an audit trail of all actions taken.

The following table defines the simple response statuses and the action you can perform when the response is in each state. On the Simple Response History page, actions appear in the Action column. If the column is hidden, you can use Choose Columns to show it.

Internal State     | Status              | Status Description                                                                                                                                           | Available Action
-------------------|---------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------
blocking           | Running             | Simple response is in progress                                                                                                                               | Stop—Cancels a response that is in progress
blocked            | Succeeded           | Response succeeded                                                                                                                                           | Revert—Rolls back a response that succeeded
timeout_blocking   | Response Timed Out  | Simple response was initiated but did not occur within approximately 5 minutes, so it timed out                                                              | Retry—Tries again to run the response
block_fail         | Failed              | Response failed for a reason other than timing out                                                                                                           | Retry—Tries again to run the response
unblocking         | Reverting           | Reversion request is running                                                                                                                                 | Stop—Cancels the revert action that is in progress
unblocked          | Reverted            | Revert request succeeded                                                                                                                                     | Rerun—Runs the response again, undoing the revert action
timeout_unblocking | Reversion Timed Out | Revert action was initiated but did not occur within approximately 5 minutes, so it timed out                                                                | Retry—Tries again to revert the response
unblock_fail       | Reversion Failed    | Revert request failed for a reason other than timing out                                                                                                     | Retry—Tries again to revert the response
wait               | Action Pending      | A pending action must complete before another action can be requested. For example, if you stop a response, you cannot perform another action until the stop action completes. | Not applicable because an action is already pending
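The status table above can be read as a small lifecycle: each internal state has one displayed status and at most one available action, and an in-progress run or revert that exceeds roughly 5 minutes becomes a timed-out state. The following Python is an added illustrative model of that table for auditing an exported run history; it is not Alert Logic's code, the record format and the state reached after each action (for example, Revert leading to unblocking) are assumptions inferred from the status descriptions, and the history records are constructed.

```python
from datetime import datetime, timedelta

# Constructed model of the Simple Response History table (not Alert Logic's code).
# internal state -> (displayed status, permitted action, assumed state after that action)
LIFECYCLE = {
    "blocking":           ("Running",             "Stop",   "wait"),
    "blocked":            ("Succeeded",           "Revert", "unblocking"),
    "timeout_blocking":   ("Response Timed Out",  "Retry",  "blocking"),
    "block_fail":         ("Failed",              "Retry",  "blocking"),
    "unblocking":         ("Reverting",           "Stop",   "wait"),
    "unblocked":          ("Reverted",            "Rerun",  "blocking"),
    "timeout_unblocking": ("Reversion Timed Out", "Retry",  "unblocking"),
    "unblock_fail":       ("Reversion Failed",    "Retry",  "unblocking"),
    "wait":               ("Action Pending",      None,     None),
}
TIMEOUT = timedelta(minutes=5)  # "approximately 5 minutes" in the table
TIMED_OUT = {"blocking": "timeout_blocking", "unblocking": "timeout_unblocking"}


def effective_state(state, started_at, now):
    """Apply the timeout rule: a run or revert still in progress after ~5 minutes times out."""
    elapsed = datetime.fromisoformat(now) - datetime.fromisoformat(started_at)
    if state in TIMED_OUT and elapsed > TIMEOUT:
        return TIMED_OUT[state]
    return state


def request_action(state, action):
    """Return the next internal state, or raise if the action is not available in this state."""
    status, permitted, next_state = LIFECYCLE[state]
    if permitted is None:
        raise ValueError(f"{status}: an action is already pending")
    if action != permitted:
        raise ValueError(f"{status}: only '{permitted}' is available, not '{action}'")
    return next_state


def audit(history, now):
    """Map each record id to (status, available action) after applying the timeout rule."""
    result = {}
    for rec in history:
        state = effective_state(rec["state"], rec["started_at"], now)
        status, action, _ = LIFECYCLE[state]
        result[rec["id"]] = (status, action)
    return result


# Constructed sample history records, not real console data.
SAMPLE_HISTORY = [
    {"id": "run-1", "state": "blocking", "started_at": "2024-01-01T12:00:00"},
    {"id": "run-2", "state": "blocking", "started_at": "2024-01-01T12:04:30"},
    {"id": "run-3", "state": "blocked", "started_at": "2024-01-01T11:00:00"},
]
```

Running `audit(SAMPLE_HISTORY, "2024-01-01T12:06:00")` flags run-1 as timed out and awaiting a Retry while run-2 is still Running.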

Exclusions

If you want your simple response to exclude specific users, IP addresses, or hosts, you can define them in exclusion lists. Then, when you set up your simple response, you can choose one or more of the lists to exclude the items from your automation.

For more information, see Exclusions.

Approvals

The Approvals page lists all simple responses that require approval and their approval status. On this page, you can view and manage approval requests that are pending. You can see which responses are waiting for a human response to an approval request sent to an email address and pushed to the Alert Logic Mobile App. You can take action directly from the page to respond to pending requests. Users with roles that grant permission to make changes to an account are allowed to approve responses in that account.