Get Started with Automated Response
Gain full security value from the Managed Detection and Response (MDR) platform by setting up automated responses to threats that Alert Logic detects. As part of Intelligent Response, the Automated Response feature in the Alert Logic console helps you create workflows between Alert Logic and your applications to respond to common security threats automatically. When you automate routine security tasks and responses to common threats, response times decrease. Your security team can focus on new or more complex threats that require human analysis and intervention.
Intelligent Response requires an Alert Logic MDR Professional subscription.
Access Automated Response
The Automated Response page is available under Respond in the Alert Logic console.
Automated Response page
On the Automated Response page, you can access additional pages for creating, managing, and viewing automated response features.
On the Simple Responses page, you can add a simple response to take actions that Alert Logic recommends, using features in the Alert Logic console and devices or services that you already have. After you choose the security outcome you want to achieve with your device, a guided interface steps you through the process, from connecting your device through choosing a recommended response.
For more information, see:
Simple Response History
The Simple Response History page lists the run history for all your simple responses. The records include information such as each time the response ran, the start and end time, and the run status. The history provides an audit trail of all actions taken.
The following table defines the simple response statuses and the action you can perform when the response is in each state. On the Simple Response History page, actions appear in the Action column. If the column is hidden, you can use Choose Columns to show it.
| Internal State | Status | Status Description | Available Action |
| --- | --- | --- | --- |
| blocking | Running | Simple response is in progress | Stop—Cancels a response that is in progress |
| blocked | Succeeded | Response succeeded | Revert—Rolls back a response that succeeded |
| timeout_blocking | Response Timed Out | Simple response was initiated but did not occur within approximately 5 minutes, so it timed out | Retry—Tries again to run the response |
| block_fail | Failed | Response failed for a reason other than timing out | Retry—Tries again to run the response |
| unblocking | Reverting | Reversion request is running | Stop—Cancels the revert action that is in progress |
| unblocked | Reverted | Revert request succeeded | Rerun—Runs the response again, undoing the revert action |
| timeout_unblocking | Reversion Timed Out | Revert action was initiated but did not occur within approximately 5 minutes, so it timed out | Retry—Tries again to revert the response |
| unblock_fail | Reversion Failed | Revert request failed for a reason other than timing out | Retry—Tries again to revert the response |
| wait | Action Pending | A pending action must complete before another action can be requested. For example, if you stop a response, you cannot perform another action until the stop action completes. | Not applicable because an action is already pending |
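As an added example (not Alert Logic's code), the table above encoded as a small state machine in Python: it maps each internal state to its console status and the single action the Action column offers, rejects any other action, and audits constructed sample history rows for failed, timed-out, or stuck runs. The RunRecord field names, the next-state mapping after each action, and the 5-minute window are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Internal state -> (status shown in the console, action in the Action column), per the table above.
STATES = {
    "blocking":           ("Running",             "Stop"),
    "blocked":            ("Succeeded",           "Revert"),
    "timeout_blocking":   ("Response Timed Out",  "Retry"),
    "block_fail":         ("Failed",              "Retry"),
    "unblocking":         ("Reverting",           "Stop"),
    "unblocked":          ("Reverted",            "Rerun"),
    "timeout_unblocking": ("Reversion Timed Out", "Retry"),
    "unblock_fail":       ("Reversion Failed",    "Retry"),
    "wait":               ("Action Pending",      None),
}
TIMEOUT = timedelta(minutes=5)  # assumed window: "approximately 5 minutes" per the page
# Assumed next state after an action; the page only says what each action does.
NEXT_STATE = {"Stop": "wait", "Revert": "unblocking", "Rerun": "blocking"}
FAILED = ("timeout_blocking", "block_fail", "timeout_unblocking", "unblock_fail")

@dataclass
class RunRecord:  # one run-history row; field names are assumed, not Alert Logic's
    response_id: str
    internal_state: str
    started: datetime
    ended: Optional[datetime] = None

def action_allowed(rec: RunRecord, action: str) -> bool:
    return STATES[rec.internal_state][1] == action  # 'wait' offers no action at all

def request_action(rec: RunRecord, action: str) -> str:
    """Validate an operator action and return the assumed next internal state."""
    if not action_allowed(rec, action):
        raise ValueError(f"{rec.response_id}: {action!r} not available in {rec.internal_state!r}")
    if action == "Retry":  # Retry re-runs whichever phase (block or revert) failed
        return "blocking" if rec.internal_state in FAILED[:2] else "unblocking"
    return NEXT_STATE[action]

def is_overdue(rec: RunRecord, now: datetime) -> bool:
    # Still running past the window but not yet marked timed out by the platform.
    return rec.ended is None and rec.internal_state in ("blocking", "unblocking") \
        and now - rec.started > TIMEOUT

NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed sample rows follow
SAMPLE = [RunRecord("run-1", "blocking", NOW - timedelta(minutes=7)),
          RunRecord("run-2", "blocked", NOW - timedelta(minutes=20), NOW - timedelta(minutes=19)),
          RunRecord("run-3", "block_fail", NOW - timedelta(minutes=30), NOW - timedelta(minutes=29)),
          RunRecord("run-4", "wait", NOW - timedelta(minutes=1))]

def needs_attention(records=SAMPLE, now=NOW) -> list:
    """Audit pass over the history: ids of rows that failed, timed out, or look stuck."""
    return [r.response_id for r in records if r.internal_state in FAILED or is_overdue(r, now)]
```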
If you want your simple response to exclude specific users, IP addresses, or hosts, you can define them in exclusion lists. Then, when you set up your simple response, you can choose one or more of the lists to exclude the items from your automation.
For more information, see Exclusions.
The Approvals page lists all simple responses that require approval and their approval status. On this page, you can view and manage approval requests that are pending. You can see which responses are waiting for a human response to an approval request sent to an email address and pushed to the Alert Logic Mobile App. You can take action directly from the page to respond to pending requests. Users with roles that grant permission to make changes to an account are allowed to approve responses in that account.