
Incident Response

LogSentinel SIEM has several distinct incident response capabilities:

  • Agent-based incident response
  • Incident response automation
  • Incident management

Built-in incident response activities

LogSentinel SIEM performs the following enrichment actions automatically when an alert is fired, with no extra steps or configuration needed. The results can then be reviewed on the alert triage page.

  • WHOIS lookup for every IP address and domain in the alert
  • Reverse DNS query for IP addresses
  • IP and domain reputation score extraction
  • VirusTotal hash match
  • Extraction of the abuse contact for the external IP/domain

Incident response automation

From LogSentinel SIEM you can use one or more of the following options for automation:

  • Built-in response - a straightforward, predefined sequence of steps
  • Python scripts - execute custom Python scripts that are given the alert context
  • SSH-based response - execute a custom command on the target host(s) over SSH
  • Ansible playbooks - utilize the full power of Ansible by triggering a playbook when an alert is fired
  • IFTTT and Zapier integration - invoke IFTTT applets and Zapier zaps, leveraging the ease of use of these automation platforms for incident reporting and incident management
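The Python-script option above only says that the script receives "the alert context"; what the script does with it is up to you. The following is an added example, not LogSentinel's own code, of the guard rails a practitioner would want in such a script before it hands a "block this IP" action to an SSH command, an Ansible playbook or the agent: it refuses to block internal or allowlisted addresses, only acts on high-severity alerts, de-duplicates and caps the number of blocks per alert, and shell-quotes the address before rendering the command. The alert JSON field names, the network ranges and the iptables command are all assumptions for the example.

```python
"""Decide which block actions a fired alert should trigger.

Added example, not LogSentinel code. The alert-context shape, the network
ranges and the executor command are assumptions; the page documents only
that Python scripts receive "the alert context".
"""
import ipaddress
import json
import shlex

# Ranges an automated response must never block (assumed for this example):
# the organisation's own address space plus loopback and link-local.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fe80::/10", "fc00::/7",
)]
# Trusted external ranges, e.g. a vulnerability scanner or VPN egress (assumed).
ALLOWLIST = [ipaddress.ip_network("198.51.100.0/24")]
# Severities that may trigger blocking without a human in the loop (assumed).
AUTO_BLOCK_SEVERITIES = {"high", "critical"}
# Cap on automatic blocks per alert, so one noisy rule cannot mass-block.
MAX_BLOCKS_PER_ALERT = 10


def block_decision(ip_str):
    """Return (blockable, reason) for one address string taken from the alert."""
    try:
        ip = ipaddress.ip_address(ip_str.strip())
    except ValueError:
        return False, "not an IP address"
    if any(ip in net for net in INTERNAL_NETWORKS):
        return False, "internal address"
    if any(ip in net for net in ALLOWLIST):
        return False, "allowlisted"
    return True, "ok"


def plan_response(alert_json):
    """Turn an alert context (JSON text) into a list of block actions.

    Returns (actions, skipped): actions are dicts an executor can run,
    skipped maps each untouched IP string to the reason it was left alone.
    """
    alert = json.loads(alert_json)
    source_ips = alert.get("source_ips", [])
    actions, skipped = [], {}
    if alert.get("severity", "").lower() not in AUTO_BLOCK_SEVERITIES:
        # Lower-severity alerts are enriched and ticketed, never auto-blocked.
        return actions, {ip: "severity below auto-block threshold" for ip in source_ips}
    for ip in dict.fromkeys(source_ips):  # de-duplicate while keeping order
        ok, reason = block_decision(ip)
        if not ok:
            skipped[ip] = reason
        elif len(actions) >= MAX_BLOCKS_PER_ALERT:
            skipped[ip] = "per-alert block cap reached"
        else:
            actions.append({"action": "block_ip", "ip": ip,
                            "hosts": list(alert.get("target_hosts", []))})
    return actions, skipped


def to_shell_command(action):
    """Render one block action as the command the SSH option would run.

    The iptables/ip6tables rule is an assumed executor; the agent's built-in
    firewall block or an Ansible task could carry out the same action.
    """
    ip = ipaddress.ip_address(action["ip"])
    tool = "ip6tables" if ip.version == 6 else "iptables"
    # shlex.quote guards against a crafted "IP" string reaching the shell,
    # even though block_decision already rejected anything that is not an IP.
    return f"{tool} -I INPUT -s {shlex.quote(str(ip))} -j DROP"


# Constructed sample alert context; the field names are an assumption.
SAMPLE_ALERT = json.dumps({
    "alert_id": "example-1",
    "rule": "SSH brute force",
    "severity": "high",
    "source_ips": ["203.0.113.45", "10.0.0.7", "198.51.100.9",
                   "203.0.113.45", "not-an-ip", "2001:db8::10"],
    "target_hosts": ["web-01", "web-02"],
})

if __name__ == "__main__":
    planned, left = plan_response(SAMPLE_ALERT)
    for act in planned:
        print(act["hosts"], to_shell_command(act))
    for ip, why in left.items():
        print("skipped", ip, why)
```

Whatever executor finally applies the rule, give the block an expiry (or a scheduled cleanup) and log every decision, including the skipped addresses and their reasons, back into the SIEM so the triage page shows what the automation did and why.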

Agent-based incident response

Our OSSEC-based LogSentinel Agent allows the following actions to be performed remotely on each machine in response to a detected incident:

  • block an IP address in the local firewall - "kick" a malicious actor out based on their IP
  • kill a malicious process - if a process is identified as malicious, it can be killed remotely
  • shut down - shut the machine down to stop the spread of malware until further information is obtained
  • disable a user account - prevent a compromised user account from performing further actions
  • any custom script - define any OS-specific script to be executed

Incident management

LogSentinel SIEM has simple functionality for classifying security events as incidents and tracking the progress of their remediation, including opening tickets and attaching relevant information. You can check the documentation here.

We support integration with most ticketing systems (through IFTTT and Zapier).