
Incident Response

LogSentinel SIEM has several distinct incident response capabilities:

  • Agent-based incident response
  • Incident response automation
  • Incident management

Incident response automation

From LogSentinel SIEM you can use one of several options for automation:

  • Built-in straightforward sequence of steps
  • Python scripts - execute custom Python scripts that are given the alert context
  • SSH-based response - execute a custom command on the target host(s) over SSH
  • Ansible playbooks - you can utilize the full power of Ansible by triggering a playbook when an alert is triggered
  • IFTTT and Zapier integration - we can invoke IFTTT applets and Zapier zaps, thus leveraging the ease of use of these automation technologies for incident reporting and incident management

Agent-based incident response

Using our OSSEC-based LogSentinel Agent allows for the following actions to be performed remotely on each machine, as a result of a detected incident:

  • block an IP address in the local firewall - allows you to "kick" a malicious actor out based on their IP
  • kill a malicious process - if a process is identified as malicious, it can be killed remotely
  • shutdown - shutdown the machine to stop the spread of malware, until further information is obtained
  • disable a user account - disallow a compromised user account to perform further actions
  • any custom script - you can define any OS-specific script to be executed
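As an added example of what a custom response script given the alert context (the "Python scripts" option above) might do before handing actions to the agent, here is a small planner that maps a detection rule to the agent actions listed above (block an IP, kill a process) and refuses to block addresses in protected internal ranges. This is not LogSentinel's code; the alert-context field names, the rule names and the action names are assumptions made for illustration.

```python
import ipaddress
import json

# Constructed sample alert context. The field names are an assumption made
# for this example; consult the product documentation for the real schema.
SAMPLE_ALERT = json.dumps({
    "alert_id": "example-0001",
    "rule": "ssh-bruteforce",
    "source_ip": "203.0.113.45",
    "target_host": "web-01",
    "process_id": None,
})

# Which agent actions each detection rule is allowed to trigger. Keeping this
# as data means a new rule cannot trigger an action nobody has reviewed.
RULE_PLAYBOOK = {
    "ssh-bruteforce": ["block_ip"],
    "malicious-process": ["kill_process", "block_ip"],
}

# Guardrail: never let automation block addresses inside these ranges,
# so a noisy internal scanner cannot cut the SIEM off from its own hosts.
PROTECTED_NETWORKS = [ipaddress.ip_network(n) for n in
                      ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def plan_actions(alert_json: str) -> list[dict]:
    # Turn one alert context into a list of agent actions (or recorded skips).
    alert = json.loads(alert_json)
    host = alert.get("target_host")
    planned = []
    for action in RULE_PLAYBOOK.get(alert.get("rule"), []):
        if action == "block_ip":
            try:
                ip = ipaddress.ip_address(alert.get("source_ip", ""))
            except ValueError:
                planned.append({"action": action, "skipped": "no valid source_ip"})
                continue
            if any(ip in net for net in PROTECTED_NETWORKS):
                planned.append({"action": action, "skipped": f"{ip} is in a protected range"})
                continue
            planned.append({"action": action, "host": host, "ip": str(ip)})
        elif action == "kill_process":
            pid = alert.get("process_id")
            if pid is None:
                planned.append({"action": action, "skipped": "no process_id in alert"})
            else:
                planned.append({"action": action, "host": host, "pid": int(pid)})
    return planned
```

Each returned dict is what a script would pass on to the agent (or log in a dry run); skipped entries keep an audit trail of why automation declined to act.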

Incident management

LogSentinel SIEM has simple functionality for classifying security events as incidents and tracking the progress of their remediation, including opening tickets and attaching relevant information. You can check the documentation here.

We support integration with most ticketing systems (through IFTTT and Zapier).