
Incident Response

LogSentinel SIEM has several distinct incident response capabilities:

  • Agent-based incident response
  • Incident response automation
  • Incident management

Agent-based incident response

The OSSEC-based LogSentinel Agent can execute the following active responses remotely on each monitored machine when an incident is detected:

  • block an IP address in the local firewall - "kick" a malicious actor out based on the source IP of their activity
  • kill a malicious process - a process identified as malicious can be terminated remotely
  • shutdown - shut down the machine to stop the spread of malware until further information is obtained
  • disable a user account - prevent a compromised account from performing further actions
  • any custom script - you can define any OS-specific script to be executed
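The "block an IP address" and "any custom script" actions above are implemented in OSSEC as active-response scripts that the agent runs with the alert's data as arguments. The script below is an added example written for this page; it is not LogSentinel's or OSSEC's own firewall-drop script. It assumes the OSSEC calling convention (action, user, source IP as positional arguments), a hypothetical management allowlist of 10.0.0.1 and 10.0.0.2, and an iptables-based host firewall. The point it makes is the one a practitioner should care about: the source IP comes straight out of the attacker's log line, so it is untrusted input that must be validated before it reaches a shell command, and the responder must never block the addresses the SIEM itself uses to reach the agent.

```shell
#!/bin/sh
# Hypothetical OSSEC-style active-response script (added example; not LogSentinel's
# or OSSEC's own firewall-drop script). OSSEC calls active-response scripts as
#   <script> <add|delete> <user> <srcip>
# The srcip is copied out of the attacker's log line, so it is untrusted input:
# validate it before it reaches a shell command, and never block the hosts the
# SIEM itself needs to reach the agent.

# Assumed management addresses that must never be blocked.
ALLOWLIST="10.0.0.1 10.0.0.2"

# Return 0 if $1 is a well-formed dotted-quad IPv4 address, 1 otherwise.
is_ipv4() {
    ip=$1
    case "$ip" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # only digits and dots, no empty octet
    esac
    old_ifs=$IFS; IFS=.
    set -- $ip                               # split into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the firewall command for the requested action; print nothing and
# return 1 if the address is malformed or allowlisted, or the action is unknown.
build_block_cmd() {
    action=$1; target=$2
    is_ipv4 "$target" || { echo "refusing: invalid srcip '$target'" >&2; return 1; }
    for safe in $ALLOWLIST; do
        [ "$target" = "$safe" ] && { echo "refusing: $target is allowlisted" >&2; return 1; }
    done
    case "$action" in
        add)    echo "iptables -I INPUT -s $target -j DROP" ;;
        delete) echo "iptables -D INPUT -s $target -j DROP" ;;
        *)      echo "refusing: unknown action '$action'" >&2; return 1 ;;
    esac
}

# Entry point in the OSSEC argument order: $1=action $2=user $3=srcip.
# Set DRY_RUN=1 to print the command instead of running it (running needs root).
main() {
    cmd=$(build_block_cmd "$1" "$3") || exit 1
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$cmd"
    else
        $cmd
    fi
}

# Run only when called with arguments, e.g.:
#   DRY_RUN=1 ./block-ip.sh add - 203.0.113.7
if [ $# -gt 0 ]; then
    main "$@"
fi
```

The validation deliberately runs before anything is interpolated into a command, so an injected value such as `203.0.113.7;id` is rejected rather than executed, and the allowlist check stops an attacker who spoofs or relays through a management address from turning the responder into a self-inflicted denial of service. The same shape (validate, allowlist, then act) applies to the kill-process and disable-account actions.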

Incident response automation

From LogSentinel SIEM you can use one of several options for automation:

  • built-in straightforward sequence of steps
  • SOAR integration - we support integration with Swimlane, Siemplify and Cortex XSOAR (formerly Demisto)
  • Ansible playbooks - you can utilize the full power of Ansible by triggering a playbook whenever an alert fires
  • IFTTT and Zapier integration - we can invoke IFTTT applets and Zapier zaps, leveraging the ease of use of these automation tools for incident reporting and incident management
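As an illustration of the Ansible option above, the playbook below is an added example, not a playbook shipped by LogSentinel. It assumes that the alert trigger runs `ansible-playbook` with the alert's fields passed as extra-vars named `target_host`, `src_ip` and `suspect_user` (these names are assumptions; the actual variable names depend on how the trigger is configured) and that the target is a Linux host with iptables. It performs the same containment steps the agent-based responses offer (block the source IP, lock the account, kill its processes), and refuses to act on a malformed or allowlisted address before touching the host.

```yaml
# Added example playbook (not LogSentinel's own). Assumed invocation from the alert trigger:
#   ansible-playbook contain-host.yml -e "target_host=web01 src_ip=203.0.113.7 suspect_user=bob"
- name: Contain a compromised host after a SIEM alert
  hosts: "{{ target_host }}"
  become: true
  vars:
    # Assumed SIEM / admin addresses that must never be blocked
    allowlist: ["10.0.0.1", "10.0.0.2"]
  tasks:
    - name: Refuse to act on a malformed or allowlisted source IP
      ansible.builtin.assert:
        that:
          - 'src_ip is match("^([0-9]{1,3}\.){3}[0-9]{1,3}$")'
          - src_ip not in allowlist
        fail_msg: "Refusing to block {{ src_ip }}"

    - name: Block the attacker's IP in the local firewall
      ansible.builtin.iptables:
        chain: INPUT
        source: "{{ src_ip }}"
        jump: DROP
        action: insert

    - name: Lock the suspect account (kept on disk for forensics, not deleted)
      ansible.builtin.user:
        name: "{{ suspect_user }}"
        password_lock: true
      when: suspect_user is defined

    - name: Kill any processes still running as the suspect user
      ansible.builtin.command: pkill -KILL -u "{{ suspect_user }}"
      register: pkill_result
      failed_when: pkill_result.rc not in [0, 1]   # rc 1 means no matching process
      when: suspect_user is defined

    - name: Record what was done, for the incident ticket
      ansible.builtin.debug:
        msg: "Blocked {{ src_ip }} and locked {{ suspect_user | default('no user') }} on {{ inventory_hostname }}"
```

Locking the account rather than deleting it preserves the home directory and shell history for the investigation, and the final task's message is what you would attach to the incident record described in the next section.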

Incident management

LogSentinel SIEM has simple functionality for classifying security events as incidents and tracking the progress of their remediation, including opening tickets and attaching relevant information.

We support integration with most ticketing systems (either directly or through IFTTT and Zapier).