Incident Response
LogSentinel SIEM has several distinct incident response capabilities:
- Agent-based incident response
- Incident response automation
- Incident management
Built-in incident response activities
LogSentinel SIEM performs the following actions automatically when an alert is fired, with no extra steps or configuration needed. The results can then be reviewed in the alert triage page.
- IP and domain WHOIS on all IPs and domains in the alert
- Reverse DNS query for IPs
- IP and domain reputation score extraction
- VirusTotal hash match
- Extraction of abuse content for the external IP/domain
Incident response automation
From LogSentinel SIEM you can use one of several options for automation:
- Built-in straightforward sequence of steps
- Python scripts - execute custom Python scripts that are given the alert context
- SSH-based response - execute a custom command on the target host(s) over SSH
- Ansible playbooks - you can utilize the full power of Ansible by triggering a playbook when an alert is fired
- IFTTT and Zapier integration - we can invoke IFTTT applets and Zapier zaps, thus leveraging the ease of use of these automation technologies for incident reporting and incident management
Agent-based incident response
Using our OSSEC-based LogSentinel Agent allows the following actions to be performed remotely on each machine in response to a detected incident:
- block an IP address in the local firewall - allows you to "kick" a malicious actor out based on their IP
- kill a malicious process - if a process is identified as malicious, it can be killed remotely
- shutdown - shut down the machine to stop the spread of malware until further information is obtained
- disable a user account - prevent a compromised user account from performing further actions
- any custom script - you can define any OS-specific script to be executed
Incident management
LogSentinel SIEM has simple functionality for classifying security events as incidents and tracking the progress of their remediation, including opening tickets and attaching relevant information. You can check the documentation here.
We support integration with most ticketing systems (through IFTTT and Zapier).