Automated Incident Response - Playbooks
Andreson Martinato Souto
"Creating rules with actions in automatic playbooks which, in addition to taking actions within the EDR itself, may also, if necessary, integrate via API with other devices. For example: taking action when the EDR identifies something malicious, such as terminating the process, deleting the file, or cleaning up persistence."
ilgaz
Hi Andreson Martinato Souto, could you please share an example use case? I want to fully understand your requirement so I can provide you the best solution possible.
Andreson Martinato Souto
Dear ilgaz
By integrating the ability to create rules with actions in automatic playbooks and enabling API integration with other devices, we can significantly expand the scope of automated responses. For instance:
Firewall Action:
Automate firewall updates to block traffic related to the IP address associated with the malicious process.
SIEM Alert:
Automatically send a detailed alert to the SIEM, providing crucial information about the detected activity.
Machine Isolation:
Integrate with network isolation systems to isolate the affected machine from the rest of the network until further analysis is conducted.
Email or Messaging Notification:
Configure immediate notifications to the security team via email or instant messages, keeping them informed in real-time.
When dealing with any malicious process, we would have the flexibility to choose whether the machine is isolated, whether the process is terminated, or even to send a trigger via API to a decision-making script or device change.
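The flow described in the post above (contain on the endpoint, block the remote IP on the firewall, alert the SIEM, isolate the host, notify the team, or hand off to a decision script via API), as an added example that is not part of the original thread and not any vendor's playbook code. The event fields, the `NEVER_ISOLATE` host list, the `NO_BLOCK` address ranges and the connector names are assumptions; each connector just records the API call it would make so the whole thing runs offline.

```python
"""Minimal automated-response playbook for one EDR detection event."""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample detection (field names are assumptions, not a vendor schema).
SAMPLE_EVENT = {
    "hostname": "WS-FIN-042",
    "process": "C:\\Users\\bob\\AppData\\Local\\Temp\\svch0st.exe",
    "sha256": "ab" * 32,
    "remote_ip": "203.0.113.45",
    "severity": "high",
    "tactic": "command-and-control",
}

# Hosts that must never be auto-isolated (assumption: maintained by the SOC).
NEVER_ISOLATE = {"DC01", "DC02", "EDR-MGMT"}

# Address ranges an automated rule must never push to the firewall: an EDR event
# pointing at an internal address would otherwise knock out your own services.
NO_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "0.0.0.0/8",
    "fc00::/7", "::1/128", "fe80::/10", "ff00::/8")]


@dataclass
class Connectors:
    """Fake API connectors: each call is appended to `calls` instead of sent."""
    calls: list = field(default_factory=list)

    def edr_kill(self, host, proc):
        self.calls.append(("edr", "kill", host, proc))

    def nac_isolate(self, host):
        self.calls.append(("nac", "isolate", host))

    def firewall_block(self, ip):
        self.calls.append(("firewall", "block", ip))

    def siem_alert(self, cef):
        self.calls.append(("siem", "alert", cef))

    def notify(self, text):
        self.calls.append(("chat", "notify", text))

    def webhook(self, payload):
        self.calls.append(("webhook", "trigger", payload))


def blockable(ip):
    """True only for addresses that are safe to hand to the firewall."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False          # garbage in the event must not become a rule
    return not any(addr in net for net in NO_BLOCK)


def to_cef(ev):
    """Render the detection as a CEF line; backslashes and '=' are escaped."""
    def esc(v):
        return str(v).replace("\\", "\\\\").replace("=", "\\=")
    sev = {"low": 3, "medium": 5, "high": 8, "critical": 10}[ev["severity"]]
    ext = " ".join(f"{k}={esc(v)}" for k, v in (
        ("shost", ev["hostname"]), ("fname", ev["process"]),
        ("fileHash", ev["sha256"]), ("dst", ev["remote_ip"])))
    return f"CEF:0|ExampleEDR|Playbook|1.0|{ev['tactic']}|Malicious process|{sev}|{ext}"


def run_playbook(ev, c):
    """Decide isolate-vs-terminate, then fan out; returns the actions taken."""
    actions = []
    if ev["severity"] in ("high", "critical") and ev["hostname"] not in NEVER_ISOLATE:
        c.nac_isolate(ev["hostname"])           # full containment
        actions.append("isolate")
    else:
        c.edr_kill(ev["hostname"], ev["process"])  # least-disruptive containment
        actions.append("terminate")
    if blockable(ev["remote_ip"]):
        c.firewall_block(ev["remote_ip"])
        actions.append("firewall")
    c.siem_alert(to_cef(ev))
    actions.append("siem")
    c.notify(f"[{ev['severity'].upper()}] {ev['hostname']}: {ev['process']} "
             f"-> {ev['remote_ip']} ({', '.join(actions)})")
    actions.append("notify")
    if "isolate" not in actions:
        # Not auto-isolated: hand off to an external decision script via API.
        c.webhook({"host": ev["hostname"], "sha256": ev["sha256"], "needs_review": True})
        actions.append("webhook")
    return actions


if __name__ == "__main__":
    conn = Connectors()
    print(run_playbook(SAMPLE_EVENT, conn))
    for call in conn.calls:
        print(call)
```

The two guard lists are where most real deployments get burned: an isolation rule that fires on a domain controller, or a firewall rule built from an internal IP, does more damage than the malware. Keep them as data the SOC maintains rather than logic buried in the playbook.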
ilgaz
Andreson Martinato Souto, thank you very much for the detailed information. This will allow us to divide and conquer each requirement to provide faster deliverables. We will analyze these in detail and get back to you with a proper timeline.
CyberStrategy1
ilgaz how is this coming along?