Notifying and Collaborating with LogRhythm SmartResponse Automation

Investigate a threat quicker with automation

When a threat emerges in your environment, you need to investigate it as soon as possible to keep it from incurring damage. For that to happen, you need to be notified that it exists in the first place.

A typical security information and event management (SIEM) platform has a number of built-in methods to notify users of alarming events. Some SIEMs use email notifications, while others might rely on text. No matter the method, the faster your team is notified of a threat, the faster the issue can be triaged and resolved. And the best way to rapidly receive information is to make sure the tool you use most alerts you.

If a SIEM sends a security operations center (SOC) analyst an email notification, but that analyst doesn’t use email regularly, that notification is not doing its job. You don’t simply want your users to be notified of events; you want them to be notified of an event and armed with as much information as possible, so they can quickly make a decision and act accordingly.

Today’s security teams are becoming more agile when it comes to communication. They are quick to adopt new technologies and tools for collaboration, such as Twilio, Slack, or PagerDuty. A SIEM solution should be just as agile as the teams managing it and should keep pace with emerging technologies. So, if you prefer to use Slack for workplace communication, it is ideal that your SIEM would also communicate via Slack. That’s where security orchestration, automation, and response (SOAR) can help.

Using SmartResponse Automation to Notify the Right Stakeholders

With LogRhythm RespondX, you can use SmartResponse automation to automate steps in your workflow and save time wherever possible. SmartResponse actions can be largely categorized into three groups based on the function they automate: notification and collaboration, gathering contextual information, and remediation.

Notification and collaboration SmartResponse actions alert the right people about an incident and give them enough information to immediately determine the priority of the potential incident and begin an investigation, if warranted. You can set up SmartResponse actions to automatically notify your security team or other stakeholders of an incident on their preferred channel for communication, so they can jump into action the moment it crosses their screens.

What’s the result? A reduced mean time to detect and mean time to respond to a threat or incident.

Let’s take a closer look at how a notification and collaboration SmartResponse automation can help you mitigate a phishing attack faster.

Automating Notification and Collaboration of a Phishing Attack

Most organizations deal with constant phishing attacks. Understandably, you don’t want a notification for each phishing email. If you are getting one, you’re likely spending more time dealing with notifications than dealing with security.

When does a phishing email warrant a notification? That’s up to your discretion. You can opt to have different criteria that, when satisfied, would trigger a notification. You might choose to be notified when someone opens an attachment on a suspicious email. Maybe you only want a notification when people open the email but fail to report it. Or maybe you require links in the email to be checked against known malicious links in VirusTotal and you choose to be notified when links receive a certain score. In any case, the incident will have to meet some criteria to trigger an alarm, so you won’t be bombarded.

Suppose five employees receive a phishing email. Two employees report the email with LogRhythm Phishing Intelligence Engine (PIE) and three simply open it. This satisfies your criteria, and LogRhythm fires a phishing alarm via email, text, and your security team’s Slack channel. While you don’t always look at your phone or email, you tend to have Slack open at work, so you see the notification the moment it appears. And with this notification, you’ll have immediate access to all of the information you need to make an informed decision, such as affected users or hosts, other supporting information, and even the raw logs. With this detailed information, any member of your team can determine the alarm priority without logging into a separate interface.

What Happens Next After You Meet Your Phishing Alarm Criteria?

At this point you can use case management to kick off your investigation. Your case is included in your notification. It relays all the information you need regarding the incident, including details of the email itself, who received it, and who opened the email, but didn’t report it as phishing.

Because the phishing alert goes directly to the security teams’ channel, your whole team is notified of the incident and can collaborate on an appropriate response. You can divide and conquer this incident or work multiple incidents simultaneously.

You set the criteria. You choose what constitutes a notification and this notification comes to you in such a way that allows you and your team to work together — fast. You’re now in a position in which your team can move to gather contextual information around the alarm and remediate it to stop the threat before it can cause damage.

LogRhythm SmartResponse automation isn’t just a notification tool for security teams. For example, SmartResponse actions can also be configured to notify DevOps when an operational issue occurs.

Using SmartResponse to Alert to a DevOps Incident

Your DevOps team may be responsible for troubleshooting technical web issues. LogRhythm AI Engine can detect when you receive an abnormal volume of error messages from your web servers, and you can configure a SmartResponse action to fire and alert the team. When your website generates an alarming number of error messages, you’ll typically see one of two results: At best, this translates to an unpleasant experience for your end user, whether that person be internal or external. At worst, these errors could mean lost revenue. In either situation, you want your DevOps team to become aware of the problem and remedy it quickly.

Let’s say an employee pushes a change to your website and the volume of errors logged on that web server increases significantly. You dive into the error messages only to discover that there was a misconfiguration in the web change that was not caught in review and, as a result, your Request a Demo page is no longer working. Of course, this means that no one can schedule a demo via your website and your business experiences loss of revenue.

LogRhythm fires an alarm to your DevOps team’s Slack channel and alerts it to the uptick in error messages. You don’t have to wait for an employee or, worse, a customer to notice this issue. Your SIEM tracks your web data, baselines patterns, and notices troubling abnormalities for you.

Just as in a security use case, LogRhythm will automatically open a case to ensure your DevOps team has all of the information it needs to quickly resolve this issue.
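The error-volume detection described in this scenario can be illustrated with a simple per-minute baseline. The following is an added example, not LogRhythm AI Engine code: it parses constructed web server log lines, counts HTTP 5xx responses per minute, and flags any minute whose count exceeds the mean plus `k` standard deviations of the preceding clean minutes. The log format, the deployment timeline in the sample data, and the thresholds (`baseline_minutes`, `k`, `min_abs`) are assumptions chosen for the demonstration.

```python
"""Added example: a per-minute 5xx baseline over constructed web server logs.
Not LogRhythm's code; format, sample data and thresholds are assumptions."""
import re
import statistics

# Assumed log layout: "[YYYY-MM-DD HH:MM:SS] "METHOD PATH PROTO" STATUS".
LOG_LINE = re.compile(r'\[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def _lines(minute, ok, errors):
    """Build constructed log lines for one minute of traffic."""
    ts = f"2024-05-01 10:{minute:02d}:00"
    return ([f'[{ts}] "GET /demo HTTP/1.1" 200' for _ in range(ok)]
            + [f'[{ts}] "POST /request-demo HTTP/1.1" 500' for _ in range(errors)])


# Constructed data: ten quiet minutes, then a bad deploy breaks the
# "Request a Demo" form and 5xx responses jump for two minutes.
QUIET_ERRORS = [1, 0, 2, 1, 0, 1, 2, 0, 1, 1]
SAMPLE_LOGS = []
for _minute, _errs in enumerate(QUIET_ERRORS):
    SAMPLE_LOGS += _lines(_minute, 50, _errs)
SAMPLE_LOGS += _lines(10, 30, 40) + _lines(11, 28, 35)


def errors_per_minute(lines):
    """Count 5xx responses per minute bucket (key is 'YYYY-MM-DD HH:MM')."""
    counts = {}
    for line in lines:
        m = LOG_LINE.search(line)
        if not m:
            continue  # skip malformed lines instead of failing the whole run
        minute = m.group("ts")[:16]
        counts.setdefault(minute, 0)
        if m.group("status").startswith("5"):
            counts[minute] += 1
    return counts


def find_error_spikes(counts, baseline_minutes=10, k=3.0, min_abs=5):
    """Flag minutes whose 5xx count exceeds mean + k*stdev of the last
    `baseline_minutes` clean minutes. Flagged minutes are kept out of the
    baseline so a spike cannot raise the bar for the minute after it, and
    `min_abs` prevents alarms on tiny counts when the baseline is near zero
    (where the standard deviation is also near zero)."""
    spikes = []
    clean = []  # counts from minutes that were not flagged
    for minute in sorted(counts):
        value = counts[minute]
        if len(clean) >= baseline_minutes:
            window = clean[-baseline_minutes:]
            threshold = max(statistics.fmean(window) + k * statistics.pstdev(window), min_abs)
            if value > threshold:
                spikes.append((minute, value, round(threshold, 1)))
                continue  # do not let the spike pollute the baseline
        clean.append(value)
    return spikes


if __name__ == "__main__":
    for minute, value, threshold in find_error_spikes(errors_per_minute(SAMPLE_LOGS)):
        print(f"{minute}: {value} errors (threshold {threshold}) -> notify DevOps")
```

The choice to exclude flagged minutes from the trailing baseline is deliberate: with a plain sliding window the 40-error minute would lift the threshold above 40 for the next minute, and the second bad minute (35 errors) would go unreported.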

These notifications can be sent via your preferred channel — whether that is email, text, Slack, or an alternative form of communication. You can notify the users of your choosing that have the ability to take action. In this example, you can configure the website error alarm notification to be sent to your DevOps Slack channel.

LogRhythm’s automation behaves differently for the same integration, such as Slack. The automation can change depending on which alarm is triggered and which use case is in play. When the phishing rule fires, it notifies the security team, and when the website error volume rule fires, it notifies the operations team. You can get the right message in front of the right people — enabling them to get to work as quickly as possible.
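To make the two ideas concrete, the phishing criteria from the earlier section (opened-but-not-reported counts, a link reputation score) and the per-rule routing described just above can be sketched in a few dozen lines. The following is an added example and not LogRhythm's SmartResponse code: the event shape, the threshold values, the team and channel names, the case id placeholder, and the message payload layout are all constructed assumptions for illustration.

```python
"""Added example: alarm-criteria evaluation plus per-rule notification routing.
Not LogRhythm's code; events, thresholds, channels and payload are assumptions."""
import json

# Constructed PIE-style telemetry for one campaign: five recipients,
# two report the mail, three open it without reporting it.
PHISHING_EVENTS = [
    {"user": "alice", "action": "reported"},
    {"user": "bob",   "action": "reported"},
    {"user": "carol", "action": "opened"},
    {"user": "dave",  "action": "opened"},
    {"user": "erin",  "action": "opened"},
]

# One integration (Slack), a different destination per rule. Assumed names.
ROUTES = {
    "phishing_opened_not_reported": {"team": "security", "channel": "#soc-alerts"},
    "web_error_volume":             {"team": "devops",   "channel": "#devops-alerts"},
}


def summarize_phishing(events):
    """Who received the mail, who reported it, and who opened it without reporting."""
    received = sorted({e["user"] for e in events})
    reported = {e["user"] for e in events if e["action"] == "reported"}
    opened = {e["user"] for e in events if e["action"] == "opened"}
    return {
        "received": received,
        "reported": sorted(reported),
        "opened_unreported": sorted(opened - reported),  # a reporter who also opened is excused
    }


def phishing_criteria_met(summary, min_opened_unreported=3, link_score=None, min_link_score=5):
    """The alarm fires when enough users opened without reporting, or when a link
    in the mail scored at or above min_link_score on a reputation lookup. The
    score is passed in by the caller; the lookup itself is out of scope here."""
    if len(summary["opened_unreported"]) >= min_opened_unreported:
        return True
    return link_score is not None and link_score >= min_link_score


def route_alarm(rule, summary_text, details, raw_logs, case_id):
    """Pick the team and channel for this rule and build a single message that
    carries the case reference, the details and the raw logs, so whoever reads
    it can set a priority without opening another console."""
    if rule not in ROUTES:
        raise KeyError(f"no notification route configured for rule {rule!r}")
    route = ROUTES[rule]
    payload = {
        "channel": route["channel"],
        "text": f"[{rule}] {summary_text} (case {case_id})",
        "details": details,
        "raw_logs": raw_logs,
    }
    return route["team"], payload


if __name__ == "__main__":
    summary = summarize_phishing(PHISHING_EVENTS)
    if phishing_criteria_met(summary):
        n = len(summary["opened_unreported"])
        team, message = route_alarm(
            "phishing_opened_not_reported",
            f"{n} users opened a phishing mail without reporting it",
            summary, PHISHING_EVENTS, case_id="CASE-PLACEHOLDER")
        print(team, json.dumps(message, indent=2))
```

Sending the payload to a webhook is deliberately left out; the point is that the routing table, not the integration, decides who is notified, and that the message already carries everything needed to triage.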

Working Faster to Protect the Business

When your security team is rapidly notified of a phishing incident, you can avoid loss of mission-critical data or systems by stopping the threat before damage occurs. On the other hand, when your DevOps team is rapidly notified of a web issue, you can avoid loss of revenue or mitigate a potential business impact. All of these notifications are more effective when they come in via your preferred method of communication.

Start Utilizing SmartResponse Automation Today

SmartResponse actions are available on the LogRhythm Community now. At LogRhythm, we build this content so that you can put it in place and start taking advantage of automation. You can create or customize actions to ensure they fit your specific needs. Check out our library of prewritten SmartResponse actions today.