Getting Started with Respond
Respond helps security teams manage the triage, investigation, and actioning of incidents within an automated, tiered, or escalated response workflow, with cyber fusion-powered collaboration across your internal security teams for a 360-degree response.
The following illustration shows the overall threat management workflow in Respond.
Onboard Threat
When an organization encounters a security threat, Respond helps security analysts onboard threats for the triage, investigation, and eradication of the threat. Respond seamlessly integrates with security orchestration tools using OpenAPI to help ingest threats from other security tools, such as SIEM, TIP, EDR, firewalls, and more.
Threat Analysis
Security threats seldom occur in isolation and involve multiple points of attack. To effectively respond to a threat, it is important to bring together the attack points to draw contextual information about the origin, trajectory, and root cause of the threat. The Connect the Dots and Threat Intel features help security analysts collect contextual information and enrich threat intel to identify the root cause of a threat.
Collect Contextual Information
Connect the Dots helps security analysts collect contextual information about a threat by bringing together all the modules related to the threat, such as vulnerabilities, threat actors, malware, devices, users, applications, related incidents, campaigns, and more, to provide you with a holistic view of the threat landscape.
Enrich Threat Intel
Threat Intel helps security analysts enrich the threat intel related to a threat by connecting Indicators of Compromise (IOCs), such as IP addresses, domains, URLs, and hashes, with an incident.
Threat Response
After identifying the root cause of a threat, create appropriate actions and assign them to security analysts to respond to the threat. You can automate incident response using security orchestration tools such as Orchestrate. Orchestrate provides out-of-the-box Playbooks to retrieve indicator details and respond to incidents automatically. After successfully responding to a threat, enter all mandatory fields of the incident and close all associated actions to close the incident.
Post Threat Response Activity
Based on the learnings from the threat response, take necessary measures to prevent similar threats in the future. Respond enables you to take the following preventive measures:
Create knowledge base articles and associate them with the incident to enable security teams to quickly respond to similar incidents.
Create threat briefings to keep the security team members updated about the attack tactics.
Create enhancements to update the security framework of the organization to prevent similar incidents.
Generate reports to keep the SOC managers, incident managers, and other stakeholders updated about the incidents.
Monitor the dashboards to identify attack patterns and take necessary preventive measures.
Learn about the administrative features in Respond that you use to manage the key configurations, onboard users, and enable users to get started with the application.
Basic Configurations
This section highlights the necessary configurations that you must perform to get started. You can also review and configure other platform-specific settings as required. For more information, see Other Configurations.
Step 1: Authenticate users to sign in to the application by configuring your preferred authentication method: LDAP, Username-Password, SAML, or Google Sign-In.
Step 2: Configure an email server to send out communication emails from the application.
Step 3: Configure a proxy server to prevent direct access to the internet or public cloud applications.
Step 4: Configure the key parameters, such as locations, business units, sources, OS types, manufacturers, and labels. The key parameters are required to add users, create incidents, add assets, and categorize modules.
Step 5: Configure user groups to define Role-Based Access Control (RBAC) of the features and add users to the application.
Step 6: Define the permissions and criteria to close, reopen, and merge incidents. You can also configure cost tracking and pause SLA preferences for incidents.
Other Configurations
Configure the settings that impact the management of incidents, such as incident workflows, Service Level Agreements (SLAs), templates, and other incident settings.
Configure the settings that impact the management of actions, such as the form to create actions, Service Level Agreements (SLAs), templates, and other action settings.
Configure the unique fields for each Assets module, such as Devices, Users, Applications, and Software, to ensure data integrity and remove duplicate data during bulk import of the assets.
Configure the forms for each module to enable users to provide the required data while creating entries.
Generate OpenAPI credentials to integrate Respond with other applications and access the features using the REST API protocol.
Integrate Orchestrate, Intel Exchange, Slack, and Google Maps to enable users to effectively manage incidents.
Configure the rules to run Orchestrate Playbooks in incidents automatically.
Configure rosters to organize shift rotations and shift duration schedules of the users.
Create tenants from the parent instance to enable peers, clients, and vendors to utilize the advanced threat response and automation capabilities of Respond independently.
Customize the HTML email template to notify the stakeholders about key updates in incidents, actions, user authentication, and more.
View and track the status of all the services run by the application.
View all the user activities and API request logs in one place.
Configure the general settings of the application, such as the logo, general user account settings, Google reCAPTCHA, tenant settings, email settings, cost configuration, and local timezone settings.
View your license details, such as license key, expiry date, tenant name, tenant code, and the application version. You can also view the alert components that display the usage of user accounts.