PLUS and PRO AgileBlue subscribers can leverage the power of AgileBlue's opt-in autonomous response capabilities to ensure threats are contained as soon as they are identified.
Overview
- Autonomous Response can be enabled or disabled by PLUS or PRO subscribers directly from their Alert Playbook page at any time
- Devices can be tagged into four categories depending on the level of autonomous response desired – manual response, task list only, isolation only, or full response – making the feature fully customizable
- Depending on the level of response selected, the actions will kick off as soon as a related case is marked as Malicious in the AgileBlue portal
- The available autonomous response actions include host isolation, disabling of local AD accounts, and blocking malicious IP addresses at the endpoint level
Response Tag Definitions
- Response - Manual Response: Devices with this tag will not receive any autonomous response actions, but are still eligible for manual response by users or the AgileBlue SOC Analyst team
- Response - Task List Only: This category will allow all Response Task List actions to occur on a device as soon as a related case is marked as malicious, but the device will not be isolated from the network
- Response - Isolate Only: If tagged for Isolation Only, devices will be isolated from the network as soon as a related case is marked as malicious, but the Response Task List actions will not execute
- Response - Full Response: All response task list actions will execute and the device will be isolated from the network as soon as a related case is marked as malicious
Enabling Autonomous Response
- Log in to the AgileBlue SecOps Platform
- In the navigation bar, select Settings then Alert Playbook
- Under Sapphire Insights - Autonomous Response, toggle the option on the right-hand side to On
- Once completed, you will be able to view the four response categories listed above to see which devices are tagged for each section
- NOTE: When first enabling Autonomous Response, all devices will default to Manual Response
Enrolling Devices in Autonomous Response
- In your AgileBlue portal, access the Data Sources page
- Filter for your target devices based on device type, name, or existing tags
- Using the check-box columns on the left-hand side, select the devices to be enrolled in Autonomous Response
- Apply the desired tag from the options listed below:
  - Response - Manual Response
  - Response - Task List Only
  - Response - Isolate Only
  - Response - Full Response
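Before applying tags in bulk, a planned tag assignment can be checked against the Response Tag Definitions above. The script below is an added example, not AgileBlue code: it assumes a hypothetical CSV inventory with `device` and `tags` columns (tags separated by `;`), treats a device with no Response tag as Manual Response per the default noted above, and flags devices that carry more than one Response tag or a misspelled one, since this page does not say how those are handled.

```python
import csv
import io

# Tag names and effects as given in the Response Tag Definitions:
# tag -> (task list actions run, host is isolated)
RESPONSE_TAGS = {
    "Response - Manual Response": (False, False),
    "Response - Task List Only": (True, False),
    "Response - Isolate Only": (False, True),
    "Response - Full Response": (True, True),
}
DEFAULT_TAG = "Response - Manual Response"  # assumption: untagged == default

# Constructed sample inventory; column names and ';' separator are assumptions.
SAMPLE_CSV = """device,tags
dc01,Domain Controller;Response - Isolate Only
ws-114,Workstation;Response - Full Response
db-02,Database
kiosk-7,Response - Task List Only;Response - Full Response
lab-3,Response - Full Responce
"""

def audit(csv_text):
    """Return {device: (status, task_list, isolate)} for each inventory row."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        tags = [t.strip() for t in (row["tags"] or "").split(";") if t.strip()]
        response = [t for t in tags if t.startswith("Response - ")]
        unknown = [t for t in response if t not in RESPONSE_TAGS]
        if unknown:
            # Misspelled tag: would not match any of the four categories.
            report[row["device"]] = ("unknown-tag", None, None)
        elif len(response) > 1:
            # More than one Response tag: outcome undefined here, review by hand.
            report[row["device"]] = ("conflict", None, None)
        else:
            tag = response[0] if response else DEFAULT_TAG
            status = "tagged" if response else "default"
            report[row["device"]] = (status, *RESPONSE_TAGS[tag])
    return report

if __name__ == "__main__":
    for device, (status, tasks, isolate) in audit(SAMPLE_CSV).items():
        print(f"{device:8} {status:12} task_list={tasks} isolate={isolate}")
```

Rows reported as `conflict` or `unknown-tag` should be corrected on the Data Sources page before relying on autonomous response for those devices.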
Need Help?
AgileBlue is always here to support you and ensure you are 100% successful. If there are any issues with the installation or if you have any questions, please reach out to AgileBlue Support.
Email: support@agileblue.com
Phone: (216) 606-9400