Automated Responses

Creating Defenses


When defining a response, you can associate a set of defensive countermeasures to be run when an incoming alert is dispatched. Defenses can be useful to stop or slow an attacker while you mount a defense. It is especially useful to prevent Advanced Persistent Threats from gaining a foothold.

Defenses are created from the Response page. Click on the Add Defense button and the defense dialog will be displayed.

Add Defense

First select the appropriate defense name. After selecting the defense, relevant parameter fields may be displayed. For example: the run-http defense will prompt for the HTTP method, url, headers and post data. You can add multiple defenses for a single response.

List of Defenses


This defense blocks the attacker at the local host (iptables) firewall. The attacker will be immediately banned from the host. You can specify the duration for the ban in seconds and a list of IP addresses to exempt from the ban.


This defense will kill a banned process. This defense can only be used by the banned-process threat check. It takes no parameters and will kill the offending process.


The run-command defense can be used to run any local command on the host. The command should be an absolute path name to a program or script. The command is run as root.


This defense can be used to run arbitrary HTTP requests. The parameters are:


Run an AWS Lambda function. This will take the parameters:


This defense will slow the attackers network traffic. This can be useful to slow the attacker without making the attacker aware they have been detected.


Stop the affected host. This will issue an AWS Stop Instance command. All ephemeral instance data is lost.


Terminate the affected host. This will issue an AWS Terminate Instance command. The instance is lost.


See Also

© SenseDeep® LLC. All rights reserved. Generated at 05:29:12 Sep 22, 2017. Privacy Policy and Terms of Use.