LogicHub expedites both detection and response through intelligent automated playbooks. Every threat is fully investigated and triaged to follow the correct incident response process, which can be customized to meet each organization’s unique requirements and operating policies. When malware is detected, a playbook can automatically respond in multiple ways, weighing factors like severity, time of day, and asset type. For example, if malware is detected after hours, a laptop might be automatically quarantined until a security analyst can review it during regular hours, while the same response is queued up for one-click execution during normal SOC hours. No matter what the details, LogicHub can rapidly quarantine any number of hosts based on accurate threat detection and consistent processes that adapt to any organization requirements.

LogicHub playbooks can automatically analyze events and alerts from an EDR solution and perform actions like identifying relevant IOCs and correlating multiple instances of suspicious activity. For example, when an EDR alert is received, the source IP can be extracted and sent to one or more threat intelligence platforms for analysis, and the reputation scores can automatically be added to the associated case. LogicHub can also take additional actions, like retrieving user data or potentially overlooked alerts from a SIEM for additional analysis. Based on the combination of results, LogicHub can use automated decision making and triage to ensure that you're focusing your time immediately responding to true positive threats.

LogicHub playbooks can automatically analyze emails to identify potential phishing attacks and triage alerts to rapidly detect true threats. Typically manual actions like extracting and submitting URLs and message headers to threat intelligence platforms and attachments to a sandbox technology for inspection can be fully automated. Each email can then be rapidly assigned an accurate risk score so that analysts can stay focused on investigating and remediating true positives.

LogicHub playbooks can automatically analyze and investigate all SIEM alerts and perform rapid, fully automated triage after assessing multiple factors. For example, if an alert from Splunk comes through indicating suspicious network activity, an automated playbook can analyze, investigate and triage each alert in seconds or minutes, giving an accurate risk score based on multiple factors. Automated decision making processes determine how each alert is addressed depending on the risk score. Any true positive automatically generates a case and the appropriate incident response processes can be recommended, fully automated, or can immediately execute after one-click approval.

LogicHub playbooks can establish automated baselines of standard user behavior. When behavior varies from normal activity, you can automatically take steps to respond to the incident, either in a fully automated fashion, or by alerting appropriate personnel and letting them authorize the correct response through a one-click approval process.

LogicHub playbooks can automatically detect and respond to this type of activity and help expedite response in multiple ways. When Amazon detects exposed AWS API keys, they send an email notifying the appropriate resources. LogicHub can continuously watch for those emails and when one is received, can automatically pull the API key from the email and disable it to prevent it from being used in an attack. LogicHub can also automatically hunt for exposed keys on repositories like Github or Pastebin and then notify the appropriate personnel while disabling the exposed key. And LogicHub can also use machine learning to baseline normal activity tied to the use of AWS API keys to automatically detect and respond to malicious activity.

LogicHub’s ability to use machine learning to baseline behavior associated with user, host and network activities allows you to create playbooks that automatically hunt for abnormal actions indicating a potential insider threat. For example, a server hosting critical financial data may have a finite number of regular users, so LogicHub will identify any new user and check a baseline to see if other members of their OU have commonly accessed that data. Even if they have valid permissions, additional investigations can be automatically performed to check for activities tied to insider threats or potentially compromised accounts. This includes investigating where they have sent outbound emails, if they have downloaded unusually large amounts of data, or if they have performed additional suspicious activity like creating new admin accounts. When a possible insider threat is detected, the user account in question can be disabled automatically or with one-click authorization, and the appropriate personnel can be notified to take further action.

LogicHub playbooks automate the analysis and investigation of powershell activity to rapidly and accurately identify suspicious and malicious activity. Using a combination of machine learning and external integrations, LogicHub automatically creates baselines of expected Powershell behavior and establishes profiles of known malicious Powershell activity. Any new Powershell actions are automatically analyzed and assigned an appropriate risk score. When malicious activity is detected, it can be immediately stopped and future Powershell attacks of the same kind can be automatically prevented.

LogicHub’s 24x7 MDR analysts analyze audit logs either collected directly from G-Suite via API, or from any SIEM/log management platform, depending on the individual organization. Using a combination of built-in machine learning and expert-defined feedback in our playbooks, analysts can establish an automated baseline of multiple vectors, like authentication and login behavior, geolocation and activity volume. Deviations like suspicious login activity from multiple sites in an unlikely timeframe or abnormal activity during non working hours can be investigated and triaged for either immediate one-click or fully automated response, or for additional investigation by the LogicHub SOC.

LogicHub’s 24x7 MDR analysts analyze audit logs either collected directly from O365 via API, or from any SIEM/log management platform, depending on the individual organization. Using a combination of built-in machine learning and expert-defined feedback in our playbooks, analysts can establish an automated baseline of multiple vectors, like authentication and login behavior, geolocation and activity volume. Deviations like suspicious login activity from multiple sites in an unlikely timeframe or abnormal activity during non working hours can be investigated and triaged for either immediate one-click or fully automated response, or for additional investigation by the LogicHub SOC.

LogicHub uses its SOAR+ platform to deliver automated incident response capabilities that are customized to meet the individual requirements of every MDR+ customer, with the option to require one-click authorization for any action. And each response can be built to adapt to different scenarios, like threat severity, specific device types or user groups, or time of day. For example, with critical threats an organization can require one-click authorization before taking invasive actions like quarantining a device or disabling a user account during normal hours of operation, while fully automating the same actions after hours. LogicHub’s SOC analysts are still investigating and validating threats on a 24x7 basis, but individual organizations can take control of the response process for each individual scenario without requiring a 24x7 operation of their own. This allows any organization to determine how to respond to any type of threat in the way that they need. And because the process is built into a playbook, we eliminate the risk of human error that could lead to an improper response.

LogicHub playbooks can be set up to investigate and respond to user report threats in many different formats. For example, one playbook can automatically retrieve and analyze user reported phishing attempts from a SOC inbox, extract relevant details from the emails, perform rapid investigations, and execute the proper incident response processes. Another might be set up to watch for security-related requests entered into a trouble ticketing system, like a password reset request. The playbook could automatically extract user data, look for any IOCs like unusual authentication or other activity by that user, check with the user if the request is legitimate, and based on the results either notify the user via text that the password has been reset or notify the correct resource that the account has been compromised.

LogicHub playbooks can automatically baseline github activity, profiling a broad range of data points, including the typical number of github repositories and authorized users, unique logins from specific IP addresses, and the expected behavior of individual users within the repository. This establishes a profile of expected behavior that can be used to identify when a user is behaving abnormally. Rather than waiting for indications that a breach has occurred, LogicHub can proactively hunt for suspicious activity and automatically disable an account before it is used to perform malicious actions like stealing critical data.

LogicHub can automatically analyze and triage network events at scale from any tool in your stack, including SIEM, IDS, DPI, NGFW, etc, , by enriching them with additional critical context from threat intelligence platforms and performing automated decision making. Relevant event detail is automatically extracted and sent to one or more threat intelligence platforms to identify traffic with suspicious or malicious IPs and domains. LogicHub can automatically assign a new risk rating and compare that against additional information from other sources, like potential IOCs flagged by a proxy service. An overall risk score is then generated and the alert or event is automatically triaged to immediately initiate the appropriate incident response process.