The "Respond" module allows partners to create customizable rules which trigger automated actions in order to minimize the risk when some conditions are met, it gives the ability to react faster to real time events being managed by SaaS Alerts.
Requirements
- SaaS Alerts "MSP Admin" privileges
- Sign in with Microsoft or Google OAuth, or enable MFA in SaaS Alerts user settings
- Accept all "Respond" module security permissions
- A Global Admin account that is specific to the organization domain to connect to Respond.
*Note - Please make sure you disable MFA if you choose to use Google or Microsoft authentication.
IMPORTANT NOTE: If the Global Admin account used to create a Respond connection has its permissions diminished, its password changed, or its sign-in blocked, the Respond connection will break and will have to be re-established once the account is restored to Global Admin and sign-in is unblocked for that account.
Rules
After the "Respond" permissions requirements are accepted you will land on the "Rules" screen. From here partners will be able to create a new rule and manage existing rules, or turn off the "Respond" module completely.
Creating a Rule
Before creating a rule it's important to understand how rules are structured. Rules apply to one or more organizations and at least one account (typically a user account), and must be "listening" for at least one event. Rules then have "Responses", or actions, that are taken when the rule conditions are observed, "triggering" the response. It is also possible to select "no-action", which is the equivalent of creating a new SaaS Alerts event.
The anatomy of a rule can be described as:
Observed Event(s) for Customer Organization(s) and SaaS Application Account(s) which
Trigger actions selected by the MSP Admin to perform automated Response(s).
Creating a Rule:
1. From the Respond "Rules" screen click on the button.
2. Click on "Untitled Rule" to edit the name of the new rule.
3. Select "Events" to create the Respond Rule.
4. Under the "Trigger" section, select the application to be monitored; currently only Microsoft 365 can be selected. Next, select the "Organizations and Accounts" button.
5. Select the "Organizations" and "Accounts" to be monitored. Partners have the option to select one, all, or multiple organizations and accounts.
Note: If "Trigger rules for all organizations" or "Trigger rules for all accounts" is active this will include all Organizations and Accounts to be added in the future.
When the "Fire rule only if respond is enabled for the organization" setting is unselected and a customer has not been connected to Respond, the rule will still trigger however no actions will be completed and the remediation will fail unless there is a Respond connection, this option is useful for alert notifications, for when the rule actions has been set to "Do nothing". If the "Fire rule only if respond is enabled for the organization" setting is selected then only organizations with a Respond connection will trigger the rule.
6. Click on the "Conditions" button to go to the next screen. Here you can select the event or "Alert Description" that needs to occur in order for this rule to be triggered. Select the event, then set the number of occurrences and the timeframe. The minimum occurrence is 1, and the minimum timeframe is 15 minutes. Partners also have the option to add multiple events with equal or different parameters and to combine them. Logical "OR" and "AND" operators are available to create complex event monitoring flows.
Note: Respond scans every 5 minutes and checks for the occurrence of the events set in the rule.
7. Next, click on the "Summary" button to review the "Trigger" section. If you want to add, change or remove any of the "Trigger" settings, please click on the edit pencil or the numbers to go back to the previous screen. If everything looks correct please scroll down and advance to the "Response" section.
8. Under the "Response" section, select the response for the trigger previously set. Then select the "Action Approval Type", where you can choose whether the response for the trigger will execute automatically or whether manual approval by the "MSP Admin" is needed.
Pro tip: If the rule is set to manual approval and the admin does not approve the remediation within the first 15 minutes, a reminder will be sent every 15 minutes; if no action is taken after the 3rd reminder, the rule trigger will be set to auto ignored.
Click on the "Alert Configuration" button to go to the next screen.
9. On the "Alert Configuration" screen partners can customize the "Alert Severity" such as Critical, Medium, or Low for the created event. Additionally, you can configure the "Event Alert Assignment". This will allow you to customize how events are assigned in Event Reports on SaaS Alerts.
Select the Schedule you would like for the Rule
Click on the "SMS Alerts" and select "+Add" to add a phone number.
10. The "SMS Alerts" screen is where a MSP Admin can provide a phone number in order to enable the capability to receive SMS notifications for when a response gets triggered. Multiple phone numbers can be added.
The Initial screen has an explanation of SMS Alerts and a checkbox requiring approval before adding phone numbers.
After the checkbox is confirmed, you can enter phone numbers. You will get a validation warning if the number is not in the proper format for the country.
The first time a number is entered, you will be prompted to send the Opt In message to that phone number.
Once the opt-in message has been sent, the wording next to the phone number will change to indicate that the Opt In has happened, and a toaster message will appear at the top right.
If the user opts out on their mobile device, the phone number will display as Opted Out.
If they have opted out, you can send them an email that brings them to this article. To opt back in, the user must reply START to the original text message, or they can text +1 (910) 765-8953 (for US users).
11. Next, click on the "Summary" button to review the "Response" section. If you want to add, change or remove any of the "Response" settings, please click on the edit pencil or the numbers to go back to the previous screen. You can also double-check the "Schedule" as well.
12. Under the "Schedule" section, partners can set a schedule to limit the time where the "Rule" will be active. It can be set to "Always On" and the "Rule" will remain active 24/7.
13. Partners can set it to a "Specific Time and Duration" with a start and end date.
14. It can be also set to "Recurring" where partners have the option to run the rule on a daily, weekly or monthly basis.
15. Now that you have specified the "Trigger", configured the "Response" and added the "Schedule", click on the "Save Rule" button. If you prefer to continue working on it later, click on the "Save As Draft" button.
Important notes:
- SaaS Alerts Respond is a separate Enterprise App from the "original" SaaS Alerts Enterprise App. This design choice was made to provide additional security features.
- When you connect Respond to a Customer Organization, a new Enterprise App will be added to the tenant. Without this Enterprise App, Respond cannot function. Each Customer Organization must be individually authenticated and connected to Respond.
- Respond can be disconnected at any time by selecting "Turn off Respond" in the SaaS Alerts control panel, or by deleting the Enterprise App from the Azure AD / Enterprise Apps control page.
FAQ and Updates
We have recently completed an update to Respond concerning how it tracks events in conjunction with the trigger criteria. This redesign of Rule Triggers brings several improvements listed below.
- Reduce rule trigger noise: each rule now triggers only once when its conditions match, instead of every 5 minutes
- Catch rule triggers that might previously have been missed, by removing the former 4 hour cooldown period per rule per account
- Enhance the tracking of events related to a rule by:
- adding Pending Rule Reminders, limited to 4 reminders, one every 15 minutes
- adding Remediation Failed Reminders, limited to 4 reminders, one every 15 minutes
- allowing the MSP admin to mark the rule trigger as Ignored or Remediated Manually
- automatically setting a rule trigger to Ignored when reminders are still not addressed after the fourth
- Clear status of a rule with a History of the events associated with each rule trigger on the rule trigger page as an audit trail. The Rule Trigger details page will have three sections:
- Trigger Details - outlines the criteria of the rule
- History Details - a timelapse view of the trigger statuses
- Events Between - a table of the events associated with the rule trigger
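To make the "Conditions" semantics from step 6 concrete (occurrence count, trailing timeframe, logical AND/OR combination, a scan every 5 minutes) together with the once-per-match trigger behaviour described in the update notes above, here is an illustrative model written for this article. It is not SaaS Alerts code; the accounts, alert descriptions and timestamps are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
# Constructed sample events, not real SaaS Alerts data: (timestamp, account, alert description)
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_EVENTS = [
    (T0, "alice@example.com", "Login from VPN"),
    (T0 + timedelta(minutes=4), "alice@example.com", "Login from VPN"),
    (T0 + timedelta(minutes=7), "alice@example.com", "File Downloaded"),
    (T0 + timedelta(minutes=9), "alice@example.com", "Login from VPN"),
    (T0 + timedelta(minutes=30), "bob@example.com", "Login from VPN"),
]

@dataclass
class Condition:
    description: str      # the "Alert Description" the rule listens for
    occurrences: int = 1  # minimum 1
    minutes: int = 15     # minimum timeframe is 15 minutes

    def matches(self, events, account, now):
        # count this account's matching events inside the trailing timeframe
        start = now - timedelta(minutes=self.minutes)
        hits = [e for e in events
                if e[1] == account and e[2] == self.description and start < e[0] <= now]
        return len(hits) >= self.occurrences

def rule_matches(conditions, operator, events, account, now):
    # conditions are combined with logical "AND" or "OR"
    results = [c.matches(events, account, now) for c in conditions]
    return all(results) if operator == "AND" else any(results)

def run_scans(conditions, operator, events, start, end, interval=5):
    # Evaluate every `interval` minutes (Respond scans every 5) and return (HH:MM, account)
    # per trigger; a rule fires once when it starts matching, not on every scan thereafter.
    accounts = sorted({e[1] for e in events})
    triggers, was_matching, now = [], dict.fromkeys(accounts, False), start
    while now <= end:
        for a in accounts:
            hit = rule_matches(conditions, operator, events, a, now)
            if hit and not was_matching[a]:
                triggers.append((now.strftime("%H:%M"), a))
            was_matching[a] = hit
        now += timedelta(minutes=interval)
    return triggers

def demo(kind):
    # "and": 3 VPN logins AND a file download within 15 minutes; "or": any single VPN login
    conds = ([Condition("Login from VPN", 3), Condition("File Downloaded")]
             if kind == "and" else [Condition("Login from VPN")])
    return run_scans(conds, kind.upper(), SAMPLE_EVENTS, T0, T0 + timedelta(hours=1))
```

With the sample data, the AND rule fires once for alice at 09:10 and never for bob, while the OR rule fires once per account at the first matching scan rather than on every subsequent 5-minute scan while the match persists.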
Use the following links for video examples of various Respond rules being created.
Click here to set up a Respond rule to alert for VPN logins.
Click here to set up a Respond rule to alert for file events based on file name.
Click here to set up a Respond rule to alert for unusual login methods.
Click here to set up a Respond rule to alert for applications being downloaded.