Skip to main content

How can we help you?

Search

SaaS Alerts - Respond

Not yet followed by anyone
Updated: Jesse Garcia Edited:

The "Respond" module allows partners to create customizable rules which trigger automated actions in order to minimize the risk when some conditions are met, it gives the ability to react faster to real time events being managed by SaaS Alerts.

Requirements

  1. SaaS Alerts "MSP Admin" privileges
  2. Sign in with Microsoft, K1 or Google OAuth or Enable MFA in SaaS Alerts user settings
  3. Accept all "Respond" module security permissions
  4. A Global Admin account that is specific to the organization domain to connect to Respond.

    *Note - Please make sure you disable MFA if you choose to use Google, K1 or Microsoft Authentication

IMPORTANT NOTE: If the Global Admin account used to create a Respond connection has its permissions diminished, password changed, or sign-in blocked the Respond connection will break and have to be re-established once the account is restored to Global Admin and sign-in is unblocked for that account.

Rules

After the "Respond" permissions requirements are accepted you will land on the "Rules" screen. From here partners will be able to create a new rule and manage existing rules, or turn off the "Respond" module completely. 

mceclip1.png

Creating a Rule

Before creating a rule it's important to understand how rules are structured.  Rules apply to one or more organizations, at least one account (typically a user account), and must be "listening" for at least one event.  Rules can then have "Responses" or actions that are taken if the rule conditions are observed "triggering" the response.   It is possible to select a "no-action" which is the equivalent of creating a new SaaS Alerts event.

The anatomy of a rule can be described as:
Observed Event(s) for Customer Organization(s) and SaaS Application Account(s) which
Trigger actions selected by the MSP Admin to perform automated Response(s). 

Creating a Rule:

  1. From the Respond "Rules" screen click on the mceclip3.png button.
  2. Click on "Untitled Rule" to edit the name of the new rule.
  3. Select "Events" to create the Respond Rule.
  4. Under the "Trigger" section. Select the application to be monitored. Next, select the "Organizations and Accounts" button.

 

2023-05-22_08_56_58-.png

 

2023-05-22_08_16_42-SaaS_Alerts_.png

 

     5. Select the "Organizations" and "Accounts" to be monitored. Partners have the option to select one, all, or multiple organizations and accounts. 

Note: If "Trigger rules for all organizations" or "Trigger rules for all accounts" is active this will include all Organizations and Accounts to be added in the future. By clicking on the "Trigger rule for all organizations" checkmark box, you are going to be able to exclude organizations as well.

 

2023-05-22_08_18_42-.png

When the "Fire rule only if respond is enabled for the organization" setting is unselected and a customer has not been connected to Respond, the rule will still trigger however no actions will be completed and the remediation will fail unless there is a Respond connection, this option is useful for alert notifications, for when the rule actions has been set to "Do nothing". If the "Fire rule only if respond is enabled for the organization" setting is selected then only organizations with a Respond connection will trigger the rule.

 

6. Click On the "Conditions" button to go to the next screen.  Here you can select the event or "Alert Description" that needs to occur in order for this rule to be triggered. Select the event, and set the number of occurrences and the timeframe. The minimum occurrence is 1, and the minimum timeframe is 15 minutes.  Partners will also have the option to add multiple events with equal or different parameters with the ability to combine them as well.  Logical "OR" and "AND" operators are available to create complex event monitoring flows.

Note: Respond will scan every 5 minutes and it will checks for the occurrence of the conditions set in the rule.

2023-05-22_09_29_54-.png

 

Filters:

For each event selected within the rule, a filter may be applied. Filters allow for additional criteria to be set based on a subset of event details. As an example Country Contains US or Country does not contain US. This will then include or exclude instances of an event depending upon the filter.

Two specific operators, ‘Matches Pattern’ and ‘Does not match pattern’, are powerful tools designed to enhance text search capabilities in the UI. These operators within a filter allow users to include or exclude results based on patterns defined using wildcard characters. Currently they are only available for File Name and Description Details filters.

Key Features

  • Wildcards Supported: ‘*’ or ‘?’
  • Flexible Matching: Easily find or exclude text patterns in fields to suit your search requirements.
  • Enhanced Usability: Quickly narrow down search results by defining specific text patterns.

Wildcard Characters and Their Meaning

Wildcard Description Example Matches
* Matches zero or more characters *Drive "OneDrive", "Google Drive"
? Matches exactly one character D?ve

"Dive", "Dave"

Matches Pattern: The Matches Pattern filter retrieves fields containing text that matches the specified pattern. Below are examples of how to use this filter effectively:

Match text containing a specific term:

  • Pattern: --OneDrive
  • Description: Matches any field where "--OneDrive" appears anywhere in the text.
  • Example Matches: "--OneDrive File Sharing", "Introduction to --OneDrive", "Manage Your --OneDrive Files"

Match text ending with a specific term:

  • Pattern: *OneDrive
  • Description: Matches any field where the text ends with "OneDrive."
  • Example Matches: "Shared with OneDrive", "Export to OneDrive"

Match text starting with a specific term:

  • Pattern: OneDrive*
  • Description: Matches any field where the text starts with "OneDrive."
  • Example Matches: "OneDrive Files Management", "OneDrive Account Settings"

Does Not Match Pattern: The Does Not Match Pattern filter excludes fields containing text that matches the specified pattern. This is useful for eliminating unwanted results from your search.

Exclude text containing a specific term:

  • Pattern: OneDrive
  • Description: Excludes any field where "OneDrive" appears anywhere in the text.
  • Example Matches: "OneDrive File Sharing", "Manage Your OneDrive Files"

Exclude text ending with a specific term:

  • Pattern: *OneDrive
  • Description: Excludes any field where the text ends with "OneDrive."
  • Example Matches: "Shared with OneDrive", "Export to OneDrive"

Exclude text starting with a specific term:

  • Pattern: OneDrive*
  • Description: Excludes any field where the text starts with "OneDrive."
  • Example Matches: "OneDrive Files Management", "OneDrive Account Settings"

Wildcard searches are case-sensitive, depending on the field configuration. Use these filters judiciously, as patterns with leading wildcards (e.g., *OneDrive) can impact performance for large datasets.

 

7. Next, click on the "Summary" button to review the "Trigger" section. If you want to add, change or remove any of the "Trigger" settings, please click on the edit pencil or the numbers to go back to the previous screen. If everything looks correct please scroll down and advance to the "Response" section.

                                                                      2023-05-22_09_45_47-SaaS_Alerts_.png                                                                

 

8. Under the "Response" section. Select the response for the trigger previously set. Then select the "Action Approval Type" where you can choose if the response for the trigger will execute automatically or a manual approval by the "MSP Admin" is needed.

 

Pro tip: If the rule is set to manual approval and the admin does not approved the remediation within the first 15 minutes, then a reminder will be send every 15 minutes but after the 3rd reminder the rule will be set to auto ignored if no action is taken.

 

Click on the "Alert Configuration" button to go to the next screen.     

 

2023-05-22_09_58_58-SaaS_Alerts_.png

 

2023-05-22_10_02_24-SaaS_Alerts_.png

 

 

9. On the "Alert Configuration" screen partners can customize the "Alert Severity" such as Critical, Medium, or Low for the created event.  Additionally, you can configure the "Event Alert Assignment".  This will allow you to customize how events are assigned in Event Reports on SaaS Alerts.

 

2023-05-22_10_19_22-.png

 

10. The "Alert Notifications" screen is where a MSP Admin can provide a phone number, Email address or opt-in to receive push notifications in via the Mobile app to enable the capability to receive notifications when a rule gets triggered. Multiple phone numbers and Email addresses can be added. 

 

The Initial step has an explanation of the notification you are about to receive and a checkbox requiring approval.

After the checkbox is confirmed, you can enter phone numbers and Emails.
 
Notes for SMS: First time a number is entered you will get the prompt to send the Opt In message to the phone number.
Screenshot 2023-06-20 163848.png
Once opt in message has been sent, the wording next to phone number indicating the Opt In has happened will change as well as a toaster message at the top right.
Screenshot 2023-06-20 164204.png

If user opts out on their mobile device, the phone number will display as Opted Out.

Screenshot 2023-06-21 113854.png
 
If they have opted out, you can send an email to them which will bring the user to this article. To opt back in the user must reply START to the original text message or they can text +1 (910) 765-8953 (for US users).

 

11. Next, click on the "Summary" button to review the "Response" section. If you want to add, change or remove any of the "Response" settings, please click on the edit pencil or the numbers to go back to the previous screen. You can also double-check the "Schedule" as well.   

 

2023-05-22_10_35_28-.png

 

     12. Under the "Schedule" section, partners can set a schedule to limit the time where the "Rule" will be active. It can be set to "Always On" and the "Rule" will remain active 24/7.  

mceclip15.png

     13. Partners can set it to a "Specific Time and Duration" with a start and end date.

mceclip16.png

     14. It can be also set to "Recurring" where partners have the option to run the rule on a daily, weekly or monthly basis. 

mceclip17.png

 

     14. Now that you have specified the "Trigger", configure the "Response" and added the "Schedule", Please click on the "Save Rule" button. If you choose to continue working where you left it later, then click on the "Save As Draft" button.

mceclip18.png


Important notes:
SaaS Alerts Respond is a separate Enterprise  App from the "original" SaaS Alerts Enterprise App.  This design choice was made to provide additional security features.

  • When you connect Respond to a Customer Organization, a new Enterprise App will be added to the tenant. Without this Enterprise App, Respond cannot function. Each Customer Organization must be individually authenticated and connected to Respond.



    Screen_Shot_2022-06-16_at_12.55.05_PM.png
  • Respond can be disconnected at any time by selecting "Turn off Respond" in the SaaS Alerts control panel, or by deleting the Enterprise App from the Azure AD / Enterprise Apps control page.

 

FAQ and Updates

We have recently completed an update to Respond concerning how it tracks events in conjunction with the trigger criteria. This redesign of Rule Triggers brings several improvements listed below.   

  • Reduce rule trigger noise, each rule will only trigger once when the conditions match instead of every 5 minutes
  • Catch possibly missed rule triggers with the previous 4 hour cooldown period per rule per account being removed
  • Enhance the tracking of events related to a rule by: 
    • adding Pending Rule Reminders. These reminders will be limited to 4 reminders every 15 minutes. 
    • adding Remediation Failed Reminders. These reminders will be limited to 4 reminders every 15 minutes.
    • ability for the MSP admin to mark the rule trigger as Ignored or Remediated Manually
    • when reminders are still not addressed after the fourth, automatically setting a rule trigger to Ignored
  • Clear status of a rule with a History of the events associated with each rule trigger on the rule trigger page as an audit trail. The Rule Trigger details page will have three sections: 
    • Trigger Details - outlines the criteria of the rule
    • History Details - a timelapse view of the trigger statuses 
    • Events Between - a table of the events associated with the rule trigger

 

Can Respond Rules be converted into an IoC?

Yes, by simply clicking on the "Convert to IOC" button.

 

Use the following links for video examples of various Respond rules being created.

Click here to set up a Respond rule to alert for VPN logins. 

Click here to set up a Respond rule to alert for file events based on file name. 

Click here to set up a Respond rule to alert for unusual login methods.

Click here to set up a Respond rule to alert for applications being downloaded.

Was this article helpful?
1 out of 1 found this helpful
Return to top

Related articles

Comments

0 comments

Article is closed for comments.