While using the Logsign Unified Security Operations Platform for log analysis, you can also trigger a response on the security devices/products you operate. When an alert rule on Logsign fires, it can take an action against the policy you have created on that device/product.
To use the Logsign Custom Action Device service, the device/product must first be added as a source on Logsign.
In the Logsign web interface, open the Settings -> Integrations -> Responses tab.
Once the response integrations are defined, the desired action can be attached to the desired alarms.
Go to Settings -> Alerts & Behaviors -> Action Rules and click the "+Add" button to create a new Action Rule.
In the window that opens, define the name of the action, select the alarms to act on and move them to the right-hand list. Then click the Next button to proceed.
In the next window, click the "New Action" button and create the desired action by selecting one of the integrations defined under Responses earlier.
Select the desired response from the response integration list and fill in the fields required by that integration, as follows:
Device: the response integration to use.
Method: the actions available for the selected integration.
IP: the alert column (field) whose value the action is taken on.
Group Name: the group in the integration that holds the blocked IPs.
Expire Time: how long an IP that enters the group remains in that list.
Click the Next button for the next stage.
Review the specified settings and save the action rule.
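To make the rule fields concrete, here is an added Python model of how an action rule maps an alert row's IP column into a named block group with an expiry; it is illustration only, not Logsign's code or API, and the class names, the `block_ip` method, the device name and the sample alert are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

@dataclass
class ActionRule:
    device: str        # Device: the response integration (assumed field name)
    method: str        # Method: an action offered by that integration
    ip_column: str     # IP: alert column whose value is acted on
    group_name: str    # Group Name: block group on the device
    expire_time: int   # Expire Time: seconds an IP stays in the group

@dataclass
class ResponseDevice:
    # Constructed stand-in for the security device behind a response integration
    name: str
    methods: frozenset
    groups: Dict[str, Dict[str, float]] = field(default_factory=dict)  # group -> ip -> expiry

    def block(self, group: str, ip: str, until: float) -> None:
        # Blocking an IP already in the group simply refreshes its expiry time
        self.groups.setdefault(group, {})[ip] = until

    def purge(self, now: float) -> int:
        # Drop expired entries, as the device would once Expire Time has passed
        removed = 0
        for members in self.groups.values():
            for ip in [i for i, exp in members.items() if exp <= now]:
                del members[ip]
                removed += 1
        return removed

    def is_blocked(self, group: str, ip: str, now: float) -> bool:
        return self.groups.get(group, {}).get(ip, 0.0) > now

def apply_rule(rule: ActionRule, device: ResponseDevice,
               alert: Dict[str, str], now: float) -> Optional[str]:
    """Run the rule on one alert row; return the IP acted on, or None if nothing was done."""
    if device.name != rule.device or rule.method not in device.methods:
        return None
    ip = alert.get(rule.ip_column)
    if not ip:
        return None  # the alert has no value in the configured IP column
    device.block(rule.group_name, ip, now + rule.expire_time)
    return ip

# Constructed sample: a firewall integration and one alert row from a brute-force rule
FIREWALL = ResponseDevice(name="edge-fw", methods=frozenset({"block_ip"}))
RULE = ActionRule(device="edge-fw", method="block_ip", ip_column="source_ip",
                  group_name="logsign_blocked", expire_time=3600)
SAMPLE_ALERT = {"alert": "ssh_bruteforce", "source_ip": "203.0.113.7", "dest_ip": "10.0.0.5"}
```

Running `apply_rule(RULE, FIREWALL, SAMPLE_ALERT, now)` places 203.0.113.7 in the `logsign_blocked` group for one hour; an alert without a `source_ip` value, or a method the device does not offer, results in no action.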