Respond module

The Respond module lets you create customizable rules that trigger automated actions when specified conditions are met, reducing risk and letting you react faster to real-time events managed by SaaS Alerts.

Requirements

  • SaaS Alerts MSP Admin privileges.
  • Sign in with Microsoft or Google OAuth, or enable MFA in SaaS Alerts user settings.
  • Accept all Respond module security permissions.
  • A global admin account that is specific to the organization domain to connect to Respond.

NOTE  Make sure you disable MFA if you choose to use Google or Microsoft authentication.

IMPORTANT  If the global admin account used to create a Respond connection has its permissions diminished, its password changed, or its sign-in blocked, the Respond connection will break and must be re-established once the account is restored to global admin and sign-in is unblocked for that account.

Rules

After the Respond permissions requirements are accepted, you will land on the Rules page. From here, you can create a new rule, manage existing rules, or turn off the Respond module completely.

Creating a rule

Before creating a rule, it's important to understand how rules are structured. A rule applies to one or more organizations and at least one account (typically a user account), and must listen for at least one event. A rule can then have responses (actions) that are taken when the rule conditions are observed. Refer to Respond module actions.

It is also possible to select no action, which is equivalent to creating a new SaaS Alerts event. The anatomy of a rule can be summarized as observed event(s) for customer organization(s) and SaaS application account(s) that trigger actions selected by the MSP Admin to perform automated response(s).

Steps

  1. From the Rules page, click New Rule.
  2. Click Untitled Rule to edit the name of the new rule.
  3. Select Events to create the Respond rule.
  4. In the Trigger section, select the application to be monitored. Currently, only Microsoft 365 can be selected. Next, select Organizations and Accounts.
  5. Select the Organizations and Accounts to be monitored. You have the option to select one, all, or multiple organizations and accounts.

NOTE   If Trigger rules for all organizations or Trigger rules for all accounts is active, this will include all organizations and accounts to be added in the future.

When the Fire rule only if respond is enabled for the organization setting is unselected and a customer has not been connected to Respond, the rule will still trigger. However, no actions will be completed and the remediation will fail unless there is a Respond connection. This option is useful for alert notifications, when the rule action has been set to Do nothing.
If the Fire rule only if respond is enabled for the organization setting is selected, only organizations with a Respond connection will trigger the rule.

Click Conditions to go to the next page. 

Select the event or Alert Description that must occur for this rule to trigger. Set the number of occurrences and the time frame. The minimum occurrence is 1, and the minimum time frame is 15 minutes.
You can also add multiple events with equal or different parameters and combine them. Logical OR and AND operators are available to create complex event monitoring flows.

NOTE  Respond scans happen every five minutes and check for the occurrence of events set in the rule.
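The following is an added illustration of the trigger semantics described above (occurrence count within a time frame, AND/OR combination of conditions, organization and account scope, and a five-minute scan cadence). It is not SaaS Alerts code; the event log format, the `Event`, `EventCondition` and `Rule` classes, and the `scan` and `run_scans` functions are assumptions made for this example, and the log lines are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

MIN_OCCURRENCES = 1                    # page: minimum occurrence is 1
MIN_TIME_FRAME = timedelta(minutes=15)  # page: minimum time frame is 15 minutes
SCAN_INTERVAL = timedelta(minutes=5)    # page: Respond scans happen every five minutes

# Constructed sample log: "<ISO timestamp> <organization> <account> <Alert Description>"
SAMPLE_LOG = """\
2024-05-01T09:30:00 org-a alice@example.com Login from VPN
2024-05-01T10:02:00 org-a alice@example.com Login from VPN
2024-05-01T10:04:00 org-a alice@example.com Login from VPN
2024-05-01T10:07:00 org-a alice@example.com Unusual login method
2024-05-01T10:08:00 org-b carol@example.com Login from VPN
2024-05-01T10:09:00 org-a bob@example.com Login from VPN
"""


@dataclass(frozen=True)
class Event:
    timestamp: datetime
    organization: str
    account: str
    description: str  # the Alert Description a condition listens for


def parse_events(raw: str) -> List[Event]:
    """Parse the constructed log format; the description may contain spaces."""
    events = []
    for line in raw.splitlines():
        ts, org, account, description = line.split(" ", 3)
        events.append(Event(datetime.fromisoformat(ts), org, account, description))
    return events


@dataclass
class EventCondition:
    description: str
    occurrences: int = MIN_OCCURRENCES
    time_frame: timedelta = MIN_TIME_FRAME

    def __post_init__(self) -> None:
        # Enforce the product minimums stated on the page.
        if self.occurrences < MIN_OCCURRENCES:
            raise ValueError("occurrences must be at least 1")
        if self.time_frame < MIN_TIME_FRAME:
            raise ValueError("time frame must be at least 15 minutes")

    def is_met(self, events: List[Event], now: datetime) -> bool:
        """True when at least `occurrences` matching events fall in (now - time_frame, now]."""
        window_start = now - self.time_frame
        hits = sum(1 for e in events
                   if e.description == self.description and window_start < e.timestamp <= now)
        return hits >= self.occurrences


@dataclass
class Rule:
    name: str
    conditions: List[EventCondition]
    operator: str = "OR"                      # "AND": every condition; "OR": any condition
    organizations: Optional[Set[str]] = None  # None = trigger for all organizations
    accounts: Optional[Set[str]] = None       # None = trigger for all accounts

    def in_scope(self, event: Event) -> bool:
        return ((self.organizations is None or event.organization in self.organizations)
                and (self.accounts is None or event.account in self.accounts))

    def matches(self, events: List[Event], now: datetime) -> bool:
        results = [c.is_met(events, now) for c in self.conditions]
        return all(results) if self.operator == "AND" else any(results)


def scan(rule: Rule, events: List[Event], now: datetime) -> List[Tuple[str, str]]:
    """One scan: evaluate the rule per (organization, account) over in-scope events."""
    per_account: Dict[Tuple[str, str], List[Event]] = {}
    for e in events:
        if rule.in_scope(e):
            per_account.setdefault((e.organization, e.account), []).append(e)
    return sorted(key for key, evs in per_account.items() if rule.matches(evs, now))


def run_scans(rule: Rule, events: List[Event], first: datetime,
              last: datetime) -> Dict[datetime, List[Tuple[str, str]]]:
    """Replay the five-minute scan cadence and record what each scan would trigger."""
    results, now = {}, first
    while now <= last:
        results[now] = scan(rule, events, now)
        now += SCAN_INTERVAL
    return results


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    burst = Rule("VPN login burst", [EventCondition("Login from VPN", occurrences=2)])
    for when, hits in run_scans(burst, evs, datetime(2024, 5, 1, 10, 0),
                                datetime(2024, 5, 1, 10, 10)).items():
        print(when.time(), hits)
```

Replaying `run_scans` shows that, while the conditions keep holding inside the window, a naive evaluator reports the same account on every five-minute scan; that repeat firing is what the trigger redesign described in the FAQ section of this page addresses.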

Click Summary to review the Trigger section. If you want to add, change, or remove any of the Trigger settings, click on the edit pencil or the numbers to go back to the previous page. If everything looks correct, scroll down and advance to the Response section.

In the Response section, select the response for the trigger previously set. Select the Action Approval Type to choose whether the response for the trigger executes automatically or requires manual approval by the MSP Admin.

NOTE  If the rule is set to manual approval and the admin has not approved the remediation within the first 15 minutes, a reminder will be sent every 15 minutes. After the third reminder, the rule will be set to auto-ignored if no action is taken.

Click Alert Configuration to go to the next page.

On the Alert Configuration page, you can customize the alert severity, such as critical, medium, or low, for the created event. Refer to Customizing alert severity. Additionally, you can configure the Event Alert Assignment. This will allow you to customize how events are assigned in event reports in SaaS Alerts.

Select the schedule you would like for the rule.

Click SMS Alerts and select Add to add a phone number.

The SMS Alerts page is where an MSP Admin can provide a phone number in order to enable the capability to receive SMS notifications for when a response gets triggered. Multiple phone numbers can be added.

The initial page has an explanation of SMS alerts and a check box requiring approval before adding phone numbers.

After the check box is confirmed, you can enter phone numbers. You will get a validation warning if a number is not in the proper format for its country.

The first time a number is entered, you will be prompted to send the opt-in message to the phone number.
Once the opt-in message has been sent, the wording next to the phone number will change to indicate that the opt-in has happened, and a toaster message will appear in the upper-right corner.

If the user opts out on their mobile device, the phone number will display as Opted Out.

If they have opted out, you can send an email to them which will bring the user to this article. To opt back in, the user must reply START to the original text message, or they can text +1 (910) 765-8953 (for US users).

Click Summary to review the Response section. If you want to add, change, or remove any of the Response settings, click the edit pencil icon or the numbers to go back to the previous screen. You can also double-check the Schedule.

In the Schedule section, you can set a schedule to limit the time where the Rule will be active. It can be set to Always On and the Rule will remain active 24/7. 

You can set it to a Specific Time and Duration with a start and end date.

It can be also set to Recurring where you have the option to run the rule on a daily, weekly, or monthly basis.

Now that you have specified the Trigger, configured the Response, and added the Schedule, click Save Rule. If you want to continue working on the rule later, click Save As Draft.

SaaS Alerts Respond is a separate Enterprise App from the original SaaS Alerts Enterprise App. This design choice was made to provide additional security features:

  • When you connect Respond to a customer organization, a new Enterprise App will be added to the tenant. Without this Enterprise App, Respond cannot function. Each customer organization must be individually authenticated and connected to Respond.

  • Respond can be disconnected at any time by selecting Turn off Respond in the SaaS Alerts control panel or by deleting the Enterprise App from the Azure AD / Enterprise Apps control page.

FAQ and updates

We have recently completed an update to Respond concerning how it tracks events in conjunction with the trigger criteria. This redesign of rule triggers brings the improvements listed below.

  • Reduced rule trigger noise: each rule triggers only once when the conditions match, instead of every 5 minutes.
  • Fewer missed rule triggers: the previous 4-hour cooldown period per rule per account has been removed.
  • Enhanced tracking of events related to a rule by:
    • adding Pending Rule Reminders, limited to 4 reminders sent every 15 minutes;
    • adding Remediation Failed Reminders, limited to 4 reminders sent every 15 minutes;
    • allowing the MSP admin to mark the rule trigger as Ignored or as remediated manually;
    • automatically setting a rule trigger to Ignored when reminders are still not addressed after the fourth.
  • Clear status of a rule, with a History of the events associated with each rule trigger on the rule trigger page as an audit trail. The Rule Trigger details page has three sections:
    • Trigger Details - outlines the criteria of the rule
    • History Details - a timelapse view of the trigger statuses
    • Events Between - a table of the events associated with the rule trigger

Use the following links for video examples of various Respond rules being created.

VIDEO  Set up a Respond rule to alert for VPN logins

VIDEO  Set up a Respond rule to alert for file events based on file name

VIDEO  Set up a Respond rule to alert for unusual login methods

VIDEO  Set up a Respond rule to alert for applications being downloaded