Webinar: What's New in Graylog 6.0? | Watch On-Demand >> ​

Selling Stakeholders on Automated Threat Response

Most organizations use their SIEM solution to automate repetitive security tasks, saving analysts time. But the reality is your system could be doing—and saving—so much more by blocking the obvious threat actors attempting to connect with your network, systems, and assets.

For most analysts, this is a no-brainer. With automated blocking, analysts can focus on higher value activities than responding to obvious security threats that can be safely handled with an automated response. The pushback often happens when other stakeholders are concerned that automated threat response will hamper legitimate traffic. In our latest guide, Threat Intelligence Integration: From Source to Secure, our experts looked at two ways to sell stakeholders on automating threat response. Here’s an overview.


If your stakeholders are nervous that automation will block legitimate communication and operations, frame the risk for them. What will hurt more? Potentially blocking legit traffic or interacting with a known threat?

One of the best ways to make your case is to provide cold, hard facts. Share how automated blocking would’ve benefited the organization in the recent past by:

·      Choosing a rule set you’d recommend to start automated blocking

·      Researching how many incidents this would’ve identified and eliminated in the past month, quarter, or year

·      Computing the manual hours these efforts took and assign a dollar value—this value is the money automated threat response would’ve saved

It’s hard for stakeholders in any business unit to argue with clear proof that automated threat response can save money.


Another way to reassure stakeholders is to set a high bar for automated blocking. This action means setting specific rules the system will use that have a high probability of correctly detecting a threat actor. You can do this a number of ways, including:

·      Using indicator confidence scores

·      Restricting blocking to attempts on critical assets only

·      Setting multilayer rules (such as mandating that simple attempts to/from a known indicator won’t be blocked but an attempt accompanied by an alert from a second technology will)

Focusing the scope in this way ensures that anything being automatically blocked by the system is most likely an actual threat, helping stakeholders rest easier.


Getting stakeholders on board is critical to avoid conflict and free analysts to do higher level security review. To learn more about Threat Intelligence, download our Threat Intelligence guide.

Get the Monthly Tech Blog Roundup

Subscribe to the latest in log management, security, and all things Graylog blog delivered to your inbox once a month.