Extensibility has been one of the bedrocks upon which we’ve built and grown the Demisto platform over the years. It’s the ideal that has guided our 160+ partner integrations, open REST APIs, free community edition, open-source playbook standards, and more. In the same spirit of providing value wherever our users find it convenient, we are excited to announce the beta launch of an Alexa integration with Demisto Enterprise!
While security is a 24/7 job, you may not always have ready access to your consoles for checking SOC health, conducting queries, and managing initial incident flows. Our Alexa integration aims to bridge this gap, with a focus on providing actions that help you capture the pulse of your security posture and fill in the gaps before you access your console again.
Setting up Alexa for Demisto
The Alexa integration is available to all users of Demisto Enterprise and the Community Edition. Activate the Alexa integration by saying “Alexa, ask Demisto” or “Alexa, open Demisto” to your Alexa device. The device will then run you through the steps of connecting the integration with your Demisto instance. Once that is done and you’ve filled in the required credentials, you’re free to use and experiment with the initial commands and actions available.
Note: The Alexa integration will only work if your Demisto instance can be accessed over the internet.
Demisto Commands for Alexa
Here is the list of commands currently available with Demisto’s Alexa integration:
Incident Management Commands
- Assign incident: Spoken with the incident ID as a parameter, you can assign incidents to analysts within your environment. For example, “Assign incident 17344 to DBot”.
- Close incident: Spoken with the incident ID as a parameter, you can close incidents within your environment. For example, “Close incident 17344”.
- Lightly loaded analyst: Alexa can check the most lightly loaded analyst in your environment, which will be helpful in assigning future incidents. Say “Who is the least loaded analyst”.
- Suggested owner: Alongside the lightly loaded analyst command, you can ask Alexa for suggested owners of an incident using the ID as a parameter. For example, “Suggested owner for incident 17344”.
- Get incident details: Using incident ID as a parameter, you can retrieve important incident details using Alexa.
- Get recent alerts: You can query Alexa for recent alerts in your Demisto instance. You can use parameters such as severity and time here to modify your queries. For example, “Get recent alerts with high severity within last two weeks,” or “Get recent alerts with critical severity”.
- SOC summary: Alexa can give you a full SOC summary for the day, including number of incidents, their severity, the most recent incident, and how many incidents your team has closed today. Say “Show my SOC summary”.
- Start investigation: To start the investigation (playbook run) on an incident, say “start investigation” using the incident ID as a parameter. For example, “Start investigation for incident 17344.”
- Invite expert for help: To add more experts to the War Room of an incident, say “invite expert for help” using the incident ID as a parameter. For example, “Invite expert DBot for help for incident 17344.”
- Best next steps: After the initial playbook has run, you can ask Alexa for the best next steps by saying “best next steps” using the incident ID as a parameter. For example, “Best next steps for incident 17344.”
We’d Love Feedback
We invite you to try out the Alexa integration and share your thoughts on:
- What commands work well.
- What commands don’t work well and can be changed.
- What other commands you hope to see in this integration.
- Any other feedback you'd like to provide.