Responding & Remediating

IN SPYCLOUD COMPASS

Once you’ve investigated an alert, SpyCloud Compass makes it easy to take next steps – whether you’re remediating manually or integrating alert flows into your SIEM/SOAR tools.

This page outlines how to respond to alerts, escalate exposures, and automate key workflows based on risk level.


🔁 Standard Remediation Workflow

  1. 🕵️ Investigate the alert using metadata and selector pivots
  2. 📣 Notify the exposed user or responsible team (via ticket or email)
  3. 🔐 Remediate with password resets, MFA enforcement, or device isolation
  4. 🧾 Record the resolution in your ticketing system or internal tracker
  5. ♻️ Reassess similar alerts by domain, log_id, or password reuse

Your steps may vary slightly by source type, user role, or automation level.


🔧 Suggested Playbooks

Scenario                                          Recommended action
------------------------------------------------  --------------------------------------------------
Malware alert + cracked password + corp email     Immediate remediation and device isolation
Third-party exposure + external domain            Triage or monitor; no action required unless the
                                                  same password is also in corporate use
Reused password across multiple employees         Escalate to SecOps or IAM for rotation enforcement
VIP exposure + phished credentials                Notify CISO or IR lead immediately
Repeated alerts tied to the same log_id           Investigate campaign-level exposure

🤖 Automation Recommendations

You can build automated response flows with Compass alert exports or API integrations.

Suggested Automations

  • If severity ≥ 20 and domain_owner_match = true → create Jira ticket
  • If source_type = "malware" → isolate device via CrowdStrike API
  • If password_plaintext is reused → trigger IAM workflow for rotation
  • Send alert metadata to Splunk or Sentinel for enrichment and alert correlation

📎 Example Ticket Payload (JSON)

{
  "event_type": "compass_alert",
  "email": "[email protected]",
  "source_type": "malware",
  "severity": 25,
  "password_plaintext": "summer2023!",
  "malware_family": "Redline",
  "domain_owner_match": true,
  "log_id": "9ac0...123"
}

Treat password_plaintext as a secret, not as ticket metadata. Ticketing systems are usually readable by far more people than Compass is, and a recovered password that is still valid belongs in neither a Jira comment nor a SIEM index. Before forwarding, drop the field or replace it with a keyed fingerprint so password reuse can still be matched across alerts without copying the plaintext downstream.
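The playbook table and the suggested automations above are a set of routing rules over alert fields, so here they are as an added worked example. This is not SpyCloud's code and calls no Compass API: the field names follow the example ticket payload, the sample alerts are constructed, the source_type values other than "malware" and the corp.example / partner.example domains are assumptions, and the Jira, CrowdStrike, IAM and SIEM steps are returned as action names for your SOAR to dispatch rather than called. It also shows the redaction a ticket payload should get: password_plaintext is replaced by a keyed HMAC fingerprint, which still lets you detect the same password across several employees without writing the secret into a ticket.

```python
"""Route Compass-style alerts to response actions (added example, not SpyCloud code)."""
import hashlib
import hmac
from collections import defaultdict

# Assumed per-deployment secret. Keyed fingerprints, unlike bare SHA-256,
# cannot be cracked offline by someone who can only read tickets.
FINGERPRINT_KEY = b"rotate-me-and-keep-out-of-tickets"

# Constructed sample alerts in the shape of the page's example payload.
# Only "malware" appears as a source_type on the page; the rest is assumed.
SAMPLE_ALERTS = [
    {"event_type": "compass_alert", "email": "alice@corp.example",
     "source_type": "malware", "severity": 25, "password_plaintext": "summer2023!",
     "malware_family": "Redline", "domain_owner_match": True, "log_id": "log-a1"},
    {"event_type": "compass_alert", "email": "bob@corp.example",
     "source_type": "third_party_breach", "severity": 20,
     "password_plaintext": "summer2023!", "domain_owner_match": True, "log_id": "log-b2"},
    {"event_type": "compass_alert", "email": "carol@partner.example",
     "source_type": "third_party_breach", "severity": 20,
     "password_plaintext": "Tr0ub4dor&3", "domain_owner_match": False, "log_id": "log-c3"},
    {"event_type": "compass_alert", "email": "dave@corp.example",
     "source_type": "malware", "severity": 25, "password_plaintext": "hunter2",
     "malware_family": "Redline", "domain_owner_match": True, "log_id": "log-a1"},
]


def password_fingerprint(plaintext: str, key: bytes = FINGERPRINT_KEY) -> str:
    """Keyed fingerprint of a recovered password, used only for reuse matching."""
    return hmac.new(key, plaintext.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def redact_for_ticket(alert: dict, key: bytes = FINGERPRINT_KEY) -> dict:
    """Copy of the alert that is safe to put in Jira/ServiceNow: no plaintext."""
    ticket = {k: v for k, v in alert.items() if k != "password_plaintext"}
    if alert.get("password_plaintext"):
        ticket["password_fingerprint"] = password_fingerprint(alert["password_plaintext"], key)
    return ticket


def plan_response(alerts: list, key: bytes = FINGERPRINT_KEY) -> list:
    """Apply the page's playbook rules to a batch of alerts; returns one plan per alert."""
    # Batch-level context: fingerprints shared by more than one identity
    # (password reuse) and log_ids that recur (one stealer log, many victims).
    users_by_fp = defaultdict(set)
    alerts_by_log = defaultdict(int)
    for a in alerts:
        if a.get("password_plaintext"):
            users_by_fp[password_fingerprint(a["password_plaintext"], key)].add(a["email"].lower())
        if a.get("log_id"):
            alerts_by_log[a["log_id"]] += 1

    plans = []
    for a in alerts:
        actions = ["forward_to_siem"]  # always: enrichment and correlation
        if not a.get("domain_owner_match"):
            # Third-party exposure on a domain you do not own: monitor only.
            actions.append("monitor")
            plans.append({"email": a["email"], "actions": actions, "ticket": None})
            continue
        if a.get("severity", 0) >= 20:
            actions.append("create_jira_ticket")
        if a.get("source_type") == "malware":
            actions.append("isolate_device")
        fp = password_fingerprint(a["password_plaintext"], key) if a.get("password_plaintext") else None
        if fp and len(users_by_fp[fp]) > 1:
            actions.append("trigger_iam_rotation")
        if a.get("log_id") and alerts_by_log[a["log_id"]] > 1:
            actions.append("investigate_campaign")
        ticket = redact_for_ticket(a, key) if "create_jira_ticket" in actions else None
        plans.append({"email": a["email"], "actions": actions, "ticket": ticket})
    return plans


if __name__ == "__main__":
    for plan in plan_response(SAMPLE_ALERTS):
        print(plan["email"], "->", ", ".join(plan["actions"]))
```

The reuse and campaign rules are evaluated over the whole batch rather than per alert, which is why the function takes a list: a single alert cannot tell you that two employees share a password or that one log_id is feeding several alerts.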

🔌 Integration Targets


Compass integrates with a wide range of platforms. Use alerts as automation triggers or context enrichments across your stack:

🔍 SIEM

Send Compass alerts to:

  • Splunk
  • Microsoft Sentinel
  • IBM QRadar

⚙️ SOAR

Trigger remediation playbooks via:

  • Cortex XSOAR
  • Tines
  • Swimlane

🛡️ EDR

Use alert context for device isolation or tagging in:

  • Microsoft Defender for Endpoint
  • CrowdStrike Falcon

📝 ITSM / Ticketing

Create auto-tickets in:

  • Jira
  • ServiceNow