Updated on 2024-11-06 GMT+08:00

Configuring Playbooks

Scenarios

This topic describes how to configure the playbook. After you configure this playbook, once this playbook discovers that attacks are approaching servers, it notifies operations personnel.

Prerequisites

  • You have enabled access to HSS and WAF alerts on the SecMaster > Data Integration.

    You have enabled the function to automatically convert logs into alerts for HSS and WAF. For details about how to enable HSS and WAF alert access in SecMaster, see Data Integration.

  • On the Resource Manager page in the current SecMaster workspace, click an asset name. On the asset details page displayed, associate the website asset with the server asset.

Step 1: Create and Subscribe to a Topic

The Attack link analysis alert notification workflow needs to use Simple Message Notification (SMN) to create and subscribe to a notification topic.
  1. Log in to the management console.
  2. In the upper left corner of the page, click and choose Management & Governance > Simple Message Notification.
  3. Create a topic.
    1. In the navigation pane on the left, choose Topic Management > Topics. In the upper right corner of the displayed page, click Create Topic.
    2. In the Create Topic dialog box displayed, configure topic information and click OK.
      • Topic Name: SecMaster-Notification is recommended.
      • Display Name: SecMaster notification topic is recommended.
      • Retain the default settings for other parameters.
  4. Add a subscription.
    1. On the Topics page, locate the row that contains the SecMaster-Notification topic and click Add Subscription in the Operation column.
    2. On the displayed Add Subscription slide-out panel, configure subscription information and click OK.
      • Protocol: Select Email.
      • Endpoint: Enter the email address of the subscription endpoint, for example, username@example.com.

Step 2: Configure and Enable the Playbook

In SecMaster, the initial version (V1) of the Attack link analysis alert notification workflow is enabled by default. You do not need to manually enable it. The initial version (V1) of the attack link analysis alarm notification playbook is also activated by default. To use it, you only need to enable it.
  1. Click in the upper left corner of the page and choose Security & Compliance > SecMaster.
  2. In the navigation pane on the left, choose Workspaces > Management. In the workspace list, click the name of the target workspace.
    Figure 1 Workspace management page
  3. In the navigation pane on the left, choose Security Orchestration > Playbooks.
    Figure 2 Accessing the Playbooks tab
  4. On the Playbooks page, locate the row that contains the Attack link analysis alert notification playbook and click Enable in the Operation column.
  5. In the dialog box displayed, select the initial playbook version v1 and click OK.

Implementation Effect

After the attack link analysis notification playbook is executed, server assets and the website assets will be associated based on corresponding HSS and WAF alerts.

Figure 3 Associated alerts

Comments on the corresponding alert added to the playbook

Figure 4 Comment

Alert notification email sent to specified personnel

Figure 5 Email notifications