Configuring Playbooks
Scenarios
The following describes how to enable this playbook and use it to handle malware and ransomware alerts.
Prerequisites
You have enabled access to HSS alerts and toggled on the automatic converting logs to alerts function on the Data Integration.
page in the current workspace. For details, seeConfiguring and Enabling a Playbook
In SecMaster, the initial version (V1) of the HSS isolation and killing of malware workflow is enabled by default. You do not need to manually enable it. The initial version (V1) of the HSS isolation and killing of malware playbook is also activated by default. To use it, you only need to enable it.
- Log in to the management console.
- Click in the upper left corner of the page and choose Security & Compliance > SecMaster.
- In the navigation pane on the left, choose Workspaces > Management. In the workspace list, click the name of the target workspace.
Figure 2 Workspace management page
- In the navigation pane on the left, choose Security Orchestration > Playbooks.
Figure 3 Accessing the Playbooks tab
- On the Playbooks page, locate the row that contains the HSS isolation and killing of malware playbook and click Enable in the Operation column.
- In the dialog box displayed, select the initial playbook version v1 and click OK.
Implementation Effect
- The malware has been killed and the alert is closed automatically.
Figure 4 Alerts automatically closed
If the malware is isolated and killed, a comment will be left indicating that the alert has been cleared.Figure 5 Comment on succeeded isolation and killing of malware
- If the malware fails to be isolated or killed, a comment will be left indicating that manual handling is required.
Figure 6 Comment on failed isolation and killing of malware
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.