Preconfigured Playbooks

Server security

HSS alert synchronization

Automatically synchronizes HSS alerts generated for servers.

Auto High-Risk Vulnerability Notification

Sends email or SMS notifications to specified recipients when vulnerabilities rated as high severity are discovered.

Attack Link Analysis Alert Notification

Analyzes attack links. If HSS generates an alert for a server, the system checks the website running on the server. If the website information and alert exist, the system sends an alert notification.

Server vulnerability notification

Checks servers with EIPs bound on the resource manager page and notifies of discovered vulnerabilities.

HSS Isolation and Killing of Malware

Automatically isolates and kills malware.

Mining host isolation

Isolates the server for which an alert of mining program or software was generated. The playbook also adds the server into a security group that allows no inbound or outbound traffic.

Ransomware host isolation

Isolates the server for which an alert of ransomware was generated. The playbook also adds the server into a security group that allows no inbound or outbound traffic.

Host Defense Alarms Are Associated With Historical Handling Information

Associates new HSS alerts with HSS alerts handled earlier and adds historical handling details to the comment area for the corresponding HSS alerts.

Add host asset protection status notification

Checks new servers and notifies you of servers unprotected by HSS.

HSS High-Risk Alarm Interception Notification

Checks HSS high-risk alarms and generates to-do task notifications for source IP addresses that are not blocked by security groups. The to-do tasks will be reviewed manually. Once confirmed, the source IP addresses will be added to VPC block policy in SecMaster.

Automated handling of host Rootkit event attacks

If a Rootkit alert is generated, this playbook automatically isolates the affected host by adding it to a security group that blocks all inbound and outbound traffic, and closes the alert.

Automated handling of host rebound Shell attacks

If a reverse shell alert is generated, this playbook automatically isolates the affected host by adding it to a security group that blocks all inbound and outbound traffic, and closes the alert.

Application security

SecMaster WAF Address Group Association Policy

Associates SecMaster and WAF blacklist address groups for all enterprise projects.

WAF clear Non-domain Policy

Checks WAF protection policies at 09:00 every Monday and deletes policies with no rules included.

Application Defense Alarms Are Associated With Historical Handling Information

Associates new WAF alerts with WAF alerts handled earlier and adds historical handling details to the comment area for the new alerts.

Web login burst interception

Checks IP addresses that establish brute-force login connections. If the IP addresses are not whitelisted, the workflow generates a to-do task. The do-to task will be reviewed manually. Once it is confirmed that the IP addresses should be blocked, the IP addresses will be added to a WAF block policy in SecMaster.

O&M security

Real-time Notification of Critical Organization and Management Operations

Sends real-time notifications for O&M alerts generated by models. Currently, SMN notifications can be sent for three key O&M operations: attaching NICs, creating VPC peering connections, and binding EIPs to resources.

Identity security

Identity Defense Alarms Are Associated With Historical Handling Information

Associates new IAM alerts with IAM alerts handled earlier and adds historical handling details to the comment area for the new alerts.

Network security

Network Defense Alarms Are Associated With Historical Handling Information

Associates new CFW alerts with CFW alerts handled earlier and adds historical handling details to the comment area for new alerts.

Others/General

Automatic Notification of High-Risk Alerts

Sends email or SMS notifications when there are alerts rated as High or Fatal.

Alert metric extraction

Extracts IP addresses from alerts, checks the IP addresses against the intelligence system, sets alert indicators for confirmed malicious IP addresses, and associates the indicators with the source alerts.

Automatic Disabling of Repeated Alerts

Closes the status of duplicate alerts when they are generated next time for the last 7 days and associates the alerts with the same name for the last 7 days.

Automatic renaming of alert names

Generates custom alert names by combining specified key fields.

Alert IP metric labeling

Adds attack source IP address and attacked IP address labels for alerts.

IP intelligence association

Associates alerts with SecMaster intelligence (preferred) and ThreatBook intelligence.

Asset Protection Status Statistics Notification

Collects statistics on asset protection status every week and sends notifications to customers by email or SMS.

Alert statistics Notify

At 19:00 every day, collects statistics on alerts that are not cleared and sends notifications to customers by email or SMS.

Auto Blocking for High-risk Alerts

If a source IP address launched more than three attacks, triggered high-risk or critical alerts, and hit the malicious label in ThreatBook, this playbook triggers the corresponding security policies in WAF, VPC, CFW, or IAM to block the IP address.

Automatic clearing of low-risk alerts

This playbook automatically clear low-risk and informative alerts.

CFW Synchronizes Black IP Addresses to Intelligence

This playbook synchronizes the IP address blacklist configured in CFW to the Indicators page in SecMaster.

WAF Synchronizes Black IP Addresses to Intelligence

This playbook synchronizes the IP address blacklist configured in WAF to the Indicators page in SecMaster.