Updated on 2023-12-22 GMT+08:00

Security Orchestration Overview

Security orchestration links the security functions of the different systems, or of the components within one system, that take part in an organization's security operations, connecting them according to defined logic so that together they carry out a specific security operations process. Its purpose is to let security teams respond to network threats quickly and to handle security incidents automatically and efficiently.

It provides the following functions:

  • Playbook management: use the built-in automatic response playbooks or create your own.
  • Workflow: draw the flowchart that a playbook runs when it is triggered.
  • Instance management: monitor and manage running instances and view their execution records.
  • Security Orchestration, Automation and Response (SOAR): orchestrate workflows so that SecMaster handles security incidents and suspicious events automatically.

Limitations and Constraints

  • In a single workspace of an account, a playbook can be scheduled at most once every 5 minutes; the scheduling interval must be 5 minutes or longer.
  • The maximum number of retries per day in a single workspace of an account is as follows:
    • Manual retry: 100. Once a retry is started, the playbook cannot be retried again until that execution has completed.
    • API retry: 100. Once a retry is started, the playbook cannot be retried again until that execution has completed.
  • Restrictions on classification and mapping are as follows:
    • A single workspace of an account can hold at most 50 classification & mapping templates.
    • In a single workspace of an account, each classification can have up to 100 mappings (a ratio of 1:100).
    • A single workspace of an account can hold at most 100 classifications and mappings in total.

Basic Concepts

  • Playbook

    A playbook is the formal expression of a security operations workflow in the security orchestration system. It is normally executed by the workflow engine in the orchestrator.

    Orchestrating a playbook means turning a manual security operations workflow, together with the software it uses, into a playbook the machine can execute.

  • Workflow

    A workflow is a collaborative working mode that integrates the tools, technologies, processes, and personnel involved in security operations. It is the response flow that runs when a playbook is triggered.

    It combines the API-enabled security capabilities (applications) in SecMaster with manual checkpoints, linked by defined logic, to carry out a specific security operations process.
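The concepts above (a playbook executed by a workflow engine, API-enabled capabilities combined with manual checkpoints through defined logic, and instances whose records can be inspected), together with the scheduling-interval and retry constraints from the Limitations section, as one added Python illustration. This is example code written for this page, not SecMaster's own code or API: the threat-intelligence lookup and the host-isolation step are constructed stand-ins for API-enabled capabilities, the incident data is made up, and names such as `Step`, `Playbook`, `Instance`, `Scheduler`, `refused` and `demo` are assumptions of the example rather than SecMaster identifiers.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, Optional

MIN_SCHEDULE_INTERVAL = timedelta(minutes=5)  # page: interval >= 5 min per playbook
MAX_RETRIES_PER_DAY = 100                     # page: 100 manual or API retries per day

@dataclass
class Step:
    action: Optional[Callable[[dict], dict]]  # None marks a manual checkpoint
    route: Callable[[dict], Optional[str]]    # returns the next step name, or None to finish

@dataclass
class Playbook:
    name: str
    entry: str
    steps: Dict[str, Step]

class Instance:  # one execution of a playbook; `records` is what instance management lists
    def __init__(self, pb: Playbook, incident: dict):
        self.pb, self.ctx, self.current = pb, dict(incident), pb.entry
        self.state, self.records = "running", []

    def run(self) -> str:
        while self.state == "running":
            step = self.pb.steps[self.current]
            if step.action is None:  # manual checkpoint: pause until an analyst decides
                self.state = "waiting_manual"
                break
            self.ctx.update(step.action(self.ctx))  # call the API-enabled capability
            self.records.append((self.current, "ok"))
            self._advance(step)
        return self.state

    def decide(self, approved: bool) -> str:  # resume a paused instance with the decision
        if self.state != "waiting_manual":
            raise RuntimeError("instance is not waiting for a decision")
        self.ctx["approved"] = approved
        self.records.append((self.current, "approved" if approved else "rejected"))
        self.state = "running"
        self._advance(self.pb.steps[self.current])
        return self.run()

    def _advance(self, step: Step) -> None:  # follow the routing edge out of a step
        nxt = step.route(self.ctx)
        self.state, self.current = ("completed", self.current) if nxt is None else ("running", nxt)

class Scheduler:  # enforces the interval and daily retry quota stated on the page
    def __init__(self):
        self.last_run: Dict[str, datetime] = {}
        self.retries: Dict[tuple, int] = {}
        self.active: Dict[str, Instance] = {}

    def start(self, pb: Playbook, incident: dict, now: datetime) -> Instance:
        last = self.last_run.get(pb.name)
        if last is not None and now - last < MIN_SCHEDULE_INTERVAL:
            raise RuntimeError("scheduling interval below 5 minutes")
        self.last_run[pb.name] = now
        return self._launch(pb, incident)

    def retry(self, pb: Playbook, incident: dict, now: datetime) -> Instance:
        prev, key = self.active.get(pb.name), (pb.name, now.date())
        if prev is not None and prev.state in ("running", "waiting_manual"):
            raise RuntimeError("current execution is not complete")
        if self.retries.get(key, 0) >= MAX_RETRIES_PER_DAY:
            raise RuntimeError("daily retry limit reached")
        self.retries[key] = self.retries.get(key, 0) + 1
        return self._launch(pb, incident)

    def _launch(self, pb: Playbook, incident: dict) -> Instance:
        self.active[pb.name] = inst = Instance(pb, incident)
        inst.run()
        return inst

THREAT_INTEL = {"203.0.113.7": "malicious"}  # constructed sample data, not a real feed
# Constructed playbook: the lambdas stand in for API-enabled capabilities, not SecMaster APIs.
HOST_ISOLATION = Playbook("host-isolation", "enrich", {
    "enrich": Step(lambda c: {"reputation": THREAT_INTEL.get(c["src_ip"], "unknown")},
                   lambda c: "approve" if c["reputation"] == "malicious" else "close"),
    "approve": Step(None, lambda c: "isolate" if c["approved"] else "close"),
    "isolate": Step(lambda c: {"isolated": c["host"]}, lambda c: "close"),
    "close": Step(lambda c: {"status": "closed"}, lambda c: None),
})

def refused(fn, *args) -> bool:  # True when the scheduler rejects the call
    try:
        return fn(*args) is None
    except RuntimeError:
        return True

def demo() -> dict:
    sched, t0 = Scheduler(), datetime(2023, 12, 22, 9, 0)
    incident = {"src_ip": "203.0.113.7", "host": "web-01"}  # constructed incident
    inst = sched.start(HOST_ISOLATION, incident, t0)
    too_soon = refused(sched.start, HOST_ISOLATION, incident, t0 + timedelta(minutes=1))
    retry_blocked = refused(sched.retry, HOST_ISOLATION, incident, t0)  # instance still paused
    paused, final = inst.state, inst.decide(approved=True)
    return {"paused": paused, "final": final, "too_soon": too_soon, "retry_blocked": retry_blocked,
            "isolated": inst.ctx.get("isolated"), "steps": [s for s, _ in inst.records]}
```

Calling `demo()` runs the host-isolation playbook against the constructed incident: it pauses at the `approve` checkpoint, shows that both a second start within 5 minutes and a retry while the instance is still waiting on the analyst are refused, then completes once the analyst approves. The retry counter is keyed by playbook and calendar day, matching the per-day limit on the page, and the "no retry until the current execution completes" rule treats an instance parked at a manual checkpoint as still executing.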