Built-in Playbooks, Workflows, and Asset Connections
In the security orchestration module, SecMaster provides built-in playbooks, workflows, and asset connections. You can use them without additional configuration.
Built-in Playbooks

| Security Layer | Playbook Name | Description | Data Class |
|---|---|---|---|
| Server security | HSS alert synchronization | Automatically synchronizes HSS alerts generated for servers. | Alert |
| Server security | Automatic notification of high-risk vulnerabilities | Sends email or SMS notifications to specified recipients when vulnerabilities rated as high severity are discovered. | Vulnerability |
| Server security | Attack link analysis alert notification | Analyzes attack links. If HSS generates an alert for a server, the system checks the website running on the server. If the website information and alert exist, the system sends an alert notification. | Alert |
| Server security | Server vulnerability notification | Checks servers with EIPs bound on the resource manager page and notifies of discovered vulnerabilities. | CommonContext |
| Server security | HSS isolation and killing of malware | Automatically isolates and kills malware. | Alert |
| Application security | Automatic blocking of attacks with WAF | Confirms malicious source IP addresses and blocks them with WAF. | Alert |
| Application security | SecMaster WAF Address Group Association Policy | Associates an address group specified by SecMaster with WAF blacklist (IP address group blacklist) rules for all enterprise projects to block the IP addresses in the address group. | CommonContext |
| Others/General | Automatic notification of high-risk alerts | Sends email or SMS notifications when there are alerts rated as High or Fatal. | Alert |
| Others/General | Alert metric extraction | Extracts IP addresses from alerts, checks them against the intelligence system, sets alert indicators for confirmed malicious IP addresses, and associates the indicators with the source alerts. | Alert |
| Others/General | Automatic disabling of repeated alerts | Closes duplicate alerts when they recur within the last 7 days and associates them with alerts of the same name from the last 7 days. | Alert |
| Others/General | Automatic renaming of alert names | Generates custom alert names by combining specified key fields. | Alert |
| Others/General | Alert IP metric labeling | Adds attack source IP address and attacked IP address labels to alerts. | Alert |
| Others/General | Associates with internal and external IP address reputation intelligence | Associates alerts with SecMaster intelligence first, then with ThreatBook intelligence. | Alert |
Built-in Workflows

| Security Layer | Workflow Name | Description | Data Class |
|---|---|---|---|
| Server security | HSS alert synchronization | Automatically synchronizes HSS alerts generated for servers. | Alert |
| Server security | Automatic notification of high-risk vulnerabilities | Sends email or SMS notifications to specified recipients when vulnerabilities rated as high severity are discovered. | Vulnerability |
| Server security | Vulnerability handling | Invokes the HSS interface for fixing vulnerabilities. | Vulnerability |
| Server security | Policy management – Security group blocking | Adds the target IP address to all security groups. | Policy |
| Server security | Policy management – Security group blocking cancellation | Removes the target IP address from all security groups. | Policy |
| Server security | One-click host isolation | Isolates all ports on the target server. | Alert |
| Server security | One-click host de-isolation | Removes the target servers from the security groups that block them. | Alert |
| Server security | Attack link analysis alert notification | Analyzes attack links and generates alerts when attacks are found on websites running on the affected servers. | Alert |
| Server security | Server vulnerability notification | Checks servers with EIPs bound on the resource manager page and notifies of discovered vulnerabilities. | CommonContext |
| Server security | HSS isolation and killing of malware | Automatically isolates and kills malware. | Alert |
| Application security | One-click WAF blocking | Blocks target IP addresses in all WAF policies in the current account. | Alert |
| Application security | One-click WAF unblocking | Unblocks the target IP addresses from a specific policy group in the WAF in the current account. | Alert |
| Application security | Automatic blocking of attacks with WAF | Confirms malicious source IP addresses and blocks them with WAF. | Alert |
| Application security | Policy management – WAF blocking | Adds target IP addresses to a WAF blacklist. | Policy |
| Application security | Policy management – Cancel WAF blocking | Removes target IP addresses from a WAF blacklist. | Policy |
| Application security | WAF address group policy | Applies WAF whitelist or blacklist rules to WAF address groups specified by SecMaster. | CommonContext |
| Network security | One-click CFW blocking | Adds target IP addresses to a CFW blacklist. | Alert |
| Network security | One-click CFW unblocking | Removes target IP addresses from a CFW blacklist. | Alert |
| Network security | Policy management – CFW blocking | Adds target IP addresses to a CFW blacklist. | Policy |
| Network security | Policy management – Cancel CFW blocking | Removes target IP addresses from a CFW blacklist. | Policy |
| Others/General | Automatic notification of high-risk alerts | Sends email or SMS notifications when there are alerts rated as High or Fatal. | Alert |
| Others/General | Alert metric extraction | Extracts IP addresses from alerts, checks them against ThreatBook, sets the confirmed malicious IP addresses as threat indicators, and associates the indicators with the alerts. | Alert |
| Others/General | Automatic disabling of repeated alerts | Closes duplicate alerts when they recur within the last 7 days and associates them with alerts of the same name from the last 7 days. | Alert |
| Others/General | Automatic renaming of alert names | Generates custom alert names by combining specified key fields. | Alert |
| Others/General | Adding IP address to alert | Adds attack source IP address and attacked IP address labels to alerts. | Alert |
| Others/General | One-click unblocking | Applies unblocking processes based on the alert's data source product. | Alert |
| Others/General | One-click blocking | Applies blocking processes based on the alert's data source product. | Alert |
| Others/General | SecMaster report notification | Sends SecMaster daily reports to subscribers on a schedule or manually. | CommonContext |
| Others/General | IP intelligence association | Associates alerts with SecMaster intelligence first, then with ThreatBook intelligence. | Alert |
Built-in Asset Connections

| Connection Name | Plugin | Connection Method |
|---|---|---|
| CFW authentication token | HTTP | Cloud service delegation |
| CFW-certified asset | CFW | Cloud service delegation |
| DBSS authentication token | DBSS | Cloud service delegation |
| ECS authentication token | ECS | Cloud service delegation |
| EIP authentication token | EIP | Cloud service delegation |
| EPS authentication token | HTTP | Username and password |
| HSS authentication token | HTTP | Cloud service delegation |
| HSS authentication token | HSS | Cloud service delegation |
| HTTP Default Asset | HTTP | Cloud service delegation |
| IAM authentication token | IAM | Cloud service delegation |
| OBS authentication token | OBS | AK&SK |
| RDS authentication token | RDS | Cloud service delegation |
| SecMaster authentication token | HTTP | Cloud service delegation |
| SecMaster layout information token | HTTP | Cloud service delegation |
| SMN authentication token | SMN | Cloud service delegation |
| VPC authentication | VPC | Cloud service delegation |
| WAF authentication token | HTTP | Cloud service delegation |
| WAF-certified asset | WAF | Cloud service delegation |
| Alert handling method set | SecMasterBiz | -- |
| threatbook authentication token | ThreatBook | Other |
| General tool method set | SecMasterUtilities | -- |
| SMN notification token for handling personnel | HTTP | Cloud service delegation |
| SMN notification token for operational personnel | HTTP | Cloud service delegation |