Built-in Playbooks
In security orchestration module, SecMaster provides built-in playbooks. You can use them without extra settings.
Built-in Playbooks
The following playbooks are enabled by default:
HSS alert status synchronization, automatic notification of high-risk vulnerabilities, historical handling information associated with host defense alarms, SecMaster and WAF address group association policy, historical handling information associated with application defense alarms, historical handling information associated with network defense alarms, automatic closure of repeated alarms, and alarm IP metric marking Asset protection status statistics notification, automatic alarm statistics notification, and automatic high-risk alarm notification
Security Layer |
Playbook Name |
Description |
Data Class |
---|---|---|---|
Server security |
HSS alert synchronization |
Automatically synchronizes HSS alerts generated for servers. |
Alert |
Auto High-Risk Vulnerability Notification |
Sends email or SMS notifications to specified recipients when vulnerabilities rated as high severity are discovered. |
Vulnerability |
|
Attack Link Analysis Alert Notification |
Analyzes attack links. If HSS generates an alert for a server, the system checks the website running on the server. If the website information and alert exist, the system sends an alert notification. |
Alert |
|
Server vulnerability notification |
Checks servers with EIPs bound on the resource manager page and notifies of discovered vulnerabilities. |
CommonContext |
|
HSS Isolation and Killing of Malware |
Automatically isolates and kills malware. |
Alert |
|
Mining host isolation |
Isolates the server for which an alert of mining program or software was generated. The playbook also adds the server into a security group that allows no inbound or outbound traffic. |
Alert |
|
Ransomware host isolation |
Isolates the server for which an alert of ransomware was generated. The playbook also adds the server into a security group that allows no inbound or outbound traffic. |
Alert |
|
Host Defense Alarms Are Associated With Historical Handling Information |
Associates new HSS alerts with HSS alerts handled earlier and adds historical handling details to the comment area for the corresponding HSS alerts. |
Alert |
|
Add host asset protection status notification |
Checks new servers and notifies you of servers unprotected by HSS. |
Resource |
|
HSS High-Risk Alarm Interception Notification |
Checks HSS high-risk alarms and generates to-do task notifications for source IP addresses that are not blocked by security groups. The to-do tasks will be reviewed manually. Once confirmed, the source IP addresses will be added to VPC block policy in SecMaster. |
Alert |
|
Automated handling of host Rootkit event attacks |
If a Rootkit alert is generated, this playbook automatically isolates the affected host by adding it to a security group that blocks all inbound and outbound traffic, and closes the alert. |
Alert |
|
Automated handling of host rebound Shell attacks |
If a reverse shell alert is generated, this playbook automatically isolates the affected host by adding it to a security group that blocks all inbound and outbound traffic, and closes the alert. |
Alert |
|
Application security |
SecMaster WAF Address Group Association Policy |
Associates SecMaster and WAF blacklist address groups for all enterprise projects. |
CommonContext |
WAF clear Non-domain Policy |
Checks WAF protection policies at 09:00 every Monday and deletes policies with no rules included. |
CommonContext |
|
Application Defense Alarms Are Associated With Historical Handling Information |
Associates new WAF alerts with WAF alerts handled earlier and adds historical handling details to the comment area for the new alerts. |
Alert |
|
Web login burst interception |
Checks IP addresses that establish brute-force login connections. If the IP addresses are not whitelisted, the workflow generate a to-do task. The do-to task will be reviewed manually. Once it is confirmed that the IP addresses should be blocked, the IP addresses will be added to a WAF block policy in SecMaster. |
Alert |
|
O&M security |
Real-time Notification of Critical Organization and Management Operations |
Sends real-time notifications for O&M alerts generated by models. Currently, SMN notifications can be sent for three key O&M operations: attaching NICs, creating VPC peering connections, and binding EIPs to resources. |
Alert |
Identity security |
Identity Defense Alarms Are Associated With Historical Handling Information |
Associates new IAM alerts with IAM alerts handled earlier and adds historical handling details to the comment area for the new alerts. |
Alert |
Network security |
Network Defense Alarms Are Associated With Historical Handling Information |
Associates new CFW alerts with CFW alerts handled earlier and adds historical handling details to the comment area for new alerts. |
Alert |
Others/General |
Automatic Notification of High-Risk Alerts |
Sends email or SMS notifications when there are alerts rated as High or Fatal. |
Alert |
Alert metric extraction |
Extracts IP addresses from alerts, checks the IP addresses against the intelligence system, sets alert indicators for confirmed malicious IP addresses, and associates the indicators with the source alerts. |
Alert |
|
Automatic Disabling of Repeated Alerts |
Closes the status of duplicate alerts when they are generated next time for the last 7 days and associates the alerts with the same name for the last 7 days. |
Alert |
|
Automatic renaming of alert names |
Generates custom alert names by combining specified key fields. |
Alert |
|
Alert IP metric labeling |
Adds attack source IP address and attacked IP address labels for alerts. |
Alert |
|
IP intelligence association |
Associates alerts with SecMaster intelligence (preferred) and ThreatBook intelligence. |
Alert |
|
Asset Protection Status Statistics Notification |
Collects statistics on asset protection status every week and sends notifications to customers by email or SMS. |
CommonContext |
|
Alert statistics Notify |
At 19:00 every day, collects statistics on alerts that are not cleared and sends notifications to customers by email or SMS. |
Alert |
|
Auto Blocking for High-risk Alerts |
If a source IP address launched more than three attacks, triggered high-risk or critical alerts, and hit the malicious label in ThreatBook, this playbook triggers the corresponding security policies in WAF, VPC, CFW, or IAM to block the IP address. |
Alert |
|
Automatic clearing of low-risk alerts |
This playbook automatically clear low-risk and informative alerts. |
Alert |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot