Built-in Playbooks and Workflows
In security orchestration module, SecMaster provides built-in playbooks and workflows. You can use them without extra settings.
Built-in Playbooks
The following playbooks are enabled by default:
HSS alert status synchronization, automatic notification of high-risk vulnerabilities, historical handling information associated with host defense alarms, SecMaster and WAF address group association policy, historical handling information associated with application defense alarms, historical handling information associated with network defense alarms, automatic closure of repeated alarms, and alarm IP metric marking Asset protection status statistics notification, automatic alarm statistics notification, and automatic high-risk alarm notification
Security Layer |
Playbook Name |
Description |
Data Class |
|---|---|---|---|
Server security |
HSS alert synchronization |
Automatically synchronizes HSS alerts generated for servers. |
Alert |
Automatic notification of high-risk vulnerabilities |
Sends email or SMS notifications to specified recipients when vulnerabilities rated as high severity are discovered. |
Vulnerability |
|
Attack link analysis alert notification |
Analyzes attack links. If HSS generates an alert for a server, the system checks the website running on the server. If the website information and alert exist, the system sends an alert notification. |
Alert |
|
Server vulnerability notification |
Checks servers with EIPs bound on the resource manager page and notifies of discovered vulnerabilities. |
CommonContext |
|
HSS isolation and killing of malware |
Automatically isolates and kills malware. |
Alert |
|
Mining host isolation |
Isolates the server for which an alert of mining program or software was generated. The playbook also adds the server into a security group that allows no inbound or outbound traffic. |
Alert |
|
Ransomware host isolation |
Isolates the server for which an alert of ransomware was generated. The playbook also adds the server into a security group that allows no inbound or outbound traffic. |
Alert |
|
Host Defense Alarms Are Associated With Historical Handling Information |
Associates new HSS alerts with HSS alerts handled earlier and adds historical handling details to the comment area for the corresponding HSS alerts. |
Alert |
|
Application security |
SecMaster WAF Address Group Association Policy |
Associates an address group specified by SecMaster with WAF blacklist (IP address group blacklist) rules for all enterprise projects to block IP addresses in the address group. |
CommonContext |
WAF clear Non-domain Policy |
Checks WAF protection policies at 09:00 every Monday and deletes policies with no rules included. |
CommonContext |
|
Application Defense Alarms Are Associated With Historical Handling Information |
Associates new WAF alerts with WAF alerts handled earlier and adds historical handling details to the comment area for the new alerts. |
Alert |
|
O&M security |
Real-time notification of critical Organization and Management operations |
Sends real-time notifications for O&M alerts generated by models. Currently, SMN notifications can be sent for three key O&M operations: attaching NICs, creating VPC peering connections, and binding EIPs to resources. |
Alert |
Identity security |
Identity Defense Alarms Are Associated With Historical Handling Information |
Associates new IAM alerts with IAM alerts handled earlier and adds historical handling details to the comment area for the new alerts. |
Alert |
Network security |
Network Defense Alarms Are Associated With Historical Handling Information |
Associates new CFW alerts with CFW alerts handled earlier and adds historical handling details to the comment area for new alerts. |
Alert |
Others/General |
Automatic notification of high-risk alerts |
Sends email or SMS notifications when there are alerts rated as High or Fatal. |
Alert |
Alert metric extraction |
Extracts IP addresses from alerts, checks the IP addresses against the intelligence system, sets alert indicators for confirmed malicious IP addresses, and associates the indicators with the source alerts. |
Alert |
|
Automatic disabling of repeated alerts |
Associates the alerts with the same names and close the duplicated ones generated within the past seven days. |
Alert |
|
Automatic renaming of alert names |
Generates custom alert names by combining specified key fields. |
Alert |
|
Alert IP metric labeling |
Adds attack source IP address and attacked IP address labels for alerts. |
Alert |
|
IP intelligence association |
Associates alerts with SecMaster intelligence first and ThreatBook intelligence. |
Alert |
|
Asset Protection Status Statistics Notification |
Collects statistics on asset protection status every week and sends notifications to customers by email or SMS. |
CommonContext |
|
Alert statistics Notify |
At 19:00 every day, collects statistics on alerts that are not cleared and sends notifications to customers by email or SMS. |
Alert |
|
Automatic security blocking of high-risk alerts |
If a source IP address launched more than three attacks, triggered high-risk or critical alerts, and hit the malicious label in ThreatBook, this playbook triggers the corresponding security policies in WAF, VPC, CFW, or IAM to block the IP address. |
Alert |
Built-in Workflows
Security Layer |
Workflow Name |
Description |
Data Class |
|---|---|---|---|
Server security |
HSS alert synchronization |
Automatically synchronizes HSS alerts generated for servers. |
Alert |
Automatic notification of high-risk vulnerabilities |
Sends email or SMS notifications to specified recipients when vulnerabilities rated as high severity are discovered. |
Vulnerability |
|
Vulnerability handling |
Invokes the HSS Interface for fixing vulnerabilities. |
Vulnerability |
|
Policy management – Security group blocking |
Adds the target IP address to all security groups. |
Policy |
|
Policy management – Security group blocking cancellation |
Removes the target IP address from all security groups. |
Policy |
|
One-click host isolation |
Isolates all ports on the target server. |
Alert |
|
One-click host de-isolation |
Releases the target servers from the isolation security group. |
Alert |
|
Attack link analysis alert notification |
Analyzes attack link and generates alerts when attacks found on websites running on the affected servers. |
Alert |
|
Server vulnerability notification |
Checks servers with EIPs bound on the resource manager page and notifies of discovered vulnerabilities. |
CommonContext |
|
HSS isolation and killing of malware |
Automatically isolates and kills malware. |
Alert |
|
Host Defense Alarms Are Associated With Historical Handling Information |
Parent workflow. This workflow determines which type of child workflow needs to be invoked based on HSS alerts. The workflow also associates new alerts with historical alerts and adds handling details to the comment area. The following child workflows may be invoked: Host defense alarms are associated with historical handling information - Threat Modeling - Process, Host defense alarms are associated with historical handling information - Threat Modeling - Login, and Host defense alarms are associated with historical handling information - Automatic conversion to alerts. |
Alert |
|
Host defense alarms are associated with historical handling information - Threat Modeling - Process |
A child workflow. This workflow associates process alerts constructed in threat modeling with historical handling details and adds them to the comment area for the alerts. |
Alert |
|
Host defense alarms are associated with historical handling information - Threat Modeling - Login |
A child workflow. This workflow associates login alerts constructed in threat modeling with historical handling details and adds them to the comment area for the alerts. |
Alert |
|
Host Defense Alarms Are Associated With Historical Handling Information - Automatic conversion to alerts. |
A child workflow. This workflow associates HSS alerts that are automatically converted to SecMaster alerts with historical handling details and add them to the comment area for such SecMaster alerts. |
Alert |
|
Host isolation - Malware |
If suspicious malware (such as ransomware and mining) was detected on a server, a manual review is triggered. The malware details (such as the type, affected server, process command, and file path) are displayed for operation personnel to review. If the malware is confirmed, affected servers will be isolated automatically. |
Alert |
|
Application security |
One-click WAF blocking |
Blocks target IP addresses in all policies in WAF in the current account. |
Alert |
One-click WAF unblocking |
Unblocks the target IP addresses from a specific policy group in the WAF in the current account. |
Alert |
|
Policy management – WAF blocking |
Adds target IP addresses to a WAF blacklist. |
Policy |
|
Policy management – Cancel WAF blocking |
Removes target IP addresses from a WAF blacklist. |
Policy |
|
WAF address group policy |
Applies WAF whitelist or blacklist rules to WAF address groups specified by SecMaster. |
CommonContext |
|
Application Defense Alarms Are Associated With Historical Handling Information |
Associates WAF alerts with alerts handled earlier and adds historical handling details to the comment area for new alerts. |
Alert |
|
WAF clear Non-domain Policy |
Checks WAF protection policies at 09:00 every Monday and deletes policies with no rules included. |
CommonContext |
|
Network security |
One-click CFW blocking |
Adds target IP addresses to a CFW blacklist. |
Alert |
One-click CFW unblocking |
Removes target IP addresses from a CFW blacklist. |
Alert |
|
Policy management – CFW blocking |
Adds target IP addresses to a CFW blacklist. |
Policy |
|
Policy management – Cancel CFW blocking |
Removes target IP addresses from a CFW blacklist. |
Policy |
|
Network Defense Alarms Are Associated With Historical Handling Information |
Associates CFW alerts with alerts handled earlier and adds historical handling details to the comment area for new alerts. |
Alert |
|
Identity authentication |
Identity Defense Alarms Are Associated With Historical Handling Information |
Associates IAM alerts with alerts handled earlier and adds historical handling details to the comment area for new alerts. |
Alert |
Policy Management – IAM blocking (IAM interception for policy delivery) |
Triggers emergency policies and changes the status of an IAM user to Disabled. |
Policy |
|
Policy management – Cancel IAM blocking (Policy Delivery IAM Decapsulation) |
Triggers emergency policies and changes the status of an IAM user to Enabled. |
Policy |
|
Others/General |
Automatic notification of high-risk alerts |
Sends email or SMS notifications when there are alerts rated as High or Fatal. |
Alert |
Alert metric extraction |
Extracts IP addresses from alerts, verifies them the IP addresses against Threat Book, sets the confirmed malicious IP addresses as threat indicators, and associates indicators with alerts. |
Alert |
|
Automatic disabling of repeated alerts |
Associates the alerts with the same names and close the duplicated ones generated within the past seven days. |
Alert |
|
Automatic renaming of alert names |
Generates custom alert names by combining specified key fields. |
Alert |
|
Adding IP address to alert |
Adds attack source IP address and attacked IP address labels for alerts. |
Alert |
|
One-click unblocking |
Applies unblocking workflows based on alert data source products. |
Alert |
|
One-click blocking |
Applies blocking workflows based on alert data source products. |
Alert |
|
IP intelligence association |
Associates alerts with SecMaster intelligence first and ThreatBook intelligence. |
Alert |
|
Asset Protection Status Statistics Notification |
Collects statistics on asset protection status every week and sends notifications to customers by email or SMS. |
CommonContext |
|
Alert statistics Notify |
At 19:00 every day, collects statistics on alerts that are not cleared and sends notifications to customers by email or SMS. |
Alert |
|
Automatic security blocking of high-risk alerts |
If a source IP address launched more than three attacks, triggered high-risk or critical alerts, and hit the malicious label in ThreatBook, this playbook triggers the corresponding security policies in WAF, VPC, CFW, or IAM to block the IP address. |
CommonContext |
|
Real-time Close Alert Automatically |
Clears the current alert. |
CommonContext |
|
Real-time notification of critical Organization and Management operations |
Sends real-time notifications for O&M alerts generated by models. Currently, SMN notifications can be sent for three key O&M operations: attaching NICs, creating VPC peering connections, and binding EIPs to resources. |
Alert |
|
Querying historical alarms |
Associates an alert with the child workflow that is used to handle similar alerts before. Queries comments for historical alerts for a specified period of time and returns de-duplicated comments. |
CommonContext |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
