Help Center> SecMaster> User Guide> Security Orchestration> Built-in Playbooks and Workflows
Updated on 2024-06-07 GMT+08:00

Built-in Playbooks and Workflows

In security orchestration module, SecMaster provides built-in playbooks and workflows. You can use them without extra settings.

Built-in Playbooks

The following playbooks are enabled by default:

HSS alert status synchronization, automatic notification of high-risk vulnerabilities, historical handling information associated with host defense alarms, SecMaster and WAF address group association policy, historical handling information associated with application defense alarms, historical handling information associated with network defense alarms, automatic closure of repeated alarms, and alarm IP metric marking Asset protection status statistics notification, automatic alarm statistics notification, and automatic high-risk alarm notification

Table 1 Built-in playbooks

Security Layer

Playbook Name

Description

Data Class

Server security

HSS alert synchronization

Automatically synchronizes HSS alerts generated for servers.

Alert

Automatic notification of high-risk vulnerabilities

Sends email or SMS notifications to specified recipients when vulnerabilities rated as high severity are discovered.

Vulnerability

Attack link analysis alert notification

Analyzes attack links. If HSS generates an alert for a server, the system checks the website running on the server. If the website information and alert exist, the system sends an alert notification.

Alert

Server vulnerability notification

Checks servers with EIPs bound on the resource manager page and notifies of discovered vulnerabilities.

CommonContext

HSS isolation and killing of malware

Automatically isolates and kills malware.

Alert

Mining host isolation

Isolates the server for which an alert of mining program or software was generated. The playbook also adds the server into a security group that allows no inbound or outbound traffic.

Alert

Ransomware host isolation

Isolates the server for which an alert of ransomware was generated. The playbook also adds the server into a security group that allows no inbound or outbound traffic.

Alert

Host Defense Alarms Are Associated With Historical Handling Information

Associates new HSS alerts with HSS alerts handled earlier and adds historical handling details to the comment area for the corresponding HSS alerts.

Alert

Application security

SecMaster WAF Address Group Association Policy

Associates an address group specified by SecMaster with WAF blacklist (IP address group blacklist) rules for all enterprise projects to block IP addresses in the address group.

CommonContext

WAF clear Non-domain Policy

Checks WAF protection policies at 09:00 every Monday and deletes policies with no rules included.

CommonContext

Application Defense Alarms Are Associated With Historical Handling Information

Associates new WAF alerts with WAF alerts handled earlier and adds historical handling details to the comment area for the new alerts.

Alert

O&M security

Real-time notification of critical Organization and Management operations

Sends real-time notifications for O&M alerts generated by models. Currently, SMN notifications can be sent for three key O&M operations: attaching NICs, creating VPC peering connections, and binding EIPs to resources.

Alert

Identity security

Identity Defense Alarms Are Associated With Historical Handling Information

Associates new IAM alerts with IAM alerts handled earlier and adds historical handling details to the comment area for the new alerts.

Alert

Network security

Network Defense Alarms Are Associated With Historical Handling Information

Associates new CFW alerts with CFW alerts handled earlier and adds historical handling details to the comment area for new alerts.

Alert

Others/General

Automatic notification of high-risk alerts

Sends email or SMS notifications when there are alerts rated as High or Fatal.

Alert

Alert metric extraction

Extracts IP addresses from alerts, checks the IP addresses against the intelligence system, sets alert indicators for confirmed malicious IP addresses, and associates the indicators with the source alerts.

Alert

Automatic disabling of repeated alerts

Associates the alerts with the same names and close the duplicated ones generated within the past seven days.

Alert

Automatic renaming of alert names

Generates custom alert names by combining specified key fields.

Alert

Alert IP metric labeling

Adds attack source IP address and attacked IP address labels for alerts.

Alert

IP intelligence association

Associates alerts with SecMaster intelligence first and ThreatBook intelligence.

Alert

Asset Protection Status Statistics Notification

Collects statistics on asset protection status every week and sends notifications to customers by email or SMS.

CommonContext

Alert statistics Notify

At 19:00 every day, collects statistics on alerts that are not cleared and sends notifications to customers by email or SMS.

Alert

Automatic security blocking of high-risk alerts

If a source IP address launched more than three attacks, triggered high-risk or critical alerts, and hit the malicious label in ThreatBook, this playbook triggers the corresponding security policies in WAF, VPC, CFW, or IAM to block the IP address.

Alert

Built-in Workflows

Table 2 Built-in workflows

Security Layer

Workflow Name

Description

Data Class

Server security

HSS alert synchronization

Automatically synchronizes HSS alerts generated for servers.

Alert

Automatic notification of high-risk vulnerabilities

Sends email or SMS notifications to specified recipients when vulnerabilities rated as high severity are discovered.

Vulnerability

Vulnerability handling

Invokes the HSS Interface for fixing vulnerabilities.

Vulnerability

Policy management – Security group blocking

Adds the target IP address to all security groups.

Policy

Policy management – Security group blocking cancellation

Removes the target IP address from all security groups.

Policy

One-click host isolation

Isolates all ports on the target server.

Alert

One-click host de-isolation

Releases the target servers from the isolation security group.

Alert

Attack link analysis alert notification

Analyzes attack link and generates alerts when attacks found on websites running on the affected servers.

Alert

Server vulnerability notification

Checks servers with EIPs bound on the resource manager page and notifies of discovered vulnerabilities.

CommonContext

HSS isolation and killing of malware

Automatically isolates and kills malware.

Alert

Host Defense Alarms Are Associated With Historical Handling Information

Parent workflow. This workflow determines which type of child workflow needs to be invoked based on HSS alerts. The workflow also associates new alerts with historical alerts and adds handling details to the comment area. The following child workflows may be invoked: Host defense alarms are associated with historical handling information - Threat Modeling - Process, Host defense alarms are associated with historical handling information - Threat Modeling - Login, and Host defense alarms are associated with historical handling information - Automatic conversion to alerts.

Alert

Host defense alarms are associated with historical handling information - Threat Modeling - Process

A child workflow. This workflow associates process alerts constructed in threat modeling with historical handling details and adds them to the comment area for the alerts.

Alert

Host defense alarms are associated with historical handling information - Threat Modeling - Login

A child workflow. This workflow associates login alerts constructed in threat modeling with historical handling details and adds them to the comment area for the alerts.

Alert

Host Defense Alarms Are Associated With Historical Handling Information - Automatic conversion to alerts.

A child workflow. This workflow associates HSS alerts that are automatically converted to SecMaster alerts with historical handling details and add them to the comment area for such SecMaster alerts.

Alert

Host isolation - Malware

If suspicious malware (such as ransomware and mining) was detected on a server, a manual review is triggered. The malware details (such as the type, affected server, process command, and file path) are displayed for operation personnel to review. If the malware is confirmed, affected servers will be isolated automatically.

Alert

Application security

One-click WAF blocking

Blocks target IP addresses in all policies in WAF in the current account.

Alert

One-click WAF unblocking

Unblocks the target IP addresses from a specific policy group in the WAF in the current account.

Alert

Policy management – WAF blocking

Adds target IP addresses to a WAF blacklist.

Policy

Policy management – Cancel WAF blocking

Removes target IP addresses from a WAF blacklist.

Policy

WAF address group policy

Applies WAF whitelist or blacklist rules to WAF address groups specified by SecMaster.

CommonContext

Application Defense Alarms Are Associated With Historical Handling Information

Associates WAF alerts with alerts handled earlier and adds historical handling details to the comment area for new alerts.

Alert

WAF clear Non-domain Policy

Checks WAF protection policies at 09:00 every Monday and deletes policies with no rules included.

CommonContext

Network security

One-click CFW blocking

Adds target IP addresses to a CFW blacklist.

Alert

One-click CFW unblocking

Removes target IP addresses from a CFW blacklist.

Alert

Policy management – CFW blocking

Adds target IP addresses to a CFW blacklist.

Policy

Policy management – Cancel CFW blocking

Removes target IP addresses from a CFW blacklist.

Policy

Network Defense Alarms Are Associated With Historical Handling Information

Associates CFW alerts with alerts handled earlier and adds historical handling details to the comment area for new alerts.

Alert

Identity authentication

Identity Defense Alarms Are Associated With Historical Handling Information

Associates IAM alerts with alerts handled earlier and adds historical handling details to the comment area for new alerts.

Alert

Policy Management – IAM blocking (IAM interception for policy delivery)

Triggers emergency policies and changes the status of an IAM user to Disabled.

Policy

Policy management – Cancel IAM blocking (Policy Delivery IAM Decapsulation)

Triggers emergency policies and changes the status of an IAM user to Enabled.

Policy

Others/General

Automatic notification of high-risk alerts

Sends email or SMS notifications when there are alerts rated as High or Fatal.

Alert

Alert metric extraction

Extracts IP addresses from alerts, verifies them the IP addresses against Threat Book, sets the confirmed malicious IP addresses as threat indicators, and associates indicators with alerts.

Alert

Automatic disabling of repeated alerts

Associates the alerts with the same names and close the duplicated ones generated within the past seven days.

Alert

Automatic renaming of alert names

Generates custom alert names by combining specified key fields.

Alert

Adding IP address to alert

Adds attack source IP address and attacked IP address labels for alerts.

Alert

One-click unblocking

Applies unblocking workflows based on alert data source products.

Alert

One-click blocking

Applies blocking workflows based on alert data source products.

Alert

IP intelligence association

Associates alerts with SecMaster intelligence first and ThreatBook intelligence.

Alert

Asset Protection Status Statistics Notification

Collects statistics on asset protection status every week and sends notifications to customers by email or SMS.

CommonContext

Alert statistics Notify

At 19:00 every day, collects statistics on alerts that are not cleared and sends notifications to customers by email or SMS.

Alert

Automatic security blocking of high-risk alerts

If a source IP address launched more than three attacks, triggered high-risk or critical alerts, and hit the malicious label in ThreatBook, this playbook triggers the corresponding security policies in WAF, VPC, CFW, or IAM to block the IP address.

CommonContext

Real-time Close Alert Automatically

Clears the current alert.

CommonContext

Real-time notification of critical Organization and Management operations

Sends real-time notifications for O&M alerts generated by models. Currently, SMN notifications can be sent for three key O&M operations: attaching NICs, creating VPC peering connections, and binding EIPs to resources.

Alert

Querying historical alarms

Associates an alert with the child workflow that is used to handle similar alerts before.

Queries comments for historical alerts for a specified period of time and returns de-duplicated comments.

CommonContext