Overview
Scenario
After attacking a domain name, an attacker typically goes on to attack the backend servers. SecMaster provides an attack link analysis playbook that automatically sends alert notifications to specified operations personnel once it detects server attacks.
How the Playbook Works
The Attack link analysis alert notification playbook is matched with the Attack link analysis alert notification workflow. This workflow uses Simple Message Notification (SMN) to send notifications, so you need to create and subscribe to a notification topic in SMN.
The Attack link analysis alert notification workflow queries the list of website assets associated with the assets affected by HSS alerts through asset associations. By default, a maximum of 3 website assets can be queried.
- If there are associated website assets, the workflow queries WAF alerts generated for each website asset from 3 hours ago to the current time. A maximum of 3 alerts can be queried. The alert types include XSS, SQL injection, command injection, local file inclusion, remote file inclusion, web shell, and vulnerability exploits.
- If there is an alert generated in WAF, the workflow associates the WAF alert with the corresponding HSS alert and sends a notification through SMN to the email address you specified.
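The correlation steps above, sketched as an added example (this is not SecMaster's own code). The field names, asset names and sample alerts are constructed, and the reading of the 3-alert limit as per website asset is an assumption.

```python
from datetime import datetime, timedelta

# Alert types the workflow looks for, as listed on this page.
WAF_TYPES = {"XSS", "SQL injection", "command injection", "local file inclusion",
             "remote file inclusion", "web shell", "vulnerability exploits"}
MAX_SITES = 3                # page: at most 3 website assets are queried
MAX_ALERTS = 3               # page: at most 3 WAF alerts (per site: assumption)
WINDOW = timedelta(hours=3)  # page: from 3 hours ago to the current time


def analyze_attack_link(hss_alert, associations, waf_alerts, now):
    """Return (website, WAF alert) pairs linked to the server in hss_alert."""
    # Field names (server, website, type, time, id) are hypothetical.
    sites = associations.get(hss_alert["server"], [])[:MAX_SITES]
    links = []
    for site in sites:
        hits = [a for a in waf_alerts
                if a["website"] == site
                and a["type"] in WAF_TYPES
                and now - WINDOW <= a["time"] <= now]
        hits.sort(key=lambda a: a["time"], reverse=True)  # newest first (assumption)
        links.extend((site, a) for a in hits[:MAX_ALERTS])
    return links


def build_notification(hss_alert, links):
    """Compose the message text; returns None when there is nothing to send."""
    if not links:
        return None
    lines = [f"HSS alert {hss_alert['id']} on {hss_alert['server']} is linked to:"]
    lines += [f"- {site}: {a['type']} at {a['time']:%H:%M} (WAF alert {a['id']})"
              for site, a in links]
    return "\n".join(lines)


# Constructed sample data, not real alerts.
NOW = datetime(2024, 1, 1, 12, 0)
ASSOC = {"ecs-web-01": ["shop.example.com"]}
HSS = {"id": "hss-1", "server": "ecs-web-01"}
WAF = [
    {"id": "waf-1", "website": "shop.example.com", "type": "SQL injection", "time": NOW - timedelta(minutes=40)},
    {"id": "waf-2", "website": "shop.example.com", "type": "web shell", "time": NOW - timedelta(minutes=10)},
    {"id": "waf-3", "website": "shop.example.com", "type": "XSS", "time": NOW - timedelta(hours=5)},  # too old
    {"id": "waf-4", "website": "shop.example.com", "type": "other", "time": NOW - timedelta(minutes=5)},  # type not listed
]

if __name__ == "__main__":
    print(build_notification(HSS, analyze_attack_link(HSS, ASSOC, WAF, NOW)))
```

A server with no associated website asset, or with no matching WAF alert in the window, produces no notification.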
Prerequisites
- You have enabled HSS and WAF alert access in SecMaster on the Data Integration page under the Settings pane in the current workspace.
For details about how to enable HSS and WAF alert access in SecMaster, see Data Integration.
Figure 2 Alert access
- On the Resource Manager page in the current SecMaster workspace, click an asset name. On the asset details page displayed, associate the website asset with the server asset.
Figure 3 Associated Assets
Verification
After the attack link analysis notification playbook is executed, server assets and website assets are associated based on the corresponding HSS and WAF alerts.
Comments on the corresponding alert added to the playbook
Alert notification email sent to specified personnel