Updated on 2024-04-11 GMT+08:00

Overview

Scenario

After a domain name is attacked, the attacker typically goes on to attack the backend servers. SecMaster provides an attack link analysis playbook that automatically sends alert notifications to specified operations personnel once it detects attacks on servers.

How the Playbook Works

The Attack link analysis alert notification playbook is matched with the Attack link analysis alert notification workflow. This workflow uses Simple Message Notification (SMN) to send notifications, so you need to create and subscribe to a notification topic in SMN first.

The Attack link analysis alert notification workflow uses asset associations to query the website assets associated with the server assets affected by HSS alerts. By default, a maximum of 3 website assets are queried.

  • If there are associated website assets, the workflow queries WAF alerts generated for each website asset from 3 hours ago to the current time. A maximum of 3 alerts can be queried. The alert types include XSS, SQL injection, command injection, local file inclusion, remote file inclusion, web shell, and vulnerability exploits.
  • If a WAF alert exists, the workflow associates the WAF alert with the corresponding HSS alert and sends a notification to the email address you specified through SMN.
Figure 1 Attack link analysis alert notification
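The correlation described above, written out as an added example (not SecMaster's playbook code): the asset links, HSS alert and WAF alerts are constructed sample data, and the 3-website, 3-alert and 3-hour limits are the defaults stated in the text. Sending through SMN is left out; the function only builds the message body.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (not SecMaster output). An "attack link" is an HSS
# server alert joined to recent WAF alerts on websites hosted on that server.
WAF_TYPES = {"XSS", "SQL injection", "command injection", "local file inclusion",
             "remote file inclusion", "web shell", "vulnerability exploits"}
MAX_SITES, MAX_WAF_ALERTS, LOOKBACK = 3, 3, timedelta(hours=3)

NOW = datetime(2024, 4, 11, 12, 0, tzinfo=timezone.utc)
ASSET_LINKS = {"srv-01": ["shop.example.test", "blog.example.test",
                          "api.example.test", "old.example.test"]}  # 4th site is beyond the cap
HSS_ALERTS = [{"id": "hss-1", "server": "srv-01", "name": "Reverse shell detected"}]
WAF_ALERTS = [
    {"id": "waf-1", "site": "shop.example.test", "type": "SQL injection", "time": NOW - timedelta(minutes=20)},
    {"id": "waf-2", "site": "shop.example.test", "type": "web shell", "time": NOW - timedelta(hours=5)},   # too old
    {"id": "waf-3", "site": "blog.example.test", "type": "XSS", "time": NOW - timedelta(hours=1)},
    {"id": "waf-4", "site": "blog.example.test", "type": "bot", "time": NOW - timedelta(minutes=5)},       # type out of scope
]


def build_attack_links(hss_alerts, waf_alerts, asset_links, now=NOW):
    """For each HSS alert, collect in-scope WAF alerts on its associated websites
    within the lookback window. Returns (hss_id, [waf_ids]) pairs for servers with hits."""
    links = []
    for hss in hss_alerts:
        sites = asset_links.get(hss["server"], [])[:MAX_SITES]  # default: at most 3 websites
        matched = []
        for site in sites:
            hits = [w for w in waf_alerts
                    if w["site"] == site and w["type"] in WAF_TYPES
                    and now - LOOKBACK <= w["time"] <= now]
            hits.sort(key=lambda w: w["time"], reverse=True)      # newest first
            matched.extend(w["id"] for w in hits[:MAX_WAF_ALERTS])  # at most 3 alerts per site
        if matched:
            links.append((hss["id"], matched))
    return links


def format_notification(links):
    """Build the message body that would be handed to an SMN topic."""
    return "\n".join(f"HSS alert {h} is linked to WAF alerts: {', '.join(ws)}" for h, ws in links)


if __name__ == "__main__":
    print(format_notification(build_attack_links(HSS_ALERTS, WAF_ALERTS, ASSET_LINKS)))
```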

Prerequisites

  • You have enabled HSS and WAF alert access in SecMaster on the Data Integration page under the Settings pane in the current workspace.
    For details about how to enable HSS and WAF alert access in SecMaster, see Data Integration.
    Figure 2 Alert access
  • On the Resource Manager page in the current SecMaster workspace, click an asset name. On the asset details page displayed, associate the website asset with the server asset.
    Figure 3 Associated Assets

Verification

After the attack link analysis notification playbook is executed, the server assets and website assets are associated based on the corresponding HSS and WAF alerts.

Figure 4 Associated alerts

The playbook adds a comment to the corresponding alert.

Figure 5 Comment

An alert notification email is sent to the specified personnel.

Figure 6 Email notifications