HSS High-Risk Alarm Interception Notification
Playbook Overview
The HSS High-Risk Alarm Interception Notification playbook has been associated with the HSS High-Risk Alarm Interception Notification process. The HSS High-Risk Alarm Interception Notification playbook can be applied to server alerts of the High or Critical level. If the source IP address in an alert is not added to the VPC security group, SecMaster automatically generates an interception notification and a to-do task. After the to-do task is manually approved, SecMaster adds the IP address to the VPC policy for blocking and adds the IP address to the VPC security group.
Playbook trigger conditions:
- Condition 1: The alert severity is High or Critical.
- Condition 2: The alert source is a server.
You need to enable this playbook manually.
Prerequisites
- Your SecMaster professional edition is available.
- The HSS security alarm log has been connected to SecMaster, and the Auto Alert Conversion button has been enabled. For details about how to connect logs to SecMaster, see Enabling Log Access.
Enabling a Playbook
- Log in to the SecMaster console.
- In the navigation pane on the left, choose Workspaces > Management. In the workspace list, click the name of the target workspace.
Figure 1 Workspace management page
- In the navigation pane on the left, choose Security Orchestration > Playbooks.
Figure 2 Accessing the Playbooks tab
- On the Playbooks page, search for the HSS High-Risk Alarm Interception Notification playbook and click Enable in its Operation column.
- In the dialog box displayed, select the initial playbook version v1 and click OK. If the Playbook Status of the HSS High-Risk Alarm Interception Notification playbook changes to Enabled, the playbook has been enabled successfully.
Implementation Effect
The HSS High-Risk Alarm Interception Notification playbook can be applied to server alerts of the High or Critical level. If the source IP address in an alert is not added to the VPC security group, SecMaster automatically generates an interception notification and a to-do task. After the to-do task is manually approved, SecMaster adds the IP address to the VPC policy for blocking and adds the IP address to the VPC security group.
- If a server alert of the High or Critical level is generated and the source IP address in the alert is not added to the VPC security group, the playbook automatically generates an interception to-do task. In the navigation pane on the left of the SecMaster workspace, choose . On the To-Dos page, you can check the review task on security-group-based blocking whose Associated Object is HSS High-Risk Alarm Interception Notification.
Figure 3 To-do task generated by the HSS High-Risk Alarm Interception Notification playbook
- On the To-Dos page, locate the review task on security-group-based blocking whose Associated Object is HSS High-Risk Alarm Interception Notification and click Review in the Operation column. On the Playbook - Node Review pane displayed on the right, select Continue.
- After the approval, SecMaster automatically adds the IP address to the VPC blocking policy and delivers the policy to the VPC. In the navigation pane on the left, choose . On the displayed page, select the Emergency Policies tab to go to the emergency policy management page.
- On the Policy View tab displayed by default, view the policy generated by the playbook and sent to VPC.
Figure 4 The playbook automatically generating a VPC emergency policy
- After the VPC is blocked, SecMaster sends a notification.
Figure 5 Email notification on successful VPC blocking by the HSS High-Risk Alarm Interception Notification playbook
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
