Updated on 2026-02-06 GMT+08:00

Ransomware Host Isolation (Ransomware host isolation)

Playbook Overview

The Ransomware host isolation playbook corresponds to the Host Isolation - Malware workflow. When an alert whose Alarm Type is Ransomware is triggered, this playbook automatically adds the host that triggered the alert to a VPC security group, and SecMaster automatically blocks both outbound access (from the host to third parties) and inbound access (from third parties to the host). For more details about VPC security groups, see Security Group Overview.

Trigger condition: The alarm source is HSS, and the alarm type is ransomware.

You need to enable this playbook for it to take effect.

Prerequisites

  • You have the SecMaster professional edition, and it is available.
  • The HSS security alarm log has been connected to SecMaster, and the Auto Alert Conversion button has been enabled. For details about how to connect logs to SecMaster, see Enabling Log Access.
  • You have created a model using the built-in host ransomware template and enabled the model. For details about how to create and enable a model, see Creating an Alert Model Using a Preconfigured Model Template and Managing Models, respectively.

Enabling a Playbook

In SecMaster, the initial version (V1) of the Host Isolation - Malware workflow is enabled by default. You do not need to manually enable it. The initial version (V1) of the Ransomware host isolation playbook is also activated by default. You only need to enable the playbook.
  1. Log in to the SecMaster console.
  2. In the navigation pane on the left, choose Workspaces > Management. In the workspace list, click the name of the target workspace.
    Figure 1 Workspace management page
  3. In the navigation pane on the left, choose Security Orchestration > Playbooks.
    Figure 2 Accessing the Playbooks tab
  4. On the Playbooks page, search for the Ransomware host isolation playbook and click Enable in its Operation column.
  5. In the dialog box displayed, select the initial playbook version v1 and click OK. If the Playbook Status of the Ransomware host isolation playbook changes to Enabled, the playbook has been enabled successfully.

Implementation Effect

When an alert whose Alarm Type is Ransomware is triggered, the Ransomware host isolation playbook automatically adds the host that triggered the alert to a VPC security group, and SecMaster automatically blocks both outbound access (from the host to third parties) and inbound access (from third parties to the host).

  1. If an HSS alarm whose Alarm Type is Ransomware is reported, the Ransomware host isolation playbook automatically generates a to-do task for O&M engineers to isolate the host. In the navigation pane on the left of the SecMaster workspace, choose Situation Awareness > Task Center. On the To-Dos page, you can view the task whose name is Review Server Isolation and whose Associated Object is Ransomware host isolation.
    Figure 3 Manual to-do task generated by the Ransomware host isolation playbook
  2. On the To-Dos page, locate the task whose name is Review Server Isolation and whose Associated Object is Ransomware host isolation, and click Review in the Operation column. On the Playbook - Node Review pane displayed on the right, select Continue.
  3. If the isolation is approved, SecMaster automatically adds the host to the VPC security group and blocks both outbound access (from the host to third parties) and inbound access (from third parties to the host). You can view the security group named SecMaster_One-Click_Host_Isolation in the VPC service. For details about how to view a security group, see Viewing a Security Group.
    Figure 4 SecMaster_One-Click_Host_Isolation security group