Host Defense Alarms Are Associated With Historical Handling Information (HostDefenseAlarmsAreAssociatedWithHistoricalHandlingInformation)
Playbook Overview
If SecMaster receives a new HSS alert within 15 days after a similar HSS alert was closed, the HostDefenseAlarmsAreAssociatedWithHistoricalHandlingInformation playbook copies the closure comment of the closed alert into the comment area of the new alert. Both similar HSS alerts and similar HSS attacks trigger this playbook.
If two HSS alerts meet any of the following conditions, they are similar alerts:
- Their CMD commands are the same.
- They are reported for the same host.
- Their attack source IP addresses are the same.
- They are alerts of the same alert type.
If two HSS alerts meet any of the following conditions, they are similar attacks:
- The destination IP addresses are the same.
- They are alerts of the same label.
- They are alerts of the same alert type.
This playbook is enabled by default. There is no need to manually configure or enable it.
This playbook is triggered when an HSS alert or attack similar to a closed HSS alert is detected in SecMaster. For details about the alert and attack, see Overview.
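The following is an added illustration of the matching rule described above (the 15-day window, the "any of" similarity conditions for alerts and for attacks, and the copying of closure comments). It is example code written for this page, not SecMaster's own implementation; the record fields (cmd, host_id, src_ip, dst_ip, label, alert_type), the treatment of empty fields as non-matching, and the sample records are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Added example of the playbook's matching rule; not SecMaster's code.
# Field names and the sample data below are assumptions for illustration.

WINDOW = timedelta(days=15)   # a closed record stays eligible for 15 days


@dataclass
class HssRecord:
    id: str
    kind: str                       # "alert" or "attack"
    alert_type: str
    host_id: str = ""
    cmd: str = ""
    src_ip: str = ""
    dst_ip: str = ""
    label: str = ""
    closed_at: Optional[datetime] = None
    close_comment: str = ""
    comments: List[str] = field(default_factory=list)


def _same(x: str, y: str) -> bool:
    # Assumption: empty fields never match (two alerts with no CMD are not "the same command").
    return bool(x) and x == y


def is_similar(new: HssRecord, old: HssRecord) -> bool:
    """One matching condition is enough: the page says 'any of the following'."""
    if new.kind != old.kind:
        return False
    if new.kind == "alert":
        return (_same(new.cmd, old.cmd) or _same(new.host_id, old.host_id)
                or _same(new.src_ip, old.src_ip)
                or _same(new.alert_type, old.alert_type))
    if new.kind == "attack":
        return (_same(new.dst_ip, old.dst_ip) or _same(new.label, old.label)
                or _same(new.alert_type, old.alert_type))
    return False


def within_window(received_at: datetime, old: HssRecord) -> bool:
    """Closed before the new record arrived, and no more than 15 days earlier."""
    return (old.closed_at is not None
            and old.closed_at <= received_at <= old.closed_at + WINDOW)


def associate_history(new: HssRecord, history: List[HssRecord],
                      received_at: datetime) -> List[str]:
    """Copy closure comments of similar, recently closed records into new.comments.
    Returns the IDs of the closed records whose comments were copied."""
    copied = []
    for old in history:
        if old.id == new.id or not old.close_comment:
            continue                      # nothing to carry over
        if within_window(received_at, old) and is_similar(new, old):
            new.comments.append(
                f"[from {old.id}, closed {old.closed_at:%Y-%m-%d}] {old.close_comment}")
            copied.append(old.id)
    return copied


def demo() -> Dict[str, List[str]]:
    """Constructed sample data: which closed records feed each new record."""
    now = datetime(2024, 3, 12, 9, 0)
    history = [
        # same host as N1, closed 11 days ago -> comment is copied
        HssRecord("H1", "alert", "reverse shell", host_id="ecs-a",
                  closed_at=datetime(2024, 3, 1),
                  close_comment="False positive: approved ops tunnel."),
        # same alert type as N1 but closed 62 days ago -> outside the 15-day window
        HssRecord("H2", "alert", "webshell", host_id="ecs-b", src_ip="203.0.113.5",
                  closed_at=datetime(2024, 1, 10),
                  close_comment="Host isolated and reimaged."),
        # attack with the same alert type as N2 -> comment is copied
        HssRecord("H3", "attack", "brute force", dst_ip="10.0.0.8", label="ssh",
                  closed_at=datetime(2024, 3, 5),
                  close_comment="Source blocked in security group."),
        # similar to N1 by type, but closed without a comment -> nothing to copy
        HssRecord("H4", "alert", "webshell", host_id="ecs-c",
                  closed_at=datetime(2024, 3, 10)),
    ]
    n1 = HssRecord("N1", "alert", "webshell", host_id="ecs-a", cmd="bash -i")
    n2 = HssRecord("N2", "attack", "brute force", dst_ip="10.0.0.9", label="rdp")
    return {"N1": associate_history(n1, history, now),
            "N2": associate_history(n2, history, now),
            "N1_comments": n1.comments}


if __name__ == "__main__":
    print(demo())
```

Note that a single shared attribute (here, the host for N1 and the alert type for N2) is enough to carry a comment over, so a broad alert type can pull in closure notes from unrelated incidents; analysts should read a copied comment as context, not as a verdict on the new alert.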
Prerequisites
- You have connected the HSS alarm logs to SecMaster and enabled Auto Alert Conversion. For details, see Enabling Log Access.
Limitations and Constraints
- You are using the SecMaster professional edition.
- The data source of the alert or attack is HSS.
Implementation Effect
After the playbook takes effect, the closure comments of similar alerts or attacks are automatically added to the new HSS alerts or attacks on SecMaster. The methods for viewing alerts and attacks are similar. The following uses HSS alerts as an example.
- Log in to the SecMaster console.
- Click the icon in the upper left corner of the management console and select a region or project.
- In the navigation pane on the left, choose Workspaces > Management. In the workspace list, click the name of the target workspace.
Figure 1 Workspace management page
- In the navigation pane on the left, choose .
Figure 2 Alerts
- On the Alerts page, search for HSS alerts by data source filter and click the name of a new HSS alert to go to the details page.
- If similar alerts were closed within the previous 15 days, their closure comments are automatically added to the comment area on the details page of the new HSS alert. Similarity is judged by the conditions listed in Playbook Overview: for alerts, the same CMD command, host, attack source IP address, or alert type; for attacks, the same destination IP address, label, or alert type.
Figure 3 Adding a closure comment for a historical HSS alert to new similar alerts