Updated on 2025-08-11 GMT+08:00

Creating a Workspace

Scenario

Workspaces are top-level workbenches in SecMaster. A workspace can be associated with general projects, regions, and enterprise projects to support security operations in different scenarios.

Before using baseline inspection, alert management, security analysis, and security orchestration in SecMaster, you need to create at least one workspace first. You can use workspaces to group your resources by application scenario. This will make security operations more efficient.

This section describes how to create a workspace.

Limitations and Constraints

  • Paid SecMaster: A maximum of five workspaces can be created for an account in a region.
  • Free SecMaster: Only one workspace can be created for an account in a region.
  • The newly created workspace needs to be initialized. After the workspace is created, wait for about 10 minutes and refresh the page to view the workspace. You can check workspaces by referring to Viewing a Workspace.

Creating a Workspace

  1. Log in to the SecMaster console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner of the page and choose Security & Compliance > SecMaster.
  4. In the navigation pane on the left, choose Workspaces > Management.

    Figure 1 Workspaces > Management

  5. (Optional) Complete authorization. Authorization is required only the first time you access the workspace management page.

    1. In the upper part of the workspace management page, choose Entrusted Service Authorization - Current Tenant.
    2. On the page for assigning permissions, select all required permissions (which are selected by default), select Agree to authorize, and click Confirm.

  6. On the Management page, click Create. The Create Workspace slide-out panel is displayed.
  7. Configure workspace parameters by referring to the following table.

    Table 1 Parameters for creating a workspace

    Parameter | Description
    Region | Select the region where you want to create the workspace.
    Project Type | Select the type of project that the workspace you want to create belongs to.
    Workspace Name | Specify the workspace name. Only letters (A to Z and a to z), numbers (0 to 9), and the following special characters are allowed: -_() A maximum of 64 characters are allowed.
    Tag (Optional) | (Optional) Tag of the workspace, which is used to identify the workspace and help you classify and track your workspaces. TMS's predefined tag function is recommended for adding the same tag to different cloud resources. You can also create tags when purchasing SecMaster.
    Description (Optional) | (Optional) Provide a description of the workspace.

  8. Click OK.
  9. Choose Workspaces > Management in the navigation pane on the left. On the displayed page, check the new workspace.
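
A pre-flight check for teams that plan workspaces across several regions before entering them in the console, covering the name rules in Table 1 and the per-region limits above. This is an added example, not SecMaster code or an official API; the function names, region names and sample plan are assumptions, and rejecting an empty name is also an assumption because the page states no minimum length.

```python
import re
from collections import Counter

# Limits stated on this page: workspaces per account per region, by edition.
MAX_WORKSPACES = {"paid": 5, "free": 1}
MAX_NAME_LEN = 64
# ASCII-only on purpose: str.isalnum() or \w would also accept letters such as "\u00e9".
ALLOWED_CHAR = re.compile(r"[A-Za-z0-9_()\-]")


def check_name(name):
    """Return the list of rule violations for a proposed workspace name."""
    problems = []
    if not name:
        # Assumption: an empty name is rejected; the page states no minimum length.
        problems.append("empty name")
    if len(name) > MAX_NAME_LEN:
        problems.append("longer than 64 characters")
    bad = sorted({c for c in name if not ALLOWED_CHAR.fullmatch(c)})
    if bad:
        problems.append("disallowed characters: " + " ".join(repr(c) for c in bad))
    return problems


def check_plan(plan, existing, edition):
    """Check planned workspaces for one account.

    plan: list of (region, name) pairs to create, in order.
    existing: dict of region -> workspaces already present in that region.
    Returns (region, name, problem) findings; an empty list means the plan fits.
    """
    limit = MAX_WORKSPACES[edition]
    used = Counter(existing)
    findings = []
    for region, name in plan:
        findings += [(region, name, p) for p in check_name(name)]
        used[region] += 1
        if used[region] > limit:
            findings.append((region, name, f"over the {edition} limit of {limit} per region"))
    return findings


# Constructed sample: region names and workspace names are placeholders.
SAMPLE_PLAN = [("region-a", "soc-prod_(eu)"), ("region-a", "soc dev"), ("region-b", "soc-s\u00e9c")]
SAMPLE_EXISTING = {"region-a": 4}

if __name__ == "__main__":
    for finding in check_plan(SAMPLE_PLAN, SAMPLE_EXISTING, "paid"):
        print(finding)
```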

New Workspace Initialization

After a workspace is created, the system initializes layouts, operations objects, playbook orchestration, cloud service access, and models. The details are as follows:

  • Layout initialization: When a workspace is created, its layout is initialized. A layout determines how pages in the service are displayed. Go to the Workspaces page and choose Security Orchestration > Layouts in the navigation pane on the left. The layout management page is displayed by default. You can view the preset layout. When a workspace is created, the following content is initialized in the preset layout: alert list, alert details, incident list, incident details, indicator list, indicator details, vulnerability list, vulnerability details, asset list, asset details, daily report, monthly report, and weekly report. For details about how to view the layout, see Viewing a Layout.
  • Operations object initialization: You can check basic concepts of operations objects in Overview. Data classes and types are initialized during workspace initialization.
  • Playbook orchestration initialization: To learn what a playbook or workflow is, see Overview. When a workspace is added, some playbooks, workflows, and plugins are initialized.
    Table 2 Initialized playbooks, workflows, and plugins

    Category: Playbooks
    Initialization Content:
    • Server vulnerability notification
    • Asset protection status statistics notification
    • New server protection status notification
    • Alert metric extraction
    • Automated handling of host Rootkit event attacks
    • WAF Synchronizes Black IP Addresses to Intelligence
    • CFW Synchronizes Black IP Addresses to Intelligence
    • HSS alert synchronization
    • Network Defense Alarms Are Associated With Historical Handling Information
    • Identity Defense Alarms Are Associated With Historical Handling Information
    • Application Defense Alarms Are Associated With Historical Handling Information
    • Host Defense Alarms Are Associated With Historical Handling Information
    • Unified buy
    • Real-time Notification of Critical Organization and Management Operations
    • Automatic Disabling of Repeated Alerts
    • Attack Link Analysis Alert Notification
    • HSS Isolation and Killing of Malware
    • Automatic Notification of High-Risk Alerts
    • Automatic clearing of low-risk alerts
    • Automated handling of host rebound Shell attacks
    • SecMaster WAF Address Group Association Policy
    • Web login burst interception
    • IP intelligence association
    • Automatic renaming of alert names
    • Auto High-Risk Vulnerability Notification
    • Mining host isolation
    • Alert statistics Notify
    • Auto Blocking for High-risk Alerts
    • Alert IP metric labeling
    • HSS High-Risk Alarm Interception Notification
    • Ransomware host isolation
    • WAF clear Non-domain Policy

    Category: Workflows
    Initialization Content:
    • HSS alert synchronization
    • CIS_PostgreSQL Restricting the IP Addresses That Can Connect to Databases
    • Asset protection information notification
    • Host Auto Storage AirGap Breaker
    • CIS_MySQL Enabling Database Audit Log
    • Policy Management_VPC
    • Auto Host Backup and Copy Tampering Prevention
    • Unbinding The WAF IP Group from Policies
    • CIS_Enabling ECS Logs in LTS
    • CIS_Enabling ELB Access Logging
    • Auto High-Risk Vulnerability Notification
    • CIS_Enabling LTS and Collecting Container Logs
    • CIS_Ensuring That the Minimum Password Age Is Set
    • One-click WAF blocking
    • HSS High-Risk Alarm Interception Notification
    • CIS_Enabling FunctionGraph Logging
    • Network Defense Alarms Are Associated With Historical Handling Information
    • Policy Management – Cancel CFW blocking
    • Policy Management – WAF blocking
    • CIS_Enabling MFA for the Administrator Account
    • Create Intelligence
    • Host defense alarms are associated with historical handling information - Threat Modeling - Login
    • CIS_Enabling Re-confirmation for Deleting Backup Data
    • CIS_DDS Enabling Encrypted Communication
    • CIS_Using a Dedicated Resource Pool
    • CIS_Enabling Access Key Management
    • One-click unblocking
    • IP intelligence association
    • CIS_MySQL Disabling Default Ports
    • WAF address group association policy
    • CIS_Using an IP Address Whitelist for Access to Notebook
    • Web login burst interception
    • Auto Blocking for High-risk Alerts
    • Medium-Risk Host Auto Snapshot and Policy Configuration
    • CIS_GaussDB WAL Archiving Configuration
    • Policy Management_CFW
    • CIS_Enabling the Key Event Notifications in CTS
    • CIS_DDS Setting Maximum Connections
    • CIS_Ensuring That Only One Active Access Key Is Available for an IAM User
    • CIS_PostgreSQL Enabling Log Recording for User Logins
    • CIS_DDS Setting Second-Level Monitoring and Alarm Rules
    • Alert metric extraction
    • High-Risk Host Auto Snapshot and Policy Configuration
    • Application Defense Alarms Are Associated With Historical Handling Information
    • CFW Synchronizes Black IP Addresses to Intelligence
    • Querying historical alarms
    • CIS_GaussDB User Password Security
    • Attack Link Analysis Alert Notification
    • CIS_Enabling Encryption for Private Images
    • CIS_Enabling Kerberos Authentication
    • Host Defense Alarms Are Associated With Historical Handling Information
    • Policy Management – IAM interception for policy delivery
    • CIS _MySQL Avoiding Binding an EIP to Access RDS for MySQL over Internet
    • Policy Management_WAF
    • Policy Management – Cancel WAF blocking
    • CIS_GaussDB Security Authentication
    • Policy Management_IAM
    • One-click host de-isolation
    • CIS_GaussDB Configuring Maximum Number of Concurrent Database Connections
    • Vulnerability handling
    • HSS Isolation and Killing of Malware
    • Automatic Renaming of Alert Names
    • CIS_PostgreSQL Enabling the Backup Function and Configuring a Backup Policy
    • CIS_PostgreSQL Disabling Default Ports
    • CIS_DDS Enabling Database Audit Log
    • CIS_Ensuring IAM Policies Are Not Created to Allow Wildcard Administrative Permissions
    • WAF Synchronizes Black IP Addresses to Intelligence
    • Automatic Disabling of Repeated Alerts
    • Real-time Close Alert Automatically
    • One-click CFW blocking
    • CIS_Using a Key Pair to Securely Log In to a BMS
    • CIS_PostgreSQL Enabling Database Audit Log
    • CIS_Enabling the CFW Log Management Capability
    • CIS_Creating an IAM User with Non-Administrator Permissions
    • CIS_Protecting the Cluster API Server
    • CIS_Preventing Cluster Nodes from Being Exposed to Public Networks
    • Adding IP address to alert
    • Automatic Notification of High-Risk Alerts
    • Labeled Hosts Backup
    • CIS_MySQL Updating the Database Version to the Latest
    • Identity Defense Alarms Are Associated With Historical Handling Information
    • Host defense alarms are associated with historical handling information - Threat Modeling - Process
    • One-click CFW unblocking
    • CIS_PostgreSQL Configuring a Client Authentication Timeout
    • CIS_Enabling the Container Security Edition of HSS
    • Low-Risk Host Auto Snapshot and Policy Configuration
    • Real-time Notification of Critical Organization and Management Operations
    • Host Defense Alarms Are Associated With Historical Handling Information - Automatic conversion to alerts.
    • One-click Blocking
    • WAF clear Non-domain Policy
    • Unified buy
    • CIS_Creating a VPC Flow Log
    • Policy Management – Policy Delivery IAM Decapsulation
    • CIS_Enabling Log File Integrity Verification
    • CIS_Configuring an ACL
    • Alert statistics Notify
    • Server vulnerability notification
    • CIS_Enabling Encrypted Storage of Log Files
    • Report Baseline Inspection Results
    • One-click WAF unblocking
    • Policy Management – CFW blocking
    • Host Isolation - Malware
    • Policy Management – Security group blocking
    • Policy Management – Security group blocking cancellation
    • One-click host isolation
    • Asset protection status statistics notification
    • CIS_DDS Enabling Disk Encryption
    • CIS_DDS Disabling the Script Running Function

    Category: Plugins
    Initialization Content: SecMasterWebTools, SMN, FunctionGraph, DDS, ELB, EPS, IMS, LTS, CFW, Kafka, SFS, SecMasterBiz, CSBS, VPC, HTTP, DBSS, HSS, ECS, BSS, IAM, ThreatBook, HBRD, EVS, SecMasterUtilities, RMS, GaussDB, EIP, OBS, WAF, CCE, SecMaster, VoiceCall, RDS, CTS, BMS, Organizations, MRS, ModelArts, APIE

  • Cloud service access initialization: Logs of other cloud services are aggregated to SecMaster. For details about the cloud service logs that can be accessed by SecMaster, see Cloud Service Log Access Supported by SecMaster. For details about how to manually access cloud service logs, see Enabling Log Access. The following table lists the cloud service logs that are accessed by default when a workspace is created.
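    Table 3 Logs accessed by default

    Security Category | Service | Service Type | Log | Log Description
    Server security | Host Security Service (HSS) | Tenant-side cloud service | hss-alarm | HSS security alarms
    Server security | Host Security Service (HSS) | Tenant-side cloud service | hss-log | HSS security logs
    Application security | Web Application Firewall (WAF) | Tenant-side cloud service | waf-attack | WAF attack logs
    Application security | Web Application Firewall (WAF) | Tenant-side cloud service | waf-access | WAF access logs
    Application security | Cloud Trace Service (CTS) | Tenant-side cloud service | cts-audit | CTS logs
    Network security | NIP | Huawei device | nip-attack | IPS attack logs
    Network security | Cloud Firewall (CFW) | Tenant-side cloud service | cfw-block | Access control logs
    Network security | Cloud Firewall (CFW) | Tenant-side cloud service | cfw-risk | Attack logs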

  • Model initialization: SecMaster uses models to scan logs in pipelines. If SecMaster detects data that hits the trigger in a model, it generates an alert. Models are created from templates, so you need to use an available model template to create a model. SecMaster provides multiple model templates based on common scenarios. When a workspace is created, some models are automatically created by default. For details about how to view models, see Viewing a Model. For details about how to manage models, see Managing Models.
    Table 4 Initialized model

    Category: Model
    Initialization Content:
    • Application - Distributed URL Traversal Attack
    • Application - Source IP Brute-Forcing Domain Names
    • Application - Source IP Conducting URL Traversal
    • Application - WAF Key Attack Alert
    • Host - Virtual Machine Lateral Connection
    • Network - High-Risk Port Exposure to the Outside
    • Network - Login Brute Force Alarm
    • HSS - Abnormal Network Connection
    • Network - Source IP Attacking Multiple Targets
    • Network - Command Injection Alert
    • Network - Malicious External Communications
    • Host - Rootkit Events
    • Host - Reverse Shell
    • Host - Remote Login
    • Host - Abnormal Shell
    • Host - Weak Password
    • Host - Malware
    • Host - Brute Force Crack Success
    • Host - High-risk Command Detection
    • Network - Abnormal connection detection
    • Network - Hacking tool detection
    • Network - Malware (worms, viruses, Trojans) detection
    • Network - Botnets
    • Network - Backdoors
    • Application - Possible source code leakage risks
    • Application - Possible Log4j 2 vulnerabilities
    • O&M - Attaching a NIC
    • O&M - Creating a VPC peering connection
    • O&M - Binding EIPs to resources
    • Application - Possible Fastjson vulnerabilities
    • Application - Possible Java framework common code execution vulnerabilities
    • Application - Possible Apache Shiro vulnerabilities
    • Network - Abnormal CFW external connections
    • Network - Suspicious DoS attacks
    • Application - Login Brute Force Attack
    • Host - Abnormal file attribute modifications
    • Host - Malicious scheduled tasks
    • Host - Hidden processes and ports
    • Host - Abnormal file permission modifications
    • HSS - Key file path change
    • Host - Abnormal outbound connections
    • Host - File/Directory changes
    • Host - Brute force cracking attempt
    • Host - File accessed by suspicious process
    • Host - Container Startup Exception
    • Host - Untrusted Process Execution
    • Host - Suspicious Crontab Task
    • Host - User Account Change
    • Network - CFW Malicious External Attacks

Operations You Can Do with a Workspace

You can perform security operations after adding a workspace. Functions you can use vary depending on the SecMaster edition in use. For details, see Functions.

  • Checking the Situation Overview, Checking Security Situation through Large Screens, Security Reports, and Task Center: Check the security situation in a workspace, create security reports, handle to-do tasks, and check security situation on large screens.
  • Resource Manager: Manage assets centrally.
  • Risk Prevention: Prevent risks through baseline inspections, vulnerability management, emergency vulnerability notifications, and security policy management.
  • Threats: Manage threats, including incidents, alerts, and indicators, use intelligent modeling, and perform security analysis.
  • Security Orchestration: Implement security orchestration. Security orchestration combines the security functions of the different systems, or of the components within a system, that are involved in your organization's security operations, linking them by defined logical relationships to complete a specific security operations process. It aims to help security teams of enterprises and organizations respond to network threats quickly and handle security incidents efficiently and automatically. You can manage operations objects, playbooks, page layouts, and plug-ins.