Automatic Renaming of Alert Names

Playbook Overview

This built-in playbook can automatically rename alerts. You can customize alert names with this playbook to meet your needs.

The Auto Alert Renaming playbook has matched the Auto Alert Renaming workflow. To configure this playbook, you need to configure the matched workflow and plug-ins the workflow uses.

The Auto Alert Renaming workflow has four plug-in nodes, one for obtaining alert type IDs, one for obtaining alert details, one SecMasterBiz node, and one for updating alert names. In this workflow, you only need to configure the SecMasterBiz node. This node is used to customize alert names.

Figure 1 Automatic renaming of alarm names workflow

Limitations and Constraints

Currently, only names for web shell attack alerts can be modified.

Configuring and Enabling the Playbook

This topic walks you through on how to configure the SecMasterBiz node, enable the Auto Alert Renaming workflow, and enable the Auto Alert Renaming playbook.

1. Log in to the management console.
2. Click in the upper left corner of the page and choose Security & Compliance > SecMaster.
3. In the navigation pane on the left, choose Workspaces > Management. In the workspace list, click the name of the target workspace.
   Figure 2 Workspace management page
   

4. Configure and enable the workflow.
   1. Copy a workflow version.
      1. In the navigation pane on the left, choose Security Orchestration > Playbooks. Click Workflows.
         Figure 3 Workflows tab page
         
      2. Locate the row containing the Auto Alert Renaming workflow. In the Operation column, click Version Management.
         Figure 4 Version Management page
         
      3. On the Version Management page displayed, go to the Version Information area, locate the row where the initial version (v1) is listed, and click Clone in the Operation column.
      4. In the displayed dialog box, click OK.
   2. Edit and submit the workflow version.
      1. On the Version Management slide-out panel for the Auto Alert Renaming workflow, go to the Version Information area, locate the row containing the copied workflow version, and click Edit in the Operation column.
      2. On the drawing page, click the SecMasterBiz plug-in and configure Input parameters on the pane displayed from the left.

         Details about SecMasterBiz plug-in parameters are listed below.

         Figure 5 SecMasterBiz plug-in
         

         SecMasterBiz is a plug-in used in the workflow for automatically renaming alert names. It analyzes and processes web shell alert names. You can combine alert names in the way you want and let the system return the alert names as you configured.

         The SecMasterBiz plug-in contains multiple actions. The changeWebshellAlertName action provides several input parameters for you to customize. Each input parameter indicates an analysis dimension.

         You can select different dimension parameters as required to combine alert names. If a parameter is not selected, then it will not be returned in alert names by default. If you enter y, this parameter is selected. If you enter n, this parameter is not selected. If you leave this parameter blank, this parameter is not selected.

         Table 1 Parameter configuration description

         Parameter	Description	Value Range
         severity	Alert severity.	y/n
         createTime	Time the alert was created.	y/n
         srcIp	Attack source IP address.	y/n
         sourceCountryCity	Country or city from where the attack source IP address originated.	y/n
         destinationIp	IP addresses attacked.	y/n
         destinationCountryCity	Country or city where the attacked object locates.	y/n

      3. After the configuration is complete, click Save and Submit in the upper right corner. In the dialog box displayed, click OK.
   3. Review the workflow version.
      1. On the Workflows page, locate the Auto Alert Renaming workflow and click Version Management in the Operation column.
      2. On the displayed Version Management page, locate the row that contains the edited workflow version, and click Review in the Operation column.
      3. In the displayed dialog box, set Comment to Passed and click OK.
   4. Activate the workflow version.
      1. On the Version Management page, locate the row that contains the reviewed workflow version and click Activate in the Operation column.
      2. In the displayed dialog box, click OK.

         After a workflow version is activated, the workflow is enabled by default.

5. Configure and enable the playbook.
   1. In the navigation pane on the left, choose Security Orchestration > Playbooks.
      Figure 6 Accessing the Playbooks tab
      
   2. On the Playbooks, locate the row that contains the playbook for automatically renaming alert names, and click Enable in the Operation column.
   3. In the dialog box displayed, select the initial playbook version v1 and click OK.

Verifying the Playbook

If the playbook for Automatic renaming of alarm names is enabled, you can verify the playbook status.

This topic describes how to verify a playbook.

1. In the navigation pane on the left, choose Threat Operations > Alerts.
   Figure 7 Alerts
   

2. Click Add. Configure parameters in the Add slide-out panel.
   • Alert Name: Enter a name for the alert.
   • Alert Type: Select Web attacks and then Web shell.
   • First Occurrence Time: Set the time when the alert occurs for the first time.
   • Debugging data: Select Yes.
   • Description: Description of the custom alert.
   • Retain the default values for other parameters.

3. Click OK.
4. Refresh the page and check whether alert names have been updated.

   If the playbook is enabled, the playbook automatically processes new alerts and displays new alert names.

   Figure 8 Output when no parameters are selected (default)
   
   Figure 9 Output when only severity is selected
   

Implementation Effect

The following figure shows default alert names.

Figure 10 Before processing

The following figure shows customized alert names.

Figure 11 After processing