Updated on 2026-02-06 GMT+08:00

Mining Host Isolation (Mining host isolation)

Playbook Overview

The Mining host isolation playbook automatically isolates hosts whose Alarm Type is Mining program or Mining software and adds them to a VPC security group. SecMaster automatically blocks both inbound traffic (access from third-party applications to the hosts) and outbound traffic (access from the hosts to third-party applications).

Trigger condition: The alarm source is HSS, and the alert type is mining program or mining software.

You need to enable this playbook for it to take effect.

Prerequisites

  • Your SecMaster professional edition is available.
  • The HSS security alarm log has been connected to SecMaster, and the Auto Alert Conversion button has been enabled. For details about how to connect logs to SecMaster, see Enabling Log Access.
  • You have created a model using the built-in CSB_MODEL_Host_Miningbehaviordetection template and enabled the host-mining behavior detection model. For details about how to create and enable a model, see Creating an Alert Model Using a Preconfigured Model Template and Managing Models, respectively.

Enabling the Mining Host Isolation Playbook

In SecMaster, the initial version (V1) of the Host Isolation - Malware workflow is enabled by default. You do not need to manually enable it. The initial version (V1) of the Mining host isolation playbook is also activated by default. You only need to enable the playbook.
  1. Log in to the SecMaster console.
  2. In the navigation pane on the left, choose Workspaces > Management. In the workspace list, click the name of the target workspace.
    Figure 1 Workspace management page
  3. In the navigation pane on the left, choose Security Orchestration > Playbooks.
    Figure 2 Accessing the Playbooks tab
  4. On the Playbooks page, search for the Mining host isolation playbook and click Enable in the Operation column of the Mining host isolation playbook.
  5. In the dialog box displayed, select the initial playbook version v1 and click OK. If the Playbook Status of the Mining host isolation playbook changes to Enabled, the playbook has been enabled successfully.

Implementation Effect

Mining host isolation automatically isolates hosts whose Alarm Type is Mining program or Mining software and adds them to a VPC security group. SecMaster automatically blocks both inbound traffic (access from third-party applications to the hosts) and outbound traffic (access from the hosts to third-party applications).

  1. If an HSS alarm whose Alarm Type is Mining program or Mining software is reported, the Mining host isolation playbook automatically generates a to-do task for O&M engineers to isolate the host. In the navigation pane on the left of the SecMaster workspace, choose Situation Awareness > Task Center. On the To-Dos page, you can view the task whose name is Review Server Isolation and whose Associated Object is Mining host isolation.
    Figure 3 Manual to-do task generated by the Mining host isolation playbook
  2. On the To-Dos page, click Review in the Operation column of the to-do task whose task name is Review Server Isolation. On the Playbook - Node Review pane displayed on the right, select Continue.
  3. If the isolation is approved, SecMaster automatically adds the host to the VPC security group and blocks both outbound access (from the host to third parties) and inbound access (from third parties to the host). You can view the security group named SecMaster_One-Click_Host_Isolation in the VPC service. For details about how to view a security group, see Viewing a Security Group.
    Figure 4 SecMaster_One-Click_Host_Isolation security group