Configuring Playbooks

Scenarios

The following describes how to enable this playbook and use it to handle malware and ransomware alerts.

Prerequisites

You have enabled access to HSS alerts and toggled on the automatic converting logs to alerts function on the Settings > Data Integration page in the current workspace. For details, see Data Integration.

Figure 1 Accessing HSS alerts

Configuring and Enabling a Playbook

In SecMaster, the initial version (V1) of the HSS isolation and killing of malware workflow is enabled by default. You do not need to manually enable it. The initial version (V1) of the HSS isolation and killing of malware playbook is also activated by default. To use it, you only need to enable it.

1. Log in to the management console.
2. Click in the upper left corner of the page and choose Security & Compliance > SecMaster.
3. In the navigation pane on the left, choose Workspaces > Management. In the workspace list, click the name of the target workspace.
   Figure 2 Workspace management page
   

4. In the left navigation pane, choose Security Orchestration > Playbooks.
   Figure 3 Accessing the Playbooks tab
   

5. On the Playbooks page, locate the row that contains the HSS isolation and killing of malware playbook and click Enable in the Operation column.
6. In the dialog box displayed, select the initial playbook version v1 and click OK.

Implementation Effect

• The malware has been killed and the alert is closed automatically.
  Figure 4 Alerts automatically closed
  
  If the malware is isolated and killed, a comment will be left indicating that the alert has been cleared.

  Figure 5 Comment on succeeded isolation and killing of malware
  
• If the malware fails to be isolated or killed, a comment will be left indicating that manual handling is required.
  Figure 6 Comment on failed isolation and killing of malware