Built-in Playbooks

Server security

HSS alert synchronization

Automatically synchronizes HSS alerts generated for servers.

Alert

Auto High-Risk Vulnerability Notification

Sends email or SMS notifications to specified recipients when vulnerabilities rated as high severity are discovered.

Vulnerability

Attack Link Analysis Alert Notification

Analyzes attack links. If HSS generates an alert for a server, the system checks the website running on the server. If the website information and alert exist, the system sends an alert notification.

Alert

Server vulnerability notification

Checks servers with EIPs bound on the resource manager page and notifies of discovered vulnerabilities.

CommonContext

HSS Isolation and Killing of Malware

Automatically isolates and kills malware.

Alert

Mining host isolation

Isolates the server for which an alert of mining program or software was generated. The playbook also adds the server into a security group that allows no inbound or outbound traffic.

Alert

Ransomware host isolation

Isolates the server for which an alert of ransomware was generated. The playbook also adds the server into a security group that allows no inbound or outbound traffic.

Alert

Host Defense Alarms Are Associated With Historical Handling Information

Associates new HSS alerts with HSS alerts handled earlier and adds historical handling details to the comment area for the corresponding HSS alerts.

Alert

Add host asset protection status notification

Checks new servers and notifies you of servers unprotected by HSS.

Resource

HSS High-Risk Alarm Interception Notification

Checks HSS high-risk alarms and generates to-do task notifications for source IP addresses that are not blocked by security groups. The to-do tasks will be reviewed manually. Once confirmed, the source IP addresses will be added to VPC block policy in SecMaster.

Alert

Automated handling of host Rootkit event attacks

If a Rootkit alert is generated, this playbook automatically isolates the affected host by adding it to a security group that blocks all inbound and outbound traffic, and closes the alert.

Alert

Automated handling of host rebound Shell attacks

If a reverse shell alert is generated, this playbook automatically isolates the affected host by adding it to a security group that blocks all inbound and outbound traffic, and closes the alert.

Alert

Application security

SecMaster WAF Address Group Association Policy

Associates SecMaster and WAF blacklist address groups for all enterprise projects.

CommonContext

WAF clear Non-domain Policy

Checks WAF protection policies at 09:00 every Monday and deletes policies with no rules included.

CommonContext

Application Defense Alarms Are Associated With Historical Handling Information

Associates new WAF alerts with WAF alerts handled earlier and adds historical handling details to the comment area for the new alerts.

Alert

Web login burst interception

Checks IP addresses that establish brute-force login connections. If the IP addresses are not whitelisted, the workflow generate a to-do task. The do-to task will be reviewed manually. Once it is confirmed that the IP addresses should be blocked, the IP addresses will be added to a WAF block policy in SecMaster.

Alert

O&M security

Real-time Notification of Critical Organization and Management Operations

Sends real-time notifications for O&M alerts generated by models. Currently, SMN notifications can be sent for three key O&M operations: attaching NICs, creating VPC peering connections, and binding EIPs to resources.

Alert

Identity security

Identity Defense Alarms Are Associated With Historical Handling Information

Associates new IAM alerts with IAM alerts handled earlier and adds historical handling details to the comment area for the new alerts.

Alert

Network security

Network Defense Alarms Are Associated With Historical Handling Information

Associates new CFW alerts with CFW alerts handled earlier and adds historical handling details to the comment area for new alerts.

Alert

Others/General

Automatic Notification of High-Risk Alerts

Sends email or SMS notifications when there are alerts rated as High or Fatal.

Alert

Alert metric extraction

Extracts IP addresses from alerts, checks the IP addresses against the intelligence system, sets alert indicators for confirmed malicious IP addresses, and associates the indicators with the source alerts.

Alert

Automatic Disabling of Repeated Alerts

Closes the status of duplicate alerts when they are generated next time for the last 7 days and associates the alerts with the same name for the last 7 days.

Alert

Automatic renaming of alert names

Generates custom alert names by combining specified key fields.

Alert

Alert IP metric labeling

Adds attack source IP address and attacked IP address labels for alerts.

Alert

IP intelligence association

Associates alerts with SecMaster intelligence (preferred) and ThreatBook intelligence.

Alert

Asset Protection Status Statistics Notification

Collects statistics on asset protection status every week and sends notifications to customers by email or SMS.

CommonContext

Alert statistics Notify

At 19:00 every day, collects statistics on alerts that are not cleared and sends notifications to customers by email or SMS.

Alert

Auto Blocking for High-risk Alerts

If a source IP address launched more than three attacks, triggered high-risk or critical alerts, and hit the malicious label in ThreatBook, this playbook triggers the corresponding security policies in WAF, VPC, CFW, or IAM to block the IP address.

Alert

Automatic clearing of low-risk alerts

This playbook automatically clear low-risk and informative alerts.

Alert