HSS High-Risk Alarm Interception Notification
Playbook Overview
The HSS High-Risk Alarm Interception Notification playbook is associated with the HSS High-Risk Alarm Interception Notification process. It applies to server alerts whose severity is High or Critical. If the source IP address in such an alert has not been added to the VPC security group, SecMaster automatically generates an interception notification and a to-do task. After the to-do task is manually approved, SecMaster adds the IP address to the VPC blocking policy and to the VPC security group.
Playbook trigger conditions:
- Condition 1: The alert severity is High or Critical.
- Condition 2: The alert source is a server.
You need to enable this playbook manually.
Prerequisites
- You are using the SecMaster professional edition.
- HSS security alarm logs have been connected to SecMaster, and Auto Alert Conversion has been enabled. For details about how to connect logs to SecMaster, see Enabling Log Access.
- You have created and subscribed to a topic for receiving notifications from SecMaster. For details, see Step 1: Create and Subscribe to a Topic.
- SecMaster has been granted the SMN FullAccess permission, which includes all permissions for SMN.
Table 1 Permission description

| Permission | Description | Principal | Usage |
| --- | --- | --- | --- |
| SMN FullAccess | All permissions for SMN. | SecMaster_Agency | SecMaster uses SMN to send playbook execution notifications. |
Perform the following steps to check whether SecMaster has been granted the SMN FullAccess permission. If the permission has not been granted, grant it to SecMaster by referring to Authorizing SecMaster.
- Log in to the SecMaster console as an administrator.
- Click the icon in the upper left corner of the page and choose Management & Governance > Identity and Access Management.
- In the navigation pane on the left, choose Agencies. On the Agencies page, click SecMaster_Agency and then click the Permissions tab to view all authorization records of SecMaster_Agency.
Figure 1 Viewing agency authorization records
Step 1: Create and Subscribe to a Topic
- Log in to the SecMaster console.
- In the upper left corner of the page, click the icon and choose .
- Create a topic.
  - In the navigation pane on the left, choose . In the upper right corner of the displayed page, click Create Topic.
  Figure 2 Create Topic
  - In the Create Topic dialog box displayed, configure the topic information and click OK.
    - Topic Name: Set it to SecMaster-Notification.
    - Display Name: SecMaster notification topic is recommended.
    - Retain the default values for the other parameters.
  Topic Name must be set to SecMaster-Notification, or playbooks may fail to be executed.
- Add a subscription.
  - On the Topics page, locate the row that contains the SecMaster-Notification topic and click Add Subscription in the Operation column.
  - On the Add Subscription slide-out panel displayed, configure the subscription information and click OK.
    - Protocol: Select a notification method based on your needs. Email is used as an example.
    - Endpoint: Enter the email address of the subscription endpoint, for example, username@example.com.
- Confirm the subscription.
  After the subscription is added, a confirmation email is sent to the address entered for Endpoint. Click the subscription confirmation link in the email. A page indicating that the subscription succeeded is displayed.
Step 2: Enable the Playbook
- Log in to the SecMaster console.
- In the navigation pane on the left, choose Workspaces > Management. In the workspace list, click the name of the target workspace.
Figure 3 Workspace management page
- In the navigation pane on the left, choose Security Orchestration > Playbooks.
Figure 4 Accessing the Playbooks tab
- On the Playbooks page, search for the HSS High-Risk Alarm Interception Notification playbook and click Enable in its Operation column.
- In the dialog box displayed, select the initial playbook version v1 and click OK. If the Playbook Status of the HSS High-Risk Alarm Interception Notification playbook changes to Enabled, the playbook has been enabled successfully.
Implementation Effect
The HSS High-Risk Alarm Interception Notification playbook can be applied to server alerts of the High or Critical level. If the source IP address in an alert is not added to the VPC security group, SecMaster automatically generates an interception notification and a to-do task. After the to-do task is manually approved, SecMaster adds the IP address to the VPC policy for blocking and adds the IP address to the VPC security group.
- If a server alert of the High or Critical level is generated and the source IP address in the alert has not been added to the VPC security group, the playbook automatically generates an interception to-do task. In the navigation pane on the left of the SecMaster workspace, choose . On the To-Dos page, you can check the review task for security-group-based blocking whose Associated Object is HSS High-Risk Alarm Interception Notification.
Figure 5 To-do task generated by the HSS High-Risk Alarm Interception Notification playbook
- On the To-Dos page, locate the review task for security-group-based blocking whose Associated Object is HSS High-Risk Alarm Interception Notification and click Review in the Operation column. On the Playbook - Node Review pane displayed on the right, select Continue.
- After the approval, SecMaster automatically adds the IP address to the VPC blocking policy and delivers the policy to the VPC. In the navigation pane on the left, choose . On the displayed page, click the Emergency Policies tab to go to the emergency policy management page.
- On the Policy View tab, which is displayed by default, view the policy generated by the playbook and delivered to the VPC.
Figure 6 The playbook automatically generating a VPC emergency policy
- After the IP address is blocked in the VPC, SecMaster sends a notification.
Figure 7 Email notification on successful VPC blocking by the HSS High-Risk Alarm Interception Notification playbook
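The decision flow described in Playbook Overview and walked through above (trigger conditions, security-group check, manual review, emergency policy, notification) can be modelled as a small state machine. The following is an added example written for this page; it is not SecMaster code and the page does not disclose how the playbook is implemented internally. It assumes a security group can be represented as a list of denied CIDRs, that an approved IP is added as a /32 deny rule, and that the review decision is the literal string "Continue"; the alert and group values are constructed for illustration.

```python
"""Constructed model of the HSS High-Risk Alarm Interception Notification flow.

Added example, not SecMaster code. It reproduces the decision logic the page
describes: trigger on High/Critical server alerts, skip IPs already in the
security group, raise a to-do, and block only after human approval.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Playbook trigger conditions stated on the page.
SEVERITIES_IN_SCOPE = {"High", "Critical"}
SOURCE_IN_SCOPE = "server"


@dataclass
class Alert:
    alert_id: str
    severity: str
    source_type: str
    source_ip: str


@dataclass
class SecurityGroup:
    """VPC security group modelled as a list of denied CIDRs (assumption)."""
    name: str
    deny_cidrs: list = field(default_factory=list)

    def blocks(self, ip: str) -> bool:
        addr = ip_address(ip)
        return any(addr in ip_network(c) for c in self.deny_cidrs)


@dataclass
class ToDo:
    """Review task SecMaster raises before any blocking happens."""
    alert_id: str
    source_ip: str
    associated_object: str = "HSS High-Risk Alarm Interception Notification"
    status: str = "pending"  # pending -> approved / rejected


def should_trigger(alert: Alert) -> bool:
    """Condition 1 (severity) and Condition 2 (source is a server)."""
    return alert.severity in SEVERITIES_IN_SCOPE and alert.source_type == SOURCE_IN_SCOPE


def evaluate_alert(alert: Alert, sg: SecurityGroup) -> Optional[ToDo]:
    """Return a to-do only if the playbook triggers and the IP is not yet blocked."""
    if not should_trigger(alert):
        return None
    if sg.blocks(alert.source_ip):
        return None  # already in the security group: nothing to review
    return ToDo(alert_id=alert.alert_id, source_ip=alert.source_ip)


def review(todo: ToDo, decision: str, sg: SecurityGroup) -> Optional[dict]:
    """Manual approval gate: "Continue" approves, anything else rejects.

    On approval the IP is added to the group as a /32 deny (assumption) and an
    emergency-policy record plus the notification text are returned.
    """
    if decision != "Continue":
        todo.status = "rejected"
        return None
    todo.status = "approved"
    cidr = f"{todo.source_ip}/32"
    if cidr not in sg.deny_cidrs:
        sg.deny_cidrs.append(cidr)
    return {
        "policy": {"type": "emergency", "action": "deny", "cidr": cidr, "target": sg.name},
        "notification": f"Blocked {todo.source_ip} in {sg.name} for alert {todo.alert_id}",
    }


def run_sample() -> dict:
    """Run constructed alerts through the flow; all values are made up."""
    sg = SecurityGroup(name="sg-web-constructed", deny_cidrs=["203.0.113.0/24"])
    alerts = [
        Alert("a-1", "Critical", "server", "198.51.100.7"),     # triggers, new IP
        Alert("a-2", "High", "server", "203.0.113.9"),          # triggers, already blocked
        Alert("a-3", "Medium", "server", "198.51.100.8"),       # severity out of scope
        Alert("a-4", "Critical", "container", "198.51.100.9"),  # source out of scope
    ]
    todos = [t for t in (evaluate_alert(a, sg) for a in alerts) if t is not None]
    outcomes = [review(t, "Continue", sg) for t in todos]
    return {"todos": todos, "outcomes": outcomes, "deny_cidrs": list(sg.deny_cidrs)}


if __name__ == "__main__":
    from pprint import pprint
    pprint(run_sample())
```

Only the first constructed alert produces a to-do: the second is already covered by an existing deny CIDR, and the other two fail a trigger condition. Nothing is written to the security group until `review` receives "Continue", which mirrors the page's requirement that blocking waits for manual approval of the to-do task.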