Updated on 2026-02-06 GMT+08:00

Network Defense Alarms Are Associated With Historical Handling Information

Playbook Overview

If SecMaster receives a new alert from CFW within 15 days and closed CFW alerts of a similar type exist, the Network Defense Alarms Are Associated With Historical Handling Information playbook adds the comments from the closed CFW alerts to the comment area of the new similar CFW alert. This playbook applies to alerts only; attacks cannot trigger it. For details about the differences between alerts and attacks, see Overview.

If two CFW alerts meet any of the following conditions, they are similar alerts:

  • They have the same source IP address.
  • They are generated for the same attacked IP addresses.
  • They belong to the same alert type.

This playbook is enabled by default. There is no need for you to configure or enable it. This playbook is triggered when SecMaster receives new alerts from CFW and the new alerts are similar to a closed CFW alert.
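
The matching rule above, sketched as an added Python example (not SecMaster's own code). The field names, the sample alerts and the reading of the 15-day window as the period before the new alert arrives are assumptions.

```python
from datetime import datetime, timedelta

# Assumption: the closed alert must fall within the 15 days before the new one.
WINDOW = timedelta(days=15)
# Hypothetical field names; the SecMaster alert schema is not shown on this page.
CRITERIA = {"source_ip": "same source IP address",
            "attacked_ip": "same attacked IP address",
            "alert_type": "same alert type"}

def matched_criteria(new, closed):
    """Return the similarity conditions that hold; any single one is enough."""
    return [label for field, label in CRITERIA.items()
            if new.get(field) and new.get(field) == closed.get(field)]

def inherited_comments(new, history):
    """Collect closure comments from closed CFW alerts similar to `new`."""
    out = []
    for old in history:
        if old["data_source"] != "CFW" or old["status"] != "closed":
            continue
        if not timedelta(0) <= new["time"] - old["time"] <= WINDOW:
            continue
        why = matched_criteria(new, old)
        if why:  # record which condition matched so the analyst can weigh the comment
            out.append({"from": old["id"], "comment": old["comment"], "matched": why})
    return out

def alert(id, days_ago, status, src, dst, kind, comment=""):
    """Build a constructed sample alert; T0 is the new alert's arrival time."""
    return {"id": id, "data_source": "CFW", "status": status,
            "time": T0 - timedelta(days=days_ago), "source_ip": src,
            "attacked_ip": dst, "alert_type": kind, "comment": comment}

T0 = datetime(2026, 2, 1, 12, 0)
# Constructed sample data using documentation IP ranges.
HISTORY = [
    alert("A1", 3, "closed", "203.0.113.7", "192.0.2.10", "Port scan", "Known scanner, blocked."),
    alert("A2", 2, "closed", "198.51.100.9", "192.0.2.44", "SQL injection", "False positive, internal test."),
    alert("A3", 20, "closed", "203.0.113.7", "192.0.2.10", "Port scan", "Older than the window."),
    alert("A4", 1, "open", "203.0.113.7", "192.0.2.10", "Port scan"),
]
NEW_ALERT = alert("N1", 0, "open", "203.0.113.7", "192.0.2.99", "SQL injection")

if __name__ == "__main__":
    for c in inherited_comments(NEW_ALERT, HISTORY):
        print(c["from"], c["matched"], "->", c["comment"])
```

In the sample, the closure comment of A2 is attached to N1 on alert type alone, although the source and attacked IP addresses differ, so an inherited comment is context to check rather than a verdict on the new alert.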

Prerequisites

  • Your SecMaster professional edition is available.
  • You have connected SecMaster to CFW to receive attack event logs and access control logs. For details, see Enabling Log Access.

Limitations and Constraints

  • The alert data source is CFW.

Implementation Effect

After the playbook is triggered, SecMaster adds the closure comments for similar closed alerts to new CFW alerts in SecMaster.

  1. Log in to the SecMaster console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. In the navigation pane on the left, choose Workspaces > Management. In the workspace list, click the name of the target workspace.

    Figure 1 Workspace management page

  4. In the navigation pane on the left, choose Threats > Alerts.

    Figure 2 Alerts

  5. On the Alerts page, search for CFW alerts by data source filter and click the name of a new CFW alert to go to the details page.
  6. If there are closed similar alerts, the closure comments for the closed alerts will be automatically added to the comment area on the details page of the new CFW alert. If two CFW alerts meet any of the following conditions, they are similar alerts:

    • They have the same source IP address.
    • They are generated for the same attacked IP addresses.
    • They belong to the same alert type.