Identity Defense Alerts Associated with Historical Handling Information (IdentityWithHistoricalHandlingInformation)
Playbook Overview
If SecMaster receives a new IAM alert within 15 days after a similar IAM alert is closed, the IdentityWithHistoricalHandlingInformation playbook copies the closure comment of the closed alert into the comment area of the new, similar alert. This playbook applies to alerts only; attacks cannot trigger it. For details about the differences between alerts and attacks, see Overview.
If two IAM alerts meet any of the following conditions, they are similar alerts:
- Their attack source IP addresses are the same.
- Their usernames are the same.
- They belong to the same alert type.
This playbook is enabled by default. There is no need for you to configure or enable it. This playbook is triggered when SecMaster receives new alerts from IAM and the new alerts are similar to a closed IAM alert.
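To make the matching rule concrete, here is a stand-alone model of the logic described above, written as an added example (it is not SecMaster's or the playbook's own code; the alert fields and sample alerts are constructed). It shows that any one of the three conditions is enough, and that a closed alert outside the 15-day window or an alert that is still open is ignored.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

WINDOW = timedelta(days=15)  # new alert must arrive within 15 days of the closure

@dataclass
class IamAlert:
    # Constructed field names; SecMaster's real schema is not shown on this page.
    alert_id: str
    source_ip: str
    username: str
    alert_type: str
    received_at: datetime
    closed_at: Optional[datetime] = None
    closure_comment: Optional[str] = None
    comments: list = field(default_factory=list)

def is_similar(new: IamAlert, old: IamAlert) -> bool:
    """Two IAM alerts are similar if ANY of the three conditions holds."""
    return (new.source_ip == old.source_ip
            or new.username == old.username
            or new.alert_type == old.alert_type)

def within_window(new: IamAlert, old: IamAlert) -> bool:
    """Old alert counts only if it is closed and the new alert arrived within WINDOW after closure."""
    return (old.closed_at is not None
            and old.closed_at <= new.received_at <= old.closed_at + WINDOW)

def apply_playbook(new: IamAlert, history: list) -> list:
    """Copy closure comments of matching closed alerts into the new alert; return matched ids."""
    matched = []
    for old in history:
        if within_window(new, old) and is_similar(new, old) and old.closure_comment:
            new.comments.append(f"[from {old.alert_id}] {old.closure_comment}")
            matched.append(old.alert_id)
    return matched

def demo():
    """Constructed sample data: one in-window match, one out-of-window, one open, one unrelated."""
    history = [
        IamAlert("A1", "203.0.113.5", "alice", "AbnormalLogin", datetime(2024, 6, 9),
                 closed_at=datetime(2024, 6, 10), closure_comment="False positive: known VPN egress"),
        IamAlert("A2", "198.51.100.7", "bob", "AbnormalLogin", datetime(2024, 4, 30),
                 closed_at=datetime(2024, 5, 1), closure_comment="Confirmed, credentials rotated"),
        IamAlert("A3", "198.51.100.8", "bob", "PolicyChange", datetime(2024, 6, 18)),  # still open
        IamAlert("A4", "198.51.100.9", "carol", "PrivilegeChange", datetime(2024, 6, 17),
                 closed_at=datetime(2024, 6, 18), closure_comment="Approved change ticket"),
    ]
    new = IamAlert("N1", "203.0.113.5", "bob", "AbnormalLogin", datetime(2024, 6, 20))
    return apply_playbook(new, history), new.comments
```

Only A1 is copied: A2 shares the alert type but was closed more than 15 days earlier, A3 is not closed, and A4 matches none of the three conditions.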
Limitations and Constraints
- You are using the SecMaster professional edition.
- The alert data source is IAM.
Implementation Effect
After the playbook is triggered, SecMaster adds the closure comments for similar closed alerts to new IAM alerts in SecMaster.
- Log in to the SecMaster console.
- Click the icon in the upper left corner of the management console and select a region or project.
- In the navigation pane on the left, choose Workspaces > Management. In the workspace list, click the name of the target workspace.
Figure 1 Workspace management page
- In the navigation pane on the left, choose .
Figure 2 Alerts
- On the Alerts page, search for IAM alerts by data source filter and click the name of a new IAM alert to go to the details page.
- If there are closed similar alerts, the closure comments for the closed alerts will be automatically added to the comment area on the details page of the new IAM alert.
After the IdentityWithHistoricalHandlingInformation playbook takes effect, the closure comments for the closed alerts will be automatically added to the comment area on the details page of the new similar IAM alerts.
Figure 3 Adding a closure comment for a historical IAM alert to new similar alerts