Security Orchestration, Automation, and Response (SOAR) in Security Center is a security solution in which different systems and services are orchestrated and connected based on specific logic. SOAR automates orchestration and speeds up response during security O&M, which helps enterprises strengthen their security defenses and respond to security events more efficiently. This topic describes how to use SOAR.
Background information
In daily security operations, security experts spend a large amount of time on repetitive, low-value tasks such as security reviews and the handling of trojans and mining programs. Even experts who know the internal environment of the enterprise, have intelligence about the adversaries, and understand the behavior patterns of attackers cannot devote themselves to higher-value work such as attack and defense exercises and security research.
SOAR is designed to automate and streamline these daily routines and accelerate response to security events. This frees security experts from onerous and trivial work so that they can focus on advanced persistent threats (APTs). The handling procedures that emerge from daily routines can be captured in SOAR as interpretable and executable standards and reused by others as best practices.
Terms
Before you get started with SOAR, you must understand the terms that are related to SOAR. The following table introduces the terms.
Term | Description |
playbook | A playbook is a predefined and structured response plan that is designed to handle specific types of events or threats. A playbook outlines the steps and actions that need to be performed when specific conditions are triggered, such as when specific security events are detected. You can specify Run Playbook as the action of an automatic response rule and select a playbook to automatically handle alerts and events. A playbook consists of only one process. You can implement versioning on the process, conduct input and output tests, track the number of executions of the process, and analyze the process results. |
process | A process is a series of sequentially executed tasks or actions. A process is designed to achieve a specific goal or implement a specific feature by performing predefined steps. You can create an automated process in the same manner as you draw a standard flowchart. An automated process contains start, judgement, action, and end nodes. You can create different automated processes, such as automatic notification processes and automatic immediate remediation processes. A process consists of multiple components that are connected to each other. A process can be triggered after it is created. For example, after a ticket is created, an automatic ticket review process is triggered. You can edit a process on a canvas in a visualized manner and define actions for each component in the process. For example, you can define the network disabling action for the terminal management component. |
component | A component corresponds to an external system or service, such as Web Application Firewall (WAF), Cloud Firewall, Ticket System, a database service, or a notification service. Extensible components provide more service capabilities. A component can be interpreted as a connector that connects to an external system or service. A component does not include complex logic. Complex logic is provided by the external systems or services that are connected to components. After you select a component, you must select assets and actions for the component. Components are classified into process orchestration components, basic orchestration components, and security application components. |
asset | An asset can be interpreted as a resource of an external service. Take the MySQL component as an example. An enterprise may use multiple MySQL databases. You must decide the database to which you want to connect when you use the MySQL component. |
action | An action is a type of capability provided by a component. Each component can have multiple actions. For example, the terminal management component supports actions such as disabling accounts, isolating networks, and sending notifications. |
Step 1: Create a playbook
A playbook is a predefined logical process or script that helps identify, classify, judge, and respond to security events. A playbook contains multiple steps that determine whether a threat exists, how to respond to it, and how to mitigate its impact. You can tailor playbooks to the types and threat levels of security events to meet different security requirements. Playbooks make response to security events faster and more consistent.
Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.
In the left-side navigation pane, choose .
On the Custom Playbook tab, click Create Playbook.
In the Create Playbook panel, enter a name and a description for the playbook. Then, click OK.
On the Edit Playbook page, orchestrate components for the playbook.
The Edit Playbook page contains the following areas, numbered as in the console:
1. Top menu bar, in which the entry points for the following operations are displayed:
Save: After the orchestration is complete, you can click Save to save the playbook as a draft.
The draft version is saved only temporarily. If you roll back to a published version, the draft version is overwritten. If you want to keep the playbook permanently, click Save and Publish.
Detect: You can click Detect to check whether the process in the playbook is valid. You can publish the playbook only if the check result is normal.
Save and Publish: You can click Save and Publish to save and publish the playbook. Only published playbooks can be used in automatic response rules.
You can view the version information of the playbook on the details page of the playbook. For more information, see Related operations.
Debug: You can click Debug and enter parameters on the Input Parameters (Debug) tab to test whether the playbook runs as expected.
Implement breakpoint debugging: When you edit components on the canvas, you can select a component and click the icon to add a breakpoint for the component. When you debug the playbook, execution then stops at the node upstream of the component, so the component itself is not run.
View Published Version: You can click View Published Version to view the latest published version of the playbook.
More: You can click More to perform more operations, such as saving the playbook as an XML file, importing an XML file, saving the playbook as an image, undoing an operation, and deleting a component or node.
2. Nodes: Start, End, Parallel Gateway, Conditional Gateway, and sub-playbook nodes. Each process must start with a start node and can have multiple end nodes.
Note: You can move the pointer over a node to view its description.
3. Basic orchestration components: common IT components, such as components that write data to databases, write data to Simple Log Service, and run Python 3 scripts.
4. Security handling components: components related to Alibaba Cloud security services, such as the Server Guard stop component and the blocking component of Cloud Firewall.
5. Canvas: drag the desired components to the canvas and draw lines to connect them based on their logical relationships.
On the canvas, you can double-click the start node that is indicated by the icon and configure basic information, input parameters, and trigger methods for the node.
On the canvas, you can double-click a basic orchestration component or security handling component and configure basic information, execution conditions, and actions for it.
On the canvas, you can double-click the end node that is indicated by the icon and configure basic information for the node.
6. Debugging area: after you click Debug in the top menu bar or the icon in the lower-right corner of the Edit Playbook page, the debugging area is displayed. You can test whether a playbook runs as expected in this area.
Input Parameters (Debug): On this tab, you can enter parameters for debugging and click Run.
The parameters for debugging must be in JSON format. You can click View Sample Input to view sample input parameters.
Run Logs: After you run a playbook, you can click the Run Logs tab to view the execution result and details of the playbook.
Historical Debugging Records: You can click the Historical Debugging Records tab to view the historical debugging records of a playbook.
If the debugging is successful and the check result of the process is normal, click Save and Publish.
In the Publish Notes dialog box, enter a description for the publish operation and click OK.
If the current version of the playbook is published, you can view the comparison between the current version and the latest version of the playbook and the check result after you click Save and Publish. After you confirm that the version information is correct, click OK.
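To make the process model behind the steps above concrete, the following is an added example, not Security Center's own engine or any code from the page: a small Python model of a playbook process with a start node, components that carry execution conditions and actions, a conditional gateway, a parallel gateway, and end nodes. It shows the kind of structural problems a Detect-style check catches before you publish (missing targets, nodes that never reach an end node, more than one start node), and how a breakpoint stops execution at the node upstream of the marked component. The node kinds, the context dictionary, the trace strings, and the threat intelligence table are assumptions made for this illustration.

```python
"""Toy model of a SOAR playbook process (added example, not Security Center code).
Node kinds, the context dict and the trace strings are assumptions."""
from typing import Callable, Dict, List, Optional, Tuple

Context = Dict[str, object]


class Node:
    """One box on the canvas: start, end, component, conditional or parallel."""

    def __init__(self, name: str, kind: str, succ: Tuple[str, ...] = (),
                 action: Optional[Callable[[Context], None]] = None,
                 condition: Optional[Callable[[Context], bool]] = None,
                 branches: Optional[List[Tuple[Callable[[Context], bool], str]]] = None):
        self.name, self.kind, self.succ = name, kind, tuple(succ)
        self.action = action            # component action, e.g. "block IP"
        self.condition = condition      # execution condition of a component
        self.branches = branches or []  # conditional gateway: (predicate, target)

    def targets(self) -> List[str]:
        return list(self.succ) + [t for _, t in self.branches]


def detect(playbook: Dict[str, Node]) -> List[str]:
    """Structural check: exactly one start node, every edge resolves, and every
    node can reach an end node. Returns the problems found (empty = normal)."""
    problems: List[str] = []
    starts = [n for n in playbook.values() if n.kind == "start"]
    if len(starts) != 1:
        problems.append(f"expected exactly one start node, found {len(starts)}")
    reverse: Dict[str, set] = {name: set() for name in playbook}
    for n in playbook.values():
        for t in n.targets():
            if t in reverse:
                reverse[t].add(n.name)
            else:
                problems.append(f"{n.name} -> {t}: target node does not exist")
    reaches_end = {n.name for n in playbook.values() if n.kind == "end"}
    queue = list(reaches_end)            # walk the reverse graph from the end nodes
    while queue:
        for pred in reverse[queue.pop()]:
            if pred not in reaches_end:
                reaches_end.add(pred)
                queue.append(pred)
    problems += [f"{name}: no path to an end node" for name in playbook if name not in reaches_end]
    return problems


def run(playbook: Dict[str, Node], ctx: Context, breakpoint: Optional[str] = None) -> List[str]:
    """Walk the process from the start node and return the execution trace.
    With a breakpoint on node X, execution stops after the node upstream of X,
    so X itself is never executed."""
    start = next(n for n in playbook.values() if n.kind == "start")
    trace: List[str] = []
    pending = [start.name]
    finished_ends: set = set()
    while pending:
        node = playbook[pending.pop(0)]
        if node.name == breakpoint:
            trace.append(f"break before {node.name}")
            return trace
        if node.kind == "component":
            if node.condition is None or node.condition(ctx):
                node.action(ctx)
                trace.append(f"ran {node.name}")
            else:
                trace.append(f"skipped {node.name}")   # execution condition not met
        elif node.kind == "conditional":
            taken = [t for pred, t in node.branches if pred(ctx)]
            if not taken:
                trace.append(f"{node.name}: no branch matched")
                return trace
            trace.append(f"{node.name} -> {taken[0]}")  # first matching branch wins
            pending.append(taken[0])
            continue
        elif node.kind == "end":
            if node.name not in finished_ends:           # parallel branches join here
                finished_ends.add(node.name)
                trace.append(f"end {node.name}")
            continue
        else:
            trace.append(f"{node.kind} {node.name}")     # start or parallel gateway
        pending.extend(node.succ)                        # a parallel gateway fans out
    return trace


THREAT_INTEL = {"203.0.113.7": 95}   # constructed sample data, not real intelligence


def enrich(ctx: Context) -> None:
    ctx["score"] = THREAT_INTEL.get(str(ctx["src_ip"]), 0)


def cfw_block(ctx: Context) -> None:
    ctx.setdefault("actions", []).append(f"cfw block {ctx['src_ip']}")  # type: ignore[attr-defined]


def notify(ctx: Context) -> None:
    ctx.setdefault("actions", []).append("notify on-call")  # type: ignore[attr-defined]


def sample_playbook() -> Dict[str, Node]:
    """start -> enrich -> is_malicious ? fan_out(cfw_block, notify) : end_benign"""
    nodes = [
        Node("start", "start", succ=("enrich",)),
        Node("enrich", "component", succ=("is_malicious",), action=enrich),
        Node("is_malicious", "conditional", branches=[
            (lambda c: c["score"] >= 80, "fan_out"),     # type: ignore[operator]
            (lambda c: True, "end_benign")]),
        Node("fan_out", "parallel", succ=("cfw_block", "notify")),
        Node("cfw_block", "component", succ=("end_handled",), action=cfw_block,
             condition=lambda c: not c.get("whitelisted")),
        Node("notify", "component", succ=("end_handled",), action=notify),
        Node("end_handled", "end"),
        Node("end_benign", "end"),
    ]
    return {n.name: n for n in nodes}
```

Running `detect(sample_playbook())` returns an empty list; deleting the `end_benign` node makes it report the dangling edge from the conditional gateway. `run(pb, {"src_ip": "203.0.113.7"})` blocks and notifies, `run(pb, {"src_ip": "203.0.113.7"}, breakpoint="cfw_block")` stops right after the parallel gateway without performing any action, and a context with `"whitelisted": True` skips the blocking component but still notifies, which is the behaviour of an execution condition on a component.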
Step 2: Create an automatic response rule
Automatic response rules make the system perform predefined response actions when alerts or events are triggered. For example, a rule can isolate malicious software or files or disconnect a network in response to security events such as malware infections and intrusion attempts.
After you configure an automatic response rule, the system matches security events against the rule conditions. When a security event matches, the system performs the actions that you configured in the rule, which helps you respond quickly and mitigate the impact of the event.
Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.
In the left-side navigation pane, choose .
On the Automatic Response Rule tab, click Create Rule.
In the Create Automatic Response Rule panel, configure the parameters in the following sections and click OK.
Basic Information: In this section, specify a name and an execution method for the automatic response rule. The execution method determines when the rule takes effect. The following execution methods are supported:
Alert Trigger: matches alerts based on the alert feature field and the rule condition field. If an alert is matched, the system automatically performs the actions that are predefined in the rule on the alert-triggering object, such as an IP address, file, or process.
Event Trigger: matches events based on the event feature field and the rule condition field. If an event is matched, the system automatically performs the actions that are predefined in the rule on the event-triggering object, such as an IP address, file, or process.
Rule Settings: In this section, click Add to add a rule condition. If you add multiple rule conditions, the actions of the rule are performed only if all of the conditions are matched (the conditions are combined with a logical AND).
Note: The feature fields that you need to configure vary based on the execution method.
Rule Action: In this section, configure the actions to perform on the alert-triggering or event-triggering object. Click Add to add an action. If you set Execution Method to Alert Trigger, only Run Playbook is available for Action. If you set Execution Method to Event Trigger, you can select Run Playbook, Change Event Status, or Change Risk Level.
Run Playbook: If the rule conditions are matched, the system automatically runs the playbook that you select for Specific Playbook.
Important: Automatic response rules can be associated only with published playbooks whose input parameters are in the fixed format. The start node of the selected playbook must declare at least one of the following input parameter types: request IP address, host process, host file, hostname, or Alibaba Cloud account.
Change Event Status: If the rule conditions are matched, the system changes the status of the event to Handled.
Change Risk Level: If the rule conditions are matched, the system changes the threat level of the event to high, medium, or low.
If you add multiple actions, all of them are performed at the same time once all rule conditions are matched.
On the Automatic Response Rule tab, find the automatic response rule that you created and click the icon in the Enabling Status column to enable the rule.
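The matching rules above (all conditions combined with AND, the trigger type limiting which actions are available, and the requirement that a referenced playbook be published and declare a fixed-format input parameter) are easy to get wrong when a rule is reasoned about on paper. The following added example, which is not Security Center's code, models them in Python so that candidate rules can be checked against constructed alert and event records before they are enabled in the console. The record field names, the condition operators, the playbook identifiers, and the input parameter type names are assumptions made for this illustration.

```python
"""Toy model of automatic response rule matching (added example, not Security
Center code). Field names, operators and playbook input type names are assumed."""
from typing import Any, Dict, List

# Input parameter types a playbook start node may declare in the fixed format.
# A rule may only run playbooks that declare at least one of them (assumed names).
FIXED_INPUT_TYPES = {"request_ip", "host_process", "host_file", "hostname", "aliyun_account"}

# Actions each execution method allows.
ALLOWED_ACTIONS = {
    "alert": {"run_playbook"},
    "event": {"run_playbook", "change_event_status", "change_risk_level"},
}

Rule = Dict[str, Any]
Record = Dict[str, Any]


def validate_rule(rule: Rule, playbooks: Dict[str, dict]) -> List[str]:
    """Static checks a rule must pass before it can be saved and enabled."""
    errors: List[str] = []
    trigger = rule["trigger"]
    if trigger not in ALLOWED_ACTIONS:
        return [f"unknown execution method {trigger!r}"]
    if not rule["conditions"]:
        errors.append("at least one rule condition is required")
    for action in rule["actions"]:
        kind = action["type"]
        if kind not in ALLOWED_ACTIONS[trigger]:
            errors.append(f"{kind} is not allowed for {trigger} trigger")
        elif kind == "run_playbook":
            pb = playbooks.get(action["playbook"])
            if pb is None:
                errors.append(f"playbook {action['playbook']} does not exist")
            elif not pb["published"]:
                errors.append(f"playbook {action['playbook']} is not published")
            elif not set(pb["inputs"]) & FIXED_INPUT_TYPES:
                errors.append(f"playbook {action['playbook']} has no fixed-format input parameter")
        elif kind == "change_risk_level" and action.get("level") not in {"high", "medium", "low"}:
            errors.append("change_risk_level needs level high, medium or low")
    return errors


def condition_holds(cond: dict, record: Record) -> bool:
    value = record.get(cond["field"])
    op = cond["op"]
    if op == "equals":
        return value == cond["value"]
    if op == "contains":
        return value is not None and str(cond["value"]) in str(value)
    if op == "in":
        return value in cond["value"]
    raise ValueError(f"unsupported operator {op!r}")


def matches(rule: Rule, record: Record) -> bool:
    """The record kind must equal the trigger and ALL conditions must hold."""
    return record["kind"] == rule["trigger"] and all(condition_holds(c, record) for c in rule["conditions"])


def respond(rule: Rule, record: Record, playbooks: Dict[str, dict]) -> List[str]:
    """Actions that would be performed, all together, on the triggering object."""
    if not rule.get("enabled") or validate_rule(rule, playbooks) or not matches(rule, record):
        return []
    fired: List[str] = []
    for action in rule["actions"]:
        if action["type"] == "run_playbook":
            fired.append(f"run_playbook {action['playbook']} on {record['object']}")
        elif action["type"] == "change_event_status":
            fired.append("change_event_status -> Handled")
        elif action["type"] == "change_risk_level":
            fired.append(f"change_risk_level -> {action['level']}")
    return fired


# Constructed sample data for the illustration.
PLAYBOOKS = {
    "pb-block-ip": {"published": True, "inputs": ["request_ip"]},
    "pb-draft": {"published": False, "inputs": ["request_ip"]},
    "pb-report": {"published": True, "inputs": ["ticket_id"]},   # no fixed-format input
}

MINING_ALERT_RULE: Rule = {
    "trigger": "alert", "enabled": True,
    "conditions": [{"field": "alert_type", "op": "equals", "value": "malicious_process"},
                   {"field": "alert_name", "op": "contains", "value": "mining"},
                   {"field": "severity", "op": "in", "value": ["urgent", "suspicious"]}],
    "actions": [{"type": "run_playbook", "playbook": "pb-block-ip"}],
}

INTRUSION_EVENT_RULE: Rule = {
    "trigger": "event", "enabled": True,
    "conditions": [{"field": "event_type", "op": "equals", "value": "intrusion"}],
    "actions": [{"type": "run_playbook", "playbook": "pb-block-ip"},
                {"type": "change_risk_level", "level": "high"}],
}

MINING_ALERT: Record = {"kind": "alert", "object": "198.51.100.23", "alert_type": "malicious_process",
                        "alert_name": "mining program xmrig", "severity": "urgent"}
```

With these inputs, `respond(MINING_ALERT_RULE, MINING_ALERT, PLAYBOOKS)` fires the playbook on the alert object, while the same alert with the name changed to something that does not contain "mining" fires nothing, because one failed condition is enough to block the rule. `validate_rule` rejects a Change Risk Level action on an alert-triggered rule, a reference to an unpublished playbook, and a playbook that declares no fixed-format input parameter, which are the three mistakes most likely to surface only after the rule is enabled.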
Related operations
Manage playbooks
For a predefined playbook, you can only view its details and copy it. After you create a custom playbook, you can find and manage it on the Custom Playbook tab, where you can view its details and modify it, among other operations.
View the details of the playbook
In the playbook list on the Custom Playbook tab, find the playbook and click its ID in the Playbook Name/Playbook ID column or Details in the Actions column to go to the details page of the playbook. On the details page, you can perform the following operations:
Click the icon next to the name of the current playbook and select another playbook to view the details of the selected playbook.
On the Basic Information tab, view the basic information about the playbook, enable or disable the playbook, and view historical versions of the playbook.
Important: If you roll back a playbook to an earlier version, the draft version that is saved but not published on the playbook editing page is overwritten and cannot be recovered. Make sure that the rollback does not affect your workloads before you perform this operation.
In the Release History section, find the desired version and click Roll Back and Publish in the Actions column to overwrite the draft version on the playbook editing page with the selected version and publish it.
In the Release History section, find the desired version and click Roll Back to Edit in the Actions column to overwrite the draft version on the playbook editing page with the selected version without publishing it.
On the Playbook tab, view the processes of different versions of the playbook, run the playbook of a specific version, and go to the playbook editing page.
On the Historical Execution Records tab, query the historical execution records of the playbook by version number, execution result, or execution time.
Copy the playbook
In the playbook list on the Custom Playbook tab, find the playbook and click Copy in the Actions column to go to the Copy Playbook panel. In the panel, configure the Playbook Name and Playbook Description parameters and click OK. A copy of the playbook is created. You can modify the copy based on your business requirements.
Modify the playbook
In the playbook list on the Custom Playbook tab, find the playbook and click Edit in the Actions column to go to the playbook editing page. On this page, you can modify the playbook.
Delete the playbook
In the playbook list on the Custom Playbook tab, find the playbook and click Delete in the Actions column to delete the playbook.
Note: You cannot delete predefined playbooks.
Manage automatic response rules
After you configure an automatic response rule, you can find the automatic response rule on the Automatic Response Rule tab and perform operations on the rule.
Modify the automatic response rule
In the automatic response rule list on the Automatic Response Rule tab, find the automatic response rule and click Edit in the Actions column to go to the Create Automatic Response Rule panel. In this panel, you can modify information about the automatic response rule.
Delete the automatic response rule
In the automatic response rule list on the Automatic Response Rule tab, find the automatic response rule and click Delete in the Actions column to delete the rule.