Security Center:Use SOAR

Last Updated: Nov 20, 2023

Security Orchestration Automation Response (SOAR) provided by Security Center is a comprehensive security solution in which different systems and services are orchestrated and connected based on specific logic. This solution supports automated orchestration and quick response during security O&M and helps enterprises strengthen security defense capabilities and improve the efficiency of response to security events. This topic describes how to use SOAR.

Background information

In daily security practice, security experts must perform a large number of repetitive, time-consuming operations, such as security reviews and the handling of trojans and mining programs. As a result, even experts who know the internal environment of the enterprise and the relevant counterparts, and who have the knowledge to study the behavior patterns of attackers, cannot devote themselves to more valuable work such as attack and defense exercises and security research.

SOAR is designed to automate and streamline daily routines and to accelerate response to security events. This frees security experts from onerous, trivial work and lets them focus on handling advanced persistent threats (APTs). The processes distilled from daily routines can be accumulated in SOAR as interpretable, executable standards and shared with others as best practices.

Terms

Before you get started with SOAR, you must understand the terms that are related to SOAR. The following table introduces the terms.

Term

Description

playbook

A playbook is an automated process that contains start, judgement, action, and end nodes. You can create a playbook in the same manner as you draw a standard flowchart. You can create various automated processes, such as automatic notification processes and automatic immediate remediation processes. A process consists of multiple components that are connected to each other. A process can be triggered after it is created. For example, after a ticket is created, an automatic ticket review process is triggered.

You can edit a process on a canvas in a visualized manner and define actions for each component in the process. For example, you can define the network disabling action for the terminal management component.

component

A component corresponds to an external system or service, such as Web Application Firewall (WAF), Cloud Firewall, Ticket System, a database service, or a notification service. Extensible components provide more service capabilities. A component can be interpreted as a connector that connects to an external system or service. A component does not include complex logic. Complex logic is provided by the external systems or services that are connected to components. After you select a component, you must select assets and actions for the component.

Components are classified into process orchestration components, basic orchestration components, and security application components.

asset

An asset can be interpreted as a resource of an external service. Take the MySQL component as an example. An enterprise may use multiple MySQL databases. You must decide the database to which you want to connect when you use the MySQL component.

action

An action is a type of capability provided by a component. Each component can have multiple actions. For example, the terminal management component supports actions such as disabling accounts, isolating networks, and sending notifications.

Step 1: Create a playbook

A playbook is a predefined logical process or script and can help identify, classify, judge, and respond to security events. A playbook contains multiple steps and is used to perform specific operations to determine whether threats exist and how to respond to the threats and mitigate the impacts of the threats. You can tailor a playbook based on the types and threat levels of security events to meet different security requirements. SOAR helps improve the efficiency and consistency of response to security events by virtue of playbooks.

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.

  2. In the left-side navigation pane, choose Threat Analysis > SOAR.

  3. On the Playbook tab, click New script.

  4. In the New script panel, enter a name and a description for the playbook. Then, click OK.

  5. On the Edit Playbook page, orchestrate components for the playbook.

    [Figure: Playbook editing]

    No.

    Description

    1

    The top menu bar in which entry points for different operations are displayed.

    • Save: After the orchestration is complete, you can click Save to save the playbook as a draft.

      The draft version is temporarily saved. If you roll back from an official version, the draft version may be overwritten. If you want to permanently save the playbook, click Save and Publish.

    • Check: You can click Check to check whether the process in the playbook is normal. You can publish the playbook only if the check result is normal.

    • Save and Publish: You can click Save and Publish to save and publish the playbook. Only published playbooks can be used in automatic response rules.

      You can view the version information of the playbook on the details page of the playbook. For more information, see Related operations.

    • Debug: You can click Debug, and enter parameters for debugging on the Input Parameters(Debug) tab to test whether the playbook can be run as expected.

      Implement breakpoint debugging: When you edit components on the canvas, you can select a component and click the breakpoint debugging icon to add a breakpoint for the component. This way, when you debug the playbook, execution stops at the upstream node of the component.

    • View Published Version: You can click View Published Version to view the latest version of the playbook that is published.

    • More: You can click More and perform more operations, such as saving the playbook as an XML file, importing an XML file, saving the playbook as an image, undoing an operation, and deleting a component or node.

    2

    The nodes in a playbook, including Start, End, Parallel Gateway, Conditional Gateway, and Sub-playbook nodes. Each process must start with a start node and can have multiple end nodes.

    Note

    You can move the pointer over a node and view the description of the node.

    3

    The basic orchestration components, including IT-related common components such as components used to write data to databases, write data to Log Service, and call Python 3.0 to process scripts.

    4

    The security handling components, including components related to Alibaba Cloud security services such as the component used to stop Server Guard and the blocking component in Cloud Firewall.

    5

    The canvas. You can drag the desired components to the canvas and draw lines to connect the components based on the logical relationships between the components.

    • On the canvas, you can double-click the start node that is indicated by the start node icon and configure basic information, input parameters, and trigger methods for the node.

    • On the canvas, you can double-click the desired basic orchestration component or security handling component and configure basic information, execution conditions, and actions.

    • On the canvas, you can double-click the end node that is indicated by the end node icon and configure basic information for the node.

    6

    The debugging area. After you click Debug in the top menu bar or the expand icon in the lower-right corner of the Edit Playbook page, the debugging area is displayed. You can test whether a playbook runs as expected in the debugging area.

    • Input Parameters(Debug): On this tab, you can enter parameters for debugging and click Run.

      The parameters for debugging must be in the JSON format. You can click View Sample Input to view sample input parameters.

    • Run Logs: After you run a playbook, you can click Run Logs to view the execution result and details of the playbook.

    • Historical debugging records: You can click Historical Debugging Records to view historical debugging records of a playbook.

  6. If the debugging is successful and the check result of the process is normal, click Save and Publish.

  7. In the Publish Notes dialog box, enter a description for the publish operation and click OK.

    If the current version of the playbook is published, you can view the comparison between the current version and the latest version of the playbook and the check result after you click Save and Publish. After you confirm that the version information is correct, click OK.

Step 2: Create an automatic response rule

Automatic response rules enable the system to perform predefined response actions when alerts or events are triggered. For example, a rule can isolate malicious software or files or disconnect networks in response to specific security events such as malware infections and intrusion attempts.

After you configure an automatic response rule, the system matches security events based on the effective period and rule settings that you configure. After security events are matched, the system performs the actions that you predefine in the rule to help you quickly respond to the security events and mitigate the impacts of the security events.

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.

  2. In the left-side navigation pane, choose Threat Analysis > SOAR.

  3. On the Automatic response rule tab, click Add rules.

  4. In the Create automatic response rules panel, configure parameters in the sections that are described in the following table and click OK.

    Section

    Description

    Basic Info

    In this section, you can specify a name and an execution mode for the automatic response rule. The execution mode specifies when the automatic response rule is triggered. The following execution modes are supported:

    • Alert Trigger: performs matches based on the alert feature field and the policy field. If an alert is matched, the system automatically performs the actions that are predefined in the automatic response rule on the alert-triggering object, such as an IP address, file, or process.

    • Event Trigger: performs matches based on the event feature field and the policy field. If an event is matched, the system automatically performs the actions that are predefined in the automatic response rule on the event-triggering object, such as an IP address, file, or process.

    Rule policy settings

    In this section, you can click + Add Field to add multiple policies. If you add multiple policies, the actions that are predefined in the automatic response rule can be triggered only if all policies are matched.

    Note

    The feature fields that you need to configure vary based on the execution mode.

    Action

    In this section, you can configure the actions that you want to perform on an alert-triggering object or an event-triggering object.

    You can click Add action to predefine the actions that need to be performed. If you set the Execution Method parameter to Alert Trigger, you can select only Run the script. If you set the Execution Method parameter to Event Trigger, you can select Run the script, Modify event status, and Modify threat level.

    • Run the script: If a policy is matched, the system runs the playbook that you select.

      Important

      Automatic response rules can be associated only with playbooks whose input parameters are in the fixed format. The input parameter types defined in the start node of the selected playbook must include the IP address of requests, host process, host file, hostname, or Alibaba Cloud account.

    • Modify event status: If a policy is matched, the system changes the status of an event to Handled.

    • Modify threat level: If a policy is matched, the system changes the threat level of an event to high, medium, or low.

    You can click + Add Field to add multiple actions. If you add multiple actions, the actions are performed at the same time after all policies are matched.

  5. On the Automatic response rule tab, find the automatic response rule that you created and click the switch icon in the Status column to enable the rule.
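The rule semantics described in step 4 (all policies must match, the actions allowed per execution mode, and the fixed-format input requirement for a bound playbook), modelled in Python as an added example. This is not Security Center's code or API: the Rule class, the feature field names, and the sample alert are constructed here for illustration.

```python
"""Illustrative model of SOAR automatic response rule matching (added example,
not Security Center code). Field names and sample data are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Actions each execution mode may select (per the Action section above).
ALLOWED_ACTIONS = {
    "Alert Trigger": {"Run the script"},
    "Event Trigger": {"Run the script", "Modify event status", "Modify threat level"},
}
# Start-node input types a playbook must offer to be bound to a rule (assumed names).
FIXED_INPUT_TYPES = {"request_ip", "host_process", "host_file", "hostname", "aliyun_account"}


@dataclass
class Rule:
    name: str
    mode: str                               # "Alert Trigger" or "Event Trigger"
    policies: Dict[str, str]                # feature field -> required value; all must match
    actions: List[str]
    playbook_inputs: Set[str] = field(default_factory=set)  # bound playbook's start-node inputs


def validate_rule(rule: Rule) -> List[str]:
    """Problems the console would reject: an action the mode does not allow, or a
    bound playbook whose start node has none of the fixed-format input types."""
    problems = [f"action not allowed in {rule.mode}: {a}"
                for a in rule.actions if a not in ALLOWED_ACTIONS[rule.mode]]
    if "Run the script" in rule.actions and not (rule.playbook_inputs & FIXED_INPUT_TYPES):
        problems.append("playbook start node has no fixed-format input parameter")
    return problems


def match(rule: Rule, record: Dict[str, str]) -> List[str]:
    """Actions to perform for one alert/event: every policy must match (AND), and
    then all configured actions fire together; an invalid rule never fires."""
    if validate_rule(rule):
        return []
    if all(record.get(f) == v for f, v in rule.policies.items()):
        return list(rule.actions)
    return []


# Constructed sample alert and rules (not real Security Center data).
SAMPLE_ALERT = {"alert_type": "Mining program", "threat_level": "high", "request_ip": "203.0.113.7"}
ISOLATE_RULE = Rule("isolate-miner", "Alert Trigger",
                    {"alert_type": "Mining program", "threat_level": "high"},
                    ["Run the script"], {"request_ip", "hostname"})
BAD_RULE = Rule("bad", "Alert Trigger", {"alert_type": "Mining program"},
                ["Run the script", "Modify event status"], {"request_ip"})

if __name__ == "__main__":
    print(match(ISOLATE_RULE, SAMPLE_ALERT))   # ['Run the script']
    print(validate_rule(BAD_RULE))             # one disallowed-action problem
```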

Related operations

Manage playbooks

After you create a playbook, you can find the playbook on the Playbook tab and manage the playbook.

  • View the details of the playbook

    In the playbook list on the Playbook tab, find the playbook and click its ID in the Script ID column or Details in the Actions column to go to the details page of the playbook. On the details page, you can view the basic information about the playbook, and the details and historical execution records of the playbook. On the details page, you can perform the following operations:

    • Click the drop-down icon next to the name of the current playbook and select another playbook to view the details of the selected playbook.

    • On the Basic Info tab, view the basic information about the playbook, enable or disable the playbook, and view historical versions of the playbook.

      Important

      If you perform a version rollback on a playbook, the draft version that is saved but not published on the playbook editing page is overwritten and cannot be recovered. Make sure that a version rollback does not affect your workloads before you perform this operation.

      • In the Release History section, find the desired version and click Rollback and publish in the Actions column to overwrite the draft version of the playbook on the playbook editing page with the current version and publish the playbook.

      • In the Release History section, find the desired version and click Roll back to edit in the Actions column to overwrite the draft version of the playbook on the playbook editing page with the current version.

    • On the Playbook tab, view the processes of different versions of the playbook, run the playbook of a specific version, and go to the playbook editing page.

    • On the Historical execution record tab, query the historical execution records of the playbook by version number, execution result, or execution time.

  • Edit the playbook

    In the playbook list on the Playbook tab, find the playbook and click Edit in the Solution column to go to the playbook editing page. On this page, you can modify the playbook.

  • Delete the playbook

    In the playbook list on the Playbook tab, find the playbook and click Delete in the Solution column to delete the playbook.

    Note

    You cannot delete predefined playbooks.

Manage automatic response rules

After you configure an automatic response rule, you can find the automatic response rule on the Automatic response rule tab and perform operations on the rule.

  • Modify the automatic response rule

    In the automatic response rule list on the Automatic Response Rule tab, find the automatic response rule and click Edit in the Solution column to go to the Create Automatic Response Rule panel. In this panel, you can modify information about the automatic response rule.

  • Delete the automatic response rule

    In the automatic response rule list on the Automatic Response Rule tab, find the automatic response rule and click Delete in the Solution column to delete the rule.