Playbook 2 runs actions from the PhishTank and PAN Firewall version 3.0 assets whenever a specific workbook is used in a case.

For more information about each component in the diagram, see the following table:

App: A connection to third-party security technologies. The connection allows the platform to access and run the actions provided by those technologies. Some apps also provide a visual component, such as widgets, that can be used to render data produced by the app. See Add and configure apps and assets to provide actions in the Administer manual.

Asset: A specific instance of an app. Each asset represents a physical or virtual device within your organization, such as a server, endpoint, router, or firewall. For example, you might have a Palo Alto Networks (PAN) Firewall app that connects the firewall to the platform. You can configure an asset with the specific connection details for this firewall. If your environment has multiple firewalls, you can configure one asset for each firewall.

Container: A security event that is ingested into the platform. Containers have the default label of Events. Labels are used to group related containers together. For example, containers from the same asset can all have the same label, and you can then run a playbook against all containers with that label. You can create custom labels as needed. See Configure labels to apply to containers in the Administer manual.

Case: A special kind of container that can hold other containers. For example, if you have several closely related containers for a security incident, you can promote one of those containers to a case and then add the other related containers to it. Doing this lets you consolidate your investigation rather than investigating each container individually.

Artifact: A piece of information added to a container, such as a file hash, IP address, or email header.

Indicator or Indicator of Compromise (IOC): A piece of data, such as an IP address, host name, or file hash, that populates the Common Event Format (CEF) fields in an artifact. Indicators are the smallest unit of data that can be acted upon in the platform.

Playbook: A series of automation tasks that act on new data entering the platform. For example, you can configure a playbook to run actions against all new containers with a specific label, or you can run a playbook as part of the workflow in a workbook. See Use playbooks to automate analyst workflows in the Build Playbooks with the Playbook Editor manual.

Workbook: A template providing a list of standard tasks that analysts can follow when evaluating containers or cases. See Define a workflow in a case using workbooks.

Action: A high-level primitive used throughout the platform, such as get process dump, block ip, suspend vm, or terminate process. Actions are run in playbooks or manually from the web interface.

Owner: The person responsible for managing assets in your organization. Owners receive approvals, which are requests to run a particular action on an asset.

Approval: Approvals are sent to the asset owners and contain a service level agreement (SLA) dictating the expected response time. SLAs can be set on events, phases, and tasks. See Configure approval settings for an asset in the Administer manual.