lhs-panel Click here to expand

Incident workflow management


You can mitigate security incidents in your network before they result in a breach by automating response workflows when alerts are triggered. EventLog Analyzer allows you to create workflows to automatically perform actions such as disabling USB ports, shutting down systems, and changing firewall rules when security incidents are detected.

Steps to create a workflow

  1. In EventLog Analyzer, click on the Alerts tab.
  2. Click on the More tools icon present at the top-right corner of the page.
  3. Click on Workflow to open the Manage Workflow page and click on the +Create Workflow button.
  4. Enter a name for the workflow in the Workflow Name field.
  5. Click on the Description link next to the Workflow Name field to enter an appropriate description for the workflow.
  6. Create a workflow by dragging and dropping the workflow blocks from the left pane into the space provided. Ensure that these blocks are logically arranged to execute an event in your infrastructure.
  7. EventLog Analyzer contains multiple workflow blocks to help you configure workflows to perform the required actions. The logic blocks are categorized under different sections.

    The list of workflow blocks and the details to be specified while configuring workflows using them are given below:

    Logic blocks Details to be specified
    Logic actions
    Decision

    Allows you to branch the workflow based on the status of the previous action.

     
    Time Delay

    Allows you to introduce a time delay in the execution of the workflow.

    The time delay in minutes.
    Network actions
    Ping Device

    Allows you to ping a device within your network to check connectivity

    • The name of the device to be pinged.
    • Number of echo request messages to be sent.
    • Size of the packet to be sent.
    • Timeout for the action.
    • Number of action retries within the specified time.
    Trace Route

    Allows you to run a trace route function to a device in your network to identify the path.

    • The name of the device you wish to trace the route to.
    • The maximum number of hops.
    • Timeout for the action.
    Process actions
    Test Process

    Allows you to test whether a process is running on a device.

    • The name of the device on which you want to test the process.
    • The process you want to test.
    • ExecutablePath and CommandLine to execute the process.
    Start Process

    Allows you to start a process on a device

    • The name of the device on which you want to start a process.
    • The process working directory.
    • The command to start the process.
    Stop Process

    Allows you to stop a process on a device.

    • The name of the device on which you want to stop the process.
    • The process you want to stop.
    • ExecutablePath and CommandLine to execute the process.
    Service actions
    Test Service

    Allows you to test whether a service is running on a device.

    • The name of the device on which you want to test the service.
    • The service you want to test
    Start Service

    Allows you to start a service on a device.

    • The name of the device on which you wish to start a service.
    • The service to be started.
    Stop Service

    Allows you to stop a service on a device.

    • The name of the device on which you wish to stop a service.
    • The service to be stopped
    Windows actions
    Log Off

    Allows you to log off from the currently active session on a device.

    • The name of the device you want to log off from.
    • Select whether you'd like to force this action.
    Shut Down System

    Allows you to shut down a Windows device.

    • The name of the device to be shut down.
    • Select whether you'd like to force this action.
    Restart System

    Allows you to restart a Windows device.

    • The name of the device to be restarted.
    • Select whether you'd like to force this action.
    Execute Windows Script

    Allows you to execute a specified script file on a Windows device.

    • The name of the device on which you want to execute the script file.
    • The type of script file.
    • Upload the script file to be executed.
    • Arguments to the script, if any. You can separate multiple arguments using commas.
    • Timeout for the action.
    • The working directory for the script's execution.
    Disable USB

    Allows you to disable the USB port on a device.

    • The name of the device on which you want to disable the USB port.
    Linux actions
    Shut Down Linux

    Allows you to shut down a Linux device.

    • The name of the device to be shut down.
    • Select whether you'd like to force this action.
    Restart Linux

    Allows you to restart a Linux device.

    • The name of the device to be restarted.
    • Select whether you'd like to force this action.
    Execute Linux Script

    Allows you to execute a specified script file on a Linux device.

    • The name of the device on which you want to execute the script file.
    • The type of script file.
    • Upload the script file to be executed.
    • Arguments to the script, if any. You can separate multiple arguments using commas.
    • Timeout for the action.
    • The working directory for the script's execution.
    Notification actions
    Send Pop-Up Message

    Allows you to display a pop-up message on a device.

    • The name of the device on which you want to display the message.
    • The message to be displayed.
    Send Email

    Allows you to send an email message.

    • The recipient's email address.
    • The email subject and body.
    Send SMS

    Allows you to send an SMS message.

    • The recipient's mobile number.
    • The SMS content.
    Send SNMP Trap

    Allows you to send SNMP traps to the required destination.

    • Enterprise OID.
    • SNMP Manager.
    • Message content.
    Active Directory actions
    Disable User

    Allows you to disable a user's account.

    The name of the user account you want to disable.
    Delete User

    Allows you to delete a user account.

    The name of the user account you want to delete.
    Disable Computer

    Allows you to disable a computer account.

    The name of the computer account you want to disable
    Firewall Actions
    Cisco ASA Deny Inbound Rule

    Allows you to add an deny inbound rule.

    • The name of the firewall device.
    • The Interface name.
    • Source address.
    • Destination address.
    Cisco ASA Deny Outbound Rule

    Allows you to add an deny outbound rule.

    • The name of the firewall device.
    • The Interface name.
    • Source address.
    • Destination address.
    Fortigate Deny Access Rule

    Allows you to add an deny access rule.

    • Name of the firewall device.
    • Source address.
    • Destination address.
    • Name of the source interface.
    • Name of the destination interface.
    PaloAlto Deny Access Rule

    Allows you to add an deny access rule.

    • Name of the firewall device.
    • Source address.
    • Destination address.
    • Name of the source zone.
    • Name of the destination zone.
    • Type of Rule (Universal, Intrazone or Interzone).
    SophosXG Deny Access Rule

    Allows you to add an deny access rule.

    • Name of the firewall device.
    • Source address.
    • Destination address.
    Barracuda CloudGen Deny Access Rule

    Allows you to add an deny access rule.

    • Name of the firewall device.
    • Source address.
    • Destination address.
    • Name of the source interface.
    • Name of the destination interface.
    • Type of Rule (Inbound or Outbound).
    Miscellaneous actions
    Write to File

    Allows you to write a message to a file

    • The name of the device on which the file is located.
    • The file name.
    • The absolute file path.
    • The text to be written to the file.
    • Select whether you would like to append to or overwrite a file if it already exists.
    CSV Lookup

    Allows you to search for values within a CSV file.

    • Upload the CSV file to perform by clicking on "Browse".
    • Specify the header or column number.
    • Select the field to be matched.
    Forward Logs

    Allows you to forward logs to the required destination.

    • Name of the destination server.
    • The protocol to be used.
    • Port number and standard.
    HTTP Request

    Allows you to send an HTTP request to a URL.

    • The URL to which you want to send an HTTP request to.
    • Specify the Method you want to use (Get or Post).
    • Add the required headers.
    • Add the required parameters.
    ADManager Plus actions
    Workflow Blocks Details to be specified
    Disable User

    Allows you to disable a user account

    • The name of the block.
    • The action to be performed (here, Disable User).
    • A brief description for this block to record its purpose in the workflow.
    • The username of the user account you want to disable.
    Delete User

    Allows you to delete a user account

    • The name of the block.
    • The action to be performed (here, Delete User).
    • A brief description for this block to record its purpose in the workflow.
    • The username of the user account you want to delete.
    Disable Computer

    Allows you to disable a computer account.

    • The name of the block.
    • The action to be performed (here, Disable Computer).
    • A brief description for this block to record its purpose in the workflow.
    • The device name of the computer account you want to disable.
    Reset user password

    Allows the user to reset their password

    • The name of the block.
    • The action to be performed (here, Reset user password).
    • A brief description for this block to record its purpose in the workflow.
    • The username of the user account you want to reset the password.
    • The type of password that you want: Random or Custom.
    Add user to group

    Allows you to add a user to a particular group

    • The name of the block.
    • The action to be performed (here, Add user to group).
    • A brief description for this block to record its purpose in the workflow.
    • The username of the user account you want to add to the group.
    • The name of the group you want to add the user.
    Remove user from group

    Allows you to remove a user from a particular group

    • The name of the block.
    • The action to be performed(here, Remove user from group).
    • A brief description for this block to record its purpose in the workflow.
    • The username of the user account you want to remove from the group.
    • The name of the group that you want to remove the user from, or remove the user from all the groups that are available.
    Enable user

    Allows you to enable a disabled user account

    • The name of the block.
    • The action to be performed(here, Enable user).
    • A brief description for this block to record its purpose in the workflow
    • The username of the user account you want to enable.
    Unlock user

    Allows you to unlock a locked user account

    • The name of the block.
    • The action to be performed(here, Unlock user).
    • A brief description for logic block to record its purpose in the workflow.
    • The username of the user account you want to unlock.
    Update user

    Allows you to update an attribute of a user

    • The name of the block.
    • The action to be performed(here, Update user).
    • A brief description for this block to record its purpose in the workflow.
    • The username of the user account you want to update.
    • The attribute that you want to update in the user account's data.
    • The value of the attribute that needs to be updated.
    Delete Computer

    Allows you to delete a computer account

    • The name of the block.
    • The action to be performed(here, Delete Computer).
    • A brief description for this block to record its purpose in the workflow.
    • The device name of the computer account you want to delete.
    Enable computer

    Allows you to enable a disabled computer account

    • The name of the block.
    • The action to be performed(here, Enable Computer).
    • A brief description for this block to record its purpose in the workflow.
    • The device name of the computer account you want to enable.
    Endpoint Central actions
    Workflow Blocks Details to be specified
    Install Patch

    Allows you to install a patch on a specific device for a detected vulnerability.

    • The name of the block.
    • Name/IP of the destination device to install patch
    • Name of the deployment configuration
    • Description for the deployment configuration
    • Vulnerability identifier will be extracted from alert criteria
    • Deployment policy to be applied
    Approve Patch

    Allows you to approve patches for the detected vulnerability.

    • The name of the block
    • Vulnerability identifier will be extracted from alert criteria.

    Note: To utilize the Endpoint Central actions, please configure data enrichment for ManageEngine Endpoint Central. Click here to know how.

  8. You can enter a brief description for each logic block to record its purpose in the workflow. This makes it easier for you to understand and edit the workflow later.
  9. Click on the Save button to create the workflow.

To edit an existing workflow you can click on the edit icon present against the workflow name in the Manage Workflow page.

NOTE:

List of devices supported:

  • All types of Windows operating system.
  • Linux operating systems :
    • Ubuntu
    • Debian
    • Fedora
    • CentOS
    • Red Hat Enterprise Linuc (RHEL)
    • Arch Linux
    • SUSE Linux Enterprise Server (SLES)
    • openSUSE
    • Gentoo OS

Managing workflows

You can view and edit existing workflows in EventLog Analyzer by navigating to the Alerts tab and clicking on Workflow from the More tools icon. The Manage Workflows page displays the list of workflows, their descriptions, the number of alert profiles associated with each workflow, and their histories. You can enable or disable, delete, edit, and copy the workflows by clicking on the respective icons.

Updating workflow credentials

You can automate workflows on Windows, Linux, and Cisco devices for which you have administrative privileges. You have to update credentials of these devices in EventLog

Analyzer for seamless execution of the workflows.

To automate workflows in Windows devices:

If the Windows devices have already been added to EventLog Analyzer, workflows can be executed by using the devices credentials or the domain credentials of the devices. So, you need not manually update credentials for Windows devices.

To automate workflows in Linux devices

You can configure a set of common credentials for executing workflows in all Linux devices by following the steps given below:

  • Click on the Workflow Credentials link present in the Manage Workflow page.
  • Select credential type as Linux Devices.
  • Enter the username, password, and port number.
  • Click on Update to store and use these credentials to execute workflows in all Linux devices.

To automate workflows in Cisco devices

You must configure the REST API agent in the Cisco firewall to execute workflows by following the steps given in this link. (The Cisco REST API supported versions are listed here).

You can configure a set of common credentials for executing workflows in all Cisco devices using EventLog Analyzer by following the steps given below:

  • Click on the Workflow Credentials link present in the Manage Workflow page.
  • Select credential type as Cisco Devices.
  • Enter the username and password.
  • Click on Update to store and use these credentials to execute workflows in all Cisco devices.

If the common credentials do not work for certain Cisco Devices, you need to configure the credentials for those devices by following the steps given below:

  • Navigate to Settings → Configuration → Manage Devices → Syslog Devices.
  • Hover your mouse pointer near the device on which you want to execute workflows and click on the edit icon.
  • In the Update Device pop-up menu, click on Advanced.
  • Select the Configure REST API Credentials check box.
  • Enter a username and password.
  • Click on Verify Credential to send a REST API call to the Cisco device to verify if the credentials are valid.
  • Click on Update to store and use the specified credentials for executing workflows.

To automate workflows in Fortigate devices

In order to generate an API token to execute workflows in Fortigate devices, you need to create a new REST API Admin using the steps given below:

Step-1: Create Administrator profile

  • Navigate to System from the sections listed on the left in the dashboard.
  • Click on the Admin Profiles under the System section.
  • Click the Create icon to start creating a new admin profile.
  • You will see the New Admin Profile window open up.
  • Enter an appropriate name for your admin profile.
  • Select access control permissions for different functionalities between None, Read, Read/Write or Custom.
  • Select Read/Write for both Policy and Address options under Firewall Option.
  • Click OK to create your new admin profile

Step-2: Create a REST API Admin and generate an API key

  • Navigate to System from the sections listed on the left in the dashboard.
  • Select Administrators under System section.
  • Click on the Create New icon.
  • Select REST API Admin option.
  • You will see the New REST API Admin window open up.
  • Enter an appropriate username for your REST API admin profile.
  • Select your previously created Administrator Profile from the drop down menu.
  • Click on OK to confirm your New REST API Admin.
  • Once you are done with this process, the system will automatically generate a new API key, which will be displayed only once.
  • Copy the generated API key before shutting it down.

Note: In case you lose your newly generated API key, you can go back to the Administrator section and click on the Regenerate icon.

After this process, You can configure a set of common credentials for executing workflows in all Fortigate devices using EventLog Analyzer by following the steps given below:

  • Click on the Workflow Credentials present on the top-right corner of the Manage Workflow page.
  • Select credential type as Fortigate Devices.
  • Enter the generated API key along with the Username in the workflow credentials page.
  • Click on Update to store and use these credentials to execute workflows in all Fortigate devices.

To automate workflows in PaloAlto devices

To execute workflows successfully, API access should be enabled by following the steps given here. Please note that the required permissions for the user under XML API are:

  • Configuration
  • Operational Requests
  • Commit

You can configure a set of common credentials for executing workflows in all PaloAlto devices by following the steps given below:

  • Click on Workflow Credentials on the top-right corner of the Manage Workflow page.
  • Select credential type as PaloAlto Devices.
  • Enter the created administrator Username/Password.
  • Click on Update to store and use these credentials to execute workflows in all PaloAlto devices.

To automate workflows in SophosXG devices

You must configure the encrypted password to execute workflows of SophosXG devices to to execute workflows in them. First, generate the encrypted password using the steps given in the links below:

Step 1: Create an Administrator Profile.

Step 2: Create an Administrator.

Step 3: Allow API Access.

Step 4: Generate Encrypted password.

After generating the encrypted password, you can configure a set of common credentials for executing workflows in all SophosXG devices by following the steps given below:

  • Click on the Workflow Credentials present on the top-right corner of the Manage Workflow page.
  • Select credential type as SophosXG Devices.
  • Enter the encrypted password along with the Username in the workflow credentials page.
  • Click on Update to store and use these credentials to execute workflows in all SophosXG devices.

To automate workflows in Barracuda CloudGen devices

In order to execute workflows in Barracuda CloudGen devices, you need to create an X-API Token using the steps given below:

Step 1: Enable the REST API for HTTPS.

Step 2: Create an Administrator Profile for REST API authentication.

Step 3: Create an X-API Token for authentication.

After finishing the process, you can configure a set of common credentials for executing workflows in all Barracuda CloudGen devices by following the steps given below:

  • Click on the Workflow Credentials present on the top-right corner of the Manage Workflow page.
  • Select credential type as Barracuda CloudGen Devices
  • Enter the generated Access Token along with the Username in the workflow credentials page.
  • Click on Update to store and use these credentials to execute workflows in all Barracuda CloudGen devices.

Automating workflows in ADManager Plus

ADManager Plus , an IGA solution with hybrid AD management, reporting, and automation capabilities, must be integrated with EventLog Analyzer for the successful execution of response workflows. The list of actions that can be added to the workflow are called workflow blocks. These actions include:

  • Enabling, disabling, updating and deleting a user
  • Enabling, disabling and deleting a computer
  • Resetting a user's password
  • Adding to, and removing users from a group

Only after the integration is complete, can any of these actions be carried out.

You can set up an integration in EventLog Analyzer to execute actions via ADManager Plus. Here are the steps:

  1. Click on Workflow Credentials at the top-right corner of the Manage Workflow page.
  2. Select credential type as ADManager Plus
  3. Fill in the required details about the Host, Protocol, Port and Auth Token.
  4. Click on Update, to integrate ADManager Plus with EventLog Analyzer.
  5. Automating workflows in ADManager Plus
  6. If the SOAR Workflow in ADManager Plus is not enabled, integration failure will occur.
  7. Automating workflows in ADManager Plus
  8. After a successful integration, the user can begin constructing the workflow.
  9. Automating workflows in ADManager Plus

Additionally, the user will not be able to construct workflows following an unsuccessful integration.

Automating workflows in ADManager Plus
Note:
  • Event Log Analyzer version above 12430 and ADManager Plus version above 7224 are required for this integration.
  • Integration must also be enabled for EventLog Analyzer in the ADManager Plus integration configuration page.
  • One help desk technician (HDT) license can only be used to perform a maximum of 50 actions per day. To perform more actions, ensure you have additional HDT licenses purchased in ADManager Plus.
  • The default admin account will not be considered as a HDT account.

Enabling tight integration for EventLog Analyzer in ADManager Plus

To perform Workflow actions from Eventlog Analyzer, tight integration must be enabled from within ADManager Plus. Here are the steps to do this:

  1. In ADManager Plus, click on the Admin tab.
  2. Click on Integrations under System Settings.
  3. Select EventLog Analyzer under Log Forwarding.
  4. Automating workflows in ADManager Plus
  5. Enable SOAR workflow by checking the Allow LOG360 SIEM to execute AD Management actions box.
  6. Click the Test Connection and Save button.
  7. This will enable SOAR workflow in ADManager Plus to execute workflow actions from EventLog Analyzer.
  8. Automating workflows in ADManager Plus

Automating workflows in SNMP TRAP

To automate all SNMP Trap workflows using EventLog Analyzer, you can configure a common credential by following these steps:

  • Navigate to the Manage Workflow page and click on the Workflow Credentials link.
  • Choose SNMP Trap as the credential type.
  • Enter the SNMP credential.
  • Click Add/Update to save. This credential will now be used to execute all SNMP Trap workflows.
  • Automating workflows in SNMP TRAP

Note: Refer to the port management page for details on how to update credentials.

Copyright © 2020, ZOHO Corp. All Rights Reserved.

Get download link