Automation rules

更新时间:
复制 MD 格式

Automation rules in Agentic SOC orchestrate security systems and services through SOAR (Security Orchestration, Automation, and Response), enabling automated responses to alerts and incidents.

Background

Security experts spend significant time on routine tasks like security reviews and handling trojans and mining programs, limiting their focus on critical work such as network defense and security research.

SOAR automates daily security routines and accelerates incident response. This frees security experts to focus on advanced persistent threats (APTs). Routine processes documented as clear, executable standards in SOAR provide best practices for others.

Terms

Key concepts for automation rules:

Term

Description

playbook

  • A structured response plan that defines the steps to take when specific incidents or threats are detected.

  • Set Run Playbook as the action of an automation rule to automatically handle alerts and incidents.

  • Each playbook contains a single process. You can apply version control, run input/output tests, track execution counts, and analyze results.

  • Playbook types:

    • Predefined Playbook: Ready-to-use playbooks for common cloud security threats. Apply them directly in automation rules. For example, a built-in playbook can block high-risk inbound IP addresses through an Alibaba Cloud security group.

    • Custom Playbook: User-defined playbooks with flexible component configurations. Ideal for complex logic or specific business scenarios.

process

  • A series of sequentially executed tasks or actions that achieve a specific goal through predefined steps. Examples include automatic notification and immediate remediation processes.

  • Build automated processes like standard flowcharts. Each process contains start, judgement, action, and end nodes composed of connected components. Edit the process visually on a canvas and define actions for each component, such as the network disabling action for the terminal management component.

  • A process can be triggered after it is created. For example, creating a ticket can trigger an automatic ticket review process.

component

  • A component corresponds to an external system or service, such as WAF, firewall, Ticket System, a database, or a notification service. Components act as connectors — they do not contain complex logic but delegate to the connected external systems.

  • After you select a component, you must select assets and actions for the component.

  • Components are classified into process orchestration components, basic orchestration components, and security handling components.

resource instance

A specific resource within an external service. For example, if you use the MySQL component, you must specify which MySQL database to connect to.

action

A capability provided by a component. Each component supports multiple actions. For example, the terminal management component offers actions like disabling accounts, isolating networks, and sending notifications.

Process flowchart

image