Workflows
Last updated
Build customized workflows on top of Event Streams to improve the detection of potential attacks. With just a few clicks you can correlate different logs and raise alerts for the scenarios you define.
Click "Add Workflow" to create a new workflow. Assign a unique name and a short description. Below this, define a "severity level". The choices here are: Low, Medium, High and Critical. The selected severity level will be displayed later under Incidents and will help you to prioritize quickly.
Now select an event stream from the list and define the condition under which the workflow is to be triggered. With the help of the text modules, numerous scenarios can be built. Add further conditions via the "Add Workflow condition" button to tailor the workflow to your scenario.
Under "Type" you have the choice between:
Filter: Enter a field name that is relevant for the event. Under Operator, choose whether this field must be equal or unequal to a given value.
Group: Use this type to correlate related events within the logs. Example: suppose you want to detect a user who logs in and then logs out within a short period of time. By setting the process ID as the "Group" field, logon and logoff are evaluated per process, so you analyze each user's logon behaviour separately and avoid the alert being triggered whenever user A logs in and user B logs out.
Display Field: Specify fields that should be shown directly in the captured event, without having to open the detail view first.
By clicking on "Add Refinement", you can include further fields of the previously defined stream.
By clicking on "Add workflow condition", you can also include events from other streams.
Finally, save your workflow by clicking the "Add Workflow" button.
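To make the Filter, Group and Display Field types concrete, the following Python reproduces the logon/logoff scenario from the Group description over a constructed set of events. This is example code written for this page, not the product's own implementation; the event field names (event, user, pid, src), the 60-second window, the Medium severity and the "svc-backup" account are assumptions made for the example. Run ungrouped, the workflow pairs alice's logon with bob's logoff; grouped by user (or pid), only carol's short session is reported, and the "unequal" filter keeps the service account out.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample events from a hypothetical authentication stream.
# "pid" stands in for the process ID used in the Group example above.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:00", "event": "logon",  "user": "alice",      "pid": "4711", "src": "10.0.0.5"},
    {"ts": "2024-05-01T10:00:20", "event": "logoff", "user": "bob",        "pid": "5122", "src": "10.0.0.9"},
    {"ts": "2024-05-01T10:03:00", "event": "logoff", "user": "alice",      "pid": "4711", "src": "10.0.0.5"},
    {"ts": "2024-05-01T11:00:00", "event": "logon",  "user": "carol",      "pid": "6001", "src": "10.0.0.7"},
    {"ts": "2024-05-01T11:00:15", "event": "logoff", "user": "carol",      "pid": "6001", "src": "10.0.0.7"},
    {"ts": "2024-05-01T12:00:00", "event": "logon",  "user": "svc-backup", "pid": "7000", "src": "10.0.0.2"},
    {"ts": "2024-05-01T12:00:05", "event": "logoff", "user": "svc-backup", "pid": "7000", "src": "10.0.0.2"},
]


@dataclass
class Filter:
    """A 'Filter' refinement: one field compared with a value by an operator."""
    field: str
    operator: str  # "equal" or "unequal", the two operators the page lists
    value: str

    def matches(self, event: dict) -> bool:
        actual = event.get(self.field)
        if self.operator == "equal":
            return actual == self.value
        if self.operator == "unequal":
            return actual != self.value
        raise ValueError(f"unknown operator {self.operator!r}")


@dataclass
class Workflow:
    name: str
    severity: str              # Low / Medium / High / Critical
    opening: list              # filters the first event must satisfy
    closing: list              # filters the follow-up event must satisfy
    window: timedelta          # maximum time between opening and closing event
    group_by: Optional[str]    # 'Group' field; None reproduces ungrouped matching
    display_fields: list       # 'Display Field' entries copied into the incident


def run_workflow(wf: Workflow, events: list) -> list:
    """Replay events in time order; return one incident per matched pair."""
    pending = {}    # group key -> (timestamp, event) of the last opening event
    incidents = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        # Without a Group field every event shares one bucket, so any logon
        # can be paired with any later logoff, whoever performed it.
        key = ev.get(wf.group_by) if wf.group_by else "*"
        if all(f.matches(ev) for f in wf.opening):
            pending[key] = (ts, ev)
        elif all(f.matches(ev) for f in wf.closing) and key in pending:
            t0, _ = pending.pop(key)
            if ts - t0 <= wf.window:
                incidents.append({
                    "workflow": wf.name,
                    "severity": wf.severity,
                    "elapsed_s": (ts - t0).total_seconds(),
                    # Display Fields are shown with the incident directly
                    "display": {f: ev.get(f) for f in wf.display_fields},
                })
    return incidents


def short_session_workflow(group_by: Optional[str], exclude_service: bool = True) -> Workflow:
    """Logon followed by logoff within 60 s (assumed window), optionally grouped,
    with the assumed service account excluded via an 'unequal' filter."""
    opening = [Filter("event", "equal", "logon")]
    if exclude_service:
        opening.append(Filter("user", "unequal", "svc-backup"))
    return Workflow(
        name="short-lived session",
        severity="Medium",
        opening=opening,
        closing=[Filter("event", "equal", "logoff")],
        window=timedelta(seconds=60),
        group_by=group_by,
        display_fields=["user", "src"],
    )


if __name__ == "__main__":
    for label, wf in (("ungrouped", short_session_workflow(None)),
                      ("grouped by user", short_session_workflow("user"))):
        for inc in run_workflow(wf, SAMPLE_EVENTS):
            print(label, inc)
```

The ungrouped run reports bob's logoff 20 seconds after alice's logon as a short session, which is exactly the false alert the Group type is meant to prevent; alice's own logoff three minutes later falls outside the window and is correctly ignored once events are grouped by user.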