Creating and managing incident workflows


EventLog Analyzer allows you to automate incident response through the use of incident workflows. An incident workflow describes a series of automated measures to be taken in response to a security incident. You can create multiple incident workflows using the flexible workflow builder and assign each of them to one or more security incidents. This page explains how to manage workflows, add the credentials they need, and build workflows with the workflow builder.


Manage workflows

The Manage Workflows page shows your existing workflows.


Access this page by navigating to:

Alerts > Manage Workflows


EventLog Analyzer also provides several predefined workflow templates, which are listed on this page. To act on a workflow, hover over it and click the icon for the action you want (for example, edit or copy).

Adding credentials

Often, the actions automated by a workflow require administrative privileges. If the device on which the action is to be taken has already been added in EventLog Analyzer, the stored credentials are used. If the device has not been added, or the stored credentials don't work, you can store alternate credentials through the Manage Workflows page. Click the Workflow credentials button and select Edit to add new credentials or edit the ones that are already stored.

Note: Only one set of credentials can be stored for each type of device. Because that one set is used on every device of that type, it should be a dedicated account with only the rights the workflow actions need, not a general-purpose domain administrator.

Using the workflow builder

The workflow builder is an intuitive drag-and-drop interface which helps you build workflows by selecting actions from a provided menu and arranging them in the required order.


The workflow builder can be opened either to create a new workflow or to edit an existing one (using the edit icon on the Manage Workflows page). You can also copy an existing workflow and edit the copy.


Currently, the following actions and logical blocks are provided, together with the parameters to be set for each:

Network actions

Ping device: Ping a device within your network to check connectivity.
    • The device to be pinged.
    • Number of echo request messages to be sent.
    • Size of the packet to be sent.
    • Timeout for the action.
    • Number of times to retry the action within the specified time.
Trace route: Run a trace route function to a device in your network.
    • The device you wish to trace a route to.
    • The maximum number of hops before stopping the trace.
    • Timeout for the action.

Process actions

Test process: Test whether a process is running on a device.
    • The device on which you wish to test the process.
    • The process you wish to test.
    • Optionally, provide additional parameters to find the process required, such as the ExecutablePath and CommandLine.
Start process: Start a process on a device.
    • The device on which you wish to start a process.
    • The working directory for the process.
    • The command to start the process.
Stop process: Stop a process on a device.
    • The device on which you wish to stop the process.
    • The process you wish to stop.
    • Optionally, provide additional parameters to find the process required, such as the ExecutablePath and CommandLine.
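The ExecutablePath and CommandLine fields that narrow the Test process and Stop process actions are the properties of the same name on the Win32_Process class. The following script is an added example, not EventLog Analyzer code, that reproduces such a lookup locally so you can check what a given filter will match before wiring it into a workflow. It assumes the action compares against those Win32_Process properties; the wildcard matching and the sample filter (a PowerShell instance running an encoded command) are this example's, not the product's.

```powershell
# Added example (not EventLog Analyzer code): reproduce a "Test process" /
# "Stop process" lookup narrowed by ExecutablePath and CommandLine.
# Assumption: the action evaluates these against the Win32_Process properties
# of the same name; the wildcard rules below are this example's own.

function Find-MatchingProcess {
    param(
        [Parameter(Mandatory)] [string] $Name,   # e.g. powershell.exe
        [string] $ExecutablePathLike = '*',      # wildcard on the full image path
        [string] $CommandLineLike    = '*'       # wildcard on the command line
    )
    # Escape single quotes so a caller-supplied name cannot alter the WQL filter.
    $safeName = $Name -replace "'", "''"
    # Filter on the name first (cheap), then refine on the two optional fields.
    Get-CimInstance -ClassName Win32_Process -Filter "Name = '$safeName'" |
        Where-Object {
            $_.ExecutablePath -like $ExecutablePathLike -and
            $_.CommandLine    -like $CommandLineLike
        } |
        Select-Object ProcessId, ParentProcessId, ExecutablePath, CommandLine
}

# "Test process": is there a PowerShell instance started with -EncodedCommand?
$hits = Find-MatchingProcess -Name 'powershell.exe' -CommandLineLike '*-EncodedCommand*'
if (-not $hits) {
    Write-Output 'No matching process'
    exit 1     # non-zero exit so a following Decision block can take the failure branch
}

# "Stop process": terminate only the matching instances, never every powershell.exe.
foreach ($p in $hits) {
    Write-Output ("Stopping PID {0}: {1}" -f $p.ProcessId, $p.CommandLine)
    Stop-Process -Id $p.ProcessId -Force
}
exit 0
```

Narrowing by CommandLine matters for the Stop process action in particular: matching on the process name alone would kill every instance of a common binary, including legitimate administrative sessions.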

Service actions

Test service: Test whether a service is running on a device.
    • The device on which you wish to test the service.
    • The service you wish to test.
Start service: Start a service on a device.
    • The device on which you wish to start a service.
    • The service to be started.
Stop service: Stop a service on a device.
    • The device on which you wish to stop a service.
    • The service to be stopped.

Windows actions

Log off: Log off from the currently active session on a device.
    • The device to be logged off.
    • Select whether you'd like to force this action.
Shut down system: Shut down a Windows device.
    • The device to be shut down.
    • Select whether you'd like to force this action.
Restart system: Restart a Windows device.
    • The device to be restarted.
    • Select whether you'd like to force this action.
Execute Windows script: Execute a specified script file on a Windows device.
    • The device on which to execute the script file.
    • The type of script file.
    • Upload the script file to be executed.
    • Arguments to the script, if any. Separate multiple arguments using commas.
    • Timeout for the action.
    • The working directory for the script's execution.
Disable USB: Disable USB storage on a device. The note at the end of this page shows that this works through the USBSTOR driver's Start value, so it blocks USB mass-storage devices rather than every USB device.
    • The device on which to disable USB storage.
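As an added example of a file that could be uploaded to the Execute Windows script action (it is not part of EventLog Analyzer), the script below blocks a source address on the device's Windows Firewall. It assumes the action passes the comma-separated arguments to the script positionally (here the address to block, typically filled from an incident macro, and an incident label) and that a non-zero exit code is what a following Decision block sees as failure. Validating the argument before acting is the important part: a macro that expands to an empty string or a hostname must not produce a rule with an unintended scope.

```powershell
<#
  Added example of a script for the "Execute Windows script" action; not
  EventLog Analyzer code. Assumptions: the action runs this file with the
  listed arguments (address to block, incident label) and treats a non-zero
  exit code as failure for a following Decision block.
  Usage: Block-SourceAddress.ps1 <ip-address> <incident-label>
#>
param(
    [Parameter(Mandatory)] [string] $Address,
    [string] $Label = 'incident'
)

$ErrorActionPreference = 'Stop'

# Validate before touching the firewall: a macro-filled argument may be empty
# or not an address at all.
$parsed = $null
if (-not [System.Net.IPAddress]::TryParse($Address, [ref] $parsed)) {
    Write-Error "Not an IP address: '$Address'"
    exit 2
}
# Refuse loopback and unspecified addresses so a bad macro cannot lock the
# responder out of the device.
if ([System.Net.IPAddress]::IsLoopback($parsed) -or $Address -in @('0.0.0.0', '::')) {
    Write-Error "Refusing to block $Address"
    exit 2
}

# One rule name per address and label, so re-running the workflow is idempotent.
$ruleName = "ELA-Block-$Label-$($parsed.ToString())"
$existing = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if ($existing) {
    Write-Output "Rule '$ruleName' already present"
    exit 0
}

foreach ($dir in 'Inbound', 'Outbound') {
    New-NetFirewallRule -DisplayName $ruleName -Direction $dir -Action Block `
        -RemoteAddress $parsed.ToString() -Profile Any -Enabled True | Out-Null
}
Write-Output "Blocked $Address in both directions as '$ruleName'"
exit 0
```

Keep the rule name prefix consistent across workflows so that rules created automatically can be listed and removed later with Get-NetFirewallRule and Remove-NetFirewallRule once the incident is closed.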

Linux actions

Shut down Linux: Shut down a Linux device.
    • The device to be shut down.
    • Select whether you'd like to force this action.
Restart Linux: Restart a Linux device.
    • The device to be restarted.
    • Select whether you'd like to force this action.
Execute Linux script: Execute a specified script file on a Linux device.
    • The device on which to execute the script file.
    • The type of script file.
    • Upload the script file to be executed.
    • Arguments to the script, if any. Separate multiple arguments using commas.
    • Timeout for the action.
    • The working directory for the script's execution.

Notification actions

Send pop-up message: Display a pop-up message on a device.
    • The device on which to display the message.
    • The message to be displayed. You can select macros from the adjacent list to customize your message to a particular incident.
Send email: Send an email message.
    • The recipient's email address.
    • The email subject and body. You can select macros from the adjacent list to customize your message to a particular incident.
Send SMS: Send an SMS message.
    • The recipient's mobile number.
    • The SMS content. You can select macros from the adjacent list to customize your message to a particular incident.

Active Directory actions

Disable user: Disable a user's account.
    • The user account you wish to disable.
Delete user: Delete a user account. Unlike disabling, this cannot be undone from EventLog Analyzer, so disabling is usually the safer first response.
    • The user account you wish to delete.
Disable computer: Disable a computer account.
    • The computer account you wish to disable.

Miscellaneous actions

Write to file: Write a message to a file.
    • The device on which the file is located.
    • The file name.
    • The absolute file path.
    • The text to be written to the file. You can select macros from the adjacent list to customize the text to a particular incident.
    • Select whether you would like to append to or overwrite a file if it already exists.

Logic blocks

Decision: Use this to branch the workflow based on whether the previous action succeeded or failed.
Time delay: Use this to introduce a time delay in the execution of the workflow.
    • The time delay in minutes.


Apart from the parameters specified above, you can also give each action or block in your workflow a unique name and description to make your workflow more meaningful. You can also provide a name and description for the overall workflow in the space provided in the top left of the interface.


Once you have created a workflow, click Save. You can edit it at any later time using the edit icon for this workflow on the Manage Workflows page.


Note

When you disable USB storage on a Windows device, you can follow the procedure below to re-enable it. The Start value of the USBSTOR service controls whether the USB mass-storage driver loads: 3 (demand start) is the Windows default, and 4 disables the driver.

  1. Open regedit
  2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbstor
  3. Double-click Start
  4. Change the value to 3
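The same change can be made and verified from an elevated PowerShell session on the affected device. This is an added example rather than part of the EventLog Analyzer documentation; it reads the current Start value, restores 3, and then checks the result instead of trusting the write, since group policy or another endpoint agent may reset the value.

```powershell
# Added example, not from the EventLog Analyzer documentation: re-enable USB
# mass storage after the "Disable USB" action by restoring the USBSTOR driver's
# Start value, then verify. Start = 3 (demand start) is the Windows default;
# 4 disables the driver. Run from an elevated PowerShell session.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-UsbStorageState {
    $start = (Get-ItemProperty -Path $key -Name Start).Start
    switch ($start) {
        3       { 'enabled (Start=3)' }
        4       { 'disabled (Start=4)' }
        default { "unexpected Start=$start" }
    }
}

Write-Output "Before: $(Get-UsbStorageState)"
Set-ItemProperty -Path $key -Name Start -Value 3 -Type DWord
Write-Output "After:  $(Get-UsbStorageState)"

# Check the value actually stuck rather than assuming the write succeeded
# (for example, a policy or another agent may re-apply Start=4).
if ((Get-ItemProperty -Path $key -Name Start).Start -ne 3) {
    Write-Error 'USBSTOR Start value was not restored to 3'
    exit 1
}
exit 0
```

Because USBSTOR is only the mass-storage class driver, this script (like the Disable USB action it reverses) affects removable storage and not USB keyboards, mice or other device classes.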
