
    Incident workflow management


    You can mitigate security incidents in your network before they result in a breach by automating response workflows when alerts are triggered. EventLog Analyzer allows you to create workflows to automatically perform actions such as disabling USB ports, shutting down systems, and changing firewall rules when security incidents are detected.

    Steps to create a workflow

    1. In EventLog Analyzer, click on the Alerts tab.
    2. Click on the More tools icon present at the top-right corner of the page.
    3. Click on Workflow to open the Manage Workflow page and click on the +Create Workflow button.
    4. Enter a name for the workflow in the Workflow Name field.
    5. Click on the Description link next to the Workflow Name field to enter an appropriate description for the workflow.
    6. Create a workflow by dragging and dropping the workflow blocks from the left pane into the space provided. Ensure that the blocks are arranged in the logical order in which the actions should be executed in your infrastructure.

    EventLog Analyzer contains multiple workflow blocks to help you configure workflows to perform the required actions. The logic blocks are categorized under different sections.

    The list of workflow blocks and the details to be specified while configuring workflows using them are given below:

    Logic actions
    Decision

    Allows you to branch the workflow based on the status of the previous action.

    No further details need to be specified.
    Time Delay

    Allows you to introduce a time delay in the execution of the workflow.

    The time delay in minutes.
    Network actions
    Ping Device

    Allows you to ping a device within your network to check connectivity.

    • The name of the device to be pinged.
    • Number of echo request messages to be sent.
    • Size of the packet to be sent.
    • Timeout for the action.
    • Number of action retries within the specified time.
    Trace Route

    Allows you to run a trace route function to a device in your network to identify the path.

    • The name of the device you wish to trace the route to.
    • The maximum number of hops.
    • Timeout for the action.
    Process actions
    Test Process

    Allows you to test whether a process is running on a device.

    • The name of the device on which you want to test the process.
    • The process you want to test.
    • ExecutablePath and CommandLine to execute the process.
    Start Process

    Allows you to start a process on a device.

    • The name of the device on which you want to start a process.
    • The process working directory.
    • The command to start the process.
    Stop Process

    Allows you to stop a process on a device.

    • The name of the device on which you want to stop the process.
    • The process you want to stop.
    • ExecutablePath and CommandLine to execute the process.
    Service actions
    Test Service

    Allows you to test whether a service is running on a device.

    • The name of the device on which you want to test the service.
    • The service you want to test.
    Start Service

    Allows you to start a service on a device.

    • The name of the device on which you wish to start a service.
    • The service to be started.
    Stop Service

    Allows you to stop a service on a device.

    • The name of the device on which you wish to stop a service.
    • The service to be stopped.
    Windows actions
    Log Off

    Allows you to log off from the currently active session on a device.

    • The name of the device you want to log off from.
    • Select whether you'd like to force this action.
    Shut Down System

    Allows you to shut down a Windows device.

    • The name of the device to be shut down.
    • Select whether you'd like to force this action.
    Restart System

    Allows you to restart a Windows device.

    • The name of the device to be restarted.
    • Select whether you'd like to force this action.
    Execute Windows Script

    Allows you to execute a specified script file on a Windows device.

    • The name of the device on which you want to execute the script file.
    • The type of script file.
    • Upload the script file to be executed.
    • Arguments to the script, if any. You can separate multiple arguments using commas.
    • Timeout for the action.
    • The working directory for the script's execution.
    Disable USB

    Allows you to disable the USB port on a device.

    • The name of the device on which you want to disable the USB port.
    Linux actions
    Shut Down Linux

    Allows you to shut down a Linux device.

    • The name of the device to be shut down.
    • Select whether you'd like to force this action.
    Restart Linux

    Allows you to restart a Linux device.

    • The name of the device to be restarted.
    • Select whether you'd like to force this action.
    Execute Linux Script

    Allows you to execute a specified script file on a Linux device.

    • The name of the device on which you want to execute the script file.
    • The type of script file.
    • Upload the script file to be executed.
    • Arguments to the script, if any. You can separate multiple arguments using commas.
    • Timeout for the action.
    • The working directory for the script's execution.
    Notification actions
    Send Pop-Up Message

    Allows you to display a pop-up message on a device.

    • The name of the device on which you want to display the message.
    • The message to be displayed.
    Send Email

    Allows you to send an email message.

    • The recipient's email address.
    • The email subject and body.
    Send SMS

    Allows you to send an SMS message.

    • The recipient's mobile number.
    • The SMS content.
    Send SNMP Trap

    Allows you to send SNMP traps to the required destination.

    • Community.
    • Port number.
    • Enterprise OID.
    • SNMP Manager.
    • Message content.
    • Version.
    Active Directory actions
    Disable User

    Allows you to disable a user's account.

    The name of the user account you want to disable.
    Delete User

    Allows you to delete a user account.

    The name of the user account you want to delete.
    Disable Computer

    Allows you to disable a computer account.

    The name of the computer account you want to disable.
    Cisco ASA actions
    Add Inbound Rule

    Allows you to add an inbound rule.

    • The name of the firewall device.
    • The Interface name.
    • Source address.
    • Destination address.
    Add Outbound Rule

    Allows you to add an outbound rule.

    • The name of the firewall device.
    • The Interface name.
    • Source address.
    • Destination address.
    Miscellaneous actions
    Write to File

    Allows you to write a message to a file.

    • The name of the device on which the file is located.
    • The file name.
    • The absolute file path.
    • The text to be written to the file.
    • Select whether you would like to append to or overwrite a file if it already exists.
    CSV Lookup

    Allows you to search for values within a CSV file.

    • Upload the CSV file to be searched by clicking on Browse.
    • Specify the header or column number.
    • Select the field to be matched.
    Forward Logs

    Allows you to forward logs to the required destination.

    • Name of the destination server.
    • The protocol to be used.
    • Port number and standard.
    HTTP Request

    Allows you to send an HTTP request to a URL.

    • The URL to which you want to send the HTTP request.
    • Specify the method you want to use (Get or Post).
    • Add the required parameters.
    7. You can enter a brief description for each logic block to record its purpose in the workflow. This makes it easier for you to understand and edit the workflow later.
    8. Click on the Save button to create the workflow.

    To edit an existing workflow, click on the edit icon next to the workflow name on the Manage Workflow page.
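    The following is an added example, not part of the EventLog Analyzer documentation or product code: a small model of how the blocks above chain together, with a Decision branching on the status of the previous action and a Ping Device block retried a fixed number of times. Block names, status values, the device name and the stand-in actions are all constructed for illustration; nothing is contacted.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Status values are assumed for this example; the page does not name the real ones.
SUCCESS, FAILURE = "success", "failure"


@dataclass
class Block:
    name: str                              # e.g. "Ping Device", "Disable USB"
    action: Callable[[dict], bool]         # returns True when the action succeeds
    on_success: Optional[str] = None       # next block when this one succeeds
    on_failure: Optional[str] = None       # branch a Decision block takes on failure
    retries: int = 0                       # extra attempts, like Ping Device's retry count


def run_workflow(blocks: Dict[str, Block], start: str, alert: dict) -> List[Tuple[str, str]]:
    """Run blocks from `start`, branching on each action's status.
    Returns the history as (block name, status) pairs, like a workflow history."""
    history, current, visited = [], start, set()
    while current is not None:
        if current in visited:  # a block wired back to itself would never finish
            raise RuntimeError(f"workflow loops at block {current!r}")
        visited.add(current)
        block = blocks[current]
        # any() stops at the first successful attempt, so retries are only used on failure
        ok = any(block.action(alert) for _ in range(block.retries + 1))
        history.append((block.name, SUCCESS if ok else FAILURE))
        current = block.on_success if ok else block.on_failure
    return history


# Constructed stand-ins for the real actions: no device is pinged and no mail is sent.
REACHABLE = {"ws-finance-07"}
SENT_MAIL: List[str] = []

WORKFLOW = {
    "ping": Block("Ping Device", lambda a: a["device"] in REACHABLE,
                  on_success="usb", on_failure="mail_fail", retries=2),
    "usb": Block("Disable USB", lambda a: True, on_success="mail_ok"),
    "mail_ok": Block("Send Email", lambda a: SENT_MAIL.append(f"USB disabled on {a['device']}") is None),
    "mail_fail": Block("Send Email", lambda a: SENT_MAIL.append(f"{a['device']} unreachable") is None),
}


def respond(device: str) -> List[Tuple[str, str]]:
    """Entry point an alert profile would trigger; `device` is taken from the alert."""
    return run_workflow(WORKFLOW, "ping", {"device": device})
```

    The loop guard matters because the drag-and-drop canvas lets a block be wired back to an earlier one; a real engine needs an equivalent check or a maximum step count.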

    Managing workflows

    You can view and edit existing workflows in EventLog Analyzer by navigating to the Alerts tab and clicking on Workflow from the More tools icon. The Manage Workflows page displays the list of workflows, their descriptions, the number of alert profiles associated with each workflow, and their histories. You can enable or disable, delete, edit, and copy the workflows by clicking on the respective icons.

    Updating workflow credentials

    You can automate workflows on Windows, Linux, and Cisco devices for which you have administrative privileges. You have to update the credentials of these devices in EventLog Analyzer for seamless execution of the workflows.

    To automate workflows in Windows devices

    If the Windows devices have already been added to EventLog Analyzer, workflows can be executed using the devices' credentials or the domain credentials of the devices. So, you need not manually update credentials for Windows devices.

    To automate workflows in Linux devices

    You can configure a set of common credentials for executing workflows in all Linux devices by following the steps given below:

    • Click on the Workflow Credentials link present in the Manage Workflow page.
    • Click on the Edit link provided for Linux devices.
    • Enter the username, password, and port number.
    • Click on Update to store and use these credentials to execute workflows in all Linux devices.

    To automate workflows in Cisco devices

    You must configure the REST API agent in the Cisco firewall to execute workflows by following the steps given in this link. (The Cisco REST API supported versions are listed here).

    You can configure a set of common credentials for executing workflows in all Cisco devices using EventLog Analyzer by following the steps given below:

    • Click on the Workflow Credentials link present in the Manage Workflow page.
    • Click on the Edit link provided for Cisco devices.
    • Enter the username and password.
    • Click on Update to store and use these credentials to execute workflows in all Cisco devices.

    If the common credentials do not work for certain Cisco devices, you need to configure the credentials for those devices by following the steps given below:

    • Navigate to Settings → Configuration → Manage Devices → Syslog Devices.
    • Hover your mouse pointer near the device on which you want to execute workflows and click on the edit icon.
    • In the Update Device pop-up menu, click on Advanced.
    • Select the Configure REST API Credentials check box.
    • Enter a username and password.
    • Click on Verify Credential to send a REST API call to the Cisco device to verify if the credentials are valid.
    • Click on Update to store and use the specified credentials for executing workflows.