Home

Related Products
ADManager Plus

Active Directory Management & Reporting
Download | Demo
ADAudit Plus

Real-time Active Directory Auditing and UBA
Download | Demo
ADSelfService Plus

Self-Service Password Management
Download | Demo
Exchange Reporter Plus

Exchange Server Auditing & Reporting
Download | Demo
AD360

Integrated Identity & Access Management
Download | Demo
Log360

Comprehensive SIEM and UEBA
Download | Demo

Click here to expand

Incident workflow management

You can mitigate security incidents in your network before they result in a breach by automating response workflows when alerts are triggered. EventLog Analyzer allows you to create workflows to automatically perform actions such as disabling USB ports, shutting down systems, and changing firewall rules when security incidents are detected.

Steps to create a workflow

In EventLog Analyzer, click on the Alerts tab.
Click on the More tools icon present at the top-right corner of the page.
Click on Workflow to open the Manage Workflow page and click on the +Create Workflow button.
Enter a name for the workflow in the Workflow Name field.
Click on the Description link next to the Workflow Name field to enter an appropriate description for the workflow.
Create a workflow by dragging and dropping the workflow blocks from the left pane into the space provided. Ensure that these blocks are logically arranged to execute an event in your infrastructure.

EventLog Analyzer contains multiple workflow blocks to help you configure workflows to perform the required actions. The logic blocks are categorized under different sections.

The list of workflow blocks and the details to be specified while configuring workflows using them are given below:

Logic blocks	Details to be specified
Logic actions
Decision Allows you to branch the workflow based on the status of the previous action.
Time Delay Allows you to introduce a time delay in the execution of the workflow.	The time delay in minutes.
Network actions
Ping Device Allows you to ping a device within your network to check connectivity	The name of the device to be pinged. Number of echo request messages to be sent. Size of the packet to be sent. Timeout for the action. Number of action retries within the specified time.
Trace Route Allows you to run a trace route function to a device in your network to identify the path.	The name of the device you wish to trace the route to. The maximum number of hops. Timeout for the action.
Process actions
Test Process Allows you to test whether a process is running on a device.	The name of the device on which you want to test the process. The process you want to test. ExecutablePath and CommandLine to execute the process.
Start Process Allows you to start a process on a device	The name of the device on which you want to start a process. The process working directory. The command to start the process.
Stop Process Allows you to stop a process on a device.	The name of the device on which you want to stop the process. The process you want to stop. ExecutablePath and CommandLine to execute the process.
Service actions
Test Service Allows you to test whether a service is running on a device.	The name of the device on which you want to test the service. The service you want to test
Start Service Allows you to start a service on a device.	The name of the device on which you wish to start a service. The service to be started.
Stop Service Allows you to stop a service on a device.	The name of the device on which you wish to stop a service. The service to be stopped
Windows actions
Log Off Allows you to log off from the currently active session on a device.	The name of the device you want to log off from. Select whether you'd like to force this action.
Shut Down System Allows you to shut down a Windows device.	The name of the device to be shut down. Select whether you'd like to force this action.
Restart System Allows you to restart a Windows device.	The name of the device to be restarted. Select whether you'd like to force this action.
Execute Windows Script Allows you to execute a specified script file on a Windows device.	The name of the device on which you want to execute the script file. The type of script file. Upload the script file to be executed. Arguments to the script, if any. You can separate multiple arguments using commas. Timeout for the action. The working directory for the script's execution.
Disable USB Allows you to disable the USB port on a device.	The name of the device on which you want to disable the USB port.
Linux actions
Shut Down Linux Allows you to shut down a Linux device.	The name of the device to be shut down. Select whether you'd like to force this action.
Restart Linux Allows you to restart a Linux device.	The name of the device to be restarted. Select whether you'd like to force this action.
Execute Linux Script Allows you to execute a specified script file on a Linux device.	The name of the device on which you want to execute the script file. The type of script file. Upload the script file to be executed. Arguments to the script, if any. You can separate multiple arguments using commas. Timeout for the action. The working directory for the script's execution.
Notification actions
Send Pop-Up Message Allows you to display a pop-up message on a device.	The name of the device on which you want to display the message. The message to be displayed.
Send Email Allows you to send an email message.	The recipient's email address. The email subject and body.
Send SMS Allows you to send an SMS message.	The recipient's mobile number. The SMS content.
Send SNMP Trap Allows you to send SNMP traps to the required destination.	Community. Port number. Enterprise OID. SNMP Manager. Message content. Version.
Active Directory actions
Disable User Allows you to disable a user's account.	The name of the user account you want to disable.
Delete User Allows you to delete a user account.	The name of the user account you want to delete.
Disable Computer Allows you to disable a computer account.	The name of the computer account you want to disable
Firewall Actions
Cisco ASA Deny Inbound Rule Allows you to add an deny inbound rule.	The name of the firewall device. The Interface name. Source address. Destination address.
Cisco ASA Deny Outbound Rule Allows you to add an deny outbound rule.	The name of the firewall device. The Interface name. Source address. Destination address.
Fortigate Deny Access Rule Allows you to add an deny access rule.	Name of the firewall device. Source address. Destination address. Name of the source interface. Name of the destination interface.
PaloAlto Deny Access Rule Allows you to add an deny access rule.	Name of the firewall device. Source address. Destination address. Name of the source zone. Name of the destination zone. Type of Rule (Universal, Intrazone or Interzone).
SophosXG Deny Access Rule Allows you to add an deny access rule.	Name of the firewall device. Source address. Destination address.
Barracuda CloudGen Deny Access Rule Allows you to add an deny access rule.	Name of the firewall device. Source address. Destination address. Name of the source interface. Name of the destination interface. Type of Rule (Inbound or Outbound).
Miscellaneous actions
Write to File Allows you to write a message to a file	The name of the device on which the file is located. The file name. The absolute file path. The text to be written to the file. Select whether you would like to append to or overwrite a file if it already exists.
CSV Lookup Allows you to search for values within a CSV file.	Upload the CSV file to perform by clicking on "Browse". Specify the header or column number. Select the field to be matched.
Forward Logs Allows you to forward logs to the required destination.	Name of the destination server. The protocol to be used. Port number and standard.
HTTP Request Allows you to send an HTTP request to a URL.	The URL to which you want to send an HTTP request to. Specify the Method you want to use (Get or Post). Add the required parameters.

You can enter a brief description for each logic block to record its purpose in the workflow. This makes it easier for you to understand and edit the workflow later.
Click on the Save button to create the workflow.

To edit an existing workflow you can click on the edit icon present against the workflow name in the Manage Workflow page.

Managing workflows

You can view and edit existing workflows in EventLog Analyzer by navigating to the Alerts tab and clicking on Workflow from the More tools icon. The Manage Workflows page displays the list of workflows, their descriptions, the number of alert profiles associated with each workflow, and their histories. You can enable or disable, delete, edit, and copy the workflows by clicking on the respective icons.

Updating workflow credentials

You can automate workflows on Windows, Linux, and Cisco devices for which you have administrative privileges. You have to update credentials of these devices in EventLog

Analyzer for seamless execution of the workflows.

To automate workflows in Windows devices:

If the Windows devices have already been added to EventLog Analyzer, workflows can be executed by using the devices credentials or the domain credentials of the devices. So, you need not manually update credentials for Windows devices.

To automate workflows in Linux devices

You can configure a set of common credentials for executing workflows in all Linux devices by following the steps given below:

Click on the Workflow Credentials link present in the Manage Workflow page.
Select credential type as Linux Devices.
Enter the username, password, and port number.
Click on Update to store and use these credentials to execute workflows in all Linux devices.

To automate workflows in Cisco devices

You must configure the REST API agent in the Cisco firewall to execute workflows by following the steps given in this link. (The Cisco REST API supported versions are listed here).

You can configure a set of common credentials for executing workflows in all Cisco devices using EventLog Analyzer by following the steps given below:

Click on the Workflow Credentials link present in the Manage Workflow page.
Select credential type as Cisco Devices.
Enter the username and password.
Click on Update to store and use these credentials to execute workflows in all Cisco devices.

If the common credentials do not work for certain Cisco Devices, you need to configure the credentials for those devices by following the steps given below:

Navigate to Settings → Configuration → Manage Devices → Syslog Devices.
Hover your mouse pointer near the device on which you want to execute workflows and click on the edit icon.
In the Update Device pop-up menu, click on Advanced.
Select the Configure REST API Credentials check box.
Enter a username and password.
Click on Verify Credential to send a REST API call to the Cisco device to verify if the credentials are valid.
Click on Update to store and use the specified credentials for executing workflows.

To automate workflows in Fortigate devices

In order to generate an API token to execute workflows in Fortigate devices, you need to create a new REST API Admin using the steps given below:

Step-1: Create Administrator profile

Navigate to System from the sections listed on the left in the dashboard.
Click on the Admin Profiles under the System section.
Click the Create icon to start creating a new admin profile.
You will see the New Admin Profile window open up.
Enter an appropriate name for your admin profile.
Select access control permissions for different functionalities between None, Read, Read/Write or Custom.
Select Read/Write for both Policy and Address options under Firewall Option.
Click OK to create your new admin profile

Step-2: Create a REST API Admin and generate an API key

Navigate to System from the sections listed on the left in the dashboard.
Select Administrators under System section.
Click on the Create New icon.
Select REST API Admin option.
You will see the New REST API Admin window open up.
Enter an appropriate username for your REST API admin profile.
Select your previously created Administrator Profile from the drop down menu.
Click on OK to confirm your New REST API Admin.
Once you are done with this process, the system will automatically generate a new API key, which will be displayed only once.
Copy the generated API key before shutting it down.

Note: In case you lose your newly generated API key, you can go back to the Administrator section and click on the Regenerate icon.

After this process, You can configure a set of common credentials for executing workflows in all Fortigate devices using EventLog Analyzer by following the steps given below:

Click on the Workflow Credentials present on the top-right corner of the Manage Workflow page.
Select credential type as Fortigate Devices.
Enter the generated API key along with the Username in the workflow credentials page.
Click on Update to store and use these credentials to execute workflows in all Fortigate devices.

To automate workflows in PaloAlto devices

To execute workflows successfully, API access should be enabled by following the steps given here. Please note that the required permissions for the user under XML API are:

Configuration
Operational Requests
Commit

You can configure a set of common credentials for executing workflows in all PaloAlto devices by following the steps given below:

Click on Workflow Credentials on the top-right corner of the Manage Workflow page.
Select credential type as PaloAlto Devices.
Enter the created administrator Username/Password.
Click on Update to store and use these credentials to execute workflows in all PaloAlto devices.

To automate workflows in SophosXG devices

You must configure the encrypted password to execute workflows of SophosXG devices to to execute workflows in them. First, generate the encrypted password using the steps given in the links below:

Step 1: Create an Administrator Profile.

Step 2: Create an Administrator.

Step 3: Allow API Access.

Step 4: Generate Encrypted password.

After generating the encrypted password, you can configure a set of common credentials for executing workflows in all SophosXG devices by following the steps given below:

Click on the Workflow Credentials present on the top-right corner of the Manage Workflow page.
Select credential type as SophosXG Devices.
Enter the encrypted password along with the Username in the workflow credentials page.
Click on Update to store and use these credentials to execute workflows in all SophosXG devices.

To automate workflows in Barracuda CloudGen devices

In order to execute workflows in Barracuda CloudGen devices, you need to create an X-API Token using the steps given below:

Step 1: Enable the REST API for HTTPS.

Step 2: Create an Administrator Profile for REST API authentication.

Step 3: Create an X-API Token for authentication.

After finishing the process, you can configure a set of common credentials for executing workflows in all Barracuda CloudGen devices by following the steps given below:

Click on the Workflow Credentials present on the top-right corner of the Manage Workflow page.
Select credential type as Barracuda CloudGen Devices
Enter the generated Access Token along with the Username in the workflow credentials page.
Click on Update to store and use these credentials to execute workflows in all Barracuda CloudGen devices.

Help Document