CYBERQUEST includes an automation module that can be triggered to perform mitigation and other actions. Actions can be grouped together into a "playbook", which represents the flow of actions that must be performed to mitigate a given situation. Playbooks are added / removed graphically. In order to work correctly, each action requires:
- Input data (parameters)
When editing an individual action in the playbook, the user fills in all the inputs required to run that action successfully. The parameters are dynamic: their values are calculated at playbook run time. When debugging playbooks (see the Troubleshooting section), use the "Execution History" section to find out exactly which values went into the execution of a specific action.
Playbook execution can be triggered in multiple ways:
- Automatic: as a direct result of a specific alert. Each time the alert is generated, the playbook is triggered automatically. The current alert instance becomes the global playbook inputData and can be referenced in the playbook through placeholders.
To execute a playbook automatically for a specific alert, go to Settings > Alerts > Realtime, open Has Action and choose the PlayBooks.PLAYBOOK parameter:
- Manual from event browser: an interactive GUI click on a specific Event:
- Manual from alert browser: an interactive GUI click on a specific Alert:
Please refer to the "Management / Playbooks" section for adding / editing mitigation flows.
The types of actions are:
- Specific to technologies / vendors
Specific technologies / vendors
CYBERQUEST integrates an ever-expanding list of technology vendors in order to automate certain aspects of day-to-day mitigation and / or security administration. The list is enriched automatically with every new update, bringing more vendors / actions to the mitigation workflow.
Vendors usually offer API integration with their own products; complete API documentation is available on their websites. The list of vendors / actions already implemented is available in the "Supported vendors" section.
In order to better orchestrate the mitigation response, CYBERQUEST provides several generic "actions" which help customize the response. They are found under the "CYBERQUEST Playbook" vendor:
- IF: tests a given condition. The result is boolean and splits the flow into a true branch and a false branch.
- Count: counts the elements of a given variable. The variable must be an array; otherwise execution is interrupted.
- Code: executes a DTS object that has already been predefined.
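The following toy model, added here as an illustration and not CYBERQUEST's own engine or code, shows how the pieces described above fit together at run time: the triggering alert becomes inputData, each action's parameters are resolved from placeholders only when the step runs, IF routes the flow to a true or false branch, Count interrupts the run when its input is not an array, and an execution history records the values every action actually received, which is what you would inspect when troubleshooting. The `{{path}}` placeholder syntax, the step layout, the `results.<step>` convention and the stand-in for a predefined DTS object are all assumptions of this example, and the alert is constructed sample data.

```python
"""Toy model of a playbook run (added illustration, not the product's engine).
Assumptions: {{dotted.path}} placeholders resolved against inputData, step
results exposed as {{results.<step id>}}, DTS objects modelled as callables."""
import operator
import re
from typing import Any

PLACEHOLDER = re.compile(r"\{\{\s*([\w.]+)\s*\}\}")


class PlaybookInterrupted(Exception):
    """Raised by an action that cannot continue (e.g. Count on a non-array)."""


def lookup(data: dict, path: str) -> Any:
    """Resolve a dotted path such as 'alert.source_ips' inside inputData."""
    cur: Any = data
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            raise PlaybookInterrupted(f"unknown placeholder {path!r}")
        cur = cur[part]
    return cur


def resolve(value: Any, data: dict) -> Any:
    """Substitute placeholders in one parameter. A parameter that is exactly one
    placeholder keeps the referenced object's type (arrays stay arrays); text
    with embedded placeholders gets plain string substitution."""
    if not isinstance(value, str):
        return value
    whole = PLACEHOLDER.fullmatch(value.strip())
    if whole:
        return lookup(data, whole.group(1))
    return PLACEHOLDER.sub(lambda m: str(lookup(data, m.group(1))), value)


# Stand-ins for predefined DTS objects run by the Code action (assumption:
# modelled as plain callables that receive the run's inputData).
DTS_OBJECTS = {
    "block_source_ips": lambda data: {"blocked": list(data["alert"]["source_ips"])},
}

OPS = {"==": operator.eq, "!=": operator.ne, ">": operator.gt, "<": operator.lt,
       "in": lambda a, b: a in b}


def action_if(params: dict, data: dict) -> bool:
    return bool(OPS[params["op"]](params["left"], params["right"]))


def action_count(params: dict, data: dict) -> int:
    value = params["value"]
    if not isinstance(value, list):  # Count requires an array, else interrupt
        raise PlaybookInterrupted(
            f"Count expects an array, got {type(value).__name__}: {value!r}")
    return len(value)


def action_code(params: dict, data: dict) -> Any:
    return DTS_OBJECTS[params["dts"]](data)


ACTIONS = {"IF": action_if, "Count": action_count, "Code": action_code}


def run_playbook(playbook: dict, start: str, input_data: dict):
    """Run steps from `start`. A step is {"action", "params", "next"}; an IF
    step has "on_true"/"on_false" instead of "next" (None ends the flow).
    Returns (status, history); history holds the resolved params per step."""
    data = {**input_data, "results": {}}
    history = []
    step_id = start
    while step_id is not None:
        step = playbook[step_id]
        entry = {"step": step_id, "action": step["action"], "params": None,
                 "result": None, "error": None}
        history.append(entry)
        try:
            params = {k: resolve(v, data) for k, v in step["params"].items()}
            entry["params"] = params  # exactly what the action received
            result = ACTIONS[step["action"]](params, data)
        except PlaybookInterrupted as exc:
            entry["error"] = str(exc)
            return "interrupted", history
        entry["result"] = result
        data["results"][step_id] = result
        if step["action"] == "IF":
            step_id = step["on_true"] if result else step["on_false"]
        else:
            step_id = step.get("next")
    return "completed", history


# Constructed sample alert; it becomes the run's global inputData.
SAMPLE_ALERT = {"alert": {"name": "SSH brute force", "severity": 8,
                          "source_ips": ["10.0.0.5", "10.0.0.9"]}}

PLAYBOOK = {
    "count_ips": {"action": "Count", "params": {"value": "{{alert.source_ips}}"},
                  "next": "many_sources"},
    "many_sources": {"action": "IF",
                     "params": {"left": "{{results.count_ips}}", "op": ">", "right": 1},
                     "on_true": "block", "on_false": None},
    "block": {"action": "Code", "params": {"dts": "block_source_ips"}, "next": None},
}

# Same flow with a misconfigured Count that points at a string, not an array.
BROKEN_PLAYBOOK = {**PLAYBOOK,
                   "count_ips": {"action": "Count", "params": {"value": "{{alert.name}}"},
                                 "next": "many_sources"}}

if __name__ == "__main__":
    for name, pb in (("good", PLAYBOOK), ("broken", BROKEN_PLAYBOOK)):
        status, history = run_playbook(pb, "count_ips", SAMPLE_ALERT)
        print(name, status)
        for entry in history:
            print("  ", entry)
```

Running the script shows the point of the execution history: in the broken run the Count step's recorded params are `{"value": "SSH brute force"}`, so the operator can see at a glance that the placeholder resolved to a string rather than the intended array, instead of guessing from the playbook definition alone.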