
What are Tasks?

Automation is one of the strongest features of NormShield. Time is a key criterion for information security specialists, and the time they spend on manual work should be minimized so that the skilled output of these rarely-found-in-companies specialists is maximized.

NormShield has the ability to automate a huge range of the administrative and notification tasks for vulnerabilities, compliance controls and alarms. 

Administrators may want to;

  • Open Tickets to a certain user or user group or
  • Get notified by email
  • Change the status of the vulnerability/controls/alarms

when a certain type of event occurs. Therefore, a task consists of three parts: sources, actions and filters.

  • Sources are the vulnerabilities, alarms and compliance controls that exist and change in the NormShield ecosystem; they are the objects a task operates on.
  • Actions answer the when and what questions for a task, such as "when a new vulnerability is found, open a ticket to a certain group" or "when the status of an existing compliance control changes, send e-mail to the corresponding asset owners".
  • Filters are a list of criteria that make actions more granular, such as "vulnerabilities with Urgent and Critical severities" or "alarms that are related to the SSL Grading NormShield service".

Hence, actions and filters vary according to the source selected: the actions and filters available when the source is a vulnerability differ from those available when the source is an alarm.

Already defined tasks can be updated or deleted with the related icons in the tabular task list, which is reached through the Admin->Tasks sub menu shown in Figure 1.

Figure 1 - List of existing tasks of a selected company

To create an automated task, open the interface through the Admin->Tasks sub menu and click the New Task button. The dialog is shown in Figure 2.

Figure 2 - Creating a new automated task interface for vulnerabilities

The action and filter parts change according to the source selected, as explained before:

  • Task Name should be given as an appropriate name for the new task
  • Task Source should be one of vulnerability, alarm or control

Vulnerability Related Task

Let's assume that vulnerability is selected as the source, as shown in Figure 2. There are three options for the action part:

  • Trigger: Includes the "When New Vulnerability", "When Status Changed" and "When Detected in a Scan" options. The first two are self-explanatory; the third should be selected when the action must be triggered every time a unique vulnerability instance is found in recurring scans, not only the first time it appears.
  • Action Type: Includes the "Open Ticket to User/Group", "Change Status", "Alert with SMS", "Alert with E-Mail", "Alert Me with SMS", "Alert Me with E-mail" and "Mail To Asset Owners" options.
  • Naturally, every "Action Type" has a different third option. For example, when "Alert with SMS" is selected as the action type, the third input area becomes the SMS number to which the short message should be sent.

Filters for the vulnerability source are shown in Figure 2. Let's go over each of them:

  • Severity: One or more vulnerability severities (Urgent, Critical, etc.) for matching
  • Responsible: One or more responsible types (Developer, Network Administrators, Database Administrators, etc.) for matching
  • Asset OS: One or more asset OS types (Unix, Windows, etc.) for matching
  • Scanner Source: One or more scanner sources defined in NormShield for matching
  • Risk: A range of NS Risk Score.
  • Patch Date: The date of the patch (if it exists and comes from a vulnerability scanner source) for the vulnerabilities filtered
  • Asset: One or more assets for matching
  • Asset FQDN: The hostname or DNS name of an asset for matching
  • Exclude Labels: Decides how the provided asset labels are applied: when set, assets carrying the selected labels are excluded; otherwise only assets carrying them are included
  • Asset Label: One or more asset labels for matching (applied according to the Exclude Labels setting)
  • Vulnerability Category (Vuln. Cat.): One or more vulnerability categories

Compliance Control Related Task

Now let's assume that control is selected as the source, as shown in Figure 3.

Figure 3 - Creating a new automated task interface for compliance controls

There are three options for the action part:

  • Trigger: Includes the "When New Control", "When Status Changed" and "When Detected in a Scan" options. The first two are self-explanatory; the third should be selected when the action must be triggered every time a unique control instance is found in recurring scans, not only the first time it appears.
  • Action Type: Includes the "Open Ticket to User/Group", "Change Status", "Alert with SMS", "Alert with E-Mail", "Alert Me with SMS", "Alert Me with E-mail" and "Mail To Asset Owners" options.
  • Naturally, every "Action Type" has a different third option. For example, when "Alert with SMS" is selected as the action type, the third input area becomes the SMS number that should be alerted.

Filters for the control source are shown in Figure 3. Let's go over each of them:

  • Asset OS: One or more asset OS types for matching
  • Asset: One or more assets for matching
  • Asset FQDN: The hostname or DNS name of an asset for matching
  • Exclude Labels: Decides how the provided asset labels are applied: when set, assets carrying the selected labels are excluded; otherwise only assets carrying them are included
  • Asset Label: One or more asset labels for matching (applied according to the Exclude Labels setting)
  • Standard: One or more standards that the controls belong to, such as NIST-800-53 or PCI-DSS
  • Group Name: One or more standard control group names that the control belongs to, such as Access Control or Audit and Accountability for the standard "NIST-800-53"
  • Short Name: One or more control short names, such as AC-1 or AC-2 under the "Access Control" group of the standard "NIST-800-53"

Alarm Related Task

Although NormShield On-Premise versions provide a small number of alarm types, NormShield Cloud provides a huge range of possible alarm types, including the intelligence and SOC Radar related ones. Now let's assume that alarm is selected as the source, as shown in Figure 4.

Figure 4 - Creating a new automated task interface for alarms

There are three options for the action part:

  • Trigger: Includes only the "When New Alarm Inserted" option.
  • Action Type: Includes the "Change Status", "Alert with SMS", "Alert with E-Mail", "Alert Me with SMS" and "Alert Me with E-mail" options.
  • Every "Action Type" has a different third option. For example, when "Alert with SMS" is selected as the action type, the third input area becomes the SMS number that should be alerted.

Filters for the alarm source are shown in Figure 4. Let's go over each of them:

  • Service: Alarms are grouped into services in NormShield, such as "CPM-SSL Grading" or "CTI-Data Leakage". Not every service is defined in NormShield On-Premise versions.
  • Type: One or more alarm types defined under the selected Service, such as "Data Leakage - IP Address" when "CTI-Data Leakage" is selected above.
  • Priority: One or more alarm priorities for matching. Alarms have priorities just like vulnerabilities have severities.
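The three sections above describe the same pattern with different filter sets: a task fires only when the event's source and trigger match, every selected multi-value filter contains the event's value, a risk range contains the event's score, and the asset labels are applied as an inclusion or an exclusion depending on Exclude Labels. The following Python model is an added example written for this article; it is not NormShield's own code and does not call any NormShield API. Task and event field names (severity, asset_os, risk, asset_label, exclude_labels, service, type, priority) mirror the filter names listed above, and all tasks and events are constructed sample data.

```python
"""Constructed model of source + trigger + action + filters task evaluation.

Illustrative example for this article, not NormShield's implementation.
All task definitions and events below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Any

# Multi-select filters: the event's value must be one of the selected values.
MULTI_SELECT_FILTERS = (
    "severity", "responsible", "asset_os", "scanner_source", "asset",
    "asset_fqdn", "vuln_category",                      # vulnerability source
    "standard", "group_name", "short_name",             # control source
    "service", "type", "priority",                      # alarm source
)


@dataclass
class Task:
    name: str
    source: str                 # "vulnerability", "control" or "alarm"
    trigger: str                # e.g. "When New Vulnerability"
    action_type: str            # e.g. "Open Ticket to User/Group"
    action_target: str          # the third option: group, e-mail address, SMS number
    filters: dict[str, Any] = field(default_factory=dict)


def labels_match(event_labels: list[str], wanted: list[str] | None, exclude: bool) -> bool:
    """Apply the Asset Label filter under the Exclude Labels setting.

    With exclude=False the asset must carry at least one selected label;
    with exclude=True the asset must carry none of them.
    An empty label filter never restricts the match.
    """
    if not wanted:
        return True
    hit = bool(set(event_labels) & set(wanted))
    return not hit if exclude else hit


def matches(task: Task, event: dict[str, Any]) -> bool:
    """Return True when the event satisfies the task's source, trigger and filters."""
    if event["source"] != task.source or event["trigger"] != task.trigger:
        return False
    f = task.filters
    for key in MULTI_SELECT_FILTERS:
        wanted = f.get(key)
        if wanted and event.get(key) not in wanted:
            return False
    if "risk" in f:                                     # inclusive [low, high] range
        low, high = f["risk"]
        if not low <= event.get("risk", float("-inf")) <= high:
            return False
    return labels_match(event.get("labels", []), f.get("asset_label"),
                        bool(f.get("exclude_labels", False)))


def run_tasks(tasks: list[Task], event: dict[str, Any]) -> list[tuple[str, str, str]]:
    """Return (task name, action type, action target) for every task that fires."""
    return [(t.name, t.action_type, t.action_target) for t in tasks if matches(t, event)]


# --- constructed sample tasks ------------------------------------------------
SAMPLE_TASKS = [
    Task("Ticket critical Unix vulnerabilities", "vulnerability", "When New Vulnerability",
         "Open Ticket to User/Group", "linux-admins",
         filters={"severity": ["Urgent", "Critical"], "asset_os": ["Unix"],
                  "risk": (7.0, 10.0), "asset_label": ["decommissioned"],
                  "exclude_labels": True}),
    Task("Mail SSL grading alarms", "alarm", "When New Alarm Inserted",
         "Alert with E-Mail", "soc@example.com",
         filters={"service": ["CPM-SSL Grading"]}),
]

# --- constructed sample events -----------------------------------------------
VULN_PRODUCTION = {"source": "vulnerability", "trigger": "When New Vulnerability",
                   "severity": "Critical", "asset_os": "Unix", "risk": 8.5,
                   "labels": ["production"]}
VULN_DECOMMISSIONED = dict(VULN_PRODUCTION, labels=["decommissioned"])
VULN_STATUS_CHANGE = dict(VULN_PRODUCTION, trigger="When Status Changed")
SSL_ALARM = {"source": "alarm", "trigger": "When New Alarm Inserted",
             "service": "CPM-SSL Grading", "type": "SSL Grade Dropped", "priority": "High"}
LEAK_ALARM = dict(SSL_ALARM, service="CTI-Data Leakage", type="Data Leakage - IP Address")

if __name__ == "__main__":
    for ev in (VULN_PRODUCTION, VULN_DECOMMISSIONED, VULN_STATUS_CHANGE, SSL_ALARM, LEAK_ALARM):
        print(ev["source"], ev["trigger"], "->", run_tasks(SAMPLE_TASKS, ev))
```

Running the module shows that the production vulnerability opens the ticket, the same finding on a "decommissioned" asset is dropped by the exclusion filter, a status-change event for that vulnerability is ignored because the trigger differs, and only the SSL grading alarm reaches the e-mail action. Modelling the Exclude Labels toggle as a single boolean applied to one label list keeps the two behaviours the filter description names (exclusion vs. inclusion) in one place, which is also where a test for it belongs.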
