Playbook Configuration - User Guide - 2 - Cortex XPANSE - Cortex - Security Operations

Cortex Xpanse Expander User Guide

Product: Cortex XPANSE
Version: 2
Creation date: 2024-03-28
Last date published: 2024-05-24
Category: User Guide
Solution: Cloud
Abstract

Customize the email and ticket notifications generated by the Active Response playbook.

You can customize the following notifications and information sent by the Active Response playbook:

  • The subject and body text of email or ticket notifications sent by the playbook to potential service owners.

  • The subject and body text of email or ticket notifications sent to the service owner after an alert was resolved by automated remediation.

  • The Jira project key that will be associated with any Jira tickets created by the playbook.

In addition to specifying the text to include in notifications, you can also include system variables. Variables let you insert alert-specific information (alert name, remediation outcome, service owner contact, and so on) that your organization uses in its workflow.

Customizing the playbook notifications is optional. If you do not customize the notifications, the playbook will use the default text and formats described in Active Response Templates.

Customize the Active Response Playbook Notifications

The following steps explain how to customize the Active Response playbook notifications. All of these fields use plain text. See Supported Variables in Active Response Notifications for the list of variables that can be used in notifications.

  1. Navigate to Automation > Playbook Configuration.

  2. In the Email/Ticketing Notification Subject field, enter the text to be used in the subject field of emails and ticketing notifications sent to service owners.

  3. In the Email/Ticketing Notification Body field, enter the text to be used in the body of emails or ticket notifications sent by the playbook to potential service owners.

  4. In the Automated Remediation Subject field, enter the text to be used in the subject field of email and ticketing notifications sent to service owners after remediation.

  5. In the Automated Remediation Body field, enter the text to be used in the body of email or ticket notifications sent by the playbook to service owners after remediation.

  6. In the Jira Project Key field, enter the Jira project key to be used for any tickets created or updated by the playbook.
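Because the fields above accept only plain text plus ${...} variables, a typo in a variable name or a reference to a value that is absent for a given alert (for example, a service owner with an email but no name) silently ends up in the notification. The following Python script is an added example, not part of this guide or of the Cortex Xpanse product: it previews a subject and body template against a locally constructed alert, reports placeholders that are not in the documented variable list, and flags placeholders that resolve to no value. The exact substitution rules of the Active Response playbook are not described on this page, so the renderer's behaviour (dotted-path lookup, unresolved placeholders left verbatim) and the alert structure are assumptions for the preview only.

```python
import re
from typing import Any, Mapping

# Matches ${...} placeholders as written in the Supported Variables list,
# including dotted paths (${alert.asmserviceowner.email}) and the one
# documented name that contains a space (${Remediation Guidance}).
VAR_PATTERN = re.compile(r"\$\{([^}]+)\}")

# Variable names copied from the Supported Variables list on this page.
SUPPORTED_VARIABLES = {
    "alert.asmattacksurfacerulecategory",
    "alert.name",
    "alert.details",
    "alert.asmremediation.action",
    "alert.asmremediation.outcome",
    "alert.asmserviceowner.name",
    "alert.asmserviceowner.email",
    "alert.asmserviceowner.source",
    "Remediation Guidance",
}

# Constructed sample alert shaped after the example values on this page.
# The nesting is an assumption for this preview, not a real Xpanse export.
# The service owner deliberately has an email but no name, which the page
# says can happen ("Either name or email will be present").
SAMPLE_ALERT: dict[str, Any] = {
    "name": "RDP Server at 203.0.113.10",
    "details": "Remote Desktop Protocol (RDP) servers provide remote access to a computer.",
    "asmattacksurfacerulecategory": "Remote Access Services",
    "asmremediation": {"action": "Closed service port from internet.", "outcome": "Success"},
    "asmserviceowner": {"name": None, "email": "jsmith@xpanse.com", "source": "AWS"},
}

SAMPLE_GUIDANCE = "Do not expose RDP to the internet; restrict it to trusted local networks."


def unsupported_placeholders(template: str) -> list[str]:
    """Return placeholder names in the template that are not documented variables."""
    names = [m.group(1).strip() for m in VAR_PATTERN.finditer(template)]
    return [n for n in names if n not in SUPPORTED_VARIABLES]


def lookup(context: Mapping[str, Any], path: str) -> Any:
    """Resolve a dotted path such as 'alert.asmremediation.outcome' against nested mappings."""
    current: Any = context
    for part in path.split("."):
        if not isinstance(current, Mapping) or part not in current:
            return None
        current = current[part]
    return current


def render(template: str, context: Mapping[str, Any]) -> tuple[str, list[str]]:
    """Substitute every ${...} placeholder.

    Returns the rendered text and the names of placeholders that had no value.
    Unresolved placeholders are left verbatim so the gap is visible in the preview.
    """
    unresolved: list[str] = []

    def substitute(match: re.Match) -> str:
        name = match.group(1).strip()
        value = lookup(context, name)
        if value is None:
            unresolved.append(name)
            return match.group(0)
        return str(value)

    return VAR_PATTERN.sub(substitute, template), unresolved


def preview(subject_tpl: str, body_tpl: str, alert: Mapping[str, Any], guidance: str) -> dict[str, Any]:
    """Render both templates and collect every problem a reviewer should fix before saving."""
    context = {"alert": alert, "Remediation Guidance": guidance}
    subject, missing_subject = render(subject_tpl, context)
    body, missing_body = render(body_tpl, context)
    return {
        "subject": subject,
        "body": body,
        "unsupported": unsupported_placeholders(subject_tpl) + unsupported_placeholders(body_tpl),
        "unresolved": missing_subject + missing_body,
    }


if __name__ == "__main__":
    # Constructed templates: the body greets the owner by name only, which
    # breaks for the sample alert, and the subject contains a typo.
    result = preview(
        "[Xpanse] ${alert.asmattacksurfacerulecategory}: ${alert.nam}",
        "Hello ${alert.asmserviceowner.name},\n\n${alert.details}\n\n${Remediation Guidance}",
        SAMPLE_ALERT,
        SAMPLE_GUIDANCE,
    )
    print(result["subject"])
    print("unsupported:", result["unsupported"])
    print("unresolved:", result["unresolved"])
```

A template that passes this preview with an empty `unsupported` list and an empty `unresolved` list for alerts both with and without an owner name is safe to paste into the fields above. In practice that means including both ${alert.asmserviceowner.name} and ${alert.asmserviceowner.email} in the body rather than relying on either one alone.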

Supported Variables in Active Response Notifications
Abstract

Use variables in custom Active Response email and ticketing notifications to generate notifications with alert-specific information.

The following system variables can be used in the body of Active Response email and ticketing notifications. Copy the value from the Variable Name field (including the $) and paste it into your custom notification.

Variable Name: ${alert.asmattacksurfacerulecategory}
Description: Category associated with the Attack Surface Rule
Example: Remote Access Services

Variable Name: ${alert.name}
Description: Name of the ASM alert
Example: RDP Server at x.x.x.x

Variable Name: ${alert.details}
Description: Details related to the ASM alert
Example: Remote Desktop Protocol (RDP) servers provide remote access to a computer over a network connection. Externally accessible RDP servers pose a significant security risk as they are frequent targets for attackers and can be vulnerable to a variety of documented exploits.

Variable Name: ${alert.asmremediation.action}
Description: Summary of the remediation action that was taken
Example: Closed service port from internet.

Variable Name: ${alert.asmremediation.outcome}
Description: Summary of the outcome of the remediation action
Example: Success

Variable Name: ${alert.asmserviceowner.name}
Description: Name of the service owner. Either name or email will be present, so include both variables if the notification must always identify the owner.
Example: John Smith

Variable Name: ${alert.asmserviceowner.email}
Description: Email of the service owner.
Example: jsmith@xpanse.com

Variable Name: ${alert.asmserviceowner.source}
Description: Source in which the service owner was found, based on data from integrations
Example: AWS

Variable Name: ${Remediation Guidance}
Description: Guidance for remediation of the ASM alert
Example: Recommendations to reduce the likelihood of malicious RDP attempts are as follows:

  • Best practice is to not have RDP publicly accessible on the internet and instead only on trusted local networks.