SecOps

SecOps is used for Incident Management

Pre-requisites to use SecOps and DNIF

Outbound access required for connectivity between DNIF Setup and SecOps

Protocol | Source IP | Source Port | Direction | Destination IP | Destination Port
--- | --- | --- | --- | --- | ---
TCP | DS (Data Store), CR (Correlator) | Any | Egress | SecOps_Domain | SecOps_PORT

Note

The above rule assumes that both request and response are enabled.

SecOps trigger plugin functions

Details of the functions that can be used with the SecOps trigger are given in this section.

create_ticket

This function pushes data present in the DNIF module into SecOps.

Input

  • Custom message to be pushed to SecOps as the short description. The message must be enclosed in double quotes ("").
  • Customer name

Example

_fetch * from event where $Duration=10d group count_unique $DevSrcIP
limit 1
>>_raise module test_karthik test_mod $DevSrcIP 5 1d
>>_trigger api secops create_ticket "DNIF_SecOPS Test Module _Name_ is
raised for Event _EvtName_ of Type _EvtType_", DNIFTESTCUSTOMER

Note

  • _Field_ is replaced with the actual value of $Field present in the data stack; for example, _EvtName_ is replaced by the value of $EvtName present in the stack.
  • DNIFTESTCUSTOMER is replaced with the actual name of the customer for whom the ticket is created.

  • For this integration, add the following tags to the respective modules, with the corresponding values as defined in SecOps:

    • Category: "Category":"<Value of Category as present in SecOps>"
    • SubCategory: "SubCategory":"<Value of SubCategory as present in SecOps>"
    • StageOfAttack: "StageOfAttack":"<Value of StageOfAttack as present in SecOps>"
    • Priority: "Priority":"<Value of Priority as present in SecOps>"
    • Impact: "Impact":"<Value of Impact as present in SecOps>"
  • To add tags to a module:

    • Select the package containing the module.
    • In the package, edit the module to which the tags are to be added.
    • Select Add tags.
    • Add the Category, SubCategory, StageOfAttack, Impact and Priority tags with their relevant values as present in SecOps.

Output

The output of the trigger call has the following structure (for the available data):

Field | Description
--- | ---
$SecOpsStatusCode | Returns the HTTP status code for the create incident call
$SecOpsStatus | Status message of the call: "Successfully created incident"
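The pieces above (the _Field_ substitution from the data stack, the five module tags SecOps expects, and the two output fields) fit together as follows. This is an added illustration, not DNIF's own plugin code; the ticket layout, the sample data stack values, the module tag values and the failure message for non-2xx responses are all assumptions made for the example.

```python
import re
from typing import Dict, List

# Tags the page requires on every module so SecOps can classify the ticket.
REQUIRED_TAGS = ("Category", "SubCategory", "StageOfAttack", "Priority", "Impact")

# A placeholder is a field name wrapped in single underscores, e.g. _EvtName_.
PLACEHOLDER = re.compile(r"_([A-Za-z][A-Za-z0-9]*)_")

# Constructed sample: the custom message from the page's example and a made-up
# data stack record as the query/_raise pipeline might leave it.
TEMPLATE = ("DNIF_SecOPS Test Module _Name_ is raised for Event _EvtName_ "
            "of Type _EvtType_")
STACK = {
    "$Name": "test_mod",
    "$EvtName": "Brute force login",
    "$EvtType": "Authentication",
    "$DevSrcIP": "192.0.2.10",   # TEST-NET address, constructed
}
MODULE_TAGS = {                   # constructed values, not SecOps' own list
    "Category": "Security",
    "SubCategory": "Brute Force",
    "StageOfAttack": "Initial Access",
    "Priority": "High",
    "Impact": "Medium",
}


def render_message(template: str, stack: Dict[str, str]) -> str:
    """Replace each _Field_ token with the value of $Field from the data stack.

    A token whose field is absent from the stack is left as-is, so a misspelt
    placeholder shows up verbatim in the ticket instead of vanishing silently.
    """
    return PLACEHOLDER.sub(lambda m: stack.get("$" + m.group(1), m.group(0)), template)


def missing_tags(module_tags: Dict[str, str]) -> List[str]:
    """Return the required SecOps tags the module does not carry (or left empty)."""
    return [tag for tag in REQUIRED_TAGS if not module_tags.get(tag)]


def build_ticket(template: str, customer: str, stack: Dict[str, str],
                 module_tags: Dict[str, str]) -> dict:
    """Assemble the ticket body the trigger would send (hypothetical layout)."""
    missing = missing_tags(module_tags)
    if missing:
        raise ValueError("module lacks SecOps tags: " + ", ".join(missing))
    ticket = {"short_description": render_message(template, stack),
              "customer": customer}
    ticket.update({tag: module_tags[tag] for tag in REQUIRED_TAGS})
    return ticket


def trigger_result(status_code: int) -> Dict[str, object]:
    """Map the HTTP status of the create call onto the two documented output fields.

    The failure text is an assumption; the page only documents the success text.
    """
    ok = 200 <= status_code < 300
    return {"$SecOpsStatusCode": status_code,
            "$SecOpsStatus": "Successfully created incident" if ok
                             else "Failed to create incident"}


if __name__ == "__main__":
    ticket = build_ticket(TEMPLATE, "DNIFTESTCUSTOMER", STACK, MODULE_TAGS)
    print(ticket["short_description"])
    print(trigger_result(201))
```

Refusing to build the ticket when a module lacks one of the five tags is the check worth keeping: a ticket created without Category or Priority lands in SecOps unclassified and is easy to lose in triage.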

Using the SecOps API and DNIF

Getting started with SecOps API and DNIF

  • Place secops.tar.gz in the /var/tmp location of the host machine.
  • Log in to your Data Store and Correlator containers (see ACCESS DNIF CONTAINER VIA SSH).
  • Copy the archive from /var/tmp to the trigger plugins folder using the command below:

    cp /var/tmp/secops.tar.gz /dnif/<D-Key>/trigger_plugins/

  • Move to the ‘/dnif/<D-Key>/trigger_plugins’ folder path:

    cd /dnif/<D-Key>/trigger_plugins/

  • Extract secops.tar.gz using the following command:

    tar -xvzf secops.tar.gz

  • Move to the ‘/dnif/<D-Key>/trigger_plugins/secops/’ folder path and edit the dnifconfig.yml configuration file.
  • Replace each <Add_your_secops_*> tag with your SecOps credentials:

trigger_plugin:
 SECOPS_USR: <Add_your_secops_user>
 SECOPS_PASS: <<Add_your_secops_pass>>
 https_proxy: <<Add_your_https_proxy details; if no proxy is used the value is Null>>
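A common failure after this step is a dnifconfig.yml that still carries one of the <Add_your_...> markers, or one left world-readable although it now holds the SecOps password. The checker below, an added example rather than part of the DNIF plugin, reads the two-level layout shown above and reports both problems; the filled-in sample values are made up, and the line-based reader is an assumption of its own, not a general YAML parser.

```python
import os
import re
import stat
from typing import List

# Any value still carrying the template's <Add_your_...> marker (single or
# double angle brackets, as in the shipped dnifconfig.yml).
PLACEHOLDER = re.compile(r"<+Add_your_[A-Za-z_]+[^>]*>+")

# Constructed samples: the file as shipped, and one filled in with made-up values.
SHIPPED_CONFIG = """\
trigger_plugin:
 SECOPS_USR: <Add_your_secops_user>
 SECOPS_PASS: <<Add_your_secops_pass>>
 https_proxy: <<Add_your_https_proxy details if no proxy is used the value is Null>>
"""
FILLED_CONFIG = """\
trigger_plugin:
 SECOPS_USR: dnif-secops-svc
 SECOPS_PASS: example-not-a-real-secret
 https_proxy: Null
"""


def check_config_text(text: str) -> List[str]:
    """Report keys under trigger_plugin that are still placeholders or empty.

    Deliberately small line-based reader for the two-level layout on the page,
    not a YAML parser. 'Null' for https_proxy is accepted, since the page says
    that is the value to use when no proxy exists.
    """
    findings: List[str] = []
    in_section = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw[0].isspace():            # top-level key such as trigger_plugin:
            in_section = raw.strip() == "trigger_plugin:"
            continue
        if not in_section:
            continue
        key, _, value = raw.strip().partition(":")
        value = value.strip()
        if PLACEHOLDER.search(value):
            findings.append(f"line {lineno}: {key} still holds the template placeholder")
        elif not value:
            findings.append(f"line {lineno}: {key} is empty")
    return findings


def insecure_mode(mode: int) -> bool:
    """True when group or others have any access to the file holding the credentials."""
    return bool(stat.S_IMODE(mode) & (stat.S_IRWXG | stat.S_IRWXO))


def check_config_file(path: str) -> List[str]:
    """Run the content check on a real file and also flag loose permissions."""
    with open(path, encoding="utf-8") as fh:
        findings = check_config_text(fh.read())
    mode = os.stat(path).st_mode
    if insecure_mode(mode):
        findings.append(f"{path}: mode {oct(stat.S_IMODE(mode))} exposes the SecOps password; use 0600")
    return findings


if __name__ == "__main__":
    for name, text in (("shipped", SHIPPED_CONFIG), ("filled", FILLED_CONFIG)):
        print(name, check_config_text(text) or "OK")
```

Run check_config_file('/dnif/<D-Key>/trigger_plugins/secops/dnifconfig.yml') inside the container after editing; an empty list means no marker survived and the file is readable only by its owner.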
