SecOps is used for Incident Management
Pre-requisites to use SecOps and DNIF
Outbound access required for connectivity between DNIF Setup and SecOps
| Protocol | Source IP | Source Port | Direction | Destination IP | Destination Port |
|---|---|---|---|---|---|

The above rule assumes that both request and response are enabled.
SecOps trigger plugin functions
Details of the function that can be used with the SecOps trigger are given in this section.
This function pushes data present in the DNIF module into SecOps.
Custom message to be pushed to SecOps as the short description.
The message must be enclosed in double quotes ("").
_fetch * from event where $Duration=10d group count_unique $DevSrcIP limit 1 >>_raise module test_karthik test_mod $DevSrcIP 5 1d >>_trigger api secops create_ticket "DNIF_SecOPS Test Module _Name_ is raised for Event _EvtName_ of Type _EvtType_", DNIFTESTCUSTOMER
Each `_Field_` placeholder is replaced with the actual value of $Field present in the data stack; for example, `_EvtName_` is replaced by the value of $EvtName present in the stack.
DNIFTESTCUSTOMER is replaced with the actual name of the customer for whom the ticket is created.
For this integration the following tags must be added to the respective modules, with their corresponding values as defined in SecOps:
- Category: "Category":"<Value of Category as present in SecOps>"
- SubCategory: "SubCategory":"<Value of SubCategory as present in SecOps>"
- StageOfAttack: "StageOfAttack":"<Value of StageOfAttack as present in SecOps>"
- Priority: "Priority":"<Value of Priority as present in SecOps>"
- Impact: "Impact":"<Value of Impact as present in SecOps>"
To add tags to a module:
- Select the package containing the module.
- In the package, edit the module to which the tags are to be added.
- Select "Add tags".
- Add the Category, SubCategory, StageOfAttack, Impact and Priority tags with the relevant values present in SecOps.
The output of the trigger call has the following structure (for the available data):

| Field | Description |
|---|---|
| $SecOpsStatusCode | Returns the HTTP status code of the create incident call |
| $SecOpsStatus | Successfully created incident |
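The following is an added example, not code from the DNIF SecOps plugin itself. It shows the steps described above end to end: the `create_ticket` argument is split into the quoted message and the customer name, `_Field_` placeholders are rendered from one data-stack row, the five module tags are attached to the ticket, and the HTTP result of the create-incident call is mapped onto `$SecOpsStatusCode` and `$SecOpsStatus`. The function names, the failure status text and the sample row and tag values are assumptions constructed for the example; placeholders that do not match any field are left in the text and reported rather than silently blanked.

```python
"""Added example, not DNIF's own plugin code: parses the create_ticket trigger
argument, renders _Field_ placeholders from a data-stack row, attaches the
module tags SecOps expects, and maps the HTTP result onto the two output
fields. Function names and the sample data are assumptions / constructed."""
import re
from typing import Any, Dict, List, Tuple

# Argument form on the page:  "<message>", <customer>   (message must be quoted)
_TRIGGER_ARG_RE = re.compile(r'^\s*"(?P<msg>[^"]*)"\s*,\s*(?P<customer>\S+)\s*$')
# Placeholders such as _Name_, _EvtName_, _EvtType_ refer to $Name, $EvtName, $EvtType
_PLACEHOLDER_RE = re.compile(r"_([A-Za-z][A-Za-z0-9]*)_")
# Tags the module must carry (their values must exist in SecOps)
REQUIRED_TAGS = ("Category", "SubCategory", "StageOfAttack", "Priority", "Impact")


def parse_trigger_args(arg_text: str) -> Tuple[str, str]:
    """Return (message, customer) from the text after 'create_ticket'."""
    m = _TRIGGER_ARG_RE.match(arg_text)
    if m is None:
        raise ValueError('create_ticket expects "<message>", <customer>')
    return m.group("msg"), m.group("customer")


def render_short_description(template: str, row: Dict[str, Any]) -> Tuple[str, List[str]]:
    """Replace each _Field_ with the value of $Field from the row.
    Placeholders with no matching field are left untouched and reported,
    so a typo in the trigger shows up in the ticket instead of a blank."""
    unresolved: List[str] = []

    def _sub(m: "re.Match[str]") -> str:
        name = m.group(1)
        value = row.get(name)
        if value is None:
            unresolved.append(name)
            return m.group(0)
        return str(value)

    return _PLACEHOLDER_RE.sub(_sub, template), unresolved


def build_ticket_payload(short_description: str, customer: str,
                         module_tags: Dict[str, str]) -> Dict[str, Any]:
    """Assemble the fields pushed to SecOps; every required tag must be present."""
    missing = [t for t in REQUIRED_TAGS if not module_tags.get(t)]
    if missing:
        raise ValueError(f"module is missing SecOps tags: {', '.join(missing)}")
    payload: Dict[str, Any] = {"short_description": short_description, "customer": customer}
    payload.update({t: module_tags[t] for t in REQUIRED_TAGS})
    return payload


def trigger_output(http_status: int) -> Dict[str, Any]:
    """Map the create-incident HTTP status onto the trigger's output fields.
    The success text is the one on the page; the failure text is an assumption."""
    ok = 200 <= http_status < 300
    return {
        "$SecOpsStatusCode": http_status,
        "$SecOpsStatus": "Successfully created incident" if ok else "Failed to create incident",
    }


# Constructed sample data (not from the page): one data-stack row and module tags
SAMPLE_ROW = {"Name": "test_mod", "EvtName": "Failed Login", "EvtType": "Authentication",
              "DevSrcIP": "10.0.0.5"}
SAMPLE_TAGS = {"Category": "Security", "SubCategory": "Authentication",
               "StageOfAttack": "Initial Access", "Priority": "High", "Impact": "Medium"}
TRIGGER_ARGS = ('"DNIF_SecOPS Test Module _Name_ is raised for Event _EvtName_ '
                'of Type _EvtType_", DNIFTESTCUSTOMER')


def demo() -> Dict[str, Any]:
    """Run the full path once on the constructed sample."""
    msg, customer = parse_trigger_args(TRIGGER_ARGS)
    text, unresolved = render_short_description(msg, SAMPLE_ROW)
    payload = build_ticket_payload(text, customer, SAMPLE_TAGS)
    payload["unresolved_placeholders"] = unresolved
    return payload


if __name__ == "__main__":
    print(demo())
```

Note that `DNIF_SecOPS` in the message is not treated as a placeholder, because a placeholder needs both a leading and a trailing underscore around a single field name; only `_Name_`, `_EvtName_` and `_EvtType_` are substituted.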
Using the SecOps API and DNIF
Getting started with SecOps API and DNIF
- Place the secops.tar.gz in the /var/tmp location of the host machine.
- Log in to your Data Store and Correlator containers (see: Access DNIF container via SSH).
- Copy the file on the server from /var/tmp to the relevant location using the command below:
cp /var/tmp/secops.tar.gz /dnif/<D-Key>/trigger_plugins/
- Move to the ‘/dnif/<D-Key>/trigger_plugins’ folder path.
- Extract secops.tar.gz using the following command:
tar -xvzf secops.tar.gz
- Move to the ‘/dnif/<D-Key>/trigger_plugins/secops/’ folder path and edit the dnifconfig.yml configuration file.
- Replace each <Add_your_secops_*> tag with your SecOps credentials:
trigger_plugin:
  SECOPS_USR: <Add_your_secops_user>
  SECOPS_PASS: <Add_your_secops_pass>
  https_proxy: <Add_your_https_proxy details; if no proxy is used the value is Null>
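As an added example (not part of the DNIF plugin), the check below reads the `trigger_plugin` section of a dnifconfig.yml and reports keys that are missing, still hold an `<Add_your_...>` placeholder, or are empty, and resolves the `Null` convention for `https_proxy`. The key names are the ones from the configuration above; the function names and the two sample files are assumptions constructed for the example. It uses a small line-based reader rather than PyYAML so that it runs without extra packages.

```python
"""Added example, not part of the DNIF plugin: sanity-check the trigger_plugin
section of dnifconfig.yml before enabling the SecOps trigger. Key names come
from the documented file; function names and sample files are constructed."""
import re
from typing import Dict, List, Optional

# Placeholders the shipped file uses, e.g. <Add_your_secops_user> or <<Add_your_secops_pass>>
_PLACEHOLDER_RE = re.compile(r"^<+Add_your_.*>+$")
REQUIRED_KEYS = ("SECOPS_USR", "SECOPS_PASS", "https_proxy")


def parse_trigger_plugin(yaml_text: str) -> Dict[str, str]:
    """Minimal reader for the flat 'trigger_plugin:' mapping (no PyYAML needed).
    Only ' #' starts a comment, so a '#' inside a password survives."""
    section: Dict[str, str] = {}
    in_section = False
    for raw in yaml_text.splitlines():
        if raw.lstrip().startswith("#"):
            continue
        line = re.sub(r"\s#.*$", "", raw).rstrip()
        if not line.strip():
            continue
        if not line.startswith(" "):          # top-level key: are we entering our section?
            in_section = line.strip() == "trigger_plugin:"
            continue
        if in_section and ":" in line:
            key, value = line.strip().split(":", 1)
            section[key.strip()] = value.strip().strip("'\"")
    return section


def check_trigger_plugin(yaml_text: str) -> List[str]:
    """Return a list of problems; an empty list means the section is usable."""
    cfg = parse_trigger_plugin(yaml_text)
    problems: List[str] = []
    for key in REQUIRED_KEYS:
        if key not in cfg:
            problems.append(f"{key} is missing")
        elif _PLACEHOLDER_RE.match(cfg[key]):
            problems.append(f"{key} still holds the placeholder {cfg[key]}")
    for key in ("SECOPS_USR", "SECOPS_PASS"):
        if key in cfg and not cfg[key]:
            problems.append(f"{key} is empty")
    return problems


def effective_proxy(yaml_text: str) -> Optional[str]:
    """'Null' (any case), '~' or an empty value means no proxy; otherwise the proxy URL."""
    value = parse_trigger_plugin(yaml_text).get("https_proxy", "")
    return None if value.lower() in ("", "null", "~") else value


# Constructed sample files (not from the page): the shipped template and a filled-in copy
SHIPPED_CONFIG = """\
trigger_plugin:
  SECOPS_USR: <Add_your_secops_user>
  SECOPS_PASS: <<Add_your_secops_pass>>
  https_proxy: <<Add_your_https_proxy details if no proxy is used the value is Null>>
"""
FILLED_CONFIG = """\
# dnifconfig.yml (constructed sample)
trigger_plugin:
  SECOPS_USR: dnif_svc
  SECOPS_PASS: "s3cr3t#pass"   # quoted value with a hash inside
  https_proxy: Null
"""

if __name__ == "__main__":
    for name, text in (("shipped", SHIPPED_CONFIG), ("filled", FILLED_CONFIG)):
        print(name, check_trigger_plugin(text) or "OK", "proxy:", effective_proxy(text))
```

Because this file carries the SecOps password in clear text, restrict its read permissions to the account the plugin runs as once the placeholders are filled in.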