Response Procedure Configuration
Overview
The Response Procedure configuration panel lets you define an automated response to a correlated event. Each Response Procedure can be assigned to one or more Correlation Rules, and can contain and execute one or more of the following responses:
| Action | Description |
|---|---|
| Alert | Visually shows the alert in the alert views within the User Interface. |
| Email | An email is sent to the recipient addresses containing the Policy and Correlation Rule details that were triggered, together with any data extracted from the correlated event. |
| Control | Executes the selected Control Script as a result of the correlated event. Data from the correlated event is passed to the script as well. These scripts can be used as run-books and/or for automated remediation. |
| Forward | Forwards the correlated event to another Arbitrator Correlation platform. |
Create a Response Procedure
To create a response procedure:
1. Click the “Calendar” icon at the top of the Configuration panel.
2. Click the plus icon in the bottom left of the Response Procedure name panel. A box opens where you enter the name of your response procedure.
The panel to the right is divided into two sections:
- Response Procedure Details – the section where you add the elements defined in the table above.
- Do Not Run Windows – lets you define dates and times during which you do not want the system to take the actions within the Response Procedure.
Assign an Alert to a Response Procedure
To assign the Alert function to a response procedure:
1. Click the Alert check box in the top left of the Response Procedure Details panel.
2. If the system you are configuring is intended to be the redundant platform, also tick the Disable on Failover box so that all data continues to flow but no actions are taken.
Delete a Response Procedure
To delete a Response Procedure:
1. Click the box next to the Response Procedure name.
2. Click the minus icon at the bottom of the Response Procedure name panel.
3. Click the Save icon to save your changes.
Enable ServiceNow Integration
1. Navigate to Configuration (cog icon) on the Arbitrator.
2. Navigate to Control and click + to enter a new control.
3. In the Name text box enter ServiceNow.
4. Uncheck Custom.
5. Fill in the following details:
   - Select Category: ServiceNow
   - Select Script: PushToServiceNow
   - Service Now IP Address / Hostname:
   - Service Now Username:
   - Service Now Password:
6. Tick the blue tick box.
7. Click Save.
8. Navigate to the Response Procedure Configuration menu.
9. Apply the control to the required IRP, such as the default IRP.
ServiceNow One Way Incident Integration
When the Correlation Platform detects a new incident, a response procedure sends the event into ServiceNow using the ServiceNow API. Incident Response Procedures (IRPs) are defined per incident, so you can choose which events are sent to ServiceNow based on severity, type, threshold, or other criteria. When the IRP runs, it creates an event, populates the following fields and sends it to ServiceNow:
- short description: Arbitrator Policy, Rule and Reference_Id
- description: full message from Arbitrator
- severity: severity
- urgency: based on severity
- impact: based on severity
- category: software
- comments: full message from Arbitrator
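The field mapping above, as an added example in Python rather than the page's own PushToServiceNow.pl script. The severity-to-urgency/impact table and the SOAP incident namespace are assumptions, and the sample event is constructed; the point for a defender is that the "full message from Arbitrator" is attacker-influenced text, so it is placed into the SOAP insert through an XML builder, never by string concatenation, so it cannot alter the request structure.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a correlated event (policy, rule, reference id,
# severity, full message); not a real capture from an Arbitrator.
SAMPLE_EVENT = {
    "policy": "Lateral Movement",
    "rule": "SMB fan-out from internal host",
    "reference_id": "REF-0001",
    "severity": "High",
    "message": "10.0.0.5 reached 120 hosts on tcp/445 in 60s <raw>&</raw>",
}

# Assumed mapping of Arbitrator severity to ServiceNow urgency/impact
# (1 = high, 3 = low); the page only says "based on severity".
SEVERITY_MAP = {"critical": 1, "high": 1, "medium": 2, "low": 3}

REQUIRED = ("policy", "rule", "reference_id", "severity", "message")


def build_incident_fields(event):
    """Map a correlated event onto the incident fields the page lists."""
    for key in REQUIRED:
        if not event.get(key):
            raise ValueError(f"event missing required field: {key}")
    level = str(SEVERITY_MAP.get(event["severity"].lower(), 3))
    return {
        "short_description": f"{event['policy']}, {event['rule']} and {event['reference_id']}",
        "description": event["message"],
        "severity": level,
        "urgency": level,
        "impact": level,
        "category": "software",
        "comments": event["message"],
    }


SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SN_NS = "http://www.service-now.com/incident"  # assumed incident table namespace
ET.register_namespace("soapenv", SOAP_NS)
ET.register_namespace("inc", SN_NS)


def build_soap_insert(fields):
    """Build the SOAP insert envelope; ElementTree escapes <, > and & in
    field values, so event text cannot inject extra elements."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    insert = ET.SubElement(body, f"{{{SN_NS}}}insert")
    for name, value in fields.items():
        ET.SubElement(insert, f"{{{SN_NS}}}{name}").text = value
    return ET.tostring(env, encoding="unicode")
```

The resulting envelope is what the control script would POST to the ServiceNow incident SOAP endpoint over HTTPS, authenticating with the configured username and password via HTTP basic auth.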
ServiceNow Requirements
- ServiceNow URL
- ServiceNow User with SOAP API rights to insert Incidents
- ServiceNow Password
Arbitrator Correlation Configuration
Version Required: 4.0001-15b
Script: servicenow/PushToServiceNow.pl
Parameters:
- URL_TO_SERVICENOW_INSTANCE
- USERNAME
- PASSWORD