Configuring SLS

SLS embeds a Security Orchestration, Automation and Response (SOAR) engine, with which automatic responses to some incidents can be configured. It is disabled by default. To enable it:
- Go to Settings > System Settings > General.
- Select Enable SOAR in SLS.
- Click on Save.
You will then need a SOAR license:
- Contact Stormshield and provide your hardware key. This key can be found in Settings > System Settings > Licenses.
- Once you have obtained the license, click on Upload Licence on the same page.
- Select SOAR.
- Click on Browse and select your license.
- Accept the terms of the end user license agreement.
- Click on Submit.
For more information on enabling SOAR, refer to the SLS SOAR quickstart guide.

To import the SOAR package, named soar.xdr.X.Y.Z-YYMMa.zip (the same naming scheme as the scenario package itself), from the scenario package, go to Settings > SOAR Settings > Import/Backup and click on Upload New File.
This package contains the configuration of playbooks, triggers and all SOAR settings, such as instances and their templates.
For more information on configuring SOAR, refer to the SLS SOAR configuration guide.

NOTE
After the Stormshield SOAR package is imported into SLS, default instances will be available for SNS, SMC and SES. To locate them, go to Settings > SOAR Settings > Playbook Integrations and search for SNS, SMC or SES in the search bar. Edit values by clicking on them. New instances can also be created from templates.
Creating SNS instances
- In Settings > SOAR Settings > Playbook Integrations > Manage integrations, click on the Stormshield Network Security template.
- Indicate the following parameters:
  - username_base64: SNS administrator's user name in base64,
  - password_base64: SNS administrator's password in base64,
  - fqdn: FQDN or IP address of the SNS instance,
  - port: default SNS listening port.
NOTE
The SNS administrator account entered in these fields must hold read and write privileges on filter rules and objects. Base64 is an encoding, not encryption: anyone who can read the integration settings can recover the password, so prefer a dedicated administrator account restricted to these privileges over the main SNS administrator account.
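The two base64 fields above are a frequent source of silent failures: piping the secret through `echo` encodes a trailing newline, so the value that reaches SNS is not the account name or password that was configured. The helper below is an added example, not Stormshield's code; the account name and password in it are constructed for the demonstration. It encodes the values the way the SLS fields expect (no trailing newline, no line wrapping) and re-encodes the plaintext to confirm a pasted value matches.

```shell
# Added example, not Stormshield's code: build the username_base64 and
# password_base64 values for an SNS playbook integration. SLS expects the
# plain base64 of the raw string, with no trailing newline and no line
# wrapping. `echo "$secret" | base64` appends "\n" before encoding, which
# yields a different value (YWRtaW4K instead of YWRtaW4= for "admin"), so
# SNS rejects the login.

# Encode the argument byte for byte: printf adds nothing, tr strips the
# line breaks that some base64 implementations insert every 76 characters.
sns_b64() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Verify that an encoded value corresponds to the intended plaintext by
# re-encoding the plaintext and comparing. Decoding and comparing instead
# would miss the stray-newline case, because $(...) strips trailing newlines.
sns_b64_check() {
    [ "$(sns_b64 "$1")" = "$2" ]
}

# Constructed sample credentials. Base64 is an encoding, not encryption:
# anyone who can read the integration settings recovers the password, so
# use a dedicated SNS account limited to filter rules and objects.
user_b64=$(sns_b64 'soar-operator')
pass_b64=$(sns_b64 'S0ar!Passw0rd')
sns_b64_check 'soar-operator' "$user_b64" && echo "username_base64=$user_b64"
sns_b64_check 'S0ar!Passw0rd' "$pass_b64" && echo "password_base64=$pass_b64"
```

Paste the printed values into the username_base64 and password_base64 fields. If a value was produced elsewhere, run `sns_b64_check '<plaintext>' '<value>'` before saving the instance.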
Creating SMC instances
- In Settings > SOAR Settings > Playbook Integrations > Manage integrations, click on the Stormshield Management Center template.
- Indicate the following parameters:
  - api_key: SMC API key,
  - fqdn: FQDN of the SMC instance.
Creating SES instances
- In Settings > SOAR Settings > Playbook Integrations > Manage integrations, click on the Stormshield Endpoint Security template.
- Indicate the following parameters:
  - api_key: SES API key,
  - fqdn: FQDN of the SES backend.

In Settings > Configuration > Normalization policies, select the stormshield policy.
Ensure that StormshieldCompiledNormalizer and StormshieldEndpointSecurityNormalizer have been selected in the right side of the Compiled normalizer.
Click on Submit.

- Go to Settings > Configuration > Enrichment Source.
- If there are files from an earlier version of the scenario package that have the same names as the files you are about to import, delete the older files by clicking on the bin icon.
- Click on Add.
- Select CSV from the menu on the left.
- Enter SES_Alllogs in the Name field and select semicolon-separated in the Delimiter field.
- Click on Browse, select the file SES_AllLogs.csv from the scenario package, and click on Upload.
- Click on Save.
- Repeat the process for the SNS_Alarms.csv file, entering SNS_Alarms in the Name field.
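An enrichment source imported with the wrong delimiter does not fail loudly: the whole line becomes a single column and the alert rules simply stop matching. The check below is an added example, not part of the scenario package; the CSV content it creates is constructed for the demonstration. It confirms, before the upload, that a file really is semicolon-separated and that every line has the same number of fields as the header.

```shell
# Added example, not Stormshield's code: pre-flight check for an enrichment
# CSV that will be uploaded with Delimiter = semicolon-separated.
# The check ignores quoting, so a field that itself contains ';' inside
# quotes is reported as an extra field.

# Return 0 when the header has at least two ';'-separated fields and every
# following line has the same field count; otherwise report and return 1.
check_csv_delim() {
    awk -F';' '
        NR == 1 {
            cols = NF
            if (cols < 2) {
                print "line 1: only one field, is the file really semicolon-separated?"
                bad = 1
                exit
            }
            next
        }
        NF != cols {
            printf "line %d: %d fields, header has %d\n", NR, NF, cols
            bad = 1
        }
        END { exit bad }
    ' "$1"
}

# Constructed sample in the expected layout; the real SES_AllLogs.csv and
# SNS_Alarms.csv come from the scenario package.
tmp=$(mktemp)
printf 'alarm_id;name;severity\n1;XDR Alarm - Wiper detection;high\n' > "$tmp"
check_csv_delim "$tmp" && echo "ok: $tmp is consistently semicolon-separated"
rm -f "$tmp"
```

Run it as `check_csv_delim SES_AllLogs.csv` on the files extracted from the scenario package; a comma-separated file, or a line with a missing field, is reported with its line number.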

- Go to Settings > Knowledge Base > Lists and Tables.
- Select Tables from the drop-down menu on the top left side and click on Add.
- Create a table entitled THREATS_TABLE with entries having a lifetime of 30 minutes, then click on Save.
- Create a table entitled THREATS_TABLE_12H with entries having a lifetime of 12 hours, then click on Save.
- Create a table entitled TRIGGERED_ALARMS_TABLE with entries having a lifetime of 30 minutes, then click on Save.
- Create a table entitled HOSTS_TABLE with entries having a lifetime of 12 hours, then click on Save.

- Go to Settings > Knowledge Base > Macros.
- If there are files from an earlier version of the scenario package that have the same names as the files you are about to import, delete the older files by clicking on the bin icon.
- Click on Import.
- Import the file macros.xdr.xxx.pak from the scenario package.
- Click on Submit.

- Go to Settings > Knowledge Base > Alert Rules and click on Import.
- Import the file alertrules.xdr.xxx.pak from the scenario package.
- You can click on the bell to enable notifications. For more information, refer to the section Creating Incident from Alert Rule in the SLS alerts and incidents guide.
- Click on Submit.
WARNING
Alert rules belong to the account that imported them, and that account is the only one allowed to view the incidents arising from these rules. We strongly recommend sharing these rules with SLS user groups by clicking on the small arrow to enable sharing; otherwise analysts logged in with other accounts will not see the incidents, and the playbooks will not be suggested to them.
Imported rules can be seen in the My rules section, which can be accessed from the drop-down list at the top of the page.
Incidents will now appear in the Incident menu when alert rules are triggered.

The SOAR engine relies on lists of pre-programmed actions executed in reaction to events, known as playbooks. When an incident occurs, SLS suggests running a playbook in response to it. Playbooks are run manually by default, but they can be automated: go to Playbooks > Triggers and enable XDR-Alarm-Trigger. Before enabling the trigger, run the playbooks manually on a few representative incidents: once automated, a false positive on a rule whose playbook blocks a source IP address or isolates a workstation acts on the firewall or endpoint without any human review. The list of playbooks can be accessed by clicking on the Playbooks button in the menu on the left. For more information on playbooks and how to use them with SLS, refer to the SLS Playbook guide.
When you imported the package soar.xdr.X.Y.Z-YYMMa.zip, the playbooks and sub-playbooks in the table below were created automatically in SLS. When an incident occurs, the playbook XDR - Alarms hub is always the first to run; it then calls the playbook whose name matches the SLS alert rule that was triggered.
Some playbooks are in fact sub-playbooks called by another playbook (see the table of descriptions below). Keep this in mind whenever you edit or create your own playbooks.
Playbook descriptions
Name | Called up by | Action | Input parameters | Called up SOAR actions | Called up sub-playbook |
---|---|---|---|---|---|
XDR - Alarms hub | Trigger "XDR-Alarm-Trigger" | Calls up the playbook matching the alarm name | start_time, end_time, query, rows_count, name, incident_id | Depending on the name of the alarm | |
XDR Alarm - Compromised database | Incident alarm "XDR Alarm - Compromised database" (via XDR - Alarms hub) | Blocks Internet access to the targeted host | start_time, end_time, query, rows_count, incident_id | | Sub - SNS block internet access to IP address |
XDR Alarm - Compromised host with dropper from USB key | Incident alarm "XDR Alarm - Compromised host with dropper from USB key" (via XDR - Alarms hub) | Blocks Internet access to the targeted host, and kills the process | start_time, end_time, query, rows_count, incident_id | endpoint-process-termination | Sub - SNS block internet access to IP address |
XDR Alarm - Malicious file execution | Incident alarm "XDR Alarm - Malicious file execution" (via XDR - Alarms hub) | Quarantines the file, kills the process, and isolates the workstation from the network | start_time, end_time, query, rows_count, incident_id | endpoint-file-quarantine, endpoint-process-termination | Sub - SES Network Isolation |
XDR Alarm - Connection to a suspicious URL | Incident alarm "XDR Alarm - Connection to a suspicious URL" (via XDR - Alarms hub) | Blocks the source IP address of the attack | start_time, end_time, query, rows_count, incident_id | | Sub - SNS authentication, Sub - SNS block IP address |
XDR Alarm - Ransomware activity | Incident alarm "XDR Alarm - Ransomware activity" (via XDR - Alarms hub) | Isolates the workstation from the network, and restores files that were encrypted by the ransomware | start_time, end_time, query, rows_count, incident_id | | Sub - SES Network Isolation, Sub - SES Ransomware files restoration |
XDR Alarm - Security incident alert | Incident alarm "XDR Alarm - Security incident alert" (via XDR - Alarms hub) | Blocks the source IP address of the attack | start_time, end_time, query, rows_count, incident_id | | Sub - SNS authentication, Sub - SNS block IP address |
XDR Alarm - Web site defacement | Incident alarm "XDR Alarm - Web site defacement" (via XDR - Alarms hub) | Blocks the source IP address of the attack | start_time, end_time, query, rows_count, incident_id | | Sub - SNS authentication, Sub - SNS block IP address |
XDR Alarm - Windows logs deletion | Incident alarm "XDR Alarm - Windows logs deletion" (via XDR - Alarms hub) | Kills the process, and isolates the workstation from the network | start_time, end_time, query, rows_count, incident_id | endpoint-process-termination | Sub - SES Network Isolation |
XDR Alarm - Wiper detection | Incident alarm "XDR Alarm - Wiper detection" (via XDR - Alarms hub) | Quarantines the file, kills the process, and isolates the workstation from the network | start_time, end_time, query, rows_count, incident_id | endpoint-file-quarantine, endpoint-process-termination | Sub - SES Network Isolation |
XDR Alarm - internal discover with exploit | Incident alarm "XDR Alarm - internal discover with exploit" (via XDR - Alarms hub) | Blocks the source IP address of the attack | start_time, end_time, query, rows_count, incident_id | | Sub - SMC block IP address |
Description of sub-playbooks
Name | Action | Input parameters | Called up SOAR actions | Comments |
---|---|---|---|---|
Sub - SES Network Isolation | Isolates the workstation from the network through SES Evolution | agent_guid | endpoint-network-isolation | |
Sub - SES Ransomware files restoration | Restores the files that were encrypted by the ransomware | agent_guid | endpoint-ransomware-files-restoration | |
Sub - SNS authentication | Authenticates with SNS over HTTPS and returns the session for later use by the other SNS sub-playbooks | agent_guid, file_list_path | sns-auth-get-session-cookie, sns-auth-get-session-id | |
Sub - SNS block IP address | Adds the IP address to the list of IP addresses that XDR blocks in SNS | ip_to_block, session_id, cookie, incident_id | sns-send-command | The playbook adds the IP address to be blocked to the group XDR_IP_blocked (see Creating the object groups XDR_IP_blocked and XDR_internet_blocked_IP). Source and destination rules must already be set for this group on the SNS firewall(s); the playbook only updates the group, it does not create rules. |
Sub - SNS block internet access to IP address | Adds the IP address to the list of IP addresses whose outgoing Internet connections XDR blocks in SNS | ip_to_block, session_id, cookie, incident_id | sns-send-command (x9) | The playbook adds the IP address to be blocked to the group XDR_internet_blocked_IP (see Creating the object groups XDR_IP_blocked and XDR_internet_blocked_IP). Source, destination and Internet rules must already be set for this group on the SNS firewall(s). |
Sub - SMC block IP address | Adds the IP address to the list of IP addresses that XDR blocks in SMC | ip_to_block, incident_id | get-all-objects, create-group-objects, create-ip-object, update-object | The playbook adds the IP address to be blocked to the group XDR_IP_blocked (see Creating the object groups XDR_IP_blocked and XDR_internet_blocked_IP). Source and destination rules must already be set for this group in SMC. |
Sub - SMC block internet access to IP address | Adds the IP address to the list of IP addresses whose outgoing Internet connections XDR blocks in SMC | ip_to_block, incident_id | get-all-objects, create-group-objects, create-ip-object, update-object | The playbook adds the IP address to be blocked to the group XDR_internet_blocked_IP (see Creating the object groups XDR_IP_blocked and XDR_internet_blocked_IP). Source, destination and Internet rules must already be set for this group in SMC. |