Processing Stormshield XDR incidents with SLS

When an incident is detected, an XDR alert is raised. If the automatic activation of playbooks has been enabled, SLS will then apply automatic responses to the alert on Stormshield products. Playbooks can also be manually activated. The status of these incidents can be tracked in several ways:

  • From the SLS dashboard: you can import a dedicated XDR dashboard by going to Settings > Knowledge base > Dashboards > Import, selecting the file dashboardtab.xdr.X.Y.Z-YYMMa.pak from the scenario package (the file follows the same naming system as the scenario package itself), and then clicking on Activate,

    WARNING
    The dashboard belongs to the account that imported it, and it is the only account that is allowed to access the dashboard. We strongly recommend that you share the dashboard with SLS user groups, by clicking on the small arrow to enable sharing.

  • In e-mail notifications if you have enabled notifications in your configuration,

  • In the SLS Incident tab.

Manually activating playbooks

By default, Stormshield XDR will suggest playbooks to be manually activated. To activate them:

  1. Go to Playbooks > Monitoring.

  2. Click on the Runtime icon of a playbook that has the status Waiting for approval.

  3. Click on the red triangle at the bottom left.

  4. Click on Continue if you wish to trigger the playbook.

You can view the results of each stage by clicking on the Runtime icon again.

For more information, refer to the SOAR configuration guide and the SLS Playbook guide.

Automatically activating playbooks

In automatic activations, Automation/XDR-Alarm-Trigger is indicated in the Initiated by column. The name of the user who created the trigger is indicated in the Run as column. Whenever a playbook is activated, you will be informed by a pop-up window in the SLS web interface.