Orchestration and automation


Integrations

Alertflex provides orchestration and automation functions for several third-party applications. The system integrates the next open-source projects: Cuckoo Sandbox, MISP, TheHive, JIRA, ElasticStack, Graylog, OWASP Zap, Nmap, etc. For sending notifications about alerts from Alertflex, the user can use SMS service Twilio, Slack, email. All integrations (except MISP) can be done via Alertflex console web-form.

../_images/integrations.png

Initial integration with MISP is performed during of installation the Alertflex controller. See MISP specific parameters in env.sh file. Alertlex controller does a direct JDBC query to a MISP database to find matching IOC. After installation, a user must enable the IOC check operations by select of checkbox in MISP menu (see web-form above). Parameters URL and Key are used by Alertflex for creating a new IOC attribute via MISP REST API.


Credentials

Some automation operations required SSH/SFTP credentials. To simplify configuration such operations Alertflex uses credential and host profiles.

../_images/credentials.png ../_images/host.png

Playbooks

Alertflex implements liner playbooks which are sequentially executing jobs. Playbooks can be run in five different ways:

  • Multi-times via time schedule
  • One-time via a time schedule
  • Automatically via REST API
  • As an action in response profile
  • Manually via Alertflex console
../_images/playbook.png

Jobs

The jobs represent different types of automation operations:

  • Run scripts on remote hosts/agents
  • Copy/move of files between hosts
  • Send files from hosts to Sandbox for malware analysis
  • Perform of scans (OWASP ZAP, Nmap and etc)
  • Update of rules and IP blocking lists for IDS
  • Generate an email reporting
../_images/job.png

Depending on configuration parameters, one type of job can also perform different operations, for example, job Sandbox can check files in several types of Sandbox:

  • Quckoo
  • Hybrid Analysis
  • Vmray