Auto Blocking for High-risk Alerts
Playbook Overview
This playbook can automatically block source IP addresses identified in high-risk alerts through WAF, CFW, VPC security groups, and IAM.
The Auto Blocking for High-Risk Alerts playbook is associated with the Auto Blocking for High-Risk Alerts workflow.
Prerequisites
- You have enabled access to WAF access logs or WAF attack logs on the Data Integration page under Settings in the current workspace. For details, see Data Integration.
Figure 2 Enabling access to WAF logs
- The ThreatBook quota is sufficient.
Step 1: Configure an Asset Connection
- Log in to the management console.
- Click in the upper left corner of the page and choose Security & Compliance > SecMaster.
- In the navigation pane on the left, choose Workspaces > Management. In the workspace list, click the name of the target workspace.
Figure 3 Workspace management page
- In the navigation pane on the left, choose the Asset Connections tab.
Figure 4 Asset connection tab page
- On the Asset Connections page, locate the row that contains the threatbook authentication token asset connection and click Edit in the Operation column.
- On the Edit pane sliding out from the right, configure the token.
- freeApiKey or payApiKey: Set either of them. The value can be obtained after you buy ThreatBook quota.
- redisHost: IP address of your Redis resources. If there are no IP addresses, leave this parameter blank.
- redisPort: Port of your Redis resources. If there are no such ports, leave this parameter blank.
- redisPassword: Password of your Redis resources. If there is no such password, leave this parameter blank.
- Click OK.
Step 2: Configure and Enable the Playbook
In SecMaster, the initial version (V1) of the Auto Blocking for High-Risk Alerts workflow is enabled by default. You do not need to manually enable it. The initial version (V1) of the Auto Blocking for High-Risk Alerts playbook is also activated by default. To use it, you only need to enable it.
- On the Playbooks page, locate the row that contains the Auto Blocking for High-Risk Alerts playbook and click Enable in the Operation column.
- In the dialog box displayed, select the initial playbook version v1 and click OK.
Implementation Effect
The following uses WAF as an example.
If an IP address is blocked, it will be included in the WAF blacklist. The procedure is as follows:
- Log in to the WAF console, go to the Policies page, and click the name of the target protection policy.
- On the protection policy details page, click Blacklist and Whitelist in the Protection Details area. You can see that the IP address is listed in an address group in the WAF blacklist.
Figure 5 Blacklist and Whitelist