Help Center/ SecMaster/ User Guide/ Playbook Overview/ Auto Blocking for High-risk Alerts
Updated on 2024-11-21 GMT+08:00

Auto Blocking for High-risk Alerts

Playbook Overview

This playbook can automatically block source IP addresses identified in high-risk alerts through WAF, CFW, VPC security groups, and IAM.

The Auto Blocking for High-Risk Alerts playbook has matched the Auto Blocking for High-Risk Alerts workflow.

Figure 1 Auto Blocking for High-risk Alerts

Prerequisites

  • You have enabled access to WAF access logs or WAF attack logs on the Data Integration page under Settings in the current workspace. For details, see Data Integration.
    Figure 2 Enabling access to WAF logs
  • The ThreatBook quota is sufficient.

Step 1: Configure an Asset Connection

Before using the Auto Blocking for High-Risk Alerts workflow, you need to configure the API key of the ThreatBook plug-in used for the workflow. You can obtain it in the threatbook authentication token asset connection.
  1. Log in to the management console.
  2. Click in the upper left corner of the page and choose Security & Compliance > SecMaster.
  3. In the navigation pane on the left, choose Workspaces > Management. In the workspace list, click the name of the target workspace.
    Figure 3 Workspace management page
  4. In the navigation pane on the left, choose Security Orchestration > Playbooks. On the displayed page, click the Asset Connections tab.
    Figure 4 Asset connection tab page
  5. On the Asset connection page, locate the row that contains the threatbook authentication token asset connection and click Edit in the Operation column.
  6. On the Edit pane sliding out from the right, configure the token.
    • freeApiKey or payApiKey: Set either of them. The value can be obtained after you buy ThreatBook quota.
    • redisHost: IP address of your Redis resources. If there are no IP addresses, leave this parameter blank.
    • redisPort: Port of your Redis resources. If there are no such ports, leave this parameter blank.
    • redisPassword: Passwords of your Redis resources. If there are no such passwords, leave this parameter blank.
  7. Click OK.

Step 2: Configure and Enable the Playbook

In SecMaster, the initial version (V1) of the Auto Blocking for High-Risk Alerts workflow is enabled by default. You do not need to manually enable it. The initial version (V1) of the Auto Blocking for High-Risk Alerts playbook is also activated by default. To use it, you only need to enable it.

  1. On the Playbooks page, locate the row that contains the Auto Blocking for High-Risk Alerts playbook and click Enable in the Operation column.
  2. In the dialog box displayed, select the initial playbook version v1 and click OK.

Implementation Effect

The following uses WAF as an example.

If an IP address is blocked, it will be included in the WAF blacklist. The procedure is as follows:

  1. Log in to the WAF console, go to the Policies page, and click the name of the target protection policy.
  2. On the protection policy details page, click Blacklist and Whitelist in the Protection Details area. You can see that the IP address is listed in an address group in the WAF blacklist.
    Figure 5 Blacklist and Whitelist