Overview
Scenario
SecMaster provides this built-in playbook to automatically blacklist the source IP addresses reported in high-risk WAF alerts.
How the Playbook Works
The Automatic security blocking of WAF attacks playbook is matched with the workflow of the same name, Automatic security blocking of WAF attacks.
![](https://support.huaweicloud.com/intl/en-us/usermanual-secmaster/en-us_image_0000001765552717.png)
Prerequisites
- You have enabled WAF access logs or WAF attack logs on the Data Integration page under Settings in the current workspace. For details, see Data Integration.
Figure 2 Enabling Access to WAF logs
- The ThreatBook quota is sufficient.
Verification
If an IP address has been blocked, it is included in the WAF blacklist. To check this, perform the following steps:
- Log in to the WAF console, go to the Policies page, and click the name of the target protection policy.
- On the protection policy details page, click Blacklist and Whitelist in the Protection Details area. You can see that the IP address is listed in the WAF blacklist.
![](https://support.huaweicloud.com/intl/en-us/usermanual-secmaster/en-us_image_0000001717969598.png)