Web Login Brute-force Attack Interception (Web login Burst Interception)
Playbook Overview
The Web login Burst Interception playbook has been associated with the web login burst interception process. The Web login Burst Interception playbook checks the source IP address carried in the alert whose Alarm Type is Brute-force attack.
- If the alert source IP address is not in the ThreatBook whitelist, SecMaster automatically generates an interception notification and a to-do task. After the to-do task is approved, SecMaster adds the IP address to the WAF blocking policy and sends the policy to WAF.
- If the alert source IP address is in the ThreatBook whitelist, no action is taken.
Playbook trigger conditions:
- Condition 1: The alert name contains login burst attack.
- Condition 2: The Alarm Type is Brute-force attack.
After the playbook is applied, SecMaster automatically delivers an emergency policy to WAF to block malicious attack source IP addresses.
You need to enable this playbook manually.
Prerequisites
- Your SecMaster professional edition is available.
- You have connected the WAF attack log to SecMaster. For details about how to connect logs to SecMaster, see Enabling Log Access.
- You have available quota for querying indicators in ThreatBook.
- You have created an alert model using the built-in template Application-Login Blasting Attack and enabled the model.
Step 1: Use the Built-in Template Application-Login Blasting Attack to Create and Enable an Alert Model
- Log in to the SecMaster console.
- Click in the upper left corner of the management console and select a region or project.
- In the navigation pane on the left, choose Workspaces > Management. In the workspace list, click the name of the target workspace.
Figure 1 Workspace management page
- In the navigation pane on the left, choose and select the Model Templates tab.
Figure 2 Model Templates tab
- In the model template list, click Details in the Operation column of the Application-Login Blasting Attack template. The template details page is displayed on the right.
- On the model template details page, click Create Model in the lower right corner. The page for creating an alert model is displayed.
- On the Create Alert Model page, configure basic information about the model. If you use a built-in model template to create a model, you are advised to retain the default settings.
Table 1 Basic parameters of an alert model (Parameter: Description)
- Pipeline Name: Name of the data table from which the model data comes. If you use a built-in model template to create a model, retain the default settings.
- Model Name: Name of the custom alert model. If you use a built-in model template to create a model, retain the default settings.
- Severity: Severity of alerts reported by the alert model. If you use a built-in model template to create a model, retain the default settings.
  - Critical: A critical alert indicates that the system is severely attacked, which may cause data loss, system breakdown, or long service interruption. For example, such alerts are generated if ransomware encryption behaviors or malware is detected. You need to handle them immediately to avoid severe system damage.
  - High: A high-risk alert indicates that the system may be under an attack that has not caused serious damage. For example, such alerts are generated if unauthorized login attempts are detected or unsafe commands (for deleting critical system files or modifying system settings) are executed. You need to investigate and take measures in a timely manner to prevent attacks from spreading.
  - Medium: A medium-risk alert indicates that the system has potential security threats, but there are no obvious signs of being attacked. For example, if abnormal modifications of a file or directory are detected, there may be potential attack paths or configuration errors in the system. You need to further analyze and take proper preventive measures to enhance system security.
  - Low: A low-risk alert indicates that a minor security threat exists in the system but does not have significant impact on your system. For example, such alerts are generated if port scans are detected, indicating that there may be attackers trying to find system vulnerabilities. These alerts do not require immediate emergency measures. If you have high requirements for asset security, you should also pay attention to alerts at this level.
  - Informational: A potential error exists and may affect services. If you have high requirements for asset security, you should also pay attention to alerts at this level.
- Alert Type: Alert type displayed after the alert model is triggered. If you use a built-in model template to create a model, retain the default settings.
- Model Type: The default value is Rule model. It cannot be edited or modified. The threat model created using query rules and trigger conditions is a rule model. For details about the query rules and trigger conditions, see Configuring Model Logic.
- Description: Description of the alert model. If you use a built-in model template to create a model, retain the default settings.
- Status: The alert model status. You can change the alert model status after the model is configured.
  - If the Enable button is enabled, the alert model is enabled. When the model rules are met, it can generate alerts.
  - If the Enable button is disabled, the alert model is disabled.
- Click Next in the lower right corner of the page. The page for configuring the model logic is displayed.
- Configure the model logic. For details about the parameters, see the following table. If you use a built-in model template to create a model, you are advised to retain the default settings.
Table 2 Configuring model logic (Parameter: Description)
- Query Rule: Configure alert query rules. After the setting is complete, click Run and view the running result. If you use a built-in model template to create a model, retain the default settings.
  A query analysis statement consists of a query statement and an analysis statement. The format is Query Statement|Analysis Statement. For details about the syntax of query analysis statements, see Overview.
  NOTE: If the reserved field is of the text type, MATCH_QUERY is used for word segmentation queries by default.
- Query Plan: Configure an alert query plan. If you use a built-in model template to create a model, retain the default settings.
  - Query Interval: Set it to xx min/hour/day. If you select min, set this parameter to a value ranging from 5 to 59 minutes. If you select hour, set this parameter to a value ranging from 1 to 23 hours. If you select day, set this parameter to a value ranging from 1 to 14 days.
  - Time Window: Set it to xx min/hour/day. If the time window is by minute, the value ranges from 5 minutes to 59 minutes. If the time window is by hour, the value ranges from 1 hour to 23 hours. If the time window is by day, the value ranges from 1 day to 14 days.
  - Execution Delay: Set it to xx min. The value ranges from 0 to 5 minutes.
- Advanced Alarm Settings: If you use a built-in model template to create a model, retain the default settings.
  - Custom Information: Customize extended alert information. Click Add, and set the Key and Value information.
  - Alarm Details: Enter the alarm name, description, and handling suggestions.
- Trigger Condition: Set alert triggering conditions. If you use a built-in model template to create a model, retain the default settings.
  The value can be greater than, equal to, not equal to, or less than xx.
  If there are multiple trigger conditions, click Add and add them. A maximum of five trigger conditions can be added.
  If there are multiple trigger conditions, SecMaster checks them against the log data from top to bottom and generates an alert of the corresponding type for every trigger condition that is hit.
- Alarm Trigger: The way to trigger alerts for queried results. If you use a built-in model template to create a model, retain the default settings. The options are as follows:
  - One alarm for all query results
  - One alarm for each query result
- Debugging: Set whether to generate debugging alarms. If you use a built-in model template to create a model, retain the default settings. If the alerts generated by the alert model are used only for model debugging, you are advised to enable this function.
  - If Generate debugging alarms is enabled, the value of simulation in the alarm generated by the alert model is true, indicating that the alert is a debugging alert.
  - If Generate debugging alarms is disabled, the value of simulation in the alarm generated by the alert model is false.
- Suppression: Set whether to stop the query after an alarm is generated. If you use a built-in model template to create a model, retain the default settings.
  - If Suppression is enabled, the query stops after an alert is generated.
  - If Suppression is disabled, the query is not stopped after an alert is generated.
- Complete all settings and click Next in the lower right corner of the page.
- Review all settings and click OK in the lower right corner of the page.
- After the configuration is complete, return to the page, click the Available Models tab, and view the new alert model. If the Status of the new alert model is Enabled, the alert model has been successfully added and enabled.
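The Query Plan, Trigger Condition, Alarm Trigger, Debugging and Suppression settings in Table 2 describe how a rule model turns a query result into alerts. The following Python script is an added example that models those semantics so you can reason about a configuration before enabling it; it is not SecMaster code and does not call the SecMaster API. The log records, the counting query standing in for a Query Statement|Analysis Statement, and the model values are all constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

# Allowed ranges for Query Interval and Time Window per unit (from Table 2).
_RANGES = {"min": (5, 59), "hour": (1, 23), "day": (1, 14)}
_UNIT = {"min": timedelta(minutes=1), "hour": timedelta(hours=1), "day": timedelta(days=1)}


def to_timedelta(spec):
    value, unit = spec
    return value * _UNIT[unit]


@dataclass
class TriggerCondition:
    operator: str      # ">", "=", "!=" or "<", compared against the per-result count
    threshold: int
    alert_type: str


@dataclass
class RuleModel:
    query_interval: tuple      # (value, "min" | "hour" | "day")
    time_window: tuple         # (value, "min" | "hour" | "day")
    execution_delay_min: int   # 0 to 5 minutes
    conditions: list           # TriggerCondition objects, checked top to bottom
    one_alarm_per_result: bool  # True: "One alarm for each query result"
    debugging: bool            # "Generate debugging alarms" sets simulation=true
    suppression: bool          # stop querying after an alert is generated


def validate_plan(model):
    """Return the configuration problems found (empty list when the plan is valid)."""
    problems = []
    for name, (value, unit) in (("Query Interval", model.query_interval),
                                ("Time Window", model.time_window)):
        lo, hi = _RANGES[unit]
        if not lo <= value <= hi:
            problems.append(f"{name}: {value} {unit} is outside {lo}-{hi} {unit}")
    if not 0 <= model.execution_delay_min <= 5:
        problems.append("Execution Delay: must be 0-5 minutes")
    if len(model.conditions) > 5:
        problems.append("Trigger Condition: at most five conditions are allowed")
    return problems


def run_query(logs, window_start, window_end):
    """Stand-in for the model's query: count failed logins per source IP in the window."""
    counts = Counter(ip for ts, ip, event in logs
                     if event == "login_fail" and window_start <= ts < window_end)
    return sorted(counts.items())


def _matches(operator, value, threshold):
    return {">": value > threshold, "=": value == threshold,
            "!=": value != threshold, "<": value < threshold}[operator]


def evaluate(model, logs, now):
    """One scheduled run of the model at time `now`; returns the alerts it generates."""
    window_end = now - timedelta(minutes=model.execution_delay_min)
    window_start = window_end - to_timedelta(model.time_window)
    results = run_query(logs, window_start, window_end)
    alerts = []
    for cond in model.conditions:  # every condition that is hit yields its own alert type
        hits = [(ip, n) for ip, n in results if _matches(cond.operator, n, cond.threshold)]
        if not hits:
            continue
        if model.one_alarm_per_result:
            alerts.extend({"alert_type": cond.alert_type, "source_ip": ip, "count": n,
                           "simulation": model.debugging} for ip, n in hits)
        else:
            alerts.append({"alert_type": cond.alert_type, "source_ips": [ip for ip, _ in hits],
                           "simulation": model.debugging})
    return alerts


def schedule(model, logs, start, runs):
    """Run the model for `runs` query intervals; with Suppression the query stops
    after the first run that generates an alert."""
    produced, now = [], start
    for _ in range(runs):
        alerts = evaluate(model, logs, now)
        produced.extend(alerts)
        if alerts and model.suppression:
            break
        now += to_timedelta(model.query_interval)
    return produced


# Constructed WAF attack-log sample: (timestamp, source IP, event). Not real data.
BASE = datetime(2024, 1, 1, 10, 0, 0)
FIRST_RUN = BASE + timedelta(minutes=10)
SAMPLE_LOGS = [(BASE + timedelta(minutes=m), "203.0.113.10", "login_fail") for m in range(6)]
SAMPLE_LOGS += [(BASE + timedelta(minutes=2), "198.51.100.7", "login_fail"),
                (BASE + timedelta(minutes=3), "198.51.100.7", "login_ok")]

# Constructed model values; the alert type matches the playbook's trigger condition.
BRUTE_FORCE_MODEL = RuleModel(
    query_interval=(5, "min"), time_window=(1, "hour"), execution_delay_min=0,
    conditions=[TriggerCondition(">", 5, "Brute-force attack")],
    one_alarm_per_result=True, debugging=False, suppression=False)

if __name__ == "__main__":
    print("plan problems:", validate_plan(BRUTE_FORCE_MODEL))
    for alert in schedule(BRUTE_FORCE_MODEL, SAMPLE_LOGS, FIRST_RUN, 3):
        print(alert)
```

With the sample data the model fires once per run for 203.0.113.10 (six failures, threshold "greater than 5"), so three query intervals produce three alerts unless Suppression is enabled, in which case the query stops after the first; enabling Debugging only changes the simulation value on the alerts it generates.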
Step 2: Configure an Operation Connection
- Log in to the SecMaster console.
- In the navigation pane on the left, choose Workspaces > Management. In the workspace list, click the name of the target workspace.
Figure 3 Workspace management page
- In the navigation pane on the left, choose . On the displayed page, click the Operation Connections tab.
Figure 4 Operation Connections tab
- On the Operation Connections tab, click Edit in the Operation column of the row that contains threatbook authentication token.
- On the Edit Operation Connection panel sliding out from the right, configure the token.
- freeApiKey or paidApiKey: Set either of them. The value can be obtained after you buy ThreatBook quota.
- redisHost: IP address of your Redis resources. If there are no IP addresses, leave this parameter blank.
- redisPort: Port of your Redis resources. If there are no such ports, leave this parameter blank.
- redisPassword: Passwords of your Redis resources. If there are no such passwords, leave this parameter blank.
- Click OK.
Step 3: Configure and Enable the Playbook
In SecMaster, the initial version (V1) of the Web login Burst Interception workflow is enabled by default. You do not need to manually enable it. The initial version (V1) of the Web login Burst Interception playbook is also activated by default. To use it, you only need to enable it.
- On the Playbooks tab, click Enable in the Operation column of Web login Burst Interception playbook.
- In the dialog box displayed, select the initial playbook version v1 and click OK.
Implementation Effect
The Web login Burst Interception playbook checks the source IP address carried in the alert whose Alarm Type is Brute-force attack.
- If the alert source IP address is not in the ThreatBook whitelist, SecMaster automatically generates an interception notification and a to-do task. After the to-do task is approved, SecMaster adds the IP address to the WAF blocking policy and sends the policy to WAF.
- If the alert source IP address is in the ThreatBook whitelist, no action is taken.
- When an alert whose Alarm Type is Brute-force attack exists, the Web login Burst Interception playbook checks the intelligence of the source IP address carried in the alert. If the alert source IP address is not in the ThreatBook whitelist, SecMaster automatically generates an interception notification and a to-do task. In the navigation pane on the left of the SecMaster workspace, choose . On the To-Dos page, you can check the Manually review whether WAF blocking is performed task whose Associated Object is Web login Burst Interception.
- On the To-Dos page, locate the Manually review whether WAF blocking is performed task whose Associated Object is Web login Burst Interception and click Review in the Operation column. On the Playbook - Node Review pane displayed on the right, select Continue.
- After the approval, SecMaster automatically adds the IP address to the WAF blocking policy and delivers the policy to WAF. In the navigation pane on the left, choose . On the displayed page, select the Emergency Policies tab to go to the emergency policy management page.
- On the Policy View tab displayed by default, view the policy generated by the playbook and sent to WAF.
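The decision flow described under Playbook Overview and Implementation Effect (two trigger conditions, a ThreatBook whitelist check that consumes indicator-query quota, a to-do task, and a WAF blocking policy that is only delivered after the review is approved) can be written down as a small state machine. The following Python script is an added example that does so; it is not SecMaster or ThreatBook code. The ThreatBookStub class, the Workspace container, the sample alerts and the whitelist contents are constructed for the example, and the handling of review decisions other than Continue is an assumption.

```python
from dataclasses import dataclass, field

PLAYBOOK_NAME = "Web login Burst Interception"
REVIEW_TASK = "Manually review whether WAF blocking is performed"


@dataclass
class Alert:
    name: str
    alarm_type: str
    source_ip: str


@dataclass
class ToDoTask:
    name: str
    associated_object: str
    source_ip: str
    approved: bool = False


class ThreatBookStub:
    """Constructed stand-in for the ThreatBook whitelist query (not the real API).
    Every lookup consumes one unit of indicator-query quota, as the prerequisite requires."""

    def __init__(self, whitelist, quota):
        self.whitelist = set(whitelist)
        self.quota = quota

    def is_whitelisted(self, ip):
        if self.quota <= 0:
            raise RuntimeError("ThreatBook indicator-query quota exhausted")
        self.quota -= 1
        return ip in self.whitelist


@dataclass
class Workspace:
    threatbook: ThreatBookStub
    notifications: list = field(default_factory=list)
    todos: list = field(default_factory=list)
    waf_block_policy: set = field(default_factory=set)   # IPs delivered to WAF


def triggers(alert):
    """Both playbook trigger conditions from the page must hold."""
    return ("login burst attack" in alert.name.lower()
            and alert.alarm_type == "Brute-force attack")


def on_alert(ws, alert):
    """Run the playbook for one alert; returns 'not_triggered', 'whitelisted' or 'pending_review'."""
    if not triggers(alert):
        return "not_triggered"
    if ws.threatbook.is_whitelisted(alert.source_ip):
        return "whitelisted"  # whitelisted source: no action is taken
    ws.notifications.append(f"Interception notification: {alert.source_ip} ({alert.name})")
    ws.todos.append(ToDoTask(REVIEW_TASK, PLAYBOOK_NAME, alert.source_ip))
    return "pending_review"


def review(ws, task, decision):
    """Playbook node review. Only Continue approves the task; the IP is added to the
    WAF blocking policy only after that approval. Any other decision leaves the
    policy unchanged (assumption: the page documents only Continue)."""
    if task.approved or decision != "Continue":
        return False
    task.approved = True
    ws.waf_block_policy.add(task.source_ip)
    return True


def pending_reviews(ws):
    """Tasks as they would appear on the To-Dos page, filtered by name and Associated Object."""
    return [t for t in ws.todos
            if t.name == REVIEW_TASK and t.associated_object == PLAYBOOK_NAME and not t.approved]


# Constructed sample alerts (documentation-range addresses, not real indicators).
SAMPLE_ALERTS = [
    Alert("Application-Login Burst Attack", "Brute-force attack", "203.0.113.10"),
    Alert("Application-Login Burst Attack", "Brute-force attack", "198.51.100.7"),  # whitelisted
    Alert("Port scan detected", "Scan", "192.0.2.5"),  # fails both trigger conditions
]


def demo():
    ws = Workspace(ThreatBookStub(whitelist={"198.51.100.7"}, quota=10))
    outcomes = [on_alert(ws, a) for a in SAMPLE_ALERTS]
    for task in pending_reviews(ws):
        review(ws, task, "Continue")
    return outcomes, sorted(ws.waf_block_policy), ws.threatbook.quota


if __name__ == "__main__":
    print(demo())
```

Note that nothing reaches the WAF blocking policy until review() is called with Continue, and that an alert which does not satisfy both trigger conditions never reaches the ThreatBook lookup, so it does not spend quota.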