Application Defense Alarms Are Associated With Historical Handling Information
Playbook Overview
If SecMaster receives new alerts from WAF within 15 days and there are closed WAF alerts of a similar type, the Application Defense Alarms Are Associated With Historical Handling Information playbook copies the closure comments of those closed WAF alerts into the comment area of the new, similar WAF alerts. This playbook applies to alerts only; attacks cannot trigger it. For details about the differences between alerts and attacks, see Overview.
If two WAF alerts meet any of the following conditions, they are similar alerts:
- They have the same source IP address.
- They are generated for the same attacked domain names.
- They belong to the same alert type.
This playbook is enabled by default; you do not need to configure or enable it. It is triggered when SecMaster receives a new alert from WAF that is similar to a closed WAF alert.
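The matching rule above is simple enough to state precisely in code. The following is an added example, not SecMaster's own playbook implementation: it models the three "any of" similarity conditions, restricts matching to closed alerts whose data source is WAF, applies the 15-day window (assumed here to be measured from the new alert's creation time back to each old alert's closure time; the page does not say which timestamps are compared), and copies closure comments without duplicating them on a re-run. The alert records, field names and timestamps are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Look-back window named in the playbook description. Assumption: it runs from
# the new alert's creation time back to the old alert's closure time.
WINDOW = timedelta(days=15)


@dataclass
class WafAlert:
    alert_id: str
    source: str                         # data source; only "WAF" alerts qualify
    status: str                         # "Open" or "Closed"
    src_ip: str
    domain: str                         # attacked domain name
    alert_type: str
    created_at: datetime
    closed_at: Optional[datetime] = None
    comments: List[str] = field(default_factory=list)


def is_similar(new: WafAlert, old: WafAlert) -> bool:
    """Two WAF alerts are similar if ANY of the three attributes match."""
    return (new.src_ip == old.src_ip
            or new.domain == old.domain
            or new.alert_type == old.alert_type)


def link_historical_handling(new: WafAlert, history: List[WafAlert]) -> List[str]:
    """Copy closure comments of similar, recently closed WAF alerts onto `new`.

    Returns the IDs of the closed alerts whose comments were linked.
    """
    if new.source != "WAF":
        return []                       # the playbook only fires for WAF alerts
    linked = []
    for old in history:
        if old.source != "WAF" or old.status != "Closed" or old.closed_at is None:
            continue                    # open alerts and non-WAF sources are ignored
        if not (new.created_at - WINDOW <= old.closed_at <= new.created_at):
            continue                    # closed outside the 15-day window
        if not is_similar(new, old):
            continue
        linked.append(old.alert_id)
        for c in old.comments:
            tagged = f"[from {old.alert_id}] {c}"
            if tagged not in new.comments:   # idempotent: no duplicates on re-run
                new.comments.append(tagged)
    return linked


# Constructed sample data (not real alerts). Only A1 should match N1: same source
# IP, closed 3 days earlier. B1 shares nothing, C1 shares the domain but is too
# old, D1 shares the type but is still open, E1 shares the IP but is not WAF.
NOW = datetime(2024, 6, 20, 12, 0)


def build_sample():
    new = WafAlert("N1", "WAF", "Open", "198.51.100.7", "shop.example.com",
                   "SQL injection", NOW)
    history = [
        WafAlert("A1", "WAF", "Closed", "198.51.100.7", "api.example.com", "XSS",
                 NOW - timedelta(days=5), NOW - timedelta(days=3),
                 ["Source IP blocked at WAF; confirmed scanner"]),
        WafAlert("B1", "WAF", "Closed", "203.0.113.9", "blog.example.com",
                 "Command injection", NOW - timedelta(days=2),
                 NOW - timedelta(days=1), ["Unrelated incident"]),
        WafAlert("C1", "WAF", "Closed", "203.0.113.10", "shop.example.com",
                 "Path traversal", NOW - timedelta(days=30),
                 NOW - timedelta(days=20), ["Closed outside the window"]),
        WafAlert("D1", "WAF", "Open", "203.0.113.11", "x.example.com",
                 "SQL injection", NOW - timedelta(days=1), None, ["Still open"]),
        WafAlert("E1", "HSS", "Closed", "198.51.100.7", "host-1", "Brute force",
                 NOW - timedelta(days=2), NOW - timedelta(days=1),
                 ["Not a WAF alert"]),
    ]
    return new, history


def demo():
    """Run the linking twice and return (linked IDs, resulting comment list)."""
    new, history = build_sample()
    linked = link_historical_handling(new, history)
    link_historical_handling(new, history)   # second run must not duplicate
    return linked, list(new.comments)


if __name__ == "__main__":
    print(demo())
```

Note that the "any of" rule is deliberately broad: matching on alert type alone means every closed SQL-injection alert in the window would contribute its comments to a new SQL-injection alert from an unrelated source, so treat the copied comments as context, not as a verdict on the new alert.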
Prerequisites
- Your SecMaster professional edition is available.
- You have connected WAF attack logs to SecMaster. For details, see Enabling Log Access.
- You have created an alert model using the built-in Application-XXXXX model template (the data source of this model template is WAF attack logs) and enabled the alert model. For details, see Creating an Alert Model Using a Preconfigured Model Template and Managing Models.
Limitations and Constraints
- Only alerts whose data source is WAF are processed.
Implementation Effect
After the playbook is triggered, SecMaster adds the closure comments of similar closed alerts to the new WAF alerts. To check the result:
- Log in to the SecMaster console.
- Click the region selector in the upper left corner of the management console and select a region or project.
- In the navigation pane on the left, choose Workspaces > Management. In the workspace list, click the name of the target workspace.
Figure 1 Workspace management page
- In the navigation pane on the left, go to the Alerts page.
Figure 2 Alerts
- On the Alerts page, filter WAF alerts by data source and click the name of a new WAF alert to go to the details page.
- If similar closed alerts exist (same source IP address, same attacked domain name, or same alert type, as defined in Playbook Overview), their closure comments are automatically added to the comment area on the details page of the new WAF alert.