Automatic Blocking of High-Risk Alerts (AutomaticSecurityBlockingOfHig-riskAlarms)
Playbook Overview
The AutomaticSecurityBlockingOfHig-riskAlarms playbook matches the AutomaticSecurityBlockingOfHig-riskAlarms workflow to automatically deliver emergency policies to block the attack source IP addresses in high-risk or critical alerts. The attack source IP addresses in high-risk or critical alerts must meet the following conditions:
- Condition 1: The number of attacks from the source IP address reaches the threshold (more than 3).
- Condition 2: The attack source IP address matches malicious labels of ThreatBook.
After the playbook takes effect, SecMaster automatically delivers emergency policies to block malicious attack source IP addresses in high-risk or critical alerts. The protection types of the emergency policies are as follows:
- If the data source of high-risk or critical alerts is HSS, the SecMaster Auto Blocking of High-risk Alerts playbook automatically delivers VPC emergency policies to block malicious IP addresses.
You need to enable this playbook manually.
Trigger condition: This playbook is triggered when a new high-risk or critical alert is reported to SecMaster and the attack source IP address in the alert meets the following conditions:
- Condition 1: The number of attacks from the source IP address reaches the threshold (more than 3).
- Condition 2: The attack source IP address matches malicious labels of ThreatBook.
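As an added illustration of the decision logic described above (not SecMaster's or the playbook's own code), the following Python evaluates both conditions over a constructed alert sample. The alert field names, the stand-in ThreatBook results, and the "OtherSource" data source are assumptions; the intel cache plays the role of the optional Redis connection by making each IP spend query quota only once.

```python
from collections import Counter, defaultdict

HIGH_SEVERITIES = {"High", "Critical"}
ATTACK_THRESHOLD = 3  # the page's "more than 3" attacks from one source IP

def _alerts(ip, severity, source, n):
    """Build n constructed alerts; field names are assumptions, not SecMaster's schema."""
    return [{"src_ip": ip, "severity": severity, "source": source}] * n

# Constructed sample alert stream (RFC 5737 documentation addresses).
SAMPLE_ALERTS = (
    _alerts("203.0.113.10", "High", "HSS", 3) + _alerts("203.0.113.10", "Critical", "HSS", 1)
    + _alerts("198.51.100.7", "High", "HSS", 5)        # many attacks, but not malicious
    + _alerts("192.0.2.5", "Critical", "HSS", 1)       # malicious, but only one attack
    + _alerts("192.0.2.77", "High", "OtherSource", 4)  # hypothetical non-HSS data source
)

# Constructed stand-in for ThreatBook IP reputation results (IP -> labels).
THREAT_INTEL = {"203.0.113.10": ["malicious", "scanner"], "198.51.100.7": ["benign"],
                "192.0.2.5": ["malicious"], "192.0.2.77": ["malicious"]}

class IntelCache:
    """Memoises reputation lookups so each IP spends ThreatBook quota once,
    the role the optional Redis connection plays in the playbook."""
    def __init__(self, lookup):
        self._lookup, self._cache, self.queries = lookup, {}, 0

    def labels(self, ip):
        if ip not in self._cache:
            self.queries += 1
            self._cache[ip] = self._lookup(ip)
        return self._cache[ip]

def decide_blocks(alerts, cache):
    """Return {src_ip: policy type} for source IPs that satisfy both conditions."""
    counts = Counter(a["src_ip"] for a in alerts)  # assumption: each alert is one attack
    candidates = defaultdict(set)  # IPs seen in high/critical alerts -> their data sources
    for a in alerts:
        if a["severity"] in HIGH_SEVERITIES:
            candidates[a["src_ip"]].add(a["source"])
    decisions = {}
    for ip, data_sources in candidates.items():
        if counts[ip] <= ATTACK_THRESHOLD:
            continue  # condition 1 fails; checked first because it costs no quota
        if "malicious" not in cache.labels(ip):
            continue  # condition 2 fails: no ThreatBook malicious label
        if "HSS" in data_sources:
            decisions[ip] = "VPC emergency policy"  # the only mapping the page lists
    return decisions
```

Only 203.0.113.10 ends up blocked: 198.51.100.7 exceeds the threshold but carries no malicious label, 192.0.2.5 is malicious but was seen once, and 192.0.2.77 meets both conditions but comes from a data source for which the page lists no policy type.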
Prerequisites
- The HSS alarm log has been connected to SecMaster, and the Auto Alert Conversion button has been toggled on. For details about how to connect logs to SecMaster, see Enabling Log Access.
- You have available quota for querying indicators in ThreatBook.
Limitations and Constraints
- The SecMaster professional edition is required.
Step 1: Configure an Asset Connection/Operation Connection
- Log in to the SecMaster console.
- In the navigation pane on the left, choose Workspaces > Management. In the workspace list, click the name of the target workspace.
Figure 1 Workspace management page
- In the navigation pane on the left, choose . On the displayed page, click the Operation Connections tab.
Figure 2 Operation Connections tab
- On the Operation Connections tab, click Edit in the Operation column of the row that contains the threatbook authentication token connection.
- On the Edit Operation Connection panel sliding out from the right, configure the token.
- freeApiKey or paidApiKey: Set either of them. The value can be obtained after you buy ThreatBook quota.
- redisHost: IP address of your Redis resources. If there are no IP addresses, leave this parameter blank.
- redisPort: Port of your Redis resources. If there are no such ports, leave this parameter blank.
- redisPassword: Password of your Redis resources. If there is no such password, leave this parameter blank.
- Click OK.
Step 2: Configure and Enable the Playbook
In SecMaster, the initial version (V1) of the Auto Blocking of High-Risk Alerts workflow is enabled by default. You do not need to manually enable it. The initial version (V1) of the Auto Blocking of High-Risk Alerts playbook is also activated by default. To use it, you only need to enable it.
- On the Playbooks page, locate the row that contains the Auto Blocking of High-Risk Alerts playbook and click Enable in the Operation column.
- In the dialog box displayed, select the initial playbook version v1 and click OK.
Implementation Effect
The Auto Blocking of High-Risk Alerts playbook automatically delivers emergency policies to block the attack source IP addresses in high-risk or critical alerts. If the data source of high-risk or critical alerts is HSS, the playbook automatically delivers VPC emergency policies to block malicious IP addresses. You can check the result in the VPC console as follows:
- Go to the IP Address Groups page.
Figure 3 Viewing IP address groups in a VPC
- In the IP address group list, click the hyperlink of the IP address group name. The basic information page of the IP address group is displayed. Click different tabs to view the required information.
- On the Basic Information tab page, view the basic information and IP address entries added to the IP address group.
Figure 4 Viewing IP address information in an IP address group
- On the Associated Resources tab page, view the resources associated with the IP address group. Click the resource name of SecMaster_One-Click_Host_Isolation to view the inbound and outbound rules of the IP address group.
Figure 5 SecMaster_One-Click_Host_Isolation security group