Configure Simple Response for Alert Logic WAF: Block External IP Address

Configure an Alert Logic WAF: Block External IP Address simple response to automatically block the attacker identified in an incident on the Alert Logic WAF.

A typical use case for this response is to reduce opportunities for an identified attacker to probe your network further. Although the Alert Logic WAF is the primary defense against attacks for the websites it protects, you can use this simple response to implement another layer of protection for incidents originating from other detection sources. For example, Alert Logic collects log messages from hosts in your network. Log-based analysis can show that an attacker is sending bad requests indicating a brute-force attempt from outside your network. This simple response can then block the attacker on the Alert Logic WAF. Alert Logic pushes the attacker IP address to the WAF so the attacker is blocked from even accessing your website.

Complete the following steps to successfully configure this simple response:

  1. (Optional) Create an exclusion list
  2. Choose the response
  3. Connect to Alert Logic WAF
  4. (Optional) Apply exclusions
  5. Choose when to respond

(Optional) Create an exclusion list

If you want your automation to exclude specific IP addresses, the IP addresses must be defined in one or more exclusion lists. For example, you can create lists of IP addresses for services such as public addresses of your data centers, VPN endpoints, and external scanners. During the simple response creation process, a step is available to apply exclusion lists to your automation. If a list you want to apply does not exist already, use the instructions in Exclusions to create it now.

Choose the response

In the Alert Logic console, click the navigation menu icon, click Respond, click Automated Response, and then click Simple Responses. Click the add icon, and then, under Alert Logic WAF: Block External IP Address, click START.

Connect to Alert Logic WAF

In the Connect step, name your response and connect to Alert Logic WAF as follows.

To connect to Alert Logic WAF:

  1. In Response Name, enter a descriptive name for your simple response (example: "Block Attacker IP Address").
  2. In WAF Cluster, select the Alert Logic WAF cluster to use for the response. All WAFs in the selected cluster will receive the IP address block. For questions about which cluster to choose, open a ticket with Alert Logic Support.
  3. In Block Expiration in Seconds, enter the number of seconds before you want Alert Logic to deactivate the block, or keep the default value: 604800.
  4. Click TEST to perform a dry run that checks the configuration without performing the response. After a few moments, results appear in a message.
    • If the result is Succeeded, continue to the next step in this procedure.
    • If the result is Failed, use the listed errors to assist with troubleshooting.
  5. If you want the simple response to be active, leave Response is active turned on. Turn it off if you want to save the configuration but not activate the response yet.
  6. Click NEXT to continue to the (Optional) Apply exclusions step.

(Optional) Apply exclusions

If you want to exclude IP addresses from the response, in Exclusion List(s), select one or more lists that define the exclusions. You can create exclusion lists from the Exclusions page if necessary, and then come back. For more information, see Exclusions.

After you choose one or more lists, or if you want to skip this step, click NEXT.

Choose when to respond

In this step, choose whether to request approval before Alert Logic runs the response each time. Alert Logic sends the request by email and the Alert Logic Mobile App. You can request approval from multiple users, such as members of your security team. The first user to answer determines whether the response is approved or rejected. Subsequent users who respond receive a message stating that the inquiry was responded to already.

In this step, you also choose the incident analytics that you want to trigger the response. You can respond to incidents generated from all analytics that Alert Logic recommends as triggers, or you can choose specific analytics.

To choose when to respond:

  1. If you do not want to require approval, click Do not require approval.
  2. If you want to require approval, click Send approval request, and then select one or more approval recipients in User(s). You can use the search bar to help you find names and email addresses.
    To improve traceability of approvals, Alert Logic recommends that you choose individuals rather than a distribution list.
  3. If you want to block external IP addresses detected in incidents generated from all analytics that Alert Logic recommends as triggers for this response, leave Respond to all recommended analytics selected. An example of a recommended analytic for this response is "{vendor} Possible Credential Stuffing Activity Detected from {attacker_ip}."
  4. If you prefer to choose from a list of all analytics available for this response type, click Choose analytics, and then select one or more analytics to use as triggers for the response. You can use the search bar to help you find analytics.
    To learn more about a specific analytic, you can find it in the Threat Intelligence Center. For more information, see Threat Intelligence Center.
  5. Click SAVE.
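The following Python model, added here as an illustration and not Alert Logic's own code, shows the decision logic the procedure above configures: exclusion lists are consulted first, an address that is not external is skipped, a block is issued with the default 604800-second expiration, and the first approver's answer decides the request. The exclusion lists, cluster name and attacker addresses are constructed sample values; the rule that only external addresses are pushed to the WAF is an assumption drawn from the response name.

```python
"""Local model of the Alert Logic WAF "Block External IP Address" response
(illustrative only: not Alert Logic's code, does not call any API)."""
import ipaddress
import time

DEFAULT_BLOCK_EXPIRATION_SECONDS = 604800  # console default, 7 days

# Constructed exclusion lists mirroring the page's examples (data-center
# public addresses, VPN endpoints, external scanners); RFC 5737 ranges.
EXCLUSION_LISTS = {
    "datacenter-public": ["203.0.113.0/24"],
    "vpn-endpoints": ["198.51.100.10/32", "198.51.100.11/32"],
    "external-scanners": ["192.0.2.0/28"],
}


def is_excluded(ip, exclusion_lists):
    """Return the name of the first exclusion list covering ip, else None."""
    addr = ipaddress.ip_address(ip)
    for name, cidrs in exclusion_lists.items():
        if any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs):
            return name
    return None


def plan_block(incident, cluster, exclusion_lists,
               expiration_seconds=DEFAULT_BLOCK_EXPIRATION_SECONDS, now=None):
    """Decide what the response would push to the WAF cluster for one incident.
    Exclusions win first; a non-external address (private, loopback, ...)
    is skipped too (assumption: the WAF block targets external attackers)."""
    ip = incident["attacker_ip"]
    listed = is_excluded(ip, exclusion_lists)
    if listed:
        return {"action": "skip", "ip": ip, "reason": f"excluded by {listed}"}
    if ipaddress.ip_address(ip).is_private:
        return {"action": "skip", "ip": ip, "reason": "not an external address"}
    now = time.time() if now is None else now
    return {"action": "block", "ip": ip, "cluster": cluster,
            "expires_at": now + expiration_seconds}


def resolve_approval(answers):
    """Approval rule from the page: the first user to answer decides; later
    responders only get a notice that the inquiry was already answered."""
    if not answers:
        return None, []
    decision = answers[0][1]
    notices = [f"{u}: inquiry was responded to already" for u, _ in answers[1:]]
    return decision, notices
```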

Technical reference

Simple Response Name

Alert Logic WAF: Block External IP Address