Configure Simple Response for AWS WAF IP Set: Block External IP Address

Configure an AWS WAF IP Set: Block External IP Address simple response to add the attacker in an incident to an Amazon Web Services (AWS) WAF IP set.

A typical use case for this response is to reduce opportunities for an identified attacker to probe your network further.

Complete the following steps to successfully configure this simple response:

  1. (Optional) Create an exclusion list
  2. Choose the response
  3. Connect to AWS
  4. (Optional) Apply exclusions
  5. Choose when to respond

(Optional) Create an exclusion list

If you want your automation to exclude specific IP addresses, the IP addresses must be defined in one or more exclusion lists. For example, you can create lists of IP addresses for services such as public addresses of your data centers, VPN endpoints, and external scanners. During the simple response creation process, a step is available to apply exclusion lists to your automation. If a list you want to apply does not exist already, use the instructions in Exclusions to create it now.

Choose the response

In the Alert Logic console, click the navigation menu icon, click Respond, click Automated Response, and then click Simple Responses. Click the add icon, and then, under AWS WAF IP Set: Block External IP Address, click START.

Connect to AWS

This response requires an AWS IAM Role connection that grants Alert Logic access to update an AWS WAF IP set. In the Connect step, name your response and connect to AWS as follows.

To connect to AWS:

  1. In Response Name, enter a descriptive name for your simple response (example: "Block Attacker IP Address").
  2. If you already have an AWS IAM Role connection that grants Alert Logic permission to perform this response, leave Use an existing connection selected, and then select the connection in Connection. You can use the search bar to help you find the connection.
  3. If you do not have an AWS IAM Role connection that grants Alert Logic permission to perform this response, click Create a connection, and then complete the instructions in Create an AWS IAM Role connection to set it up.
  4. In IPv4 IPSet ARN, enter the ARN of the AWS WAF IPv4 IP set to which you want Alert Logic to add IP addresses for blocking. For more information, see Locate the ARN of the AWS WAF IP set.
  5. In IP Set Scope, select the scope of this IP set as shown in the AWS console:
    • REGIONAL—Regional application
    • CLOUDFRONT—Amazon CloudFront distribution
  6. In Block Expiration in Seconds, enter the number of seconds before you want Alert Logic to deactivate the block, or keep the default value: 604800.
  7. Click TEST to perform a dry run that checks the configuration without performing the response. After a few moments, results appear in a message.
    • If the result is Succeeded, continue to the next step in this procedure.
    • If the result is Failed, use the listed errors to assist with troubleshooting. If necessary, you can click Edit connection above AWS IAM Role Connection, and then use the information in Create an AWS IAM Role connection to check and fix the connection.
  8. If you want the simple response to be active, leave Response is active turned on. Turn it off if you want to save the configuration but not activate the response yet.
  9. Click NEXT to continue to the (Optional) Apply exclusions step.
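The following is an added example, not Alert Logic's or AWS's code, that models what the Connect step settings above mean in practice: it parses the IPv4 IPSet ARN, checks it against the selected IP Set Scope, applies exclusion lists, and builds the full Addresses list that the WAFv2 UpdateIPSet API expects, with the block expiry computed from Block Expiration in Seconds. The ARN, IP addresses and exclusion CIDRs in the test are constructed; the LockToken placeholder stands in for the value a real GetIPSet call would return.

```python
# Added example (not Alert Logic's code): models the "Connect to AWS" settings.
# Nothing here calls AWS; it only prepares the UpdateIPSet parameters.
import ipaddress
from datetime import datetime, timedelta, timezone

# WAFv2 ARNs encode the scope as "regional" or "global" (CloudFront).
SCOPE_FROM_ARN = {"regional": "REGIONAL", "global": "CLOUDFRONT"}

def parse_ipset_arn(arn):
    """Return (scope, name, id) from an AWS WAFv2 IP set ARN, e.g.
    arn:aws:wafv2:us-east-1:111122223333:regional/ipset/MyIPSet/<id>."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[:3] != ["arn", "aws", "wafv2"]:
        raise ValueError("not a wafv2 ARN: %s" % arn)
    resource = parts[5].split("/")
    if (len(resource) != 4 or resource[1] != "ipset"
            or resource[0] not in SCOPE_FROM_ARN):
        raise ValueError("not an IP set ARN: %s" % arn)
    return SCOPE_FROM_ARN[resource[0]], resource[2], resource[3]

def is_excluded(ip, exclusion_lists):
    """True if ip falls inside any entry (IP or CIDR) of any exclusion list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False)
               for entries in exclusion_lists for entry in entries)

def build_block_update(current_addresses, attacker_ip, exclusion_lists,
                       selected_scope, ipset_arn,
                       block_expiration_seconds=604800, now=None):
    """Return UpdateIPSet parameters plus the time the block should be lifted,
    or None when the attacker IP is excluded (the response is skipped)."""
    scope, name, ipset_id = parse_ipset_arn(ipset_arn)
    if scope != selected_scope:
        # Mirrors what the TEST dry run should catch: scope/ARN mismatch.
        raise ValueError("IP Set Scope %s does not match ARN scope %s"
                         % (selected_scope, scope))
    if is_excluded(attacker_ip, exclusion_lists):
        return None
    # The IP set is IPv4-only, so an IPv6 attacker address is rejected here.
    cidr = str(ipaddress.IPv4Network(attacker_ip + "/32"))
    # UpdateIPSet replaces the whole list, so existing entries must be kept.
    addresses = sorted(set(current_addresses) | {cidr})
    now = now or datetime.now(timezone.utc)
    return {
        "Name": name, "Scope": scope, "Id": ipset_id, "Addresses": addresses,
        "LockToken": "<from-GetIPSet>",  # placeholder; real value from GetIPSet
        "expires_at": now + timedelta(seconds=block_expiration_seconds),
    }
```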

Create an AWS IAM Role connection

An AWS IAM Role connection securely stores reusable credential information for integrations with Amazon Web Services (AWS). To create the connection, Alert Logic requires the ARN for the AWS IAM role that grants access to update an AWS WAF IP set.

Alert Logic provides the following steps to help you create the connection. For further questions about the steps performed in the AWS console, or if your interface looks different, contact AWS support, or refer to the vendor documentation listed in the technical reference section.

  1. Create an IAM policy in the AWS console
  2. Create an IAM role in the AWS console
  3. Create the connection in the Alert Logic console

Create an IAM policy in the AWS console

The first step in the AWS console is to create an IAM policy that grants access for Alert Logic to update AWS WAF IP sets.

The policy document you use in this procedure grants access for Alert Logic to perform these actions only:

  • Perform policy simulation to help produce better error messages if the policy is not implemented correctly
  • Add IP addresses to an AWS WAF IP set

Before you begin, ensure your setup in AWS meets the following prerequisites for this integration:

  • AWS WAF (v2) Web ACL configured, either regional or CloudFront
  • AWS WAF IPv4 IP set created
  • AWS WAF rule associating the IP set with the Web ACL

To create an IAM policy to update AWS WAF IP sets:

  1. In your AWS account where you want Alert Logic to run automated responses, go to https://console.aws.amazon.com/iamv2/home?#/policies/.
  2. From the IAM Management Console, click Create Policy.
  3. Click the JSON tab.
  4. Copy the contents of the policy document iam-policy-WAF.txt and replace the text in the policy editor.
  5. Click Next: Tags.
  6. Click Next: Review.
  7. On the Review Policy page, type a Policy Name and optional Description for the policy.

Create an IAM role in the AWS console

The next step in the AWS console is to create a role that uses the IAM policy you created.

To create an IAM role in the AWS console:

  1. In your AWS account where you want Alert Logic to run automated responses, go to https://console.aws.amazon.com/iamv2/home#/roles/.
  2. Click Create role.
  3. On the Create role page, click Another AWS Account.
  4. Enter the Account ID: 246648824489.
  5. Click Next: Permissions.
  6. From the list of policies, locate the previously created policy. You can use the Filter Policies option and select Customer managed to help locate the policy.
  7. Select the check box next to the matching policy.
  8. Click Next: Tags.
  9. Click Next: Review.
  10. Type a Role Name and optional Role description, and then click Create Role.
  11. Click the policy name in the green bar at the top of the screen (“The role … has been created.”).
  12. Copy the Role ARN to a text editor for later.

In step 4, the Account ID is different from the main Alert Logic account ID, which you may have used in other AWS role integrations.

Create the connection in the Alert Logic console

Next, go back to the Create a Simple Response page to enter information in the Connect step that grants Alert Logic access to update an AWS WAF IP set.

To create the AWS connection in the Alert Logic console:

  1. In Connection Name, type a descriptive name for the connection, for example, "AWS IAM Role Connection for Updating an IP Set".
  2. In AWS IAM Role ARN, paste the Role ARN that you noted in Create an IAM role in the AWS console.
  3. Click SAVE.

Locate the ARN of the AWS WAF IP set

This response requires the ARN for the AWS WAF IP set that you want Alert Logic to update.

To locate the AWS WAF IPSet ARN:

  1. In your AWS account where you want Alert Logic to run automated responses, go to https://console.aws.amazon.com/wafv2/homev2/ip-sets/.
  2. Near the top of the page, to the right of IP Sets, select the region of your existing AWS WAF. If you are using CloudFront, select Global (CloudFront) from the region list.
  3. Select the IP Set by clicking the circle to the left of its name.
  4. Click Copy ARN above the list of IP Sets. Save this text for use in the Alert Logic console.

(Optional) Apply exclusions

If you want to exclude IP addresses from the response, in Exclusion List(s), select one or more lists that define the exclusions. You can create exclusion lists from the Exclusions page if necessary, and then come back. For more information, see Exclusions.

After you choose one or more lists, or if you want to skip this step, click NEXT.

Choose when to respond

In this step, choose whether to request approval before Alert Logic runs the response each time. Alert Logic sends the request by email and the Alert Logic Mobile App. You can request approval from multiple users, such as members of your security team. The first user to answer determines whether the response is approved or rejected. Subsequent users who respond receive a message stating that the inquiry was responded to already.

In this step, you also choose the incident analytics that you want to trigger the response. You can respond to incidents generated from all analytics that Alert Logic recommends as triggers, or you can choose specific analytics.

To choose when to respond:

  1. If you do not want to require approval, click Do not require approval.
  2. If you want to require approval, click Send approval request, and then select one or more approval recipients in User(s). You can use the search bar to help you find names and email addresses.
    To improve traceability of approvals, Alert Logic recommends that you choose individuals rather than a distribution list.
  3. If you want to block external IP addresses detected in incidents generated from all analytics that Alert Logic recommends as triggers for this response, leave Respond to all recommended analytics selected. An example of a recommended analytic for this response is "{vendor} Possible Credential Stuffing Activity Detected from {attacker_ip}."
  4. If you prefer to choose from a list of all analytics available for this response type, click Choose analytics, and then select one or more analytics to use as triggers for the response. You can use the search bar to help you find analytics.
    To learn more about a specific analytic, you can find it in the Threat Intelligence Center. For more information, see Threat Intelligence Center.
  5. Click SAVE.

Technical reference

Simple Response Name

AWS WAF IP Set: Block External IP Address

Vendor documentation

For general information about AWS WAF and IP sets, see:

If you want to allow Alert Logic to update only certain IP sets in your AWS account, you can use resource-level permissions. For more information, see: