AWS WAF
Integration version: 5.0
Use Cases
Active actions - manage IP Sets, Rule Groups, Pattern Sets, Web ACLs.
Configure AWS WAF integration in Google Security Operations SOAR
For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Integration parameters
Use the following parameters to configure the integration:
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Instance Name | String | N/A | No | Name of the Instance you intend to configure integration for. |
Description | String | N/A | No | Description of the Instance. |
AWS Access Key ID | String | N/A | Yes | AWS Access Key ID to use in integration. |
AWS Secret Key | Password | N/A | Yes | AWS Secret Key to use in integration. |
AWS Default Region | String | N/A | Yes | AWS default region to use in integration, for example us-west-2. |
Run Remotely | Checkbox | Unchecked | No | Check the field in order to run the configured integration remotely. Once checked, the option appears to select the remote user (agent). |
Actions
Ping
Description
Test connectivity to AWS WAF with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.
Parameters
N/A
Run On
This action doesn't run on entities.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: If successful: "Successfully connected to the AWS WAF server with the provided connection parameters!" The action should fail and stop a playbook execution: If not successful: "Failed to connect to the AWS WAF server! Error is {0}".format(exception.stacktrace) | General |
Create IP Set
Description
Create an IP Set in AWS WAF, based on entities.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Name | String | N/A | Yes | Specify the name of the IP set. Note: action will create an IP set in the following format: Siemplify_{Name}_{IP Type}. The name must have 1-128 characters. Valid characters: A-Z, a-z, 0-9, - (hyphen), and _ (underscore). |
Scope | DDL | CloudFront | Yes | Specify what should be the scope for the creation of IP sets. If "Both" is selected, action will create an IP set in Regional and Amazon CloudFront scopes. |
Description | String | N/A | No | Specify the description for the IP set. |
Tags | CSV | N/A | No | Specify additional tags that should be added to the IP set. Format: key_1:value_1,key_2:value_1. |
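Added example (not the integration's own code): a Python sketch of how the Create IP Set inputs above map to per-scope, per-IP-version sets named `Siemplify_{Name}_{IP Type}`. The function names are hypothetical, and it is an assumption that the request fields follow the boto3 `wafv2` `create_ip_set` keyword arguments and that `{IP Type}` is the literal `IPv4` or `IPv6`; no AWS call is made.

```python
import ipaddress
import re

# Naming rule quoted in the Name parameter: 1-128 chars of A-Z, a-z, 0-9, "-", "_".
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,128}")

# Integration "Scope" option -> WAFv2 Scope values.
SCOPES = {
    "CloudFront": ["CLOUDFRONT"],
    "Regional": ["REGIONAL"],
    "Both": ["REGIONAL", "CLOUDFRONT"],
}


def parse_tags(tags_csv):
    """Parse 'key_1:value_1,key_2:value_2' into WAFv2 Key/Value tag dicts."""
    tags = []
    for item in (tags_csv or "").split(","):
        item = item.strip()
        if not item:
            continue
        key, sep, value = item.partition(":")
        if not sep or not key.strip():
            raise ValueError(f"tag {item!r} is not in key:value form")
        tags.append({"Key": key.strip(), "Value": value.strip()})
    return tags


def plan_ip_sets(name, entities, scope="CloudFront", description=None, tags_csv=None):
    """Return (requests, rejected): one request per scope and IP version in use."""
    by_type = {"IPv4": [], "IPv6": []}
    rejected = []
    for entity in entities:
        try:
            addr = ipaddress.ip_address(entity.strip())
        except ValueError:
            rejected.append(entity)  # reported back, never sent to AWS
            continue
        cidr = f"{addr}/{addr.max_prefixlen}"  # WAFv2 IP sets take CIDR notation
        bucket = by_type[f"IPv{addr.version}"]
        if cidr not in bucket:
            bucket.append(cidr)

    tags = parse_tags(tags_csv)
    requests = []
    for waf_scope in SCOPES[scope]:
        for ip_type, addresses in by_type.items():
            if not addresses:
                continue
            # The prefix and suffix count toward the 128-character limit.
            full_name = f"Siemplify_{name}_{ip_type}"
            if not NAME_RE.fullmatch(full_name):
                raise ValueError(f"IP set name {full_name!r} breaks the naming rule")
            request = {
                "Name": full_name,
                "Scope": waf_scope,
                "IPAddressVersion": ip_type.upper(),
                "Addresses": list(addresses),
            }
            if description:
                request["Description"] = description
            if tags:
                request["Tags"] = tags
            requests.append(request)
    return requests, rejected


if __name__ == "__main__":
    # Constructed sample entities (documentation address ranges).
    sample = ["203.0.113.7", "2001:db8::1", "not-an-ip", "198.51.100.20"]
    planned, bad = plan_ip_sets("blocklist", sample, scope="Both",
                                tags_csv="case:1234,source:soar")
    for req in planned:
        print(req["Scope"], req["Name"], req["Addresses"])
    print("rejected:", bad)
```

Because the action adds the `Siemplify_` prefix and the IP type suffix, a Name close to 128 characters fails the naming rule once the full name is built.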
Run On
This action runs on the IP Address entity.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
{
  "Regional": ["IPv4_set", "IPv6_set"],
  "Cloudfront": ["IPv4_set", "IPv6_set"]
}
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: If successful and at least one of the provided entities was used to create an IP set (is_success = true): "Successfully created {0} {1} IP Set '{2}' in AWS WAF with the following IPs: \n {3}".format("Regional"/"Cloudfront", "IPv4"/"IPv6", full_name, entity.identifier list) If fail to use specific entities (is_success = true): "Action was not able to use the following IPs in order to create AWS WAF IP Set\n: {0}".format([entity.identifier]) If fail to use all entities (is_success = false): "No IP Sets were created. Reason: None of the provided IP entities were valid." If all sets already exist (is_success = false) or if only some of the sets already exist (is_success = true): "The following {0} IP Pattern Sets '{1}' already exist: \n.".format("Regional/CloudFront", list_of_full_names) The action should fail and stop a playbook execution: If fatal error, like wrong credentials, no connection to server, other: "Error executing action "Create IP Set". Reason: {0}".format(error.Stacktrace) |
Add IP To IP Set
Description
Add IP addresses to the IP Set in AWS WAF.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
IP Set Names | CSV | N/A | Yes | Specify the comma-separated list of IP set names. Example: name_1,name_2 |
Scope | DDL | CloudFront | Yes | Specify what should be the scope of the IP set. If "Both" is selected, action will add IP addresses to IP sets in Regional and CloudFront scopes. |
Run On
This action runs on the IP Address entity.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: If successful and at least one IP address was added to one IP set (is_success = true): "Successfully added the following IPs to the {0} IP Set '{1}' in AWS WAF: \n {2}".format("Regional"/"Cloudfront", full_name, entity.identifier list) If fail to add specific entities to one of the IP Sets (is_success = true): "Action was not able to add the following IPs to the {0} IP Set '{1}' in AWS WAF\n: {2}".format("Regional"/"Cloudfront", full_name, [entity.identifier]) If fail to find one of the IP sets (is_success = true): "Action wasn't able to find the following '{0}' IP Sets in the AWS WAF:\n {1}".format("Regional"/"Cloudfront", list of IP sets that were not found in that scope) If fail to find all of the provided IP sets in the desired scope or scopes (is_success = false): "Action didn't find the provided IP sets." The action should fail and stop a playbook execution: If fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Add IP To IP Set". Reason: {0}".format(error.Stacktrace) | General |
Create Regex Pattern Set
Description
Create a Regex Pattern Set in AWS WAF based on entities.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Name | String | N/A | Yes | Specify the name of the Regex Pattern set. Note: The name must have 1-128 characters. Valid characters: A-Z, a-z, 0-9, - (hyphen), and _ (underscore). |
Scope | DDL | CloudFront | Yes | Specify what should be the scope for the creation of Regex Pattern sets. If "Both" is selected, action will create a Regex Pattern set in Regional and CloudFront scopes. |
Description | String | N/A | No | Specify the description for the Regex Pattern set. |
Tags | CSV | N/A | No | Specify additional tags that should be added to the Regex Pattern set. Format: key_1:value_1,key_2:value_1. |
Domain Pattern | Checkbox | Checked | No | If enabled, action will retrieve the domain part out of URLs and create a regex pattern based on them. Example: http://test.com/folder will be converted to a pattern ^(http|https)(:\/\/)(\Qtest.com\E).* |
IP Pattern | Checkbox | Checked | No | If enabled, action will construct a proper regex pattern out of the IP address instead of using the raw value. Example: 10.0.0.1 will be converted into ^(http|https)(:\/\/)(\Q10.0.0.1\E).* |
Run On
This action runs on the following entities:
- IP Address
- URL
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
{
  "Regional": "Regex_set",
  "Cloudfront": "Regex_set"
}
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: If successful and at least one of the provided entities was used to create a Regex set (is_success = true): "Successfully created {0} Regex Pattern Set '{1}' in AWS WAF with the following entities: \n {2}".format("Regional"/"Cloudfront", name, entity.identifier list) If more than 10 entities are going to be used to create a regex pattern set: "Action wasn't able to create regex pattern sets with all of the provided entities, because the limit is exceeded. The following entities were skipped: {0}".format(entity.identifier) If Set already exists (is_success = false): "{0} Regex Pattern Set '{1}' already exists.".format("Regional/CloudFront", name) The action should fail and stop a playbook execution: If fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Create Regex Pattern Set". Reason: {0}".format(error.Stacktrace) | General |
Create Web ACLs
Description
Create a Web ACL in AWS WAF.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Name | String | N/A | Yes | Specify the name of the Web ACL. Note: The name must have 1-128 characters. Valid characters: A-Z, a-z, 0-9, - (hyphen), and _ (underscore). |
Rule Source Type | DDL | IP Set (possible values: IP Set, Rule Group) | Yes | Specify what rule type should be used. |
Rule Source Name | String | N/A | Yes | Specify the name of the source, which should be used for Web ACL. If "Rule Source Type" is "IP Set", action will search for IP Sets with that name. If "Rule Source Type" is "Rule Group", action will search for Rule Groups with that name. |
Scope | DDL | CloudFront | Yes | Specify what should be the scope for the creation of the Web ACL. If "Both" is selected, action will create a Web ACL in Regional and CloudFront scopes. |
Enable Sampled Requests | Checkbox | Unchecked | Yes | If enabled, AWS WAF will store a sampling of the web requests that match the rules. |
Enable CloudWatch Metrics | Checkbox | Unchecked | Yes | If enabled, the associated resource sends metrics to CloudWatch. |
CloudWatch Metric Name | Checkbox | Unchecked | Yes | Specify the name of the CloudWatch Metric. Note: The name must have 1-128 characters. Valid characters: A-Z, a-z, 0-9, - (hyphen), and _ (underscore). |
Default Action | DDL | Allow | Yes | Specify what should be the default action for requests that don't match any rules. |
IP Set Action | DDL | Block | No | Specify what should be the action for rules that are based on the IP set. |
Rule Priority | Integer | N/A | Yes | Specify what should be the priority of the rule. Priorities in Web ACL should be unique. |
Description | String | N/A | No | Specify the description for the Web ACL. |
Tags | CSV | N/A | No | Specify additional tags that should be added to the Web ACL. Format: key_1:value_1,key_2:value_1. |
Run On
This action doesn't run on entities.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
JSON Result
{
  "Regional": "Web_Acl_name",
  "Cloudfront": "Web_Acl_name"
}
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: If successfully listed available IP Sets (is_success = true) and "Scope" == "Both": "Successfully created Web ACL {0} in Regional and Cloudfront scopes.".format(name) If successfully listed available IP Sets (is_success = true) and "Scope" == "Regional": "Successfully created Web ACL {0} in Regional.".format(name) If successfully listed available IP Sets (is_success = true) and "Scope" == "Cloudfront": "Successfully created Web ACL {0} in Cloudfront scope.".format(name) If the Web ACL exists: "The Web ACL {} already exists in {} scope.".format(web ACL name, scope) If IP Set / Rule Group wasn't found: "Action wasn't able to create Web ACL. Reason: {0} {1} wasn't found in AWS WAF".format("IP Set/Rule Group", Rule Source Name) The action should fail and stop a playbook execution: If fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Create Web ACL". Reason: {0}".format(error.Stacktrace) |
Add Rule To Web ACL
Description
Add a rule based on IP Sets or Rule Groups to a Web ACL in AWS WAF. Note: a Web ACL can contain at most 1500 rules.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Web ACL Names | CSV | N/A | Yes | Specify the comma-separated list of Web ACL names. Example: name_1,name_2 |
Rule Source Type | DDL | IP Set | Yes | Specify what rule type should be used. |
Rule Source Name | String | N/A | Yes | Specify the name of the source, which should be used for Web ACL. If "Rule Source Type" is "IP Set", action will search for IP Sets with that name. If "Rule Source Type" is "Rule Group", action will search for Rule Groups with that name. |
Scope | DDL | CloudFront | Yes | Specify what should be the scope for the new rules. If "Both" is selected, action will add a Rule to a Web ACL in Regional and CloudFront scopes. |
Rule Priority | Integer | N/A | Yes | Specify what should be the priority of the rule. Priorities in Web ACL should be unique. |
IP Set Action | DDL | Block | No | Specify what should be the action for rules that are based on the IP set. |
Run On
This action doesn't run on entities.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: If successful and at least one rule was added to one Web ACL (is_success = true): "Successfully added a rule to the following {0} Web ACLs '{1}' in AWS WAF.".format("Regional"/"Cloudfront", list of names) If fail to find one of the Web ACLs (is_success = true): "Action wasn't able to find the following '{0}' Web ACLs in the AWS WAF:\n {1}".format("Regional"/"Cloudfront", list of Web ACLs that were not found in that scope) If rule with name already exists per Web ACL in Scope (is_success = true): "Action wasn't able to add {0} rules to the Web ACL in AWS WAF. Reason: {0} with name '{1}' already exists in the following Web ACLs:\n{2}".format(rule source type, rule source name, list Web ACL with scope - structure {0} - {1}.format(scope, web acl name)) The action should fail and stop a playbook execution: If fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Add Rule To Web ACL". Reason: {0}".format(error.Stacktrace) | General |
Create Rule Group
Description
Create a rule group in AWS WAF.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Name | String | N/A | Yes | Specify the name of the rule group. Note: The name must have 1-128 characters. Valid characters: A-Z, a-z, 0-9, - (hyphen), and _ (underscore). |
Scope | DDL | CloudFront | Yes | Specify what should be the scope for the creation of the rule group. If "Both" is selected, action will create a Rule Group in Regional and CloudFront scopes. |
Capacity | Integer | 100 | Yes | Specify the capacity of the rule group. Note: you can't change the capacity after the group is created. Maximum is 1500. |
Enable Sampled Requests | Checkbox | Unchecked | Yes | If enabled, AWS WAF will store a sampling of the web requests that match the rules. |
Enable CloudWatch Metrics | Checkbox | Unchecked | Yes | If enabled, the associated resource sends metrics to CloudWatch. |
CloudWatch Metric Name | Checkbox | Unchecked | Yes | Specify the name of the CloudWatch Metric. Note: The name must have 1-128 characters. Valid characters: A-Z, a-z, 0-9, - (hyphen), and _ (underscore). |
Description | String | N/A | No | Specify the description for the Rule Group. |
Tags | CSV | N/A | No | Specify additional tags that should be added to the Rule Group. Format: key_1:value_1,key_2:value_1. |
Run On
This action doesn't run on entities.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: If successfully listed available IP Sets (is_success = true) and "Scope" == "Both": "Successfully created Rule Group {0} in Regional and Cloudfront scopes.".format(name) If successfully listed available IP Sets (is_success = true) and "Scope" == "Regional": "The Rule Group {} already exists in {} scope.".format(web ACL name, scope) If successfully listed available IP Sets (is_success = true) and "Scope" == "Cloudfront": "Successfully created Rule Group {0} in Cloudfront scope.".format(name) If the Rule Group exists: "Successfully created Rule Group {0} in Cloudfront scope.".format(name) If the creation of the Rule Group fails: "Action was not able to create Rule Group {} in {} scope".format(web ACL name, scope) The action should fail and stop a playbook execution: If fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Create Rule Group". Reason: {0}".format(error.Stacktrace) | General |
Add Entity To Regex Pattern Set
Description
Add string patterns based on entities to the Regex Pattern Set in AWS WAF.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Regex Pattern Set Names | CSV | N/A | Yes | Specify the comma-separated list of Regex Pattern set names. Example: name_1,name_2 |
Scope | DDL | CloudFront | Yes | Specify what should be the scope of the regex pattern set. If "Both" is selected, action will add patterns based on entities to Regex Pattern sets in Regional and CloudFront scopes. |
Domain Pattern | Checkbox | Checked | No | If enabled, action will retrieve the domain part out of URLs and create a regex pattern based on them. Example: http://test.com/folder will be converted to a pattern ^(http|https)(:\/\/)(\Qtest.com\E).* |
IP Pattern | Checkbox | Checked | No | If enabled, action will construct a proper regex pattern out of the IP address instead of using the raw value. Example: |
Run On
This action runs on the following entities:
- IP Address
- URL
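Added example (not the integration's own code): a Python sketch of the Domain Pattern and IP Pattern conversions described for Create Regex Pattern Set and Add Entity To Regex Pattern Set, with the 10-entity limit named in their output messages. The function names, the raw-value fallback when an option is unchecked and the `existing` argument are assumptions; Python's `re` has no `\Q...\E`, so `as_python_regex` translates it for local testing only.

```python
import ipaddress
import re
from urllib.parse import urlsplit

MAX_PATTERNS = 10  # limit behind the "limit is exceeded" output message


def _quote(literal):
    # \Q...\E makes the engine treat the literal verbatim, so "." is not a
    # wildcard. A literal containing \E would end the quoting early: refuse it.
    if "\\E" in literal:
        raise ValueError(f"cannot quote {literal!r}")
    return r"^(http|https)(:\/\/)(\Q" + literal + r"\E).*"


def entity_to_pattern(entity, domain_pattern=True, ip_pattern=True):
    """Build the pattern for one IP Address or URL entity."""
    entity = entity.strip()
    try:
        ipaddress.ip_address(entity)
    except ValueError:
        pass  # not an IP address, handle as URL below
    else:
        return _quote(entity) if ip_pattern else entity
    if not domain_pattern:
        return entity  # assumption: raw URL value when the option is unchecked
    host = urlsplit(entity if "://" in entity else "//" + entity).hostname
    if not host:
        raise ValueError(f"no domain part in {entity!r}")
    return _quote(host)


def build_patterns(entities, existing=0, **options):
    """Return (patterns, skipped); entities past the limit are skipped.

    `existing` is the number of patterns already in the set (assumption:
    they count toward the same limit when adding to an existing set).
    """
    patterns, skipped = [], []
    for entity in entities:
        if existing + len(patterns) >= MAX_PATTERNS:
            skipped.append(entity)
            continue
        pattern = entity_to_pattern(entity, **options)
        if pattern not in patterns:
            patterns.append(pattern)
    return patterns, skipped


def as_python_regex(pattern):
    """Translate \\Q...\\E spans with re.escape so Python can run the pattern."""
    return re.compile(
        re.sub(r"\\Q(.*?)\\E", lambda m: re.escape(m.group(1)), pattern)
    )


def matches(pattern, url):
    return as_python_regex(pattern).match(url) is not None


if __name__ == "__main__":
    ip_pat = entity_to_pattern("10.0.0.1")
    dom_pat = entity_to_pattern("http://test.com/folder")
    print(ip_pat)
    print(dom_pat)
    # Constructed sample URLs: what the generated patterns do and do not match.
    for url in ("http://10.0.0.1/login", "http://10.0.0.10/", "http://10a0b0c1/"):
        print(url, matches(ip_pat, url))
    print("https://test.com.example.net/", matches(dom_pat, "https://test.com.example.net/"))
    # The raw value used as a regex: every "." matches any character.
    print(bool(re.search("10.0.0.1", "http://10a0b0c1/")))
```

The quoted pattern is followed directly by `.*`, so a set built from `10.0.0.1` also matches `http://10.0.0.10/` and one built from `test.com` also matches `https://test.com.example.net/`; review the entries for over-blocking before attaching the set to a blocking rule.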
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: If successful and at least one entity was added to one Regex Pattern set (is_success = true): "Successfully added the following entity patterns to the {0} Regex Pattern Set '{1}' in AWS WAF: \n {2}".format("Regional"/"Cloudfront", name, list of entity patterns) If more than 10 entities are going to be used to create a regex pattern set: "Action wasn't able to add patterns to {0} Regex Pattern Set {1} based on all of the provided entities, because the limit is exceeded. The following entities were skipped: {2}".format("Regional"/"Cloudfront", name, entity.identifier) If fail to find one of the sets (is_success = true): "Action wasn't able to find the following '{0}' Regex Pattern Sets in the AWS WAF:\n {1}".format("Regional"/"Cloudfront", list of Regex Pattern sets that were not found in that scope) If fail to find all of the provided sets in the desired scope or scopes (is_success = false): "Action didn't find the provided Regex Pattern sets." The action should fail and stop a playbook execution: If fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Add Entity To Regex Pattern Set". Reason: {0}".format(error.Stacktrace) | General |
Add Pattern To Regex Pattern Set
Description
Add string patterns to the Regex Pattern Set in AWS WAF.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Regex Pattern Set Names | CSV | N/A | Yes | Specify the comma-separated list of Regex Pattern set names. Example: name_1,name_2 |
Patterns | CSV | N/A | Yes | Specify the comma-separated list of patterns that should be added to the Regex Pattern set. Example: pattern_1,pattern_2 |
Scope | DDL | CloudFront | Yes | Specify what should be the scope of the regex pattern set. If "Both" is selected, action will add patterns based on entities to Regex Pattern sets in Regional and CloudFront scopes. |
Run On
This action doesn't run on entities.
Action Results
Script Result
Script Result Name | Value Options | Example |
---|---|---|
is_success | True/False | is_success:False |
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: If successful and at least one pattern was added to one Regex Pattern set (is_success = true): "Successfully added the following patterns to the {0} Regex Pattern Set '{1}' in AWS WAF: \n {2}".format("Regional"/"Cloudfront", name, list of patterns) If fail to find one of the sets (is_success = true): "Action wasn't able to find the following '{0}' Regex Pattern Sets in the AWS WAF:\n {1}".format("Regional"/"Cloudfront", list of Regex Pattern sets that were not found in that scope) If fail to find all of the provided sets in the desired scope or scopes (is_success = false): "Action didn't find the provided Regex Pattern sets." The action should fail and stop a playbook execution: If fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Add Pattern To Regex Pattern Set". Reason: {0}".format(error.Stacktrace) | General |
Remove Rule From Web ACL
Description
Remove a rule from Web ACL in AWS WAF.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Web ACL Names | CSV | | Yes | Specify the comma-separated list of Web ACL names. Example: name_1,name_2 |
Scope | DDL | CloudFront | Yes | Specify what should be the scope for the removal of the Web ACL. If "Both" is selected, action will remove a Web ACL in Regional and CloudFront scopes. |
Rule Name | String | N/A | Yes | Specify the name of the rule that should be deleted. |
Run On
This action doesn't run on entities.
Action Results
Script Result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: If successful and at least one rule was removed from one Rule Group: "Successfully removed a rule from the following {0} Web ACLs '{1}' in AWS WAF.".format("Regional"/"Cloudfront", list of names) If unsuccessful for one Rule Group: "Action wasn't able to remove a rule from the following {0} Web ACLs '{1}' in AWS WAF.".format("Regional"/"Cloudfront", list of names) If unsuccessful for one Web ACL, because rule wasn't found in one ACL: "Action wasn't able to find the specified rule in the following {0} Web ACLs '{1}' in AWS WAF.".format("Regional"/"Cloudfront", list of names Web ACL) If fail to find one of the Rule Group: "Action wasn't able to find the following '{0}' Web ACLs in the AWS WAF:\n {1}".format("Regional"/"Cloudfront", list of Rule Group that were not found in that scope) If fail to find all of the provided sets in the desired scope or scopes: "Action didn't find the provided Web ACLs." The action should fail and stop a playbook execution: If fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Remove Rule From Web ACL". Reason: {0}".format(error.Stacktrace) | General |
List Web ACLs
Description
List available web ACLs in AWS WAF.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Scope | DDL | CloudFront | | Specify what should be the scope for the listing of Web ACLs. |
Max Web ACLs To Return | Integer | 50 | No | Specify how many Web ACLs to return. Default is 50. Maximum is 100. |
Run On
This action doesn't run on entities.
Action Results
Script Result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
JSON Result
{
  "Regional": [
    {
      "Name": "asdasd",
      "Id": "543c2d66-6683-451b-993b-ae5fe79b7bad",
      "Description": "asdasd",
      "LockToken": "7e76581b-f152-4448-aafe-b733a33c8fa2",
      "ARN": "arn:aws:wafv2:us-east-1:582302349248:regional/ipset/asdasd/543c2d66-6683-451b-993b-ae5fe79b7bad"
    }
  ],
  "CloudFront": [
    {
      "Name": "asdasd",
      "Id": "543c2d66-6683-451b-993b-ae5fe79b7bad",
      "Description": "asdasd",
      "LockToken": "7e76581b-f152-4448-aafe-b733a33c8fa2",
      "ARN": "arn:aws:wafv2:us-east-1:582302349248:regional/ipset/asdasd/543c2d66-6683-451b-993b-ae5fe79b7bad"
    }
  ]
}
Case Wall
Result type | Value/Description | Type (Entity \ General) |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: If successfully listed available IP Sets and "Scope" == "Both": "Successfully listed available Web ACLs in Regional and Cloudfront scopes." If successfully listed available IP Sets (is_success = true) and "Scope" == "Regional": "Successfully listed available Web ACLs in Regional scope." If successfully listed available IP Sets (is_success = true) and "Scope" == "Cloudfront": "Successfully listed available Web ACLs in Cloudfront scope." If no available values (is_success = false) and "Scope" == "Both": "No available Web ACLs were found in Regional and Cloudfront scopes." If no available values (is_success = false) and "Scope" == "Regional": "No available Web ACLs were found in Regional scope." If no available values (is_success = false) and "Scope" == "Cloudfront": "No available Web ACLs were found in Cloudfront scope." The action should fail and stop a playbook execution: If fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "List Web ACLs". Reason: {0}".format(error.Stacktrace) | General |
Case Wall Table (if "Scope" == "Regional" or "Both") | Table Name: Regional Rule ACLs. Table Columns: | General |
Case Wall Table (if "Scope" == "CloudFront" or "Both") | Table Name: CloudFront Rule ACLs. Table Columns: | General |
Remove Rule From Rule Group
Description
Remove a rule from the rule group in AWS WAF.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Rule Group Names | CSV | | Yes | Specify the comma-separated list of Rule Group names. Example: name_1,name_2 |
Scope | DDL | CloudFront | Yes | Specify what should be the scope for the removal of the rule group. If "Both" is selected, action will remove a Rule Group in Regional and CloudFront scopes. |
Rule Name | String | N/A | Yes | Specify the name of the rule that should be deleted. |
Run On
This action doesn't run on entities.
Action Results
Script Result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: If successful and at least one rule was removed from one Rule Group: "Successfully removed a rule from the following {0} Rule Groups '{1}' in AWS WAF.".format("Regional"/"Cloudfront", list of names) If unsuccessful for one Rule Group: "Action wasn't able to remove a rule from the following {0} Rule Groups '{1}' in AWS WAF.".format("Regional"/"Cloudfront", list of names) If unsuccessful for one Rule Group, because rule wasn't found in one Rule Group: "Action wasn't able to find the specified rule in the following {0} Rule Groups '{1}' in AWS WAF.".format("Regional"/"Cloudfront", list of rule group names) If fail to find one of the Rule Group: "Action wasn't able to find the following '{0}' Rule Groups in the AWS WAF:\n {1}".format("Regional"/"Cloudfront", list of Rule Group that were not found in that scope) If fail to find all of the provided sets in the desired scope or scopes: "Action didn't find the provided Rule Groups." The action should fail and stop a playbook execution: If a fatal error, SDK error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Remove Rule From Rule Group". Reason: {0}".format(error.Stacktrace) | General |
List Rule Groups
Description
List available rule groups in AWS WAF.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Scope | DDL | CloudFront | | Specify what should be the scope for the listing of Rule Groups. |
Max Rule Groups To Return | Integer | 50 | No | Specify how many Rule Groups to return. Default is 50. Maximum is 100. |
Run On
This action doesn't run on entities.
Action Results
Script Result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
JSON Result
{
  "Regional": [
    {
      "Name": "asdasd",
      "Id": "543c2d66-6683-451b-993b-ae5fe79b7bad",
      "Description": "asdasd",
      "LockToken": "7e76581b-f152-4448-aafe-b733a33c8fa2",
      "ARN": "arn:aws:wafv2:us-east-1:582302349248:regional/ipset/asdasd/543c2d66-6683-451b-993b-ae5fe79b7bad"
    }
  ],
  "CloudFront": [
    {
      "Name": "asdasd",
      "Id": "543c2d66-6683-451b-993b-ae5fe79b7bad",
      "Description": "asdasd",
      "LockToken": "7e76581b-f152-4448-aafe-b733a33c8fa2",
      "ARN": "arn:aws:wafv2:us-east-1:582302349248:regional/ipset/asdasd/543c2d66-6683-451b-993b-ae5fe79b7bad"
    }
  ]
}
Case Wall
Result type | Value/Description | Type (Entity \ General) |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: If successfully listed available IP Sets and "Scope" == "Both": "Successfully listed available Rule groups in Regional and Cloudfront scopes." If successfully listed available IP Sets and "Scope" == "Regional": "Successfully listed available Rule groups in Regional scope." If successfully listed available IP Sets and "Scope" == "Cloudfront": "Successfully listed available Rule groups in Cloudfront scope." If no available values and "Scope" == "Both": "No available Rule groups were found in Regional and Cloudfront scopes." If no available values and "Scope" == "Regional": "No available Rule groups were found in Regional scope." If no available values and "Scope" == "Cloudfront": "No available Rule groups were found in Cloudfront scope." The action should fail and stop a playbook execution: If a fatal error, SDK error, like wrong credentials, no connection to the server, other is reported: "Error executing action "List Rule Groups". Reason: {0}".format(error.Stacktrace) | General |
Case Wall Table (if "Scope" == "Regional" or "Both") | Table Name: Regional Rule Groups. Table Columns: | General |
Case Wall Table (if "Scope" == "CloudFront" or "Both") | Table Name: CloudFront Rule Groups. Table Columns: | General |
List IP Sets
Description
List available IP Sets in AWS WAF.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Scope | DDL | CloudFront | | Specify what should be the scope for the listing of IP sets. |
Max IP Sets To Return | Integer | 50 | No | Specify how many IP sets to return. Default is 50. Maximum is 100. |
Run On
This action doesn't run on entities.
Action Results
Script Result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
JSON Result
{
  "Regional": [
    {
      "Name": "asdasd",
      "Id": "543c2d66-6683-451b-993b-ae5fe79b7bad",
      "Description": "asdasd",
      "LockToken": "7e76581b-f152-4448-aafe-b733a33c8fa2",
      "ARN": "arn:aws:wafv2:us-east-1:582302349248:regional/ipset/asdasd/543c2d66-6683-451b-993b-ae5fe79b7bad"
    }
  ],
  "CloudFront": [
    {
      "Name": "asdasd",
      "Id": "543c2d66-6683-451b-993b-ae5fe79b7bad",
      "Description": "asdasd",
      "LockToken": "7e76581b-f152-4448-aafe-b733a33c8fa2",
      "ARN": "arn:aws:wafv2:us-east-1:582302349248:regional/ipset/asdasd/543c2d66-6683-451b-993b-ae5fe79b7bad"
    }
  ]
}
Case Wall
Result type | Value/Description | Type (Entity \ General) |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: If successfully listed available IP Sets and "Scope" == "Both": "Successfully listed available IP sets in Regional and Cloudfront scopes." If successfully listed available IP Sets and "Scope" == "Regional": "Successfully listed available IP sets in Regional scope." If successfully listed available IP Sets and "Scope" == "Cloudfront": "Successfully listed available IP sets in Cloudfront scope." If no available values and "Scope" == "Both": "No available IP Sets were found in Regional and Cloudfront scopes." If no available values and "Scope" == "Regional": "No available IP Sets were found in Regional scope." If no available values and "Scope" == "Cloudfront": "No available IP Sets were found in Cloudfront scope." The action should fail and stop a playbook execution: If a fatal error, SDK error, like wrong credentials, no connection to the server, other is reported: "Error executing action "List IP Sets". Reason: {0}".format(error.Stacktrace) | General |
Case Wall Table (if "Scope" == "Regional" or "Both") | Table Name: Regional Rule Groups Table Columns: | General |
Case Wall Table (if "Scope" == "CloudFront" or "Both") | Table Name: CloudFront Rule Groups Table Columns: | General |
Remove Pattern From Regex Pattern Set
Description
Remove patterns from the Regex Pattern Set in AWS WAF.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Regex Pattern Set Names | CSV | N/A | Yes | Specify the comma-separated list of Regex Pattern set names. Example: name_1,name_2 |
Patterns | CSV | N/A | Yes | Specify the comma-separated list of patterns that should be removed from the Regex Pattern set. Example: pattern_1,pattern_2 |
Scope | DDL | CloudFront Possible values: CloudFront, Regional, Both | Yes | Specify what should be the scope of the Regex Pattern set. If "Both" is selected, action will remove patterns from Regex Pattern sets in Regional and CloudFront scopes. |
Run On
This action doesn't run on entities.
Action Results
Script Result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: If successful and at least one pattern set was removed from one regex set: "Successfully removed the following patterns from the {0} Regex Pattern Set '{1}' in AWS WAF: \n {2}".format("Regional"/"Cloudfront", full_name, list of entity patterns) If pattern never existed in that Pattern Set: "The following patterns were not found in the {0} Regex Pattern Set '{1}' in AWS WAF: \n {2}".format("Regional"/"Cloudfront", full_name, list of patterns) If fail to remove all patterns on all Regex Pattern Sets: "No patterns were removed from the provided Regex Pattern Sets." If fail to find one of the Pattern sets: "Action wasn't able to find the following '{0}' Regex Pattern Sets in the AWS WAF:\n {1}".format("Regional"/"Cloudfront", list of sets that were not found in that scope) If fail to find all of the provided Regex Pattern sets in the desired scope or scopes: "Action didn't find the provided Regex Pattern sets." The action should fail and stop a playbook execution: If a fatal error, SDK error, like wrong credentials, no connection to server, other is reported: "Error executing action "Remove Pattern From Regex Pattern Set". Reason: {0}".format(error.Stacktrace) | General |
Remove IP From IP Set
Description
Remove IP addresses from the IP Set in AWS WAF.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
IP Set Names | CSV | N/A | Yes | Specify the comma-separated list of IP set names. Example: name_1,name_2 |
Scope | DDL | CloudFront Possible values: CloudFront, Regional, Both | Yes | Specify what should be the scope of the IP set. If "Both" is selected, action will remove IP addresses from IP sets in Regional and CloudFront scopes. |
Run On
This action runs on IP entities.
Action Results
Script Result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
Case Wall
Result Type | Value / Description | Type |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: If successful and at least one IP address was removed from one IP set: "Successfully removed the following IPs from the {0} IP Set '{1}' in AWS WAF: \n {2}".format("Regional"/"Cloudfront", full_name, entity.identifier list) If IPs never existed in that IP Set: "The following IPs were not a part of the {0} IP Set '{1}' in AWS WAF: \n {2}".format("Regional"/"Cloudfront", full_name, entity.identifier list) If fail to remove all entities on all IP sets: "No IPs were removed from the provided IP Sets." If fail to find one of the IP sets: "Action wasn't able to find the following '{0}' IP Sets in the AWS WAF:\n {1}".format("Regional"/"Cloudfront", list of IP sets that were not found in that scope) If fail to find all of the provided IP sets in the desired scope or scopes: "Action didn't find the provided IP sets." The action should fail and stop a playbook execution: If a fatal error, SDK error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Remove IP From IP Set". Reason: {0}".format(error.Stacktrace) | General |
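The read-modify-write that removing addresses from an AWS WAF IP set involves, as an added example (not the integration's own code). It assumes `client` is a boto3 `wafv2` client, that entity identifiers are matched against the set after normalizing both to CIDR form, and that removed IPs are joined with commas in the message; the function names are hypothetical.

```python
import ipaddress

def to_cidr(value):
    """Normalize an IP entity or CIDR string to canonical CIDR notation."""
    return str(ipaddress.ip_network(value.strip(), strict=False))

def plan_removal(current_addresses, entity_ips):
    """Return (remaining addresses, entity IPs removed, entity IPs not found)."""
    stored = {to_cidr(a): a for a in current_addresses}
    removed, not_found = [], []
    for ip in entity_ips:
        (removed if to_cidr(ip) in stored else not_found).append(ip)
    drop = {to_cidr(ip) for ip in removed}
    remaining = [a for cidr, a in stored.items() if cidr not in drop]
    return remaining, removed, not_found

def remove_ips(client, name, set_id, scope, entity_ips):
    """Update one IP set; scope is "REGIONAL" or "CLOUDFRONT"."""
    resp = client.get_ip_set(Name=name, Scope=scope, Id=set_id)
    remaining, removed, not_found = plan_removal(
        resp["IPSet"]["Addresses"], entity_ips)
    if removed:
        # update_ip_set replaces the whole address list, so send what remains.
        # LockToken makes the write fail if the set changed since the read.
        client.update_ip_set(Name=name, Scope=scope, Id=set_id,
                             Addresses=remaining, LockToken=resp["LockToken"])
    return removed, not_found

def output_messages(scope_label, name, removed, not_found):
    """Build Case Wall messages using the wording documented for this action."""
    msgs = []
    if removed:
        msgs.append("Successfully removed the following IPs from the {0} IP Set "
                    "'{1}' in AWS WAF: \n {2}".format(
                        scope_label, name, ", ".join(removed)))
    if not_found:
        msgs.append("The following IPs were not a part of the {0} IP Set "
                    "'{1}' in AWS WAF: \n {2}".format(
                        scope_label, name, ", ".join(not_found)))
    if not removed:
        msgs.append("No IPs were removed from the provided IP Sets.")
    return msgs
```

A bare entity such as `192.0.2.44` only matches the stored entry `192.0.2.44/32` after normalization. When a concurrent change invalidates the `LockToken`, re-read the set and plan the removal again rather than resending the old address list.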
List Regex Pattern Sets
Description
List available Regex Pattern Sets in AWS WAF.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Scope | DDL | CloudFront Possible values: CloudFront, Regional, Both | | Specify what should be the scope for the listing of IP sets. |
Max Regex Pattern Sets To Return | Integer | 5 | No | Specify how many Regex Pattern sets to return. Default is 5. Maximum is 10. |
Run On
This action doesn't run on entities.
Action Results
Script Result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
JSON Result
{
  "Regional": [
    {
      "Name": "asdasd",
      "Id": "543c2d66-6683-451b-993b-ae5fe79b7bad",
      "Description": "asdasd",
      "LockToken": "7e76581b-f152-4448-aafe-b733a33c8fa2",
      "ARN": "arn:aws:wafv2:us-east-1:582302349248:regional/ipset/asdasd/543c2d66-6683-451b-993b-ae5fe79b7bad"
    }
  ],
  "CloudFront": [
    {
      "Name": "asdasd",
      "Id": "543c2d66-6683-451b-993b-ae5fe79b7bad",
      "Description": "asdasd",
      "LockToken": "7e76581b-f152-4448-aafe-b733a33c8fa2",
      "ARN": "arn:aws:wafv2:us-east-1:582302349248:regional/ipset/asdasd/543c2d66-6683-451b-993b-ae5fe79b7bad"
    }
  ]
}
Case Wall
Result type | Value/Description | Type (Entity \ General) |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: If successfully listed available Regex Sets and "Scope" == "Both": "Successfully listed available Regex Pattern sets in Regional and Cloudfront scopes." If successfully listed available IP Sets and "Scope" == "Regional": "Successfully listed available Regex Pattern sets in Regional scope." If successfully listed available IP Sets and "Scope" == "Cloudfront": "Successfully listed available Regex Pattern sets in Cloudfront scope." If no available values and "Scope" == "Both": "No available Regex Pattern sets were found in Regional and Cloudfront scopes." If no available values and "Scope" == "Regional": "No available Regex Pattern sets were found in Regional scope." If no available values and "Scope" == "Cloudfront": "No available Regex Pattern sets were found in Cloudfront scope." The action should fail and stop a playbook execution: If a fatal error, SDK error, like wrong credentials, no connection to the server, other is reported: "Error executing action "List Regex Pattern Sets". Reason: {0}".format(error.Stacktrace) | General |
Case Wall Table (if "Scope" == "Regional" or "Both") | Table Name: Regional Rule Groups Table Columns: | General |
Case Wall Table (if "Scope" == "CloudFront" or "Both") | Table Name: CloudFront Rule Groups Table Columns: | General |
Remove Entity From Regex Pattern Set
Description
Remove string patterns based on entities from the Regex Pattern Set in AWS WAF.
Parameters
Parameter Display Name | Type | Default Value | Is Mandatory | Description |
---|---|---|---|---|
Regex Pattern Set Names | CSV | N/A | Yes | Specify the comma-separated list of Regex Pattern set names. Example: name_1,name_2 |
Scope | DDL | CloudFront Possible values: CloudFront, Regional, Both | Yes | Specify what should be the scope of the set. If "Both" is selected, action will remove patterns based on entities from Regex Pattern sets in Regional and CloudFront scopes. |
Domain Pattern | Checkbox | True | No | If enabled, action will extract the domain part from URLs and search for a regex pattern based on it in the Regex Pattern Set. |
IP Pattern | Checkbox | True | No | If enabled, action will search for a regex pattern built from the IP address instead of the raw value. |
Run On
This action runs on the following entities:
- IP Address
- URL
Action Results
Script Result
Script Result Name | Value Options |
---|---|
is_success | is_success=False |
is_success | is_success=True |
Case Wall
Result type | Value/Description | Type (Entity \ General) |
---|---|---|
Output message* | The action should not fail nor stop a playbook execution: If successful and at least one entity was removed from one IP set: "Successfully removed the following entity patterns from the {0} Regex Pattern Set '{1}' in AWS WAF: \n {2}".format("Regional"/"Cloudfront", full_name, list of entity patterns) If entity never existed in that Regex Pattern Set: "The following patterns were not found in the {0} Regex Pattern Set '{1}' in AWS WAF: \n {2}".format("Regional"/"Cloudfront", full_name, list of entity patterns) If fail to remove all entities on all IP sets: "No patterns were removed from the provided Regex Pattern Sets." If fail to find one of the IP sets: "Action wasn't able to find the following '{0}' Regex Pattern Sets in the AWS WAF:\n {1}".format("Regional"/"Cloudfront", list of IP sets that were not found in that scope) If fail to find all of the provided Regex Pattern sets in the desired scope or scopes: "Action didn't find the provided Regex Pattern sets." The action should fail and stop a playbook execution: If a fatal error, SDK error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Remove Entity From Regex Pattern Set". Reason: {0}".format(error.Stacktrace) | General |