AWS WAF

Integration version: 5.0

Use Cases

Active actions - manage IP Sets, Rule Groups, Pattern Sets, Web ACLs.

Configure AWS WAF integration in Google Security Operations SOAR

For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.

Integration parameters

Use the following parameters to configure the integration:

Parameter Display Name Type Default Value Is Mandatory Description
Instance Name String N/A No Name of the Instance you intend to configure integration for.
Description String N/A No Description of the Instance.
AWS Access Key ID String N/A Yes AWS Access Key ID to use in integration.
AWS Secret Key Password N/A Yes AWS Secret Key to use in integration.
AWS Default Region String N/A Yes AWS default region to use in integration, for example us-west-2.
Run Remotely Checkbox Unchecked No Check the field in order to run the configured integration remotely. Once checked, the option appears to select the remote user (agent).

Actions

Ping

Description

Test connectivity to AWS WAF with parameters provided at the integration configuration page in the Google Security Operations Marketplace tab.

Parameters

N/A

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successful: "Successfully connected to the AWS WAF server with the provided connection parameters!"

The action should fail and stop a playbook execution:

If not successful: "Failed to connect to the AWS WAF server! Error is {0}".format(exception.stacktrace)

General

Create IP Set

Description

Create an IP Set in AWS WAF, based on entities.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Name String N/A Yes Specify the name of the IP set. Note: action will create an IP set in the following format: Siemplify_{Name}_{IP Type}. The name must have 1-128 characters. Valid characters: A-Z, a-z, 0-9, - (hyphen), and _ (underscore).
Scope DDL

CloudFront

Possible values:

  • CloudFront
  • Regional
  • Both
Yes Specify what should be the scope for the creation of IP sets. If "Both" is selected, action will create an IP set in Regional and Amazon CloudFront scopes.
Description String N/A No Specify the description for the IP set.
Tags CSV N/A No Specify additional tags that should be added to the IP set. Format: key_1:value_1,key_2:value_1.

Run On

This action runs on the IP Address entity.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
{
"Regional": ["IPv4_set", "IPv6_set"],
"Cloudfront": ["IPv4_set", "IPv6_set"]
}
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successful and at least one of the provided entities were used to create an IP set (is_success = true): "Successfully created {0} {1} IP Set '{2}' in AWS WAF with the following IPs: \n {3}".format("Regional"/"Cloudfront", "IPv4"/"IPv6", full_name, entity.identifier list)

If fail to use specific entities(is_success = true): "Action was not able to use the following IPs in order to create AWS WAF IP Set\n: {0}".format([entity.identifier])

If fail to use all entities (is_success = false): "No IP Sets were created. Reason: None of the provided IP entities were valid."

If All Sets Already exist (is_success=false) or if only partially sets already exist (is_success=true): "The following {0} IP Pattern Sets '{1}' already exist: \n.".format("Regional/CloudFront", list_of_full_names)

The action should fail and stop a playbook execution:

If fatal error, like wrong credentials, no connection to server, other: "Error executing action "Create IP Set". Reason: {0}".format(error.Stacktrace)

Add IP To IP Set

Description

Add IP addresses to the IP Set in AWS WAF.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
IP Set Names CSV N/A Yes Specify the comma-separated list of IP set names. Example: name_1,name_2
Scope DDL

CloudFront

Possible values:

  • CloudFront
  • Regional
  • Both
Yes Specify what should be the scope of the IP set. If "Both" is selected, action will add IP addresses to IP sets in Regional and CloudFront scopes.

Run On

This action runs on the IP Address entity.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successful and at least one IP addresses was added to one IP set(is_success = true): "Successfully added the following IPs to the {0} IP Set '{1}' in AWS WAF: \n {2}".format("Regional"/"Cloudfront", full_name, entity.identifier list)

If fail to add specific entities to one of the IP Sets(is_success = true): "Action was not able to add the following IPs to the {0} IP Set '{1}' in AWS WAF\n: {2}".format("Regional"/"Cloudfront", full_name,[entity.identifier])

If fail to find one of the IP sets (is_success = true): "Action wasn't able to find the following '{0}' IP Sets in the AWS WAF:\n {1}".format("Regional"/"Cloudfront", list of IP sets that were not found in that scope)

If fail to find all of the provided IP sets in the desired scope or scopes (is_success=false): "Action didn't find the provided IP sets."

The action should fail and stop a playbook execution:

If fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Add IP To IP Set". Reason: {0}".format(error.Stacktrace)

General

Create Regex Pattern Set

Description

Create a Regex Pattern Set in AWS WAF based on entities.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Name String N/A Yes Specify the name of the Regex Pattern set. Note: The name must have 1-128 characters. Valid characters: A-Z, a-z, 0-9, - (hyphen), and _ (underscore).
Scope DDL

CloudFront

Possible values:

  • CloudFront
  • Regional
  • Both
Yes Specify what should be the scope for the creation of Regex Pattern sets. If "Both" is selected, action will create a Regex Pattern set in Regional and CloudFront scopes.
Description String N/A No Specify the description for the Regex Pattern set.
Tags CSV N/A No Specify additional tags that should be added to the Regex Pattern set. Format: key_1:value_1,key_2:value_1.
Domain Pattern Checkbox Checked No If enabled, action will retrieve the domain part out of URLs and create a regex pattern based on them. Example: http://test.com/folder will be converted to the pattern ^(http|https)(:\/\/)(\Qtest.com\E).*
IP Pattern Checkbox Checked No If enabled, action will construct a proper regex pattern out of the IP address instead of using the raw value. Example: 10.0.0.1 will be converted into ^(http|https)(:\/\/)(\Q10.0.0.1\E).*

Run On

This action runs on the following entities:

  • IP Address
  • URL

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
{
"Regional": "Regex_set",
"Cloudfront": "Regex_set"
}
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

if successful and at least one of the provided entities were used to create an Regex set (is_success = true): "Successfully created {0} Regex Pattern Set '{1}' in AWS WAF with the following entities: \n {2}".format("Regional"/"Cloudfront", name, entity.identifier list)

If more than 10 entities are going to be used to create a regex pattern set: "Action wasn't able to create regex pattern sets with all of the provided entities, because the limit is exceeded. The following entities were skipped: {0}".format(entity.identifier)

If Set Already exists (is_success=false): "{0} Regex Pattern Set '{1}' already exists.".format("Regional/CloudFront", name)

The action should fail and stop a playbook execution:

If fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Create Regex Pattern Set". Reason: {0}".format(error.Stacktrace)

General

Create Web ACLs

Description

Create a Web ACL in AWS WAF.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Name String N/A Yes Specify the name of the Web ACL. Note: The name must have 1-128 characters. Valid characters: A-Z, a-z, 0-9, - (hyphen), and _ (underscore).
Rule Source Type DDL

IP Set

Possible values:

  • IP Set
  • Rule Group
Yes Specify what rule type should be used.
Rule Source Name String N/A Yes Specify the name of the source, which should be used for Web ACL. If "Rule Source Type" is "IP Set", action will search for IP Sets with that name. If "Rule Source Type" is "Rule Group", action will search for Rule Groups with that name.
Scope DDL

CloudFront

Possible values:

  • CloudFront
  • Regional
  • Both
Yes Specify what should be the scope for the creation of the web acl. If "Both" is selected, action will create a Web ACL in Regional and CloudFront scopes.
Enable Sampled Requests Checkbox Unchecked Yes If enabled, AWS WAF will store a sampling of the web requests that match the rules.
Enable CloudWatch Metrics Checkbox Unchecked Yes If enabled, the associated resource sends metrics to CloudWatch.
CloudWatch Metric Name Checkbox Unchecked Yes Specify the name of the CloudWatch Metric. Note: The name must have 1-128 characters. Valid characters: A-Z, a-z, 0-9, - (hyphen), and _ (underscore).
Default Action DDL

Allow

Possible values:

  • Allow
  • Block
Yes Specify what should be the default action for requests that don't match any rules.
IP Set Action DDL

Block

Possible values:

  • Allow
  • Block
  • Count
No Specify what should be the action for rules that are based on the IP set.
Rule Priority Integer N/A Yes Specify what should be the priority of the rule. Priorities in Web ACL should be unique.
Description String N/A No Specify the description for the Web ACL.
Tags CSV N/A No Specify additional tags that should be added to the Web ACL. Format: key_1:value_1,key_2:value_1.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
JSON Result
{
"Regional": "Web_Acl_name",
"Cloudfront": "Web_Acl_name"
}
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successfully listed available IP Sets(is_success = true) and "Scope" == "Both": "Successfully created Web ACL {0} in Regional and Cloudfront scopes.".format(name)

If successfully listed available IP Sets(is_success = true) and "Scope" == "Regional": "Successfully created Web ACL {0} in Regional.".format(name)

If successfully listed available IP Sets(is_success = true) and "Scope" == "Cloudfront": "Successfully created Web ACL {0} in Cloudfront scope.".format(name)

If the Web ACL exists:

Print "The Web ACL {} already exists in {} scope.".format(web ACL name, scope).

If IP Set / Rule Group wasn't found: "Action wasn't able to create Web ACL. Reason: {0} {1} wasn't found in AWS WAF".format("IP Set/Rule Group", Rule Source Name)

The action should fail and stop a playbook execution:

If fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Create Web ACL". Reason: {0}".format(error.Stacktrace)

Add Rule To Web ACL

Description

Add a rule based on IP Sets or Rule Groups to Web ACL in AWS WAF. Note: at maximum Web ACL can contain 1500 rules.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Web ACL Names CSV N/A Yes Specify the comma-separated list of Web ACL names. Example: name_1,name_2

Rule Source Type DDL

IP Set

Possible values:

  • IP Set
  • Rule Group
Yes Specify what rule type should be used.
Rule Source Name String N/A Yes Specify the name of the source, which should be used for Web ACL. If "Rule Source Type" is "IP Set", action will search for IP Sets with that name. If "Rule Source Type" is "Rule Group", action will search for Rule Groups with that name.
Scope DDL

CloudFront

Possible values:

  • CloudFront
  • Regional
  • Both
Yes Specify what should be the scope for the new rules. If "Both" is selected, action will add a Rule to a Web ACL in Regional and CloudFront scopes.
Rule Priority Integer N/A Yes Specify what should be the priority of the rule. Priorities in Web ACL should be unique.
IP Set Action DDL

Block

Possible values:

  • Allow
  • Block
  • Count
No Specify what should be the action for rules that are based on the IP set.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

if successful and at least one rule was added to one Web ACL(is_success = true): "Successfully added a rule to the following {0} Web ACLs '{1}' in AWS WAF.".format("Regional"/"Cloudfront", list of name)

If fail to find one of the Web ACLs (is_success = true): "Action wasn't able to find the following '{0}' Web ACLs in the AWS WAF:\n {1}".format("Regional"/"Cloudfront", list of Web ACLs that were not found in that scope)

If rule with name already exists per Web ACL in Scope (is_success=true): "Action wasn't able to add {0} rules to the Web ACL in AWS WAF. Reason: {0} with name '{1}' already exists in the following Web ACLs:\n{2}".format( rule source type, rule source name, list Web ACL with scope - structure {0} - {1}.format(scope, web acl name))

The action should fail and stop a playbook execution:

If fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Add Rule To Web ACL". Reason: {0}".format(error.Stacktrace)

General

Create Rule Group

Description

Create a rule group in AWS WAF.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Name String N/A Yes Specify the name of the rule group. Note: The name must have 1-128 characters. Valid characters: A-Z, a-z, 0-9, - (hyphen), and _ (underscore).
Scope DDL

CloudFront

Possible values:

  • CloudFront
  • Regional
  • Both
Yes Specify what should be the scope for the creation of the rule group. If "Both" is selected, action will create a Rule Group in Regional and CloudFront scopes.
Capacity Integer 100 Yes Specify the capacity of the rule group. Note: you can't change the capacity after the group is created. Maximum is 1500.
Enable Sampled Requests Checkbox Unchecked Yes If enabled, AWS WAF will store a sampling of the web requests that match the rules.
Enable CloudWatch Metrics Checkbox Unchecked Yes If enabled, the associated resource sends metrics to CloudWatch.
CloudWatch Metric Name Checkbox Unchecked Yes Specify the name of the CloudWatch Metric. Note: The name must have 1-128 characters. Valid characters: A-Z, a-z, 0-9, - (hyphen), and _ (underscore).
Description String N/A No Specify the description for the Rule Group.
Tags CSV N/A No Specify additional tags that should be added to the Rule Group. Format: key_1:value_1,key_2:value_1.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successfully listed available IP Sets(is_success = true) and "Scope" == "Both": "Successfully created Rule Group {0} in Regional and Cloudfront scopes.".format(name)

If successfully listed available IP Sets(is_success = true) and "Scope" == "Regional": "The Rule Group {} already exists in {} scope.".format(web ACL name, scope).

If successfully listed available IP Sets(is_success = true) and "Scope" == "Cloudfront": "Successfully created Rule Group {0} in Cloudfront scope.".format(name)

If the Rule Group exists: "Successfully created Rule Group {0} in Cloudfront scope.".format(name)

If the creation of the Rule Group Fails "Action was not able to create Rule Group {} in {} scope".format(web ACL name, scope).

The action should fail and stop a playbook execution:

If fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Create Rule Group". Reason: {0}".format(error.Stacktrace)

General

Add Entity To Regex Pattern Set

Description

Add string patterns based on entities to the Regex Pattern Set in AWS WAF.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Regex Pattern Set Names CSV N/A Yes Specify the comma-separated list of Regex Pattern set names. Example: name_1,name_2
Scope DDL

CloudFront

Possible values:

  • CloudFront
  • Regional
  • Both
Yes Specify what should be the scope of the regex pattern set. If "Both" is selected, action will add patterns based on entities to Regex Pattern sets in Regional and CloudFront scopes.
Domain Pattern Checkbox Checked No If enabled, action will retrieve the domain part out of URLs and create a regex pattern based on them. Example: http://test.com/folder will be converted to the pattern ^(http|https)(:\/\/)(\Qtest.com\E).*
IP Pattern Checkbox Checked No If enabled, action will construct a proper regex pattern out of the IP address instead of using the raw value. Example: 10.0.0.1 will be converted into ^(http|https)(:\/\/)(\Q10.0.0.1\E).*

Run On

This action runs on the following entities:

  • IP Address
  • URL

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

if successful and at least one entity was added to one Regex Pattern set(is_success = true): "Successfully added the following entity patterns to the {0} Regex Pattern Set '{1}' in AWS WAF: \n {2}".format("Regional"/"Cloudfront", name, list of entity patterns)

If more than 10 entities are going to be used to create a regex pattern set: "Action wasn't able to add patterns to {0} Regex Pattern Set {1} based on all of the provided entities, because the limit is exceeded. The following entities were skipped: {2}".format("Regional"/"Cloudfront", name, entity.identifier)

If fail to find one of the sets (is_success = true): "Action wasn't able to find the following '{0}' Regex Pattern Sets in the AWS WAF:\n {1}".format("Regional"/"Cloudfront", list of Regex Pattern sets that were not found in that scope)

If fail to find all of the provided sets in the desired scope or scopes (is_success=false): "Action didn't find the provided Regex Pattern sets."

The action should fail and stop a playbook execution:

If fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Add Entity To Regex Pattern Set". Reason: {0}".format(error.Stacktrace)

General
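
An added example (not the integration's code) of the Domain Pattern and IP Pattern conversion described for Create Regex Pattern Set and Add Entity To Regex Pattern Set, including the 10-pattern limit and the skipped-entity list. Function names and sample entities are assumptions, as is counting patterns already in the set against the limit; to_python_regex exists only because Python's re module does not understand \Q...\E, and is used to check locally what a pattern matches.

```python
import ipaddress
import re
from urllib.parse import urlsplit

MAX_PATTERNS = 10  # limit behind the "limit is exceeded" output message
TEMPLATE = r"^(http|https)(:\/\/)(\Q{0}\E).*"


def host_of(url):
    """Return the host part of a URL entity, or None if there is none."""
    candidate = url if "://" in url else "//" + url
    try:
        host = urlsplit(candidate).hostname
    except ValueError:
        return None
    # A backslash could close the \Q...\E literal early, so refuse it.
    if not host or "\\" in host:
        return None
    return host


def entity_pattern(entity, domain_pattern=True, ip_pattern=True):
    """Pattern for one entity; the raw value when the matching option is off."""
    entity = entity.strip()
    try:
        ipaddress.ip_address(entity)
        is_ip = True
    except ValueError:
        is_ip = False
    if is_ip:
        return TEMPLATE.format(entity) if ip_pattern else entity
    if not domain_pattern:
        return entity
    host = host_of(entity)
    return TEMPLATE.format(host) if host else None


def build_patterns(entities, existing=(), domain_pattern=True, ip_pattern=True):
    """Return (patterns_to_add, skipped_entities) for one Regex Pattern set.

    existing: patterns already in the set (empty when creating a new set).
    """
    seen = set(existing)
    room = MAX_PATTERNS - len(seen)
    patterns, skipped = [], []
    for entity in entities:
        pattern = entity_pattern(entity, domain_pattern, ip_pattern)
        if pattern is None:
            skipped.append(entity)      # no usable host in the entity
        elif pattern in seen:
            continue                    # already present, nothing to add
        elif len(patterns) >= room:
            skipped.append(entity)      # over the per-set limit
        else:
            seen.add(pattern)
            patterns.append(pattern)
    return patterns, skipped


def to_python_regex(pattern):
    """Rewrite \\Q...\\E literals with re.escape so Python can test the pattern."""
    return re.sub(r"\\Q(.*?)\\E", lambda m: re.escape(m.group(1)), pattern)


if __name__ == "__main__":
    # Constructed sample entities.
    added, skipped = build_patterns(["http://test.com/folder", "10.0.0.1"])
    print(added, skipped)
    rx = re.compile(to_python_regex(added[0]))
    # The quoted host is followed by .*, so this is a prefix match:
    # hosts that merely start with "test.com" match as well.
    for url in ("https://test.com/login", "http://test.com.other.example/"):
        print(url, bool(rx.match(url)))
```

With IP Pattern disabled the raw value 10.0.0.1 is itself treated as a regex, so each dot matches any character and the pattern is not anchored to the start of the URL.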

Add Pattern To Regex Pattern Set

Description

Add string patterns to the Regex Pattern Set in AWS WAF.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Regex Pattern Set Names CSV N/A Yes Specify the comma-separated list of Regex Pattern set names. Example: name_1,name_2
Patterns CSV N/A Yes Specify the comma-separated list of patterns that should be added to the Regex Pattern set. Example: pattern_1,pattern_2
Scope DDL

CloudFront

Possible values:

  • CloudFront
  • Regional
  • Both
Yes Specify what should be the scope of the regex pattern set. If "Both" is selected, action will add patterns based on entities to Regex Pattern sets in Regional and CloudFront scopes.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options Example
is_success True/False is_success:False
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successful and at least one pattern was added to one Regex Pattern set(is_success = true): "Successfully added the following patterns to the {0} Regex Pattern Set '{1}' in AWS WAF: \n {2}".format("Regional"/"Cloudfront", name, list of patterns)

If fail to find one of the sets (is_success = true): "Action wasn't able to find the following '{0}' Regex Pattern Sets in the AWS WAF:\n {1}".format("Regional"/"Cloudfront", list of Regex Pattern sets that were not found in that scope).

If fail to find all of the provided sets in the desired scope or scopes (is_success=false): "Action didn't find the provided Regex Pattern sets."

The action should fail and stop a playbook execution:

If fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Add Pattern To Regex Pattern Set". Reason: {0}".format(error.Stacktrace)

General

Remove Rule From Web ACL

Description

Remove a rule from Web ACL in AWS WAF.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Web ACL Names CSV Yes Specify the comma-separated list of Web ACL names. Example: name_1,name_2

Scope DDL

CloudFront

Possible values:

  • CloudFront
  • Regional
  • Both
Yes Specify what should be the scope for the removal of the web acl. If "Both" is selected, action will remove a Web ACL in Regional and CloudFront scopes.
Rule Name String N/A Yes Specify the name of the rule that should be deleted.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

if successful and at least one rule was removed from one Rule Group: print "Successfully removed a rule from the following {0} Web ACLs '{1}' in AWS WAF.".format("Regional"/"Cloudfront", list of names)

if unsuccessful for one Rule Group: print "Action wasn't able to remove a rule from the following {0} Web ACLs '{1}' in AWS WAF.".format("Regional"/"Cloudfront", list of names)

if unsuccessful for one Web ACL, because rule wasn't found in one ACL: print "Action wasn't able to find the specified rule in the following {0} Web ACLs '{1}' in AWS WAF.".format("Regional"/"Cloudfront", list of names Web ACL)

If fail to find one of the Rule Group: Print "Action wasn't able to find the following '{0}' Web ACLs in the AWS WAF:\n {1}".format("Regional"/"Cloudfront", list of Rule Group that were not found in that scope)

If fail to find all of the provided sets in the desired scope or scopes: Print "Action didn't find the provided Web ACLs."

The action should fail and stop a playbook execution:

If fatal error, SDK error, like wrong credentials, no connection to server, other: print "Error executing action "Remove Rule From Web ACL". Reason: {0}".format(error.Stacktrace)

General

List Web ACLs

Description

List available web ACLs in AWS WAF.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Scope DDL

CloudFront

Possible values:

  • CloudFront
  • Regional
  • Both
Specify what should be the scope for the listing of Web ACLs.
Max Web ACLs To Return Integer 50 No Specify how many Web ACLs to return. Default is 50. Maximum is 100.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
JSON Result
{
    "Regional": [
        {
            "Name": "asdasd",
            "Id": "543c2d66-6683-451b-993b-ae5fe79b7bad",
            "Description": "asdasd",
            "LockToken": "7e76581b-f152-4448-aafe-b733a33c8fa2",
            "ARN": "arn:aws:wafv2:us-east-1:582302349248:regional/ipset/asdasd/543c2d66-6683-451b-993b-ae5fe79b7bad"
        }
    ],
    "CloudFront": [
        {
            "Name": "asdasd",
            "Id": "543c2d66-6683-451b-993b-ae5fe79b7bad",
            "Description": "asdasd",
            "LockToken": "7e76581b-f152-4448-aafe-b733a33c8fa2",
            "ARN": "arn:aws:wafv2:us-east-1:582302349248:regional/ipset/asdasd/543c2d66-6683-451b-993b-ae5fe79b7bad"
        }
    ]
}
Case Wall
Result type Value/Description Type (Entity \ General)
Output message*

The action should not fail nor stop a playbook execution:

If successfully listed available IP Sets and "Scope" == "Both": "Successfully listed available Web ACLs in Regional and Cloudfront scopes."

If successfully listed available IP Sets(is_success = true) and "Scope" == "Regional": "Successfully listed available Web ACLs in Regional scope."

If successfully listed available IP Sets(is_success = true) and "Scope" == "Cloudfront": "Successfully listed available Web ACLs in Cloudfront scope."

If no available values(is_success = false) and "Scope" == "Both": "No available Web ACLs were found in Regional and Cloudfront scopes."

If no available values (is_success = false) and "Scope" == "Regional": "No available Web ACLs were found in Regional scope."

If no available values(is_success = false) and "Scope" == "Cloudfront": "No available Web ACLs were found in Cloudfront scope."

The action should fail and stop a playbook execution:

If fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "List Web ACLs". Reason: {0}".format(error.Stacktrace)

General

Case Wall Table

(if "Scope" == "Regional" or "Both")

Table Name: Regional Rule ACLs

Table Columns:

  • Name
  • ID
  • Description
  • Lock Token
  • ARN
General

Case Wall Table

(if "Scope" == "CloudFront" or "Both")

Table Name: CloudFront Rule ACLs

Table Columns:

  • Name
  • ID
  • Description
  • Lock Token
  • ARN
General

Remove Rule From Rule Group

Description

Remove a rule from the rule group in AWS WAF.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Rule Group Names CSV Yes Specify the comma-separated list of Rule Group names. Example: name_1,name_2
Scope DDL

CloudFront

Possible values:

  • CloudFront
  • Regional
  • Both
Yes Specify what should be the scope for the removal of the rule group. If "Both" is selected, action will remove a Rule Group in Regional and CloudFront scopes.
Rule Name String N/A Yes Specify the name of the rule that should be deleted.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successful and at least one rule was removed from one Rule Group: "Successfully removed a rule from the following {0} Rule Groups '{1}' in AWS WAF.".format("Regional"/"Cloudfront", list of names)

If unsuccessful for one Rule Group: "Action wasn't able to remove a rule from the following {0} Rule Groups '{1}' in AWS WAF.".format("Regional"/"Cloudfront", list of names)

If unsuccessful for one Rule Group, because rule wasn't found in one Rule Group: "Action wasn't able to find the specified rule in the following {0} Rule Groups '{1}' in AWS WAF.".format("Regional"/"Cloudfront", list of rule group names)

If fail to find one of the Rule Group: "Action wasn't able to find the following '{0}' Rule Groups in the AWS WAF:\n {1}".format("Regional"/"Cloudfront", list of Rule Group that were not found in that scope)

If fail to find all of the provided sets in the desired scope or scopes: "Action didn't find the provided Rule Groups."

The action should fail and stop a playbook execution:

If a fatal error, SDK error, like wrong credentials, no connection to the server, other is reported: "Error executing action "Remove Rule From Rule Group". Reason: {0}".format(error.Stacktrace)

General

List Rule Groups

Description

List available rule groups in AWS WAF.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Scope DDL

CloudFront

Possible values:

  • CloudFront
  • Regional
  • Both
Specify what should be the scope for the listing of Rule Groups.
Max Rule Groups To Return Integer 50 No Specify how many Rule Groups to return. Default is 50. Maximum is 100.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
JSON Result
{
    "Regional": [
        {
            "Name": "asdasd",
            "Id": "543c2d66-6683-451b-993b-ae5fe79b7bad",
            "Description": "asdasd",
            "LockToken": "7e76581b-f152-4448-aafe-b733a33c8fa2",
            "ARN": "arn:aws:wafv2:us-east-1:582302349248:regional/ipset/asdasd/543c2d66-6683-451b-993b-ae5fe79b7bad"
        }
    ],
    "CloudFront": [
        {
            "Name": "asdasd",
            "Id": "543c2d66-6683-451b-993b-ae5fe79b7bad",
            "Description": "asdasd",
            "LockToken": "7e76581b-f152-4448-aafe-b733a33c8fa2",
            "ARN": "arn:aws:wafv2:us-east-1:582302349248:regional/ipset/asdasd/543c2d66-6683-451b-993b-ae5fe79b7bad"
        }
    ]
}
Case Wall
Result type Value/Description Type (Entity \ General)
Output message*

The action should not fail nor stop a playbook execution:

If successfully listed available IP Sets and "Scope" == "Both": "Successfully listed available Rule groups in Regional and Cloudfront scopes."

If successfully listed available IP Sets and "Scope" == "Regional": "Successfully listed available Rule groups in Regional scope."

If successfully listed available IP Sets and "Scope" == "Cloudfront": "Successfully listed available Rule groups in Cloudfront scope."

If no available values and "Scope" == "Both": "No available Rule groups were found in Regional and Cloudfront scopes."

If no available values and "Scope" == "Regional": "No available Rule groups were found in Regional scope."

If no available values and "Scope" == "Cloudfront": "No available Rule groups were found in Cloudfront scope."

The action should fail and stop a playbook execution:

If a fatal error, SDK error, like wrong credentials, no connection to the server, other is reported: "Error executing action "List Rule Groups". Reason: {0}".format(error.Stacktrace)

General

Case Wall Table

(if "Scope" == "Regional" or "Both")

Table Name: Regional Rule Groups

Table Columns:

  • Name
  • ID
  • Description
  • Lock Token
  • ARN
General

Case Wall Table

(if "Scope" == "CloudFront" or "Both")

Table Name: CloudFront Rule Groups

Table Columns:

  • Name
  • ID
  • Description
  • Lock Token
  • ARN
General

List IP Sets

Description

List available IP Sets in AWS WAF.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Scope DDL

CloudFront

Possible values:

  • CloudFront
  • Regional
  • Both
Specify what should be the scope for the listing of IP sets.
Max IP Sets To Return Integer 50 No Specify how many IP sets to return. Default is 50. Maximum is 100.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
JSON Result
{
    "Regional": [
        {
            "Name": "asdasd",
            "Id": "543c2d66-6683-451b-993b-ae5fe79b7bad",
            "Description": "asdasd",
            "LockToken": "7e76581b-f152-4448-aafe-b733a33c8fa2",
            "ARN": "arn:aws:wafv2:us-east-1:582302349248:regional/ipset/asdasd/543c2d66-6683-451b-993b-ae5fe79b7bad"
        }
    ],
    "CloudFront": [
        {
            "Name": "asdasd",
            "Id": "543c2d66-6683-451b-993b-ae5fe79b7bad",
            "Description": "asdasd",
            "LockToken": "7e76581b-f152-4448-aafe-b733a33c8fa2",
            "ARN": "arn:aws:wafv2:us-east-1:582302349248:regional/ipset/asdasd/543c2d66-6683-451b-993b-ae5fe79b7bad"
        }
    ]
}
Case Wall
Result type Value/Description Type (Entity \ General)
Output message*

The action should not fail nor stop a playbook execution:

If successfully listed available IP Sets and "Scope" == "Both": "Successfully listed available IP sets in Regional and Cloudfront scopes."

If successfully listed available IP Sets and "Scope" == "Regional": "Successfully listed available IP sets in Regional scope."

If successfully listed available IP Sets and "Scope" == "Cloudfront": "Successfully listed available IP sets in Cloudfront scope."

If no available values and "Scope" == "Both": "No available IP Sets were found in Regional and Cloudfront scopes."

If no available values and "Scope" == "Regional": "No available IP Sets were found in Regional scope."

If no available values and "Scope" == "Cloudfront": "No available IP Sets were found in Cloudfront scope."

The action should fail and stop a playbook execution:

If a fatal error is reported (SDK error, wrong credentials, no connection to the server, or other): "Error executing action "List IP Sets". Reason: {0}".format(error.Stacktrace)

General

Case Wall Table

(if "Scope" == "Regional" or "Both")

Table Name: Regional Rule Groups

Table Columns:

  • Name
  • ID
  • Description
  • Lock Token
  • ARN
General

Case Wall Table

(if "Scope" == "CloudFront" or "Both")

Table Name: CloudFront Rule Groups

Table Columns:

  • Name
  • ID
  • Description
  • Lock Token
  • ARN
General

Remove Pattern From Regex Pattern Set

Description

Remove patterns from the Regex Pattern Set in AWS WAF.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Regex Pattern Set Names CSV Yes Specify the comma-separated list of Regex Pattern set names. Example: name_1,name_2
Patterns CSV Yes Specify the comma-separated list of patterns that should be removed from the Regex Pattern set. Example: pattern_1,pattern_2
Scope DDL CloudFront (possible values: CloudFront, Regional, Both) Yes Specify what should be the scope of the Regex Pattern set. If "Both" is selected, action will remove patterns from Regex Pattern sets in Regional and CloudFront scopes.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successful and at least one pattern was removed from one Regex Pattern Set: "Successfully removed the following patterns from the {0} Regex Pattern Set '{1}' in AWS WAF: \n {2}".format("Regional"/"Cloudfront", full_name, list of entity patterns)

If a pattern never existed in that Pattern Set: "The following patterns were not found in the {0} Regex Pattern Set '{1}' in AWS WAF: \n {2}".format("Regional"/"Cloudfront", full_name, list of patterns)

If the action fails to remove all patterns from all Regex Pattern Sets: "No patterns were removed from the provided Regex Pattern Sets."

If the action fails to find one of the Pattern sets: "Action wasn't able to find the following '{0}' Regex Pattern Sets in the AWS WAF:\n {1}".format("Regional"/"Cloudfront", list of sets that were not found in that scope)

If the action fails to find all of the provided Regex Pattern sets in the desired scope or scopes: "Action didn't find the provided Regex Pattern sets."

The action should fail and stop a playbook execution:

If a fatal error is reported (SDK error, wrong credentials, no connection to the server, or other): "Error executing action "Remove Pattern From Regex Pattern Set". Reason: {0}".format(error.Stacktrace)

General

Remove IP From IP Set

Description

Remove IP addresses from the IP Set in AWS WAF.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
IP Set Names CSV Yes Specify the comma-separated list of IP set names. Example: name_1,name_2
Scope DDL CloudFront (possible values: CloudFront, Regional, Both) Yes Specify what should be the scope of the IP set. If "Both" is selected, action will remove IP addresses from IP sets in Regional and CloudFront scopes.

Run On

This action runs on IP entities.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
Case Wall
Result Type Value / Description Type
Output message*

The action should not fail nor stop a playbook execution:

If successful and at least one IP address was removed from one IP set: "Successfully removed the following IPs from the {0} IP Set '{1}' in AWS WAF: \n {2}".format("Regional"/"Cloudfront", full_name, entity.identifier list)

If the IPs never existed in that IP Set: "The following IPs were not a part of the {0} IP Set '{1}' in AWS WAF: \n {2}".format("Regional"/"Cloudfront", full_name, entity.identifier list)

If the action fails to remove all entities from all IP sets: "No IPs were removed from the provided IP Sets."

If the action fails to find one of the IP sets: "Action wasn't able to find the following '{0}' IP Sets in the AWS WAF:\n {1}".format("Regional"/"Cloudfront", list of IP sets that were not found in that scope)

If the action fails to find all of the provided IP sets in the desired scope or scopes: "Action didn't find the provided IP sets."

The action should fail and stop a playbook execution:

If a fatal error is reported (SDK error, wrong credentials, no connection to the server, or other): "Error executing action "Remove IP From IP Set". Reason: {0}".format(error.Stacktrace)

General
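
The read-modify-write that such a removal needs against a boto3 wafv2 client, as an added sketch that is not the integration's own code: update_ip_set replaces the whole address list and must carry the Lock Token returned by the preceding read. The exact-match rule, the FakeWafClient stand-in and the set name used in testing are assumptions made for this example.

```python
import ipaddress

def remove_ips(client, name, set_id, scope, entity_ips):
    """Remove entity IPs from one IP set; return (removed, not_found, response)."""
    current = client.get_ip_set(Name=name, Scope=scope, Id=set_id)
    # Addresses are stored as CIDR strings; compare parsed networks, not text.
    stored = {ipaddress.ip_network(a, strict=False): a
              for a in current["IPSet"]["Addresses"]}
    removed, not_found, drop = [], [], set()
    for ip in entity_ips:
        net = ipaddress.ip_network(ip, strict=False)  # bare IP -> /32 or /128
        if net in stored:            # exact entry only; an IP that is merely
            removed.append(ip)       # covered by a wider range is "not found"
            drop.add(net)
        else:
            not_found.append(ip)
    if not removed:
        return removed, not_found, None               # no write needed
    response = client.update_ip_set(
        Name=name, Scope=scope, Id=set_id,
        Addresses=[a for net, a in stored.items() if net not in drop],
        LockToken=current["LockToken"],               # token from the read above
    )
    return removed, not_found, response


class FakeWafClient:
    """Constructed in-memory stand-in for a boto3 'wafv2' client (two calls only)."""
    def __init__(self, addresses):
        self.addresses, self.token = list(addresses), "token-1"

    def get_ip_set(self, Name, Scope, Id):
        return {"IPSet": {"Name": Name, "Id": Id, "Addresses": list(self.addresses)},
                "LockToken": self.token}

    def update_ip_set(self, Name, Scope, Id, Addresses, LockToken):
        if LockToken != self.token:  # the real client raises WAFOptimisticLockException
            raise RuntimeError("WAFOptimisticLockException")
        self.addresses, self.token = list(Addresses), "token-2"
        return {"NextLockToken": self.token}
```

A stale Lock Token means the set changed between the read and the write; the safe reaction is to read again and recompute the list rather than retry with the old addresses.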

List Regex Pattern Sets

Description

List available Regex Pattern Sets in AWS WAF.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Scope DDL CloudFront (possible values: CloudFront, Regional, Both) Specify what should be the scope for the listing of IP sets.
Max Regex Pattern Sets To Return Integer 5 No Specify how many Regex Pattern sets to return. Default is 5. Maximum is 10.

Run On

This action doesn't run on entities.

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
JSON Result
[
    {
        "Name": "asdasd",
        "Id": "543c2d66-6683-451b-993b-ae5fe79b7bad",
        "Description": "asdasd",
        "LockToken": "7e76581b-f152-4448-aafe-b733a33c8fa2",
        "ARN": "arn:aws:wafv2:us-east-1:582302349248:regional/ipset/asdasd/543c2d66-6683-451b-993b-ae5fe79b7bad"
    }
]
"CloudFront": [
    {
        "Name": "asdasd",
        "Id": "543c2d66-6683-451b-993b-ae5fe79b7bad",
        "Description": "asdasd",
        "LockToken": "7e76581b-f152-4448-aafe-b733a33c8fa2",
        "ARN": "arn:aws:wafv2:us-east-1:582302349248:regional/ipset/asdasd/543c2d66-6683-451b-993b-ae5fe79b7bad"
    }
]
Case Wall
Result type Value/Description Type (Entity \ General)
Output message*

The action should not fail nor stop a playbook execution:

If successfully listed available Regex Sets and "Scope" == "Both": "Successfully listed available Regex Pattern sets in Regional and Cloudfront scopes."

If successfully listed available IP Sets and "Scope" == "Regional": "Successfully listed available Regex Pattern sets in Regional scope."

If successfully listed available IP Sets and "Scope" == "Cloudfront": "Successfully listed available Regex Pattern sets in Cloudfront scope."

If no available values and "Scope" == "Both": "No available Regex Pattern sets were found in Regional and Cloudfront scopes."

If no available values and "Scope" == "Regional": "No available Regex Pattern sets were found in Regional scope."

If no available values and "Scope" == "Cloudfront": "No available Regex Pattern sets were found in Cloudfront scope."

The action should fail and stop a playbook execution:

If a fatal error is reported (SDK error, wrong credentials, no connection to the server, or other): "Error executing action "List Regex Pattern Sets". Reason: {0}".format(error.Stacktrace)

General

Case Wall Table

(if "Scope" == "Regional" or "Both")

Table Name: Regional Rule Groups

Table Columns:

  • Name
  • ID
  • Description
  • Lock Token
  • ARN
General

Case Wall Table

(if "Scope" == "CloudFront" or "Both")

Table Name: CloudFront Rule Groups

Table Columns:

  • Name
  • ID
  • Description
  • Lock Token
  • ARN
General

Remove Entity From Regex Pattern Set

Description

Remove string patterns based on entities from the Regex Pattern Set in AWS WAF.

Parameters

Parameter Display Name Type Default Value Is Mandatory Description
Regex Pattern Set Names CSV Yes Specify the comma-separated list of Regex Pattern set names. Example: name_1,name_2
Scope DDL CloudFront (possible values: CloudFront, Regional, Both) Yes Specify what should be the scope of the set. If "Both" is selected, action will remove patterns based on entities from Regex Pattern sets in Regional and CloudFront scopes.
Domain Pattern Checkbox True No

If enabled, action will retrieve the domain part out of URLs and search for a regex pattern based on it in the Regex Pattern Set.
Example: http://test.com/folder will be searched as pattern ^(http|https)(:\/\/)(\Qtest.com\E).*

IP Pattern Checkbox True No

If enabled, action will search for a regex pattern built out of the IP address instead of the raw value.
Example: 10.0.0.1 will be searched as ^(http|https)(:\/\/)(\Q10.0.0.1\E).*
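
How the Domain Pattern and IP Pattern options turn an entity into the string that is looked up, as an added example that is not the integration's own code. The function names, the "url"/"ip" kind labels, the exact-string comparison and the raw-value fallback for a disabled option are assumptions; the sample data is constructed.

```python
import re
from urllib.parse import urlsplit

PREFIX = r"^(http|https)(:\/\/)"  # prefix shown in the parameter descriptions

def entity_to_pattern(value, kind, domain_pattern=True, ip_pattern=True):
    """Build the string that is looked up in the set for one entity."""
    if kind == "url" and domain_pattern:
        # urlsplit only fills .hostname when the value contains "//"
        host = urlsplit(value if "//" in value else "//" + value).hostname
        if not host:
            raise ValueError(f"no domain part in {value!r}")
        return PREFIX + "(\\Q" + host + "\\E).*"
    if kind == "ip" and ip_pattern:
        return PREFIX + "(\\Q" + value + "\\E).*"
    return value  # assumption: option off means the raw value is used

def plan_removal(current, entities, **options):
    """Return (remaining, removed, not_found) for a list of (value, kind)."""
    wanted = [entity_to_pattern(value, kind, **options) for value, kind in entities]
    removed = [p for p in wanted if p in current]
    not_found = [p for p in wanted if p not in current]
    remaining = [p for p in current if p not in removed]
    return remaining, removed, not_found

def covers(pattern, url):
    """Show what a \\Q...\\E pattern matches. Python's re has no \\Q...\\E,
    so the quoted span is converted with re.escape first."""
    converted = re.sub(r"\\Q(.*?)\\E", lambda m: re.escape(m.group(1)), pattern)
    return re.match(converted, url) is not None

# Constructed sample data: patterns currently in a set, and case entities.
CURRENT = [r"^(http|https)(:\/\/)(\Qtest.com\E).*",
           r"^(http|https)(:\/\/)(\Q198.51.100.4\E).*"]
ENTITIES = [("http://test.com/folder", "url"), ("192.0.2.7", "ip")]

if __name__ == "__main__":
    remaining, removed, not_found = plan_removal(CURRENT, ENTITIES)
    print("removed:", removed)
    print("not found:", not_found)
    print("remaining:", remaining)
```

The generated pattern is anchored only at the start and ends in .*, so covers() reports a match for any URL whose host merely begins with the quoted value; keep that in mind when reviewing which rules reference the set before or after a removal.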

Run On

This action runs on the following entities:

  • IP Address
  • URL

Action Results

Script Result
Script Result Name Value Options
is_success is_success=False
is_success is_success=True
Case Wall
Result type Value/Description Type (Entity \ General)
Output message*

The action should not fail nor stop a playbook execution:

If successful and at least one entity was removed from one IP set: "Successfully removed the following entity patterns from the {0} Regex Pattern Set '{1}' in AWS WAF: \n {2}".format("Regional"/"Cloudfront", full_name, list of entity patterns)

If an entity never existed in that Regex Pattern Set: "The following patterns were not found in the {0} Regex Pattern Set '{1}' in AWS WAF: \n {2}".format("Regional"/"Cloudfront", full_name, list of entity patterns)

If the action fails to remove all entities from all IP sets: "No patterns were removed from the provided Regex Pattern Sets."

If the action fails to find one of the IP sets: "Action wasn't able to find the following '{0}' Regex Pattern Sets in the AWS WAF:\n {1}".format("Regional"/"Cloudfront", list of IP sets that were not found in that scope)

If the action fails to find all of the provided Regex Pattern sets in the desired scope or scopes: "Action didn't find the provided Regex Pattern sets."

The action should fail and stop a playbook execution:

If a fatal error is reported (SDK error, wrong credentials, no connection to the server, or other): "Error executing action "Remove Entity From Regex Pattern Set". Reason: {0}".format(error.Stacktrace)

General