Integrate AWS WAF with Google SecOps

This document describes how to integrate AWS WAF with Google Security Operations (Google SecOps).

Integration version: 7.0

Use Cases

Active actions - manage IP Sets, Rule Groups, Pattern Sets, Web ACLs.

Integration parameters

Use the following parameters to configure the integration:

Parameter Display Name	Type	Default Value	Is Mandatory	Description
Instance Name	String	N/A	No	Name of the Instance you intend to configure integration for.
Description	String	N/A	No	Description of the Instance.
AWS Access Key ID	String	N/A	Yes	AWS Access Key ID to use in integration.
AWS Secret Key	Password	N/A	Yes	AWS Secret Key to use in integration.
AWS Default Region	String	N/A	Yes	AWS default region to use in integration, for example us-west-2.
Run Remotely	Checkbox	Unchecked	No	Check the field in order to run the configured integration remotely. Once checked, the option appears to select the remote user (agent).

For instructions about how to configure an integration in Google SecOps, see Configure integrations .

You can make changes at a later stage, if needed. After you configure an integration instance, you can use it in playbooks. For more information about how to configure and support multiple instances, see Supporting multiple instances .

Actions

For more information about actions, see Respond to pending actions from Your Workdesk and Perform a manual action .

Ping

Test the connectivity to AWS WAF.

Parameters

N/A

Run On

This action doesn't run on entities.

Action Results

Script Result

Script Result Name	Value Options	Example
is_success	True/False	is_success:False

Case Wall

Result Type	Value / Description	Type
Output message*	The action should not fail nor stop a playbook execution: If successful: "Successfully connected to the AWS WAF server with the provided connection parameters!" The action should fail and stop a playbook execution: If not successful: "Failed to connect to the AWS WAF server! Error is {0}".format(exception.stacktrace)	General

Result Type

Value / Description

Type

Output message*

The action should not fail nor stop a playbook execution:

If successful: "Successfully connected to the AWS WAF server with the provided connection parameters!"

The action should fail and stop a playbook execution:

If not successful: "Failed to connect to the AWS WAF server! Error is {0}".format(exception.stacktrace)

General

Create IP Set

Create an IP Set in AWS WAF, based on entities.

IP Set is created in the following format:

 Siemplify_ NAME 
_ IP Type 
`

Parameters

Parameter Display Name

Type

Default Value

Is Mandatory

Description

Name

String

N/A

Yes

Specify the name of the IP set. Note: action will create an IP set in the following format: Siemplify_{Name}_{IP Type}. The name must have 1-128 characters. Valid characters: A-Z, a-z, 0-9, - (hyphen), and _ (underscore).

Scope

DDL

CloudFront

Possible values:

CloudFront
Regional
Both

Yes

Specify what should be the scope for the creation of IP sets. If "Both" is selected, action will create an IP set in Regional and Amazon CloudFront scopes.

Description

String

N/A

Specify the description for the IP set.

Tags

CSV

N/A

Specify additional tags that should be added to the IP set. Format: key_1:value_1,key_2:value_1.

Run On

This action runs on the IP Address entity.

Action Results

Script Result

Script Result Name	Value Options	Example
is_success	True/False	is_success:False

JSON Result

  { 
 "Regional" 
 : 
  
 [ 
 "IPv4_set" 
 , 
  
 "IPv6_set" 
 ] 
 "Cloudfront" 
 : 
  
 [ 
 "IPv4_set" 
 , 
  
 "IPv6_set" 
 ] 
 }

Case Wall

Result Type	Value / Description	Type
Output message*	The action should not fail nor stop a playbook execution: If successful and at least one of the provided entities were used to create an IP set (is_success = true): "Successfully created {0} {1} IP Set '{2}' in AWS WAF with the following IPs: \n {3}".format("Regional"/"Cloudfront", "IPv4"/"IPv6", full_name, entity.identifier list) If fail to use specific entities(is_success = true): "Action was not able to use the following IPs in order to create AWS WAF IP Set\n: {0}".format([entity.identifier]) If fail to use all entities (is_success = false): "No IP Sets were created. Reason: None of the provided IP entities were valid." If All Sets Already exist (is_success=false) or if only partially sets already exist (is_success=true): "The following {0} IP Pattern Sets '{1}' already exist: \n.".format("Regional/CloudFront", list_of_full_names) The action should fail and stop a playbook execution: If fatal error, like wrong credentials, no connection to server, other: "Error executing action "Create IP Set". Reason: {0}''.format(error.Stacktrace)

Result Type

Value / Description

Type

Output message*

The action should not fail nor stop a playbook execution:

If successful and at least one of the provided entities were used to create an IP set (is_success = true): "Successfully created {0} {1} IP Set '{2}' in AWS WAF with the following IPs: \n {3}".format("Regional"/"Cloudfront", "IPv4"/"IPv6", full_name, entity.identifier list)

If fail to use specific entities(is_success = true): "Action was not able to use the following IPs in order to create AWS WAF IP Set\n: {0}".format([entity.identifier])

If fail to use all entities (is_success = false): "No IP Sets were created. Reason: None of the provided IP entities were valid."

If All Sets Already exist (is_success=false) or if only partially sets already exist (is_success=true): "The following {0} IP Pattern Sets '{1}' already exist: \n.".format("Regional/CloudFront", list_of_full_names)

The action should fail and stop a playbook execution:

If fatal error, like wrong credentials, no connection to server, other: "Error executing action "Create IP Set". Reason: {0}''.format(error.Stacktrace)

Add IP To IP Set

Add IP addresses to the IP Set in AWS WAF.

Parameters

Parameter Display Name

Type

Default Value

Is Mandatory

Description

IP Set Names

CSV

N/A

Yes

Specify the comma-separated list of IP set names. Example: name_1,name_2

Scope

DDL

CloudFront

Possible values:

CloudFront
Regional
Both

Yes

Specify what should be the scope of the IP set. If "Both" is selected, action will add IP addresses to IP sets in Regional and CloudFront scopes.

Run On

This action runs on the IP Address entity.

Action Results

Script Result

Script Result Name	Value Options	Example
is_success	True/False	is_success:False

Case Wall

Result Type	Value / Description	Type
Output message*	The action should not fail nor stop a playbook execution: If successful and at least one IP addresses was added to one IP set(is_success = true): "Successfully added the following IPs to the {0} IP Set '{1}' in AWS WAF: \n {2}".format("Regional"/"Cloudfront", full_name, entity.identifier list) If fail to add specific entities to one of the IP Sets(is_success = true): "Action was not able to add the following IPs to the {0} IP Set '{1}' in AWS WAF\n: {2}".format("Regional"/"Cloudfront", full_name,[entity.identifier]) If fail to find one of the IP sets (is_success = true): "Action wasn't able to find the following '{0}' IP Sets in the AWS WAF:\n {1}".format("Regional"/Cloudfront",list of IP sets that were not found in that scope) If fail to find all of the provided IP sets in the selected scope or scopes (is_success=false): "Action didn't find the provided IP sets." The action should fail and stop a playbook execution: if fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Add IP To IP Set". Reason: {0}''.format(error.Stacktrace)	General

Result Type

Value / Description

Type

Output message*

The action should not fail nor stop a playbook execution:

If successful and at least one IP addresses was added to one IP set(is_success = true): "Successfully added the following IPs to the {0} IP Set '{1}' in AWS WAF: \n {2}".format("Regional"/"Cloudfront", full_name, entity.identifier list)

If fail to add specific entities to one of the IP Sets(is_success = true): "Action was not able to add the following IPs to the {0} IP Set '{1}' in AWS WAF\n: {2}".format("Regional"/"Cloudfront", full_name,[entity.identifier])

If fail to find one of the IP sets (is_success = true): "Action wasn't able to find the following '{0}' IP Sets in the AWS WAF:\n {1}".format("Regional"/Cloudfront",list of IP sets that were not found in that scope)

If fail to find all of the provided IP sets in the selected scope or scopes (is_success=false): "Action didn't find the provided IP sets."

The action should fail and stop a playbook execution:

if fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Add IP To IP Set". Reason: {0}''.format(error.Stacktrace)

General

Create Regex Pattern Set

Create a regular expression pattern set in AWS WAF based on entities.

The regular expression pattern set can only contain 10 patterns for every set and there can only be 10 regular expression pattern sets in total.

Parameters

Parameter Display Name

Type

Default Value

Is Mandatory

Description

Name

String

N/A

Yes

Specify the name of the regular expression pattern set. Note: The name must have 1-128 characters. Valid characters: A-Z, a-z, 0-9, - (hyphen), and _ (underscore).

Scope

DDL

CloudFront

Possible values:

CloudFront
Regional
Both

Yes

Specify what should be the scope for the creation of regular expression pattern sets. If "Both" is selected, the action creates a regular expression pattern set in Regional and CloudFront scopes.

Description

String

N/A

Specify the description for the regular expression pattern set.

Tags

CSV

N/A

Specify additional tags that should be added to the regular expression pattern set. Format: key_1:value_1,key_2:value_1.

Domain Pattern

Checkbox

Checked

If enabled, the action retrieves the domain part out of URLs and create a regular expression pattern based on them, such as http://test.com/folder is converted to ^(http|https)(:\/\/)(\Qtest.com\E).*".format(entity) .

IP Pattern

Checkbox

Checked

If enabled, the action constructs a proper regular expression pattern out of IP address instead of using raw value, such as 10.0.0.1 is converted into ^(http|https)(:\/\/)(\Q10.0.1\E).*".format(entity) .

Run On

This action runs on the following entities:

IP Address
URL

Action Results

Script Result

Script Result Name	Value Options	Example
is_success	True/False	is_success:False

JSON Result

  { 
 "Regional" 
 : 
  
 "Regex_set" 
 "Cloudfront" 
 : 
  
 "Regex_set" 
 }

Case Wall

Result Type	Value / Description	Type
Output message*	The action should not fail nor stop a playbook execution: if successful and at least one of the provided entities were used to create an regular expression set (is_success = true): "Successfully created {0} Regex Pattern Set '{1}' in AWS WAF with the following entities: \n {2}".format("Regional"/"Cloudfront", name, entity.identifier list) If more than 10 entities are going to be used to create a regular expression pattern set: "Action wasn't able to create regular expression pattern sets with all of the provided entities, because the limit is exceeded. The following entities were skipped: {0}".format(entity.identifier) If Set Already exists (is_success=false): "{0} Regex Pattern Set '{1}' already exists.".format("Regional/CloudFront", name) The action should fail and stop a playbook execution: If fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Create Regex Pattern Set". Reason: {0}''.format(error.Stacktrace)	General

Result Type

Value / Description

Type

Output message*

The action should not fail nor stop a playbook execution:

if successful and at least one of the provided entities were used to create an regular expression set (is_success = true): "Successfully created {0} Regex Pattern Set '{1}' in AWS WAF with the following entities: \n {2}".format("Regional"/"Cloudfront", name, entity.identifier list)

If more than 10 entities are going to be used to create a regular expression pattern set: "Action wasn't able to create regular expression pattern sets with all of the provided entities, because the limit is exceeded. The following entities were skipped: {0}".format(entity.identifier)

If Set Already exists (is_success=false): "{0} Regex Pattern Set '{1}' already exists.".format("Regional/CloudFront", name)

The action should fail and stop a playbook execution:

If fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Create Regex Pattern Set". Reason: {0}''.format(error.Stacktrace)

General

Create Web ACLs

Create a Web ACL in AWS WAF.

Parameters

Parameter Display Name

Type

Default Value

Is Mandatory

Description

Name

String

N/A

Yes

Specify the name of the Web ACL. Note: The name must have 1-128 characters. Valid characters: A-Z, a-z, 0-9, - (hyphen), and _ (underscore).

Rule Source Type

DDL

IP Set

Possible value

IP Set

Rule Group

Yes

Specify what rule type should be used.

Rule Source Name

String

N/A

Yes

Specify the name of the source, which should be used for Web ACL. If "Rule Source Type" is "IP Set", action will search for IP Sets with that name. If "Rule Source Type" is "Rule Group", action will search for Rule Groups with that name.

Scope

DDL

CloudFront

Possible values:

CloudFront
Regional
Both

Yes

Specify what should be the scope for the creation of the web acl. If "Both" is selected, action will create a Web ACL in Regional and CloudFront scopes.

Enable Sampled Requests

Checkbox

Unchecked

Yes

If enabled, AWS WAF will store a sampling of the web requests that match the rules.

Enable CloudWatch Metrics

Checkbox

Unchecked

Yes

If enabled, the associated resource sends metrics to CloudWatch.

CloudWatch Metric Name

Checkbox

Unchecked

Yes

Specify the name of the CloudWatch Metric. Note: The name must have 1-128 characters. Valid characters: A-Z, a-z, 0-9, - (hyphen), and _ (underscore).

Default Action

DDL

Allow

Possible values:

Allow
Block

Yes

Specify what should be the default action for requests that don't match any rules.

IP Set Action

DDL

Block

Possible value:

Allow
Block
Count

Specify what should be the action for rules that are based on the IP set.

Rule Priority

Integer

N/A

Yes

Specify what should be the priority of the rule. Priorities in Web ACL should be unique.

Description

String

N/A

Specify the description for the Web ACL.

Tags

CSV

N/A

Specify additional tags that should be added to the Web ACL. Format: key_1:value_1,key_2:value_1.

Run On

This action doesn't run on entities.

Action Results

Script Result

Script Result Name	Value Options	Example
is_success	True/False	is_success:False

JSON Result

  { 
 "Regional" 
 : 
  
 "Web_Acl_name" 
 "Cloudfront" 
 : 
  
 "Web_Acl_name" 
 }

Case Wall

Result Type	Value / Description	Type
Output message*	The action should not fail nor stop a playbook execution: If successfully listed available IP Sets(is_success = true) and "Scope" == "Both": "Successfully created Web ACL {0} in Regional and Cloudfront scopes.".format(name) If successfully listed available IP Sets(is_success = true) and "Scope" == "Regional": "Successfully created Web ACL {0} in Regional.".format(name) If successfully listed available IP Sets(is_success = true) and "Scope" == "Cloudfront": "Successfully created Web ACL {0} in Cloudfront scope.".format(name) If the Web ACL exists: Print "The Web ACL {} already exists in {} scope.".format(web ACL name, scope). If IP Set / Rule Group wasn't found: "Action wasn't able to create Web ACL. Reason: {0} {1} wasn't found in AWS WAF".format("IP Set/Rule Group", Rule Source Name) The action should fail and stop a playbook execution: if fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Create Web ACL". Reason: {0}''.format(error.Stacktrace)

Result Type

Value / Description

Type

Output message*

The action should not fail nor stop a playbook execution:

If successfully listed available IP Sets(is_success = true) and "Scope" == "Both": "Successfully created Web ACL {0} in Regional and Cloudfront scopes.".format(name)

If successfully listed available IP Sets(is_success = true) and "Scope" == "Regional": "Successfully created Web ACL {0} in Regional.".format(name)

If successfully listed available IP Sets(is_success = true) and "Scope" == "Cloudfront": "Successfully created Web ACL {0} in Cloudfront scope.".format(name)

If the Web ACL exists:

Print "The Web ACL {} already exists in {} scope.".format(web ACL name, scope).

If IP Set / Rule Group wasn't found: "Action wasn't able to create Web ACL. Reason: {0} {1} wasn't found in AWS WAF".format("IP Set/Rule Group", Rule Source Name)

The action should fail and stop a playbook execution:

if fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Create Web ACL". Reason: {0}''.format(error.Stacktrace)

Add Rule To Web ACL

Add a rule based on IP Sets or Rule Groups to Web ACL in AWS WAF. The Web ACL can contain a maximum of 1,500 rule.

Parameters

Parameter Display Name

Type

Default Value

Is Mandatory

Description

Web ACL Names

CSV

N/A

Yes

Specify the comma-separated list of Web ACL names. Example: name_1,name_2

Rule Source Type

DDL

IP Set

Possible values:

IP Set
Rule Group

Yes

Specify what rule type should be used.

Rule Source Name

String

N/A

Yes

Scope

DDL

CloudFront

Possible values:

CloudFront
Regional
Both

Yes

Specify what should be the scope for the new rules. If "Both" is selected, action will add a Rule to a Web ACL in Regional and CloudFront scopes.

Rule Priority

Integer

N/A

Yes

Specify what should be the priority of the rule. Priorities in Web ACL should be unique.

IP Set Action

DDL

Block

Possible value:

Allow
Block
Count

Specify what should be the action for rules that are based on the IP set.

Run On

This action doesn't run on entities.

Action Results

Script Result

Script Result Name	Value Options	Example
is_success	True/False	is_success:False

Case Wall

Result Type	Value / Description	Type
Output message*	The action should not fail nor stop a playbook execution: if successful and at least one rule was added to one Web ACL(is_success = true): "Successfully added a rule to the following {0} Web ACLs '{1}' in AWS WAF.".format("Regional"/"Cloudfront", list of name) If fail to find one of the Web ACLs(is_success = true): "Action wasn't able to find the following '{0}' Web ACLs in the AWS WAF:\n {1}".format("Regional"/Cloudfront", list of Web ACLs that were not found in that scope) If rule with name already exists per Web ACL in Scope (is_success=true): "Action wasn't able to add {0} rules to the Web ACL in AWS WAF. Reason: {0} with name '{1}' already exists in the following Web ACLs:\n{2}".format( rule source type, rule source name, list Web ACL with scope - structure {0} - {1}.format(scope, web acl name)) The action should fail and stop a playbook execution: If fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Add Rule To Web ACL". Reason: {0}''.format(error.Stacktrace)	General

Result Type

Value / Description

Type

Output message*

The action should not fail nor stop a playbook execution:

if successful and at least one rule was added to one Web ACL(is_success = true): "Successfully added a rule to the following {0} Web ACLs '{1}' in AWS WAF.".format("Regional"/"Cloudfront", list of name)

If fail to find one of the Web ACLs(is_success = true): "Action wasn't able to find the following '{0}' Web ACLs in the AWS WAF:\n {1}".format("Regional"/Cloudfront", list of Web ACLs that were not found in that scope)

If rule with name already exists per Web ACL in Scope (is_success=true): "Action wasn't able to add {0} rules to the Web ACL in AWS WAF. Reason: {0} with name '{1}' already exists in the following Web ACLs:\n{2}".format( rule source type, rule source name, list Web ACL with scope - structure {0} - {1}.format(scope, web acl name))

The action should fail and stop a playbook execution:

If fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Add Rule To Web ACL". Reason: {0}''.format(error.Stacktrace)

General

Create Rule Group

Create a rule group in AWS WAF.

Parameters

Parameter Display Name

Type

Default Value

Is Mandatory

Description

Name

String

N/A

Yes

Specify the name of the rule group. Note: The name must have 1-128 characters. Valid characters: A-Z, a-z, 0-9, - (hyphen), and _ (underscore).

Scope

DDL

CloudFront

Possible values:

CloudFront
Regional
Both

Yes

Specify what should be the scope for the creation of the rule group. If "Both" is selected, action will create a Rule Group in Regional and CloudFront scopes.

Capacity

Integer

100

Yes

Specify the capacity of the rule group. Note: you can't change the capacity after the group is created. Maximum is 1500.

Enable Sampled Requests

Checkbox

Unchecked

Yes

If enabled, AWS WAF will store a sampling of the web requests that match the rules.

Enable CloudWatch Metrics

Checkbox

Unchecked

Yes

If enabled, the associated resource sends metrics to CloudWatch.

CloudWatch Metric Name

Checkbox

Unchecked

Yes

Specify the name of the CloudWatch Metric. Note: The name must have 1-128 characters. Valid characters: A-Z, a-z, 0-9, - (hyphen), and _ (underscore).

Description

String

N/A

Specify the description for the Rule Group.

Tags

CSV

N/A

Specify additional tags that should be added to the Rule Group. Format: key_1:value_1,key_2:value_1.

Run On

This action doesn't run on entities.

Action Results

Script Result

Script Result Name	Value Options	Example
is_success	True/False	is_success:False

Case Wall

Result Type	Value / Description	Type
Output message*	The action should not fail nor stop a playbook execution: If successfully listed available IP Sets(is_success = true) and "Scope" == "Both": "Successfully created Rule Group {0} in Regional and Cloudfront scopes.".format(name) > If successfully listed available IP Sets(is_success = true) and "Scope" == "Regional": "The Rule Group {} already exists in {} scope.".format(web ACL name, scope). If successfully listed available IP Sets(is_success = true) and "Scope" == "Cloudfront": "Successfully created Rule Group {0} in Cloudfront scope.".format(name) If the Rule Group exists: "Successfully created Rule Group {0} in Cloudfront scope.".format(name) If the creation of the Rule Group Fails "Action was not able to create Rule Group {} in {} scope".format(web ACL name, scope). The action should fail and stop a playbook execution: If fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Create Rule Group". Reason: {0}''.format(error.Stacktrace)	General

Result Type

Value / Description

Type

Output message*

The action should not fail nor stop a playbook execution:

If successfully listed available IP Sets(is_success = true) and "Scope" == "Both": "Successfully created Rule Group {0} in Regional and Cloudfront scopes.".format(name)

> If successfully listed available IP Sets(is_success = true) and "Scope" == "Regional": "The Rule Group {} already exists in {} scope.".format(web ACL name, scope).

If successfully listed available IP Sets(is_success = true) and "Scope" == "Cloudfront": "Successfully created Rule Group {0} in Cloudfront scope.".format(name)

If the Rule Group exists: "Successfully created Rule Group {0} in Cloudfront scope.".format(name)

If the creation of the Rule Group Fails "Action was not able to create Rule Group {} in {} scope".format(web ACL name, scope).

The action should fail and stop a playbook execution:

If fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Create Rule Group". Reason: {0}''.format(error.Stacktrace)

General

Add Entity To Regex Pattern Set

Add string patterns based on entities to the regular expression pattern set in AWS WAF.

The regular expression pattern set can only contain 10 patterns in every set.

Parameters

Parameter Display Name

Type

Default Value

Is Mandatory

Description

Regex Pattern Set Names

CSV

N/A

Yes

Specify the comma-separated list of regular expression pattern set names, such as name_1,name_2 .

Scope

DDL

CloudFront

Possible values:

CloudFront
Regional
Both

Yes

Scope of the regular expression pattern set. If "Both" is selected, the action adds patterns based on entities to regular expression pattern sets in both Regional and CloudFront scopes.

Domain Pattern

Checkbox

Checked

If enabled, the action retrieves the domain part out of URLs and creates a regular expression pattern based on them, such as http://test.com/folder is converted to ^(http|https)(:\/\/)(\Qtest.com\E).*".format(entity) .

IP Pattern

Checkbox

Checked

Run On

This action runs on the following entities:

IP Address
URL

Action Results

Script Result

Script Result Name	Value Options	Example
is_success	True/False	is_success:False

Case Wall

Result Type	Value / Description	Type
Output message*	The action should not fail nor stop a playbook execution: if successful and at least one entity was added to one regular expression pattern set(is_success = true): "Successfully added the following entity patterns to the {0} Regex Pattern Set '{1}' in AWS WAF: \n {2}".format("Regional"/"Cloudfront", name, list of entity patterns) If more than 10 entities are going to be used to create a regular expression pattern set: "Action wasn't able to add patterns to {0} Regex Pattern Set {1} based on all of the provided entities, because the limit is exceeded. The following entities were skipped: {2}".forma("Regional"/"Cloudfront", name, entity.identifier) If fail to find one of the sets (is_success = true): "Action wasn't able to find the following '{0}' Regex Pattern Sets in the AWS WAF:\n {1}".format("Regional"/Cloudfront",list of regular expression pattern sets that were not found in that scope) If fail to find all of the provided sets in the selected scope or scopes (is_success=false): "Action didn't find the provided Regex Pattern sets." The action should fail and stop a playbook execution: if fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Add Entity To Regex Pattern Set". Reason: {0}''.format(error.Stacktrace)	General

Result Type

Value / Description

Type

Output message*

The action should not fail nor stop a playbook execution:

if successful and at least one entity was added to one regular expression pattern set(is_success = true): "Successfully added the following entity patterns to the {0} Regex Pattern Set '{1}' in AWS WAF: \n {2}".format("Regional"/"Cloudfront", name, list of entity patterns)

If more than 10 entities are going to be used to create a regular expression pattern set: "Action wasn't able to add patterns to {0} Regex Pattern Set {1} based on all of the provided entities, because the limit is exceeded. The following entities were skipped: {2}".forma("Regional"/"Cloudfront", name, entity.identifier)

If fail to find one of the sets (is_success = true): "Action wasn't able to find the following '{0}' Regex Pattern Sets in the AWS WAF:\n {1}".format("Regional"/Cloudfront",list of regular expression pattern sets that were not found in that scope)

If fail to find all of the provided sets in the selected scope or scopes (is_success=false): "Action didn't find the provided Regex Pattern sets."

The action should fail and stop a playbook execution:

if fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Add Entity To Regex Pattern Set". Reason: {0}''.format(error.Stacktrace)

General

Add Pattern To Regex Pattern Set

Add string patterns to the regular expression pattern set in AWS WAF.

The regular expression pattern set can only contain 10 patterns for every set.

Parameters

Parameter Display Name

Type

Default Value

Is Mandatory

Description

Regex Pattern Set Names

CSV

N/A

Yes

Specify the comma-separated list of regular expression pattern set names, such as name_1,name_2 .

Patterns

CSV

N/A

Yes

Specify the comma-separated list of patterns to add to the regular expression pattern set, such as pattern_1,pattern_2 .

Scope

DDL

CloudFront

Possible values:

CloudFront
Regional
Both

Yes

Scope of the regular expression pattern set. If "Both" is selected, the action adds patterns based on entities to regular expression pattern sets in both Regional and CloudFront scopes.

Run On

This action doesn't run on entities.

Action Results

Script Result

Script Result Name	Value Options	Example
is_success	True/False	is_success:False

Case Wall

Result Type	Value / Description	Type
Output message*	The action should not fail nor stop a playbook execution: If successful and at least one pattern was added to one regular expression pattern set(is_success = true): "Successfully added the following patterns to the {0} Regex Pattern Set '{1}' in AWS WAF: \n {2}".format("Regional"/"Cloudfront", name, list of patterns) If fail to find one of the sets (is_success = true): t "Action wasn't able to find the following '{0}' Regex Pattern Sets in the AWS WAF:\n {1}".format("Regional"/Cloudfront",list of regular expression pattern sets that were not found in that scope). If fail to find all of the provided sets in the selected scope or scopes (is_success=false): "Action didn't find the provided Regex Pattern sets." The action should fail and stop a playbook execution: if fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Add Pattern To Regex Pattern Set". Reason: {0}''.format(error.Stacktrace)	General

Result Type

Value / Description

Type

Output message*

The action should not fail nor stop a playbook execution:

If successful and at least one pattern was added to one regular expression pattern set(is_success = true): "Successfully added the following patterns to the {0} Regex Pattern Set '{1}' in AWS WAF: \n {2}".format("Regional"/"Cloudfront", name, list of patterns)

If fail to find one of the sets (is_success = true): t "Action wasn't able to find the following '{0}' Regex Pattern Sets in the AWS WAF:\n {1}".format("Regional"/Cloudfront",list of regular expression pattern sets that were not found in that scope).

If fail to find all of the provided sets in the selected scope or scopes (is_success=false): "Action didn't find the provided Regex Pattern sets."

The action should fail and stop a playbook execution:

if fatal error, SDK error, like wrong credentials, no connection to server, other: "Error executing action "Add Pattern To Regex Pattern Set". Reason: {0}''.format(error.Stacktrace)

General

Remove Rule From Web ACL

Remove a rule from Web ACL in AWS WAF.

Parameters

Parameter Display Name

Type

Default Value

Is Mandatory

Description

Web ACL Names

CSV

Yes

Specify the comma-separated list of Web ACL names. Example: name_1,name_2

Scope

DDL

CloudFront

Possible values:

CloudFront
Regional
Both

Yes

Specify what should be the scope for the removal of the web acl. If "Both" is selected, action will remove a Web ACL in Regional and CloudFront scopes.

Rule Name

String

N/A

Yes

Specify the name of the rule that should be deleted.

Run On

This action doesn't run on entities.

Action Results

Script Result

Script Result Name	Value Options
is_success	is_success=False
is_success	is_success=True

Case Wall

Result Type	Value / Description	Type
Output message*	The action should not fail nor stop a playbook execution: if successful and at least one rule was removed from one Rule Group:print "Successfully removed a rule from the following {0} Web ACLs '{1}' in AWS WAF.".format("Regional"/"Cloudfront", list of names) if unsuccessful for one Rule Group:print "Action wasn't able to remove a rule from the following {0} Web ACLs '{1}' in AWS WAF.".format("Regional"/"Cloudfront", list of names) if unsuccessful for one Web ACL, because rule wasn't found in one ACL:print "Action wasn't able to find the specified rule in the following {0} Web ACLs '{1}' in AWS WAF.".format("Regional"/"Cloudfront", list of names Web ACL) If fail to find one of the Rule Group:Print "Action wasn't able to find the following '{0}' Web ACLs in the AWS WAF:\n {1}".format("Regional"/Cloudfront", list of Rule Group that were not found in that scope) If fail to find all of the provided sets in the desired scope or scopes:Print "Action didn't find the provided Web ACLs." The action should fail and stop a playbook execution: if fatal error, SDK error, like wrong credentials, no connection to server, other:print "Error executing action "Remove Rule From Web ACL". Reason: {0}''.format(error.Stacktrace)	General

Result Type

Value / Description

Type

Output message*

The action should not fail nor stop a playbook execution:

if successful and at least one rule was removed from one Rule Group:print "Successfully removed a rule from the following {0} Web ACLs '{1}' in AWS WAF.".format("Regional"/"Cloudfront", list of names)

if unsuccessful for one Rule Group:print "Action wasn't able to remove a rule from the following {0} Web ACLs '{1}' in AWS WAF.".format("Regional"/"Cloudfront", list of names)

if unsuccessful for one Web ACL, because rule wasn't found in one ACL:print "Action wasn't able to find the specified rule in the following {0} Web ACLs '{1}' in AWS WAF.".format("Regional"/"Cloudfront", list of names Web ACL)

If fail to find one of the Rule Group:Print "Action wasn't able to find the following '{0}' Web ACLs in the AWS WAF:\n {1}".format("Regional"/Cloudfront", list of Rule Group that were not found in that scope)

If fail to find all of the provided sets in the desired scope or scopes:Print "Action didn't find the provided Web ACLs."

The action should fail and stop a playbook execution:

if fatal error, SDK error, like wrong credentials, no connection to server, other:print "Error executing action "Remove Rule From Web ACL". Reason: {0}''.format(error.Stacktrace)

General

List Web ACLs

List available web ACLs in AWS WAF.

Parameters

Parameter Display Name

Type

Default Value

Is Mandatory

Description

Scope

DDL

CloudFront

Possible values:

CloudFront
Regional
Both

Specify what should be the scope for the listing of Web ACLs.

Max Web ACLs To Return

Integer

Specify how many Web ACLs to return. Default is 50. Maximum is 100.

Run On

This action doesn't run on entities.

Action Results

Script Result

Script Result Name	Value Options
is_success	is_success=False
is_success	is_success=True

JSON Result

  [ 
  
 { 
  
 "Name" 
 : 
  
 "example" 
 , 
  
 "Id" 
 : 
  
 " ID 
" 
 , 
  
 "Description" 
 : 
  
 "example" 
 , 
  
 "LockToken" 
 : 
  
 "7e76581b-f152-4448-aafe-b733a33c8fa2" 
 , 
  
 "ARN" 
 : 
  
 "arn:aws:wafv2:us-east-1:regional/ipset/example/ ID 
" 
  
 } 
 ] 
 "CloudFront" 
 : 
  
 [ 
  
 { 
  
 "Name" 
 : 
  
 "example" 
 , 
  
 "Id" 
 : 
  
 " ID 
" 
 , 
  
 "Description" 
 : 
  
 "example" 
 , 
  
 "LockToken" 
 : 
  
 "7e76581b-f152-4448-aafe-b733a33c8fa2" 
 , 
  
 "ARN" 
 : 
  
 "arn:aws:wafv2:us-east-1:regional/ipset/example/ ID 
" 
  
 } 
 ]

Case Wall

Result type

Value/Description

Type (Entity \ General)

Output message*

The action should not fail nor stop a playbook execution:

If successfully listed available IP Sets and "Scope" == "Both":"Successfully listed available Web ACLs in Regional and Cloudfront scopes."

If successfully listed available IP Sets(is_success = true) and "Scope" == "Regional":"Successfully listed available Web ACLs in Regional scope."

If successfully listed available IP Sets(is_success = true) and "Scope" == "Cloudfront":"Successfully listed available Web ACLs in Cloudfront scope."

If no available values(is_success = false) and "Scope" == "Both":"No available Web ACLs were found in Regional and Cloudfront scopes."

If no available values (is_success = false) and "Scope" == "Regional":"No available Web ACLs were found in Regional scope."

If no available values(is_success = false) and "Scope" == "Cloudfront":"No available Web ACLs were found in Cloudfront scope."

The action should fail and stop a playbook execution:

if fatal error, SDK error, like wrong credentials, no connection to server, other:"Error executing action "List Web ACLs". Reason: {0}''.format(error.Stacktrace)

General

Case Wall Table

(if "Scope" == "Regional" or "Both")

Table Name:Regional Rule ACLs

Table Columns:

Name
ID
Description
Lock Token
ARN

General

Case Wall Table

(if "Scope" == "CloudFront" or "Both")

Table Name:CloudFront Rule ACLs

Table Columns:

Name
ID
Description
Lock Token
ARN

General

Remove Rule From Rule Group

Remove a rule from the rule group in AWS WAF.

Parameters

Parameter Display Name

Type

Default Value

Is Mandatory

Description

Rule Group Names

CSV

Yes

Specify the comma-separated list of Rule Group names. Example: name_1,name_2

Scope

DDL

CloudFront

Possible values:

CloudFront
Regional
Both

Yes

Specify what should be the scope for the removal of the rule group. If "Both" is selected, action will remove a Rule Group in Regional and CloudFront scopes.

Rule Name

String

N/A

Yes

Specify the name of the rule that should be deleted.

Run On

This action doesn't run on entities.

Action Results

Script Result

Script Result Name	Value Options
is_success	is_success=False
is_success	is_success=True

Case Wall

Result Type	Value / Description	Type
Output message*	The action should not fail nor stop a playbook execution: If successful and at least one rule was removed from one Rule Group:"Successfully removed a rule from the following {0} Rule Groups '{1}' in AWS WAF.".format("Regional"/"Cloudfront", list of names) If unsuccessful for one Rule Group:"Action wasn't able to remove a rule from the following {0} Rule Groups '{1}' in AWS WAF.".format("Regional"/"Cloudfront", list of names) If unsuccessful for one Rule Group, because rule wasn't found in one Rule Group:"Action wasn't able to find the specified rule in the following {0} Rule Groups '{1}' in AWS WAF.".format("Regional"/"Cloudfront", list of rule group names) If fail to find one of the Rule Group:"Action wasn't able to find the following '{0}' Rule Groups in the AWS WAF:\n {1}".format("Regional"/Cloudfront", list of Rule Group that were not found in that scope) If fail to find all of the provided sets in the desired scope or scopes:"Action didn't find the provided Rule Groups." The action should fail and stop a playbook execution: If a fatal error, SDK error, like wrong credentials, no connection to the server, other is reported:"Error executing action "Remove Rule From Rule Group". Reason: {0}''.format(error.Stacktrace)	General

Result Type

Value / Description

Type

Output message*

The action should not fail nor stop a playbook execution:

If successful and at least one rule was removed from one Rule Group:"Successfully removed a rule from the following {0} Rule Groups '{1}' in AWS WAF.".format("Regional"/"Cloudfront", list of names)

If unsuccessful for one Rule Group:"Action wasn't able to remove a rule from the following {0} Rule Groups '{1}' in AWS WAF.".format("Regional"/"Cloudfront", list of names)

If unsuccessful for one Rule Group, because rule wasn't found in one Rule Group:"Action wasn't able to find the specified rule in the following {0} Rule Groups '{1}' in AWS WAF.".format("Regional"/"Cloudfront", list of rule group names)

If fail to find one of the Rule Group:"Action wasn't able to find the following '{0}' Rule Groups in the AWS WAF:\n {1}".format("Regional"/Cloudfront", list of Rule Group that were not found in that scope)

If fail to find all of the provided sets in the desired scope or scopes:"Action didn't find the provided Rule Groups."

The action should fail and stop a playbook execution:

If a fatal error, SDK error, like wrong credentials, no connection to the server, other is reported:"Error executing action "Remove Rule From Rule Group". Reason: {0}''.format(error.Stacktrace)

General

List Rule Groups

List available rule groups in AWS WAF.

Parameters

Parameter Display Name

Type

Default Value

Is Mandatory

Description

Scope

DDL

CloudFront

Possible values:

CloudFront
Regional
Both

Specify what should be the scope for the listing of Rule Groups.

Max Rule Groups To Return

Integer

Specify how many Rule Groups to return. Default is 50. Maximum is 100.

Run On

This action doesn't run on entities.

Action Results

Script Result

Script Result Name	Value Options
is_success	is_success=False
is_success	is_success=True

JSON Result

  [ 
  
 { 
  
 "Name" 
 : 
  
 "example" 
 , 
  
 "Id" 
 : 
  
 " ID 
" 
 , 
  
 "Description" 
 : 
  
 "example" 
 , 
  
 "LockToken" 
 : 
  
 "7e76581b-f152-4448-aafe-b733a33c8fa2" 
 , 
  
 "ARN" 
 : 
  
 "arn:aws:wafv2:us-east-1:regional/ipset/example/ ID 
" 
  
 } 
 ] 
 "CloudFront" 
 : 
  
 [ 
  
 { 
  
 "Name" 
 : 
  
 "example" 
 , 
  
 "Id" 
 : 
  
 " ID 
" 
 , 
  
 "Description" 
 : 
  
 "example" 
 , 
  
 "LockToken" 
 : 
  
 "7e76581b-f152-4448-aafe-b733a33c8fa2" 
 , 
  
 "ARN" 
 : 
  
 "arn:aws:wafv2:us-east-1:regional/ipset/example/ ID 
" 
  
 } 
 ]

Case Wall

Result type

Value/Description

Type (Entity \ General)

Output message*

The action should not fail nor stop a playbook execution:

If successfully listed available IP Sets and "Scope" == "Both":"Successfully listed available Rule groups in Regional and Cloudfront scopes."

If successfully listed available IP Sets and "Scope" == "Regional":"Successfully listed available Rule groups in Regional scope."

If successfully listed available IP Sets and "Scope" == "Cloudfront":"Successfully listed available Rule groups in Cloudfront scope.">

If no available values and "Scope" == "Both":"No available Rule groups were found in Regional and Cloudfront scopes."

If no available values and "Scope" == "Regional":"No available Rule groups were found in Regional scope."

If no available values and "Scope" == "Cloudfront":"No available Rule groups were found in Cloudfront scope."

The action should fail and stop a playbook execution:

If a fatal error, SDK error, like wrong credentials, no connection to the server, other is reported:"Error executing action "List Rule Groups". Reason: {0}''.format(error.Stacktrace)

General

Case Wall Table

(if "Scope" == "Regional" or "Both")

Table Name:Regional Rule Groups

Table Columns:

Name
ID
Description
Lock Token
ARN

General

Case Wall Table

(if "Scope" == "CloudFront" or "Both")

Table Name:CloudFront Rule Groups

Table Columns:

Name
ID
Description
Lock Token
ARN

General

List IP Sets

List available IP Sets in AWS WAF.

Parameters

Parameter Display Name

Type

Default Value

Is Mandatory

Description

Scope

DDL

CloudFront

Possible values:

CloudFront
Regional
Both

Specify what should be the scope for the listing of IP sets.

Max IP Sets To Return

Integer

Specify how many IP sets to return. Default is 50. Maximum is 100.

Run On

This action doesn't run on entities.

Action Results

Script Result

Script Result Name	Value Options
is_success	is_success=False
is_success	is_success=True

JSON Result

  [ 
  
 { 
  
 "Name" 
 : 
  
 "example" 
 , 
  
 "Id" 
 : 
  
 " ID 
" 
 , 
  
 "Description" 
 : 
  
 "example" 
 , 
  
 "LockToken" 
 : 
  
 "7e76581b-f152-4448-aafe-b733a33c8fa2" 
 , 
  
 "ARN" 
 : 
  
 "arn:aws:wafv2:us-east-1:regional/ipset/example/ ID 
" 
  
 } 
 ] 
 "CloudFront" 
 : 
  
 [ 
  
 { 
  
 "Name" 
 : 
  
 "example" 
 , 
  
 "Id" 
 : 
  
 " ID 
" 
 , 
  
 "Description" 
 : 
  
 "example" 
 , 
  
 "LockToken" 
 : 
  
 "7e76581b-f152-4448-aafe-b733a33c8fa2" 
 , 
  
 "ARN" 
 : 
  
 "arn:aws:wafv2:us-east-1:regional/ipset/example/ ID 
" 
  
 } 
 ]

Case Wall

Result type

Value/Description

Type (Entity \ General)

Output message*

The action should not fail nor stop a playbook execution:

If successfully listed available IP Sets and "Scope" == "Both":"Successfully listed available IP sets in Regional and Cloudfront scopes."

If successfully listed available IP Sets and "Scope" == "Regional":"Successfully listed available IP sets in Regional scope."

If successfully listed available IP Sets and "Scope" == "Cloudfront":"Successfully listed available IP sets in Cloudfront scope."

If no available values and "Scope" == "Both":Print "No available IP Sets were found in Regional and Cloudfront scopes."

If no available values and "Scope" == "Regional":"No available IP Sets were found in Regional scope."

If no available values and "Scope" == "Cloudfront":"No available IP Sets were found in Cloudfront scope."

The action should fail and stop a playbook execution:

If a fatal error, SDK error, like wrong credentials, no connection to the server, other is reported:"Error executing action "List IP Sets". Reason: {0}''.format(error.Stacktrace)

General

Case Wall Table

(if "Scope" == "Regional" or "Both")

Table Name:Regional Rule Groups

Table Columns:

Name
ID
Description
Lock Token
ARN

General

Case Wall Table

(if "Scope" == "CloudFront" or "Both")

Table Name:CloudFront Rule Groups

Table Columns:

Name
ID
Description
Lock Token
ARN

General

Remove Pattern From Regex Pattern Set

Remove patterns from the regular expression set in AWS WAF.

Parameters

Parameter Display Name

Type

Default Value

Is Mandatory

Description

Regex Pattern Set Names

CSV

Yes

Specify the comma-separated list of regular expression set names, such as name_1,name_2 .

Patterns

CSV

Yes

Specify the comma-separated list of patterns that should be removed from the regular expression set, such as pattern_1,pattern_2 .

Scope

DDL

CloudFront

Possible values:

CloudFront
Regional
Both

Yes

Scope of the set. If "Both" is selected, the action removes patterns from regular expression sets in both Regional and CloudFront scopes.

Run On

This action doesn't run on entities.

Action Results

Script Result

Script Result Name	Value Options
is_success	is_success=False
is_success	is_success=True

Case Wall

Result Type	Value / Description	Type
Output message*	The action should not fail nor stop a playbook execution: If successful and at least one pattern set was removed from one regex set:"Successfully removed the following patterns from the {0} Regex Pattern Set '{1}' in AWS WAF: \n {2}".format("Regional"/"Cloudfront", full_name, list of entity patterns) If pattern never existed in that Pattern Set:"The following patterns were not found in the {0} Regex Pattern Set '{1}' in AWS WAF: \n {2}".format("Regional"/"Cloudfront", full_name, list of patterns) If fail to remove all patterns on all Regex Pattern Sets:"No patterns were removed from the provided Regex Pattern Sets." If fail to find one of the Pattern sets:"Action wasn't able to find the following '{0}' Regex Pattern Sets in the AWS WAF:\n {1}".format("Regional"/Cloudfront",list of sets that were not found in that scope) If fail to find all of the provided Regex Pattern sets in the desired scope or scopes:"Action didn't find the provided Regex Pattern sets." The action should fail and stop a playbook execution: If a fatal error, SDK error, like wrong credentials, no connection to server, other is reported:"Error executing action "Remove Pattern From Regex Pattern Set". Reason: {0}''.format(error.Stacktrace)	General

Result Type

Value / Description

Type

Output message*

The action should not fail nor stop a playbook execution:

If successful and at least one pattern set was removed from one regex set:"Successfully removed the following patterns from the {0} Regex Pattern Set '{1}' in AWS WAF: \n {2}".format("Regional"/"Cloudfront", full_name, list of entity patterns)

If pattern never existed in that Pattern Set:"The following patterns were not found in the {0} Regex Pattern Set '{1}' in AWS WAF: \n {2}".format("Regional"/"Cloudfront", full_name, list of patterns)

If fail to remove all patterns on all Regex Pattern Sets:"No patterns were removed from the provided Regex Pattern Sets."

If fail to find one of the Pattern sets:"Action wasn't able to find the following '{0}' Regex Pattern Sets in the AWS WAF:\n {1}".format("Regional"/Cloudfront",list of sets that were not found in that scope)

If fail to find all of the provided Regex Pattern sets in the desired scope or scopes:"Action didn't find the provided Regex Pattern sets."

The action should fail and stop a playbook execution:

If a fatal error, SDK error, like wrong credentials, no connection to server, other is reported:"Error executing action "Remove Pattern From Regex Pattern Set". Reason: {0}''.format(error.Stacktrace)

General

Remove IP From IP Set

Remove IP addresses from the IP Set in AWS WAF.

Parameters

Parameter Display Name

Type

Default Value

Is Mandatory

Description

IP Set Names

CSV

Yes

Specify the comma-separated list of IP set names. Example: name_1,name_2

Scope

DDL

CloudFront

Possible values:

CloudFront
Regional
Both

Yes

Specify what should be the scope of the IP set. If "Both" is selected, action will remove IP addresses from IP sets in Regional and CloudFront scopes.

Run On

This action runs on IP entities.

Action Results

Script Result

Script Result Name	Value Options
is_success	is_success=False
is_success	is_success=True

Case Wall

Result Type	Value / Description	Type
Output message*	The action should not fail nor stop a playbook execution: If successful and at least one IP addresses was removed from one IP set:"Successfully removed the following IPs from the {0} IP Set '{1}' in AWS WAF: \n {2}".format("Regional"/"Cloudfront", full_name, entity.identifier list) If IPs never existed in that IP Set:"The following IPs were not a part of the {0} IP Set '{1}' in AWS WAF: \n {2}".format("Regional"/"Cloudfront", full_name, entity.identifier list) If fail to remove all entities on all IP sets:"No IPs were removed from the provided IP Sets." If fail to find one of the IP sets:P "Action wasn't able to find the following '{0}' IP Sets in the AWS WAF:\n {1}".format("Regional"/Cloudfront",list of IP sets that were not found in that scope) If fail to find all of the provided IP sets in the desired scope or scopes:"Action didn't find the provided IP sets." The action should fail and stop a playbook execution: If a fatal error, SDK error, like wrong credentials, no connection to the server, other is reported:"Error executing action "Remove IP From IP Set". Reason: {0}''.format(error.Stacktrace)	General

Result Type

Value / Description

Type

Output message*

The action should not fail nor stop a playbook execution:

If successful and at least one IP addresses was removed from one IP set:"Successfully removed the following IPs from the {0} IP Set '{1}' in AWS WAF: \n {2}".format("Regional"/"Cloudfront", full_name, entity.identifier list)

If IPs never existed in that IP Set:"The following IPs were not a part of the {0} IP Set '{1}' in AWS WAF: \n {2}".format("Regional"/"Cloudfront", full_name, entity.identifier list)

If fail to remove all entities on all IP sets:"No IPs were removed from the provided IP Sets."

If fail to find one of the IP sets:P "Action wasn't able to find the following '{0}' IP Sets in the AWS WAF:\n {1}".format("Regional"/Cloudfront",list of IP sets that were not found in that scope)

If fail to find all of the provided IP sets in the desired scope or scopes:"Action didn't find the provided IP sets."

The action should fail and stop a playbook execution:

If a fatal error, SDK error, like wrong credentials, no connection to the server, other is reported:"Error executing action "Remove IP From IP Set". Reason: {0}''.format(error.Stacktrace)

General

List Regex Pattern Sets

List available regular expression sets in AWS WAF.

Parameters

Parameter Display Name

Type

Default Value

Is Mandatory

Description

Scope

DDL

CloudFront

Possible values:

CloudFront
Regional
Both

Specify what should be the scope for the listing of IP sets.

Max Regex Pattern Sets To Return

Integer

Specify how many regular expression sets to return. Default is 5. Maximum is 10.

Run On

This action doesn't run on entities.

Action Results

Script Result

Script Result Name	Value Options
is_success	is_success=False
is_success	is_success=True

JSON Result

  [ 
  
 { 
  
 "Name" 
 : 
  
 "example" 
 , 
  
 "Id" 
 : 
  
 " ID 
" 
 , 
  
 "Description" 
 : 
  
 "example" 
 , 
  
 "LockToken" 
 : 
  
 "7e76581b-f152-4448-aafe-b733a33c8fa2" 
 , 
  
 "ARN" 
 : 
  
 "arn:aws:wafv2:us-east-1:regional/ipset/example/ ID 
" 
  
 } 
 ] 
 "CloudFront" 
 : 
  
 [ 
  
 { 
  
 "Name" 
 : 
  
 "example" 
 , 
  
 "Id" 
 : 
  
 " ID 
" 
 , 
  
 "Description" 
 : 
  
 "example" 
 , 
  
 "LockToken" 
 : 
  
 "7e76581b-f152-4448-aafe-b733a33c8fa2" 
 , 
  
 "ARN" 
 : 
  
 "arn:aws:wafv2:us-east-1:regional/ipset/example/ ID 
" 
  
 } 
 ]

Case Wall

Result type

Value/Description

Type (Entity \ General)

Output message*

The action should not fail nor stop a playbook execution:

If successfully listed available Regex Sets and "Scope" == "Both":"Successfully listed available Regex Pattern sets in Regional and Cloudfront scopes."

If successfully listed available IP Sets and "Scope" == "Regional":"Successfully listed available Regex Pattern sets in Regional scope."

If successfully listed available IP Sets and "Scope" == "Cloudfront":"Successfully listed available Regex Pattern sets in Cloudfront scope."

If no available values and "Scope" == "Both":"No available Regex Pattern sets were found in Regional and Cloudfront scopes."

If no available values and "Scope" == "Regional":"No available Regex Pattern sets were found in Regional scope."

If no available values and "Scope" == "Cloudfront":"No available Regex Pattern sets were found in Cloudfront scope."

The action should fail and stop a playbook execution:

If a fatal error, SDK error, like wrong credentials, no connection to the server, other is reported:"Error executing action "List Regex Pattern Sets". Reason: {0}''.format(error.Stacktrace)

General

Case Wall Table

(if "Scope" == "Regional" or "Both")

Table Name:Regional Rule Groups

Table Columns:

Name
ID
Description
Lock Token
ARN

General

Case Wall Table

(if "Scope" == "CloudFront" or "Both")

Table Name:CloudFront Rule Groups

Table Columns:

Name
ID
Description
Lock Token
ARN

General

Remove Entity From Regex Pattern Set

Remove string patterns based on entities from the regular expression set in AWS WAF.

Parameters

Parameter Display Name

Type

Default Value

Is Mandatory

Description

Regex Pattern Set Names

CSV

Yes

Specify the comma-separated list of regular expression set names, such as name_1,name_2 .

Scope

DDL

CloudFront

Possible values:

CloudFront
Regional
Both

Yes

Scope of the set. If "Both" is selected, the action removes patterns based on entities from regular expression sets in Regional and CloudFront scopes.

Domain Pattern

Checkbox

True

If enabled, the action retrieves the domain part from URLs and searches for a regular expression based on them in the regular expression set, such as http://test.com/folder turns to ^(http|https)(:\/\/)(\Qtest.com\E).* .

IP Pattern

Checkbox

True

If enabled, the action searches for a regular expression out of IP address instead of the raw value, such as 10.0.0.1 turns to ^(http|https)(:\/\/)(\Q10.0.1\E).* .

Run On

This action runs on the following entities:

IP Address
URL

Action Results

Script Result

Script Result Name	Value Options
is_success	is_success=False
is_success	is_success=True

Case Wall

Result type	Value/Description	Type (Entity \ General)
Output message*	The action should not fail nor stop a playbook execution: If successful and at least one entity was removed from one IP set:"Successfully removed the following entity patterns from the {0} Regex Pattern Set '{1}' in AWS WAF: \n {2}".format("Regional"/"Cloudfront", full_name, list of entity patterns) If entity never existed in that Regex Pattern Set:"The following patterns were not found in the {0} Regex Pattern Set '{1}' in AWS WAF: \n {2}".format("Regional"/"Cloudfront", full_name, list of entity patterns) If fail to remove all entities on all IP sets:"No patterns were removed from the provided Regex Pattern Sets." If fail to find one of the IP sets:"Action wasn't able to find the following '{0}' Regex Pattern Sets in the AWS WAF:\n {1}".format("Regional"/Cloudfront",list of IP sets that were not found in that scope) If fail to find all of the provided Regex Pattern sets in the desired scope or scopes:"Action didn't find the provided Regex Pattern sets." The action should fail and stop a playbook execution: If a fatal error, SDK error, like wrong credentials, no connection to the server, other is reported:"Error executing action "Remove Entity From Regex Pattern Set". Reason: {0}''.format(error.Stacktrace)	General

Result type

Value/Description

Type (Entity \ General)

Output message*

The action should not fail nor stop a playbook execution:

If successful and at least one entity was removed from one IP set:"Successfully removed the following entity patterns from the {0} Regex Pattern Set '{1}' in AWS WAF: \n {2}".format("Regional"/"Cloudfront", full_name, list of entity patterns)

If entity never existed in that Regex Pattern Set:"The following patterns were not found in the {0} Regex Pattern Set '{1}' in AWS WAF: \n {2}".format("Regional"/"Cloudfront", full_name, list of entity patterns)

If fail to remove all entities on all IP sets:"No patterns were removed from the provided Regex Pattern Sets."

If fail to find one of the IP sets:"Action wasn't able to find the following '{0}' Regex Pattern Sets in the AWS WAF:\n {1}".format("Regional"/Cloudfront",list of IP sets that were not found in that scope)

If fail to find all of the provided Regex Pattern sets in the desired scope or scopes:"Action didn't find the provided Regex Pattern sets."

The action should fail and stop a playbook execution:

If a fatal error, SDK error, like wrong credentials, no connection to the server, other is reported:"Error executing action "Remove Entity From Regex Pattern Set". Reason: {0}''.format(error.Stacktrace)

General

Need more help? Get answers from Community members and Google SecOps professionals.