April 26, 2024
June 12, 2024

This integration enables IP addresses from alerts to populate into an IP Set on an AWS WAF. When set up, you can attach the integration to an alert. This enables alerts to put IP addresses into an IP set, which can function as either a block list or an allow list.

When attached to an alert, the integration captures the IP addresses that triggered the alert during the specified period. For example, if you configure an alert to detect SQL injection in requests and link it to this integration, any triggering IP addresses within the defined timeframe will be added to the designated IP Set.

1. Navigate to Integrations in the FireTail platform. Select the Create integration tab.

2. Click AWS WAFv2 IP Set.

3. In the Name of Integration field, enter a name for the integration.

4. Select the AWS Region of the WAFv2.

5. Log in to AWS and return to the FireTail platform

6. Click Launch Cloudformation to launch the template. This opens a template that will deploy a role that allows FireTail to connect to your AWS WAFv2.

7. Select the checkbox; I acknowledge that AWS CloudFormation might create IAM resources. Click Create stack.

8. When the CloudFormation Stack has a status of CREATE_COMPLETE, copy the RoleARN from the Outputs tab.

9. Return to the FireTail platform. Paste the copied value in the AWS Role ARN field.

10. Select the Scope as Regional or Cloudfront.

  • Regional is for WAFs that protect API Gateways, Loadbalancers and so on.

11. Enter the values into IPV4/IPV6 Set ID and Set Name fields. These values can be retrieved from AWS:

  • Open AWS and search for AWS WAF & Shield.
  • Select IP Sets from the left menu.
  • Select the Region from the dropdown.
  • Copy the IP Set ID and IP Set Name.
  • Paste into corresponding fields in the FireTail platform.

12. Click Submit.