
Commit d49cb4a

mauricesvay and claude authored
✨ Add one-click attacker cluster blocking documentation (#37719)
* fix(aap): correct button names in attacker clustering docs
  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix(aap): add block-cluster-button screenshot
  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix(aap): fix Vale warnings in attacker clustering docs
  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix(aap): address PR review comments on attacker clustering docs
  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
* fix(aap): clarify "cluster attributes" wording
  Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
1 parent 4eee38e commit d49cb4a

2 files changed

Lines changed: 31 additions & 0 deletions

File tree

content/en/security/application_security/security_signals/attacker_clustering.md

Lines changed: 31 additions & 0 deletions
@@ -85,6 +85,37 @@ This manual approach allows you to create more targeted blocking rules when the
8585

8686
{{< img src="security/application_security/threats/custom-clusters.png" alt="An AAP signal with custom clusters sorted by the attacker attributes" >}}
8787

88+
## Block an attacker cluster with one click
89+
90+
After an attacker cluster is identified, you can directly generate an In-App WAF custom rule in the UI that matches the cluster attributes, without needing to write regex.
91+
92+
To block a cluster:
93+
94+
1. Open the **Attacker Explorer** and select the **Cluster** grouping.
95+
2. Click a cluster to open its side panel.
96+
3. Click **Create In-App WAF rule** in the cluster header. The In-App WAF custom rule form opens pre-filled with the generated conditions, one condition per blocking attribute, combined with AND logic.
97+
4. Review the conditions and adjust if needed, then save the rule.
98+
99+
Alternatively, inside a security signal, you can click the **Create In-App WAF rule** icon on the cluster row in the clusters table.
100+
101+
If a matching blocking rule already exists for a cluster, the button changes to **View In-App WAF rule** and links directly to the existing rule.
102+
103+
{{< img src="security/application_security/threats/block-cluster-button.png" alt="The attacker cluster side panel with the Create In-App WAF rule button highlighted" >}}
104+
105+
### Supported attributes
106+
107+
The following cluster attributes can be converted to WAF conditions:
108+
109+
- HTTP user-agent (`@http.useragent`)
110+
- HTTP request headers (`@http.request.headers.*`)
111+
- Client IP (`@http.client_ip`)
112+
- User ID (`@usr.id`)
113+
- Datadog attacker fingerprint sub-attributes (`@appsec.fingerprint.*`)
114+
115+
Attributes that are not evaluated by the WAF at request time (for example, `@http.useragent_details.*`) cannot be converted. When a cluster contains unsupported attributes, the button is disabled and a tooltip lists the attributes that prevent rule generation.
116+
117+
**Note**: Generated rules default to monitoring mode. You can switch to blocking mode using the behavior toggle in the rule form before saving.
118+
88119
## Further reading
89120

90121
{{< partial name="whats-next/whats-next.html" >}}
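Review bot: the "Generated rules default to monitoring mode" note (line 117) arrives only after step 4 has already told the reader to "Review the conditions and adjust if needed, then save the rule" (line 97), so someone following the steps can save a rule believing the cluster is now blocked when it is only being monitored. Suggest folding the mode into step 4, for example "Review the conditions, switch the behavior toggle from monitoring to blocking if you want the rule to block, then save the rule", and keeping the **Note** as a reminder. Smaller wording point in step 3 (line 96): "one condition per blocking attribute" introduces a term the section does not define; the rest of the hunk says "cluster attributes" (lines 90, 107, 115), so "one condition per cluster attribute" would be consistent with the list under "Supported attributes".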