George, I heard you talk at Splunk Live ATL. Were you the one with the quarantine integration on IPS for bad actors? If so, could we talk off list?

Yup that is me. That code is represented in the repo. Though I do need to redo all this in the new alert framework as mentioned by frobinson above in the comments. george@georgestarcher.com will reach me.

I saw this as a new feature with 6.3 and will test. However based on my reading it doesn't look to be very configurable or support the macros I would want: source and/or destination IP, source and/or destination port, etc.

Understandable. Depending on your use case, you can also build a custom alert action:
http://docs.splunk.com/Documentation/Splunk/6.3.0/AdvancedDev/ModAlertsIntro

Thanks starcher. I figured it would probably come down to a python script, but I am not a very strong script writer. I will try to research a bit and see what I can find to create a script for this sort of integration.

You can use my code as a model/base. It is MIT license so you are free to use it how you wish. With the only restriction of don't blame me if you don't like it 😃

You can always make your own python code and send in the results in a table csv for it to act on. Similar to what I do here: https://github.com/georgestarcher/Splunk-Alert/tree/master/XARF Not GUI simple but works.