Alerting

"Automate" alert actions

stwong
Communicator

Hi, we want to block malicious IP address in firewall as alert action. We run python script to block such IP address through REST api. It seems okay.

However, we're requested to unblock such blocked IP address automatically after blocking for 15 minutes. Is it possible to do so through Splunk?

Besides, shall we use webhook instead of running external scripts ?

We're using Splunk 7.0.

Thanks a lot.
Regards,
/ST Wong

Tags (1)
0 Karma
1 Solution

xpac
SplunkTrust
SplunkTrust

You might be able to figure something out by writing those bad IPs to a lookup (using |outputlookup append=true)including a timestamp, and also call the REST API to block them.
You could then regularly search through that lookup, filter on entries older than 15 minutes, and have another alert action on those to have the REST API unblock them, and also drop them from the lookup.

Not exactly a complete solution, but you should be able to figure something out using those idea 😉

Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂

View solution in original post

xpac
SplunkTrust
SplunkTrust

You might be able to figure something out by writing those bad IPs to a lookup (using |outputlookup append=true)including a timestamp, and also call the REST API to block them.
You could then regularly search through that lookup, filter on entries older than 15 minutes, and have another alert action on those to have the REST API unblock them, and also drop them from the lookup.

Not exactly a complete solution, but you should be able to figure something out using those idea 😉

Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂

cygnetix
Path Finder

I would personally feel a bit uncomfortable doing this from core Splunk. Have you taken a look at Splunk's recent acquisition https://phantom.us?

It's yet another product to deploy and pay for but it'd designed for exactly this type of orchestration task. While I think you could do it in Splunk using a combination of searches and the kvstore, I would worry that it'd be quite complicated and brittle and is getting a little outside of Splunk's core capabilities and intended purpose.

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...