Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

"Automate" alert actions

stwong
Communicator
‎05-08-2018 09:46 PM

Hi, we want to block malicious IP address in firewall as alert action. We run python script to block such IP address through REST api. It seems okay.

However, we're requested to unblock such blocked IP address automatically after blocking for 15 minutes. Is it possible to do so through Splunk?

Besides, shall we use webhook instead of running external scripts ?

We're using Splunk 7.0.

Thanks a lot.
Regards,
/ST Wong

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

xpac
SplunkTrust
SplunkTrust
‎05-09-2018 02:16 AM

You might be able to figure something out by writing those bad IPs to a lookup (using |outputlookup append=true)including a timestamp, and also call the REST API to block them.
You could then regularly search through that lookup, filter on entries older than 15 minutes, and have another alert action on those to have the REST API unblock them, and also drop them from the lookup.

Not exactly a complete solution, but you should be able to figure something out using those idea 😉

Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂

View solution in original post

Reply
Solved! Jump to solution
Solution

xpac
SplunkTrust
SplunkTrust
‎05-09-2018 02:16 AM

You might be able to figure something out by writing those bad IPs to a lookup (using |outputlookup append=true)including a timestamp, and also call the REST API to block them.
You could then regularly search through that lookup, filter on entries older than 15 minutes, and have another alert action on those to have the REST API unblock them, and also drop them from the lookup.

Not exactly a complete solution, but you should be able to figure something out using those idea 😉

Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂

Reply
Solved! Jump to solution

cygnetix
Path Finder
‎05-08-2018 10:06 PM

I would personally feel a bit uncomfortable doing this from core Splunk. Have you taken a look at Splunk's recent acquisition https://phantom.us?

It's yet another product to deploy and pay for but it'd designed for exactly this type of orchestration task. While I think you could do it in Splunk using a combination of searches and the kvstore, I would worry that it'd be quite complicated and brittle and is getting a little outside of Splunk's core capabilities and intended purpose.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...