Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

"Automate" alert actions

stwong
Communicator
‎05-08-2018 09:46 PM

Hi, we want to block malicious IP address in firewall as alert action. We run python script to block such IP address through REST api. It seems okay.

However, we're requested to unblock such blocked IP address automatically after blocking for 15 minutes. Is it possible to do so through Splunk?

Besides, shall we use webhook instead of running external scripts ?

We're using Splunk 7.0.

Thanks a lot.
Regards,
/ST Wong

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

xpac
SplunkTrust
SplunkTrust
‎05-09-2018 02:16 AM

You might be able to figure something out by writing those bad IPs to a lookup (using |outputlookup append=true)including a timestamp, and also call the REST API to block them.
You could then regularly search through that lookup, filter on entries older than 15 minutes, and have another alert action on those to have the REST API unblock them, and also drop them from the lookup.

Not exactly a complete solution, but you should be able to figure something out using those idea 😉

Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂

View solution in original post

Reply
Solved! Jump to solution
Solution

xpac
SplunkTrust
SplunkTrust
‎05-09-2018 02:16 AM

You might be able to figure something out by writing those bad IPs to a lookup (using |outputlookup append=true)including a timestamp, and also call the REST API to block them.
You could then regularly search through that lookup, filter on entries older than 15 minutes, and have another alert action on those to have the REST API unblock them, and also drop them from the lookup.

Not exactly a complete solution, but you should be able to figure something out using those idea 😉

Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂

Reply
Solved! Jump to solution

cygnetix
Path Finder
‎05-08-2018 10:06 PM

I would personally feel a bit uncomfortable doing this from core Splunk. Have you taken a look at Splunk's recent acquisition https://phantom.us?

It's yet another product to deploy and pay for but it'd designed for exactly this type of orchestration task. While I think you could do it in Splunk using a combination of searches and the kvstore, I would worry that it'd be quite complicated and brittle and is getting a little outside of Splunk's core capabilities and intended purpose.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...