
Splunk alert and shutting down a physical port on a switch

pzharyuk
New Member

Has anyone used Splunk to act upon an alert and shut down a physical port on the switch? This would require running a script when an alert is triggered. I just want to reach out to the community and see if something like this has been done already.


MuS
SplunkTrust

Hi pzharyuk,

You can do such a thing, and also can find examples in the docs here http://docs.splunk.com/Documentation/Splunk/latest/AdvancedDev/ModAlertsIntro

Just make sure the script and the alert are bulletproof before you use them in Splunk; you don't want false positives on the alert to make the script shut down your core router interfaces, for example.

Hope this helps ...

cheers, MuS


pzharyuk
New Member

Oh yeah, I will definitely make sure of that. The idea is to act upon an IPS alert. I was able to pull the physical port/AP that the user is connected to using the Cisco Prime APIs, and I want to correlate that data with the IPS data so that Splunk can trigger a script to disable the port of a critically infected user machine.

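As an added example (not code from this thread or from Splunk), here is the skeleton of a custom alert action script of the kind the linked docs describe, focused on the "bulletproof" gate MuS asks for: Splunk invokes it with `--execute` and passes the alert payload as JSON on stdin; the correlated result field names (`switch`, `interface`, `ips_severity`, `src_ip`), the protected-interface list and the severity scale are assumptions for this example.

```python
import json
import sys

# Interfaces the action must never touch regardless of what the alert says
# (MuS's "core router interfaces" caveat). Constructed list for this example.
PROTECTED_INTERFACES = {"GigabitEthernet1/0/1", "TenGigabitEthernet1/1/1"}

# Minimum IPS severity before automatic containment is allowed (assumed 1-5 scale).
MIN_SEVERITY = 4


def decide_port_shutdown(payload, protected=PROTECTED_INTERFACES, min_severity=MIN_SEVERITY):
    """Validate one alert payload and return (action, reason).

    action is "shutdown" only when every gate passes, otherwise "skip".
    Assumed correlated result fields: switch, interface, ips_severity, src_ip.
    """
    result = payload.get("result", {})
    missing = [f for f in ("switch", "interface", "ips_severity", "src_ip") if not result.get(f)]
    if missing:
        return "skip", "missing fields: " + ", ".join(missing)
    try:
        severity = int(result["ips_severity"])
    except ValueError:
        return "skip", "non-numeric ips_severity"
    if severity < min_severity:
        return "skip", "severity %d below threshold %d" % (severity, min_severity)
    if result["interface"] in protected:
        return "skip", "interface %s is protected" % result["interface"]
    return "shutdown", "%s %s (src %s, severity %d)" % (
        result["switch"], result["interface"], result["src_ip"], severity)


def ios_shutdown_commands(interface):
    """IOS configuration lines the containment step would push to the switch."""
    return ["configure terminal", "interface " + interface, "shutdown", "end"]


def main():
    # Splunk runs custom alert actions as: script.py --execute < payload.json
    if len(sys.argv) < 2 or sys.argv[1] != "--execute":
        sys.stderr.write("FATAL unsupported invocation\n")
        sys.exit(1)
    payload = json.load(sys.stdin)
    action, reason = decide_port_shutdown(payload)
    # stderr from an alert action ends up in splunkd.log, which is the audit trail here.
    sys.stderr.write("INFO search=%s action=%s reason=%s\n" % (payload.get("search_name"), action, reason))
    if action == "shutdown":
        cmds = ios_shutdown_commands(payload["result"]["interface"])
        # Site-specific push (SSH/NETCONF to payload["result"]["switch"]) goes here.
        sys.stderr.write("INFO commands=%s\n" % " / ".join(cmds))


if __name__ == "__main__":
    main()
```

Feed it a saved payload on stdin with `--execute` to dry-run the gate before wiring any device push behind it.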