Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Auto Block IP

geekf
Path Finder
‎01-18-2022 09:23 AM

Hi,

I was wondering if anyone is auto-blocking malicious IPs using the 'Alert Action' or using any other method. We have Cisco FMC and are thinking of using the REST API to block the IPs. I would appreciate it if anyone has achieved this and can share how you are doing this.

Thanks!

Labels (2)
Labels
0 Karma
Reply

johnhua
Builder
‎01-18-2022 06:23 PM

Don't feel fully comfortable with Splunk making changes to critical systems, you should implement checks in the middle either scripting it yourself or leverage a SOAR platform.

We have success with scripting using Splunk report/query result -> Internal Webpage -> Palo Alto (using external dynamic address list) to block. Within our process, we have multiple layers of check to ensure it doesn't block anything legitimate.

0 Karma
Reply
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...