Hi,
I was wondering if anyone is auto-blocking malicious IPs using the 'Alert Action' or using any other method. We have Cisco FMC and are thinking of using the REST API to block the IPs. I would appreciate it if anyone has achieved this and can share how you are doing this.
Thanks!
Hey @johnhuang , if that script is something you can share, I would appreciate that.
Don't feel fully comfortable with Splunk making changes to critical systems, you should implement checks in the middle either scripting it yourself or leverage a SOAR platform.
We have success with scripting using Splunk report/query result -> Internal Webpage -> Palo Alto (using external dynamic address list) to block. Within our process, we have multiple layers of check to ensure it doesn't block anything legitimate.
Basically you need to setup a process where you have a script which runs a splunk report/search via restapi and publish a list of "malicious ips" to an internal webpage (aka threat feed). Then you setup a firewall rule to block based on the threat feed.