Is anyone auto-blocking malicious IPs using the 'A...

geekf · ‎01-18-2022

Hi,

I was wondering if anyone is auto-blocking malicious IPs using the 'Alert Action' or using any other method. We have Cisco FMC and are thinking of using the REST API to block the IPs. I would appreciate it if anyone has achieved this and can share how you are doing this.

Thanks!

geekf · ‎08-31-2022

Hey @johnhuang , if that script is something you can share, I would appreciate that.

johnhuang · ‎01-18-2022

Don't feel fully comfortable with Splunk making changes to critical systems, you should implement checks in the middle either scripting it yourself or leverage a SOAR platform.

We have success with scripting using Splunk report/query result -> Internal Webpage -> Palo Alto (using external dynamic address list) to block. Within our process, we have multiple layers of check to ensure it doesn't block anything legitimate.

johnhuang · ‎08-31-2022

Basically you need to setup a process where you have a script which runs a splunk report/search via restapi and publish a list of "malicious ips" to an internal webpage (aka threat feed). Then you setup a firewall rule to block based on the threat feed.

Is anyone auto-blocking malicious IPs using the 'Alert Action' or using other methods?

access control

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation