Is anyone auto-blocking malicious IPs using the 'A...

geekf · ‎01-18-2022

Hi,

I was wondering if anyone is auto-blocking malicious IPs using the 'Alert Action' or using any other method. We have Cisco FMC and are thinking of using the REST API to block the IPs. I would appreciate it if anyone has achieved this and can share how you are doing this.

Thanks!

geekf · ‎08-31-2022

Hey @johnhuang , if that script is something you can share, I would appreciate that.

johnhuang · ‎01-18-2022

Don't feel fully comfortable with Splunk making changes to critical systems, you should implement checks in the middle either scripting it yourself or leverage a SOAR platform.

We have success with scripting using Splunk report/query result -> Internal Webpage -> Palo Alto (using external dynamic address list) to block. Within our process, we have multiple layers of check to ensure it doesn't block anything legitimate.

johnhuang · ‎08-31-2022

Basically you need to setup a process where you have a script which runs a splunk report/search via restapi and publish a list of "malicious ips" to an internal webpage (aka threat feed). Then you setup a firewall rule to block based on the threat feed.

Is anyone auto-blocking malicious IPs using the 'Alert Action' or using other methods?

access control

other

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!