I was wondering if anyone is auto-blocking malicious IPs using the 'Alert Action' or using any other method. We have Cisco FMC and are thinking of using the REST API to block the IPs. I would appreciate it if anyone has achieved this and can share how you are doing this.
Don't feel fully comfortable with Splunk making changes to critical systems, you should implement checks in the middle either scripting it yourself or leverage a SOAR platform.
We have success with scripting using Splunk report/query result -> Internal Webpage -> Palo Alto (using external dynamic address list) to block. Within our process, we have multiple layers of check to ensure it doesn't block anything legitimate.
Basically you need to setup a process where you have a script which runs a splunk report/search via restapi and publish a list of "malicious ips" to an internal webpage (aka threat feed). Then you setup a firewall rule to block based on the threat feed.