Security

Is anyone auto-blocking malicious IPs using the 'Alert Action' or using other methods?

geekf
Path Finder

Hi,

I was wondering if anyone is auto-blocking malicious IPs using the 'Alert Action' or using any other method. We have Cisco FMC and are thinking of using the REST API to block the IPs. I would appreciate it if anyone has achieved this and can share how you are doing this.

Thanks!

Labels (1)
0 Karma

geekf
Path Finder

Hey @johnhuang , if that script is something you can share, I would appreciate that.

0 Karma

johnhuang
Motivator

Don't feel fully comfortable with Splunk making changes to critical systems, you should implement checks in the middle either scripting it yourself or leverage a SOAR platform.

We have success with scripting using Splunk report/query result -> Internal Webpage -> Palo Alto (using external dynamic address list) to block. Within our process, we have multiple layers of check to ensure it doesn't block anything legitimate.

johnhuang
Motivator

Basically you need to setup a process where you have a script which runs a splunk report/search via restapi and publish a list of "malicious ips" to an internal webpage (aka threat feed). Then you setup a firewall rule to block based on the threat feed.

0 Karma
Get Updates on the Splunk Community!

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...