Firewall Excessive Hit 5.2.6
  • 01 Mar 2023

tags: python | Automation | PaloAlto | Firewall EDL | Azure Blobs


Description

Excessive Hit Automation was created to support CDC users by automating the playbook the CyberProof Monitoring/SOC teams use to address connection attempts made from IP addresses across the internet to the client's network in the last 30 days, as captured in the firewall logs.

This automation is built on top of that playbook and performs its calculations. Depending on the outcome, the next actions are chosen: ignoring the IP, enriching the IP address, blocking the IP address with the help of the Firewall EDL integration, and so on.

We use Splunk as the data source for this automation: it filters the alerts and forwards them to the automation. Each reported IP is enriched through integrations such as AbuseIPDB to determine whether the IP is malicious. If it is found malicious, it is added to the blocklist using the Firewall EDL integration; otherwise, no action is taken on the IP address.

To reduce the risk of blocking legitimate business IP addresses, we have provisioned a whitelist: IP addresses entered into it are never blocked.

Once the actions complete, all of the information is passed to the CDC in the form of an alert.

Integration Type: Automation
Information read: Splunk alert regarding excessive hits on firewalls.
API Supported:
Input: Alert from Splunk
Output: Creation of a ticket in the CDC, writing entries in the EDL blocklist on blobs, etc.

Customer Configuration

No customer configuration


CDC Command Lines

No CDC command lines


Workflows

* **add_new_alert_to_incident**
Handle an alert count of more than three in the last 30 days.

* **automate_create_incident**
Automate create incident.

* **automate_create_incident_for_cdc_2**
Automate create incident for CDC 2.0 or above versions.

* **create_incident_and_block_ip**
Create an incident in the CDC and block the IP.

* **get_cdc_version**
Get the CDC version.

* **mark_the_alert_as_irrelevant**
Handle an alert count of less than or equal to two in the last 30 days.
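The description and the two threshold workflows together define a decision procedure. The following Python is an added example, not code from the pack: it walks one constructed Splunk alert through that procedure, validating each source address, marking counts of two or fewer as irrelevant, skipping whitelisted addresses, consulting an enrichment verdict that stands in for the AbuseIPDB lookup, and rendering the survivors in the one-address-per-line format an IP-type EDL expects. The field names `src_ip` and `hit_count`, the whitelist contents, the verdict table and the acceptance of CIDR ranges in the whitelist are assumptions of the example; the page itself only speaks of a list of IP addresses.

```python
"""Decision logic of the Excessive Hit playbook, as an added illustration.

Field names, the whitelist and the enrichment verdicts below are constructed
assumptions for this example; they are not the pack's real schema or data.
"""
from dataclasses import dataclass, field
import ipaddress
import json
from typing import Iterable

# Threshold taken from the add_new_alert_to_incident workflow: more than three hits.
ESCALATE_ABOVE = 3

# Constructed sample alert in the shape a Splunk webhook might deliver
# (field names src_ip / hit_count are assumptions).
SAMPLE_SPLUNK_ALERT = json.dumps({
    "search_name": "firewall_excessive_deny",
    "results": [
        {"src_ip": "203.0.113.10", "hit_count": "17"},
        {"src_ip": "198.51.100.7", "hit_count": "2"},
        {"src_ip": "203.0.113.10", "hit_count": "5"},   # repeat of a source: keep the max
        {"src_ip": "192.0.2.44", "hit_count": "9"},     # inside the whitelisted range
        {"src_ip": "not-an-ip", "hit_count": "40"},     # malformed field
    ],
})

# Constructed whitelist. The page describes a list of IP addresses; accepting
# CIDR ranges as well is a generalization made by this example.
WHITELIST = ["192.0.2.0/24", "203.0.113.250"]

# Constructed stand-in for the AbuseIPDB lookup result (ip -> malicious?).
ENRICHMENT_VERDICT = {"203.0.113.10": True}


@dataclass
class TriageResult:
    irrelevant: list = field(default_factory=list)   # mark_the_alert_as_irrelevant
    whitelisted: list = field(default_factory=list)  # escalated but never blocked
    enriched: dict = field(default_factory=dict)     # ip -> verdict from enrichment
    blocked: list = field(default_factory=list)      # written to the EDL blocklist
    rejected: list = field(default_factory=list)     # entries that were not valid IPs


def parse_alert(raw_json: str) -> tuple[dict[str, int], list]:
    """Aggregate the alert into {ip: highest hit_count}, rejecting invalid IPs.

    Validating each address here keeps a malformed Splunk field from ever
    reaching the blocklist, where a bad line would spoil the EDL for every entry.
    """
    counts: dict[str, int] = {}
    rejected: list = []
    for row in json.loads(raw_json)["results"]:
        try:
            ip = str(ipaddress.ip_address(row["src_ip"]))
            hits = int(row["hit_count"])
        except (ValueError, KeyError):
            rejected.append(row.get("src_ip"))
            continue
        counts[ip] = max(counts.get(ip, 0), hits)
    return counts, rejected


def is_whitelisted(ip: str, whitelist: Iterable[str]) -> bool:
    """True if ip is a whitelisted address or falls inside a whitelisted range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in whitelist)


def triage(raw_json: str, whitelist: Iterable[str], verdicts: dict) -> TriageResult:
    """Apply the playbook: hit-count threshold, whitelist, enrichment, block."""
    result = TriageResult()
    counts, result.rejected = parse_alert(raw_json)
    for ip, hits in counts.items():
        # The page defines workflows for "more than three" and "two or fewer"
        # hits; exactly three is unspecified, and this example does not escalate it.
        if hits <= ESCALATE_ABOVE:
            result.irrelevant.append(ip)
            continue
        if is_whitelisted(ip, whitelist):
            result.whitelisted.append(ip)
            continue
        malicious = bool(verdicts.get(ip, False))   # unknown verdict -> no action
        result.enriched[ip] = malicious
        if malicious:
            result.blocked.append(ip)
    return result


def render_edl(blocked: Iterable[str]) -> str:
    """Render the blocklist as an IP-type EDL: one address per line, de-duplicated."""
    def sort_key(ip: str):
        addr = ipaddress.ip_address(ip)
        return (addr.version, int(addr))
    return "".join(f"{ip}\n" for ip in sorted(set(blocked), key=sort_key))


if __name__ == "__main__":
    outcome = triage(SAMPLE_SPLUNK_ALERT, WHITELIST, ENRICHMENT_VERDICT)
    print(outcome)
    print(render_edl(outcome.blocked), end="")
```

Two choices are worth noting. Addresses are validated before they are counted, so a garbage value in the alert is reported in `rejected` rather than silently written to the blob, where one unparsable line would affect the whole EDL. And an address with no enrichment verdict is treated as not malicious, which matches the page's "otherwise, no action is taken" rule and keeps a lookup failure from turning into a block.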


Rules

* **firewall_exessive_deny_alert_listener**
Firewall excessive deny alert listener.


Sensors

No sensors


Triggers

No triggers


Known Issues

No known issues


Change Log

| Pack Version | Date of Merge | Changes |
| --- | --- | --- |
| v5.2.5 | 2022-05-20 | Changed configuration title in ReadMe. |
| v5.2.4 | 2022-03-07 | Added uca-st-linter to pipeline. |
| v5.2.3 | 2021-11-10 | Updated firewall_black_list version in dependencies. |
| v5.2.2 | 2021-11-02 | Bugfix: Updated search input add_new_alert_to_incident_workflow. |
| v5.2.1 | 2021-10-28 | Fixed linter issue: added default value to config schema. |
| v5.2.0 | 2021-10-01 | Updated common logic version. Changes: added datastore.yaml, pack.yaml, pack description, tags, readme jinja template, added actions GEN prefix. |
