Best way to manage a time based IP blocklist in XSOAR


L2 Linker

Hi All,

I have been trying to find the best way to manage a list of IP addresses. This is the idea I am trying to achieve.

1) I identify an IP address that is malicious and block it on the PaloAlto firewall in a static object group.

2) I keep track of the IP address along with the time I added it 

3) After 48 hours I check the IP addresses I added that are older than 48 hours and remove them.

I am not sure which is the best way to approach this.

My idea was to

1) Create an XSOAR list and add TimeNowLinux:IP (JSON format; not sure how to add line by line, it keeps adding on the same line) for each entry in one playbook

2) Create a job that runs every 48 hours that reads the same list, reads the TimeNowLinux and checks if it is older than CurrentTime(48 hours ago), then gets the respective IP address

3) Remove the IP address in the Palo Alto firewall static object group

Step 1 I could implement without any issues.

I got stuck at step two, since I am not sure how to pull the contents of the list and read them in the manner I described, because a loop through each entry in the list is involved. I do not know how to accomplish that.

I am stuck at that step and do not know how to proceed.

Does anyone have suggestions on how to fix Step 2 and implement Step 3?

Or is there a much better and more efficient way than this?

Thanks in advance.
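The bookkeeping part of step 2 (decide which entries are older than 48 hours and which to keep) can be done in a single automation without looping through the list in a sub-playbook. The following is an added example, not code from this thread or from XSOAR itself. It assumes the XSOAR list stores a JSON array of `{"ip": ..., "added": <unix epoch seconds>}` objects, which is a suggested layout (one record per entry instead of the `TimeNowLinux:IP` string described above), and that the calling playbook does the XSOAR-specific parts: reading and writing the list body (the built-in `getList` / `setList` commands) and removing the returned addresses from the firewall address group with the PAN-OS integration. The sample data is constructed.

```python
"""Time-based IP blocklist bookkeeping for an XSOAR list (added example).

Assumed list layout: a JSON array of {"ip": str, "added": int epoch seconds}.
The functions are pure so they can be unit-tested offline; in XSOAR the outer
automation would fetch the list body with getList, call split_expired(), push
the returned IPs to the firewall removal step and write the remainder back with
setList. None of those XSOAR calls are made here.
"""
import ipaddress
import json
import time
from typing import Dict, List, Tuple

MAX_AGE_SECONDS = 48 * 60 * 60  # the 48-hour retention window from the thread


def load_entries(list_text: str) -> List[Dict]:
    """Parse the list body. An empty or whitespace-only list is an empty array."""
    if not list_text or not list_text.strip():
        return []
    data = json.loads(list_text)
    if not isinstance(data, list):
        raise ValueError("blocklist must be a JSON array of entries")
    return data


def add_entry(list_text: str, ip: str, now: int) -> str:
    """Return a new list body with ip added and stamped with now (epoch seconds).

    Re-adding an IP that is already present refreshes its timestamp instead of
    creating a duplicate, so a still-active attacker keeps its block extended.
    """
    ip = str(ipaddress.ip_address(ip))  # rejects garbage before it hits the firewall
    entries = [e for e in load_entries(list_text) if e.get("ip") != ip]
    entries.append({"ip": ip, "added": int(now)})
    return json.dumps(entries, indent=2)


def split_expired(list_text: str, now: int,
                  max_age: int = MAX_AGE_SECONDS) -> Tuple[List[str], str]:
    """Return (ips_to_unblock, remaining_list_text).

    An entry is expired when now - added >= max_age. Entries with a missing or
    non-numeric 'added' field are treated as expired so a malformed record can
    never keep an address blocked forever; entries without an ip are dropped.
    """
    keep: List[Dict] = []
    expired: List[str] = []
    for entry in load_entries(list_text):
        ip = entry.get("ip")
        if not ip:
            continue
        try:
            age = int(now) - int(entry.get("added"))
        except (TypeError, ValueError):
            age = max_age  # malformed timestamp: expire it
        if age >= max_age:
            expired.append(ip)
        else:
            keep.append(entry)
    return expired, json.dumps(keep, indent=2)


if __name__ == "__main__":
    # Constructed demo data using documentation ranges (RFC 5737).
    now = int(time.time())
    body = ""
    body = add_entry(body, "203.0.113.7", now - 3 * 3600)    # 3 h old, keep
    body = add_entry(body, "198.51.100.9", now - 50 * 3600)  # 50 h old, expire
    body = add_entry(body, "192.0.2.1", now - 48 * 3600)     # exactly 48 h, expire
    to_unblock, remaining = split_expired(body, now)
    print("remove from firewall group:", to_unblock)
    print("write back to the XSOAR list:\n", remaining)
```

Run this as the body of a scheduled job every hour or so rather than every 48 hours: with a 48-hour job interval an address added just after a run stays blocked for almost 96 hours. The `add_entry` path also answers the "keeps adding on the same line" problem, since the whole list body is rewritten as a proper JSON array on each change instead of appending text.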


L3 Networker

Looping through every element of the list is possible with sub-playbooks, but likely not the best approach here.

For this kind of a use case, I'd recommend:

* Configure a Generic Export Indicators integration instance https://xsoar.pan.dev/docs/reference/integrations/edl

* Configure the query on the integration to find IP addresses which match a custom tag and are not expired

* To block an IP address, add the custom tag and set the expiry to <current time>+48 hours

* Configure the firewall to use the URL of the integration as an EDL.

With this method XSOAR should do the expiry for you without any kind of job, and the firewall config is just a once-off EDL setup.

Hi @chrking

Thanks, I will explore that option. Since we just deployed our XSOAR and are just setting up our automations and experimenting, we were exploring options where we could avoid a dependency on an EDL stored on the XSOAR for now. Considering that, is there an alternative with static object groups?

Perhaps going forward, once XSOAR is fully deployed, we will switch to EDLs. But for now, is there an option we can use with static object groups to add and expire IP addresses from XSOAR?

Thanks in advance!
