04-28-2022 05:13 PM
I would like to ask the community if perhaps someone has created a playbook that takes in Snort/Suricata alert data. I am looking at creating an automated block process that will compare an IDS alert with a Threat notification from the PAN. If the src_ip, src_port, dst_ip, dst_port and timestamp match and the firewall took no action on the threat, then I will add the external src_ip to the Indicators database, set the Verdict to "suspicious", set the Expiration Date to 30 days, add both the IDS and Threat log data to "Comments" to show the reason for the block, and tag the new entry as "block_external_ips", "ids" and "pan threat", so that it gets added to the EDL that will be picked up by the firewall. It would be helpful if someone had an IDS-related playbook that they would be willing to share to start this process.
Thanks
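The correlation the post describes, written out as an added example so the matching rules and the resulting indicator shape are concrete. This is not code from the original post, from XSOAR, or from Palo Alto Networks. It assumes normalized record field names (src_ip/src_port/dst_ip/dst_port, an IDS timestamp and a PAN receive_time), treats the PAN-OS threat-log actions "alert" and "allow" as "the firewall took no action", defines "external" as anything outside RFC 1918, loopback and link-local, and matches timestamps within a small tolerance window rather than exactly, since sensor and firewall clocks rarely agree to the second. The indicator dicts it builds mirror the fields named in the post; the argument names of XSOAR's own indicator-creation command may differ, so treat that mapping as an assumption. All log records are constructed samples.

```python
"""Correlate IDS alerts with PAN-OS threat logs and emit block indicators.

Added worked example; not code from the original post, XSOAR, or Palo Alto
Networks. Record field names, the indicator dict shape, the "no action"
values and the internal-network list are assumptions made for illustration.
"""
import ipaddress
from datetime import datetime, timedelta

# PAN-OS threat-log actions treated as "the firewall took no action".
# Assumption: "alert" and "allow" mean the session was let through.
NO_ACTION = {"alert", "allow"}

# Networks treated as internal; any other source counts as "external".
# Assumption: RFC 1918 plus loopback and link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample records (not real logs). IDS records are normalized to
# src_ip/dst_ip; Suricata's eve.json uses dest_ip/dest_port instead.
IDS_ALERTS = [
    {"timestamp": "2022-04-28T17:10:02Z", "src_ip": "203.0.113.45", "src_port": 51234,
     "dst_ip": "10.1.2.3", "dst_port": 443, "signature": "TEST SCAN probe (constructed)"},
    {"timestamp": "2022-04-28T17:10:30Z", "src_ip": "198.51.100.7", "src_port": 44444,
     "dst_ip": "10.1.2.3", "dst_port": 443, "signature": "TEST EXPLOIT attempt (constructed)"},
    {"timestamp": "2022-04-28T17:10:40Z", "src_ip": "203.0.113.45", "src_port": 51240,
     "dst_ip": "10.1.2.3", "dst_port": 443, "signature": "TEST SCAN probe (constructed)"},
    {"timestamp": "2022-04-28T17:11:00Z", "src_ip": "10.5.5.5", "src_port": 40000,
     "dst_ip": "10.1.2.3", "dst_port": 22, "signature": "TEST POLICY ssh (constructed)"},
]
PAN_THREATS = [
    {"receive_time": "2022-04-28T17:10:03Z", "src_ip": "203.0.113.45", "src_port": 51234,
     "dst_ip": "10.1.2.3", "dst_port": 443, "threat_name": "constructed-threat-1", "action": "alert"},
    {"receive_time": "2022-04-28T17:10:31Z", "src_ip": "198.51.100.7", "src_port": 44444,
     "dst_ip": "10.1.2.3", "dst_port": 443, "threat_name": "constructed-threat-2", "action": "drop"},
    {"receive_time": "2022-04-28T17:11:01Z", "src_ip": "10.5.5.5", "src_port": 40000,
     "dst_ip": "10.1.2.3", "dst_port": 22, "threat_name": "constructed-threat-3", "action": "alert"},
]


def parse_ts(value):
    """Parse an ISO-8601 timestamp, accepting a trailing 'Z' for UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def five_tuple(rec):
    """Connection key: source IP/port and destination IP/port."""
    return (rec["src_ip"], int(rec["src_port"]), rec["dst_ip"], int(rec["dst_port"]))


def is_external(ip):
    """True unless the address falls in one of INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def correlate(ids_alerts, pan_threats, window_seconds=5):
    """Pair each IDS alert with a PAN threat log on the same 4-tuple whose
    timestamps fall within window_seconds and on which the firewall only
    alerted. Pairs where the firewall already blocked are dropped."""
    pairs = []
    for alert in ids_alerts:
        a_ts = parse_ts(alert["timestamp"])
        for threat in pan_threats:
            if five_tuple(alert) != five_tuple(threat):
                continue
            if abs((a_ts - parse_ts(threat["receive_time"])).total_seconds()) > window_seconds:
                continue
            if threat["action"].lower() not in NO_ACTION:
                continue  # firewall already acted; nothing to add to the EDL
            pairs.append((alert, threat))
    return pairs


def build_indicators(pairs, now_iso, ttl_days=30):
    """Turn correlated pairs into indicator records for external source IPs,
    one per IP (first match wins), carrying the fields the post lists."""
    now = parse_ts(now_iso)
    seen, indicators = set(), []
    for alert, threat in pairs:
        ip = threat["src_ip"]
        if ip in seen or not is_external(ip):
            continue
        seen.add(ip)
        indicators.append({
            "value": ip,
            "type": "IP",
            "verdict": "Suspicious",
            "expiration": (now + timedelta(days=ttl_days)).isoformat(),
            "comment": (f"IDS {alert['timestamp']} {alert['signature']} | "
                        f"PAN {threat['receive_time']} {threat['threat_name']} "
                        f"action={threat['action']}"),
            "tags": ["block_external_ips", "ids", "pan threat"],
        })
    return indicators


if __name__ == "__main__":
    for ind in build_indicators(correlate(IDS_ALERTS, PAN_THREATS), "2022-04-28T17:15:00Z"):
        print(ind)
```

With the sample data, two pairs correlate (the 203.0.113.45 scan and the 10.5.5.5 SSH session); the 198.51.100.7 pair is skipped because the firewall action was "drop", and the second 203.0.113.45 alert has no PAN counterpart on the same source port. Only 203.0.113.45 becomes an indicator, since 10.5.5.5 is internal. Tune window_seconds to the observed clock skew between sensor and firewall; too small a window silently drops valid matches.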
05-31-2022 06:12 AM
Hey @jpadro, this seems like something that you could also raise as a feature request in our Aha portal, to have such a playbook (or more likely something a bit more generic).
Our R&D team is always happy to receive suggestions for playbooks and other content items.
The portal is https://xsoar.ideas.aha.io/, make sure to be as detailed as you can, and to not share any personal information as this is a public community.