Update List Using REST \ similar

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Update List Using REST \ similar

L4 Transporter

Maybe a stupid question and\or I've missed the obvious...


One of the issues we have with our Palo firewalls is - when we deploy 'active' IPS rules (block-ip etc) the maximum length of time is 3600 seconds. 


We have a log solution that we use to trigger alerts if we're being probed over multiple days etc and would like to trigger a script, rather than the current manual email, to poke the offending IP address into a block list.  As we've already started using MineMeld to serve up blocklists as I wondering if its possible to call a RESTful API - or similar - to push the IP address to an output list?


Longer term we'd be looking for a bit more intelligence i.e. checking whether it's already on the list, removing after a period of time (say 7 days), but initially it would just be a simple "if source IP triggers threat 3 times in 3 hours trigger (PowerShell) script to poke address into custom blocklist" type scenario


Sean, nice script! I took your script a step further and incorporated a GUI along with other logic to allow for easy uploading of IOC's. I made sure to cite your contribution:




Did you add any more methods (like delete)?

Hi @pataylor,

delete is available in the new API, you can check the new API mechanism at the end of the following article:


Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!