The default action for this is simply to alert. As is, I generally set it so anything coming from external resources with a severity great-or-equal to medium gets reset, regardless of default action. You might want to look at making the same modification to the threat profile utilized on your external security entries.
One of the thing you might want to look at is the firewalls built-in block-ip option that can limit the source-ip from connecting for a set duration. You can also setup MineMeld to pull indicators from the threat logs (either through log-forwarding to a SIEM or directly through the API) so you can feed these into a block-list so to speak by utilizing the EDL functionality.
The product is included with AutoFocus which does have a cost associated with it that has caused a fair amount of confusion; MineMeld itself however is open-source and can be installed by itself without any cost associated.
You can get the indicators added automatically to MineMeld using some scripts to pull a custom report through the API, and feeding the indicators into a file that gets fed into MineMeld as an indicator list. I might write a post about that one of these days.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!