Forum Discussion
Aantat
Cirrus
CirrusSend Attackers IP to another system via API
Hi experts! I'm newbie here and I need your help. I have a task to send Attackers IP to another system via API. For example I've a ASM and there are some triggered violation. I want to send that Att...
JRahm
Admin
AdminHI Aantat, what kind of system is the other system, and did you want to manage those messages from a remote system (like pull on system C from system A, push from system C to system B) or just send messages directly from ASM to other systems? More details on what you're trying to accomplish would be helpful, but either way, there's likely a solution we can work out together. Let me know!
AantatCirrus
CirrusHi JRahm!
So I have a NGFW and F5 WAF. My goal is every time when there is some Security Event triggered, send Attackers IP from that Event to my NGFW via API. Hope I make it clear.
- Nikoolayy1
MVP
From what you ask it seems that something like a SIEM like Spunk to get the F5 ASM logs is needed and then a SOAR like Splunk Phantom to use the logs to add the Ip addreess of the attacker on the firewall. That is my idea but you will need to dig deep to automate and to play arround.
- Aantat
Hi Nikoolayy1,
Agreed, But I'd like to reach my goal without another 3rd system. I thought about iRule, that will send via HTTP Post to my NGFW the information about attacker IP.
- Nikoolayy1
Then you will need to play with HTTP Super SIDEBAND Requestor (Client) https://clouddocs.f5.com/api/irules/SIDEBAND.html but I do not have a premade irule for you so you will need to write it and get the IP from https://clouddocs.f5.com/api/irules/ASM_REQUEST_DONE.html event but this will be complex.
