Forum Discussion
Aantat
Cirrus
CirrusSend Attackers IP to another system via API
Hi experts! I'm newbie here and I need your help. I have a task to send Attackers IP to another system via API. For example I've a ASM and there are some triggered violation. I want to send that Att...
AantatCirrus
CirrusHi JRahm!
So I have a NGFW and F5 WAF. My goal is every time when there is some Security Event triggered, send Attackers IP from that Event to my NGFW via API. Hope I make it clear.
Nikoolayy1
MVP
MVPFrom what you ask it seems that something like a SIEM like Spunk to get the F5 ASM logs is needed and then a SOAR like Splunk Phantom to use the logs to add the Ip addreess of the attacker on the firewall. That is my idea but you will need to dig deep to automate and to play arround.
- Aantat
Hi Nikoolayy1,
Agreed, But I'd like to reach my goal without another 3rd system. I thought about iRule, that will send via HTTP Post to my NGFW the information about attacker IP.
- Nikoolayy1
Then you will need to play with HTTP Super SIDEBAND Requestor (Client) https://clouddocs.f5.com/api/irules/SIDEBAND.html but I do not have a premade irule for you so you will need to write it and get the IP from https://clouddocs.f5.com/api/irules/ASM_REQUEST_DONE.html event but this will be complex.