I was reading about Palo Alto XSOAR and I saw that for Silverline you can add an IP address using the REST-API that has a timeout, so the IP address will be blocked just for some time. That seems great, but I was wondering how this was done? Maybe Silverline uploads the IP address to a custom IP intelligence category and there is an external script/automation that removes it after the time configured by the user, or something else. It is also good to know if the same can be done for the on-prem F5 devices using the REST-API and not the F5 iRule table command and maybe the sideband command (https://community.f5.com/t5/technical-articles/populating-tables-with-csv-data-via-sideband-connecti...).
Please share if you know.
The Palo Alto XSOAR example:
Sounds like it might be a specific feature in the Silverline API.
Depending on what modules/configuration you're using, there might be a couple options.
I am aware of the F5 data groups, but I was looking for dynamic entries like the table iRule command (the issue is that the table object can't be changed with a REST-API, so this is why the sideband iRule function is needed to fetch the new data from the external server), not static ones like the data group (a workaround that I have made for this: https://community.f5.com/t5/crowdsrc/automate-data-group-updates-on-many-big-ip-devices-using-big-iq...).
For the AFM you are right that it is a nice touch to use a REST-API to upload a list of IP addresses in a rule that has a schedule in it. The only thing is that after some time someone will need to clean up the old rules: https://techdocs.f5.com/kb/en-us/products/big-ip-afm/manuals/product/big-ip-network-firewall-policie...
I am still thinking that maybe Silverline uses a custom IP intelligence feed list and that they have some kind of automation in place that removes the old entries after some time. Too bad that maybe this is a custom thing just for the Silverline REST-API and not for the F5 products.
I will take a deeper look if I find anything.