Forum Discussion
From what you ask, it seems that something like a SIEM such as Splunk is needed to get the F5 ASM logs, and then a SOAR like Splunk Phantom to use the logs to add the IP address of the attacker on the firewall. That is my idea, but you will need to dig deep to automate and to play around.
Hi Nikoolayy1,
Agreed, but I'd like to reach my goal without another third system. I thought about an iRule that will send the information about the attacker IP to my NGFW via HTTP POST.
- Nikoolayy1, Jan 16, 2023 (MVP)
Then you will need to play with the HTTP Super SIDEBAND Requestor (Client), https://clouddocs.f5.com/api/irules/SIDEBAND.html, but I do not have a premade iRule for you, so you will need to write it and get the IP from the https://clouddocs.f5.com/api/irules/ASM_REQUEST_DONE.html event, but this will be complex.
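
A sketch of the sideband approach discussed in this thread, added here as an example and not written by any of the posters: on `ASM_REQUEST_DONE`, report the client IP of a request with violations to the firewall once per TTL. The NGFW address, API path and JSON field names are hypothetical placeholders, and the firewall is assumed to accept unauthenticated plain-HTTP POSTs on a management network.

```tcl
when RULE_INIT {
    # Hypothetical NGFW API endpoint and path; replace with your firewall's values.
    set static::ngfw_addr "192.0.2.10:8080"
    set static::ngfw_path "/api/blocklist"
    # Seconds before the same client IP may be reported again.
    set static::report_ttl 300
}

when ASM_REQUEST_DONE {
    # Act only when ASM recorded at least one violation for this request.
    # Narrow this to specific violation names if alarms alone should not block.
    set violations [ASM::violation names]
    if { [llength $violations] == 0 } { return }

    set ip [ASM::client_ip]

    # Deduplicate: one sideband call per address per TTL, so a burst of
    # bad requests does not turn into a burst of firewall API calls.
    if { [table lookup -notouch -subtable ngfw_reported $ip] ne "" } { return }
    table set -subtable ngfw_reported $ip 1 $static::report_ttl

    # Constructed JSON body (field names are assumptions). The values are an
    # IP, a numeric support ID and ASM violation names, so no escaping is done.
    set body "{\"ip\":\"$ip\",\"support_id\":\"[ASM::support_id]\",\"violations\":\"[join $violations ,]\"}"
    set req "POST $static::ngfw_path HTTP/1.1\r\nHost: $static::ngfw_addr\r\n"
    append req "Content-Type: application/json\r\n"
    append req "Content-Length: [string length $body]\r\nConnection: close\r\n\r\n$body"

    # Short timeouts: the sideband call runs in the request path.
    set conn [connect -timeout 500 -idle 5 -status conn_status $static::ngfw_addr]
    if { $conn eq "" } {
        log local0.warning "NGFW sideband connect failed ($conn_status) for $ip"
        table delete -subtable ngfw_reported $ip
        return
    }
    send -timeout 500 -status send_status $conn $req
    set resp [recv -timeout 500 -status recv_status 256 $conn]
    close $conn

    # Anything other than a 2xx reply clears the marker so a later request retries.
    if { ![string match {HTTP/1.? 2*} $resp] } {
        log local0.warning "NGFW rejected report for $ip (send=$send_status recv=$recv_status)"
        table delete -subtable ngfw_reported $ip
    }
}
```

`ASM::client_ip` can take the address from a trusted X-Forwarded-For header when the policy is configured that way, so an allowlist for proxies, NAT gateways and monitoring sources belongs either in this iRule or on the firewall side before any automatic block.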