Here's a step-by-step guide to help you create a playbook in LogPoint SOAR to block an IP address or take other actions based on alerts:
-
Configure the Trigger:
- Start by configuring the trigger of your playbook to activate when specific alerts occur in LogPoint. You can find detailed instructions on how to set up triggers in the documentation here.
-
Integrate your firewall with LogPoint SOAR:
- Ensure that your firewall is integrated with LogPoint SOAR. This integration is necessary for executing actions like blocking an IP address. You may need to set up API actions to communicate with your firewall. Refer to LogPoint's documentation on how to integrate your firewall with SOAR and test the integration. You can find guidance on this process here.
-
Configure and create a playbook:
- Once your trigger and integration are set up, proceed to create a playbook. Define the actions you want the playbook to take when triggered by specific alerts. LogPoint provides various action types that you can utilize based on your requirements. Refer to their documentation on playbook creation and action types here.
-
Refer to built-in playbooks:
- To streamline your playbook creation process, consider referring to LogPoint's built-in playbooks. These playbooks often provide templates or examples that you can modify to suit your specific use case. LogPoint offers a generic playbook for blocking IP addresses that you can use as a reference or starting point. Check out the built-in playbook to Block-IP documentation here.
If you encounter any issues or need further assistance, feel free to ask!
Regards,
Nikesh