Has anyone used Splunk to act upon an alert and shut down a physical port on the switch? This would require running a script when an alert is triggered. I just want to reach out to the community and see if something like this has been done already.
Hi pzharyuk,
You can do such a thing, and you can also find examples in the docs here http://docs.splunk.com/Documentation/Splunk/latest/AdvancedDev/ModAlertsIntro
Just make sure the script and the alert are bulletproof before you use them in Splunk; you don't want to get false positives on the alert and have the script shut down your core router interfaces, for example.
Hope this helps ...
cheers, MuS
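To make the "bulletproof" advice concrete, here is a guarded alert-action script for this use case. It is an added example, not code from the thread, from MuS, or from the Splunk docs. It assumes the modular-alert convention that Splunk runs the script with `--execute` and passes a JSON payload on stdin whose `result` key holds the triggering event, and it assumes the correlated event carries the hypothetical fields `src_ip`, `switch`, `interface` and `ips_severity`. It never touches a device: it only decides whether a shutdown is allowed and builds the IOS commands, so the policy checks (severity threshold, protected-device pattern, access-port naming) can be exercised offline before anything is wired to a real switch.

```python
#!/usr/bin/env python
"""Guarded Splunk alert action: decide whether an IPS hit may shut an access port.

Added example, not from the thread or Splunk's docs. Assumes the modular-alert
convention (--execute, JSON payload on stdin, triggering event under "result")
and the hypothetical event fields src_ip, switch, interface, ips_severity.
"""
from __future__ import print_function
import json
import re
import sys

# Hypothetical policy: only access ports on non-core devices may be shut,
# and only for high IPS severities (assumed 1-5 scale).
ACCESS_PORT_RE = re.compile(r"^(?:Gi|GigabitEthernet)\d+/\d+/\d+$")
PROTECTED_SWITCH_RE = re.compile(r"^(?:core|dist|wan)-", re.IGNORECASE)
MIN_SEVERITY = 4
REQUIRED = ("src_ip", "switch", "interface", "ips_severity")


def _skip(reason):
    return {"action": "skip", "reason": reason, "commands": []}


def decide(payload):
    """Return {'action': 'shutdown'|'skip', 'reason': str, 'commands': [...]}.

    Every refusal is a 'skip', never an exception: a crash would leave the
    alert action half-run with no record of why it stopped.
    """
    result = payload.get("result") or {}
    missing = [f for f in REQUIRED if not result.get(f)]
    if missing:
        return _skip("missing fields: %s" % ",".join(missing))

    switch = result["switch"].strip()
    iface = result["interface"].strip()
    try:
        severity = int(result["ips_severity"])
    except ValueError:
        return _skip("non-numeric ips_severity %r" % result["ips_severity"])

    # Order matters: the cheapest, most conservative refusals come first.
    if severity < MIN_SEVERITY:
        return _skip("severity %d below threshold %d" % (severity, MIN_SEVERITY))
    if PROTECTED_SWITCH_RE.match(switch):
        return _skip("protected device %s, refusing to touch it" % switch)
    if not ACCESS_PORT_RE.match(iface):
        return _skip("%s is not an access-port name" % iface)

    # Tag the port with the alert's search id so a human can trace the action.
    commands = [
        "configure terminal",
        "interface %s" % iface,
        "description QUARANTINE %s sid=%s" % (result["src_ip"], payload.get("sid", "?")),
        "shutdown",
        "end",
    ]
    return {"action": "shutdown",
            "reason": "IPS severity %d on %s via %s" % (severity, result["src_ip"], switch),
            "commands": commands}


# Constructed sample payloads in the shape the script expects on stdin.
INFECTED = {
    "sid": "scheduler__admin__search__RMD5example_at_1500000000_1",
    "search_name": "IPS critical + Prime port correlation",
    "result": {"src_ip": "10.20.30.40", "switch": "acc-sw-12",
               "interface": "GigabitEthernet1/0/12", "ips_severity": "5"},
}
CORE_HIT = {
    "sid": "scheduler__admin__search__RMD5example_at_1500000000_2",
    "result": {"src_ip": "10.0.0.1", "switch": "core-rtr-1",
               "interface": "TenGigabitEthernet1/1/1", "ips_severity": "5"},
}


def main(argv=sys.argv, stdin=sys.stdin):
    if len(argv) < 2 or argv[1] != "--execute":
        print("usage: %s --execute  (JSON payload on stdin)" % argv[0], file=sys.stderr)
        return 1
    decision = decide(json.load(stdin))
    # stderr from an alert script ends up in splunkd.log, which doubles as
    # the audit trail for every shutdown or refusal.
    print(json.dumps(decision), file=sys.stderr)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as `python quarantine_port.py --execute < payload.json` with a saved payload to dry-run the policy; `decide(INFECTED)` produces the shutdown commands, while `decide(CORE_HIT)` is refused because the device name matches the protected pattern. Pushing the returned commands to the switch (over SSH, or via a network-management API) is the one step deliberately left out, so the decision logic can be tested in isolation first.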
Oh yeah, I will definitely make sure of that. The idea is to act upon an IPS alert. I was able to pull the physical port/AP that the user is connected to using the Cisco Prime APIs; I want to correlate that data with IPS data, which I can use to have Splunk trigger a script to disable the port of a critically infected user machine.