In Security Operations Centers (SOCs), analysts often spend valuable time manually responding to recurring malicious IP connections. This project demonstrates how to automate incident response in IBM QRadar SIEM by creating a custom action script that blocks malicious IPs directly on a firewall (pfSense).
By reducing response time from minutes to seconds, this automation helps SOC teams improve their MTTR (Mean Time to Respond) and strengthens the overall security posture.
flowchart LR
A[QRadar<br/>Offense Triggered] --> B[Custom Action<br/>Bash Script]
B --> C[SSH Connection<br/>to pfSense]
C --> D[pfctl Adds IP<br/>to Block List]
D --> E[Firewall Rule<br/>Blocks IPs in List]
- QRadar: Detects offense (e.g., brute force).
- Custom Action Script: Bash script runs when offense is triggered.
- pfSense Firewall: Executes
pfctlcommand which blocks offending IP.
- IBM QRadar CE (SIEM)
- pfSense (Router x Firewall)
- Windows Server (Victim Machine)
- SSH access with restricted admin privileges using ssh keys for authentication
- Bash Script
-
Write Bash Script
#!/bin/bash # # block_ip.sh - Add an IP address to pfSense blocklist via SSH # === Configuration === PFSENSE_HOST="10.10.1.1" PFSENSE_USER="qradar_usr" SSH_KEY="/home/customactionuser/.ssh/id_rsa" BLOCK_TABLE="qradar_blocklist" # === Input validation === if [ -z "$1" ]; then echo "Usage: $0 <IP_ADDRESS>" exit 1 fi IP=$1 # === Add IP to blocklist === ssh -i "$SSH_KEY" -o StrictHostKeyChecking=no "$PFSENSE_USER@$PFSENSE_HOST" \ "sudo /sbin/pfctl -t $BLOCK_TABLE -T add $IP" # === Check result === if [ $? -eq 0 ]; then echo "[+] Successfully added $IP to blocklist ($BLOCK_TABLE)" else echo "[-] Failed to add $IP to blocklist" exit 1 fi
-
Test Workflow
- Trigger a QRadar offense with a test IP.
- QRadar offense is generated and automated response is triggered.
- Verify pfSense now has the IP in its block list.
pfctl -t qradar_blocklist -T show
- Verify blocked connection in firewall logs.
-
QRadar offense triggered
-
Custom Action execution logs
-
Verification of blocked traffic
--- Blocked RDP connection ---
--- Blocked QRadar UI Connection (HTTPS) ---
--- Firewall Log Showing Blocked Traffic ---
- Before Automation: Blocking malicious IPs required manual firewall login (~3–5 mins).
- After Automation: QRadar offense triggers script -> IP blocked automatically in seconds (
~10 seconds). - SOC Value: Faster response & containment, reduced analyst fatigue, repeatable playbook.
- Integrate with email sever to send email alerts to analysts for review.
- Add an unblock script to restore connection after analyst review if false positive.
- Add a step to check IP reputation before taking action.
- Integrate with Splunk SOAR CE for advanced playbook orchestration.
- SIEM Engineering (QRadar Custom Actions)
- Firewall Integration
- Bash Scripting
- SOC Workflow Optimization
- Incident Response Automation
👤 Taofeek Isiaka-Aliagan