This article provides information about taking action with response in a case.
In order to take action within a case or provide automation through an action rule, response integration must be established.
To block an IP address with a firewall within a case, we can follow the steps below:
While the case is open, the Logsign magic button is displayed in the bottom right corner of the page. Clicking on the button lists the products with integrated response. We can examine the methods by clicking on the product that we want to take action on.
Fortinet Fortigate supports methods such as IP blocking, unblocking, and listing current object groups through API support.
In this scenario, we choose the Block IP method because we will block the IP with the firewall.
Each product has a different API format, so it is possible that the information each product requires from us may be different. In the Fortinet product, we are expected to define the IP address to be blocked, the group address to be registered for blocking, and the duration of the blocking process.
The blocking process takes place with the submit button, and we can examine the output of the process from the case screen.
We can check the accuracy of the process from the Response panel. We can check the blocked IP address in the Responses - Block List section.
You can unblock the currently blocked IP address with the Delete button.
In a different scenario, we can disable a user by providing LDAP integration with an authorized user.