Integration With Firewall/IPS for Autonomous Response

[alasdairmuckart]

Does Malcolm have any capability to integrate with an existing firewall or IPS for autonomous response to malicious traffic, or is it purely a detection/analysis platform?

From the docs it appears to be the latter.

Thanks.

[mmguero]

Malcolm is passive by design and is not configured by default to be able to perform actions in response to what it observes.

However some possibilities to achieve what you're talking about (I haven't done this, exactly, so take it with a grain of salt) might involve:

• OpenSearch has an Alerting plugin which can send notifications including webhooks. One could conceivably set up an alert to notify you via webhook based on some query/condition and then you could handle it from there.
• You could create a custom Logstash output pipeline to send all or some of Malcolm's log data elsewhere and make decisions based on that.
• You could set up some external script to query the Malcolm API (for example, perhaps checking some field aggregation values) and then perform actions based on that.

Best of luck.

[alasdairmuckart]

Thank you. I'll see what we can come up with.