[Cortex XSOAR] Blocking IP addresses using Ansible Linux Integration

I must confess, my own little XSOAR environment does not have fancy firewalls. But it consists of several Linux servers, all capable of using iptables (or ufw, if it came to that). So I still have the capability to use the Ansible integration of XSOAR to run commands and apply iptables blocks on my systems.

Out of the box, XSOAR provides many Ansible integrations which you can use with different environments. For our purpose we will use “Ansible Linux”.

The Ansible Linux Content Pack provides four different integrations for different purposes:

  • Ansible ACME, to Control Automatic Certificate Management Environment on Linux hosts
  • Ansible DNS, to Manage DNS records using NSUpdate
  • Ansible OpenSSL, in order to control OpenSSL on remote Linux hosts
  • and finally Ansible Linux, which we use for agentless Linux host management over SSH

All these integrations offer several commands, but for our purpose “!linux-iptables” is actually enough. The command follows the Ansible module definition to the dot:

https://docs.ansible.com/ansible/latest/collections/ansible/builtin/iptables_module.html

So, as in the example from the module documentation:

- name: Block specific IP
  ansible.builtin.iptables:
    chain: INPUT
    source: 8.8.8.8
    jump: DROP
  become: yes

we see that we need the chain, the source and the jump target.

We can see that the rule is applied directly on the server itself:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       0    --  *      *       159.89.194.195       0.0.0.0/0  

This now enables us, of course, to make blocking an IP address a task in every playbook.
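As an added example (not code from the original post or from the Ansible Linux pack), here is a small Python helper in the style of an XSOAR automation that maps an IP indicator onto the arguments of the linux-iptables command, refuses addresses that must never be dropped, and verifies the rule from an iptables listing like the one above. The `host` argument, the PROTECTED_NETWORKS list and the `execute` callable (standing in for demisto.executeCommand inside XSOAR) are assumptions; the `ip_version` key is the module's own parameter, so IPv6 indicators are handled as well.

```python
import ipaddress
from typing import Callable, Dict, Iterable

# Constructed: networks an automation must never DROP (management ranges and
# the subnet the XSOAR engine itself sits in). Adjust to your environment.
PROTECTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                      ipaddress.ip_network("192.168.0.0/16")]

class BlockRefused(ValueError):
    """The indicator must not be turned into an iptables DROP rule."""

def build_iptables_block_args(indicator: str, host: str, chain: str = "INPUT",
                              protected: Iterable = PROTECTED_NETWORKS) -> Dict[str, str]:
    """Map an IP indicator to !linux-iptables arguments. chain/source/jump follow
    ansible.builtin.iptables; `host` is assumed to pick the target server."""
    try:
        ip = ipaddress.ip_address(indicator.strip())
    except ValueError as exc:
        raise BlockRefused(f"not an IP address: {indicator!r}") from exc
    # A DROP for loopback, a protected subnet or a non-unicast address would
    # either lock out the engine or add a rule that protects nothing.
    if ip.is_loopback or ip.is_unspecified or ip.is_multicast:
        raise BlockRefused(f"refusing to block {ip}")
    if any(ip in net for net in protected):
        raise BlockRefused(f"{ip} is inside a protected network")
    return {"host": host, "chain": chain, "source": str(ip), "jump": "DROP",
            "ip_version": "ipv4" if ip.version == 4 else "ipv6"}

def block_ip_on_host(indicator: str, host: str,
                     execute: Callable[[str, Dict[str, str]], object]):
    """Send the block through `execute` (demisto.executeCommand inside XSOAR)."""
    return execute("linux-iptables", build_iptables_block_args(indicator, host))

def drop_rule_present(listing: str, ip: str) -> bool:
    """Confirm the rule landed by parsing `iptables -L INPUT -n -v` output."""
    for line in listing.splitlines():
        cols = line.split()
        # data rows: pkts bytes target prot opt in out source destination
        if len(cols) >= 9 and cols[2] == "DROP" and cols[7] == ip:
            return True
    return False

# Constructed copy of the listing shown on the page, for stand-alone runs.
SAMPLE_LISTING = """Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       0    --  *      *       159.89.194.195       0.0.0.0/0"""

if __name__ == "__main__":
    calls = []
    block_ip_on_host("159.89.194.195", "web01", lambda n, a: calls.append((n, a)))
    print(calls, drop_rule_present(SAMPLE_LISTING, "159.89.194.195"))
```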
