
Workflow Template: Automated Workload Quarantine on Security Event

Automatically quarantine threatening IPs when Illumio error events exceed a configured threshold, with policy provisioning and Slack alerts.

Updated over 3 weeks ago

The "Automated Workload Quarantine on Security Event" workflow template automatically quarantines IPs that trigger error-severity events in Illumio. The workflow groups those events by source IP and quarantines every IP whose event count exceeds a configured threshold: it creates an IP blocklist for each flagged IP, applies a quarantine label to any managed workload that matches, and enforces a deny-all security rule. All policy changes are provisioned in one operation, and a summary is sent to a designated Slack channel so that containment is fast and auditable.

Use Cases

Remediate Network Security Alerts

Workflow Breakdown

  1. Polls Illumio for error-severity security events on a scheduled interval

  2. Groups events by source IP and filters for IPs exceeding the threshold

  3. Creates IP blocklists and deny-all security rules for each flagged IP

  4. Applies quarantine labels to any matching managed workloads

  5. Provisions all policy changes in a single operation

  6. Sends a Slack summary with blocked IPs, workloads affected, and policy version
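The grouping, threshold and planning logic behind steps 2 to 6, as an added example that is not part of the template or of any vendor code. It assumes event and workload records shaped as plain dicts (`severity`, `src_ip`, `name`, `ip`), a hypothetical label name, and that "exceeding the threshold" means strictly greater than; the actual Illumio and Slack API calls are stood in for by the returned plan and summary text, so the whole thing runs offline on constructed sample data.

```python
"""Core logic of the quarantine workflow over constructed sample data.

Assumptions (not from the page): events are dicts with "severity" and
"src_ip" keys, workloads are dicts with "name" and "ip" keys, error
severity is the string "err", and the quarantine label is a plain
string. Illumio and Slack calls are represented by the returned plan.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass, field

QUARANTINE_LABEL = "Quarantine"  # hypothetical label name
ERROR_SEVERITY = "err"           # hypothetical severity value

# Constructed sample events: three source IPs, one non-error event and
# one malformed source address that must never reach a blocklist.
SAMPLE_EVENTS = [
    {"severity": "err", "src_ip": "10.0.0.5"},
    {"severity": "err", "src_ip": "10.0.0.5"},
    {"severity": "err", "src_ip": "10.0.0.5"},
    {"severity": "err", "src_ip": "10.0.0.9"},
    {"severity": "err", "src_ip": "10.0.0.9"},
    {"severity": "warning", "src_ip": "10.0.0.9"},
    {"severity": "err", "src_ip": "192.0.2.44"},
    {"severity": "err", "src_ip": "not-an-ip"},
]

# Constructed sample managed workloads.
SAMPLE_WORKLOADS = [
    {"name": "web-01", "ip": "10.0.0.5"},
    {"name": "db-01", "ip": "10.0.0.9"},
    {"name": "app-01", "ip": "10.0.0.77"},
]


@dataclass
class QuarantinePlan:
    """Everything that would be provisioned in one operation (step 5)."""
    flagged_ips: list = field(default_factory=list)
    ip_lists: list = field(default_factory=list)
    deny_rules: list = field(default_factory=list)
    labelled_workloads: list = field(default_factory=list)


def _is_ip(value):
    """Reject malformed addresses so bad data cannot poison a blocklist."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def count_error_events_by_source(events, error_severity=ERROR_SEVERITY):
    """Step 2a: group error-severity events by (valid) source IP."""
    return Counter(
        e["src_ip"] for e in events
        if e.get("severity") == error_severity and _is_ip(e.get("src_ip", ""))
    )


def select_flagged_ips(counts, threshold):
    """Step 2b: IPs whose error count strictly exceeds the threshold."""
    return sorted(ip for ip, n in counts.items() if n > threshold)


def build_quarantine_plan(events, workloads, threshold):
    """Steps 3 and 4: blocklist, deny-all rule and label per flagged IP."""
    plan = QuarantinePlan()
    plan.flagged_ips = select_flagged_ips(
        count_error_events_by_source(events), threshold)
    for ip in plan.flagged_ips:
        list_name = f"blocklist-{ip}"
        plan.ip_lists.append({"name": list_name, "ip_ranges": [ip]})
        # Hypothetical rule shape: deny everything from the blocklist.
        plan.deny_rules.append({"name": f"deny-all-{ip}", "action": "deny",
                                "source_ip_list": list_name, "services": "all"})
    workload_by_ip = {w["ip"]: w["name"] for w in workloads}
    plan.labelled_workloads = [
        workload_by_ip[ip] for ip in plan.flagged_ips if ip in workload_by_ip]
    return plan


def build_slack_summary(plan, policy_version):
    """Step 6: the text a Slack step would post after provisioning."""
    return "\n".join([
        f"Quarantine provisioned (policy version {policy_version})",
        "Blocked IPs: " + (", ".join(plan.flagged_ips) or "none"),
        f"Workloads labelled {QUARANTINE_LABEL}: "
        + (", ".join(plan.labelled_workloads) or "none"),
    ])


if __name__ == "__main__":
    plan = build_quarantine_plan(SAMPLE_EVENTS, SAMPLE_WORKLOADS, threshold=1)
    print(build_slack_summary(plan, policy_version=42))
```

With a threshold of 1, the sample run flags 10.0.0.5 and 10.0.0.9 (the warning event is not counted and the malformed address is dropped), labels web-01 and db-01, and leaves app-01 untouched; raising the threshold to 2 flags only 10.0.0.5. Keeping the plan as data before anything is provisioned is what lets the single provisioning step and the Slack summary report exactly the same set of changes.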

Vendors

Slack, Utils
