Workflow Template: Automated Workload Quarantine on Security Event

Automatically quarantine threatening IPs when Illumio error events exceed a configured threshold, with policy provisioning and Slack alerts.

The "Automated Workload Quarantine on Security Event" workflow template is designed to enhance network security by automatically quarantining IPs that trigger error-severity events in Illumio. This workflow identifies and groups events by source IP, applying quarantine measures to those exceeding a set threshold. It creates IP blocklists, applies quarantine labels to affected workloads, and enforces deny-all security rules. All policy changes are provisioned in one operation, with a summary sent to a designated Slack channel, ensuring swift and efficient threat containment.

Use Cases

Remediate Network Security Alerts

Workflow Breakdown

  1. Polls Illumio for error-severity security events on a scheduled interval

  2. Groups events by source IP and filters for IPs exceeding the threshold

  3. Creates IP blocklists and deny-all security rules for each flagged IP

  4. Applies quarantine labels to any matching managed workloads

  5. Provisions all policy changes in a single operation

  6. Sends a Slack summary with blocked IPs, workloads affected, and policy version
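The grouping, threshold and policy-object steps above, as an added illustration that is not the template's own code. Event and workload field names, the `"error"` severity value, the blocklist and rule shapes, and all sample data are assumptions constructed for this example, not Illumio's real schema.

```python
from collections import Counter

# Constructed sample data; field names and severity values are assumed, not Illumio's real schema.
SAMPLE_EVENTS = [
    {"severity": "error", "source_ip": "203.0.113.10"},
    {"severity": "error", "source_ip": "203.0.113.10"},
    {"severity": "error", "source_ip": "203.0.113.10"},
    {"severity": "warning", "source_ip": "203.0.113.10"},  # not error-severity, ignored
    {"severity": "error", "source_ip": "198.51.100.7"},
    {"severity": "error", "source_ip": "198.51.100.7"},   # only 2: at, not over, the threshold
    {"severity": "error", "source_ip": "192.0.2.5"},
    {"severity": "error", "source_ip": "192.0.2.5"},
    {"severity": "error", "source_ip": "192.0.2.5"},
    {"severity": "error", "source_ip": None},              # no source IP, ignored
]
SAMPLE_WORKLOADS = [
    {"href": "/orgs/1/workloads/a", "ips": ["203.0.113.10"], "managed": True},
    {"href": "/orgs/1/workloads/b", "ips": ["198.51.100.7"], "managed": True},
    {"href": "/orgs/1/workloads/c", "ips": ["192.0.2.5"], "managed": False},  # unmanaged: no label
]

def flag_source_ips(events, threshold):
    """Steps 1-2: count error-severity events per source IP, keep IPs strictly over the threshold."""
    counts = Counter(e["source_ip"] for e in events
                     if e.get("severity") == "error" and e.get("source_ip"))
    return sorted(ip for ip, n in counts.items() if n > threshold)

def build_quarantine_plan(events, workloads, threshold):
    """Steps 3-4: one blocklist and deny-all rule per flagged IP, plus the managed workloads to label."""
    flagged = flag_source_ips(events, threshold)
    ip_lists = [{"name": f"quarantine-{ip}", "ip_ranges": [{"from_ip": ip}]} for ip in flagged]
    rules = [{"name": f"deny-all-{ip}", "consumers": [f"quarantine-{ip}"], "providers": ["any"],
              "services": ["all"], "action": "deny"} for ip in flagged]
    to_label = sorted(w["href"] for w in workloads
                      if w["managed"] and set(w["ips"]) & set(flagged))
    return {"flagged_ips": flagged, "ip_lists": ip_lists, "deny_rules": rules,
            "label_workloads": to_label}

def slack_summary(plan, policy_version):
    """Step 6: text for the Slack message, sent after step 5 provisioned everything as one version."""
    return (f"Quarantined {len(plan['flagged_ips'])} IP(s): {', '.join(plan['flagged_ips']) or 'none'}\n"
            f"Workloads labeled: {len(plan['label_workloads'])}\n"
            f"Policy version: {policy_version}")

if __name__ == "__main__":
    plan = build_quarantine_plan(SAMPLE_EVENTS, SAMPLE_WORKLOADS, threshold=2)
    print(slack_summary(plan, policy_version="VERSION-PLACEHOLDER"))
```

Note that an IP whose count merely equals the threshold is left alone, and an unmanaged workload is never labeled even when its IP is blocked; both are cases to verify against the real event feed before enabling the template.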

Vendors

Slack, Utils
