Automatically Add IP Addresses to a Penalty Box in Cloudflare with Torq

Good security may come from strong defenses, but strong security comes from a good offense. This is especially true for network security, where minutes can make the difference between a breach and a near miss. 

For example, if an unknown IP address triggers an alert for suspicious or abusive behavior, the faster you can isolate and block that address, the less likely it is that the person or entity at the other end can do damage. But the time it takes for a human to look up the IP address, verify it, then add it to a penalty box or blocklist can very easily use up those few minutes. 

With Torq, you can automate the process by using a Slack command to add the address to a list within seconds. 

How Torq automates IP penalty boxing in Cloudflare

All Torq users have access to the pre-built workflow template Network – IP Penalty Box with Timeout via Slack (Cloudflare). This flow will check whether an IP address is IPv4 or IPv6, add it to the appropriate penalty box, wait for a set duration, then remove it.

Here’s how it works:

  1. A trigger is sent to Torq with the offending IP address.
  2. Torq will verify which type of address to handle (IPv4 or IPv6). 
  3. The address(es) is then added to the IP Access Rules in Cloudflare.
  4. If the block was successful, Torq will wait for a set duration and then remove the block when it expires.
  5. If an address is not provided with the trigger or the address can not be identified as either IPv4 or IPv6, an error message is sent to the requesting user. 

IP penalty workflow template in Torq

By default, the workflow uses Cloudflare for a network security solution, but it can be customized for other solutions with a few clicks. Likewise, the flow is triggered with a Slack command. But it can be set to use Microsoft Teams or Webex, or even a webhook. Using a webhook as the trigger means the workflow can be automatically executed without human intervention—further improving threat response times and overall security posture. 

Get the workflow template

Torq customers can find the IP penalty box workflow and dozens more in the template library. Just add it to your Torq account, set your preferred trigger, and determine a penalty box duration. That’s it!  

You may also want to check out some of our related templates, such as Check periodically for new Carbon Black alerts, then handle and Use Slack command to analyze suspicious URLs and IPs in VirusTotal

Get started with Torq

Not using Torq yet? Get in touch for a trial account and see how the no-code security automation platform unifies your security, infrastructure, and collaboration tools to create a stronger security posture.

Read Previous Post
Read Next Post