Blocking via Firewall/SIEM

Blocking via Firewall and SIEM is a core response action during an incident.
The goal is to stop malicious communication, contain attacker movement, and prevent further compromise by enforcing security controls at the network and log-analysis layers.
This chapter explains how SOC teams perform blocking in real incidents using firewalls, SIEM correlation, threat feeds, IP/domain deny lists, and automated response logic.


Why Blocking Is Critical in Incident Response

Blocking stops attackers from:

  • Reaching Command-and-Control servers

  • Exfiltrating data

  • Spreading laterally

  • Downloading payloads

  • Running malicious scripts

  • Reusing compromised accounts

SOC teams must block quickly and accurately to avoid false positives that could disrupt business operations.


Where Blocking Happens

There are five primary control points:

  • Firewall

  • SIEM

  • DNS filtering

  • Proxy / Secure Web Gateway

  • EDR block rules

Every environment uses a combination of these.


Firewall-Based Blocking

Firewalls enforce network-level rules to block:

  • Malicious IPs

  • Malicious domains via URL filtering

  • Ports and protocols

  • Geographic regions (Geo-blocking)

  • Outbound traffic patterns

Blocking is done through ACLs, security policies, or dynamic block lists.

Types of Firewall Blocks

1. IP Blocking

Used when an IOC is confirmed as malicious.

block outbound 91.22.113.10/32

2. Domain/URL Blocking

Useful for phishing, malware download sites, and C2 domains.

block *.update-sync.biz

3. Port Blocking

If the attacker uses unusual ports or protocols:

block outbound port 4444

4. Country Blocking

If an attack originates from restricted regions:

block outbound traffic to RU/CN

5. Application-Level Blocking

Next-gen firewalls can block:

  • TOR traffic

  • VPN proxies

  • Known RAT signatures

  • Cobalt Strike patterns


Dynamic Blocking (Automated)

Firewalls integrate with:

  • Threat feeds

  • SIEM alerts

  • SOAR playbooks

  • EDR alerts

When an IOC is confirmed malicious, the firewall updates its block list automatically.

Example workflow:

SIEM alert → SOAR workflow → firewall REST API → block IP instantly

This reduces response time to seconds.


SIEM-Based Blocking

SIEM itself does not block traffic, but it detects malicious behavior and triggers blocking actions through:

  • Automated playbooks

  • Integrations with firewalls

  • API-based response

  • SOAR orchestration

  • Detection rule-based triggers

SIEM is the brain; firewall is the muscle.


How SIEM Performs Blocking

Step 1 — SIEM Detects Malicious Activity

Example:

Encoded PowerShell + suspicious outbound IP

Step 2 — Correlation Rule Triggers

Rule identifies this as C2 behavior.

Step 3 — SIEM Sends Action to SOAR

The SOAR platform executes a workflow:

  • Block IP

  • Add domain to deny list

  • Isolate host via EDR

Step 4 — SOC Analyst Review (Optional)

High-confidence rules may auto-block.
Medium/low severity may require human approval.
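The four steps above as an added Python example (not code from this chapter or any SIEM vendor): a correlation rule pairs an encoded-PowerShell process event with an outbound connection to a suspicious IP on the same host, grades severity, and routes the result to auto-block or analyst approval. The event schema, hostnames and timestamps are constructed.

```python
from datetime import datetime, timedelta

# Constructed SIEM events in a hypothetical normalised schema (not real telemetry).
EVENTS = [
    {"ts": "2024-05-01T10:00:02", "host": "WS-042", "type": "process",
     "cmd": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4..."},
    {"ts": "2024-05-01T10:00:09", "host": "WS-042", "type": "network",
     "dst_ip": "91.22.113.10", "dst_port": 443},
    {"ts": "2024-05-01T10:05:00", "host": "WS-017", "type": "process",
     "cmd": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"ts": "2024-05-01T10:05:03", "host": "WS-017", "type": "network",
     "dst_ip": "203.0.113.5", "dst_port": 443},
    {"ts": "2024-05-01T10:20:00", "host": "WS-088", "type": "network",
     "dst_ip": "91.22.113.10", "dst_port": 443},
]
SUSPICIOUS_IPS = {"91.22.113.10"}   # the C2 address used in the chapter's examples
WINDOW = timedelta(seconds=60)      # encoded PowerShell must precede the connection within this window

def is_encoded_powershell(cmd):
    tokens = cmd.lower().split()
    if not tokens or "powershell" not in tokens[0]:
        return False
    return any(t in ("-e", "-ec", "-enc", "-encodedcommand") for t in tokens)

def correlate(events, suspicious_ips, window=WINDOW):
    # Every connection to a suspicious IP raises an alert; severity is "high" when the
    # same host ran encoded PowerShell shortly before, otherwise "medium".
    ts = lambda e: datetime.fromisoformat(e["ts"])
    encoded = [e for e in events if e["type"] == "process" and is_encoded_powershell(e["cmd"])]
    alerts = []
    for n in events:
        if n["type"] != "network" or n["dst_ip"] not in suspicious_ips:
            continue
        preceded = any(p["host"] == n["host"] and timedelta(0) <= ts(n) - ts(p) <= window
                       for p in encoded)
        alerts.append({"host": n["host"], "dst_ip": n["dst_ip"],
                       "severity": "high" if preceded else "medium"})
    return alerts

def response_plan(alert):
    # Step 4: high-confidence alerts auto-block; lower severity waits for an analyst.
    actions = [f"block_ip {alert['dst_ip']}", f"isolate_host {alert['host']}"]
    if alert["severity"] == "high":
        return {"mode": "auto", "actions": actions}
    return {"mode": "analyst_approval", "actions": actions}
```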


What SOC Analysts Block Through SIEM

  • Malicious IPs

  • Malicious domains

  • File hashes across EDR

  • Suspicious user accounts

  • Offending hosts (quarantine via EDR)

  • Outbound ports used by attackers

  • Traffic to newly registered domains

Example:

Automatic block list: domains < 7 days old

Blocking Workflow in Real SOC Environments

Step 1 — IOC Identified

Example:

C2 IP from malware sandbox: 185.77.9.22

Step 2 — Enrichment

Check reputation across:

  • VirusTotal

  • OTX

  • GreyNoise

  • Passive DNS

Step 3 — Confirm Maliciousness

If multiple sources confirm:

Confirmed malicious C2 server

Step 4 — Execute Blocking

Firewall rule added:

deny outbound to 185.77.9.22

SIEM playbook runs:

Isolate endpoint + kill process

Step 5 — Post-Block Monitoring

Watch for:

  • Reattempts

  • New IPs

  • Lateral movement

  • New DNS queries
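The five-step workflow above as an added Python example (not the chapter's own code, and not any vendor's API): constructed reputation verdicts stand in for the enrichment sources, a deny rule is emitted only when at least two sources agree and the address is outside a do-not-block list, and constructed firewall log lines are scanned for reattempts after the block.

```python
import ipaddress
from collections import Counter

# Constructed reputation verdicts standing in for VirusTotal/OTX/GreyNoise/passive DNS (hypothetical data).
REPUTATION = {
    "185.77.9.22": {"virustotal": "malicious", "otx": "malicious", "greynoise": "unknown", "passive_dns": "malicious"},
    "203.0.113.5": {"virustotal": "clean", "otx": "malicious", "greynoise": "benign", "passive_dns": "clean"},
}
DO_NOT_BLOCK = {  # never auto-blocked: internal endpoints and shared cloud/CDN/mail space
    "internal endpoint, needs host-level confirmation": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "shared cloud/CDN/mail range (placeholder, constructed)": ["198.51.100.0/24"],
}
# Constructed firewall log lines (not from a real device).
FW_LOG = """\
2024-05-01T10:12:01 action=deny src=10.1.4.23 dst=185.77.9.22 dport=443
2024-05-01T10:12:31 action=deny src=10.1.4.23 dst=185.77.9.22 dport=443
2024-05-01T10:13:00 action=allow src=10.1.4.23 dst=203.0.113.5 dport=443
2024-05-01T10:13:05 action=deny src=10.1.7.8 dst=185.77.9.22 dport=8443
"""

def confirm_malicious(ip, reputation, min_sources=2):
    # Step 3: an IOC counts as confirmed only when at least min_sources agree.
    hits = [src for src, v in reputation.get(ip, {}).items() if v == "malicious"]
    return len(hits) >= min_sources, hits

def protected_reason(ip):
    addr = ipaddress.ip_address(ip)
    for reason, nets in DO_NOT_BLOCK.items():
        if any(addr in ipaddress.ip_network(n) for n in nets):
            return reason
    return None

def block_decision(ip, reputation):
    # Step 4: emit a deny rule only for confirmed IPs outside the protected ranges.
    reason = protected_reason(ip)
    if reason:
        return {"action": "escalate", "why": reason, "rule": None}
    confirmed, sources = confirm_malicious(ip, reputation)
    if confirmed:
        return {"action": "block", "why": "confirmed by " + ", ".join(sources), "rule": f"deny outbound to {ip}/32"}
    return {"action": "review", "why": f"only {len(sources)} source(s) flagged", "rule": None}

def reattempts(fw_log, blocked_ip):
    # Step 5: denied connection attempts to the blocked IP, counted per source host.
    hits = Counter()
    for line in fw_log.splitlines():
        f = dict(kv.split("=", 1) for kv in line.split()[1:])
        if f.get("action") == "deny" and f.get("dst") == blocked_ip:
            hits[f["src"]] += 1
    return hits
```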


What Not to Block Immediately

Analysts avoid blocking:

  • Critical business applications

  • Cloud provider shared IPs

  • Internal endpoint IPs without confirmation

  • CDNs that host mixed content

  • IPs used by email services

Incorrect blocks can cause outages.


Indicators You Should Block Instantly

These require no additional validation:

  • Known C2 servers

  • Confirmed malware distribution domains

  • Ransomware infrastructure

  • IPs linked to credential theft

  • TOR exit nodes during an incident

  • Dropper URLs from sandbox analysis


Manual vs Automated Blocking

Manual Blocking

Used for:

  • High-stakes environments

  • Complex infrastructure

  • Cases where business impact matters

Automated Blocking

Used when:

  • Intel feeds are trusted

  • IOC severity is high

  • SIEM correlation confidence is strong

  • EDR findings are definitive

Automation increases speed but requires careful tuning.


Practical Blocking Examples

Example 1 — Malware C2 Detected

SIEM finds outbound beacon:

svchost.exe → 91.22.113.10:443

Actions:

  • Firewall blocks IP

  • DNS sinkhole applied

  • Host isolated


Example 2 — Data Exfiltration Attempt

Outbound traffic to unknown server:

python.exe → POST /upload

Firewall blocks upload URL instantly.


Example 3 — Phishing Web Access

User visits phishing domain:

login-security-microsoft[.]net

Proxy blocks domain and logs the user session.


Example 4 — Hash-Based Blocking

Extracted malware hash from memory:

SHA256 → LockBit loader

EDR adds to block list to stop execution on other machines.


Intel Dump

  • Blocking is done via firewalls, DNS filtering, proxies, SIEM automation, and EDR block rules.

  • Firewalls block IPs, domains, URLs, ports, and malicious applications.

  • SIEM triggers blocking through playbooks, APIs, and SOAR automation.

  • Analysts enrich IOCs before blocking to prevent false positives.

  • Instant blocking applies to confirmed malware C2, ransomware, and dropper infrastructure.

  • Blocking stops C2 traffic, lateral movement, data exfiltration, and active attacks.
