# Network & blocking
The Network API manages IP, CIDR, domain, and ASN blocks applied at your Cloudflare and firewall layer — giving Sentinel and your analysts the ability to cut off malicious traffic instantly.
## The block object

```json
{
  "id": "blk_01hxyz",
  "tenant_id": "ten_01hxyz",
  "type": "ip",
  "value": "41.58.22.11",
  "direction": "both",
  "reason": "C2 communication detected from this IP — blocking.",
  "incident_id": "inc_01hxyz",
  "expires_at": null,
  "created_by": "usr_01hxyz",
  "created_at": "2025-06-01T03:14:09Z",
  "removed_at": null,
  "removed_by": null
}
```

## List active blocks
```bash
GET /v1/sentinel/network/blocks
```

| Name | Type | Required | Description |
|---|---|---|---|
| `filter[type]` | string | No | One of `ip`, `cidr`, `domain`, `asn`. |
| `filter[active]` | boolean | No | `true` (default) returns active blocks only; `false` returns all blocks, including removed ones. |
## Create a block

```bash
POST /v1/sentinel/network/blocks
```

| Name | Type | Required | Description |
|---|---|---|---|
| `value` | string | Yes | IP address, CIDR range (e.g. `41.58.0.0/16`), domain, or ASN number. |
| `type` | string | Yes | One of `ip`, `cidr`, `domain`, `asn`. |
| `reason` | string | Yes | Why this is being blocked. Written to the audit trail. |
| `direction` | string | No | One of `inbound`, `outbound`, `both`. Defaults to `both`. |
| `incident_id` | string | No | Associate the block with an open incident. |
| `expires_at` | string | No | ISO 8601 timestamp. If set, the block is automatically removed at this time. |
```bash
curl -X POST https://api.hldgroup.org/v1/sentinel/network/blocks \
  -H "Authorization: Bearer hld_live_xxxx" \
  -H "Content-Type: application/json" \
  -d '{
    "value": "41.58.22.11",
    "type": "ip",
    "direction": "both",
    "reason": "Active C2 communication — inc_01hxyz.",
    "incident_id": "inc_01hxyz"
  }'
```

## Remove a block
```bash
DELETE /v1/sentinel/network/blocks/:id
```

```json
{
  "reason": "Investigation complete. IP confirmed benign."
}
```

Returns `204 No Content` on success. The block record is soft-deleted: removal history is retained for audit.
**Note:** Blocks are applied via the Cloudflare integration. Ensure your Cloudflare integration is healthy (`GET /v1/integrations/:id/health`) before relying on network blocks for active incident response.
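Because a malformed `value` (a host address submitted as `cidr`, a prefix with host bits set, an expiry already in the past) either gets rejected by the API or silently blocks the wrong thing during an incident, it is worth validating a block request client-side before sending it. The following is an added example, not part of the Sentinel API or its SDKs: it checks `value` against `type` with the rules the table above implies, builds the `POST /v1/sentinel/network/blocks` body, and evaluates a returned block object the way `filter[active]=true` does. The validation rules (strict CIDR, hostname syntax, 32-bit ASN range) and the sample ASN and domain are assumptions of this example.

```python
import ipaddress
import re
from datetime import datetime, timezone
DIRECTIONS = {"inbound", "outbound", "both"}
# Hostname syntax only (labels of 1-63 chars, alphabetic TLD); no DNS resolution is attempted.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

def parse_ts(s):
    dt = datetime.fromisoformat(s.replace("Z", "+00:00"))  # API emits trailing Z
    if dt.tzinfo is None:
        raise ValueError(f"timestamp must carry a timezone offset: {s!r}")
    return dt

def validate_value(block_type, value):
    """Return True if `value` is well-formed for `block_type`, else raise ValueError."""
    if block_type == "ip":
        ipaddress.ip_address(value)                    # rejects garbage and CIDR notation
    elif block_type == "cidr":
        ipaddress.ip_network(value, strict=True)       # strict: host bits must be zero
    elif block_type == "domain":
        if not DOMAIN_RE.match(value):
            raise ValueError(f"not a valid hostname: {value!r}")
    elif block_type == "asn":
        asn = int(value.upper().removeprefix("AS"))    # accepts "AS64496" or "64496"
        if not 1 <= asn <= 2**32 - 1:
            raise ValueError("ASN out of range")
    else:
        raise ValueError("type must be one of ip, cidr, domain, asn")
    return True

def build_block_request(value, block_type, reason, direction="both",
                        incident_id=None, expires_at=None):
    """Validate inputs and return the JSON body for POST /v1/sentinel/network/blocks."""
    validate_value(block_type, value)
    if direction not in DIRECTIONS:
        raise ValueError(f"direction must be one of {sorted(DIRECTIONS)}")
    if not reason.strip():
        raise ValueError("reason is required; it is written to the audit trail")
    body = {"value": value, "type": block_type, "reason": reason.strip(), "direction": direction}
    if incident_id: body["incident_id"] = incident_id
    if expires_at:
        exp = parse_ts(expires_at)
        if exp <= datetime.now(timezone.utc):
            raise ValueError("expires_at is already in the past; the block would never apply")
        body["expires_at"] = exp.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return body

def is_block_active(block, now_iso):  # mirrors filter[active]=true on a block object
    if block.get("removed_at"): return False
    return block.get("expires_at") is None or parse_ts(block["expires_at"]) > parse_ts(now_iso)
```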