Blocking Offenses in JSA and IBM QRadar with Security Director
After successfully registering with Security Director, you can block an offense by selecting source IP addresses and creating rules for them in Security Director.
You can use the same procedure to block an offense in IBM QRadar.
- Log in to the JSA application.
- Select Offenses > All Offenses.
- Double-click an offense that you want to block.
The corresponding offense summary page is displayed. Scroll down to the Security Director Extension wizard as shown in Figure 1.
- Click Block Offense to create a firewall rule to block IP addresses from accessing the firewall device.
The Block Offense page is displayed.
- Select the source IP addresses causing the offense that you want to block. The table lists the top offending source IP addresses based on events over the past 24 hours, sorted by event count.
- Click Create Rules.
A success message is displayed. Security Director jobs are triggered for publishing and updating the configuration. Then the Job Status button is enabled.
- Click Job Status to monitor the jobs in the Job Management page in Security Director.
The firewall rules are displayed in the Security Director Extensions widget. Click View in SD to view the firewall policy rules under Device Specific Policies in the Firewall Policies page in Security Director.
See Creating Firewall Policy Rules and Using Job Management in Security Director in the Security Director User Guide.
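The source-selection step lists the top offending source IP addresses over the past 24 hours, sorted by event count. The following added example (not code from JSA, QRadar, or Security Director) reproduces that ranking over exported events and flags internal addresses for review before they are selected for a block rule. The event tuple format, the `REVIEW_NETS` ranges, the function names, and the sample events are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Assumption: internal ranges whose addresses need review before any block rule.
REVIEW_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _valid(ip):
    """Return the normalized address string, or None for malformed input."""
    try:
        return str(ip_address(ip))
    except ValueError:
        return None


def top_sources(events, now, window=timedelta(hours=24), limit=10):
    """Rank source IPs by event count inside the window, highest count first.

    events: iterable of (timestamp, source_ip) tuples.
    Returns a list of (ip, count, needs_review) tuples.
    """
    cutoff = now - window
    counts = Counter()
    for ts, ip in events:
        addr = _valid(ip)
        if addr and cutoff <= ts <= now:
            counts[addr] += 1
    # Sort by count descending; break ties on the address string for stable output.
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(ip, n, any(ip_address(ip) in net for net in REVIEW_NETS))
            for ip, n in ranked[:limit]]


# Constructed sample events (documentation and private address ranges only).
NOW = datetime(2024, 1, 2, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = (
    [(NOW - timedelta(hours=h), "203.0.113.7") for h in (1, 2, 3)]
    + [(NOW - timedelta(hours=h), "10.1.2.3") for h in (5, 6)]
    + [(NOW - timedelta(hours=23), "198.51.100.9"),
       (NOW - timedelta(hours=30), "198.51.100.9"),  # older than 24 hours, ignored
       (NOW - timedelta(hours=1), "not-an-ip")]       # malformed, ignored
)

if __name__ == "__main__":
    for ip, count, review in top_sources(SAMPLE_EVENTS, NOW):
        note = "REVIEW: internal address" if review else "candidate"
        print(f"{ip:<15} {count:>3}  {note}")
```

An address marked for review may be a NAT gateway, scanner, or other internal asset, so confirm its role before including it in the rule.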