IBM QRadar

  • 1.  QRadar 7.3.1 as IPS

    Posted Wed February 12, 2020 02:47 PM
    I'm having a distributed deployment of QRadar 7.3.1.
    I have created a custom rule to detect IP scanning on my network, and the rule is working fine.
    Now using Custom Action, I want QRadar not only to generate an offence when someone connects to my network device but ALSO to disable the ethernet port of the router / firewall at which the attacking laptop is connected. By writing custom scripts, can I make my QRadar log in to the firewall (Juniper) and execute JunOS commands to disable that specific port?
    Any help in this regard will be highly appreciated.
    Regards.

    ------------------------------
    Shahzad Ahmed
    ------------------------------


  • 2.  RE: QRadar 7.3.1 as IPS

    Posted Thu February 20, 2020 08:37 AM
    Hi @Shahzad Ahmed,

    I am not an expert in Juniper but I think it is doable. Just one challenge I am thinking about.
    1) I am not sure you will get what ethernet port the attacker is connected to in the log from QRadar. (Excuse me if I am wrong)

    QRadar can do the login to the firewall and disable the port (I would probably say block the IP/MAC instead of the port)

    ------------------------------
    Chinmay Kulkarni
    ------------------------------
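Added example (not code from either poster, IBM or Juniper): the core of a Custom Action script that follows the second reply's advice and blocks the offending source IP with a Junos firewall filter term instead of shutting a port. It assumes QRadar passes the offence's source IP as the first script argument, that a filter named `QRADAR-BLOCK` with a final `ALLOW-ALL` term is already applied on the ingress interface, and that the generated statements are later pushed over SSH; here they are only validated and printed as a dry run.

```python
#!/usr/bin/env python3
"""QRadar Custom Action skeleton: block a source IP on a Junos firewall.

Constructed example. FILTER_NAME, the ALLOW-ALL term and the protected-host
list are assumptions about the target environment, not QRadar defaults.
"""
import ipaddress
import sys

FILTER_NAME = "QRADAR-BLOCK"      # assumed filter already applied to the interface
LAST_TERM = "ALLOW-ALL"           # assumed final permit term; new terms go before it
# Hosts an automated response must never block (constructed sample values).
PROTECTED = {ipaddress.ip_address("10.10.10.1"),    # default gateway
             ipaddress.ip_address("10.10.10.50")}   # QRadar console


def validate_ip(raw: str) -> str:
    """Return a normalised IPv4 host address or raise ValueError.

    Event properties come from attacker-influenced traffic, so this check is the
    boundary that keeps shell or CLI metacharacters out of the generated commands
    and stops the automation from blocking its own infrastructure."""
    try:
        ip = ipaddress.ip_address(raw.strip())
    except ValueError:
        raise ValueError(f"not a valid IP address: {raw!r}") from None
    if ip.version != 4:
        raise ValueError("only IPv4 is handled in this example")
    if ip in PROTECTED or ip.is_loopback or ip.is_multicast or ip.is_unspecified:
        raise ValueError(f"refusing to block protected address {ip}")
    return str(ip)


def junos_block_commands(ip: str) -> list:
    """Junos configuration-mode statements adding a discard term for `ip`.

    `ip` must already have passed validate_ip(); the term name is derived from it
    so repeated offences for the same source are idempotent on the device."""
    term = "BLOCK-" + ip.replace(".", "-")
    prefix = f"set firewall family inet filter {FILTER_NAME} term {term}"
    return [
        f"{prefix} from source-address {ip}/32",
        f"{prefix} then discard",
        # Keep the permit term last so legitimate traffic still matches it.
        f"insert firewall family inet filter {FILTER_NAME} term {term} before term {LAST_TERM}",
        f'commit comment "QRadar auto-block {ip}"',
    ]


def main(argv: list) -> list:
    """Dry run: validate the argument QRadar supplied and print the statements."""
    if len(argv) < 2:
        raise SystemExit("usage: block_source.py <source-ip>")
    commands = junos_block_commands(validate_ip(argv[1]))
    print("\n".join(commands))   # a real action would send these over SSH instead
    return commands


if __name__ == "__main__":
    main(sys.argv)
```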