I am working on tuning my QRadar Offenses and am getting numerous Offenses where one of my main firewalls is the source:
"Excessive Firewall Denies Between Hosts containing Firewall Deny"
I looked at the Offenses for Excessive Firewall Denies and I see it is excluding the BB:HostDefinition: Servers. The problem is that there is no building block for firewalls.
I know I could just use the False Positive for this Offense and enter my firewall IP, but I was curious what others have done for tuning activity from their firewall out of rules. Do you create a building block for firewall servers and put that in the BB:HostDefinition: Servers? Or something else that has worked?
Thanks for your help,