straq
5 Posts

Offense source summary shows unrelated username

2015-09-01T09:31:18Z

Getting an offense triggered for excessive firewall denies. So far, so normal:

The problem is the Offense Source summary, which lists a Username, which throws us off, as we cannot find a single event linking the Source (IP) with this username. (The listed user does not understand why his username is listed; the Source is an iPad, which is not logged on with a normal username.)

By what criteria is this field (Offense Source summary -> Username) populated?

  • EricLauzon
    1 Post

    Re: Offense source summary shows unrelated username

    2015-09-01T14:41:22Z

    Hi straq,

    I think the username you are seeing comes from the asset profile of the source of the offense.


  • straq
    5 Posts

    Re: Offense source summary shows unrelated username

    2015-09-02T04:51:03Z

    Hi, Eric.

    The Source IP of the offense does not exist as an asset.

    The situation is: an incomplete network configuration leads to a lot of anti-spoofing drops at the firewall, triggering the "Excessive firewall denies" offense.

    But, as stated, we cannot understand why the user is listed in the Offense Source summary.

    The Source IP in question does not exist as an asset.

    Would very much like to get to the bottom of this, as this could affect the trust in QRadar. Do we need to second-guess the information we get from the offenses?