Maybe we haven't done enough tuning, but we seem to have a fair number of low magnitude events that pop up on a regular basis. I'm wondering if anyone had any policies that state that you just automatically close out any offense with a magnitude of X or lower. I'd like to be able to have a stated policy for my team such that as we investigate, we automatically close magnitude 1-4, glance at 5-7s, and make a deep investigation of 8 or higher. But I just totally grabbed those numbers out of a hat and have no basis for whether they are realistic or not.
We're still relatively new to the platform, so I'd love to hear how others handle the day to day operations.
-------Posted BY Corey Weeklund
Pinned topic What's your threshold for investigation?
Answered question This question has been answered.
Unanswered question This question has not been answered yet.
Updated on 2012-11-27T18:15:53Z at 2012-11-27T18:15:53Z by SystemAdmin
Re: take time and magnitude together2012-06-21T19:53:17ZThis is the accepted answer. This is the accepted answer.Sorry to see this has gone almost a month with no answers, but I'm just now seeing it myself.
Here is how I suggest you approach the Offenses tab in QRadar. When your team has time to look at a new offense, take the highest magnitude offense (that's unassigned), assign it to yourself and start working. Stop when you come to a conclusion or get stuck. Repeat as necessary.
Separate from all that, have a "cull" process that comes along and closes any offenses (regardless of magnitude) that have been open for more than X days. This may feel "wrong" but really, at some point, it's just not going to matter anymore. Maybe that's 7 days, or 30 days, or 90 days, depending on your organization. If you find yourself repeatedly closing the same offense only to have it re-open right away, chances are you have a rule that needs tuning. Similarly, if you feel that the high magnitude offenses are not as important, use rule tuning to adjust the magnitude down.
For the offenses that you cull, you should keep track of this as work that is not getting done because you don't have enough staff to handle everything. Report this up to your management as justification for additional staffing. Probably won't get you much, but it's worth the try.
Posted By travis.mcwaters
Re: Travis provided some good2012-11-27T18:15:53ZThis is the accepted answer. This is the accepted answer.Travis provided some good advice and I will expand on that a little further. As much as possible I think you want to have QRadar offense investigation mimic your business or security guidelines.
If you have a list of critical assets from a business perspective, ensure they are defined as critical within QRadar. Then you can create an Offense rule that flags those offenses specifically to ensure they are detected.
If your business has a lot of contractors or temporary users, you may need to be more diligent on those offenses, and again you can tune QRadar to ensure those offenses are monitored.
QRadar can perform some amazing correlations and make very intelligent decisions for you, but to get the best value you should ensure its decisions are lined up with your priorities.
Posted By scott.vanwart