Investigate IT security incidents with QRadar Forensics

Jose Bravo demonstrates how to investigate common security incidents

Introduction to Forensics

In this introductory video, Jose Bravo recaps two of QRadar's current offerings and then introduces the new forensics offering from IBM. Jose discusses QRadar SIEM's basic ability to take billions of SIEM events, combine them with detected flows and external data, and identify a small number of high-priority offenses that need to be investigated. He notes that QRadar revolutionized the SIEM market by creating a system that enables people who are not IT security experts to manage IT security issues. Jose discusses the ability of QRadar Vulnerability Manager (QVM) to take detected vulnerabilities from application scanners, Guardium, and many other sources, combine them with topology information and security policies, and identify a few top-priority threats that need to be acted on. Jose then introduces the new IBM offering, QRadar Forensics, which uses both structured and unstructured data to find relationships that assist in forensics investigations. This enables people who aren't data scientists to perform meaningful investigations into IT security incidents.

Sending confidential information in email file attachments

In this video, Jose introduces a common question: "Are employees sending emails with confidential information outside the company?" He shows how to set up rules that trigger an offense when someone sends an email with an attachment, and how to create a Forensics Recovery work item. He then runs QRadar Forensics queries over the full content that was indexed on the appliances monitoring the outbound traffic. He shows that even simple cases can generate large numbers of data items that need to be searched. Jose also shows how to build queries against the indexed data for words such as "Confidential" or "Secret". From the search results, he shows how to look at the metadata on the emails, how to look for other places the document was sent, and how to extract other information that can help the investigator. After a suspicious email is found, he shows how to use the MAC addresses, IP addresses, and user IDs related to the sender of the email to find relationships and activity that might indicate that the sent file is suspicious.

Looking for suspected information leaks

In this video, Jose proposes a scenario in which "Replay Industries" suspects that company information has been leaked because it has shown up at a competitor. No one knows who or how it was leaked. Jose starts QRadar Forensics and enters a search query for "Replay Industries." In the search results, which are sorted by relevance, Jose sees an online chat in which a document was exchanged that had the phrase "Replay Industries." From there, Jose demonstrates how to run queries that show a bigger picture of the communications between the two parties in the chat. He shows how QRadar Forensics can identify the email addresses, Voice over IP calls, and other types of communications that the two people had with each other. Jose also demonstrates the "surveyor" capability that lets the investigator look at everything that happened to a subject for a time period before and after the event of interest. Jose shows how a subject's web traffic can be captured by the system so that the investigator sees what the subject sees. Jose also demonstrates QRadar Forensics' capability to visualize the IP addresses and email addresses a subject communicates with.

Detecting brute force attacks over telnet

In this video, Jose starts with a detected offense and looks at the relationships between the source and destination IP addresses. He starts a new Forensics Recovery investigation. In the new investigation, Jose shows the Forensics tab collecting and indexing the information related to the offense that raised the concern. He shows how the target IP address listed in the offense can be searched for in the Forensics Recovery investigation, and how the indexed information can be scanned for incorrect logins. Jose shows the results of the query, which lists all the incorrect logins, and selects one to open for more detail. In that detail, you can see that a brute force attack is clearly being performed on the session, and you can see the attacker's eventual success and subsequent activities.
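The same check the video performs by hand, scanning recovered session data for repeated incorrect logins and noting where the attacker finally got in, can be scripted. The block below is an added example, not QRadar's own code or query language; the record format and the threshold of five failures are assumptions, and the log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of login records recovered from
# indexed telnet sessions (assumed format, not QRadar's own output).
SAMPLE_LOG = """\
2024-03-01T09:00:01 src=10.0.0.5 dst=192.168.1.20 proto=telnet user=root result=fail
2024-03-01T09:00:02 src=10.0.0.5 dst=192.168.1.20 proto=telnet user=root result=fail
2024-03-01T09:00:03 src=10.0.0.5 dst=192.168.1.20 proto=telnet user=admin result=fail
2024-03-01T09:00:04 src=10.0.0.5 dst=192.168.1.20 proto=telnet user=admin result=fail
2024-03-01T09:00:05 src=10.0.0.5 dst=192.168.1.20 proto=telnet user=operator result=fail
2024-03-01T09:00:06 src=10.0.0.5 dst=192.168.1.20 proto=telnet user=admin result=success
2024-03-01T09:05:00 src=10.0.0.9 dst=192.168.1.20 proto=telnet user=jdoe result=fail
2024-03-01T09:05:10 src=10.0.0.9 dst=192.168.1.20 proto=telnet user=jdoe result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=telnet "
    r"user=(?P<user>\S+) result=(?P<result>fail|success)$"
)

def parse_records(text):
    """Yield one dict per well-formed line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def find_brute_force(records, threshold=5):
    """Group login attempts by (src, dst) and report pairs whose failure count
    reaches the threshold. The first success following the failures is kept,
    because that is the point from which the investigator traces what came next."""
    by_pair = defaultdict(lambda: {"failures": 0, "users": set(), "success": None})
    for r in records:
        state = by_pair[(r["src"], r["dst"])]
        if r["result"] == "fail":
            state["failures"] += 1
            state["users"].add(r["user"])
        elif state["failures"] and state["success"] is None:
            state["success"] = (r["ts"], r["user"])
    findings = []
    for (src, dst), s in sorted(by_pair.items()):
        if s["failures"] >= threshold:
            findings.append({"src": src, "dst": dst, "failures": s["failures"],
                             "users_tried": sorted(s["users"]),
                             "success_after": s["success"]})
    return findings

if __name__ == "__main__":
    for finding in find_brute_force(parse_records(SAMPLE_LOG)):
        print(finding)
```

The single legitimate mistyped password from 10.0.0.9 stays below the threshold, while the burst from 10.0.0.5 is reported together with the account that eventually succeeded.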
