Visualization of Amazon AWS cloud offense data

The AWS Offense Overview dashboard helps security analysts to visualize potential offenses in AWS, and can be organized in various ways to suit your needs.

The AWS Offense Overview dashboard displays all open offense data in the following charts:
  • All regions by magnitude
  • All regions by related rule
  • Top 10 account IDs by magnitude
  • Top 10 account IDs by related rule
  • Top 10 resource types by magnitude
  • Top 10 resource types by related rule
  • Total offenses by MITRE tactic and rule (This chart is only available if IBM® QRadar® Use Case Manager is installed.)
  • Most severe offenses
  • Location of offenses by magnitude
  • Magnitude level indicator

The dashboard includes graphs that sort offenses by user or region. The graphs also display the magnitude of offenses and the number of offenses per rule. Regions can be classified in the charts as "unknown" for various reasons:
  • The log source that processes Amazon AWS logs didn't identify the region, so the region was not included in the event data.
  • The app could not retrieve events from the Ariel database because the database was overloaded, so the event data for some offenses lacks the region information.

The offense data can be displayed in pie or bar chart format. To toggle the view, click the View Chart icon. Hovering over a chart section shows more detail, such as what the color represents and the percentage of offenses that the section accounts for. Display a legend of the rules and their colors by clicking Show legend. In the All regions by magnitude and All regions by related rule charts, you can also toggle between graph and table format by clicking the View table icon.

To see the offenses behind a chart, click a chart section to drill down into the list of offenses that are related to the location or user you clicked. For example, you might want to see the offenses that relate to a user and the rule depicted by the bar chart. To see this information, drill down through the levels of detail for that user, and then click an offense to view its details in QRadar.

Along with the charts, you can learn more information about your offenses through the severe offenses table, the map, and the magnitude level indicator. The most severe offenses are listed in a separate table where you can click an offense to get more details. The map shows offenses by offense magnitude, including the regions or user locations and the severity of the offenses in those locations. The magnitude level indicator shows the percentage of offenses per each magnitude. Hovering over the magnitude level indicator shows the average offense magnitude.
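To make concrete how these charts are derived from offense records, here is an added Python example; it is not code from QRadar Cloud Visibility or IBM. The record fields, the sample offenses and the grouping rule (count of offenses per region, account ID or resource type, broken down by magnitude or by contributing rule) are assumptions made for the illustration. It shows why an offense whose event data lacks a region lands in the "unknown" bucket, how a Top 10 chart is ranked, and how the magnitude level indicator's percentages and average magnitude are computed.

```python
"""Group open AWS offense records the way the AWS Offense Overview charts do.

Added example, not QRadar Cloud Visibility code. The record layout and the
grouping rules are assumptions made for this illustration.
"""
from collections import Counter, defaultdict
from statistics import mean

UNKNOWN_REGION = "unknown"  # label the dashboard uses when the region is absent

# Constructed sample offenses; the field names are hypothetical.
# Offense 2 has no region (the log source did not populate it) and offense 6
# has an empty region (event data could not be retrieved), so both land in the
# "unknown" bucket. Offense 5 is closed and is excluded from the open charts.
OFFENSES = [
    {"id": 1, "status": "open", "magnitude": 8, "region": "us-east-1",
     "account_id": "111111111111", "resource_type": "AWS::IAM::User",
     "rule": "AWS: Root account usage"},
    {"id": 2, "status": "open", "magnitude": 5, "region": None,
     "account_id": "111111111111", "resource_type": "AWS::S3::Bucket",
     "rule": "AWS: S3 bucket made public"},
    {"id": 3, "status": "open", "magnitude": 8, "region": "eu-west-1",
     "account_id": "222222222222", "resource_type": "AWS::IAM::User",
     "rule": "AWS: Root account usage"},
    {"id": 4, "status": "open", "magnitude": 3, "region": "us-east-1",
     "account_id": "333333333333", "resource_type": "AWS::EC2::Instance",
     "rule": "AWS: S3 bucket made public"},
    {"id": 5, "status": "closed", "magnitude": 9, "region": "us-east-1",
     "account_id": "111111111111", "resource_type": "AWS::IAM::User",
     "rule": "AWS: Root account usage"},
    {"id": 6, "status": "open", "magnitude": 5, "region": "",
     "account_id": "222222222222", "resource_type": "AWS::EC2::Instance",
     "rule": "AWS: Security group opened to 0.0.0.0/0"},
]


def open_offenses(offenses):
    """The overview charts only plot open offenses."""
    return [o for o in offenses if o["status"] == "open"]


def region_of(offense):
    """A missing or empty region is charted as 'unknown'."""
    return offense.get("region") or UNKNOWN_REGION


def chart(offenses, key, breakdown, top=None):
    """Generic '<dimension> by <breakdown>' chart.

    For each key (region, account ID, resource type) count offenses per
    breakdown value. Returns [(key, {breakdown_value: count}), ...] ordered
    by total offense count; `top` limits the rows (the Top 10 charts).
    Ties keep first-seen order, as Counter.most_common is stable.
    """
    buckets = defaultdict(Counter)
    for o in offenses:
        buckets[key(o)][breakdown(o)] += 1
    totals = Counter({k: sum(c.values()) for k, c in buckets.items()})
    return [(k, dict(buckets[k])) for k, _ in totals.most_common(top)]


def by_magnitude(offenses, key, top=None):
    """'... by magnitude' charts: offenses per key, broken down by magnitude."""
    return chart(offenses, key, lambda o: o["magnitude"], top)


def by_related_rule(offenses, key, top=None):
    """'... by related rule' charts: offenses per key, broken down by rule."""
    return chart(offenses, key, lambda o: o["rule"], top)


def magnitude_level_indicator(offenses):
    """Percentage of offenses at each magnitude, plus the average magnitude
    shown on hover. Returns ({magnitude: percent}, average)."""
    if not offenses:
        return {}, 0.0
    counts = Counter(o["magnitude"] for o in offenses)
    pct = {m: round(100.0 * c / len(offenses), 1)
           for m, c in sorted(counts.items())}
    return pct, round(mean(o["magnitude"] for o in offenses), 2)


def most_severe(offenses, top=5):
    """The 'Most severe offenses' table: highest magnitude first."""
    return sorted(offenses, key=lambda o: o["magnitude"], reverse=True)[:top]


if __name__ == "__main__":
    opened = open_offenses(OFFENSES)
    print("All regions by magnitude:", by_magnitude(opened, region_of))
    print("Top 10 account IDs by related rule:",
          by_related_rule(opened, lambda o: o["account_id"], top=10))
    print("Magnitude level indicator:", magnitude_level_indicator(opened))
    print("Most severe:", [o["id"] for o in most_severe(opened, top=3)])
```

Because `region_of` treats both `None` and `""` as unknown, the "unknown" bucket in the sample ties with us-east-1 at two offenses; in a real dashboard a large unknown bucket is the cue to check whether the log source is populating the region field or whether Ariel queries are timing out.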

To ensure that the data is up-to-date, click Refresh in the overview title bar. You can also see when you last refreshed the page. If you want to save a snapshot of offense creation for a specific time, you can save chart and map data. The map and charts can be downloaded in PNG format through QRadar Cloud Visibility, so you can save these images and share them with managers and colleagues.

Trends

By clicking the Trends tab, you can see a trend of new offenses that were created over a specific time period. The tab refreshes automatically if you reopen it after more than 5 minutes. By default, the offense creation timeline for the last 24 hours is shown. You can also view the offense timeline for the last 7 days or the last 30 days. Only the timeline of new offenses is displayed.

If you want to save a snapshot of offense creation for a specific time, you can save chart data. The charts can be downloaded in PNG format through QRadar Cloud Visibility, so you can save these images and share them with managers and colleagues.

To return to the dashboard view, click the Current Status tab. The date and time range you want to view can be selected in the Filters sidebar for the Trends page.

Filters

The Offense dashboard has filters so you can choose the offenses that you want to view. These filters apply to the whole dashboard, not just one chart, and are different depending on which cloud service you are viewing. Access the Filters sidebar by clicking the filter icon in the upper left of the page.

Fine-tune the AWS Offense Overview dashboard by the following filters:
Offense Status
Select the status type that you want to view in the overview charts: all open, only active, or closed.
Offense Start Date
Configure a date range to display in the charts for when offenses were first detected in QRadar Cloud Visibility.
Magnitudes
Select the magnitude of offenses you want to view in the overview charts. The graphs are also affected by the magnitudes you select.
Log Source Types and Log Sources
Select the log source types and the specific log sources for the offenses you want to view, or select all the log sources for the selected log source type.

In QRadar Cloud Visibility V1.3.0 and later, administrators can customize which log source types and log sources contribute to the dashboard.

Regions
Select the geographic areas worldwide where the Amazon cloud computing resources are hosted for the offenses you want to view.
Account IDs
Select the Amazon AWS account IDs for the offenses you want to view.
Resource Types
Select the Amazon AWS service resources for the offenses you want to view.
Rule Groups and Rules
Select the groups or individual rules for the offenses you want to view.

The Other category contains contributing rules, such as custom rules and rules from different content packs. Consider tuning your rules if unintended rules appear in the dashboard.

Amazon AWS Offense Overview

Figure 1. Regions, top 10 account IDs, and top 10 resource types by magnitude on AWS
Figure 2. Regions, top 10 account IDs, and top 10 resource types by related rule on AWS
Figure 3. Total offenses by MITRE tactic and rule, most severe offenses, map, and magnitude level indicator on AWS