Investigating threats

Investigate threat data and indicators of compromise that are imported from various sources from one unified interface.

Before you begin

Ensure that the risk information from the various source products is imported into the IBM® Security Risk Manager repository through the Universal Data Insights and Connected Assets and Risk services. For more information about downloading risk information, see Asset and data source connections.

Procedure

  1. On the home page, click the Menu icon.
  2. In the My applications section, click Risk Manager > Manage threats.
  3. Review the threat data.
    1. Click the Threats tab.

      By default, a list of all the threats and their attributes is displayed in tabular format. You can apply filters to the threat list to focus on the content that you want.

    2. Select the relevant filters and click Apply filters.
    3. Review the details for the selected threat.
      Field           | Description
      Threat          | Name of the threat. Threats are the events that occurred on an asset at a specific time.
      Severity        | Severity level of the detected threat, such as high, medium, or low.
      Occurrences     | Number of events or sightings that are associated with the selected threat.
      Indicators      | Number of IOCs that are associated with the threat. IOCs are the evidence of malicious activities that occurred on a system or network, for example, suspicious URLs or email addresses.
      Affected assets | Number of assets where the threat is detected.
      First seen      | The date when the threat was seen for the first time.
      Last seen       | The date of the most recent detection of the threat.
      Risk area       | Names of the risk areas that are associated with the selected threat. A risk area is a logical group of threats of similar nature.
    4. To view the following details of a selected threat, click the More icon and click View details. Alternatively, click the threat name.
      Overview
      The overview information, such as the threat first and last seen dates, the count of threat event occurrences, the threat severity, and the names of the threat actors that are associated with the threat.
      Affected assets
      Links to the top three assets where the threat was detected. Click a link to view the asset overview information in the side window. To view details of all the affected assets, click View all assets.
      Threat activity over time
      The Threat activity over time chart shows the pattern of occurrence of threat activities for the past 15 days from the privileged and unprivileged accounts. When you hover over a vertical bar on the chart, a tooltip displays the count of threat event occurrences, the threat event occurrence date, and the group type.

      You can view details of the threat activities that occurred on a particular date from all the privileged risky users along with their risk score. Click a privileged risky user name to view the Privileged user activity over time chart that shows details of the threat activities. Hover over a horizontal bar on the chart to view details such as the threat activity start time, end time, IP address of the affected asset, and the privileged account name.

      Indicators
      Links to the top three IOCs where the threat was detected. Click a link to view the IOC overview information in the side window. To view details of all the IOCs, click View all.
    5. The threats that are imported from the source products are automatically mapped to the appropriate risk areas. You can change the existing threat mapping by assigning different risk areas. For more information about assigning risk areas, see Creating and assigning risk areas to a threat.
  4. Review the indicators of compromise (IOCs) data.
    1. Click the Indicators tab.

      By default, a list of all the IOCs and their attributes is displayed in tabular format. You can apply filters to the IOC list to focus on the content that you want.

    2. Select the relevant filters and click Apply filters.
    3. Review the details for the selected IOC.
      Field     | Description
      Indicator | Name and type of the IOC. IOCs are the evidence of malicious activities that occurred on a system or network, for example, suspicious URLs or email addresses.
      Severity  | The severity level of the IOC, such as high, medium, or low.
      Sightings | Number of times the IOC is referenced in a threat across the enclaves.
      Source    | Name of the source product from which the IOC is imported, for example, TruSTAR.
      Last seen | The date of the most recent detection of the IOC.
      Risk area | Names of the risk areas that are associated with the IOC.
  5. Review the affected asset data.
    1. Click the Affected assets tab.

      By default, a list of all the affected assets and their attributes is displayed in tabular format. You can apply filters to the asset list to focus on the content that you want.

    2. Select the relevant filters and click Apply filters.
    3. Review the details of the selected asset.
      Field                 | Description
      Asset name            | Name of the asset. Entities such as databases, applications, assets, IP addresses, and hostnames are collectively referred to as assets in Risk Manager.
      Asset type            | Type of the asset entity, for example, application or IP address.
      Risk                  | Overall risk score of the asset, such as high, medium, or low. The risk score is calculated from the threat frequency and severity, controls, and asset value by using the Threat, Vulnerability, and Asset Risk components, according to the weight that is assigned to each factor.
      Vulnerabilities       | Count of critical and major vulnerabilities that are detected in the asset when a vulnerability scan is run in the source products, for example, IBM Security Guardium® or IBM Security QRadar®.
      Weaponized exploits   | Count of open vulnerabilities with exploits that are detected in the asset.
      Exploit code          | Count of vulnerabilities for which weaponized code is not needed for exploitation. An exploit code is a program that is used to exploit a vulnerability.
      Attack chain          | Count of vulnerabilities that have an attack chaining capability. An attack chain is a sequence of events that are involved in a security attack.
      Actions on objectives | Count of vulnerabilities with actions on objectives.
      Threats               | Count of critical and major threat events that are monitored in the asset. For example, threat events include threats that are identified by QRadar, or policy violations or activity monitoring alerts from Guardium.
      Monitoring            | Status of the monitoring control that is implemented on the asset. Protect your assets by installing a monitoring agent on the asset to detect security and compliance problems.
      Encryption            | Status of the encryption control that is implemented on the asset to secure data.
    4. To view details of the selected asset, click the asset name.
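The following Python is an added illustration, not part of this documentation or of the Risk Manager product: it derives the Threats tab columns (step 3) and the Indicators tab columns (step 4) from constructed event records and applies a filter, so that the relationship between imported events and the Occurrences, Indicators, Affected assets, First seen, Last seen and Sightings fields is explicit. The event field names, the counting rules (one Occurrence per event, one Sighting per event that references the IOC) and the filter semantics are assumptions, not the product's own logic.

```python
# Constructed sample of imported threat events (one record per sighting).
# Field names are assumptions, not the Risk Manager repository schema.
EVENTS = [
    {"threat": "Brute force login", "severity": "high", "asset": "db01",
     "ioc": "198.51.100.7", "seen": "2023-03-01T09:15:00", "risk_area": "Credential abuse"},
    {"threat": "Brute force login", "severity": "high", "asset": "db01",
     "ioc": "198.51.100.7", "seen": "2023-03-02T11:40:00", "risk_area": "Credential abuse"},
    {"threat": "Brute force login", "severity": "high", "asset": "app02",
     "ioc": "203.0.113.9", "seen": "2023-03-04T22:05:00", "risk_area": "Credential abuse"},
    {"threat": "Phishing URL clicked", "severity": "medium", "asset": "ws17",
     "ioc": "http://example.invalid/login", "seen": "2023-03-03T08:00:00", "risk_area": "Phishing"},
]


def threat_table(events):
    """Aggregate events into one row per threat with the Threats tab columns.
    ISO 8601 timestamps compare correctly as strings, so min/max give first/last seen."""
    rows = {}
    for e in events:
        row = rows.setdefault(e["threat"], {
            "threat": e["threat"], "severity": e["severity"], "occurrences": 0,
            "indicators": set(), "affected_assets": set(),
            "first_seen": e["seen"], "last_seen": e["seen"], "risk_area": e["risk_area"]})
        row["occurrences"] += 1                 # every event is one occurrence
        row["indicators"].add(e["ioc"])         # distinct IOCs tied to the threat
        row["affected_assets"].add(e["asset"])  # distinct assets where it was seen
        row["first_seen"] = min(row["first_seen"], e["seen"])
        row["last_seen"] = max(row["last_seen"], e["seen"])
    return [dict(r, indicators=len(r["indicators"]), affected_assets=len(r["affected_assets"]))
            for r in rows.values()]


def indicator_table(events):
    """Aggregate events into one row per IOC with the Indicators tab columns
    (assumption: Sightings = number of events that reference the IOC)."""
    rows = {}
    for e in events:
        row = rows.setdefault(e["ioc"], {"indicator": e["ioc"], "sightings": 0,
                                         "last_seen": e["seen"], "risk_area": e["risk_area"]})
        row["sightings"] += 1
        row["last_seen"] = max(row["last_seen"], e["seen"])
    return list(rows.values())


def apply_filters(rows, **criteria):
    """Keep only rows whose columns equal every given filter value, e.g. severity='high'."""
    return [r for r in rows if all(r.get(k) == v for k, v in criteria.items())]
```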