Investigating threats in QRadar
IBM QRadar uses rules to monitor the events and flows in your network to detect security threats. When the events and flows meet the test criteria that is defined in the rules, an offense is created to show that a security attack or policy breach is suspected. Knowing that an offense occurred is only the first step. You also must identify how it happened, where it happened, and who did it.
About this task
The Offense Summary window provides context to help you understand what happened and determine how to isolate and resolve the problem.
Not all events trigger rules that create an offense. To see all the events, you can run the saved search for the threat simulation that you are investigating. All saved searches for the IBM QRadar Experience Center app are part of the Experience Center group in the Saved Searches.
To view the offense summary window, click the Offenses tab and then
double-click the offense that you want to review.
Tip: You can also view the Offense Summary window by clicking the offense icon at the beginning of the event row on the Log Activity tab.
On the Offense Summary window, you can quickly analyze the offense by
reviewing the following types of information:
The log source for events that are created by QRadar, such as a rule response action, is the Custom Rule Engine.
- Details about the offense, such as the magnitude, description, and source and destination IP addresses.
- Information about when the threat started, such as when the first related event was detected and its duration.
- The Top 5 Categories that contribute to the offense.
- The Top 5 Log Sources that contribute to the offense.
- To view the events that are associated with the offense, click
- To view events that occurred within a specific timeframe, specify the Start Time, End Time, and the View options.
- To sort the event list, click the Event Name column header.
- To reduce the number of events to review, right-click the event name in the list of events to apply quick filter options.
To view details about a specific event, go to the Event List window and
double-click the event name.
Review the Event Information and the Source and Destination
Only information that is known about the event is shown. Depending on the type of event, some fields might be empty.
In the Payload Information box, review the raw event for information
that QRadar did not normalize.
Information that is not normalized does not appear in the QRadar interface, but it might be valuable to your investigation.
Review the following time fields for the event:
- The Start Time is the time that QRadar received the raw event from the log source.
- The Storage Time is the time that QRadar stored the normalized event.
- The Log Source Time is the time that is recorded in the raw event from the log source.
- Review the Event Information and the Source and Destination Information window.
To view the list of rules that contribute to the offense, go to the Offense
Summary window and click .
- In the rule list, double-click the name of the rule that you want to analyze.
Step through the rule wizard to view information about the rule tests, rule action, and rule
Often, the rule response is configured to dispatch a new event and associate the new event with an offense.
- Check the Rule Action to see whether the offense is
QRadar uses the offense indexing capability to determine which offenses to chain together.For example, an offense that has only one source IP address and multiple destination IP addresses indicates that the threat has a single attacker and multiple victims. If you index this type of offense by the source IP address, all events and flows that originate from the same IP address are added to the same offense.
What to do next
For more information about investigating offenses, events, and flows, see Offense investigations in the IBM Knowledge Center.