Visualization of IBM Cloud offense data

The IBM Cloud Offense Overview dashboard helps security analysts to visualize potential offenses in IBM® Cloud, and can be organized in various ways to suit your needs.

The IBM Cloud Offense Overview dashboard displays all open offense data in the following charts:
  • All users by magnitude
  • All users by related rule
  • Total offenses by MITRE tactic and rule (This chart is only available if IBM QRadar® Use Case Manager is installed.)
  • Most severe offenses
  • All users by number of offenses
  • Magnitude level indicator

The offense data can be displayed in pie or bar chart format. To toggle the view, click the View Chart icon. Hover over a section to see more details, such as what the color represents and the percentage of rules that are related to that representation. To display a legend of the rules and their colors, click Show legend. You can also toggle between viewing the information in graph or table format by clicking the View table icon in the All regions by magnitude and All regions by related rule charts.

If you want to view specific information on one of the charts, you can drill down into a chart section to see a list of offenses that are related to the location or user that you clicked. For example, you might want to see more information about an offense list that is related to a user and the rule that is depicted by the bar chart. To see this information, drill down to different levels of detail about an offense within that user, and then click an offense to view details in QRadar.

Along with the charts, you can learn more about IBM Cloud offenses through the severe offenses table and the magnitude level indicator. The most severe offenses are listed in a separate table where you can click an offense to get more details. The magnitude level indicator shows the percentage of offenses for each magnitude. Hovering over the magnitude level indicator shows the average offense magnitude.

To ensure that the data is up to date, click Refresh in the overview title bar. You can also see when you last refreshed the page.

Filters

The Offense dashboard has filters so you can choose the offenses that you want to view. These filters apply to the whole dashboard, not just one chart, and are different depending on which cloud service you are viewing. Access the Filters sidebar by clicking the filter icon in the upper left of the page.

Fine-tune the IBM Cloud Offense Overview dashboard with the following filters:
  • Offense status: Select the status type that you want to view in the overview charts: all open, only active, or closed.
  • Offense Start Date: Configure a date range to display in the charts for when offenses were first detected in QRadar Cloud Visibility.
  • Magnitudes: Select the magnitude of offenses you want to view in the overview charts. The graphs are also affected by the magnitudes you select.
  • Log Source Types and Log Sources: Select the log source types and specific log sources for the offenses you want to view. Alternatively, you can also select all the log sources for the selected log source type.
    Note: As of QRadar Cloud Visibility V1.3.0, administrators can customize which log source types and log sources contribute to the dashboard.
  • Users: Select the user who is associated with the offenses you want to view.
  • Rule Groups and Rules: Select the groups or individual rules for the offenses you want to view.
    Note: The Other category contains contributing rules, such as custom rules and rules from different content packs. Consider tuning your rules if unintended rules appear in the dashboard.

IBM Cloud Offense Overview

Figure 1. All users by magnitude and by related rule, and the total offenses by MITRE tactic and rule on IBM Cloud
Figure 2. Most severe offenses, users by number of offenses, and magnitude level indicator on IBM Cloud