Investigating threats in QRadar

IBM® QRadar® uses rules to monitor the events and flows in your network to detect security threats. When the events and flows meet the test criteria that are defined in the rules, an offense is created to show that a security attack or policy breach is suspected. Knowing that an offense occurred is only the first step. You also must identify how it happened, where it happened, and who did it.

About this task

The Offense Summary window provides context to help you understand what happened and determine how to isolate and resolve the problem.

Figure 1. Offense Summary view
Image of the Offense Summary window.

Not all events trigger rules that create an offense. To see all the events, you can run the saved search for the threat simulation that you are investigating. All saved searches for the IBM QRadar Experience Center app are part of the Experience Center group in the Saved Searches.

Procedure

  1. To view the Offense Summary window, click the Offenses tab and then double-click the offense that you want to review.
    Tip: You can also view the Offense Summary window by clicking the offense icon at the beginning of the event row on the Log Activity tab.
  2. On the Offense Summary window, you can quickly analyze the offense by reviewing the following types of information:
    • Details about the offense, such as the magnitude, description, and source and destination IP addresses.
    • Information about when the threat started, such as when the first related event was detected and its duration.
    • The Top 5 Categories that contribute to the offense.
    • The Top 5 Log Sources that contribute to the offense.
    The log source for events that are created by QRadar, such as a rule response action, is the Custom Rule Engine.
  3. To view the events that are associated with the offense, click Events.
    1. To view events that occurred within a specific timeframe, specify the Start Time, End Time, and the View options.
    2. To sort the event list, click the Event Name column header.
    3. To reduce the number of events to review, right-click the event name in the list of events to apply quick filter options.
  4. To view details about a specific event, go to the Event List window and double-click the event name.
    1. Review the Event Information and the Source and Destination Information window.

      Only information that is known about the event is shown. Depending on the type of event, some fields might be empty.

    2. In the Payload Information box, review the raw event for information that QRadar did not normalize.

      Information that is not normalized does not appear in the QRadar interface, but it might be valuable to your investigation.

    3. Review the following time fields for the event:
      • The Start Time is the time that QRadar received the raw event from the log source.
      • The Storage Time is the time that QRadar stored the normalized event.
      • The Log Source Time is the time that is recorded in the raw event from the log source.
  5. To view the list of rules that contribute to the offense, go to the Offense Summary window and click Display > Rules.
    1. In the rule list, double-click the name of the rule that you want to analyze.
    2. Step through the rule wizard to view information about the rule tests, rule action, and rule response.

      Often, the rule response is configured to dispatch a new event and associate the new event with an offense.

    3. Check the Rule Action to see whether the offense is indexed.

      QRadar uses the offense indexing capability to determine which offenses to chain together.

      For example, an offense that has only one source IP address and multiple destination IP addresses indicates that the threat has a single attacker and multiple victims. If you index this type of offense by the source IP address, all events and flows that originate from the same IP address are added to the same offense.
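
The offense indexing behavior described in step 5, as an added example that is not part of the original IBM page and is not QRadar code: a simplified Python model that chains constructed events into offenses by an index field and summarizes each offense in the way the Offense Summary window does (first event, duration, top categories, top log sources). The field names, sample events, and grouping logic are assumptions for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample events (not real QRadar output). Each one is assumed to
# have matched a rule whose response contributes to an offense.
EVENTS = [
    # (event time, source IP, destination IP, category, log source)
    ("2024-05-01T10:00:00", "10.0.0.5", "192.168.1.10", "Port Scan", "Firewall-A"),
    ("2024-05-01T10:00:40", "10.0.0.5", "192.168.1.11", "Port Scan", "Firewall-A"),
    ("2024-05-01T10:02:10", "10.0.0.5", "192.168.1.12", "Login Failure", "Linux-Auth"),
    ("2024-05-01T10:05:00", "10.0.0.5", "192.168.1.10", "Login Failure", "Linux-Auth"),
    ("2024-05-01T10:06:30", "10.0.0.9", "192.168.1.10", "Port Scan", "Firewall-B"),
]
FIELDS = ("time", "src", "dst", "category", "log_source")  # hypothetical names


def build_offenses(events, index_field):
    """Chain events into offenses keyed by the value of index_field."""
    grouped = defaultdict(list)
    for raw in events:
        event = dict(zip(FIELDS, raw))
        event["time"] = datetime.fromisoformat(event["time"])
        grouped[event[index_field]].append(event)

    offenses = {}
    for key, evs in grouped.items():
        times = [e["time"] for e in evs]
        offenses[key] = {
            "event_count": len(evs),
            "first_event": min(times),
            "duration_s": int((max(times) - min(times)).total_seconds()),
            "sources": sorted({e["src"] for e in evs}),
            "destinations": sorted({e["dst"] for e in evs}),
            "top_categories": Counter(e["category"] for e in evs).most_common(5),
            "top_log_sources": Counter(e["log_source"] for e in evs).most_common(5),
        }
    return offenses


if __name__ == "__main__":
    # Same events, two index choices: compare how they are chained together.
    for field in ("src", "dst"):
        print(f"--- indexed by {field} ---")
        for key, o in build_offenses(EVENTS, field).items():
            print(key, o["event_count"], "events,", o["duration_s"], "s,",
                  "sources:", o["sources"], "destinations:", o["destinations"])
```

Indexed by source IP, the single-attacker activity stays in one offense that lists every victim; indexed by destination IP, the same events are split across one offense per victim.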

What to do next

For more information about investigating offenses, events, and flows, see Offense investigations in the IBM Knowledge Center.