Visualization of Amazon AWS cloud offense data
The AWS Offense Overview dashboard helps security analysts visualize potential offenses in AWS and can be organized in various ways to suit your needs. The dashboard includes the following charts and indicators:
- All regions by magnitude
- All regions by related rule
- Top 10 account IDs by magnitude
- Top 10 account IDs by related rule
- Top 10 resource types by magnitude
- Top 10 resource types by related rule
- Total offenses by MITRE tactic and rule (This chart is only available if IBM® QRadar® Use Case Manager is installed.)
- Most severe offenses
- Location of offenses by magnitude
- Magnitude level indicator
Region information might be missing from an offense for either of the following reasons:
- The log source that processes Amazon AWS logs did not identify the region, so the region was not included in the event data.
- The app could not retrieve events from the Ariel database because the database was overloaded, so the event data for some offenses does not include region information.
The offense data can be displayed in pie or bar chart format. To toggle the view, click the View Chart icon. Hover over a chart section to see more details, such as what the color represents and the percentage of rules that relate to that section. To display a legend of the rules and their colors, click Show legend. In the All regions by magnitude and All regions by related rule charts, you can also toggle between graph and table format by clicking the View table icon.
To view specific information on one of the charts, drill down into a chart section to see the list of offenses that relate to the location or user that you clicked. For example, you might want to see more information about the offenses that relate to a user and the rule that is depicted by the bar chart. To see this information, drill down through the levels of detail for that user, and then click an offense to view its details in QRadar.
Along with the charts, you can learn more about your offenses through the severe offenses table, the map, and the magnitude level indicator. The most severe offenses are listed in a separate table, where you can click an offense to get more details. The map shows offenses by magnitude, including the regions or user locations and the severity of the offenses in those locations. The magnitude level indicator shows the percentage of offenses at each magnitude level; hovering over it shows the average offense magnitude.
To ensure that the data is up-to-date, click Refresh in the overview title bar. You can also see when you last refreshed the page. If you want to save a snapshot of offense creation for a specific time, you can save chart and map data. The map and charts can be downloaded in PNG format through QRadar Cloud Visibility, so you can save these images and share them with managers and colleagues.
Trends
By clicking the Trends tab, you can see a trend of new offenses that were created over a specific time period. The tab refreshes automatically if you reopen it after more than 5 minutes. By default, the offense creation timeline shows the last 24 hours; you can also view the timeline for the last 7 days or the last 30 days. Only the timeline of new offenses is displayed.
If you want to save a snapshot of offense creation for a specific time, you can save chart data. The charts can be downloaded in PNG format through QRadar Cloud Visibility, so you can save these images and share them with managers and colleagues.
To return to the dashboard view, click the Current Status tab. On the Trends page, select the date and time range that you want to view in the Filters sidebar.
Filters
The Offense dashboard has filters so you can choose the offenses that you want to view. These filters apply to the whole dashboard, not just one chart, and differ depending on which cloud service you are viewing. Open the Filters sidebar by clicking the filter icon in the upper left of the page.
- Offense Status: Select the status type that you want to view in the overview charts: all open, only active, or closed.
- Offense Start Date: Configure a date range for when offenses were first detected in QRadar Cloud Visibility; only offenses in that range are displayed in the charts.
- Magnitudes: Select the magnitude of the offenses that you want to view in the overview charts. The graphs are also affected by the magnitudes you select.
- Log Source Types and Log Sources: Select the log source types and the specific log sources for the offenses that you want to view. Alternatively, you can select all the log sources for the selected log source type. In QRadar Cloud Visibility V1.3.0 and later, administrators can customize which log source types and log sources contribute to the dashboard.
- Regions: The geographic areas where Amazon cloud computing resources are hosted worldwide.
- Account IDs: Select the Amazon AWS account IDs for the offenses that you want to view.
- Resource Types: Select the Amazon AWS service resources for the offenses that you want to view.
- Rule Groups and Rules: Select the rule groups or individual rules for the offenses that you want to view. The Other category contains contributing rules, such as custom rules and rules from different content packs. Consider tuning your rules if unintended rules appear in the dashboard.