Investigating relationships to track identity trails

Digital Impression reconstructs network relationships to help you identify an attacking entity and other entities that it communicates with.

The Digital Impression tool shows the frequency distribution of correlated events. It shows the relationships between entities and counts how often each relationship occurs; the higher the count, the stronger the relationship. For example, if you view the relationships between an email address and other entities, you can see who is communicating with whom. You can view the IP addresses that are associated with the email address, the IP addresses that the suspect visited, and the other names that are associated with the email address.

In distributed deployments, you can choose to see relationships for one node in your organization.

Procedure

  1. Select a result from the list of documents in the recovery grid and click the Digital Impression tab.
  2. From the list, select an item that you want to explore.

    By default, the digital impression report is displayed in tabular format, organized by identifier type. All identifiers that interacted with the centering identifier are displayed. The interacting identifiers are grouped by identifier type and sorted by frequency of interaction.

  3. If you see an identifier of interest, select it.

    Identifiers are hyperlinks, and you can use any of them as the centering identifier of another report. A new tab is created and the new centering identifier is displayed. You can see who a given suspected attacker interacts with, and then who the suspect's contacts interact with. In this way you can expand the radius of an investigation to more suspected attackers and the entities with whom they interact.

  4. To look at another host, select the IP address from the Select Remote Host list.

    In distributed installations, you can choose the QRadar Incident Forensics host and then view the digital impression. The default view is the primary host, but you can select any secondary host that is associated with the QRadar Incident Forensics host.

  5. To see a visualization of the associations and relationships of the interactions of the centering identifier to other identifiers, click the Visualize Data tab.
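The report structure described above (interacting identifiers grouped by type and sorted by frequency, with any identifier usable as a new centering identifier) can be reproduced in a few lines. The following is an added illustration, not QRadar Incident Forensics code; the event records, identifier types and values are constructed for the example.

```python
from collections import Counter, defaultdict

# Constructed sample of correlated events. Each event is the set of typed
# identifiers (type, value) that were recovered together from one document
# or flow. Addresses use RFC 5737 documentation ranges; all values are made up.
EVENTS = [
    {("email", "alice@example.test"), ("ip", "203.0.113.5"), ("host", "mail.example.test")},
    {("email", "alice@example.test"), ("ip", "203.0.113.5"), ("user", "a.smith")},
    {("email", "alice@example.test"), ("ip", "198.51.100.9"), ("user", "a.smith")},
    {("email", "bob@example.test"), ("ip", "198.51.100.9"), ("host", "files.example.test")},
    {("email", "alice@example.test"), ("email", "bob@example.test"), ("ip", "203.0.113.5")},
]


def digital_impression(events, center):
    """Build the tabular report for one centering identifier.

    Returns {identifier_type: [(value, count), ...]} containing every identifier
    that co-occurred with `center`, grouped by type and sorted by descending
    frequency of interaction (ties broken alphabetically). A higher count means
    a stronger relationship.
    """
    counts = Counter()
    for event in events:
        if center in event:
            for ident in event:
                if ident != center:
                    counts[ident] += 1
    by_type = defaultdict(list)
    for (itype, value), n in counts.items():
        by_type[itype].append((value, n))
    for rows in by_type.values():
        rows.sort(key=lambda row: (-row[1], row[0]))
    return dict(by_type)


def expand_radius(events, center, hops):
    """Follow the hyperlink step repeatedly: re-center on every identifier in the
    current report, `hops` times, and return all identifiers reached (center excluded)."""
    frontier, seen = {center}, {center}
    for _ in range(hops):
        reached = set()
        for ident in frontier:
            for itype, rows in digital_impression(events, ident).items():
                reached.update((itype, value) for value, _ in rows)
        frontier = reached - seen  # only pivot on identifiers not already visited
        seen |= reached
    return seen - {center}
```

With the sample events, re-centering once reaches five identifiers, and a second hop through bob@example.test adds files.example.test, which never appears with the original centering identifier directly.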