Sabotage

In this scenario, an organization is alerted that one or more stakeholders are attempting to disrupt operations. The stakeholder might also be a proxy that someone else is using.

Objective

In these investigations, the organization has the following objectives:

  • Identify the saboteur.
  • Understand the techniques that were employed by the saboteur.
  • Assess the impact and scope of the disruption.
  • Pinpoint the vulnerabilities that were exploited by the saboteur.

Investigation

Use the tools on the Forensics tab to help you investigate.

The Forensics tab provides these tools for the investigation: document search, document reconstruction, Digital Impression, Visualizations, and Surveyor.

  1. Use free-form search to search for symptoms of the sabotage.
  2. Examine suspect content that is flagged by the product.
  3. Use visual navigation, Digital Impression, and content filtering to explore the symptoms and detect identifiers of the saboteur.
  4. Use Surveyor to trace the activities of the saboteur.
  5. Use data reconstruction to discover saboteur roles and motivations.
  6. Use data reconstruction to review the content that the saboteur used.
  7. Use free-form search, Surveyor, and suspect content to reveal the compromised systems and procedures that enabled the sabotage.
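The seven steps above are carried out in the QRadar Incident Forensics user interface. The following Python sketch is an added example, not QRadar code or its API, that walks the same sequence over a constructed set of reconstructed events: a free-form search for symptom terms (step 1), attribution of the symptom events to an account (step 3), a Surveyor-style timeline for that account (step 4), a scope summary of the hosts it disrupted (the impact objective), and a check for logins from outside the usual internal address range, which is one hint that a stakeholder account is being used as a proxy. All event records, addresses and symptom terms are constructed for the illustration.

```python
"""Walkthrough of the sabotage investigation steps on constructed sample data."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: str       # ISO-8601 timestamp (constructed)
    user: str
    src_ip: str
    action: str
    target: str   # "host" or "host:object"


# Constructed events standing in for reconstructed network sessions.
EVENTS = [
    Event("2024-03-01T08:02:00", "alice", "10.0.1.20", "login", "fileserver01"),
    Event("2024-03-01T08:10:00", "alice", "10.0.1.20", "read", "fileserver01:/projects/plan.docx"),
    Event("2024-03-01T09:15:00", "bob", "10.0.2.31", "login", "build01"),
    Event("2024-03-01T09:20:00", "bob", "10.0.2.31", "delete", "build01:/ci/pipelines/release.yml"),
    Event("2024-03-01T09:22:00", "bob", "10.0.2.31", "modify", "build01:/ci/scripts/deploy.sh"),
    Event("2024-03-01T21:40:00", "bob", "198.51.100.7", "login", "db01"),
    Event("2024-03-01T21:41:00", "bob", "198.51.100.7", "drop_table", "db01:orders"),
    Event("2024-03-01T21:45:00", "bob", "198.51.100.7", "shutdown", "db01"),
    Event("2024-03-02T08:05:00", "carol", "10.0.3.40", "read", "fileserver01:/hr/policy.pdf"),
]

# Terms a free-form search might use to find symptoms of disruption (constructed list).
SYMPTOM_TERMS = ("delete", "drop_table", "shutdown", "modify")


def free_form_search(events, terms):
    """Step 1: return events whose action or target mentions any search term."""
    terms = tuple(t.lower() for t in terms)
    return [e for e in events
            if any(t in e.action.lower() or t in e.target.lower() for t in terms)]


def identify_saboteur(events, terms):
    """Step 3: the account behind most symptom events is the primary suspect."""
    hits = free_form_search(events, terms)
    if not hits:
        return None
    return Counter(e.user for e in hits).most_common(1)[0][0]


def trace_activities(events, user):
    """Step 4: Surveyor-style timeline of one account, in time order."""
    return sorted((e for e in events if e.user == user), key=lambda e: e.ts)


def assess_impact(events, user, terms):
    """Impact objective: hosts and actions the suspect's disruptive events touched."""
    symptom_events = set(free_form_search(events, terms))
    hits = [e for e in trace_activities(events, user) if e in symptom_events]
    hosts = sorted({e.target.split(":")[0] for e in hits})
    return {"disruptive_events": len(hits), "hosts": hosts,
            "actions": sorted(Counter(e.action for e in hits).items())}


def proxy_indicators(events, user, internal_prefix="10."):
    """Source addresses for the account outside the usual internal range.

    An account driven from an unexpected address is a hint (not proof) that the
    stakeholder's account is being used as a proxy by someone else.
    """
    return sorted({e.src_ip for e in events
                   if e.user == user and not e.src_ip.startswith(internal_prefix)})


if __name__ == "__main__":
    suspect = identify_saboteur(EVENTS, SYMPTOM_TERMS)
    print("suspect:", suspect)
    for e in trace_activities(EVENTS, suspect):
        print(f"  {e.ts} {e.src_ip:>14} {e.action:<10} {e.target}")
    print("impact:", assess_impact(EVENTS, suspect, SYMPTOM_TERMS))
    print("external sources:", proxy_indicators(EVENTS, suspect))
```

On the constructed data the search attributes all four disruptive events to the `bob` account across two hosts, and the late-evening session from an external address is the detail an investigator would follow up with document reconstruction (steps 5 and 6) before concluding whether the stakeholder acted alone or was used as a proxy.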