Investigating possible communication with protected assets

You can create a Policy Monitor question, based on IP addresses, that detects possible communication with protected assets. From a risk perspective, it is important to know which users within your organization can communicate with critical network assets.

About this task

You might look at all the connections to the critical server over time, but you might be more concerned with confirming that regional employees are not accessing these critical servers. To accomplish this goal, create a Policy Monitor question that looks at the topology of the network by IP address.

Procedure

  1. Click the Risks tab.
  2. From the navigation menu, click Policy Monitor.
  3. From the Actions menu, select New.
  4. In the What do you want to name this question field, type a name for the question.
  5. In the What type of data do you want to return list, select Assets.
  6. From the Evaluate On list, select Possible Communication.
  7. From the Importance Factor list, specify a level of importance to associate with your question.
  8. In the Time Range section, specify a time range for the question.
  9. In the Which tests do you want to include in your question section, double-click to select the test have accepted communication to destination asset building blocks.
  10. In the Find Assets that section, click asset building blocks to further configure this test and specify Protected Assets.
    Note: To define your network remote assets, your remote assets building block must be defined.
  11. In the Which tests do you want to include in your question section, double-click to select the restrictive test and include only the following IP addresses.
  12. In the Find Assets that section, click IP Addresses.
  13. Specify the IP address range or CIDR address of your remote network, and click Save Question.
  14. Select the Policy Monitor question that you created for protected assets, and click Submit Question.
  15. Review the results to see whether any protected asset accepts communication from an unknown IP address or CIDR range.
  16. Optional: Monitor your protected assets by putting the question into monitoring mode. If an unrecognized IP address connects to a protected asset, then QRadar Risk Manager can generate an alert.
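The following is an added example, not QRadar Risk Manager code, that models what the question built above evaluates: it takes a set of accepted-communication records, the protected assets building block, and the remote network range from the restrictive test, and returns the remote-network sources that have accepted communication to a protected asset. The flow records, CIDR ranges and the `evaluate_question` and `monitor_flow` functions are all constructed for illustration; how QRadar internally combines building blocks is an assumption here.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed building blocks (assumptions, not values from the page):
# "Protected Assets" building block as a list of networks.
PROTECTED_ASSETS = [ipaddress.ip_network("10.0.5.0/24")]
# Remote network range entered in the "include only the following IP addresses" test.
REMOTE_NETWORK = [ipaddress.ip_network("192.168.100.0/24")]

# Constructed "accepted communication" records: (source IP, destination IP, destination port).
ACCEPTED_FLOWS: List[Tuple[str, str, int]] = [
    ("192.168.100.15", "10.0.5.10", 22),    # remote source -> protected asset
    ("10.0.1.40", "10.0.5.10", 443),        # internal source, outside the remote range
    ("192.168.100.77", "10.0.7.3", 80),     # remote source -> non-protected asset
    ("192.168.100.15", "10.0.5.22", 3389),  # remote source -> protected asset
]


def in_any(addr: str, networks: Iterable[ipaddress.IPv4Network]) -> bool:
    """True if addr falls inside any of the given networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def evaluate_question(
    flows: Iterable[Tuple[str, str, int]],
    protected: Iterable[ipaddress.IPv4Network],
    remote: Iterable[ipaddress.IPv4Network],
) -> List[Tuple[str, str]]:
    """Model of the Policy Monitor question: keep only sources in the remote
    range (restrictive test) whose accepted communication reaches a protected
    destination (accepted-communication test). Returns sorted (source, destination)
    pairs so the result is deterministic."""
    protected = list(protected)
    remote = list(remote)
    hits = set()
    for src, dst, _port in flows:
        if in_any(src, remote) and in_any(dst, protected):
            hits.add((src, dst))
    return sorted(hits)


def monitor_flow(
    src: str,
    dst: str,
    protected: Iterable[ipaddress.IPv4Network],
    remote: Iterable[ipaddress.IPv4Network],
) -> Optional[Dict[str, str]]:
    """Model of monitoring mode: given one newly observed accepted connection,
    return an alert record if a remote-range source reached a protected asset,
    otherwise None."""
    if in_any(src, remote) and in_any(dst, protected):
        return {"alert": "remote source accepted by protected asset", "src": src, "dst": dst}
    return None


if __name__ == "__main__":
    for src, dst in evaluate_question(ACCEPTED_FLOWS, PROTECTED_ASSETS, REMOTE_NETWORK):
        print(f"{src} has accepted communication to protected asset {dst}")
```

Run stand-alone, the block lists the two remote-range sources that reached the protected range and drops the internal source and the flow to a non-protected host, which is the set of results step 15 asks you to review.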