Investigating offenses

You can view details and then investigate the offense with QRadar® Advisor with Watson™ app from the Offenses page on the QRadar Console.

Procedure

  1. On the Offenses page in the QRadar Console, double-click the offense to open the Offense ID details page.
  2. Click Investigate Now.
    The investigation can take several minutes depending on the complexity and size of the data that is being analyzed. You can see the progress of the three stages of the investigation.
  3. After the investigation is complete, you can do the following:
    • View Watson's evaluation of the offense priority. You can agree or disagree with the priority value (high or low value offense) that Watson assigned.
      Tip: The more offenses you evaluate, the better the model will become at learning your environment.
    • Hover over the metrics to view information found about threat actors, malware families, high value assets, high value users, and related investigations that are associated with the offense.
    • Review the MITRE ATT&CK Tactics and Techniques that were associated with the offense. Hover over each tactic to see the observables associated with that tactic, the level of concern, and any techniques associated with the tactic.
    • Click View Investigation to open the Watson Investigation page and to view findings associated with the investigation such as key observables, insights, and an offense summary.
    • Click Graph Relationships to view the relationship graph.
    • Click Reinvestigate to investigate the offense again.
      Important: Each investigation counts against your daily quota.
    • Click Copy Insights to copy the insights text and statistics to another system such as a ticketing system.
    The following example shows the 2.6.0 version of the light theme UI.
    [Figure: 2.6.0 Light theme UI for investigation results]