Threat from multiple hosts
Simulating the threat
The Threat from multiple hosts simulation shows how QRadar detects a threat by correlating events that are identified as repetitive malicious behavior.
To get more QRadar content that supports additional use cases, download the IBM Security Threat Content pack from the IBM Security App Exchange.
- On the Log Activity tab, click Show Experience Center.
- Click Threat simulator.
- Locate the Threat from multiple hosts simulation and click Run.
You can see that the events coming into QRadar contain potentially malicious URL addresses and attachments.
Detecting the threat: QRadar in action
In this simulation, the Custom Rule Engine (CRE) processes the incoming events and determines that potentially threatening activity is occurring on multiple hosts in your network. To warn you about the potential threat, the CRE creates a new event that provides more context for the activity that was found. For example, if the incoming event is URL Detection - Phishing and the CRE-generated event is Same Threat Detected on Same Network Different Hosts, you can quickly see which area of your network the threat is occurring in.
The CRE creates an offense that is indexed based on the EC Threat Name custom property, which ensures that all events that contribute to the same threat are associated with the same offense.
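The following Python script is an added illustration of the correlation just described; it is not QRadar code and not the Experience Center rule itself. It replays a constructed set of detection events (not real Trend Micro Deep Discovery output), groups them by threat name and network, and, once the same threat has been seen on several distinct hosts within a time window, emits a CRE-style derived event and attaches the contributing events to a single offense indexed on the threat name. The threshold (three distinct hosts), the ten-minute window and the network list are assumptions; the page does not state the real rule's test conditions.

```python
"""Added illustration of the correlation described on this page: group
threat-detection events by threat name and network, and raise a derived
event plus an offense once the same threat shows up on several distinct
hosts inside a time window. Not QRadar code and not the EC rule itself.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample events (not real Trend Micro Deep Discovery output).
# "EC Threat Name" mirrors the custom property the offense is indexed on.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T10:00:00", "host": "10.10.1.15", "event": "URL Detection - Phishing", "EC Threat Name": "Phish-Campaign-42"},
    {"time": "2024-05-01T10:01:30", "host": "10.10.1.22", "event": "URL Detection - Phishing", "EC Threat Name": "Phish-Campaign-42"},
    {"time": "2024-05-01T10:02:00", "host": "10.10.1.15", "event": "URL Detection - Phishing", "EC Threat Name": "Phish-Campaign-42"},  # same host again
    {"time": "2024-05-01T10:03:10", "host": "10.10.1.40", "event": "URL Detection - Phishing", "EC Threat Name": "Phish-Campaign-42"},  # third distinct host
    {"time": "2024-05-01T10:04:00", "host": "192.168.5.7", "event": "URL Detection - Phishing", "EC Threat Name": "Phish-Campaign-42"},  # different network
    {"time": "2024-05-01T10:05:00", "host": "10.10.2.9", "event": "Malicious Attachment", "EC Threat Name": "Trojan-Dropper-X"},
    {"time": "2024-05-01T10:30:00", "host": "10.10.3.3", "event": "URL Detection - Phishing", "EC Threat Name": "Phish-Campaign-42"},  # window has expired
]

# Assumed rule parameters; the page does not state the real rule's tests.
THRESHOLD_HOSTS = 3
WINDOW = timedelta(minutes=10)
NETWORKS = [ip_network("10.10.0.0/16"), ip_network("192.168.0.0/16")]

OFFENSE_NAME = "Same Threat Detected on Multiple Hosts (Exp Center)"
DERIVED_EVENT = "Same Threat Detected on Same Network Different Hosts"


def network_of(host, networks=NETWORKS):
    """Map a host address to the configured network that contains it."""
    addr = ip_address(host)
    for net in networks:
        if addr in net:
            return str(net)
    return "external"


def correlate(events, threshold=THRESHOLD_HOSTS, window=WINDOW, networks=NETWORKS):
    """Replay events in time order. Returns (derived_events, offenses)."""
    recent = defaultdict(list)   # (threat, network) -> [(time, event)] inside the window
    derived = []
    offenses = {}                # indexed by EC Threat Name, as the page describes

    for ev in sorted(events, key=lambda e: e["time"]):
        now = datetime.fromisoformat(ev["time"])
        threat = ev["EC Threat Name"]
        key = (threat, network_of(ev["host"], networks))
        bucket = recent[key]

        # Distinct hosts already seen for this threat/network inside the window.
        before = {e["host"] for ts, e in bucket if now - ts <= window}
        bucket.append((now, ev))
        bucket[:] = [(ts, e) for ts, e in bucket if now - ts <= window]
        after = {e["host"] for _, e in bucket}

        if len(after) < threshold:
            continue

        # Rule condition holds: attach the contributing events to the single
        # offense for this threat name (the same offense whatever the network).
        offense = offenses.setdefault(
            threat, {"name": OFFENSE_NAME, "index": threat, "events": []})
        for _, e in bucket:
            if e not in offense["events"]:
                offense["events"].append(e)

        # Emit the CRE-style derived event only when the threshold is crossed,
        # so a flood of further hits does not produce one alert per event.
        if len(before) < threshold:
            derived.append({
                "time": ev["time"],
                "log source": "Custom Rule Engine",
                "event": DERIVED_EVENT,
                "EC Threat Name": threat,
                "network": key[1],
                "hosts": sorted(after),
            })
    return derived, offenses


if __name__ == "__main__":
    found, offs = correlate(SAMPLE_EVENTS)
    for d in found:
        print(f"{d['time']} {d['event']}: {d['EC Threat Name']} on {d['network']} hosts={d['hosts']}")
    for name, off in offs.items():
        print(f"offense '{off['name']}' indexed on {name}: {len(off['events'])} contributing events")
```

With the sample above, only the 10.10.0.0/16 hits fire the rule: the repeated host does not count as a new one, the single 192.168.5.7 hit is a different network, and the 10:30 event falls outside the window. Every contributing event still lands in one offense keyed on Phish-Campaign-42, which is the indexing behaviour the page describes.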
Investigating the threat
The following IBM QRadar content is created by the Threat from multiple hosts simulation. After you run the simulation, you can use this content to trace and investigate the threat.
Content | Name |
---|---|
Saved Search | EC: Threat from Multiple Hosts |
Incoming event | The log source for the incoming event is Trend Micro Deep Discovery. |
Rule | EC: Same Threat Detected on Multiple Hosts |
Generated events | The main event that is created is Same Threat Detected on Multiple Hosts (Exp Center). The following events are also created as part of the threat simulation scenario: The log source for events that are generated by QRadar is the Custom Rule Engine (CRE). |
Offense | Same Threat Detected on Multiple Hosts (Exp Center). The offense is indexed on the EC Threat Name custom property, so all events that trigger this rule and contribute to the same threat are part of the same offense. Depending on the events and rules that already exist in your environment before you run the use case, the offense name might be prefixed with "preceded by" or "containing", for example preceded by <offense name> or containing <offense name>. |