Threat from multiple hosts

IBM® QRadar® helps detect suspicious communication to hosts when the same threat patterns are seen across multiple endpoints. This type of activity might indicate an organized, targeted attack against your organization, and requires immediate attention to prevent escalation and damage.

Simulating the threat

The Threat from multiple hosts simulation shows how QRadar detects a threat by correlating events that are identified as repetitive malicious behavior.

Tip:

To get more QRadar content that supports additional use cases, download the IBM Security Threat Content pack from the IBM Security App Exchange.

To see how QRadar detects the threat, run the simulation.
  1. On the Log Activity tab, click Show Experience Center.
  2. Click Threat simulator.
  3. Locate the Threat from multiple hosts simulation and click Run.

You can see that the events coming into QRadar contain potentially malicious URL addresses and attachments.

Detecting the threat: QRadar in action

In this simulation, the Custom Rule Engine (CRE) processes the incoming events and determines that potentially threatening activity is occurring on multiple hosts in your network. To warn you about the potential threat, the CRE creates a new event that provides more context for the activity that was found. For example, if the incoming event is URL Detection - Phishing and the CRE-generated event is Same Threat Detected on Same Network Different Hosts, you can quickly see which area of your network the threat is occurring in.

The CRE creates an offense that is indexed based on the EC Threat Name custom property, which ensures that all events that contribute to the same threat are associated with the same offense.
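The following Python script is an added illustration of the correlation that this section describes; it is not QRadar's Custom Rule Engine or any IBM code. It replays a constructed stream of events in the shape of the incoming Trend Micro Deep Discovery events, fires a "multiple hosts" rule once the same threat name has been seen on a threshold number of distinct hosts, fires the narrower "same network, different hosts" rule when at least two of those hosts share a network, and opens one offense per threat name so that every later event for that threat attaches to the same offense. The event field names (threat_name, dst_ip), the host threshold of 3, the minimum of 2 hosts per network, and the use of a /24 as the "same network" are all assumptions chosen for the example.

```python
"""Toy model of 'same threat detected on multiple hosts' correlation.

Added example, not QRadar's CRE. Field names, thresholds and the /24
'same network' definition are assumptions made for this illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
import ipaddress

# Constructed sample events: event names match the incoming events listed on
# the page; threat names and host addresses are made up for the example.
SAMPLE_EVENTS = [
    {"event": "URL Detection - Phishing", "threat_name": "PHISH-EXAMPLE-A", "dst_ip": "10.0.1.10"},
    {"event": "URL Detection - Phishing", "threat_name": "PHISH-EXAMPLE-A", "dst_ip": "10.0.1.10"},
    {"event": "Attachment detection - Phishing", "threat_name": "PHISH-EXAMPLE-A", "dst_ip": "10.0.1.22"},
    {"event": "URL Detection - Phishing", "threat_name": "PHISH-EXAMPLE-A", "dst_ip": "10.0.7.5"},
    {"event": "URL Detection - Spam/Graymail", "threat_name": "SPAM-EXAMPLE-B", "dst_ip": "10.0.1.10"},
]

HOST_THRESHOLD = 3     # assumed: fire once a threat is seen on 3 distinct hosts
NETWORK_HOST_MIN = 2   # assumed: "same network" rule needs 2 hosts in one /24


@dataclass
class Offense:
    """One offense per threat name, mirroring indexing on EC Threat Name."""
    threat_name: str
    hosts: set = field(default_factory=set)
    events: list = field(default_factory=list)
    rules_fired: list = field(default_factory=list)


def network_of(ip: str) -> ipaddress.IPv4Network:
    """Assumed granularity for 'same network': the /24 containing the host."""
    return ipaddress.ip_network(f"{ip}/24", strict=False)


def correlate(events, threshold=HOST_THRESHOLD):
    """Replay events through the two rules.

    Returns (generated_events, offenses): the CRE-style events that were
    created, and a dict of open offenses keyed by threat name.
    """
    hosts_by_threat = defaultdict(set)
    events_by_threat = defaultdict(list)
    offenses = {}
    generated = []
    for ev in events:
        name = ev["threat_name"]
        seen = hosts_by_threat[name]
        before = len(seen)
        seen.add(ev["dst_ip"])
        events_by_threat[name].append(ev)

        if name in offenses:
            # Offense already open for this threat: attach the event to it.
            offenses[name].hosts.add(ev["dst_ip"])
            offenses[name].events.append(ev)
            continue

        # Fire only at the transition across the threshold, not on every event.
        if before < threshold <= len(seen):
            fired = ["Same Threat Detected on Multiple Hosts (Exp Center)"]
            by_net = defaultdict(set)
            for host in seen:
                by_net[network_of(host)].add(host)
            same_net = sorted(str(n) for n, hs in by_net.items() if len(hs) >= NETWORK_HOST_MIN)
            if same_net:
                fired.append("Same Threat Detected on Same Network Different Hosts")
            for rule in fired:
                generated.append({"event": rule, "threat_name": name,
                                  "hosts": sorted(seen), "networks": same_net})
            # Open the offense with every event that contributed so far.
            offenses[name] = Offense(name, hosts=set(seen),
                                     events=list(events_by_threat[name]),
                                     rules_fired=fired)
    return generated, offenses


if __name__ == "__main__":
    gen, off = correlate(SAMPLE_EVENTS)
    for g in gen:
        print(f"{g['event']} [{g['threat_name']}] hosts={g['hosts']} networks={g['networks']}")
    for o in off.values():
        print(f"offense {o.threat_name}: {len(o.events)} events, {len(o.hosts)} hosts")
```

Running the block on the constructed events opens a single offense for PHISH-EXAMPLE-A with all four of its events attached, while SPAM-EXAMPLE-B, seen on only one host, stays below the threshold and creates nothing.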

Investigating the threat

The following IBM QRadar content is created by the Threat from multiple hosts simulation. After you run the simulation, you can use this content to trace and investigate the threat.

Table 1. QRadar content for the Threat from multiple hosts simulation

Saved Search
  EC: Threat from Multiple Hosts

Incoming events
  • URL Detection - Phishing
  • URL Detection - Spam/Graymail
  • Attachment detection - Content violation
  • Attachment detection - Phishing
  • Attachment detection - Potentially Malicious URL

  The log source for the incoming events is Trend Micro Deep Discovery.

Rule
  EC: Same Threat Detected on Multiple Hosts

Generated events
  The main event that is created is Same Threat Detected on Multiple Hosts (Exp Center).

  The following events are also created as part of the threat simulation scenario:
  • Same Threat Detected on Multiple Hosts
  • Same Threat Detected on Same Network Different Hosts

  The log source for events that are generated by QRadar is the Custom Rule Engine (CRE).

Offense
  Same Threat Detected on Multiple Hosts (Exp Center)

  The offense is indexed on the EC Threat Name custom property, so all events that trigger this rule and contribute to the same threat are part of the same offense.

  Depending on the events and rules that exist in your environment before you run the use case, the name of the offense might appear as preceded by <offense name> or containing <offense name>.