Investigating an offense by using the summary information

The Offense Summary window provides the information that you need to investigate an offense in IBM® QRadar®. The information that is most important to you during your investigation might be different, depending on the type of offense that you are investigating.

To make it easier for you to investigate an offense, the bottom of the Offense Summary page groups information about top contributors to the offense. These fields show only the most recent or most important pieces of information in that category. Many fields show more information when you hover the mouse over them. Some fields have right-click menu options.

Procedure

  1. Click the Offenses tab and double-click the offense that you want to investigate.
    The Offense Summary window opens.
  2. Review the first row of data to learn about the level of importance that QRadar assigned to the offense.
    Learn more about the magnitude rating:

    Magnitude: Indicates the relative importance of the offense. This value is calculated based on the relevance, severity, and credibility ratings.

    Status: Hover your mouse over the status icon to see the status.

      QRadar does not display a status icon when an offense is active.

    Relevance: Indicates the importance of the destination.

      QRadar determines the relevance by the weight that the administrator assigned to the networks and assets.

    Severity: Indicates the threat that an attack poses in relation to how prepared the destination is for the attack.

    Credibility: Indicates the integrity of the offense as determined by the credibility rating that is configured in the log source. Credibility increases as multiple sources report the same event. QRadar administrators configure the credibility rating of log sources.
  3. Review the information in the top portion of the Offense Summary window to learn more about the type of attack and the timeframe when it occurred.
    Learn more about the offense information:

    Description: Shows the cause of the offense.

      Chained offenses show Preceded by, indicating that the offense changed over time as new events and flows were added to the offense.

    Offense Type: The offense type is determined by the rule that created the offense. The offense type determines what type of information is displayed in the Offense Source Summary pane.

    Event/Flow count: To see the list of events and flows that contributed to the offense, click the Event or Flow links.

      If the flow count displays N/A, the offense might have a start date that precedes the date when you upgraded to IBM QRadar version 7.1 (MR1). The flows cannot be counted, but you can click the N/A link to investigate the flows.

    Source IP(s): Specifies the device that attempted to breach the security of a component on your network. The device can have an IPv4 or IPv6 address.

      Offenses of type Source IP always originate from only one source IP address. Offenses of other types can have more than one source IP address. You can see more information about the source IP address by hovering the mouse over the address, or by using right-click and left-click mouse actions.

    Destination IP(s): Specifies the network device that the source IP address attempted to access. The network device can have an IPv4 or IPv6 address.

      If the offense has only one target, the IP address is displayed. If the offense has multiple targets, this field shows the number of local or remote IP addresses that were targeted. You can see more information by hovering the mouse over the address, or by using right-click and left-click mouse actions.

    Start: Specifies the date and time when the first event or flow occurred for the offense.

    Duration: Specifies the amount of time that elapsed since the first event or flow that is associated with the offense was created.

    Network(s): Specifies the local networks of the local destination IP addresses that were targeted. QRadar considers all networks that are specified in the network hierarchy as local. The system does not associate remote networks with an offense, even if they are specified as a remote network or a remote service on the Admin tab.
  4. In the Offense Source Summary window, review the information about the source of the offense.

    The information that is shown in the Offense Source Summary window depends on the Offense Type field.

    Learn more about the source summary information:

    Chained: Specifies whether the destination IP address is chained.

      A chained IP address is associated with other offenses. For example, a destination IP address might become the source IP address for another offense. If the destination IP address is chained, click Yes to view the chained offenses.

    Destination IP(s): Specifies the network device that the source IP address attempted to access. The network device can have an IPv4 or IPv6 address.

      If the offense has only one target, the IP address is displayed. If the offense has multiple targets, this field shows the number of local or remote IP addresses that were targeted. You can see more information by hovering the mouse over the address, or by using right-click and left-click mouse actions.

    Location: Specifies the network location of the source or destination IP address. If the location is local, click the link to view the networks.

    Magnitude: Specifies the relative importance of the source or destination IP address.

      The magnitude bar provides a visual representation of the CVSS risk value of the asset that is associated with the IP address. Hover your mouse over the magnitude bar to display the calculated magnitude.

    Severity: Specifies the severity of the event or offense.

      Severity specifies the level of threat that an offense poses in relation to how prepared the destination IP address is for the attack. This value is directly mapped to the event category that correlates to the offense. For example, a Denial of Service (DoS) attack has a severity of 10, which specifies a severe occurrence.

    Source IP(s): Specifies the device that attempted to breach the security of a component on your network. The device can have an IPv4 or IPv6 address.

      Offenses of type Source IP always originate from only one source IP address. Offenses of other types can have more than one source IP address. You can see more information about the source IP address by hovering the mouse over the address, or by using right-click and left-click mouse actions.

    Username: Specifies the user name that is associated with the event or flow that created the offense.

      Hover your mouse over the user name to see the most recent information in the asset model database for the user.

      Events that do not include a user name in the payload, or system-generated events that belong to a local computer or a system account, show Unknown.

      To access more information that is associated with a selected user name, right-click the user name for the View Assets and View Events menu options.

    Vulnerabilities: Specifies the number of identified vulnerabilities that are associated with the source or destination IP address. This value also includes the number of active and passive vulnerabilities.

    When you view the summary information for historical offenses, the Last Known data fields are not populated.

  5. In the bottom portion of the Offense Summary window, review additional information about the offense top contributors, including notes and annotations that are collected about the offense.
    To see all the information that QRadar collected in a category, click the links on the right side of the category heading.

    Learn more about the information presented in the offense details:

    Last 5 Notes: Use notes to track important information that is gathered during the offense investigation. You can add a note to an offense, but you cannot edit or delete notes.

    Top 5 Source IPs: Shows the top 5 source IP addresses with the highest magnitude, which is where the suspected attack or policy breach originated.

      Offenses that have only one source IP address show only one entry in the table.

    Top 5 Destination IPs: Shows the top 5 local IP addresses with the highest magnitude, which might indicate the target of the attack. Offenses that target fewer than 5 local IP addresses show fewer entries in the table.

      The Chained column indicates whether the destination IP address is the source IP address of another offense. A Yes in this column indicates that an attacker has control over the system with this IP address and is using it to attack other systems.

      The Magnitude column shows the aggregate Common Vulnerability Scoring System (CVSS) score when it exists. When no CVSS score is available, the column shows the highest magnitude of all the offenses that the IP address is a part of.

      When you hover the mouse over the destination IP address, the Destination Magnitude shows the CVSS score. When no CVSS score is available, a zero is displayed.

    Top 5 Log Sources: Shows the log sources that contribute the most events to the offense.

      The Custom Rule Engine (CRE) creates an event and adds it to the offense when the test criteria that are specified in the custom rule match the incoming event. A log source that displays Custom Rule Engine in the Description field indicates that QRadar created the events from that log source.

      Total Events shows the sum of all the events that are received from this log source while the offense was active.

    Top 5 Users: Events must include user information in order for QRadar to populate this table.

    Top 5 Categories: Shows the low-level categories that have the most events that contributed to the offense.

      Local Destination Count shows the number of local destination IP addresses affected by offenses with events in the category. When all destination IP addresses are remote, this field shows 0.

    Last 10 Events: Shows information about the last 10 events that contributed to the offense.

    Last 10 Flows: Shows information about the last 10 flows that contributed to the offense.

      The Total Bytes column shows the sum of the bytes transferred in both directions.

    Annotations: Annotations provide insight into why QRadar considers the event or observed traffic to be threatening.

      QRadar can add annotations when it adds events or flows to an offense. The oldest annotation shows information that QRadar added when the offense was created. Users cannot add, edit, or delete annotations.

    Last 5 Search Results: Shows information about the results from the last five scheduled searches.
  6. If you installed IBM QRadar Risk Manager, click View Attack Path to see which assets in your network are communicating to allow an offense to travel through the network.
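As an added example (not IBM's code and not the QRadar REST API), the following Python models the summary fields described in the procedure above on constructed offense records and orders them for review: highest magnitude first, then destinations marked Yes in the Chained column, then severity. The record layout, field names and sample values are assumptions made for illustration; an N/A flow count and a missing CVSS score are both modelled as None, and the CVSS case reproduces the hover behaviour of showing zero.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Destination:
    ip: str
    chained: bool          # True models "Yes" in the Chained column: host is the source IP of another offense
    cvss: Optional[float]  # None when no CVSS score exists for the asset

@dataclass
class Offense:
    offense_id: int
    magnitude: int             # QRadar derives this from relevance, severity and credibility
    relevance: int
    severity: int
    credibility: int
    event_count: int
    flow_count: Optional[int]  # None models the N/A shown for offenses that predate the 7.1 (MR1) upgrade
    destinations: list[Destination] = field(default_factory=list)

def destination_magnitude(dest: Destination) -> float:
    """Mirror the Destination Magnitude hover text: the CVSS score, or zero when none is available."""
    return dest.cvss if dest.cvss is not None else 0.0

def triage_flags(off: Offense) -> list[str]:
    """Investigation hints derived from one offense's summary fields."""
    flags = []
    chained = sorted(d.ip for d in off.destinations if d.chained)
    if chained:
        flags.append("chained destinations (attacker may control these hosts): " + ", ".join(chained))
    if off.flow_count is None:
        flags.append("flow count N/A: click the N/A link to investigate the flows")
    return flags

def investigation_order(offenses: list[Offense]) -> list[int]:
    """Offense IDs in review order: highest magnitude, then most chained targets, then severity, then events."""
    def key(off: Offense):
        chained = sum(1 for d in off.destinations if d.chained)
        return (off.magnitude, chained, off.severity, off.event_count)
    return [o.offense_id for o in sorted(offenses, key=key, reverse=True)]

# Constructed sample records (hypothetical values, not from a real QRadar deployment).
SAMPLE = [
    Offense(101, 6, 5, 7, 8, 340, 12, [Destination("10.0.1.20", False, 5.0)]),
    Offense(102, 6, 4, 9, 6, 95, None, [Destination("10.0.2.7", True, None), Destination("10.0.2.9", False, 7.5)]),
    Offense(103, 9, 8, 10, 9, 12, 3, [Destination("10.0.3.44", False, 9.8)]),
]
```

Calling `investigation_order(SAMPLE)` returns the IDs in the order 103, 102, 101, and `triage_flags` on offense 102 reports both the chained host and the N/A flow count.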