Offense investigations

IBM® QRadar® uses rules to monitor the events and flows in your network to detect security threats. When the events and flows meet the test criteria that are defined in the rules, an offense is created to indicate that a security attack or policy breach is suspected. Knowing that an offense occurred is only the first step: identifying how it happened, where it happened, and who was responsible requires investigation.

The Offense Summary window helps you begin your offense investigation by providing context to help you understand what happened and determine how to isolate and resolve the problem.

Figure 1. Offense Summary view

QRadar does not use device-level user permissions to determine which offenses each user is able to view. Any user who has access to the network can view all offenses, regardless of which log source or flow source is associated with the offense; restricting a user's access to particular log sources does not by itself hide the offenses that those sources generate. To limit which offenses a user can see, restrict that user's network access through a security profile. For more information, see the security profiles documentation in the IBM QRadar Administration Guide.