The document discusses offenses in QRadar SIEMs, including common offense types, how offenses are rated by magnitude, and the various sections of an offense summary. An offense represents a suspected attack or policy breach, and common examples include multiple login failures, worm infections, and P2P traffic. The offense summary displays information about the offense such as the source and destination IPs, event count, and assigned analyst.
* Offense: An offense represents a suspected attack or policy breach.
* Some common offenses include these examples:
  1. Multiple login failures
  2. Worm infection
  3. P2P traffic
  4. Scanner reconnaissance
* Some of the most common offenses that a typical security analyst investigates include:
  1. Clear Text Application Usage
  2. Remote Desktop Access from the Internet
  3. Connection to a remote proxy or anonymization service
  4. SSH or Telnet detected on Non-Standard Port
  5. Large Outbound Transfer
  6. Communication to a known Bot Command and Control
  7. Local IRC Server detected
* The QRadar SIEM magistrate rates each offense by its magnitude, which has these characteristics:
  1. Ranges from 1 to 10, with 1 being low and 10 being high
  2. Specifies the relative importance of the offense
* Offenses are listed in these locations:
  1. In Dashboard items
  2. In the Offense Manager on the Offenses tab
* The offense summary displays information about the offense; the example used in these notes is an ICMP scanning offense.
* The sections of the Offense Summary window include:
  - Offense Parameters
  - Offense Source Summary
  - Last 5 Notes
  - Top 5 Source IPs
  - Top 5 Destination IPs
  - Top 5 Log Sources
  - Top 5 Users
  - Top 5 Categories
  - Top 10 Events
  - Top 10 Flows
  - Top 5 Annotations
* Magnitude: Relative importance of the offense, as calculated from relevance, severity, and credibility.
* Credibility: How valid is information from that source? 20% of magnitude.
* Relevance: How important is the destination? 50% of magnitude.
* Severity: How high is the potential damage to the destination? 30% of magnitude.
* Offense Type: General root cause of the offense. The offense type determines which information is displayed in the next section of the Offense Summary.
* Description: Reflects the causes of the offense. The description can change when new events or flows are associated with the offense.
* Event count: Number of events associated with this offense.
* Flow count: Number of flows associated with this offense.
* Offense types include:
  - Source IP
  - Destination IP
  - Event Name
  - Username
  - Source MAC Address
  - Destination MAC Address
  - Log Source
  - Host Name
  - Source Port
  - Destination Port
  - Source IPv6
  - Destination IPv6
  - Source ASN
  - Destination ASN
  - Rule
  - App ID
  - Source IP Identity
* Autonomous System Number (ASN): uniquely identifies one or more IP networks that have a single, clearly defined external routing policy. An ASN is required only if the autonomous system exchanges routing information with other autonomous systems on the Internet.
* Source IP(s): Origin of the ICMP scanning.
* Start: Date and time when the first event or flow associated with the offense was created.
* Destination IP(s): Targets of the ICMP scanning.
* Duration: Amount of time elapsed since the first event or flow associated with the offense was created.
* Network(s): Local network(s) of the local destination IP(s) that have been scanned.
* Assigned to: QRadar SIEM user assigned to investigate this offense.
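As an added illustration (not QRadar code and not from the original notes), the following Python builds the count, Start, Duration and Top-5 sections of an offense summary from a constructed set of ICMP-scan events, and combines relevance, severity and credibility using the 50/30/20 weights the notes give. Treating magnitude as a plain weighted average rounded into the 1-10 range is an assumption for illustration; QRadar's actual formula is not on the page.

```python
from collections import Counter
from datetime import datetime

# Weights as given in the notes. Using them as a straight weighted average
# is an assumption for illustration, not QRadar's documented formula.
WEIGHTS = {"relevance": 0.5, "severity": 0.3, "credibility": 0.2}


def magnitude(relevance, severity, credibility):
    """Combine three 1-10 component scores into a 1-10 magnitude."""
    for value in (relevance, severity, credibility):
        if not 1 <= value <= 10:
            raise ValueError("component scores must be in 1..10")
    score = (WEIGHTS["relevance"] * relevance
             + WEIGHTS["severity"] * severity
             + WEIGHTS["credibility"] * credibility)
    return max(1, min(10, round(score)))


def top_n(events, field, n=5):
    """Top-N values of one event field, as (value, count) pairs."""
    return Counter(e[field] for e in events).most_common(n)


def offense_summary(events, offense_type="Source IP"):
    """Build the counts and Top-5 sections shown in an Offense Summary."""
    times = sorted(datetime.fromisoformat(e["time"]) for e in events)
    return {
        "offense_type": offense_type,
        "event_count": len(events),
        "start": times[0].isoformat(),
        "duration_s": int((times[-1] - times[0]).total_seconds()),
        "top_source_ips": top_n(events, "src"),
        "top_destination_ips": top_n(events, "dst"),
        "top_log_sources": top_n(events, "log_source"),
        "top_users": top_n(events, "user"),
        "top_categories": top_n(events, "category"),
    }


# Constructed sample events for an ICMP scanning offense (not real data):
# one source sweeps seven hosts, then a second sensor sees one host again.
SAMPLE_EVENTS = [
    {"time": "2024-01-01T10:00:00", "src": "10.0.0.5", "dst": f"10.0.1.{i}",
     "log_source": "Firewall-01", "user": "-", "category": "ICMP Scan"}
    for i in range(1, 8)
] + [
    {"time": "2024-01-01T10:05:00", "src": "10.0.0.5", "dst": "10.0.1.3",
     "log_source": "IDS-01", "user": "-", "category": "ICMP Scan"},
]
```

Calling `offense_summary(SAMPLE_EVENTS)` yields an event count of 8, a duration of 300 seconds and `10.0.1.3` as the top destination, while `magnitude(8, 6, 4)` gives 7.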