When a particular offense triggered in Qradar SIEM, A SOC Analysts has to acknowledge and investigate it. He/She will try to answer a few questions based on information collected during investigation. Provided offence details help analysts to determine the course of action. However, The challenge for the any analysts is how & where to look for?
Here are the some following questions help Analysts to collect Threats information.
To answer this question, First thing to do is to Check Rules and why certain rule is fired. Then check for event categories and description to understand what really happened?
Who detected it?
To get answer on this question, Check Log sources to detect where and who (device e.g firewall) contributed to trigger this offense.
Who did it? – Source IP info to check who triggered in this offence?
Where did it happen?
To verify this is offense is occurring and impacted systems, Need to Check the destination sources. Basically, you would get to know where the malicious traffic headed to? Checking the networks would help narrow down the impacted VPC or network.
When did it happen? Look at the time when first event occurs and offence was detected? In this case, there won’t be any end date.
How did it happen?
This is the most important question to ask. To begin finding answer, Navigate to list of events and their details. A particular event can tell us the details and payload as well. Qradar intelligently describes many details into that.
Why did it happen?
Look at List of Annotations help provide information why rules are triggering offences.
What to do next?
Once you have gathered all required information. Make sure you have notes ready to take inform decision. There are many actions you can take for example: mark offense as follow up, close it, assign it to someone else etc.