QRadar SIEM: Working with Offenses and questions to be asked.

When a particular offense fires in QRadar SIEM, the SOC analyst has to investigate it and try to answer a few questions. Based on the information collected during the investigation, we can make an informed decision. Let's look at which questions can be answered and where to look for the answers.

What happened?

To answer this question, the first thing to do is check the rules and see why a certain rule fired. Then check the event categories and description to understand what really happened.

Who detected it?

To answer this question, check the log sources to find where and who (e.g. a device such as a firewall) contributed to triggering this offense.

Who did it? – Check the source IP information to see who triggered this offense.

Where did it happen?

To verify that this offense is really occurring and which systems are impacted, check the destination sources. Basically, this tells you where the malicious traffic was headed. Checking the networks helps narrow down the impacted VPC or network.

When did it happen? Look at the time when the first event occurred and the offense was detected. While the offense is still active, there won't be an end date yet.

How did it happen?

This is the most important question to ask. To begin finding the answer, navigate to the list of events and their details. A particular event can give us the details and the payload as well. QRadar intelligently summarises many of those details for you.

Why did it happen?

Look at the list of annotations; they help explain why rules are triggering offenses.

What to do next?

Once you have gathered all the required information, make sure you have notes ready to make an informed decision. There are many actions you can take, for example: mark the offense for follow-up, close it, assign it to someone else, etc.
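The questions above form one procedure, so here is an added example (not from the original post and not QRadar's own code) that walks a single offense through them and ends with a recommended action. The offense record, its events and annotations are constructed sample data; the field names (`rules`, `log_sources`, `offense_source`, `destination_networks`, `start_time`, `annotations`, ...) are assumptions modelled loosely on the shape of a QRadar offense, and the triage rules in `recommend_action` are a deliberately simple illustration of the "what to do next" step rather than a production playbook.

```python
"""Answer the offense-investigation questions from one QRadar-style offense record."""
from datetime import datetime, timezone

# Constructed sample offense. Field names are assumptions for this example,
# loosely modelled on a QRadar offense object; timestamps are epoch milliseconds.
SAMPLE_OFFENSE = {
    "id": 1042,
    "description": "Multiple Login Failures followed by Success",
    "status": "OPEN",
    "rules": [{"id": 100205, "name": "Multiple Login Failures for Single Username"}],
    "categories": ["Authentication.User Login Failure",
                   "Authentication.User Login Success"],
    "log_sources": [{"id": 71, "name": "WindowsAuthServer @ dc01"}],   # who detected it
    "offense_source": "10.0.5.23",                                     # who did it
    "destination_networks": ["Corp.Servers.DC"],                       # where it happened
    "start_time": 1700000000000,                                       # when (first event)
    "last_updated_time": 1700001800000,
    "events": [  # how it happened: event category, source and raw payload
        {"time": 1700000000000, "category": "Authentication.User Login Failure",
         "source_ip": "10.0.5.23", "payload": "EventID=4625 user=jdoe status=0xC000006A"},
        {"time": 1700000060000, "category": "Authentication.User Login Failure",
         "source_ip": "10.0.5.23", "payload": "EventID=4625 user=jdoe status=0xC000006A"},
        {"time": 1700000120000, "category": "Authentication.User Login Failure",
         "source_ip": "10.0.5.23", "payload": "EventID=4625 user=jdoe status=0xC000006A"},
        {"time": 1700000180000, "category": "Authentication.User Login Success",
         "source_ip": "10.0.5.23", "payload": "EventID=4624 user=jdoe logon_type=3"},
    ],
    "annotations": [  # why the rule fired
        "Rule 'Multiple Login Failures for Single Username' matched: 3 failures in 5 minutes",
        "Offense index: username jdoe",
    ],
}

FAILURE = "Authentication.User Login Failure"
SUCCESS = "Authentication.User Login Success"


def _ts(ms):
    """Render an epoch-millisecond timestamp as a readable UTC string."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def failures_before_success(events):
    """Count failure events that happened before the first successful login."""
    ordered = sorted(events, key=lambda e: e["time"])
    count = 0
    for event in ordered:
        if event["category"] == SUCCESS:
            break
        if event["category"] == FAILURE:
            count += 1
    return count


def answer_questions(offense):
    """Map the offense record onto the seven investigation questions."""
    when = f"first event {_ts(offense['start_time'])}, last update {_ts(offense['last_updated_time'])}"
    if offense["status"] == "OPEN":
        when += " (still active, no end time yet)"
    return {
        "what": f"rule(s) {', '.join(r['name'] for r in offense['rules'])} fired; "
                f"categories: {', '.join(offense['categories'])}",
        "who_detected": ", ".join(ls["name"] for ls in offense["log_sources"]),
        "who_did_it": offense["offense_source"],
        "where": ", ".join(offense["destination_networks"]),
        "when": when,
        "how": "; ".join(f"{e['category']} from {e['source_ip']} [{e['payload']}]"
                         for e in sorted(offense["events"], key=lambda e: e["time"])),
        "why": "; ".join(offense["annotations"]),
    }


def recommend_action(offense):
    """Illustrative 'what to do next' decision: follow_up, close, assign, or none."""
    if offense["status"] != "OPEN":
        return "none (offense already closed)"
    categories = {e["category"] for e in offense["events"]}
    if FAILURE in categories and SUCCESS in categories:
        # Failures followed by a success is worth a closer look: mark for follow-up.
        return "follow_up"
    if categories == {FAILURE}:
        # Only failed attempts against the same account: likely noise, close with notes.
        return "close"
    # Anything we cannot classify here goes to another analyst.
    return "assign"


if __name__ == "__main__":
    for question, answer in answer_questions(SAMPLE_OFFENSE).items():
        print(f"{question:>13}: {answer}")
    print(f"next action  : {recommend_action(SAMPLE_OFFENSE)}")
```

Running the script prints one line per question followed by the recommended action; `failures_before_success` gives the kind of derived number you would put in your notes before deciding whether to follow up, close, or reassign the offense.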
