LAB3-Investigating an Offense triggered by events PDF

Title LAB3-Investigating an Offense triggered by events
Author HUSSAIN MUHAMMAD ZUN / UPM
Course Computer and Network Security
Institution Universiti Putra Malaysia
Pages 7
File Size 481.4 KB
File Type PDF


Description

CSF-4613

Security Intelligence

Lab 3

Lab 3: CSF-4613 Security Intelligence: Investigating an offense triggered by events exercises.
Student Name: Click or tap here to enter text.
Student ID: Click or tap here to enter text.

Lab Objectives: To investigate an offense triggered by events.
Lab Requirements: Azure access - QRadar VM & Windows Server 2008 VM.

Steps to be performed:

1. Log in to Azure using your HCT credentials.
2. Start your Azure host VM (Password: CIS@vlab2).
3. Click on Hyper-V Manager.
4. Start and connect to both virtual machines (QR & Win). Note: Start the VMs ahead of time, because it takes QRadar about 7 to 10 minutes to boot and be ready to work on.
5. Log in to the Windows server (Username: administrator & password: Object00).
6. Open a PuTTY session on the QRadar SIEM server. Use the procedure "Logging in to the QRadar SIEM server VM" from Lab 1.
7. Generate events using the PuTTY command line by typing the following command:

8. Log in to the QRadar SIEM console by opening the IE browser, then click on the "Login To QRadar" button.

Instructor/ Student Lab Manual

Ayman Ahmed


9. In the QRadar SIEM console, click the Offenses tab. The All Offenses page opens.
10. Select the offense with the description Local DNS Scanner containing Invalid DNS.
   a) If you do not see the Local DNS Scanner containing Invalid DNS offense, search for it. From the Search list, select New Search.
   b) On the Search Parameters pane, define the search criteria. In the Description field, type Local DNS Scanner.
   Note: The Description search criterion is case sensitive.
   c) Click Search. The All Offenses page shows the offense that meets the search criteria, Local DNS Scanner containing Invalid DNS.


11. Answer the following questions for the Local DNS Scanner containing Invalid DNS offense.
   a. What are the offense type, offense source and magnitude? Click or tap here to enter text.
   Hint: Hold the mouse over the Magnitude to obtain the numeric value.
   b. What network does the offense source IP belong to? Click or tap here to enter text.
   Hint: Hold the mouse over the Offense Source IP to obtain the network.
12. Double-click the Local DNS Scanner containing Invalid DNS offense to view the Offense Summary page. The Offense Summary page provides detailed information about the offense.


   Answer the following questions for this offense.
   a. How many events or flows are associated with this offense? Click or tap here to enter text.
   b. What time did this offense begin? Click or tap here to enter text.
   c. Is the source IP involved in any other offenses? Click or tap here to enter text.
   d. How many destination IPs are targets of the offense? Are the destination IPs local or remote devices? Click or tap here to enter text.
   e. List the event categories that contributed to this offense. From the Display list on the toolbar, select Categories to view the event categories. Click or tap here to enter text.
   Hint: On the Offense Summary toolbar, open the Display list and select Categories.


   f. What do you learn about this offense based on the annotations? From the Display list on the toolbar, select Annotations. Click or tap here to enter text.
   g. What are the event name, event category and destination port for the events listed in the Last 10 Events list? Click Summary on the toolbar and scroll down to the Last 10 Events list. Click or tap here to enter text.
   h. The destination port is well known for what type of server communications? Click or tap here to enter text.
13. Perform the following actions on this offense.
   a. Add a note:
      i. From the Actions toolbar, select Add Note.


      ii. Type: This offense was investigated in the QRadar SIEM Foundations course.
      iii. Click Add Note.
   b. Protect the offense. From the Actions toolbar on the Offense Summary page, select Protect Offense. The Protected icon is displayed in the Status field on the Offense Summary page and in the flag column for the offense on the All Offenses page.

   Why do you protect an offense? Click or tap here to enter text.
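The Python below is an added example, not part of the lab manual or IBM's own code. It carries out the Step 10 description search, answers the Step 11 and 12 questions, and performs the Step 13 note and protect actions against offense records in the schema that the QRadar REST API returns from GET /api/siem/offenses (with POST /api/siem/offenses/{id}/notes and POST /api/siem/offenses/{id}?protected=true for the actions). The two offense records are constructed sample data, not captured from the lab VM; the console hostname, the SEC token, the partial offense_type label map and the LIKE/ILIKE filter operators are assumptions about your QRadar version.

```python
# Added example (not from the lab manual): the triage that Steps 9 to 13 do by
# hand in the console, expressed over offense objects in the schema returned by
# the QRadar REST API (GET /api/siem/offenses). The records below are constructed
# sample data; IDs, addresses, times and counts are made up.
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone

SAMPLE_OFFENSES = json.loads("""[
  {"id": 42, "description": "Local DNS Scanner containing Invalid DNS\\n",
   "offense_type": 0, "offense_source": "10.0.0.5", "magnitude": 6,
   "event_count": 120, "flow_count": 0, "start_time": 1580000000000,
   "source_network": "Net-10-172-192.Net_10_0_0_0",
   "local_destination_count": 3, "remote_destination_count": 0,
   "categories": ["Invalid DNS", "DNS Scan"], "protected": false},
  {"id": 43, "description": "Excessive Firewall Denies\\n",
   "offense_type": 0, "offense_source": "10.0.0.5", "magnitude": 4,
   "event_count": 30, "flow_count": 0, "start_time": 1580003600000,
   "source_network": "Net-10-172-192.Net_10_0_0_0",
   "local_destination_count": 0, "remote_destination_count": 2,
   "categories": ["Firewall Deny"], "protected": false}
]""")

# Partial map of offense_type codes to the console labels (assumed for the codes listed).
OFFENSE_TYPE_LABELS = {0: "Source IP", 1: "Destination IP", 3: "Username"}


def find_offenses(offenses, needle, case_sensitive=True):
    """Step 10: match on the Description field. The console search is case
    sensitive; case_sensitive=False shows what a case-folded match returns."""
    hits = []
    for o in offenses:
        desc, key = o["description"].strip(), needle
        if not case_sensitive:
            desc, key = desc.lower(), key.lower()
        if key in desc:
            hits.append(o)
    return hits


def description_filter(needle, case_sensitive=True):
    """The same search as a REST filter for GET /api/siem/offenses?filter=...
    (LIKE / ILIKE operators assumed from the QRadar filter syntax)."""
    op = "LIKE" if case_sensitive else "ILIKE"
    return f"description {op} '%{needle}%'"


def summarize(offense, all_offenses):
    """Steps 11 and 12: answer the lab questions from the offense record."""
    local = offense["local_destination_count"]
    remote = offense["remote_destination_count"]
    scope = {(True, True): "mixed", (True, False): "local",
             (False, True): "remote", (False, False): "none"}[(local > 0, remote > 0)]
    # Question 12c: other offenses that share this offense source
    others = [o["id"] for o in all_offenses
              if o["offense_source"] == offense["offense_source"] and o["id"] != offense["id"]]
    return {
        "offense_type": OFFENSE_TYPE_LABELS.get(offense["offense_type"],
                                                f"type {offense['offense_type']}"),
        "offense_source": offense["offense_source"],
        "magnitude": offense["magnitude"],
        "source_network": offense["source_network"],
        "events": offense["event_count"],
        "flows": offense["flow_count"],
        # start_time is epoch milliseconds in the API
        "started_utc": datetime.fromtimestamp(offense["start_time"] / 1000,
                                              tz=timezone.utc).isoformat(),
        "other_offenses_from_source": others,
        "destinations": local + remote,
        "destination_scope": scope,
        "categories": list(offense["categories"]),
    }


def api_call(console, token, path, params=None, method="GET"):
    """Authenticated call to a QRadar REST endpoint. `console` and `token` are
    placeholders for your console hostname and an authorized-service SEC token."""
    url = f"https://{console}/api/{path}"
    if params:
        url += "?" + urllib.parse.urlencode(params)
    req = urllib.request.Request(url, method=method,
                                 headers={"SEC": token, "Accept": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def triage_live(console, token, note_text):
    """Step 13 over the API: find the offense, add the note, protect it.
    Returns the IDs that were annotated and protected."""
    hits = api_call(console, token, "siem/offenses",
                    {"filter": description_filter("Local DNS Scanner")})
    done = []
    for offense in hits:
        oid = offense["id"]
        api_call(console, token, f"siem/offenses/{oid}/notes",
                 {"note_text": note_text}, "POST")
        api_call(console, token, f"siem/offenses/{oid}", {"protected": "true"}, "POST")
        done.append(oid)
    return done


if __name__ == "__main__":
    match = find_offenses(SAMPLE_OFFENSES, "Local DNS Scanner")[0]
    print(json.dumps(summarize(match, SAMPLE_OFFENSES), indent=2))
```

Run as a script it prints the summary for the constructed record; find_offenses reproduces the case-sensitive behaviour that the Note in Step 10 warns about, and description_filter shows the ILIKE alternative available through the API. triage_live only makes sense against a real console: it needs an authorized-service token with offense write permission, and in a shared lab you should protect an offense you are about to work on before adding notes, for the same reason Step 13b asks you to.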


End of the lab 

The following questions are based on this lab activity and the week 67 PowerPoint.

1. What is the maximum number of characters in a note that can be added?
   A. ☐ 200   B. ☐ 2000   C. ☐ 100   D. ☐ 1000
2. In IBM QRadar, explain what the term chain means. Click or tap here to enter text.
3. In IBM QRadar, what do annotations provide? Click or tap here to enter text.
