LAB5-Investigating an offense triggered by flows PDF

Title LAB5-Investigating an offense triggered by flows
Author HUSSAIN MUHAMMAD ZUN / UPM
Course Computer and Network Security
Institution Universiti Putra Malaysia
Pages 7


CSF-4613

Security Intelligence

Lab 5

Lab 5: CSF-4613 Security Intelligence: Investigating an offense triggered by flows.

Student Name: Click or tap here to enter text.
Student ID: Click or tap here to enter text.

1. Log in to Microsoft Azure at https://labs.azure.com/virtualmachines and power on both virtual machines (QR & Win) in Hyper-V.

Note: Start the VMs ahead of time, because QRadar takes about 7 to 10 minutes to boot and become ready to work on.

2. Log in to the Windows server (username: administrator, password: object00).

3. Open a PuTTY session to the QRadar SIEM server. Use the procedure "Logging in to the QRadar SIEM server VM" from lab 1.

4. Generate events from the PuTTY command line by typing the following command:

5. Log in to the QRadar SIEM console by opening the Firefox browser, then click the "Login to QRadar" button.

Instructor/ Student Lab Manual

Ayman Ahmed


Exercise 1: Investigating an offense triggered by flows

To investigate an offense triggered by flows, perform the following steps:

1. In the QRadar SIEM console, click the Network Activity tab.

2. Observe the network events and verify that a network event triggers an offense.

3. Click the Offenses tab and look for the offense "Client Base DNS Activity to the internet containing Misc.domain" with offense source IP address 10.36.24.208.

4. Double-click it.

5. Scroll down the offense summary until the “Last 10 Events” section.

6. Then click "events".

7. To investigate the offense, click the red icon in the left-most column.

Note: QRadar SIEM shows a red icon in the left-most column for network events that contribute to an offense.


Note: You might get the message shown below because there is a delay between the time the red icon appears next to the network event and the time the offense is created on the All Offenses page of the Offenses tab. Wait a while until the offense has been created, then try again.

8. If you get the message again, click the Offenses tab and repeat steps 4 to 7.

9. After you click the red icon in the left-most column, you should see the window below. Use it to answer the following questions:

10. What is the name of the offense?

Click or tap here to enter text.

11. What is the offense type and offense source?

Click or tap here to enter text.

12. What is the destination IP?

Click or tap here to enter text.

13. How many events are associated with this offense?

Click or tap here to enter text.

14. How many flows are associated with this offense?

Click or tap here to enter text.

15. What rule contributed to this offense?

Click or tap here to enter text.

Hint: To determine which rule triggered the offense, click the Display list and select Rules.

16. To investigate the flows that contributed to the offense, click Flows on the Offense Summary page toolbar.

17. The Flow List page opens.

18. Examine the flow associated with this offense. Double-click the flow listed (anywhere on the row). The Flow Details page opens; then answer the following questions.

19. What is the flow direction?

Click or tap here to enter text.

20. What is the application name?

Click or tap here to enter text.

21. Based on your investigation, what behavior triggered this offense?

Click or tap here to enter text.

22. To tune the network event as a false positive, click False Positive on the Flow Details page toolbar.

23. The False Positive page opens.

24. Click Tune, then Close.

Note: Tuning an event or flow as a false positive updates the "User-BB-FalsePositive: User Defined False Positives" building block.

25. Close all the open windows.
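The exercise above walks through a flow-triggered offense (rule match, offense indexed on the source IP, flow direction and application, then tuning the flow as a false positive) entirely in the QRadar console. The following is an added example, not part of the lab manual and not QRadar's own code: a small constructed model of that pipeline, so the relationships the questions ask about (offense source, destination IP, flow count, contributing rule, direction, and what a false-positive tuning actually does) can be seen in working code. The rule logic (a local client sending UDP/53 flows directly to a resolver that is not on an approved list), the rule name, the approved resolver list, the local network ranges, and all flow records are assumptions constructed for the example; only the direction labels L2L, L2R, R2L and R2R follow QRadar's naming.

```python
"""Constructed model of a flow-based offense and user false-positive tuning.

Added example for the lab; not QRadar code. Rule logic, names, addresses
and flow records are ASSUMED / constructed for illustration only.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Constructed network hierarchy: what counts as local (L) versus remote (R).
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
# Constructed list of approved internal resolvers; DNS to anything else is suspect.
APPROVED_RESOLVERS = {"10.36.1.53"}
RULE_NAME = "Example: Client DNS Activity to the Internet"  # assumed rule name


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol: str
    app: str        # application name as shown on the Flow Details page


def is_local(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def direction(flow: Flow) -> str:
    """Classify a flow as L2L, L2R, R2L or R2R from its two endpoints."""
    return f"{'L' if is_local(flow.src_ip) else 'R'}2{'L' if is_local(flow.dst_ip) else 'R'}"


@dataclass
class Offense:
    name: str
    source_ip: str          # the offense is indexed on the source IP
    rule: str
    flows: list[Flow] = field(default_factory=list)


class FlowEngine:
    """Stand-in for the rule engine plus a user-defined false-positive list."""

    def __init__(self) -> None:
        self.offenses: dict[str, Offense] = {}
        # (src_ip, dst_ip, dst_port) tuples the analyst tuned as false positives.
        self.false_positives: set[tuple[str, str, int]] = set()

    def rule_matches(self, flow: Flow) -> bool:
        # Assumed rule: local client -> remote UDP/53 server not on the approved list.
        return (direction(flow) == "L2R" and flow.dst_port == 53
                and flow.protocol == "udp" and flow.dst_ip not in APPROVED_RESOLVERS)

    def tune_false_positive(self, flow: Flow) -> None:
        """Equivalent of False Positive -> Tune on the Flow Details page."""
        self.false_positives.add((flow.src_ip, flow.dst_ip, flow.dst_port))

    def process(self, flow: Flow) -> Offense | None:
        """Return the offense this flow contributes to, or None."""
        if (flow.src_ip, flow.dst_ip, flow.dst_port) in self.false_positives:
            return None                      # tuned out: never reaches the rule
        if not self.rule_matches(flow):
            return None
        offense = self.offenses.get(flow.src_ip)
        if offense is None:                  # first match for this source IP
            offense = Offense(f"{RULE_NAME} containing {flow.app}", flow.src_ip, RULE_NAME)
            self.offenses[flow.src_ip] = offense
        offense.flows.append(flow)           # later matches join the same offense
        return offense


# Constructed sample flows (addresses are documentation/RFC 1918 ranges, made up here).
SAMPLE_FLOWS = [
    Flow("10.36.24.208", "10.36.1.53", 53, "udp", "DNS"),      # approved resolver: fine
    Flow("10.36.24.208", "203.0.113.5", 53, "udp", "DNS"),     # direct external DNS: match
    Flow("10.36.24.208", "203.0.113.5", 53, "udp", "DNS"),     # second flow, same offense
    Flow("10.36.24.50", "93.184.216.34", 443, "tcp", "HTTPS"),  # not DNS: ignored
    Flow("198.51.100.7", "10.36.24.208", 53, "udp", "DNS"),    # R2L: outside the rule
]


def run_example() -> dict[str, object]:
    engine = FlowEngine()
    for f in SAMPLE_FLOWS:
        engine.process(f)
    offense = engine.offenses["10.36.24.208"]
    flows_before = len(offense.flows)
    engine.tune_false_positive(SAMPLE_FLOWS[1])   # analyst accepts the external resolver
    replay = engine.process(SAMPLE_FLOWS[1])      # the same flow no longer contributes
    return {
        "offense_name": offense.name,
        "source_ip": offense.source_ip,
        "destination_ips": sorted({f.dst_ip for f in offense.flows}),
        "flow_count_before_tuning": flows_before,
        "rule": offense.rule,
        "direction": direction(SAMPLE_FLOWS[1]),
        "contributes_after_tuning": replay is not None,
        "offense_count": len(engine.offenses),
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

Note that the tuning is keyed on the specific source, destination and port, exactly like a user-defined false positive: it silences that one pattern without weakening the rule itself, so a different client talking to the same external resolver would still raise an offense.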


End of the lab 

The following questions are based on this lab activity and the week 11 PowerPoint slides.

1. Explain what the "C" behind the Source Bytes count shown below indicates:

Click or tap here to enter text.

2. If you used flow grouping, what display option would you use to remove the grouping?

Click or tap here to enter text.

3. Explain what the Unioned Flows option is.

Click or tap here to enter text.

4. Explain the flow type below:

Click or tap here to enter text.
