Lab 5: Investigating an offense triggered by flows (PDF)

Title Lab5 Investigating an offense triggered by flows
Course Computer and Network Security
Institution Universiti Putra Malaysia
Pages 10
File Size 784.3 KB
File Type PDF



Description

7 Investigating an offense triggered by flows exercises

Exercise 1. Investigating an offense triggered by flows

To investigate an offense triggered by flows, perform the following steps:

1. Generate network traffic. In the PuTTY command line, type the following command: ./startRdp.sh

2. In the QRadar SIEM console, click the Network Activity tab.

3. Observe the network events and verify that a network event triggers an offense.

Screenshot

Course materials may not be reproduced in whole or in part without the prior written permission of IBM.

Note: QRadar SIEM shows a red icon in the left-most column for network events that contribute to an offense.

4. To investigate the offense, click the red icon in the left-most column.

Note: There is a delay between the time the red icon is shown next to the network event and when the offense is created in the All Offenses page in the Offenses tab.

Note: Disable pop-up blocking in Firefox. On the Firefox toolbar, select Tools > Options > Content, clear Block pop-up windows, and click OK.

The Offense Summary page opens.


5. What is the name of the offense? Remote Desktop Access from the Internet containing RemoteAccess.MSTerminalServices.

6. What is the offense type and offense source?

Offense type: Source IP. Offense source: 9.9.8.42


7. What is the destination IP?

192.168.10.12

8. How many events are associated with this offense? 1 event

a. How many flows are associated with this offense? 1 flow

Paste screenshot here. Highlight the answers of Question 5 to 8.

9. What rule contributed to this offense?

Paste screenshot here.

Hint:

To determine which rule triggered the offense, click the Display list and select Rules.

Note: The Policy Remote: Remote Desktop Access from the Internet rule that triggered this offense is one of the default rules in the Enterprise tuning template. The rule evaluates Remote Desktop Access from external IP addresses to internally hosted Microsoft Windows servers.

10. To investigate the flows that contributed to the offense, click Flows on the Offense Summary page toolbar.

The Flow List page opens.

Paste screenshot here.

11. Examine the flow associated with this offense. Double-click the network event listed. The Flow Details page opens.

12. Answer the following questions:

a. What is the flow direction?

Paste screenshot here.

b. What is the application name?

Paste screenshot here.

c. Based on your investigation, what behavior triggered this offense?

Write your answer here. An inbound Remote Desktop connection (application RemoteAccess.MSTerminalServices) from the external source IP 9.9.8.42 to the internal host 192.168.10.12 matched the Remote Desktop Access from the Internet rule. The source and destination IP addresses identify the origin of the offense and its local target.

13. Tune the network event as a false positive.

a. On the Flow Details page toolbar, click False Positive. The False Positive page opens.

b. Click Tune.

c. Click Close.

Paste screenshot here.

Note: Tuning an event or flow as a false positive updates the User-BB-FalsePositive: User Defined False Positives building block.

14. Close the Flow Details page.

15. Close the offense.

a. On the Offense tab navigation menu, select All Offenses.
b. From the Actions list on the toolbar, select Close.
c. From the Reason for Closing list, select False-Positive, Tuned.
d. Click OK.

Paste screenshot here.
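The following is an added example and not part of the IBM lab or of QRadar itself. It models, in a few dozen lines of Python, the sequence the exercise walks through: a flow from an external source to an internal Windows host matches a rule like Remote Desktop Access from the Internet and produces an offense named after the rule and the application, and tuning that flow as a false positive (step 13) stops the same flow from creating an offense again. The rule tests, the contents of the User-BB-FalsePositive building block, the local network ranges and the destination port 3389 are all assumptions for illustration; real QRadar rules use the configured network hierarchy and building-block tests, not this code.

```python
"""Added example (not IBM's or QRadar's code): a simplified model of a
'Remote Desktop Access from the Internet' rule and of tuning a flow as a
false positive. All rule logic and data below are assumptions."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional, Set, Tuple

# Assumed local network ranges. The lab only shows the internal host
# 192.168.10.12; treating these two ranges as "local" is an assumption.
LOCAL_NETWORKS = [ip_network("192.168.10.0/24"), ip_network("10.0.0.0/8")]
RDP_APPLICATION = "RemoteAccess.MSTerminalServices"
RULE_NAME = "Remote Desktop Access from the Internet"


@dataclass(frozen=True)
class Flow:
    source_ip: str
    destination_ip: str
    destination_port: int
    application: str  # application name as shown on the Flow Details page


def is_local(ip: str) -> bool:
    """True if the address falls inside an assumed local range."""
    addr = ip_address(ip)
    return any(addr in net for net in LOCAL_NETWORKS)


@dataclass
class FalsePositiveBuildingBlock:
    """Stand-in for User-BB-FalsePositive: User Defined False Positives.
    Assumed to hold (source IP, destination IP, application) tuples that an
    analyst tuned via False Positive > Tune."""
    tuned: Set[Tuple[str, str, str]] = field(default_factory=set)

    def tune(self, flow: Flow) -> None:
        self.tuned.add((flow.source_ip, flow.destination_ip, flow.application))

    def matches(self, flow: Flow) -> bool:
        return (flow.source_ip, flow.destination_ip, flow.application) in self.tuned


def rdp_from_internet(flow: Flow) -> bool:
    """Assumed rule tests: external source, local destination, RDP application."""
    return (not is_local(flow.source_ip)
            and is_local(flow.destination_ip)
            and flow.application == RDP_APPLICATION)


def evaluate(flow: Flow, bb: FalsePositiveBuildingBlock) -> Optional[str]:
    """Return the offense name the flow would create, or None if the flow is
    tuned away or matches no rule. The name follows the lab's
    '<rule name> containing <application>' pattern."""
    if bb.matches(flow):
        return None
    if rdp_from_internet(flow):
        return f"{RULE_NAME} containing {flow.application}"
    return None


# Constructed sample flows: the first reuses the lab's addresses (port 3389 is assumed).
LAB_FLOW = Flow("9.9.8.42", "192.168.10.12", 3389, RDP_APPLICATION)
INTERNAL_RDP = Flow("10.1.1.5", "192.168.10.12", 3389, RDP_APPLICATION)
EXTERNAL_HTTP = Flow("9.9.8.42", "192.168.10.12", 80, "Web.Misc")


def walkthrough() -> Tuple[Optional[str], Optional[str], Optional[str], Optional[str]]:
    """Steps 3 to 13 of the lab in miniature: offense created, then tuned away."""
    bb = FalsePositiveBuildingBlock()
    before = evaluate(LAB_FLOW, bb)        # external RDP to a local host: offense
    internal = evaluate(INTERNAL_RDP, bb)  # internal source: no offense
    other = evaluate(EXTERNAL_HTTP, bb)    # external but not RDP: no offense
    bb.tune(LAB_FLOW)                      # step 13: False Positive > Tune
    after = evaluate(LAB_FLOW, bb)         # same flow no longer creates an offense
    return before, internal, other, after


if __name__ == "__main__":
    print(walkthrough())
```

The model deliberately keys the false-positive entry on source, destination and application together: tuning on the source IP alone would also silence a later, genuinely malicious RDP attempt from that address to a different host, which is the kind of over-broad tuning a practitioner should avoid.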

Questions: Answer the following questions

a. What does a flow provide? List the information included in the flow details: a flow provides information about network communication between two systems.
1- Source and destination IP addresses
2- Transport protocol

b. How can you know whether a flow contributes to an offense or not?

In the Network Activity tab, QRadar SIEM shows a red icon in the left-most column for flows that contribute to an offense; clicking the icon opens the Offense Summary page for that offense.

c. What tasks can you perform in the Network Activity tab?
1- Investigate flows sent to QRadar SIEM
2- Perform detailed searches
3- View network activity

d. What do "First Packet Time", "Last Packet Time" and "Storage Time" tell you in the flow base information? First Packet Time specifies the start time of the flow, as reported to QRadar SIEM by the clients. Last Packet Time specifies the date and time the last packet for this flow was sent.

e. How can you prevent events and flows from contributing to offenses?

Tune them as false positives: on the details page, click False Positive and then Tune. This adds the event or flow to the User-BB-FalsePositive: User Defined False Positives building block so that it no longer creates offenses.

f. How does QRadar deal with flows and events that you tagged as false positives?

You can tune false positive events and flows to prevent them from creating offenses.

g. What are superflows and list its benefits?

QRadar SIEM aggregates flows with common characteristics into superflows, which indicate common attack patterns. Navigate to the flow details to investigate a superflow further.

h. What are different type of superflows?

1- Type A: Network sweep, one source IP address > many destination IP addresses
2- Type B: Distributed denial of service (DDoS) attack, many source IP addresses > one destination IP address
3- Type C: Port scan, one source IP address > many ports on one destination IP address...
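As an added example, not part of the IBM lab and not QRadar's aggregation code, the following Python groups a batch of flow records by the three fan-out patterns the superflow types describe: one source to many destinations (Type A), many sources to one destination (Type B), and one source to many ports on one destination (Type C). The flow records, the fan-out threshold of 5 and the classification rules are assumptions for illustration; QRadar's own superflow thresholds and criteria are not documented on this page.

```python
"""Added example (not IBM's or QRadar's code): classify constructed flow
records into the Type A / B / C superflow patterns listed in the lab."""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Tuple


class FlowRecord(NamedTuple):
    source_ip: str
    destination_ip: str
    destination_port: int


THRESHOLD = 5  # assumed minimum fan-out before a group counts as a superflow


def classify_superflows(flows: Iterable[FlowRecord],
                        threshold: int = THRESHOLD) -> Dict[str, List[Tuple]]:
    """Return {"A": [(source, n_destinations)],
               "B": [(destination, n_sources)],
               "C": [((source, destination), n_ports)]}
    Type A: network sweep, one source -> many destination IPs
    Type B: DDoS, many sources -> one destination IP
    Type C: port scan, one source -> many ports on one destination IP"""
    dst_by_src = defaultdict(set)     # source -> {destination IPs}
    src_by_dst = defaultdict(set)     # destination -> {source IPs}
    ports_by_pair = defaultdict(set)  # (source, destination) -> {ports}
    for f in flows:
        dst_by_src[f.source_ip].add(f.destination_ip)
        src_by_dst[f.destination_ip].add(f.source_ip)
        ports_by_pair[(f.source_ip, f.destination_ip)].add(f.destination_port)

    result: Dict[str, List[Tuple]] = {"A": [], "B": [], "C": []}
    for src, dsts in dst_by_src.items():
        if len(dsts) >= threshold:
            result["A"].append((src, len(dsts)))
    for dst, srcs in src_by_dst.items():
        if len(srcs) >= threshold:
            result["B"].append((dst, len(srcs)))
    for pair, ports in ports_by_pair.items():
        if len(ports) >= threshold:
            result["C"].append((pair, len(ports)))
    return result


# Constructed sample flows (addresses and ports are invented for the example).
SAMPLE_FLOWS = (
    # Type A: one host sweeping eight internal hosts on port 445
    [FlowRecord("10.0.0.1", f"192.168.10.{i}", 445) for i in range(1, 9)]
    # Type B: six external sources hitting one internal web server
    + [FlowRecord(f"203.0.113.{i}", "192.168.10.12", 80) for i in range(1, 7)]
    # Type C: one host probing ten ports on one target
    + [FlowRecord("10.0.0.2", "192.168.10.20", port) for port in range(1, 11)]
    # Background noise: a single ordinary flow that matches no pattern
    + [FlowRecord("10.0.0.3", "192.168.10.30", 443)]
)


if __name__ == "__main__":
    for kind, groups in classify_superflows(SAMPLE_FLOWS).items():
        print(f"Type {kind}: {groups}")
```

Each pattern is detected from a different grouping key, which is why a port scan (many ports, one destination) does not also register as a sweep, and a distributed attack (one destination, many sources) does not register as a port scan. In practice the threshold should be tuned against the environment's normal fan-out, since a backup server or a vulnerability scanner will legitimately look like Type A traffic.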

