LAB5-Investigating an offense triggered by flows

CSF-4613 Security Intelligence Lab 5

Lab3: CSF-4613 Security Intelligence: Investigating an offense

triggered by flows.

Student Name: Click or tap here to enter text.

Student ID: Click or tap here to enter text.

1. Login to the Microsoft Azure at https://labs.azure.com/virtualmachines and Power ON

both virtual machines (QR & Win) in HyperV.

Note: Play the VMs ahead of time, because it takes QRadar about 7 – 10 minutes to

boot and get ready to work on.

2. Log in to the Windows server. (Username: administrator & password object00)

3. Open a PuTTY session on the QRadar SIEM server. Use the procedure “Logging in to

the QRadar SIEM server VM” used in lab 1.

4. Generate events using PuTTY command line, type the following command:

5. Log in to the QRadar SIEM console by opening Firefox browser, then click on “Login to

QRadar” button.

Instructor/ Student Lab Manual Ayman Ahmed

Computer and Network Security (ECC4703)

Universiti Putra Malaysia

Recommended for you

Comments

Students also viewed

Related documents

Preview text

Lab3: CSF-4613 Security Intelligence: Investigating an offense

triggered by flows.

Student Name: Click or tap here to enter text.

Student ID: Click or tap here to enter text.

1. Login to the Microsoft Azure at labs.azure/virtualmachines and Power ON

2. Log in to the Windows server. ( Username: administrator & password object00 )

3. Open a PuTTY session on the QRadar SIEM server. Use the procedure “Logging in to

4. Generate events using PuTTY command line, type the following command:

5. Log in to the QRadar SIEM console by opening Firefox browser, then click on “Login to

Exercise 1: Investigating an offense triggered

by Flows.

To investigate an offense triggered by flows, perform the following steps:

1. In the QRadar SIEM console, click the Network Activity tab.

2. Observe the network events and verify that a network event triggers an

offense.

3. Click on the Offenses tab and look for the Client Base DNS Activity

to the internet containing Misc with offense source IP

address 10.36.

4. Double click on it.

5. Scroll down the offense summary until the “Last 10 Events” section.

6. Then click on “events”.

7. To investigate to the offense, click the red icon in the left-most column.

Note: QRadar SIEM shows a red icon in the left –most column for

network events that contribute to an offense.

14. How many flows are associated with this offense? Click or tap here to enter

15. What rule contributed to this offense? Click or tap here to enter text.

Hint: To determine which rule triggered the offense, click the Display

list and select Rules.

16. To investigate the flows that contributed to the offense, click Flows on

the Offense Summary page toolbar.

17. The Flow List page opens.

18. Examine the flow associated with this offense. Double-click the

network event listed (anywhere on the row. The Flow Details page

opens, then answer the following questions.

19. What is the flow direction? Click or tap here to enter text.

20. What is the application name? Click or tap here to enter text.

21. Based on your investigation, what behavior triggered this offense. Click

22. To tune the network event as a false positive, on the Flow Details

page toolbar, click False Positive.

23. The False Positive page opens.

24. Click Tune then Close.

Note: Tuning an event or flow as a false positive updates the User-BB-

False Positive: User Defined False Positives building block.

25. Close all the open windows.