Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 - CATEGORY OFFENSE INVESTIGATION GUIDE REV 1 Manual


Category offense investigation guide

Security Threat Response Manager
Category Offense Investigation Guide
Release 2008.2
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089
USA
408-745-2000
www.juniper.net
Part Number: 530-025609-01, Revision 1



Summary of Contents for Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 - CATEGORY OFFENSE INVESTIGATION GUIDE REV 1

  • Page 1 Security Threat Response Manager, Category Offense Investigation Guide, Release 2008.2. Juniper Networks, Inc., 1194 North Mathilda Avenue, Sunnyvale, CA 94089, 408-745-2000, www.juniper.net. Part Number: 530-025609-01, Revision 1...
  • Page 2 ...Juniper Networks or their respective owners. All specifications are subject to change without notice. Juniper Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
  • Page 3: Table Of Contents

    CONTENTS. ABOUT THIS GUIDE: Documentation Feedback; Requesting Support. ACCESS OFFENSES: What is an Access Offense? How do I Investigate an Access Offense? How do I Tune an Access Offense? SIM AUDIT OFFENSES: What is SIM Audit? How do I Investigate a SIM Audit Offense? How do I Tune a SIM Audit Offense? Tuning Using False Positive Function; Tuning Using Custom Rules Wizard...
  • Page 4 How Can I Verify If STRM is Receiving Valid DoS Offenses? EXPLOIT OFFENSES: What is an Exploit Attack? How do I Investigate an Exploit Offense? How do I Tune an Exploit Offense? How Can I Verify That STRM is Receiving Valid Exploit Offenses? MALWARE OFFENSES: What is Malware?
  • Page 5 SUSPICIOUS ACTIVITY OFFENSES: What is a Suspicious Attack? What is Suspicious Traffic? What is a Suspicious Offense? How do I Investigate a Suspicious Offense? How do I Tune a Suspicious Offense? SYSTEM OFFENSES: What is a System Offense? How do I Investigate a System Offense? How do I Tune a System Offense? How Can I Verify That STRM is Receiving Valid Offenses? USER DEFINED...
  • Page 7: About This Guide

    ABOUT THIS GUIDE. This preface provides the following guidelines for using the Category Offense Investigation Guide: • Documentation Feedback • Requesting Support. Documentation Feedback: We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. Send your comments to techpubs-comments@juniper.net, or fill out the documentation feedback form at http://www.juniper.net/techpubs/docbug/docbugreport.html.
  • Page 9: Access Offenses

    ACCESS OFFENSES. This chapter provides information on access offenses including: • What is an Access Offense? • How do I Investigate an Access Offense? • How do I Tune an Access Offense? What is an Access Offense? Limiting access to your network and networked resources is an essential component of any network security strategy.
  • Page 10: How Do I Investigate An Access Offense

    How do I Investigate an Access Offense? To investigate an access offense: Step 1: Click the Offense Manager tab. The Offense Manager window appears. Step 2: Click By Category from the navigation menu. The By Category view appears, displaying high-level categories. The counts for each category are accumulated from the values in the low-level categories.
  • Page 11 Step 5: Double-click the offense you wish to view. The details panel appears. Step 6: To investigate the attacker, view the Attacker Summary box: • Location - Allows you to determine if the attacker is local or remote: ...
  • Page 12 ...STRM, use the Event Viewer to investigate firewall logs to make sure it is properly configured. For more information on the Event Viewer, see the STRM Users Guide. • User - If the attacker is local or a VPN user and STRM is receiving user identity logs, this field indicates user identity information.
  • Page 13: How Do I Tune An Access Offense

    Step 8: Once you have determined the impact of the offense, you must perform the necessary steps to rectify the source of the activity. If you have determined this behavior is normal, you can tune STRM to no longer detect this activity. For more information, see How do I Tune an Access Offense?.
  • Page 14 Step 4: Select the necessary event properties to tune as a false positive. Step 5: Click Tune. STRM will no longer create additional offenses for this source IP address when this type of activity occurs.
  • Page 15: SIM Audit Offenses

    SIM AUDIT OFFENSES. This chapter provides information on SIM audit offenses including: • What is SIM Audit? • How do I Investigate a SIM Audit Offense? • How do I Tune a SIM Audit Offense? What is SIM Audit? STRM generates and records SIM audit events for system and configuration changes occurring within the STRM deployment.
  • Page 16 Step 3: To view additional low-level category information for the SIM Audit category, click the arrow icon next to SIM Audit. Step 4: Double-click any low-level category to view the list of associated offenses. The list of offenses appears. Double-click the offense you wish to view.
  • Page 17 • User - If the attacker is local or a VPN user and STRM is receiving user identity logs, this field indicates user identity information. This allows you to identify the user who is the source of the suspicious traffic. To obtain further information about the user, right-click the IP address in the Description field to access additional menu options.
  • Page 18: How Do I Tune A SIM Audit Offense

    Step 11: Once you have determined the impact of the offense, you must block the source of the unauthorized configuration activity, then take the desired action against the offense. Step 12: Once you have resolved the offense, close or hide the offense. For more information on closing or hiding an offense, see the STRM Users Guide.
  • Page 19 Step 2: Select the event with the source IP address known to be producing the SIM audit activity. Step 3: Click False Positive. The False Positive window appears with information derived from the selected event.
  • Page 20: Tuning Using Custom Rules Wizard

    Tuning Using Custom Rules Wizard. To tune SIM audit activity using the custom rules wizard: Step 1: In the navigation bar of the Offense Manager, click Rules. The Rules interface appears. Step 2: Using the Display drop-down list box, select Building Blocks. Step 3: In the Block Name list, locate the Default-BB-HostDefinition: VA Scanner...
  • Page 21 Step 6: In the Enter an IP address or CIDR and click 'Add' field, enter the IP address of the VA scanner or the IP address that is producing false positives. Step 7: Click Add. Repeat for all VA scanners or IP address(es).
  • Page 23: Authentication Offenses

    AUTHENTICATION OFFENSES. This chapter provides information on authentication offenses including: • What is an Authentication Offense? • How do I Investigate an Authentication Offense? • How do I Tune an Authentication Offense? What is an Authentication Offense? Typically, the first level of network security starts with authentication. When a user navigates a protected network, the network generally requires authentication at
  • Page 24 Step 3: To view additional low-level category information for the Authentication category, click the arrow icon next to Authentication. Step 4: Double-click any low-level category to view the list of associated offenses. The list of offenses appears.
  • Page 25 Step 5: Double-click the offense you wish to view. The details panel appears. Step 6: To investigate the attacker, view the Attacker Summary box: • Location - Allows you to determine if the attacker is local or remote: ...
  • Page 26 ...STRM, use the Event Viewer to investigate firewall logs to make sure it is properly configured. For more information on the Event Viewer, see the STRM Users Guide. • User - If the attacker is local or a VPN user and STRM is receiving user identity logs, this field indicates user identity information.
  • Page 27: How Do I Tune An Authentication Offense

    How do I Tune an Authentication Offense? If you determine that the authentication activity is normal and STRM is creating false positive offenses, you can tune STRM to make sure no more offenses are created due to this activity.
  • Page 28 Step 4: Select the necessary event properties to tune as a false positive. Step 5: Click Tune. STRM will no longer create additional offenses for this source IP address when this type of activity occurs.
  • Page 29: CRE Offenses

    CRE OFFENSES. This chapter provides information on CRE offenses including: • What is a CRE Offense? • How do I Investigate a CRE Offense? What is a CRE Offense? Custom Rule Engine (CRE) offenses are generated through user-defined custom rules or sentries.
  • Page 30 Step 3: To view additional low-level category information for the CRE category, click the arrow icon next to CRE. Step 4: Double-click any low-level category to view the list of associated offenses. The list of offenses appears. Double-click the offense you wish to view.
  • Page 31 Step 6: View the Attacker Summary box to understand the attacker: • Location - Allows you to determine if the attacker is local or remote: - Local - This field specifies the network (group) in which it is located. - Remote - This field specifies the geographic location of the attacker, for example, Asia.
  • Page 32: How Do I Tune A CRE Offense

    How do I Tune a CRE Offense? If you determine that the CRE activity is normal and STRM is creating false positive offenses, you can tune STRM to make sure no more offenses are created due to this activity. You can use the Custom Rules wizard in the Offense Manager to create a building block to allow this behavior.
  • Page 33: Denial Of Service (DoS) Offenses

    DENIAL OF SERVICE (DOS) OFFENSES. This chapter provides information on DoS offenses including: • What is a DoS Offense? • How do I Investigate a DoS Offense? • How do I Tune a DoS Offense? • How Can I Verify If STRM is Receiving Valid DoS Offenses? What is a DoS Offense? A DoS attack is an attempt to prevent an application or host from behaving in
  • Page 34: What Is A DoS Service Exploit

    What is a DoS Service Exploit? The intention of a DoS service exploit is to cause a disruption in service for a host or service. A DoS exploit attempts to disrupt a service by sending an exploit, which may be a single packet containing a DoS exploit, to a port where a vulnerable service is listening.
  • Page 35 Step 4: Double-click any low-level category to view the list of associated offenses. The list of offenses appears. Step 5: Double-click the offense you wish to view. The details panel appears.
  • Page 36 Step 6: View the Description field and determine the activity associated with this offense. This may indicate multiple types of activity. If the offense is a DDoS attack, the following terms appear: • Distributed DoS Attack (Low, Medium, or High Number of Hosts) • Potential Unresponsive Service or Distributed DoS...
  • Page 37 ...DoS attack. From the right-click menu, select Information > WHOIS Lookup or DNS Lookup. For more information on using the right-click menu, see the STRM Users Guide. Once you have determined ownership, contact your network administrator to determine if the source IP address(es) of the DoS attack may be blocked using your firewall or intrusion prevention device.
  • Page 38: How Do I Tune A DoS Offense

    How do I Tune a DoS Offense? If you determine that the DoS activity is normal and STRM is creating false positive offenses, you can tune STRM to make sure no more offenses are created due to this activity.
  • Page 39: Tuning Using Sentries

    Step 4: In the Event Properties option, select the first option. Step 5: In the Traffic Direction option, choose one of the following options: For a DoS attack, select the <IP address> to Any Destination option. For a DDoS attack, select the <IP address>...
  • Page 40: How Can I Verify If STRM Is Receiving Valid DoS Offenses

    How Can I Verify If STRM is Receiving Valid DoS Offenses? If you believe STRM should be receiving DoS offenses but none have appeared in the Offense Manager, verify that the events were received and processed using the Event Viewer interface.
  • Page 41: Exploit Offenses

    ...Detection Systems (IDSs) or Intrusion Prevention Systems (IPSs). These systems may include stand-alone network sensors such as Sourcefire or Enterasys Dragon, part of an IPS within a firewall (such as Juniper Networks ISG), or host-based IDS systems (such as the Cisco Security Agent). By default, STRM attempts to detect high exploits that are likely to be successful or that show a pattern of the attacker attempting to exploit multiple hosts or using multiple types of attacks.
  • Page 42 Step 3: To view additional low-level category information for the Exploit category, click the arrow icon next to Exploit. Step 4: Double-click any low-level category to view the list of associated offenses. The list of offenses appears. Step 5: Double-click the offense you wish to view. The details panel appears.
  • Page 43 Step 6: Determine if the offense is a result of a remote host attempting to exploit one or more local hosts. Typically the target of the attacker is located inside the Demilitarized Zone (DMZ) or in the public-facing Network Address Translation (NAT) range.
  • Page 44 Step 7: Determine if the offense is the result of a local host attempting to exploit another local host on your network. If this is the case, this is one of the most serious types of offenses, but also the most likely to be a false positive offense.
  • Page 45: How Do I Tune An Exploit Offense

    How do I Tune an Exploit Offense? If you determine that the exploit activity is normal and STRM is creating false positive offenses, you can tune STRM to make sure no more offenses are created due to this activity.
  • Page 46: How Can I Verify That STRM Is Receiving Valid Exploit Offenses

    Step 8: Click Tune. STRM will no longer create additional offenses for this source IP address when this type of activity occurs. How Can I Verify That STRM is Receiving Valid Exploit Offenses? To verify that STRM is receiving valid offenses: Step 1: By default, STRM automatically removes noise and false positives commonly...
  • Page 47: Malware Offenses

    MALWARE OFFENSES. This chapter provides information on malware offenses including: • What is Malware? • How do I Investigate a Malware Offense? • How do I Tune a Malware Offense? What is Malware? This section provides information regarding malware including: • What is Malware? ...
  • Page 48 How do I Investigate a Malware Offense? To investigate a malware offense: Step 1: Click the Offense Manager tab. The Offense Manager window appears. Step 2: Click By Category from the navigation menu. The By Category view appears, displaying high-level categories. The counts for each category are accumulated from the values in the low-level categories.
  • Page 49 Step 6: View the Attacker Summary box to understand the attacker: • Location - Allows you to determine if the attacker is local or remote: - Local - This field specifies the network (group) in which it is located. - Remote - This field specifies the geographic location of the attacker, for example, Asia.
  • Page 50 ...has become chained to another offense. Chaining means that the target has become an attacker in another offense. This indicates self-propagating malware. Note: Any remote targets associated with a malware offense may be foreign or unknown servers that the source IP address is communicating with to receive instructions or to upload data.
  • Page 51 How do I Tune a Malware Offense? If you determine that the malware activity is normal and STRM is creating false positive offenses, you can tune STRM to make sure no more offenses are created due to this activity.
  • Page 52 Step 4: Select the necessary event properties to tune as a false positive. In the case of a malware offense, select the type of event and the event high-level category that is creating the false positive malware offense. For additional information on using the False Positive tuning function, see the STRM Users Guide.
  • Page 53: Network Anomalies Offenses

    NETWORK ANOMALIES OFFENSES. This chapter provides information on network anomaly offenses including: • What is a Network Anomaly Offense? • How do I Investigate a Network Anomaly Offense? • How do I Tune a Network Anomaly Offense? What is a Network Anomaly Offense? Network anomaly offenses are generated using Network Behavior Anomaly Detection (NBAD) and occur if STRM is receiving flow data (for example, NetFlow,...
  • Page 54: Anomaly

    ...threshold sentries; however, we recommend that you edit the value of the threshold sentries to values that meet the needs of your network. Anomaly: An anomaly-based offense includes changes in the amount of time particular services or networks are active. This includes three states: • Detection of services, such as a mail server being installed in the Demilitarized...
  • Page 55 Step 3: To view additional low-level category information for the Network Anomalies category, click the arrow icon next to Network Anomalies. Step 4: Double-click any low-level category to view the list of associated offenses. The list of offenses appears.
  • Page 56: How Do I Tune A Network Anomaly Offense

    Step 6: Click the At Time of Alert graph to investigate the flows creating this offense. Step 7: Click the graph to zoom in on the information. Step 8: Click the legend with the corresponding color to isolate the problem. Click on the lower half of the graph.
  • Page 57: Policy Offenses

    POLICY OFFENSES. This chapter provides information on policy offenses including: • What is a Policy Offense? • How do I Investigate a Policy Offense? • How do I Tune a Policy Offense? • How Can I Verify That STRM is Receiving Valid Offenses? What is a Policy Offense? Policy offenses include correlated events that may constitute violations of security
  • Page 58 Step 3: To view additional low-level category information for the Policy category, click the arrow icon next to Policy. Step 4: Double-click any low-level category to view the list of associated offenses. The list of offenses appears. Step 5: Double-click the offense you wish to view. The details panel appears.
  • Page 59 Step 6: View the Attacker Summary box to understand the attacker: • Location - Allows you to determine if the attacker is local or remote: - Local - This field specifies the network (group) in which it is located. - Remote - This field specifies the geographic location of the attacker, for example, Asia.
  • Page 60: How Do I Tune A Policy Offense

    Step 9: Once you have determined the impact of the offense, you must perform the necessary steps to rectify the source of the activity. If you have determined this behavior is normal, you can tune STRM to no longer detect this activity. For more information, see How do I Tune a Policy Offense?.
  • Page 61: Tuning Using Custom Rules Wizard

    Step 4: Select the necessary event properties to tune as a false positive. Step 5: Click Tune. STRM will no longer create additional offenses for this source IP address when this type of activity occurs.
  • Page 63: Potential Exploit Offenses

    POTENTIAL EXPLOIT OFFENSES. This chapter provides information on potential exploit offenses including: • What is a Potential Exploit Offense? • How do I Investigate a Potential Exploit Offense? • How do I Tune a Potential Exploit Offense? What is a Potential Exploit Offense? Potential exploit offenses may be generated from many different sources, such as a custom rule created in STRM or an Intrusion Detection System...
  • Page 64 Step 3: To view additional low-level category information for the Potential Exploit category, click the arrow icon next to Potential Exploit. Step 4: Double-click any low-level category to view the list of associated offenses. The list of offenses appears. Double-click the offense you wish to view.
  • Page 65: How Do I Tune A Potential Exploit Offense

    ...remote source IP address to make sure that your firewalls are properly configured to block any threatening traffic. If firewall logs are being sent to STRM, use the Event Viewer to investigate firewall logs to make sure it is properly configured.
  • Page 66 Step 2: Select the event with the source IP address known to be producing this activity. Step 3: Click False Positive. The False Positive window appears with information derived from the selected event. Step 4: Select the necessary event properties to tune as a false positive. For additional information on using the False Positive tuning function, see the STRM Users Guide.
  • Page 67: Reconnaissance Offenses

    RECONNAISSANCE OFFENSES. This chapter provides information on reconnaissance offenses including: • What is Reconnaissance? • How do I Investigate a Reconnaissance Offense? • How do I Tune a Reconnaissance Offense? What is Reconnaissance? STRM detects reconnaissance activity, which is the first step in thwarting and blocking serious network attacks.
  • Page 68: How Do I Investigate A Reconnaissance Offense

    If reconnaissance activity from a specific attacker is followed by an exploit attack, STRM correlates this information to the offense to provide full details of the attacks. How do I Investigate a Reconnaissance Offense? This section provides information on further investigating a reconnaissance offense.
  • Page 69 The list of offenses appears. Step 5: Double-click the offense you wish to view. The details panel appears. Step 6: View the Attacker Summary box to understand the attacker: • Location - Allows you to determine if the attacker is local or remote: ...
  • Page 70 ...determine if the target responded to the scan. A scan is worth investigating if it receives a reply. This may indicate the initial behavior of a worm or an employee operating an unauthorized VA scanner. Step 8: Click Events. The List of Events appears for the selected offense.
  • Page 71: How Do I Tune A Reconnaissance Offense

    Step 11: Once you have determined the impact of the offense, you must either block the source of the scan or patch or shut down services on the appropriate systems, then take the desired action against the offense. Once you have resolved the offense, close or hide the offense.
  • Page 72 Step 2: Select the event with the source IP address known to be producing reconnaissance activity. Step 3: Click False Positive. The False Positive window appears with information derived from the selected event. Step 4: Select the necessary event properties to tune as a false positive. For example, in the window above, the Events with specific QID option is selected to tune the specific IP address and the event high-level category that is creating...
  • Page 73: Tuning Using Custom Rules Wizard

    Step 5: Click Tune. STRM will no longer create additional offenses for this source IP address when it performs normal VA or network management tasks. Tuning Using Custom Rules Wizard. To tune reconnaissance activity using the custom rules wizard: In the navigation bar of the Offense Manager, click Rules.
  • Page 74 Step 5: In the Building Block section, click the IP address that appears. A configuration window appears. Step 6: In the Enter an IP address or CIDR and click 'Add' field, enter the IP address of the VA scanner or the IP address that is producing false positives. Click Add.
  • Page 75: Suspicious Activity Offenses

    SUSPICIOUS ACTIVITY OFFENSES. This chapter provides information on suspicious attacks including: • What is a Suspicious Attack? • How do I Investigate a Suspicious Offense? • How do I Tune a Suspicious Offense? What is a Suspicious Attack? This section provides information on a suspicious attack including: • What is Suspicious Traffic? ...
  • Page 76: How Do I Investigate A Suspicious Offense

    What is the event rate? STRM profiles the event rate for a device to determine the normal and abnormal rate for that device. If STRM detects a sudden increase in event rate from a device, or related to a specific source IP address, an offense is created. Who is the attacker (source IP address)? STRM profiles attackers and maintains a historical record of all detected attackers.
  • Page 77 Step 3: To view additional low-level category information for the Suspicious Activity category, click the arrow icon next to Suspicious Activity. Step 4: Double-click any low-level category to view the list of associated offenses. The list of offenses appears.
  • Page 78 Step 6: View the Description field and determine the suspicious activity associated with this offense. This may include multiple types of activity. Step 7: View the Attacker Summary box to understand the attacker: • Location - Allows you to determine if the attacker is local or remote: ...
  • Page 79: How Do I Tune A Suspicious Offense

    Step 9: If this offense includes local targets, the Top 5 Local Targets box appears. This box displays the top 5 destination IP addresses associated with this offense. Targets are rated based on their overall magnitude, which takes into consideration the severity of the overall offense, whether the target is vulnerable, and whether the asset has been assigned a high weight value (indicating that this is a critical business asset).
  • Page 80 Step 2: In the List of Event Categories, double-click the related category to display associated events. Step 3: Select the event that includes the known source IP address that is reported to produce suspicious activity. Step 4: Click False Positive. The False Positive window appears with information derived from the selected event.
  • Page 81 STRM will no longer create additional offenses for this source IP address when this type of activity occurs.
  • Page 83: System Offenses

    SYSTEM OFFENSES. This chapter provides information on system offenses including: • What is a System Offense? • How do I Investigate a System Offense? • How do I Tune a System Offense? What is a System Offense? An important component of a network security solution is monitoring the health status of the hosts and connected devices.
  • Page 84 Step 3: To view additional low-level category information for the System category, click the arrow icon next to System. Step 4: Double-click any low-level category to view the list of associated offenses. The list of offenses appears. Step 5: Double-click the offense you wish to view. The details panel appears.
  • Page 85 Step 6: View the Attacker Summary box to understand the attacker: • Location - Allows you to determine if the attacker is local or remote: - Local - This field specifies the network (group) in which it is located. - Remote - This field specifies the geographic location of the attacker, for example, Asia.
  • Page 86: How Do I Tune A System Offense

    Step 8: Once you determine the root cause of the error, notify the proper administrators to rectify the situation. If you have determined this behavior is normal, you can tune STRM to no longer detect this activity. For more information, see How do I Tune a System Offense?.
  • Page 87: How Can I Verify That STRM Is Receiving Valid Offenses

    STRM will no longer create additional offenses for this source IP address when this type of activity occurs. How Can I Verify That STRM is Receiving Valid Offenses? By default, STRM generates system offenses as a result of multiple system errors occurring within a specified time frame on the same host.
  • Page 88 Step 5: In the Rule box, click the number that appears in the "more than 10 times" statement. Step 6: In the Enter a rule count field, enter the number that meets the needs of your network. Step 7: In the Rule box, click the number that appears in the "within 3 minutes" statement. Step 8: Edit the time frame, as necessary...
  • Page 89: User Defined Offenses

    USER DEFINED OFFENSES. This chapter provides information on user defined offenses including: • What is a User Defined Offense? • How do I Investigate a User Defined Offense? • How do I Tune a User Defined Offense? What is a User Defined Offense? You can use many different tools, techniques, and strategies to protect your network.
  • Page 90 Step 3: To view additional low-level category information for the User Defined category, click the arrow icon next to User Defined. Step 4: Double-click any low-level category to view the list of associated offenses. The list of offenses appears. Double-click the offense you wish to view.
  • Page 91 Step 6: To investigate the attacker, view the Attacker Summary box: • Location - Allows you to determine if the attacker is local or remote: - Local - This field specifies the network (group) in which it is located. - Remote - This field specifies the geographic location of the attacker, for example, Asia.
  • Page 92: How Do I Tune A User Defined Offense

    Step 8: Once you have determined the impact of the offense, you must perform the necessary steps to rectify the source of the activity. If you have determined this behavior is normal, you can tune STRM to no longer detect this activity. For more information, see How do I Tune a User Defined Offense?.
  • Page 93 Step 3: Use the available rules and building blocks to create the logic necessary to generate the offense. Step 4: Click Next. The Rules Response window appears. Step 5: Select the Dispatch New Events check box. Additional options appear. Step 6: ...
  • Page 94 Step 9: Complete the rules wizard. For more information on using the Custom Rules Wizard, see the STRM Administration Guide.
