Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 - CATEGORY OFFENSE INVESTIGATION GUIDE REV 1 Manual page 12

Category offense investigation guide
Access Offenses
Step 7
STRM, use the Event Viewer to investigate firewall logs to make sure it is properly configured. For more information on the Event Viewer, see the STRM Users Guide.
User - If the attacker is local or a VPN user and STRM is receiving user identity logs, this field indicates user identity information. This allows you to identify the user who is the source of the traffic. To obtain further information about the user, right-click on the IP address in the Description field to access additional menu options. From the menu, select Information > Asset Profile. The Asset Profile window allows you to determine additional information regarding the identity of the source user. You can also determine if the user associated with the offense is a valid user on the device they are attempting to access.
STRM generates access events when the same source IP address causes multiple failed access attempts, such as from a firewall. If you determine that this is normal behavior, you can tune STRM to no longer create offenses for this behavior. For information, see How do I Tune an Access Offense?

Determine if the user associated with the offense was attempting to illegally gain access to the network or a restricted area of the network. If you determine that the user had malicious intent:

a  Click Flows to further investigate the user's activity to make sure that the user did not obtain access to a restricted area of the network. The Flow Search window appears.

b  Use the Event Viewer to search for events relating to this user associated with firewall accept messages. For more information on the Event Viewer, see Using the Event Viewer in the STRM Users Guide.
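The two checks this page describes, the repeated-failed-attempt trigger behind an access offense and the step b search for firewall accept messages from the same source, as an added Python example that is not part of the Juniper guide; the log format, the field names and the threshold of three denies are assumptions.

```python
from collections import defaultdict

# Constructed sample firewall log lines (not real STRM output): "<time> <action> src= dst= user="
SAMPLE_LOGS = """\
10:00:01 deny src=10.1.1.5 dst=192.168.10.20 user=jdoe
10:00:02 deny src=10.1.1.5 dst=192.168.10.20 user=jdoe
10:00:04 deny src=10.1.1.5 dst=192.168.10.20 user=jdoe
10:00:05 deny src=10.1.1.5 dst=192.168.10.20 user=jdoe
10:00:09 accept src=10.1.1.5 dst=192.168.10.20 user=jdoe
10:00:11 deny src=10.1.1.7 dst=192.168.10.21 user=asmith
10:00:15 accept src=10.1.1.9 dst=192.168.10.22 user=bwong
"""
# Assumed threshold: denies from one source before an access offense is raised.
FAILED_ATTEMPT_THRESHOLD = 3

def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        time, action, *fields = line.split()
        events.append({"time": time, "action": action,
                       **dict(f.split("=", 1) for f in fields)})
    return events

def access_offenses(events, threshold=FAILED_ATTEMPT_THRESHOLD):
    """Source IPs with at least `threshold` denied attempts (the access-offense trigger)."""
    denies = defaultdict(int)
    for e in events:
        if e["action"] == "deny":
            denies[e["src"]] += 1
    return {src: n for src, n in denies.items() if n >= threshold}

def accepted_after_failures(events, src):
    """Step b: firewall accept events from `src` that came after a denied attempt."""
    denied_seen, accepts = False, []
    for e in events:
        if e["src"] != src:
            continue
        if e["action"] == "deny":
            denied_seen = True
        elif e["action"] == "accept" and denied_seen:
            accepts.append(e)
    return accepts

def investigate(text):
    """Per offending source: the user(s) involved and how many accepts followed the failures."""
    events = parse_log(text)
    return {src: {"users": sorted({e.get("user", "?") for e in events if e["src"] == src}),
                  "accepted_after_failures": len(accepted_after_failures(events, src))}
            for src in access_offenses(events)}
```

A non-zero accepted_after_failures count is the case step b is looking for: the source that tripped the offense later got through the firewall, so the Flow search in step a is warranted.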
