Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 - CATEGORY OFFENSE INVESTIGATION GUIDE REV 1 Manual page 26

Authentication Offenses (manual page 20)

STRM, use the Event Viewer to investigate firewall logs to make sure it is
properly configured. For more information on the Event Viewer, see the
STRM Users Guide.

User - If the attacker is local or a VPN user and STRM is receiving user identity
logs, this field displays user identity information, which lets you identify the
user who is the source of the traffic. To obtain further information about the
user, right-click the IP address in the Description field to access additional
menu options. From the menu, select Information > Asset Profile. The Asset
Profile window lets you determine additional information about the identity of
the source user.

Authentication offenses occur when the same source IP address causes multiple
login failures. This may be caused by many users using the same network path to
reach a particular server. Your network may also include an entire development
team accessing a Windows server from the same Linux or Solaris server. In this
case, false positive offenses may be generated when multiple users attempt to log
in to different servers from the same server and enter incorrect credentials. If
this is the case, you can tune STRM to no longer create offenses for this
behavior. For more information, see How do I Tune an Authentication Offense?.

Step 7 Determine whether the user associated with the offense was attempting to
gain unauthorized access to the network with malicious intent, or is a user who
has forgotten their password. If you determine that the user had malicious
intent, we recommend that you restrict this user's access to the network. We also
recommend that you use the Event Viewer to search for events relating to this
user to determine whether your network was successfully breached (for example, a
successful login from the same source after the run of failures). For more
information on the Event Viewer, see the STRM Users Guide.

Step 8 Once you have determined the impact of the offense, you must perform the
necessary steps to rectify the source of the activity. If you have determined
that this behavior is normal, you can tune STRM to no longer detect this
activity. For more information, see How do I Tune an Authentication Offense?.

Step 9 Once you are satisfied that you have resolved the offense, you can close
or hide the offense. For more information on closing or hiding an offense, see
Investigating Offenses in the STRM Users Guide.
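The following is an added example, not code from the Juniper manual and not STRM's own correlation logic. It shows, over a handful of constructed authentication log lines, the two situations the text above asks you to tell apart: the false-positive pattern where many users fail a login from one shared Linux or Solaris jump host (the case you would tune out), and a single account hammered from one source that is then followed by a successful login (the breach check Step 7 tells you to run in the Event Viewer). The log line format, the threshold of 5 failures in 10 minutes, and the per-user limit of 2 failures are all assumptions made for the example.

```python
"""Added example for this page: triage of authentication offenses.

Illustrative only. The line format, the "5 failures within 10 minutes" rule and
the "at most 2 failures per user" shared-source test are hypothetical and not
STRM's own logic.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample events, not real logs. One assumed format:
#   <ISO timestamp> <FAIL|SUCCESS> user=<name> src=<ip> dst=<host>
SAMPLE_LOG = """\
2008-06-02T09:00:01 FAIL user=alice src=10.1.1.5 dst=win-build01
2008-06-02T09:00:07 FAIL user=bob src=10.1.1.5 dst=win-build02
2008-06-02T09:00:15 FAIL user=carol src=10.1.1.5 dst=win-build01
2008-06-02T09:00:22 FAIL user=dave src=10.1.1.5 dst=win-build03
2008-06-02T09:00:30 FAIL user=erin src=10.1.1.5 dst=win-build02
2008-06-02T09:00:41 SUCCESS user=alice src=10.1.1.5 dst=win-build01
2008-06-02T09:05:00 FAIL user=administrator src=192.0.2.77 dst=dc01
2008-06-02T09:05:02 FAIL user=administrator src=192.0.2.77 dst=dc01
2008-06-02T09:05:04 FAIL user=administrator src=192.0.2.77 dst=dc01
2008-06-02T09:05:06 FAIL user=administrator src=192.0.2.77 dst=dc01
2008-06-02T09:05:08 FAIL user=administrator src=192.0.2.77 dst=dc01
2008-06-02T09:05:10 FAIL user=administrator src=192.0.2.77 dst=dc01
2008-06-02T09:05:12 SUCCESS user=administrator src=192.0.2.77 dst=dc01
2008-06-02T09:10:00 FAIL user=frank src=10.2.2.9 dst=mail01
2008-06-02T09:10:30 FAIL user=frank src=10.2.2.9 dst=mail01
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>FAIL|SUCCESS) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)


def parse_events(text):
    """Parse the constructed log format into dicts, time-sorted; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_offenses(events, threshold=5, window=timedelta(minutes=10)):
    """Return {src_ip: [failure events]} for every source with at least
    `threshold` failures inside a sliding `window` (the page's "same source IP,
    multiple login failures" condition, with hypothetical numbers)."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["result"] == "FAIL":
            by_src[ev["src"]].append(ev)
    offenses = {}
    for src, fails in by_src.items():
        start = 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                offenses[src] = fails
                break
    return offenses


def triage(src, fails, events, per_user_limit=2):
    """Classify one offense the way Steps 7 and 8 describe.

    'shared-source': several distinct users, each failing only a few times from
    the same source IP (shared jump host or NAT); this is the false-positive
    pattern the text says you may tune out.
    'single-user': one account repeatedly failing from one source; the
    breach_suspected flag is set when a SUCCESS for that user from that source
    follows the last failure, which is what the Event Viewer search is for.
    """
    per_user = defaultdict(int)
    for ev in fails:
        per_user[ev["user"]] += 1
    if len(per_user) > 1 and max(per_user.values()) <= per_user_limit:
        return {"src": src, "verdict": "shared-source",
                "users": sorted(per_user), "breach_suspected": False}
    user = max(per_user, key=per_user.get)
    last_fail = max(ev["ts"] for ev in fails if ev["user"] == user)
    breach = any(ev["result"] == "SUCCESS" and ev["user"] == user
                 and ev["src"] == src and ev["ts"] > last_fail for ev in events)
    return {"src": src, "verdict": "single-user",
            "users": [user], "breach_suspected": breach}


def investigate(text):
    """End-to-end: parse, raise offenses, and triage each one."""
    events = parse_events(text)
    return {src: triage(src, fails, events)
            for src, fails in find_offenses(events).items()}


if __name__ == "__main__":
    for src, result in investigate(SAMPLE_LOG).items():
        print(src, result["verdict"], result["users"],
              "CHECK FOR BREACH" if result["breach_suspected"] else "")
```

Run as written, 10.1.1.5 is reported as a shared source (five different users, one failure each) and is the candidate for tuning; 192.0.2.77 is a single account with six failures followed by a success and is the one to escalate; 10.2.2.9 never reaches the threshold and raises no offense at all.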
