Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 - CATEGORY OFFENSE INVESTIGATION GUIDE REV 1 Manual page 59


Step 6
View the Attacker Summary box to understand the attacker:
Location - Allows you to determine if the attacker is local or remote:
- Local - This field specifies the network (group) in which the attacker is located.
- Remote - This field specifies the geographic location of the attacker, for example, Asia. We recommend that you investigate the traffic from the remote source IP address to make sure that your firewalls are properly configured to block any threatening traffic. If firewall logs are being sent to STRM, use the Event Viewer to investigate the firewall logs to make sure the firewalls are properly configured. For more information on the Event Viewer, see the STRM Users Guide.
User - If the attacker is local or a VPN user and STRM is receiving user identity logs, this field indicates user identity information. This allows you to identify the user who is the source of the traffic. To obtain further information about the user, right-click the IP address in the Description field to access additional menu options. From the menu, select Information > Asset Profile. The Asset Profile window allows you to determine additional information regarding the identity of the source user. You can also select Information > DNS Lookup or WHOIS Lookup to further investigate the user associated with the attacker IP address.
Step 7
Once you have identified the user associated with an IP address, contact your system administrator to determine the appropriate action. You can use several methods to determine the user associated with an IP address. For example, you can use Windows Active Directory event logs, VPN authentication logs, or the Windows nbtstat command.
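Step 6 asks you to confirm that the firewall is blocking threatening traffic from a remote attacker IP, and Step 7 lists log sources (Active Directory logon events, VPN authentication logs) that tie an internal IP to a user. The script below is an added example and is not part of the STRM guide or Juniper's software: the log formats, the sample records, the IP addresses and the function names are all constructed for illustration. It counts the firewall's ALLOW/DENY decisions for the attacker IP, and for the user lookup it keeps only the most recent logon per source inside a time window, because a DHCP or VPN address is often reused by a different user later in the day.

```python
"""Correlate an attacker IP against constructed firewall, Windows Security
(event 4624 logon) and VPN authentication records.

Added example, not code from the STRM guide. Log formats, sample values and
helper names are assumptions made for illustration only.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed firewall log (syslog-like: time, action, src, dst, dport).
FIREWALL_LOG = """\
2008-06-01T10:00:01 DENY  src=203.0.113.7 dst=192.0.2.10 dport=445
2008-06-01T10:00:03 DENY  src=203.0.113.7 dst=192.0.2.10 dport=139
2008-06-01T10:01:10 ALLOW src=203.0.113.7 dst=192.0.2.25 dport=80
2008-06-01T10:02:00 ALLOW src=198.51.100.4 dst=192.0.2.25 dport=443
"""

# Constructed Windows Security 4624 logon records as a SIEM would normalise
# them: (time, account, source IP, logon type).
AD_LOGONS = [
    ("2008-06-01T08:55:00", "CORP\\alice", "10.1.4.22", 3),
    ("2008-06-01T09:40:00", "CORP\\bob", "10.1.4.22", 3),  # same IP, new lease
    ("2008-06-01T09:50:00", "CORP\\carol", "10.1.4.23", 2),
]

# Constructed VPN authentication lines: time, user, assigned tunnel IP.
VPN_LOG = """\
2008-06-01T09:30:00 vpn: user=dave assigned=10.8.0.5
2008-06-01T09:58:00 vpn: user=erin assigned=10.8.0.6
"""


def parse_time(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def firewall_verdicts(log_text, attacker_ip):
    """Count ALLOW/DENY decisions for traffic sourced from attacker_ip.

    A non-zero ALLOW count for a remote attacker is the Step 6 finding that
    should send you back to the firewall policy.
    """
    verdicts = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # skip blank or malformed lines
        src = next((f[4:] for f in fields if f.startswith("src=")), None)
        if src == attacker_ip:
            verdicts[fields[1]] += 1  # fields[1] is the action column
    return dict(verdicts)


def users_for_ip(ad_logons, vpn_text, ip, at_time, window=timedelta(hours=8)):
    """Map ip to the identities that held it shortly before at_time.

    Returns {source: user} for each source ("ad", "vpn") with a hit. Only the
    latest logon per source inside the window is kept, so an address that
    was reassigned during the day is attributed to its current holder.
    """
    t = parse_time(at_time)
    best = {}  # source -> (logon time, user)

    def consider(source, when, user):
        if t - window <= when <= t and (source not in best or when > best[source][0]):
            best[source] = (when, user)

    for when, user, src_ip, _logon_type in ad_logons:
        if src_ip == ip:
            consider("ad", parse_time(when), user)

    for line in vpn_text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        kv = dict(tok.split("=", 1) for tok in tokens if "=" in tok)
        if kv.get("assigned") == ip and "user" in kv:
            consider("vpn", parse_time(tokens[0]), kv["user"])

    return {source: user for source, (_when, user) in best.items()}


if __name__ == "__main__":
    print("firewall:", firewall_verdicts(FIREWALL_LOG, "203.0.113.7"))
    print("10.1.4.22 @ 10:00:", users_for_ip(AD_LOGONS, VPN_LOG, "10.1.4.22", "2008-06-01T10:00:00"))
    print("10.8.0.5 @ 10:00:", users_for_ip(AD_LOGONS, VPN_LOG, "10.8.0.5", "2008-06-01T10:00:00"))
```

Run it as-is to see the constructed data correlated; to use it on real data, replace the three constants with exports from STRM's Event Viewer, keeping the offense time as `at_time` so the lookup picks the user who actually held the address when the events fired.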
Step 8
View the Top 10 Events box. This box contains the top 10 events that contributed to this offense. To view all events, click Events.
Category Offense Investigation Guide
How do I Investigate a Policy Offense?
53