How Do I Investigate Suspicious Offense - Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 - CATEGORY OFFENSE INVESTIGATION GUIDE REV 1 Manual

Suspicious Activity

How Do I Investigate a Suspicious Offense

Offenses
What is the event rate?
STRM profiles the event rate for each device to determine that device's normal and
abnormal rates. If STRM detects a sudden increase in the event rate from a device,
or associated with a specific source IP address, an offense is created.
Who is the attacker (source IP address)?
STRM profiles attackers and maintains a historical record of all detected attackers.
For each attacker, the following information is recorded:
- Types of offenses in which this attacker was involved
- Targets attacked
- Potential threat level of this source IP address
If the source IP address of the suspicious activity is a known threat, STRM
creates an offense.
Who are the targets (destination IP addresses)?
You can associate a weight (value) with a host, such as a mission-critical business
server. This weight allows you to tune STRM so that it creates an offense when any
type of threatening or suspicious traffic is directed at a critical business asset
with a high asset weight.
Are the targets vulnerable?
When STRM receives suspicious events, it correlates the vulnerability assessment
data and passive host profile data held in the asset profile database to determine
whether the target is actually vulnerable to the suspicious activity.
Are there any patterns in the events or flows that can be suspicious?
STRM's correlation rules search for patterns of behavior that may indicate a
threat, such as multiple login failures followed by a successful login.
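The five questions above describe how an offense is built up from separate signals: a per-device event-rate baseline, attacker history, asset weight, vulnerability correlation, and a behavioral pattern such as failed logins followed by a success. The following Python is an added illustration, not STRM code or anything from this guide: it runs the same decisions over a small, constructed set of events. The device name, IP addresses, asset profile, known-attacker list, thresholds and magnitude formula are all invented for the example.

```python
"""Toy offense correlator in the spirit of the questions above (constructed example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history: events per minute seen from one device over the last ten minutes.
RATE_HISTORY = {
    "fw-edge-01": [40, 42, 38, 45, 41, 39, 44, 40, 43, 42],
}

# Constructed events for the current minute: (ts_seconds, device, src_ip, dst_ip, event_name).
CURRENT_EVENTS = (
    [(t, "fw-edge-01", "203.0.113.9", "10.0.0.5", "Login Failure") for t in range(50)]
    + [(55, "fw-edge-01", "203.0.113.9", "10.0.0.5", "Login Success")]
    + [(t, "fw-edge-01", "198.51.100.7", "10.0.0.20", "Login Failure") for t in range(60, 65)]
    + [(70, "fw-edge-01", "198.51.100.7", "10.0.0.20", "Login Success")]
)

# Constructed asset profile: weight 1-10 and the kinds of activity the host is known to be weak against.
ASSETS = {
    "10.0.0.5": {"weight": 10, "vulnerable_to": {"brute force"}},
}

# Constructed attacker history: sources previously involved in offenses.
KNOWN_ATTACKERS = {"203.0.113.9"}


def rate_spike(device, current_count, history=RATE_HISTORY, k=3.0):
    """True when this minute's count exceeds mean + k * stdev of the device's own baseline."""
    samples = history.get(device)
    if not samples:
        return False  # no baseline yet, so nothing can be called abnormal
    threshold = mean(samples) + k * pstdev(samples)
    return current_count > threshold


def failed_then_success(events, window=300, min_failures=5):
    """Find sources that fail at least min_failures times within `window` seconds
    and then succeed against the same target."""
    by_pair = defaultdict(list)
    for ts, _device, src, dst, name in events:
        by_pair[(src, dst)].append((ts, name))
    hits = []
    for (src, dst), seq in by_pair.items():
        seq.sort()
        failures = []
        for ts, name in seq:
            if name == "Login Failure":
                failures.append(ts)
            elif name == "Login Success":
                recent = [f for f in failures if ts - f <= window]
                if len(recent) >= min_failures:
                    hits.append({"src": src, "dst": dst,
                                 "failures": len(recent), "success_at": ts})
                failures = []  # a success closes the sequence
    return hits


def magnitude(hit, assets=ASSETS, known_attackers=KNOWN_ATTACKERS):
    """Score 1-10 from the signals the questions above name: the rule fired,
    attacker history, target asset weight, and whether the target is vulnerable."""
    score = 3  # a correlation rule matched
    if hit["src"] in known_attackers:
        score += 2
    profile = assets.get(hit["dst"], {"weight": 1, "vulnerable_to": set()})
    score += profile["weight"] // 2
    if "brute force" in profile["vulnerable_to"]:
        score += 2
    return min(score, 10)


def investigate(events, device):
    """Return the offenses an analyst would see for this minute's events."""
    offenses = []
    count = sum(1 for e in events if e[1] == device)
    if rate_spike(device, count):
        offenses.append({"type": "event rate spike", "device": device,
                         "count": count, "magnitude": 5})
    for hit in failed_then_success(events):
        offenses.append({"type": "login failures then success",
                         **hit, "magnitude": magnitude(hit)})
    return offenses


if __name__ == "__main__":
    for offense in investigate(CURRENT_EVENTS, "fw-edge-01"):
        print(offense)
```

The two login-pattern hits get very different magnitudes: the one against the weighted, vulnerable asset from a known attacker scores 10, while the same pattern against an unprofiled host from an unknown source scores 3. That gap is what asset weighting and vulnerability correlation are for, and it is why the guide asks those questions before the raw event count.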
To investigate a suspicious offense:

Step 1 Click the Offense Manager tab.
The Offense Manager window appears.

Step 2 Click By Category from the navigation menu.
The By Category view appears, displaying high-level categories. The counts for
each category are accumulated from the values in the low-level categories.

Hint: Only low-level categories with associated offenses appear with an arrow.
You can click the arrow to view the associated low-level categories. If you wish to
view all categories, click Show Inactive Categories.