Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 - CATEGORY OFFENSE INVESTIGATION GUIDE REV 1 Manual page 78

72 S A
USPICIOUS CTIVITY
Step 6
Step 7
Step 8
O
FFENSES
View the Description field and determine the suspicious activity associated with
this offense. This may include multiple types of activity.
View the Attacker Summary box to understand the attacker:
Location - Allows you to determine if the attacker is local or remote:
•
- Local - This field specifies the network object (group) in which it is located.
- Remote - This field specifies the geographic location of the attacker, for
example, Asia. We recommend that you investigate the traffic from the
remote source IP address to make sure that your firewalls are probably
configured to block any threatening traffic. If firewall logs are being sent to
STRM, use the Event Viewer to investigate firewall logs to make sure it is
probably configured. For more information on the Event Viewer, see the
STRM Users Guide.
User - If the attacker is local or a VPN user and STRM is receiving user identity
•
logs, this field indicates user identity information. This allows you identify the
user who is the source of the suspicious traffic. To obtain further information
about the user, right-click on the IP address in the Description field to access
additional menu options. From the menu, select use the Select Information >
Asset Profile. The Asset Profile window allows you to determine additional
information regarding the identify of the source user.
View the Top 10 Events box to view the most severe events correlated to this
offense. This box provides a view of the type of events that are being correlated to
the offense, the devices from which event are being received, and the detailed
event names.
Category Offense Investigation Guide