SIEM-W5

Uploaded by hdfc6786

SECURITY INFORMATION & EVENT MANAGEMENT LAB

WEEK-05
NAME : DATE:

HT NO : BRANCH: CSE-CS-B

PROBLEM STATEMENT:

Scan monitored system to detect rootkits.

Output:
On the IBM® Security Threat Intelligence Insights landing page, complete the
following steps.

1. Scroll to the Top relevant threats section and choose the threat activity that
is not yet scanned.
2. Click Scan now.

On the threat details page, complete the following steps:

1. Look at the Check if you are affected card.
2. Data sources must be connected before you can run a scan. You can select
which data sources to scan for threat indicators. Otherwise, all connected
data sources are scanned.
3. Choose a timeframe. Scan now is set by default to search your connected
data sources for the last 60 minutes. If you want to search for a longer period
against your connected data sources, select from the predefined timeframes.
4. Click Scan now.

When the scan is complete and indicators are found:

The card is updated to show the number of found indicators.
A case is created to help you begin the investigation.

How does the scan work?

You must have data sources that are connected to your IBM Security QRadar® Suite
Software account (see "Learn how to connect a data source").

Threat Intelligence Insights cross-references the user logs in all connected data
sources to determine whether events and flows are related to any indicators of
compromise (IoC) that are captured within the threat reports.

If an indicator is found and it is supported in your connected data sources, the
indicator is counted in the scan result, and returned in found indicators.
If an indicator is not supported in your connected data sources, then that indicator
is not counted in the scan result.

Important: Your Am I Affected scan might not start if it is scanning for a threat that
contains more than 300 indicators of compromise.
A tis_system key is automatically created when you first initiate a scan. Threat
Intelligence Insights uses this key to provide Am I Affected Scans. If the tis_system
key is deleted, scans cannot be completed. Data sources must be connected

What are indicators of compromise (IoC)?

Indicators of compromise are any recorded or captured pieces of digital evidence
from a security incident that can be used to provide information about an intrusion or
issue.

These indicators provide the first concrete targets for your investigation. Different
threat intelligence feeds might use different indicators, depending on your region,
business sector, or security requirements. Threat Intelligence Insights uses the
following indicators:

URLs
IP addresses
MD5 and SHA-256 hashes

What is the difference between total indicators and found indicators?

1. Total indicators
The total number of indicators that are associated with the threat, a value that
is based on consolidated reports. The value does not include the indicators
that are found in your connected data sources after an Am I Affected scan is
run. The value corresponds to the total number of indicators that are listed in
the threat details Indicators tab.
2. Found indicators
The number of indicators that are supported and found in your connected data
sources after an Am I Affected scan is run.
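The following Python example is added here to make the scan mechanics concrete; it is not part of the lab handout and not IBM's code. It models what the page describes under "How does the scan work?" and "total vs. found indicators": a threat report lists indicators (URLs, IP addresses, MD5 and SHA-256 hashes), each connected data source is searched for them within a timeframe (the page's default is the last 60 minutes), indicators no connected source supports are left out of the result, and a threat with more than 300 indicators does not start a scan. The indicator list, the three data sources and their log events are constructed sample data, and the way a source declares which indicator kinds it supports is an assumption made for this example.

```python
import re
import ipaddress
from datetime import datetime, timedelta, timezone

MAX_INDICATORS_PER_SCAN = 300   # limit stated on the page: a larger threat might not start a scan


def classify_indicator(value):
    """Return 'url', 'ip', 'md5' or 'sha256' for an IoC string, or None if unrecognised."""
    v = value.strip()
    if re.fullmatch(r"[0-9a-fA-F]{32}", v):
        return "md5"
    if re.fullmatch(r"[0-9a-fA-F]{64}", v):
        return "sha256"
    try:
        ipaddress.ip_address(v)
        return "ip"
    except ValueError:
        pass
    return "url" if re.match(r"https?://", v, re.IGNORECASE) else None


def _pattern(ioc, kind):
    """URLs match as substrings; IPs and hashes must not match inside a longer token
    (indicator 203.0.113.4 must not hit an event that mentions 203.0.113.45)."""
    if kind == "url":
        return re.compile(re.escape(ioc), re.IGNORECASE)
    return re.compile(r"(?<![\w.])" + re.escape(ioc) + r"(?![\w.])", re.IGNORECASE)


def scan_data_sources(indicators, data_sources, now, lookback=timedelta(minutes=60)):
    """Cross-reference a threat's indicators against connected data sources.
    data_sources: {name: {"supports": {kinds}, "events": [(timestamp, text), ...]}}"""
    if len(indicators) > MAX_INDICATORS_PER_SCAN:
        raise ValueError(f"more than {MAX_INDICATORS_PER_SCAN} indicators; scan not started")
    if not data_sources:
        raise ValueError("data sources must be connected before a scan can run")
    window_start = now - lookback
    supported_kinds = set().union(*(src["supports"] for src in data_sources.values()))

    typed, not_supported = {}, []        # indicators no connected source supports are not counted
    for ioc in indicators:
        kind = classify_indicator(ioc)
        if kind is None or kind not in supported_kinds:
            not_supported.append(ioc)
        else:
            typed[ioc.lower()] = (kind, _pattern(ioc, kind))

    found = {}                           # indicator -> set of data sources it was seen in
    for name, src in data_sources.items():
        in_window = [text for stamp, text in src["events"] if window_start <= stamp <= now]
        for ioc, (kind, pat) in typed.items():
            if kind in src["supports"] and any(pat.search(t) for t in in_window):
                found.setdefault(ioc, set()).add(name)

    return {"total_indicators": len(indicators),       # everything the threat report lists
            "found_indicators": len(found),            # supported and seen in the timeframe
            "found": {ioc: sorted(s) for ioc, s in found.items()},
            "not_supported": not_supported,
            "timeframe": (window_start, now)}


# ---- constructed sample data: not from any real threat report or log source ----
def _ts(hhmm):
    hour, minute = map(int, hhmm.split(":"))
    return datetime(2024, 1, 25, hour, minute, tzinfo=timezone.utc)


SAMPLE_NOW = _ts("12:00")
SAMPLE_INDICATORS = [
    "203.0.113.45", "198.51.100.7", "http://malware.example/payload.bin",
    "d41d8cd98f00b204e9800998ecf8427e",
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "malware.example",                   # bare domain: none of the four supported kinds
]
SAMPLE_DATA_SOURCES = {
    "firewall": {"supports": {"ip", "url"}, "events": [
        (_ts("11:30"), "action=deny src=10.1.2.3 dst=203.0.113.45 dport=443"),
        (_ts("10:50"), "action=allow src=10.1.2.9 dst=198.51.100.7 dport=80"),  # outside 60 min
        (_ts("11:40"), "action=allow src=10.1.2.3 dst=203.0.113.4 dport=443")]},
    "proxy": {"supports": {"url"}, "events": [
        (_ts("11:45"), "GET http://malware.example/payload.bin 200 user=alice")]},
    "edr": {"supports": {"md5", "sha256"}, "events": [
        (_ts("11:58"), "process=updater.exe md5=D41D8CD98F00B204E9800998ECF8427E")]},
}


def run_sample_scan(lookback_minutes=60):
    """Scan the constructed sources with the page's default 60-minute window, or a longer one."""
    return scan_data_sources(SAMPLE_INDICATORS, SAMPLE_DATA_SOURCES, SAMPLE_NOW,
                             timedelta(minutes=lookback_minutes))
```

With the default window, `run_sample_scan()` reports 3 of 6 indicators found: the second IP address only appears 70 minutes before "now", so it is picked up only by a longer timeframe such as `run_sample_scan(24 * 60)`, and the bare domain is listed under `not_supported` rather than counted. Two practical points the code makes explicit: hash and IP matching is token-bounded so that a short indicator cannot fire on a longer address, and hashes are compared case-insensitively because log sources disagree on hex case.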

How do I set up an automatic scan?

In addition to the manual scans, entitled users have access to continuous,
automated overnight scans for all applicable threats published in the past 7 days.
The default time range for overnight scans is a 24-hour look-back across connected
data sources. Currently, the default automated scans cannot be adjusted.

Investigating your rules

Last Updated: 2024-01-25
Investigate your rules by filtering different properties. Determine which rules you
might need to edit in IBM® Detection and Response Center or search in Data
Explorer.

Before you begin

See the system requirements and information about setting up QRadar®
connections in Accessing Detection and Response Center.

About this task

Follow the suggested workflow for investigating your rules.

Procedure
1. From the vertical overflow menu on the report menu bar, click View
presets and pick one. The default preset shows the rules that are available
from IBM QRadar and the Sigma community.
2. Filter the rules by source and origin, rule attributes, QRadar rule attributes, or
MITRE ATT&CK tactics and techniques. For more information, see Filtering
rules by their properties.
3. To find a rule with a specific name, filter on the name attribute by using a
regular expression.
4. Customize the report presentation to make it easier to investigate your rules.
   To modify the column settings, go to the vertical overflow menu and click
   Manage columns.
   Search or scroll down the window to find the column that you want to add
   to the report and select the relevant checkbox.
   Tip: You can add other QRadar rule attributes to the report display, such
   as rule category, group, log source type, or test.
   In the Selected columns section of the window, drag the columns in the
   order that you want them displayed in the report.
   Click Apply.
5. To investigate details for a specific rule, select the rule name to open the rule
details page. The rule details page contains sections for common rule
attributes, test definitions, and source-specific rule attributes, such as the
author of a Sigma community rule.
6. Tips:
   To run a STIX pattern for a Sigma community rule, click Run query in
   Data Explorer.
   To see more details about a Sigma community rule in GitHub, click Sigma
   community external link.
7. Visualize your rules after you organize the report data.

What to do next

Filtering rules by their properties
Filter your rules to fine-tune the report results. Examine your MITRE ATT&CK
coverage by filtering your rules based on their mappings to tactics and
techniques. IBM QRadar rules can be modified in QRadar or QRadar Use
Case Manager.

Exporting rules
Export rule data from the current report in CSV format so that you can further
process the data or view it in Excel.
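The Python example below is added to show, outside the product UI, what the rule-investigation workflow above amounts to: filtering a rule set by source, by a regular expression on the rule name and by MITRE ATT&CK tactic or technique (procedure steps 2 and 3), checking ATT&CK coverage as "Filtering rules by their properties" suggests, and exporting the chosen columns to CSV as in "Exporting rules". It is not code from the lab handout or from IBM Detection and Response Center. The rule records are constructed (their ATT&CK IDs are real technique IDs, the rule names are made up), and the choice that a parent technique such as T1059 also counts its sub-techniques as coverage is this example's assumption, not the product's documented behaviour.

```python
import csv
import io
import re

# Constructed rule records shaped like the report columns the procedure mentions
# (name, source, ATT&CK tactics/techniques, enabled); not the product's data model.
SAMPLE_RULES = [
    {"name": "Suspicious PowerShell Download Cradle", "source": "Sigma community",
     "tactics": ["Execution"], "techniques": ["T1059.001"], "enabled": True},
    {"name": "Multiple Login Failures for Single Username", "source": "IBM QRadar",
     "tactics": ["Credential Access"], "techniques": ["T1110"], "enabled": True},
    {"name": "Mimikatz Command Line", "source": "Sigma community",
     "tactics": ["Credential Access"], "techniques": ["T1003"], "enabled": True},
    {"name": "Local Account Created", "source": "IBM QRadar",
     "tactics": ["Persistence"], "techniques": ["T1136.001"], "enabled": False},
    {"name": "Rootkit Driver Loaded", "source": "IBM QRadar",
     "tactics": ["Defense Evasion"], "techniques": ["T1014"], "enabled": True},
]


def technique_matches(rule_technique, wanted):
    """Assumption for this example: a parent technique (T1059) also covers its
    sub-techniques (T1059.001); an exact ID matches only itself."""
    return rule_technique == wanted or rule_technique.startswith(wanted + ".")


def filter_rules(rules, source=None, name_regex=None, tactic=None, technique=None, enabled=None):
    """Apply the report filters from the procedure; a filter left as None is ignored."""
    name_pat = re.compile(name_regex) if name_regex else None
    out = []
    for r in rules:
        if source is not None and r["source"] != source:
            continue
        if name_pat is not None and not name_pat.search(r["name"]):
            continue
        if tactic is not None and tactic not in r["tactics"]:
            continue
        if technique is not None and not any(technique_matches(t, technique) for t in r["techniques"]):
            continue
        if enabled is not None and r["enabled"] != enabled:
            continue
        out.append(r)
    return out


def attack_coverage(rules, wanted_techniques):
    """For each technique of interest, list the enabled rules mapped to it.
    A technique with an empty list is a detection-coverage gap."""
    return {
        wanted: sorted(r["name"] for r in rules
                       if r["enabled"] and any(technique_matches(t, wanted) for t in r["techniques"]))
        for wanted in wanted_techniques
    }


def export_csv(rules, columns):
    """Serialise the selected columns to CSV text; list-valued cells are joined with '; '."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, extrasaction="ignore", lineterminator="\n")
    writer.writeheader()
    for r in rules:
        writer.writerow({c: "; ".join(r[c]) if isinstance(r[c], list) else r[c] for c in columns})
    return buf.getvalue()


if __name__ == "__main__":
    hits = filter_rules(SAMPLE_RULES, name_regex=r"(?i)powershell|mimikatz")
    print(export_csv(hits, ["name", "source", "techniques"]))
    for tech, names in attack_coverage(SAMPLE_RULES, ["T1003", "T1059", "T1136", "T1566"]).items():
        print(f"{tech}: {names or 'NO ENABLED COVERAGE'}")
```

Two details matter when you do this against a real export: the coverage check counts only enabled rules, so a rule that exists but is switched off (the T1136.001 rule here) still shows as a gap, and the name regex is applied with `search`, so anchor it (`^...$`) when you want an exact match rather than a substring.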
