Offenses

The QRadar Analyst Workflow Offenses overview page displays a table of the offenses in your JSA environment that you can filter in many different ways. It also includes graphical representations of offenses, by magnitude, assignee, and type.

On the offenses page, you can investigate an offense to determine the root cause of an issue and work to resolve it.

Visualization of Offenses

Filter the Offenses table in the QRadar Analyst Workflow to display the specific offenses you want to investigate.

As you apply filters, the offenses table displays only the offenses that meet your filter criteria. The graphs displayed on the page also change to reflect only the offenses in your filtered list.

Tip:

You can copy and paste the URL from your browser to share the offenses page, including all filters and configuration options.

  1. To apply a filter, click any of the following categories to see filtering options for that category:

    • Magnitude

    • Severity

    • Assigned To

    • Status

    • Start Time

    • Offense Type

    • Log Source Name

    • Log Source Type

    • Destination Network

    • Local Destination Addresses

    • Source Addresses

    • Rules

    • Follow Up

    • Protected

  2. To include only offenses with specific attributes, select that attribute in the filters list. To exclude offenses with specific attributes, click the icon next to the attribute, and click Apply IS NOT Filter.

    Tip:

    You can right-click on a Status, Type, Source IP, or Destination IP in the offenses table and quickly apply an IS or IS NOT filter to the offenses.

  3. To sort the offenses table in ascending or descending order by an attribute, click the appropriate table heading.

  4. To clear individual filters, click the X on the filter indicator. To clear all filters, click Clear filters.

  5. To configure the number of offenses displayed in the table, click the Items per page drop-down at the bottom of the table.

Offense Investigation

Begin your offense investigation in the QRadar Analyst Workflow by clicking an offense in the offense table. The offense details provide context to help you understand what happened and determine how to isolate and resolve the problem.

In addition to the basic information included in the offense table, the offense details page includes the following features, each listed with a description:

Insights

The Insights section displays the rules that triggered the offense. Click a rule to see its details.

Events graph

The Events graph displays the number of events that occurred at a given time within the last 7 active days. Use the scrubber bar at the top of the graph to zoom in on specific times and event spikes. Click View Events to see a list of events that contributed to the offense and investigate event details.

Source and Destination IPs

If offenses include multiple source or destination IPs, you can click the IP lists to scroll through the entire list of IPs. Click a specific IP address to see details about that IP.

Magnitude

The Magnitude graph provides a visual representation of how the magnitude was calculated, based on relevance, credibility, and severity. Click the graph to see a detailed description of how the magnitude is calculated.

Notes

In the Notes section, you can click on a long note to see the entire text. Click Add note to add your own note to the offense details.

Tip:

If an offense has a long title, click on the title to see the entire offense title.

Offense Actions

Use the QRadar Analyst Workflow to keep track of offenses throughout your investigation.

Knowing that an offense occurred is only the first step; identifying how it happened, where it happened, and who did it requires some investigation.

Marking an offense for follow-up

In the QRadar Analyst Workflow, you can mark an offense for follow-up when you want to flag it for further investigation.

  1. From the Offenses table, do one of the following actions:

    • Select the offenses that you want to flag.

    • Click on a single offense listing to open the offense details.

  2. From the Actions list, select Follow up.

    Tip:

    To remove the flag, select Unfollow from the Actions list.

Protecting Offenses

You might have offenses that you want to retain regardless of the retention period. In the QRadar Analyst Workflow, you can protect offenses to prevent them from being removed from JSA after the retention period has elapsed.

By default, offenses are retained for 30 days. For more information about customizing the offense retention period, see the Juniper Secure Analytics Administration Guide.

  1. From the Offenses table, do one of the following:

    • Select any offenses you want to protect.

    • Click on a single offense listing to open the offense details.

  2. From the Actions list, select Protect.

    Tip:

    To remove the protection from the offense, select Unprotect from the Actions list.

Hiding Offenses

Hide an offense to prevent it from being displayed in the QRadar Analyst Workflow offenses table. After you hide an offense, the offense is only displayed if you apply an IS filter for Status = Hidden.

  1. From the Offenses table, do one of the following:

    • Select any offenses you want to hide.

    • Click on a single offense listing to open the offense details.

  2. From the Actions list, select Hide.

    Tip:

    To unhide the offense, filter to see hidden offenses, and select Open from the Actions list.

Closing Offenses

Close an offense in the QRadar Analyst Workflow to remove it completely from your system.

The default offense retention period is 30 days. After the offense retention period expires, closed offenses are deleted from the system. You can protect an offense to prevent it from being deleted when the retention period expires.

After you close an offense, the offense is only displayed if you apply an IS filter for Status = Closed. If more events occur for an offense that is closed, a new offense is created.

When you close offenses, you must select a reason for closing the offense. If you have the Manage Offense Closing permission, you can add custom closing reasons. For more information about user role permissions, see the Juniper Secure Analytics Administration Guide.

  1. From the Offenses table, do one of the following:

    • Select any offenses you want to close.

    • Click on a single offense listing to open the offense details.

  2. From the Actions list, select Close.

  3. Specify a closing reason from the Choose a resolution option list.

  4. In the text field, type a note to provide more information.

    Notes must not exceed 1,984 characters.

  5. Click OK.