Hello,
I frequently see similar results of the investigation from Watson Insight, with the typical summary as follows:
"Watson has analyzed this offense and a total of 32 observables. The analysis found 13 new indicators that were not included in the offense. 12 indicators were related to suspicious activity, and no indicators were active. From the newly found indicators, 12 have ties to suspicious activity. In particular, 11 files and one domain name have been found, which are known to be suspicious or malicious. Here is a threat vector of the malware that is related to this offense: "trojan" The following malware family types might be linked to the offense: "dnotua", "jiagu", "skymobi", "dowgincw", "rootnik", "dowgin", "obfus", "xgen" and "box"."
Note: See the screenshot here for more details (sorry for not uploading the image here, since the company blocks it by default).
Actually, I don't find any risk in the relevant event logs, so why does Watson suggest that several indicators have ties to suspicious activity or malware family types?
------------------------------
Nam Tran Quoc
------------------------------