So, a starting point about the info contained in the Offense summary view is covered here. Keep in mind that the source IP info, though relevant to the offense, is not always the primary reason for the offense (it could be based on, say, the username or destination IP or maybe a malware, etc.). The Events/Flows links from the Offense summary window will open a new window where a search will be executed and the events/flows associated with the offense will be shown.
Information such as MAC, IP, hostname (FQDN, NetBIOS) and weight is related to the asset records. Vulnerability information is associated with the asset record if, e.g., it was imported from an external vulnerability scanner; vulnerabilities are basically flaws in the software or misconfigurations that could make your system susceptible to attacks or exploitable by malicious actors. There is also a list of users' info potentially historically associated with the asset, too.
Magnitude is an attempt to measure the importance and give you the possibility to adequately prioritize the offense. As is mentioned here, the main "ingredients" are
Relevance (determines the impact of the offense on your network),
Credibility (indicates the integrity of the offense based on the rating set in the log source) and
Severity (indicates the level of threat posed in relation to the state of the destination); these contribute to the resulting Magnitude based on a fixed ratio (relevance most of them). However, there are many more "nuances" to this, and the algorithm for this calculation is proprietary; things like the number of log sources involved, source or destination network importance, context (L2L/R2L/L2R), source reputation, etc. all contribute to the result (dynamically).
------------------------------
Dusan VIDOVIC
------------------------------
Original Message:
Sent: Wed February 01, 2023 02:52 AM
From: Konstantinos Asimakopoulos
Subject: Sources at Offences
Hello,
I would like to ask about offences at the console.
When you are inside an offence there is a table about Sources.
Is the Source IP related to the offense?
How is magnitude derived?
What does vulnerability mean?
Are User, MAC and Weight related to Assets?
Are the Offences the offences related to that IP, regardless of whether it is source or destination?
Are the Events/Flows related to the offences in the previous tab, right?
Thanks and regards,
Konstantinos
------------------------------
Konstantinos Asimakopoulos
------------------------------