Investigate IT security incidents with QRadar Forensics

Jose Bravo demonstrates how to investigate common security incidents

In this four-part video tutorial, Jose Bravo demonstrates how to use QRadar Forensics to investigate three common scenarios. He walks through the investigation of the scenarios in the same way an investigator would collect forensic evidence.


Jose F. Bravo, IBM Security Tiger Team, IBM

Jose Bravo is a 26-year IBM Security subject matter expert. He recently joined the IBM Security Tiger Team. A prolific video educator, Bravo's main area of expertise is strong authentication; he has seven patents in that field. His BS in Electronic Engineering is from Simon Bolivar University, and his Master of Science in Computer and Systems Engineering is from Rensselaer Polytechnic Institute.

29 July 2014

Also available in Russian

Introduction to Forensics

In this introductory video, Jose Bravo recaps two of QRadar's current offerings and then introduces the new forensics offering from IBM. Jose discusses QRadar SIEM's basic ability to take billions of SIEM events and combine them with detected flows and external data to identify a small number of high priority offenses that need to be investigated. He notes that QRadar revolutionized the SIEM market by creating a system that enables non-IT security experts to manage the IT security issues. Jose discusses QRadar Vulnerability Manager's (QVM) ability to take detected vulnerabilities from application scanners, Guardium, and many other sources, combine them with topology information and security policies, and identify a few top priority threats that need to be acted on. Jose then introduces the new IBM offering, QRadar Forensics, which uses both structured and unstructured data to find relationships that assist in forensics investigations. This enables people who aren't data scientists to perform meaningful investigations into IT security incidents.

Sending confidential information in email file attachments

In this video, Jose introduces a common question, "Are employees sending emails with confidential information outside the company?" He shows how to set up rules that trigger an offense when someone sends an email with an attachment, as well as how to create a Forensics Recovery work item. He uses QRadar Forensics queries over the full content that was indexed on the appliances monitoring the outbound traffic. He shows that even simple cases can generate large numbers of data items that need to be searched. Jose also shows how to build queries over the indexed data for words such as Confidential or Secret. From the search result, he shows how to look at the metadata on the emails, how to look for other places the document was sent, and how to extract other information that can help the investigator. After a suspicious email is found, he shows how to use MAC addresses, IP addresses, and user IDs related to the sender of the email to find relationships and activity that might indicate that the sent file is suspicious.

Looking for suspected information leaks

In this video, Jose proposes a scenario in which "Replay Industries" suspects that company information has been leaked because it has shown up at a competitor. No one knows who or how it was leaked. Jose starts QRadar Forensics and enters a search query for "Replay Industries." In the search results, which are sorted by relevance, Jose sees an online chat in which a document was exchanged that had the phrase "Replay Industries." From there, Jose demonstrates how to run queries that show a bigger picture of the communications between the two parties in the chat. He shows how QRadar Forensics can identify the email addresses, Voice over IP calls, and other types of communications that the two people had with each other. Jose also demonstrates the "surveyor" capability that lets the investigator look at everything that happened to a subject for a time period before and after the event of interest. Jose shows how a subject's web traffic can be captured by the system so that the investigator sees what the subject sees. Jose also demonstrates QRadar Forensics' capability to visualize the IP addresses and email addresses a subject communicates with.

Detecting brute force attacks over telnet


In this video, Jose starts with a detected offense and looks at the relationships between the source and destination IP addresses. He starts a new Forensics Recovery investigation. In the new investigation, Jose shows the Forensics tab collecting and indexing information that was related to the offense that raised the concern. He shows that the target IP address listed in the offense can be searched for in the Forensics Recovery investigation and how the indexed information can be scanned for incorrect logins. Jose shows the results of the query that lists all the incorrect logins and selects one to open for more detail. By looking at the detail, you can see that a brute force attack is clearly being performed on the session, and you can see the attacker's success and subsequent activities.


