Security investigations
With IBM® QRadar® Incident Forensics, you can detect emerging threats, determine the root cause and prevent recurrences. By using forensics tools, you can quickly focus your analysis on who initiated the threat, how they did it and what was compromised.
As a forensics investigator, you can retrace the step-by-step actions of cyber criminals and reconstruct the raw network data that is related to a security incident.
When your organization first becomes aware of a threat or a potential security risk or compliance breach, you set objectives to assess the scope, identify the entities that are involved, and understand the motivations.
- Recover and reconstruct network sessions to and from an IP address. Each recovery that you create becomes an incident.
- From the incidents that are created, query categories of attributes to gather evidence.
- Use search filters to retrieve only the information that you are interested in.
- Depending on the type of investigation, choose the forensics tool that provides you with the evidence that you need.
Suspicious content
You can use search to look for any contextual element or identifier that you know about the attacker or incident. Searching on that keyword returns suspicious content, some of which might be relevant to the investigation.
Data pivoting
Data pivoting is achieved by presenting the content that is returned by a search as hotlinks. For example, if you search for "Tom", the results might include emails that Tom wrote, Tom's chats, and more contextual information. When you open an email to view it, every asset or entity that Tom used, such as attachments or computer IDs, appears as a link. An investigator can follow these links to move quickly from one piece of evidence to the next.
Digital Impression
Use Digital Impression to look through the data and map the relationships between entities, such as IP addresses, names, and MAC addresses, based on frequency. You can select one or more results to view the frequency and direction of each relationship.
Surveyor
Use Surveyor to see a timeline of activities so that you can retrace an attack. Surveyor reconstructs the session and sorts the documents in time order.
Content filtering
Use content filtering to look at a subset of content categories, such as WebMail or Pornography, to remove noise and irrelevant content from your search results.
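The following example, added here to make the workflow concrete, models the steps described above over a handful of constructed session records: recovering sessions to and from an IP address, keyword search with pivoting to linked entities, a relationship map with frequency and direction (the Digital Impression idea), a time-ordered view (the Surveyor idea), and content-category filtering. It is illustrative code written for this page, not QRadar Incident Forensics code; the record layout, the category labels, and the rule that the source side of a session "points to" the destination side are assumptions.

```python
"""Toy model of the investigation steps named on this page. Illustrative code,
not QRadar Incident Forensics code; record layout and categories are assumed."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Session:
    start: datetime
    src_ip: str
    dst_ip: str
    src_mac: str   # "" when unknown
    user: str      # "" when unknown
    category: str  # assumed content-category label, e.g. WebMail
    summary: str


def _ts(s):
    return datetime.fromisoformat(s)


# Constructed sample sessions (not real capture data), deliberately out of time order.
SESSIONS = [
    Session(_ts("2024-03-01T09:00:00"), "10.0.0.5", "203.0.113.10", "aa:bb:cc:00:00:01", "tom", "WebMail", "tom reads webmail"),
    Session(_ts("2024-03-01T09:10:00"), "198.51.100.7", "10.0.0.5", "", "", "RemoteAccess", "inbound remote session"),
    Session(_ts("2024-03-01T09:05:00"), "10.0.0.5", "198.51.100.7", "aa:bb:cc:00:00:01", "tom", "FileTransfer", "tom uploads archive"),
    Session(_ts("2024-03-01T09:07:00"), "10.0.0.5", "198.51.100.7", "aa:bb:cc:00:00:01", "tom", "FileTransfer", "tom uploads archive part 2"),
    Session(_ts("2024-03-01T09:12:00"), "10.0.0.9", "203.0.113.10", "aa:bb:cc:00:00:02", "alice", "WebMail", "alice reads webmail"),
    Session(_ts("2024-03-01T09:15:00"), "10.0.0.5", "203.0.113.99", "aa:bb:cc:00:00:01", "tom", "Streaming", "video stream"),
]


def recover_sessions(sessions, ip):
    """Recovery step: every session to or from one IP address."""
    return [s for s in sessions if ip in (s.src_ip, s.dst_ip)]


def source_entities(s):
    return {e for e in (s.src_ip, s.src_mac, s.user) if e}


def dest_entities(s):
    return {s.dst_ip}


def entities(s):
    """All entities linked to a session: what the pivot hotlinks would expose."""
    return source_entities(s) | dest_entities(s)


def search(sessions, keyword):
    """Keyword search over user and summary; each hit can be pivoted via entities()."""
    k = keyword.lower()
    return [s for s in sessions if k in s.user.lower() or k in s.summary.lower()]


def digital_impression(sessions, entity):
    """Peers of an entity with frequency and direction: 'out' when the entity is on
    the source side and the peer on the destination side, 'in' for the reverse,
    'with' for entities seen on the same side of the session (e.g. a user and MAC)."""
    rel = defaultdict(Counter)
    for s in sessions:
        src, dst = source_entities(s), dest_entities(s)
        if entity in src:
            for p in dst:
                rel[p]["out"] += 1
            for p in src - {entity}:
                rel[p]["with"] += 1
        elif entity in dst:
            for p in src:
                rel[p]["in"] += 1
            for p in dst - {entity}:
                rel[p]["with"] += 1
    return dict(rel)


def timeline(sessions, entity):
    """Surveyor-style view: sessions that involve the entity, in time order."""
    return sorted((s for s in sessions if entity in entities(s)), key=lambda s: s.start)


def filter_categories(sessions, exclude):
    """Content filtering: drop categories that are noise for this investigation."""
    return [s for s in sessions if s.category not in exclude]


if __name__ == "__main__":
    hits = search(SESSIONS, "tom")
    print(len(hits), "hits for 'tom'; entities linked to the first hit:", sorted(entities(hits[0])))
    for peer, counts in sorted(digital_impression(SESSIONS, "10.0.0.5").items()):
        print("10.0.0.5 <->", peer, dict(counts))
    for s in timeline(filter_categories(SESSIONS, {"WebMail", "Streaming"}), "10.0.0.5"):
        print(s.start.time(), s.src_ip, "->", s.dst_ip, s.category, "|", s.summary)
```

Running the script shows that 198.51.100.7 has two outbound and one inbound session with 10.0.0.5, that the user "tom" and one MAC address appear alongside 10.0.0.5 in four sessions, and that filtering out WebMail and Streaming leaves only the file transfers and the inbound remote session on the timeline. In a real investigation the same frequency and direction counts are what let you tell a host that was browsing from one that was being reached into.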