QRadar Investigation Assistant FAQs

Use these frequently asked questions and answers to help you understand the IBM QRadar Investigation Assistant.

What factors influence the watsonx subscription cost?

For the most basic customer, the cost depends primarily on the number of input and output tokens that are used during interactions with the QRadar Investigation Assistant. The cost also depends on whether the customer needs any of the advanced watsonx.ai features. Customers and partners are advised to refer to the watsonx.ai pricing tiers (see watsonx.ai pricing) to understand the cost implications, or to contact their IBM representative.

The following cost analysis for watsonx.ai subscription is based on the number of offense summaries generated.
Figure 1. Cost analysis for watsonx.ai
The cost analysis is based on the assumption that a SOC typically handles up to 50 offenses and addresses no more than 50 cybersecurity-related queries in a working day.

How does it benefit MSSPs?

The key functionalities of the app are available to managed security service providers (MSSPs). With support for offense summary, MSSPs can learn about attack vectors that might impact the source IP or destination IP, hostnames, and users. MSSPs can use the recommended steps for further investigation and mitigation.

Is on-premises deployment of watsonx supported?

The QRadar Investigation Assistant app officially supports only the watsonx SaaS subscription.

Are any additional modules or licenses required within QRadar SIEM?

QRadar Investigation Assistant does not require any additional modules or licenses within QRadar SIEM for full functionality. QRadar Investigation Assistant also supports the latest QRadar Community Edition.

Does it offer security insights beyond QRadar offenses?

The first version of the QRadar Investigation Assistant app officially supports only Offense Summarization as its first use case. As of today, the app does reply to some queries that are related to cybersecurity in general and associated with QRadar.

How is data encrypted and securely transmitted when using the app?

QRadar Investigation Assistant takes advantage of Transport Layer Security (TLS) encryption for securely transmitting data.

How does it differentiate from QRadar Watson Advisor (QRAW)?

QRadar Investigation Assistant uses large language models (LLMs) to generate responses to human prompts entered in natural language. QRAW does not have any chatbot or generative AI capabilities. The user experience is conversational and is therefore different from QRAW.

What additional insights does the app provide if an artifact is determined to be malicious?

If an artifact is identified as malicious, the app provides valuable insights to help security analysts investigate potential threats. Users can ask follow-up questions to gain additional context and details, allowing them to understand the implications of the malicious artifact and take informed action.

Does QRadar Investigation Assistant comply with data residency laws when you transmit offense data to an LLM over the Internet?

QRadar Investigation Assistant is designed so that the data resides only in QRadar on a customer’s premises and does not need to be mirrored on IBM Cloud. The QRadar offense API provides specific offense information to watsonx.ai for the offense summarization feature. For more information, see Keeping your data secure and compliant.