QRadar Incident Forensics

IBM® QRadar® Incident Forensics 7.4.0 introduces changes to the files that are used to install and upgrade your deployment, and a new BitTorrent inspector.

Isolated installation file for QRadar Incident Forensics

In previous releases, a single installation and upgrade file covered both QRadar Incident Forensics and QRadar Network Insights. In 7.4.0, each product ships as its own .iso file for new installations.

The upgrade process itself does not change: one .sfs file still upgrades the whole deployment. However, you must make sure that you download the .sfs file that includes QRadar Incident Forensics.

The following examples show what the file names might look like on IBM Fix Central:
  • New QRadar Incident Forensics installations:

    Rhe764forensics<build_version>.stable-<identifier>.iso

  • Upgrades to existing QRadar installations that include QRadar Incident Forensics:

    <identifier>_Forensics_patchupdate-<build_number>.sfs

    This .sfs file upgrades the entire QRadar deployment, including QRadar Incident Forensics and QRadar Network Insights.


New BitTorrent inspector

Earlier versions of QRadar relied on the application signatures file (signatures.xml) to detect the BitTorrent protocol.

In QRadar Incident Forensics 7.4.0, the new BitTorrent inspector provides summary information about each connection, including the number of messages and the session duration. The protocol metadata includes information about the peers and about the torrent file itself. You can use peer identifiers to track a BitTorrent client instance over time, or to identify when a client's IP address changes.

The protocol metadata also includes a new InfoDictionaryHash field, which uniquely identifies the torrent that is being transferred. In the BitTorrent protocol, the hash of the info dictionary (the info hash) is the SHA-1 digest of the bencoded info dictionary of the .torrent file, and it is the same value that appears in the btih parameter of a magnet link. Use this identifier in a forensics investigation to correlate sessions from different peers and to trace back to the files that were being transferred.
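The following is an added example, not code from IBM or from the QRadar product, that shows where the values described above come from: it parses a bencoded .torrent file, computes the info hash over the raw bytes of the info dictionary (the value the InfoDictionaryHash field reports), builds the matching magnet link, and splits an Azureus-style peer_id into its client code and version so that a client instance can be tracked across sessions. The torrent bytes and the peer_id are constructed for the example; the function names are my own.

```python
import hashlib
from urllib.parse import quote


def bdecode(data: bytes, pos: int = 0):
    """Decode one bencoded value starting at data[pos]; return (value, end_pos).

    Byte strings are returned as bytes, because a .torrent can carry
    non-UTF-8 names and the 'pieces' field is raw SHA-1 digests."""
    tag = data[pos:pos + 1]
    if tag == b"i":                                   # integer: i<digits>e
        end = data.index(b"e", pos)
        return int(data[pos + 1:end]), end + 1
    if tag == b"l":                                   # list: l<values>e
        items, pos = [], pos + 1
        while data[pos:pos + 1] != b"e":
            item, pos = bdecode(data, pos)
            items.append(item)
        return items, pos + 1
    if tag == b"d":                                   # dictionary: d<key><value>...e
        result, pos = {}, pos + 1
        while data[pos:pos + 1] != b"e":
            key, pos = bdecode(data, pos)
            if not isinstance(key, bytes):
                raise ValueError("bencode dictionary keys must be byte strings")
            result[key], pos = bdecode(data, pos)
        return result, pos + 1
    if tag.isdigit():                                 # byte string: <length>:<bytes>
        colon = data.index(b":", pos)
        length = int(data[pos:colon])
        start = colon + 1
        if start + length > len(data):
            raise ValueError("truncated byte string")
        return data[start:start + length], start + length
    raise ValueError(f"invalid bencode at offset {pos}")


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def info_hash(torrent: bytes) -> str:
    """SHA-1 over the raw bytes of the top-level 'info' value, exactly as stored.

    Re-encoding the decoded dictionary is not safe: a different key order or
    integer formatting would change the digest, so hash the original span."""
    if torrent[:1] != b"d":
        raise ValueError("a .torrent file is a bencoded dictionary")
    pos = 1
    while torrent[pos:pos + 1] != b"e":
        key, pos = bdecode(torrent, pos)
        start = pos
        _, pos = bdecode(torrent, pos)
        if key == b"info":
            return sha1_hex(torrent[start:pos])
    raise ValueError("no 'info' dictionary in torrent")


def magnet_link(torrent: bytes) -> str:
    """Magnet URI whose btih parameter is the same info hash."""
    meta, _ = bdecode(torrent)
    name = meta[b"info"][b"name"].decode("utf-8", "replace")
    return f"magnet:?xt=urn:btih:{info_hash(torrent)}&dn={quote(name)}"


def parse_peer_id(peer_id: bytes):
    """Azureus-style peer_id: '-' + 2-char client code + 4 version chars + '-' + 12 random bytes.

    Returns (client_code, version), or None when the id uses another convention."""
    if len(peer_id) == 20 and peer_id[0:1] == b"-" and peer_id[7:8] == b"-":
        return (peer_id[1:3].decode("ascii", "replace"),
                peer_id[3:7].decode("ascii", "replace"))
    return None


# Constructed sample (not a real torrent): a single-file torrent with a zeroed 'pieces' field.
SAMPLE_INFO = (b"d6:lengthi12345e4:name8:demo.bin12:piece lengthi16384e"
               b"6:pieces20:" + b"\x00" * 20 + b"e")
SAMPLE_TORRENT = b"d8:announce21:http://tracker.test/a4:info" + SAMPLE_INFO + b"e"

if __name__ == "__main__":
    meta, _ = bdecode(SAMPLE_TORRENT)
    print("name:", meta[b"info"][b"name"].decode())
    print("InfoDictionaryHash:", info_hash(SAMPLE_TORRENT))
    print("magnet:", magnet_link(SAMPLE_TORRENT))
    print("peer:", parse_peer_id(b"-qB4530-" + b"\x01" * 12))   # constructed peer_id
```

The hash is taken over the original byte span of the info dictionary rather than a re-encoded copy; that is the check to keep in mind when comparing an InfoDictionaryHash value from a capture with a hash computed from a .torrent file recovered from disk, because the two only agree when the bytes are identical.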


Change to search query syntax

The QRadar Incident Forensics search engine no longer accepts white space between the colon that follows a field name and the search value in field-specific searches. For example, the following queries are invalid:

  • Content: text
  • TcpPort: 80 AND IPAddress: "192.168.2.36"

These queries are valid:

  • Content:text
  • TcpPort:80 AND IPAddress:"192.168.2.36"
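Saved searches written for an earlier release may still carry the old form. The following is an added example, not code from the QRadar product, that rewrites such queries into the accepted form: it removes the white space after a field name's colon but leaves quoted values untouched, so that a quoted string such as "a: b" is not altered. It assumes that the field-name syntax is an identifier followed immediately by a colon, as in the examples above, and the function names are my own.

```python
import re

# A field reference is an identifier followed directly by a colon, e.g. "TcpPort:".
FIELD_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*:")


def normalize_query(query: str) -> str:
    """Drop white space between a field's colon and its value, outside quoted strings."""
    out = []
    i, n = 0, len(query)
    while i < n:
        ch = query[i]
        if ch == '"':
            # Copy a quoted value verbatim, honouring backslash escapes inside it.
            j = i + 1
            while j < n:
                if query[j] == "\\" and j + 1 < n:
                    j += 2
                    continue
                if query[j] == '"':
                    break
                j += 1
            out.append(query[i:j + 1])
            i = j + 1
            continue
        m = FIELD_RE.match(query, i)
        if m:
            out.append(m.group(0))
            i = m.end()
            while i < n and query[i] in " \t":      # the space that 7.4.0 rejects
                i += 1
            continue
        out.append(ch)
        i += 1
    return "".join(out)


def needs_migration(query: str) -> bool:
    """True when the query uses the old 'Field: value' spacing."""
    return normalize_query(query) != query


if __name__ == "__main__":
    # Constructed sample queries, including the two invalid forms from the release notes.
    for q in ["Content: text",
              'TcpPort: 80 AND IPAddress: "192.168.2.36"',
              'Content:"a: b"']:
        print(f"{q!r:45} -> {normalize_query(q)!r} (migrate: {needs_migration(q)})")
```

Run the script over an export of saved searches before upgrading and review any query that `needs_migration` flags; the quoted-string handling is the part worth keeping, since a naive replace of ": " with ":" would also rewrite search values that legitimately contain that sequence.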
