QRadar Incident Forensics
IBM® QRadar® Incident Forensics 7.4.0 introduces changes to the files that are used to install and upgrade your deployment, and a new BitTorrent inspector.
Isolated installation file for QRadar Incident Forensics
In previous releases, the QRadar Incident Forensics installation and upgrade files included QRadar Network Insights. In 7.4.0, each product has a separate .iso file for new installations.
The process to upgrade your deployment does not change. Only a single file is required, but you must ensure that you download the .sfs file that includes QRadar Incident Forensics.
- New QRadar Incident Forensics installations:
Rhe764forensics<build_version>.stable-<identifier>.iso
- Upgrades to existing QRadar installations that include QRadar Incident Forensics:
<identifier>_Forensics_patchupdate-<build_number>.sfs
This .sfs file upgrades the entire QRadar deployment, including QRadar Incident Forensics and QRadar Network Insights.
New BitTorrent inspector
Earlier versions of QRadar relied on the application signatures file (signatures.xml) to detect the BitTorrent protocol.
In QRadar Incident Forensics, the new BitTorrent inspector provides summary information about the connection, including the number of messages and the session duration. The protocol metadata includes information about the peers and the actual torrent file. You can use peer identifiers to track a BitTorrent client instance over time, or to identify when an IP address changes.
The protocol metadata also includes a new InfoDictionaryHash field that serves as a unique identifier for the torrent that is being transferred. Use this identifier in a forensics investigation to trace back and show the files that were being transferred.
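An added example, not part of the QRadar documentation, that shows how an investigator can cross-check an InfoDictionaryHash value against a .torrent file recovered from an endpoint. It assumes the field is the standard BitTorrent info hash, that is, the SHA-1 over the exact bencoded bytes of the metainfo's info dictionary; the sample metainfo and tracker URL below are constructed for the demonstration.

```python
import hashlib

# Constructed sample metainfo (not a real torrent): one file, a single
# zeroed 20-byte piece hash, and a placeholder tracker URL.
SAMPLE_TORRENT = (
    b"d8:announce28:http://tracker.test/announce"
    b"4:infod6:lengthi1024e4:name8:demo.bin12:piece lengthi16384e"
    b"6:pieces20:" + b"\x00" * 20 + b"ee"
)


def _decode(buf: bytes, i: int):
    """Decode one bencoded value at offset i; return (value, end_offset)."""
    c = buf[i:i + 1]
    if c == b"i":                                  # integer: i<digits>e
        end = buf.index(b"e", i)
        return int(buf[i + 1:end]), end + 1
    if c == b"l":                                  # list: l<values>e
        items, i = [], i + 1
        while buf[i:i + 1] != b"e":
            v, i = _decode(buf, i)
            items.append(v)
        return items, i + 1
    if c == b"d":                                  # dict: d<key><value>...e
        d, i = {}, i + 1
        while buf[i:i + 1] != b"e":
            k, i = _decode(buf, i)
            d[k], i = _decode(buf, i)
        return d, i + 1
    if c.isdigit():                                # string: <len>:<bytes>
        colon = buf.index(b":", i)
        n = int(buf[i:colon])
        return buf[colon + 1:colon + 1 + n], colon + 1 + n
    raise ValueError(f"malformed bencode at offset {i}")


def info_hash(torrent: bytes) -> str:
    """Hex SHA-1 over the raw bencoded bytes of the top-level 'info' dict.
    Hashing the original span, not a re-encoding, is what keeps it stable."""
    if torrent[:1] != b"d":
        raise ValueError("metainfo must be a bencoded dictionary")
    i = 1
    while torrent[i:i + 1] != b"e":
        key, i = _decode(torrent, i)
        start = i
        _, i = _decode(torrent, i)                 # walk past the value to find its end
        if key == b"info":
            return hashlib.sha1(torrent[start:i]).hexdigest()
    raise ValueError("no 'info' dictionary in metainfo")
```

Because only the info dictionary is hashed, two metainfo files that differ only in tracker URLs or comments yield the same identifier, which is why it can be matched across sessions and clients.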
Change to search query syntax
The QRadar Incident Forensics search engine no longer supports spaces between the field name and the value in field-specific searches. For example, the following queries are invalid:
Content: text
TcpPort: 80 AND IPAddress: "192.168.2.36"
Remove the space after the colon to write the valid equivalents:
Content:text
TcpPort:80 AND IPAddress:"192.168.2.36"