QRadar Incident Forensics

IBM® QRadar® Incident Forensics 7.4.3 introduces new Kerberos and BitTorrent inspectors.

New Kerberos inspector

QRadar Incident Forensics 7.4.3 includes a new Kerberos inspector that you can use to parse Kerberos traffic that is sent to trusted third-party authentication providers. The new inspector makes it easier to identify the user or device that requested the access, and the service for which access was requested.

When the flow application is Kerberos, you can use the following new flow fields to identify more information about the network traffic:

Kerberos Realm
    Shows the Active Directory domain.
Kerberos Client Principal Name
    Shows the user or device that requested the access.
Kerberos Server Principal Name
    Shows the service for which access was requested.
Kerberos Presented Ticket Hash
    Shows the hash of the ticket that was provided when access to the resource was requested.
Kerberos Issued Ticket Hash
    Shows the hash of the ticket that was issued to allow access to the resource.
Kerberos Cipher Suite
    Shows the set of ciphers that were used to encrypt the ticket.

The existing HTTP and SMB inspectors were also updated to parse the data when Kerberos is used for authentication.

In QRadar Incident Forensics, the protocol metadata also includes an additional field, Kerberos Ticket SHA1 Hash, that combines the presented and the issued ticket hashes. Because a ticket issued in one exchange is presented in the next, you can use this field to find all of the Kerberos traffic that is involved in a single session.
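The following added example (not QRadar code) shows how an analyst could use the ticket-hash fields to chain flows into sessions, in the way the combined Kerberos Ticket SHA1 Hash field is intended to be used: the ticket issued by the AS exchange is presented to the TGS, and the service ticket issued there is presented in the HTTP or SMB flow. The flow records, field names, principal names and hash values are all constructed for the example (the hashes are placeholders, not real SHA1 digests), and the weak-cipher check uses the encryption type names from RFCs 6649 and 8429.

```python
"""Chain Kerberos flow records into sessions by ticket hash.

Added example; not QRadar code. Field names are modelled on the inspector's
flow fields described above; all records and values are constructed.
"""
from collections import defaultdict

# Constructed sample flows. Flow 1 is the AS exchange (issues a TGT), flow 2 is
# the TGS exchange (presents the TGT, issues a service ticket), flow 3 is the
# SMB session that presents the service ticket. Flow 4 is an unrelated AS
# exchange from a workstation account. Hash values are placeholders.
FLOWS = [
    {"id": 1, "app": "Kerberos", "realm": "EXAMPLE.LOCAL",
     "client": "alice@EXAMPLE.LOCAL", "server": "krbtgt/EXAMPLE.LOCAL",
     "presented": None, "issued": "aaaa1111", "etype": "aes256-cts-hmac-sha1-96"},
    {"id": 2, "app": "Kerberos", "realm": "EXAMPLE.LOCAL",
     "client": "alice@EXAMPLE.LOCAL", "server": "cifs/fs01.example.local",
     "presented": "aaaa1111", "issued": "bbbb2222", "etype": "rc4-hmac"},
    {"id": 3, "app": "SMB", "realm": "EXAMPLE.LOCAL",
     "client": "alice@EXAMPLE.LOCAL", "server": "cifs/fs01.example.local",
     "presented": "bbbb2222", "issued": None, "etype": "rc4-hmac"},
    {"id": 4, "app": "Kerberos", "realm": "EXAMPLE.LOCAL",
     "client": "ws07$@EXAMPLE.LOCAL", "server": "krbtgt/EXAMPLE.LOCAL",
     "presented": None, "issued": "cccc3333", "etype": "aes256-cts-hmac-sha1-96"},
]

# Encryption types deprecated by RFC 6649 (DES) and RFC 8429 (3DES, RC4).
WEAK_ETYPES = {"des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1", "rc4-hmac", "rc4-hmac-exp"}


def ticket_hashes(flow):
    """Hashes present in a flow: the union of presented and issued, which is
    what the combined Kerberos Ticket SHA1 Hash field carries."""
    return {h for h in (flow.get("presented"), flow.get("issued")) if h}


def group_sessions(flows):
    """Union-find over ticket hashes: flows that share a hash join one session.
    Returns a sorted list of sorted flow-id lists."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    for f in flows:
        hs = list(ticket_hashes(f))
        for h in hs[1:]:
            union(hs[0], h)   # presented and issued hash belong to one session
    sessions = defaultdict(list)
    for f in flows:
        hs = ticket_hashes(f)
        key = find(next(iter(hs))) if hs else ("noticket", f["id"])
        sessions[key].append(f["id"])
    return sorted(sorted(ids) for ids in sessions.values())


def session_report(flows):
    """Per session: the requesting principals, the services accessed (krbtgt
    legs excluded) and any deprecated cipher used on a leg."""
    by_id = {f["id"]: f for f in flows}
    report = []
    for ids in group_sessions(flows):
        legs = [by_id[i] for i in ids]
        report.append({
            "flows": ids,
            "clients": sorted({f["client"] for f in legs}),
            "services": sorted({f["server"] for f in legs
                                if not f["server"].startswith("krbtgt/")}),
            "weak_ciphers": sorted({f["etype"] for f in legs
                                    if f["etype"] in WEAK_ETYPES}),
        })
    return report


if __name__ == "__main__":
    for s in session_report(FLOWS):
        print(s)
```

Grouping by hash rather than by client principal or source address is what makes the chain survive a ticket that was obtained on one host and used from another; the weak-cipher column is the field an analyst would pivot on when the Kerberos Cipher Suite value on a service-ticket leg is RC4 while the realm otherwise uses AES.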


New TFTP inspector

QRadar Incident Forensics 7.4.3 introduces a new inspector for Trivial File Transfer Protocol (TFTP) network traffic. The TFTP inspector introduces the following new flow fields to show information about the file transfer:

TFTP Status
    Shows whether the TFTP client issued a read or write command.
TFTP Mode
    Shows whether the file was transferred in ASCII or binary mode.
TFTP Requested Options
    Shows the options that were negotiated before the file transfer, including the block size, timeout interval, and file transfer size.

In QRadar Incident Forensics, the protocol metadata also includes additional information about the client and server ports, and error code information.
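To make concrete what the inspector extracts, here is an added example (not QRadar code) that parses the TFTP packet formats of RFC 1350 and RFC 2347 and reduces one transfer to the same kind of summary as the flow fields above: read or write, ASCII or binary mode, requested and acknowledged options, and the error code if the server refused the request. The sample packets are constructed inline; the `summarize_transfer` helper and its field names are this example's own.

```python
"""Parse TFTP packets (RFC 1350, RFC 2347 options) and summarize a transfer.

Added example; not QRadar code. Sample packets are constructed below.
"""
import struct

OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR", 6: "OACK"}
ERROR_CODES = {
    0: "Not defined", 1: "File not found", 2: "Access violation",
    3: "Disk full or allocation exceeded", 4: "Illegal TFTP operation",
    5: "Unknown transfer ID", 6: "File already exists", 7: "No such user",
    8: "Option negotiation failed",  # RFC 2347
}
MODES = {"netascii": "ASCII", "octet": "binary", "mail": "mail"}


def _cstrings(payload):
    """Split a run of NUL-terminated strings; reject an unterminated tail."""
    if not payload.endswith(b"\x00"):
        raise ValueError("unterminated string in TFTP packet")
    return [s.decode("ascii", "replace") for s in payload[:-1].split(b"\x00")]


def _options(fields):
    """Option names are case-insensitive (RFC 2347); pair names with values."""
    if len(fields) % 2:
        raise ValueError("TFTP option without a value")
    return {k.lower(): v for k, v in zip(fields[0::2], fields[1::2])}


def parse_tftp(pkt):
    """Decode one TFTP packet into a dict keyed by packet type."""
    if len(pkt) < 2:
        raise ValueError("packet too short")
    (opcode,) = struct.unpack("!H", pkt[:2])
    kind = OPCODES.get(opcode)
    if kind in ("RRQ", "WRQ"):
        fields = _cstrings(pkt[2:])
        if len(fields) < 2:
            raise ValueError("request lacks filename or mode")
        mode = fields[1].lower()
        if mode not in MODES:
            raise ValueError(f"unknown transfer mode {fields[1]!r}")
        return {"type": kind, "status": "read" if kind == "RRQ" else "write",
                "filename": fields[0], "mode": MODES[mode],
                "options": _options(fields[2:])}
    if kind == "OACK":
        return {"type": kind, "options": _options(_cstrings(pkt[2:]))}
    if kind in ("DATA", "ACK"):
        if len(pkt) < 4:
            raise ValueError("missing block number")
        (block,) = struct.unpack("!H", pkt[2:4])
        return {"type": kind, "block": block, "data": pkt[4:] if kind == "DATA" else b""}
    if kind == "ERROR":
        if len(pkt) < 4:
            raise ValueError("missing error code")
        (code,) = struct.unpack("!H", pkt[2:4])
        message = _cstrings(pkt[4:])[0] if len(pkt) > 4 else ""
        return {"type": kind, "error_code": code,
                "error_name": ERROR_CODES.get(code, "Unknown"), "message": message}
    raise ValueError(f"unknown opcode {opcode}")


def summarize_transfer(packets):
    """Walk one transfer's packets in order and produce a per-flow summary."""
    summary = {"status": None, "mode": None, "requested_options": {},
               "accepted_options": {}, "bytes": 0, "error": None}
    for pkt in packets:
        p = parse_tftp(pkt)
        if p["type"] in ("RRQ", "WRQ"):
            summary.update(status=p["status"], mode=p["mode"],
                           requested_options=p["options"])
        elif p["type"] == "OACK":
            summary["accepted_options"] = p["options"]
        elif p["type"] == "DATA":
            summary["bytes"] += len(p["data"])
        elif p["type"] == "ERROR":
            summary["error"] = (p["error_code"], p["message"])
    return summary


# Constructed sample transfers.
# 1) A read of a firmware image in octet mode with blksize/timeout/tsize
#    requested; the server acknowledges only blksize and tsize.
READ_TRANSFER = [
    b"\x00\x01firmware.bin\x00octet\x00blksize\x001024\x00timeout\x005\x00tsize\x000\x00",
    b"\x00\x06blksize\x001024\x00tsize\x0065536\x00",
    b"\x00\x03\x00\x01" + b"\x7fELF\x01\x01",   # DATA block 1, 6 bytes
    b"\x00\x04\x00\x01",                         # ACK block 1
]
# 2) A write in netascii mode that the server refuses.
DENIED_WRITE = [
    b"\x00\x02upload.txt\x00netascii\x00",
    b"\x00\x05\x00\x02Access violation\x00",
]

if __name__ == "__main__":
    print(summarize_transfer(READ_TRANSFER))
    print(summarize_transfer(DENIED_WRITE))
```

The summary keeps the requested and acknowledged option sets apart on purpose: a client that asks for a large `blksize` or a `tsize` of 0 on a read is ordinary, but the server's OACK is what actually governs the transfer, and the error tuple is where a denied write or a missing file shows up.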
