QRadar Incident Forensics
IBM® QRadar® Incident Forensics 7.4.3 introduces new Kerberos and BitTorrent inspectors.
New Kerberos inspector
QRadar Incident Forensics 7.4.3 includes a new Kerberos inspector that you can use to parse Kerberos traffic that is sent to trusted third-party authentication providers. The new inspector makes it easier to identify the user or device that requested the access, and the service for which access was requested.
- Kerberos Realm: Shows the Active Directory domain.
- Kerberos Client Principal Name: Shows the user or device that requested the access.
- Kerberos Server Principal Name: Shows the service for which access was requested.
- Kerberos Presented Ticket Hash: Shows the hash of the ticket that was provided when access to the resource was requested.
- Kerberos Issued Ticket Hash: Shows the hash of the ticket that was issued to allow access to the resource.
- Kerberos Cipher Suite: Shows the set of ciphers that were used to encrypt the ticket.
The existing HTTP and SMB inspectors were also updated to parse the data when Kerberos is used for authentication.
In QRadar Incident Forensics, the protocol metadata also includes an additional field, Kerberos Ticket SHA1 Hash, that includes both the presented and the issued ticket hash together. You can use this field to find all of the Kerberos traffic that is involved in a single session.
New TFTP inspector
- TFTP Status: Shows whether the TFTP client issued a read or write command.
- TFTP Mode: Shows whether the file was transferred in ASCII or binary mode.
- TFTP Requested Options: Shows the options that were negotiated before the file transfer, including the block size, timeout interval, and file transfer size.
In QRadar Incident Forensics, the protocol metadata also includes additional information about the client and server ports, and about error codes.
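To show what the TFTP fields above are recovered from on the wire, here is an added example (not IBM's inspector code) that parses the UDP payload of a TFTP packet per RFC 1350 and the RFC 2347 option extension into the same kind of metadata: read/write status, ASCII/binary mode, negotiated options and error code. The packets at the bottom are constructed samples, not captured traffic.

```python
import struct

# TFTP opcodes (RFC 1350, OACK from RFC 2347) and the standard error codes.
OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR", 6: "OACK"}
ERROR_CODES = {0: "Not defined", 1: "File not found", 2: "Access violation",
               3: "Disk full", 4: "Illegal operation", 5: "Unknown transfer ID",
               6: "File already exists", 7: "No such user", 8: "Option refused"}
# Wire mode names mapped to the ASCII/binary wording the inspector reports.
MODES = {"netascii": "ascii", "octet": "binary", "mail": "mail"}


def _cstrings(payload):
    """Split a run of NUL-terminated strings; reject a trailing unterminated one."""
    if payload and not payload.endswith(b"\x00"):
        raise ValueError("unterminated string in TFTP packet")
    return [p.decode("ascii", errors="replace") for p in payload.split(b"\x00")[:-1]]


def parse_tftp(packet):
    """Return inspector-style metadata for one TFTP packet (the UDP payload only)."""
    if len(packet) < 2:
        raise ValueError("packet too short for an opcode")
    opcode = struct.unpack("!H", packet[:2])[0]
    body = packet[2:]
    meta = {"opcode": OPCODES.get(opcode, "UNKNOWN")}
    if opcode in (1, 2):  # RRQ / WRQ: filename, mode, then option/value pairs
        fields = _cstrings(body)
        if len(fields) < 2 or len(fields) % 2:
            raise ValueError("request must be filename, mode and option/value pairs")
        meta["status"] = "read" if opcode == 1 else "write"
        meta["filename"] = fields[0]
        meta["mode"] = MODES.get(fields[1].lower(), fields[1].lower())
        meta["options"] = dict(zip(fields[2::2], fields[3::2]))
    elif opcode == 6:  # OACK: the options the server actually accepted
        fields = _cstrings(body)
        if len(fields) % 2:
            raise ValueError("OACK must contain option/value pairs")
        meta["options"] = dict(zip(fields[0::2], fields[1::2]))
    elif opcode == 5:  # ERROR: 16-bit code followed by a NUL-terminated message
        if len(body) < 2:
            raise ValueError("ERROR packet missing error code")
        code = struct.unpack("!H", body[:2])[0]
        msg = _cstrings(body[2:])
        meta.update(error_code=code, error_name=ERROR_CODES.get(code, "Unknown"),
                    error_message=msg[0] if msg else "")
    elif opcode in (3, 4):  # DATA / ACK: 16-bit block number (DATA carries payload after it)
        if len(body) < 2:
            raise ValueError("DATA/ACK packet missing block number")
        meta["block"] = struct.unpack("!H", body[:2])[0]
    return meta


# Constructed sample packets: a read request with options, and a server error reply.
SAMPLE_RRQ = b"\x00\x01boot.cfg\x00octet\x00blksize\x001428\x00timeout\x005\x00tsize\x000\x00"
SAMPLE_ERROR = b"\x00\x05\x00\x01File not found\x00"
```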