QRadar Incident Forensics distributed deployments

A distributed deployment of QRadar® Incident Forensics includes a QRadar Console and one or more QRadar Incident Forensics managed hosts. This type of deployment provides event and log management, anomaly detection, risk management, and vulnerability management, and it also lets you distribute the workload of forensics recoveries across the managed hosts.
In a distributed deployment, there are three appliances:
  • QRadar Console
  • QRadar Incident Forensics managed host (Forensics processor)
  • QRadar Network Packet Capture (optional)

Software versions for all IBM® QRadar appliances in a deployment must be the same version and fix level. Deployments that use different versions of software are not supported.
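Because mixed versions are unsupported, a practitioner will want a quick consistency check before attaching managed hosts. The following POSIX shell function is an added example, not part of the IBM documentation: it takes an inventory of "hostname version" lines (the first line being the Console), reports every appliance whose version and fix level differ from the Console's, and returns non-zero on any mismatch. The inventory lines and version strings below are constructed; how you collect the real values from each appliance is an assumption left to your environment, and the version string is assumed to contain no spaces.

```shell
#!/bin/sh
# Added example (not IBM's code): check that every appliance in a QRadar
# deployment reports the same version and fix level as the Console.

# check_versions INVENTORY
#   INVENTORY: text with one "hostname version" pair per line; the first
#   line is the QRadar Console and serves as the reference.
#   Prints each mismatching host and returns 1 if any differ, else 0.
check_versions() {
    inventory="$1"
    # awk remembers the Console's version (line 1) and prints any later
    # host whose second field (version + fix level) does not match it.
    mismatches=$(printf '%s\n' "$inventory" | awk '
        NR == 1 { ref = $2; next }
        $2 != ref { print $1 " reports " $2 " (Console has " ref ")" }
    ')
    if [ -n "$mismatches" ]; then
        printf '%s\n' "$mismatches"
        return 1
    fi
    return 0
}

# Constructed sample inventories (hostnames and version strings are made up).
GOOD_INVENTORY="qradar-console 7.5.0.20230301
forensics-01 7.5.0.20230301
forensics-02 7.5.0.20230301"

BAD_INVENTORY="qradar-console 7.5.0.20230301
forensics-01 7.5.0.20230301
forensics-02 7.5.0.20230115"

# Usage: a mismatch is reported and the deployment step should stop.
check_versions "$GOOD_INVENTORY" && echo "all appliances match the Console"
check_versions "$BAD_INVENTORY" || echo "version mismatch: align fix levels before attaching hosts"
```

Run the check from any host that can reach the appliances, feeding it whatever inventory you already maintain; a non-zero exit is the signal to patch the lagging host before continuing the deployment.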

The following diagram shows that you can attach multiple QRadar Incident Forensics managed hosts to the QRadar Console. You can attach QRadar Network Packet Capture devices to the QRadar Incident Forensics managed hosts (QRadar Incident Forensics Processor).
Figure 1. Distributed deployment example: multiple capture devices are attached to multiple QRadar Incident Forensics managed hosts.

Distributed installations

New software installations that integrate QRadar Incident Forensics with IBM QRadar require installation components from at least two ISO files. Each installation requires an activation key, which determines the appliance type that is installed.

The following table shows which ISO file to use to install each of the components in a QRadar Incident Forensics distributed deployment.
Table 1. Components of a QRadar Incident Forensics distributed deployment

ISO file: QRadar ISO
Installed component: Choose appliance type 3199 to install the QRadar Console. This ISO image is also used to install every QRadar product except QRadar Incident Forensics and IBM QRadar Network Insights; the activation key determines the type of appliance that is installed.

ISO file: QRadar Incident Forensics ISO
Installed component: Choose appliance type 6000 to install the QRadar Incident Forensics Processor. You cannot attach QRadar Incident Forensics Standalone (appliance type 6100) to a QRadar Console.