QRadar Incident Forensics installation overview

The security capabilities that are available to you in IBM® QRadar® Incident Forensics depend on the type of installation that you have.

For example, in a stand-alone deployment, a single QRadar Incident Forensics Standalone (6100) appliance provides only network forensics capabilities.

In a distributed deployment, a QRadar Incident Forensics Processor (6000) appliance is connected to a QRadar Console (3199) as a managed host, which provides more security capabilities than a stand-alone deployment.

You can also install QRadar Incident Forensics software on your own appliance or on a virtual appliance. QRadar Incident Forensics must be installed on a Red Hat® Enterprise Linux® operating system.

The following diagram summarizes the multiple security capabilities and architectural framework of the IBM QRadar Security Intelligence Platform.
Figure 1. QRadar security intelligence architectural overview
Image shows structured and unstructured data going into IBM QRadar, passing through the architectural framework components, and the different types of assessments that can be run on the data.

For most installations, you install the QRadar Console, at least one QRadar Incident Forensics Processor, and one or more QRadar Network Packet Capture appliances.