Decrypting SSL and TLS traffic in QRadar Incident Forensics

To find hidden threats, it might be necessary to decrypt SSL and TLS traffic that is processed by IBM QRadar.

For IBM QRadar Incident Forensics deployments that include IBM QRadar Network Packet Capture, it is recommended that you use a dedicated man-in-the-middle solution where the clear text output is fed into QRadar.

For deployments that do not include QRadar Network Packet Capture, or if you do not want to deploy a man-in-the-middle solution, limited decryption capabilities are available within QRadar if the required keys are available. You will experience performance degradation if you enable the decryption capability.

Decryption is supported for the following protocols:
  • SSL v3
  • TLS v1.0
  • TLS v1.1
  • TLS v1.2
Restriction:
The following restrictions apply:
  • Traffic cannot be decrypted if SSL or TLS compression is in use.
  • The Diffie-Hellman key exchange mechanism is not supported when encrypted traffic is decrypted through a private key. When you use a private key, other key exchange methods, such as RSA, are supported. This restriction does not apply when traffic is decrypted with information that is found in a key log.
  • In FIPS mode, OpenSSL supports a limited list of ciphers that can be decrypted. Run the openssl ciphers command to view a full list of ciphers available in FIPS mode. Not all the listed ciphers are supported for decryption.
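The following is an added example, not code from QRadar or IBM, that applies the restrictions above to a set of constructed TLS sessions: it parses a key log, then reports for each session whether the key log or a server private key could decrypt it. It assumes the key log is in the NSS SSLKEYLOGFILE format (`CLIENT_RANDOM <client random hex> <master secret hex>`) and that cipher suites are named in OpenSSL style; both are assumptions, as are the sample sessions and key log entries.

```python
import re

# Constructed sample key log in NSS SSLKEYLOGFILE format (an assumption about the
# key log format that is read). Comments and malformed lines are skipped.
KEYLOG_TEXT = "\n".join([
    "# constructed sample; comments and malformed lines are skipped",
    "CLIENT_RANDOM " + "aa" * 32 + " " + "11" * 48,
    "CLIENT_RANDOM deadbeef tooshort",
])

# Constructed ServerHello summaries: 32-byte client random, OpenSSL cipher name,
# and whether TLS compression was negotiated.
SESSIONS = [
    {"client_random": "aa" * 32, "cipher": "ECDHE-RSA-AES128-GCM-SHA256"},
    {"client_random": "bb" * 32, "cipher": "ECDHE-RSA-AES128-GCM-SHA256"},
    {"client_random": "cc" * 32, "cipher": "AES256-SHA"},
    {"client_random": "dd" * 32, "cipher": "AES256-SHA", "compression": True},
]

KEYLOG_LINE = re.compile(r"^CLIENT_RANDOM ([0-9a-fA-F]{64}) ([0-9a-fA-F]{96})$")

def parse_keylog(text):
    """Return {client_random: master_secret} for every well-formed key log line."""
    secrets = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYLOG_LINE.match(line)
        if m:
            secrets[m.group(1).lower()] = m.group(2).lower()
    return secrets

def uses_dh(cipher):
    """OpenSSL names lead with the key exchange: DHE-, ECDHE-, DH-, ECDH-, ADH-, AECDH-.
    In ECDHE-RSA the RSA key only signs the handshake, so the server private key
    cannot recover the premaster secret; a plain RSA suite such as AES256-SHA can."""
    return cipher.split("-")[0] in {"DHE", "ECDHE", "DH", "ECDH", "ADH", "AECDH"}

def decryptable(session, keylog, have_private_key):
    """Apply the restrictions: compression blocks decryption, a key log entry works
    for any key exchange, a private key works only for non-DH key exchange."""
    if session.get("compression"):
        return "no: TLS compression in use"
    if session["client_random"].lower() in keylog:
        return "yes: key log"
    if uses_dh(session["cipher"]):
        return "no: DH key exchange needs a key log entry"
    if have_private_key:
        return "yes: private key"
    return "no: no key material"

KEYLOG = parse_keylog(KEYLOG_TEXT)
```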