Administration workflow and user access to forensics capabilities

After IBM QRadar Incident Forensics is installed and configured, an administrator can troubleshoot, maintain, and monitor the system and its operations and manage user access to cases.

You must have administrative privileges to see the administration tools for QRadar Incident Forensics.

Example: Administration workflow

The following diagram shows a sample workflow for QRadar Incident Forensics administration.
  1. Use Server Management to filter web categories and traffic that you do not want to monitor.
  2. Use Forensics User Permissions to assign cases to investigators.
  3. Use Case Management to create and delete cases and import external content into the system.
  4. Use Scheduled Actions to schedule maintenance, such as deleting old documents, tuning the database, and resetting the QRadar Incident Forensics server.
Tools that are used to administer the product: Server Management, Forensics User Permissions, Case Management, and Scheduled Actions.

User roles

To add user accounts, you must first create security profiles to meet the specific access requirements of your users. For more information about configuring security profiles, see the IBM QRadar Administration Guide.

In the User Roles tool on the Admin tab of QRadar, you can assign the following user roles:
Admin
Users can view and access all cases that are assigned to users and all incidents, and are automatically given full access to QRadar Incident Forensics.
Forensics
Users can see and access the Forensics tab, but cannot create cases.
Create cases in Incident Forensics
Users can automatically create forensics cases.