Investigation Assistant FAQs
Use these frequently asked questions and answers to help you understand the QRadar Investigation Assistant.
- What factors influence the watsonx subscription cost?
- How does it benefit MSSPs?
- Is on-premises deployment of watsonx supported?
- Are any additional modules or licenses required within QRadar SIEM?
- Does it offer security insights beyond QRadar offenses?
- How is data encrypted and securely transmitted when using the app?
- How does it differentiate from QRadar Watson Advisor (QRAW)?
- What additional insights does the app provide if an artifact is determined to be malicious?
- Does Investigation Assistant comply with data residency laws when you transmit offense data to an LLM over the Internet?
- What offense data is being sent to watsonx.ai?
- Is data transmitted to watsonx.ai automatically, or only upon user initiation?
- Is the data used to train watsonx models?
What factors influence the watsonx subscription cost?
For the most basic customer, the cost depends primarily on the number of input and output tokens that are used during interactions with the Investigation Assistant. The cost also depends on whether the customer needs any of the advanced watsonx.ai features. Customers and partners are advised to refer to the watsonx.ai pricing tiers to understand the cost implications, or to contact their IBM representative.
How does it benefit MSSPs?
The key functionalities of the app are available to managed security service providers (MSSPs). With support for offense summary, MSSPs can learn about attack vectors, which might impact the source IP or destination IP, hostnames, and users. MSSPs can use the recommended steps for further investigation and mitigation.
Is on-premises deployment of watsonx supported?
The Investigation Assistant app officially supports only the watsonx SaaS subscription.
Are any additional modules or licenses required within QRadar SIEM?
Investigation Assistant does not require any additional modules or licenses within QRadar SIEM for full functionality. Investigation Assistant also supports the latest QRadar Community Edition.
Does it offer security insights beyond QRadar offenses?
The first version of the Investigation Assistant app officially supports only Offense Summarization as its first use case. As of today, the app also replies to some queries that are related to cybersecurity in general and associated with QRadar.
How is data encrypted and securely transmitted when using the app?
Investigation Assistant takes advantage of Transport Layer Security (TLS) encryption for securely transmitting data.
How does it differentiate from QRadar Watson Advisor (QRAW)?
Investigation Assistant uses large language models (LLMs) to generate responses to human prompts entered in natural language. QRAW does not have any chatbot or generative AI capabilities. The user experience is conversational and is therefore different from QRAW.
What additional insights does the app provide if an artifact is determined to be malicious?
If an artifact is identified as malicious, the app provides valuable insights to help security analysts investigate potential threats. Users can ask follow-up questions to gain additional context and details, allowing them to understand the implications of the malicious artifact and take informed action.
Does Investigation Assistant comply with data residency laws when you transmit offense data to an LLM over the Internet?
Investigation Assistant is designed so that the data resides only in QRadar on the customer's premises and does not need to be mirrored on IBM Cloud. The QRadar offense API provides specific offense information to watsonx.ai through the API for the offense summarization feature. For more information, see Keeping your data secure and compliant.
What offense data is being sent to watsonx.ai?
watsonx receives offense data from the QRadar Offense API endpoint: GET /siem/offenses/{offense_id}. This includes offense summary details such as ID, description, magnitude, source and destination IPs, and rule information.
Is data transmitted to watsonx.ai automatically, or only upon user initiation?
Data is transmitted only when it is initiated by the user. For example, data is transmitted when a user clicks the watsonx summary in the Offense window or interacts with the AI-powered chatbot. No data is sent automatically or in the background without user action.
Is the data used to train watsonx models?
No, watsonx does not use customer data for training foundation models. This ensures that sensitive or proprietary information remains private and is not used to improve or retrain the underlying AI models. For more details, refer to IBM documentation on Security and privacy for foundation models.