Enabling users to FTP pcap files and documents from external systems to forensics cases

To upload external data to include in specific cases, administrators can grant secure FTP permissions to users and manage the case to which the data is associated. Users can choose which IBM QRadar Incident Forensics host processes the FTP request.

To change a password after FTP access is enabled, you must disable FTP access and save the user, and then re-enable FTP access and enter the new password.

Before you begin

Ensure that you create or assign roles for forensics investigators in the User Roles tool on the Admin tab.

By default, the /etc/vsftpd/vsftpd.conf file opens five ports for passive-mode data connections: 55100-55104. To change the range, edit the /etc/vsftpd/vsftpd.conf file and set the pasv_min_port and pasv_max_port values to the range of ports that you want. You must then deploy the configuration change by clicking Deploy Changes on the Admin tab.

Note: FTP clients must support TLS v1.2, which the vsftpd.conf file requires. The following list gives the minimum FTP client versions that are supported:
  • WinSCP 5.7
  • FileZilla 3.9.0.6

About this task

IBM QRadar Incident Forensics can import data from any accessible directory on the network. The data can be in a number of formats, including but not limited to the following:
  • Standard PCAP format files from external sources
  • Documents such as text files, PDF files, spreadsheets, and presentations
  • Image files
  • Streaming data from applications
  • Streaming data from external PCAP sources

Users can upload multiple files to a case and an administrator can grant multiple users access to the case.

Restriction: The case name must be unique. A single user is associated with a case. Therefore, two users cannot create a case that has the same name.

Procedure

  1. On the Admin tab, click Forensics User Permissions.
  2. From the Users list, select a user.
  3. In the Edit User pane, select the Enable FTP access check box.
  4. Enter and confirm the FTP password for the user.
  5. To save changes to the permissions, click Save User.
  6. To restart the FTP server (vsftpd, the daemon that the /etc/vsftpd/vsftpd.conf file configures), type the following command:

    systemctl restart vsftpd

  7. To restart the server that moves the files from the upload area to the QRadar Incident Forensics directory, type the following command:

    systemctl restart ftpmonitor

  8. In the FTP client, do the following steps:
    1. Ensure that Transport Layer Security (TLS) is selected as the protocol.
    2. Add the IP address of the QRadar Incident Forensics host.
    3. Create a logon that uses the QRadar Incident Forensics user name and the FTP password that was set in step 4.
  9. Connect to the QRadar Incident Forensics server and create a new directory. The new directory that you create is used as the case name.
  10. To FTP and store pcap files, create a directory that is named <case_name_from_step_9>/singles and drag the pcap files to that directory.
  11. To FTP and store file types that are not pcap files, create a directory that is named <case_name_from_step_9>/import and drag the files to that directory.
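The following script is an added example, not code from IBM or the QRadar Incident Forensics product, of what an FTP client that follows steps 8 to 11 does: it reads the passive-mode port range from vsftpd.conf text so that a firewall can be checked against it, maps each local file to <case_name>/singles or <case_name>/import by file type, and uploads over explicit FTPS with TLS 1.2 as the minimum. The host name, user, password, CA bundle path, and the set of suffixes treated as pcap files are assumptions.

```python
import re
import ssl
from ftplib import FTP_TLS, error_perm
from pathlib import Path, PurePosixPath

PCAP_SUFFIXES = {".pcap", ".pcapng", ".cap"}   # assumption: suffixes treated as pcap files

def pasv_port_range(conf_text):
    """Return (min, max) passive-mode data ports from vsftpd.conf text; a firewall
    in front of the host must allow this range in addition to port 21."""
    ports = {}
    for line in conf_text.splitlines():
        m = re.match(r"\s*(pasv_min_port|pasv_max_port)\s*=\s*(\d+)\s*$", line)
        if m:
            ports[m.group(1)] = int(m.group(2))
    lo, hi = ports["pasv_min_port"], ports["pasv_max_port"]
    if lo > hi:
        raise ValueError("pasv_min_port must not exceed pasv_max_port")
    return lo, hi

def case_target_path(case_name, local_file):
    """Remote path for a file: pcaps go to <case>/singles, other files to <case>/import."""
    if not case_name or "/" in case_name:
        raise ValueError("case name must be one non-empty directory name")
    name = Path(local_file).name
    sub = "singles" if Path(name).suffix.lower() in PCAP_SUFFIXES else "import"
    return str(PurePosixPath(case_name) / sub / name)

def tls12_context(cafile=None):
    """Client context that refuses anything older than TLS 1.2 (the server's minimum).
    cafile: PEM bundle that trusts the host's FTPS certificate (assumed to be available)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def upload_to_case(host, user, password, case_name, local_files, cafile=None):
    """Upload files over explicit FTPS (AUTH TLS); creating <case_name> creates the case."""
    with FTP_TLS(context=tls12_context(cafile)) as ftp:
        ftp.connect(host, 21)
        ftp.auth()        # encrypt the control channel before the password is sent
        ftp.login(user, password)
        ftp.prot_p()      # encrypt data transfers too; passive mode is ftplib's default
        for local in local_files:
            remote = case_target_path(case_name, local)
            for d in (case_name, str(PurePosixPath(remote).parent)):
                try:
                    ftp.mkd(d)
                except error_perm:
                    pass  # 550: directory already exists
            with open(local, "rb") as fh:
                ftp.storbinary(f"STOR {remote}", fh)
```

Call upload_to_case("qrif-host.example", "analyst", "ftp-password", "case-42", ["capture.pcap", "report.pdf"]) to create case-42 with capture.pcap under singles and report.pdf under import.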

Results

An administrator sees the data that is uploaded in Case Management. A user can see their case in one of the tools on the Forensics tab.