Uploading pcap files and documents from external systems to forensics cases

You can upload external data into specific cases.

Before you begin

An administrator must enable secure FTP permissions for the user who wants to upload external files.

About this task

IBM QRadar Incident Forensics can import data from any accessible directory that is on the network. The data can be in a number of formats, including but not limited to the following formats:
  • Standard PCAP format files from external sources
  • Documents such as text files, PDF files, spreadsheets, and presentations
  • Image files
  • Streaming data from applications
  • Streaming data from external PCAP sources

You can upload multiple files to a case.

Restriction: The case name must be unique. You cannot create a case that has the same name as an existing case.

Procedure

  1. In the FTP client, do the following steps:
    1. Ensure that Transport Layer Security (TLS) is selected as the protocol.
    2. Add the IP address of the QRadar Incident Forensics host.
    3. Create a logon that uses the QRadar Incident Forensics user name and password that was created.
  2. Connect to the QRadar Incident Forensics server and create a new directory.
  3. To upload pcap files, create a directory that is named singles under the case directory that you created, and drag the pcap files into that directory.
  4. To upload file types other than pcap (documents, images, and so on), create a directory that is named import under the case directory that you created, and drag the files into that directory.
  5. To restart the FTP server, type the following command:

    systemctl restart vsftpd

  6. To restart the server that moves the files from the upload area to the QRadar Incident Forensics directory, type the following command:

    systemctl restart tomcat-forensics
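The client side of this procedure, scripted as an added example (not IBM's code or tooling): each local file is routed to the singles or import subdirectory of the case directory and uploaded with curl, with TLS required rather than merely selected. It assumes explicit FTPS on the standard FTP port, a CA bundle that can validate the host certificate, and a netrc file holding the forensics user name and password; FORENSICS_HOST, CA_BUNDLE and NETRC_FILE are placeholder environment variables.

```shell
#!/bin/sh
# Added example, not part of the IBM documentation. Classifies files into the
# case layout described above (pcap -> singles, everything else -> import) and
# uploads them over FTP with TLS enforced. Assumptions: explicit FTPS (AUTH TLS)
# on port 21; FORENSICS_HOST, CA_BUNDLE and NETRC_FILE are placeholders.

# Map a file name to the subdirectory the procedure prescribes.
dest_dir_for() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *.pcap|*.pcapng|*.cap) printf 'singles' ;;
        *)                     printf 'import' ;;
    esac
}

# Build the ftp:// URL for a file inside the case directory. A single slash
# after the host keeps the path relative to the FTP user's home directory,
# where the case directory is created.
remote_url_for() {
    host="$1"; case_name="$2"; file="$3"
    printf 'ftp://%s/%s/%s/%s' "$host" "$case_name" \
        "$(dest_dir_for "$file")" "$(basename "$file")"
}

# Upload one file. --ssl-reqd makes curl abort instead of falling back to
# cleartext if the server does not offer TLS; --cacert restricts trust to the
# expected CA; --netrc-file keeps the password out of the process list.
upload_file() {
    url="$(remote_url_for "$FORENSICS_HOST" "$1" "$2")"
    curl --silent --show-error --fail \
         --ssl-reqd --cacert "$CA_BUNDLE" \
         --netrc-file "$NETRC_FILE" \
         --ftp-create-dirs \
         -T "$2" "$url"
}

# Usage: ./upload.sh <case-name> <file>...
if [ "$#" -ge 2 ] && [ -n "$FORENSICS_HOST" ]; then
    case_name="$1"; shift
    for f in "$@"; do
        upload_file "$case_name" "$f" && echo "uploaded $f -> $(dest_dir_for "$f")"
    done
fi
```

The server-side steps (restarting vsftpd and tomcat-forensics) still have to be run on the QRadar Incident Forensics host after the upload completes.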

Results

You can see your case in one of the tools on the Forensics tab.