Investigating network traffic for an IP address

To get visibility of the relevant content in the conversations that occurred during a security incident, you can recover and reconstruct network traffic that is associated with an IP address. You can also search through existing cases that are related to an IP address.

When network traffic is reconstructed from an IP address, an incident is created. Investigators can visualize a sequence of events from the security incident or view the documents in the incident.

IBM QRadar Incident Forensics indexes all available network data, file data, metadata, and textual characters that are in each recovered file.

In distributed deployments, multiple capture devices and QRadar Incident Forensics hosts capture and process data. You can view aggregated incident recovery results or results by host and capture device.

Procedure

  1. To create a case and get data from the packet capture devices, in QRadar, either right-click an IP address and then select Run Forensics Recovery, or click the Run Forensics Recovery icon.
    1. Set the forensics recovery parameters, using the following information:
      Table 1. Parameters for forensics recovery

      IP Address
        Use commas to separate multiple IP addresses. If no IP addresses or ports are entered, the default TCP or UDP is used.

      Port
        Use commas to separate multiple ports.

      Case
        The case name must be unique.

      Collection
        Recovered data is grouped into a collection and associated with the case. The collection name must be unique. If the collection name already exists in the case, the original collection is deleted.

      Tags
        Optional. Used to quickly retrieve exact result sets from relevant documents. Use commas to separate multiple tags. Use alphanumeric characters only; special characters are not allowed.

      Enable Custom BPF (Berkeley Packet Filter)
        Available to administrator users. Selecting the checkbox activates a BPF input field where you specify an IP address and port.

      Enable Custom Capture Devices
        Available to administrator users. Selecting the checkbox generates the list of PCAP devices in your deployment. Select one or more devices to see traffic only from those devices.
    2. Click OK, and then click the Forensics tab.
      Troubleshoot: If you see a message that you do not have permission to recover data, ensure that your security profile has access to the IP address. You might also see this message if you used a # character in the Tags field.
    3. Click the Incident Results icon to view your incidents. Expand or collapse content as you navigate through the hierarchy.
    4. To view the documents in the incident, click Jump to search page results.
    5. To visualize a sequence of events for the incident, click Jump to surveyor page results.
    6. To remove or cancel a particular incident, click Delete or cancel this incident.
    7. To re-run the previous forensics recovery job, click Re-run this forensics recovery. For example, if the results return incomplete data, you can re-run the forensics recovery to include different IP addresses or to change the time frame that was specified in the previous recovery job.
  2. To search existing cases in QRadar, right-click an IP address and click Run Forensics Search.
    1. On the Forensics tab, click the incidents icon.
    2. To investigate an aggregate of the activities that are associated with an incident, highlight a case by hovering your mouse over it, and then click the search icon.
    3. To investigate activities by QRadar Incident Forensics host and capture device in distributed deployments, expand the Case entry and then expand the Collection entry.
    4. To view a chronological list of interactions in an incident, highlight the collection by hovering your mouse over it, and then click the Surveyor icon.
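The following is an added example, not IBM's code, that checks the recovery parameters from Table 1 the way the table describes them (comma-separated IP addresses and ports, alphanumeric-only tags) and writes the resulting host and port selection as a BPF expression; that the default "TCP or UDP" selection corresponds to the BPF `tcp or udp` is an assumption, since the page does not show QRadar's internal filter.

```python
import ipaddress
import re

# Constructed example (not IBM's code). Assumption: the default selection when
# no IP addresses or ports are entered maps to the BPF expression "tcp or udp".

TAG_RE = re.compile(r"^[A-Za-z0-9]+$")


def parse_list(field):
    """Split a comma-separated field into trimmed, non-empty items."""
    return [item.strip() for item in field.split(",") if item.strip()]


def invalid_tags(tags_field):
    """Return the tags that are not alphanumeric (a '#' tag is the case the
    troubleshooting note warns about); an empty list means all tags are valid."""
    return [t for t in parse_list(tags_field) if not TAG_RE.match(t)]


def build_bpf(ip_field, port_field):
    """Return a BPF expression selecting the entered hosts and ports.

    Raises ValueError for a malformed IP address or an out-of-range port.
    """
    ips = parse_list(ip_field)
    ports = parse_list(port_field)
    for ip in ips:
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    for p in ports:
        if not (p.isdigit() and 0 < int(p) < 65536):
            raise ValueError(f"invalid port: {p}")
    if not ips and not ports:
        return "tcp or udp"  # assumed default when both fields are empty
    clauses = []
    if ips:
        clauses.append("(" + " or ".join(f"host {ip}" for ip in ips) + ")")
    if ports:
        clauses.append("(" + " or ".join(f"port {p}" for p in ports) + ")")
    return " and ".join(clauses)


if __name__ == "__main__":
    print(build_bpf("10.0.0.5, 10.0.0.6", "443"))
    print(invalid_tags("incident1, #urgent"))
```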