Adding a QRadar Incident Forensics managed host to QRadar Console

For distributed installations, you must add IBM® QRadar® Incident Forensics Processor as a managed host to the QRadar Console.

A managed host is every non-console QRadar appliance in the deployment. To distribute processing, you can add more than one QRadar Incident Forensics Processor as a managed host.

Before you begin

You must install the QRadar Console software first. For more information, see Installing QRadar Console.


  1. Log in to QRadar Console as an administrator:


    The default user name is admin. The password is the password of the root user account that was entered during the installation.

  2. On the navigation menu ( Navigation menu icon ), click Admin.
  3. In the System Configuration pane, click System and License Management.
  4. From the host table, click the QRadar Console host, and click > Deployment Actions > Add Host.
  5. Enter the information for the QRadar Incident Forensics Processor appliance and then click Add.
    Restriction: Network Address Translation properties are not supported.
  6. From the Admin tab menu bar, click Deploy Changes.
  7. Refresh your web browser.

    The Forensics tab is now visible.

What to do next

You can add an QRadar Network Packet Capture device to the QRadar Incident Forensics Processor. For more information, see Adding packet capture devices to QRadar Incident Forensics hosts.