Removing a QRadar Incident Forensics managed host

To change network configuration settings or if there is an issue with seeing the Forensics tab, you can remove the QRadar Incident Forensics managed host (IBM QRadar Incident Forensics Processor) from the QRadar deployment.

If the QRadar Incident Forensics managed host was responsible for forensics recoveries, the data is lost when you re-add the QRadar Incident Forensics Processor.

If you don't remove the QRadar Incident Forensics managed host, but instead it becomes temporarily unresponsive because of power failure or other issue, jobs for the managed host are still scheduled and are processed when the managed host comes back online.

Procedure

  1. Log in to QRadar Console as an administrator:

    https://IP_Address_QRadar

    The default user name is admin. The password is the password of the root user account that was entered during the installation.

  2. On the navigation menu ( Navigation menu icon ), click Admin.
  3. In the System Configuration pane, click System and License Management.
  4. From the host table, click the QRadar Incident Forensics Processor host that you want to remove, and click > Deployment Actions > Remove Host.
  5. From the Admin tab menu bar, click Deploy Changes.
  6. Refresh your web browser.