QRadar Incident Forensics searches and bookmarks
Investigators use IBM QRadar Incident Forensics to extract relevant data from network traffic and documents.
Searching and bookmarking records
To enable intuitive forensics activity, QRadar Incident Forensics retrieves packet data and ingests other content. It provides search-driven data exploration, session reconstruction, and forensics intelligence to support security incident investigations.
Investigators narrow an investigation through coarse-grained actions and then refine those findings into a relevant final result set. A simple, high-level approach is to search broadly and bookmark many records at first, then focus on the bookmarked records to identify a final set of records. Determine which material is relevant and adjust queries to include or exclude items. Use that material to test a hypothesis.
As you develop new leads, follow them up by using other methods. Use the visualization and analysis tools to assess the results for relevance, both manually and automatically, and run varied queries to view the same issue from a different angle.
Processing bookmarked results
When you find results that are significant to your investigation, bookmark them for deeper inspection and a final determination. Bookmark more than you think you need; if in doubt, bookmark it. The goal is to eliminate the irrelevant material and focus on what you consider relevant.
- Inspect each bookmarked document through the visualization and analysis tools.
- Attach case notes to the documents and make a final decision about each document's relevance to the case.
- If a record is not relevant, remove the bookmark.
At this point in the investigation, you have identified the relevant material in the repository and have a set of relevant bookmarked records.
- Print, export, or process the relevant records.