Creating cases

Cases are logical containers for your collection of imported document and pcap files. You can use a single case for all pcap files or create multiple cases. Cases can be restricted to specific users. To avoid out-of-memory errors, limit the number of cases that are allowed on each instance of QRadar Incident Forensics to 150. Review existing cases and remove the cases that don't have any associated pcap files.

Procedure

  1. On the navigation menu, click Admin.
  2. Select Case Management.
  3. Click Add New Case.
  4. In the Case Name field, type a unique name.
    Restriction: Case names cannot contain spaces.

  5. Click Save.

Results

A new directory that is based on the case name is created: /case_input/<case_name>. This directory is used to import your pcap files.