QRadar Incident Forensics installation components

QRadar Incident Forensics is integrated into the scalable architecture of IBM QRadar Security Intelligence Platform. Depending on your requirements, you can install IBM QRadar Incident Forensics components on a stand-alone appliance (all-in-one deployment) or on multiple appliances (distributed deployment).
The following diagram shows a QRadar Incident Forensics distributed deployment.
QRadar deployments can include the following components:
QRadar Console

The QRadar Console provides the product user interface, and real-time event and flow views, reports, offenses, asset information, and administrative functions.

In distributed QRadar deployments, use the QRadar Console to administer the other QRadar managed hosts.

QRadar Flow Processor

Processes flows from one or more QRadar Flow Collector appliances. The Flow Processor appliance can also collect external network flows such as NetFlow, J-Flow, and sFlow directly from routers in your network. You can use the Flow Processor appliance to scale your QRadar deployment to manage higher flows per minute (FPM) rates.

QRadar Data Node

Data Nodes enable new and existing QRadar deployments to add storage and processing capacity on demand as required. Data Nodes help to increase the search speed in your deployment by providing more hardware resources to run search queries on.

QRadar Flow Collector

The IBM QRadar Flow Collector collects flows by connecting to a SPAN port, or a network TAP. The appliance also supports the collection of external flow-based data sources, such as NetFlow from routers.

QRadar Incident Forensics Processor

Provides the QRadar Incident Forensics product user interface. The interface delivers tools to retrace the step-by-step actions of cyber criminals, reconstruct raw network data that is related to a security incident, search across available unstructured data, and visually reconstruct sessions and events.

You must attach the QRadar Incident Forensics Processor as a managed host to a QRadar Console before you can use the security intelligence forensics capability.

You can connect up to five packet capture devices to a QRadar Incident Forensics Processor or a QRadar Incident Forensics Standalone appliance.

Note: If you install QRadar Incident Forensics Standalone, a QRadar Console is not required. This offering provides only the tools and administrative capabilities that are required to do a forensics investigation.

QRadar Network Packet Capture

Use these optional packet capture appliances to store and manage data that is used by QRadar Incident Forensics when no other packet capture device is deployed in your environment. You can install any number of these appliances as a network tap or subnetwork to collect the raw packet data. If no packet capture device is attached, you can manually upload the packet capture files in the user interface or by using FTP.

You can extend the storage that is available for capture data by connecting multiple QRadar Network Packet Capture appliances together in a ring topology to create a stack. The stack distributes capture data across each of the connected appliances. A stack can connect up to 16 appliances, but it appears and behaves as a single entity that captures data from one TAP on a single 10 Gb port.
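The component descriptions above carry several hard deployment constraints: a Forensics Processor must be a managed host of a QRadar Console (only the Standalone offering is exempt), at most five packet capture devices attach to a Forensics Processor or Standalone appliance, a Network Packet Capture stack holds at most 16 appliances, and a node with no capture device falls back to manual PCAP upload. The following checker is an added example, not IBM code or part of the product: it encodes only those documented limits; the plan data model, the function names and the sample plans are hypothetical, constructed here to show how a planned topology can be validated before hardware is ordered.

```python
"""Sanity-check a planned QRadar Incident Forensics deployment against the
limits documented above.  Added illustration only; the plan format and
function names are assumptions, not an IBM API."""
from dataclasses import dataclass, field
from typing import List, Tuple

# Limits stated in the component descriptions.
MAX_PCAP_DEVICES_PER_FORENSICS = 5   # per Forensics Processor / Standalone appliance
MAX_PCAP_STACK_SIZE = 16             # Network Packet Capture appliances in one ring stack


@dataclass
class ForensicsNode:
    """A QRadar Incident Forensics Processor, or a Standalone appliance."""
    name: str
    standalone: bool = False
    # Packet capture devices attached to this node (single appliances,
    # stacks, or third-party capture devices), identified by name.
    capture_devices: List[str] = field(default_factory=list)


@dataclass
class CaptureStack:
    """A ring of QRadar Network Packet Capture appliances that behaves as one device."""
    name: str
    members: List[str]


@dataclass
class DeploymentPlan:
    has_console: bool
    forensics: List[ForensicsNode]
    stacks: List[CaptureStack] = field(default_factory=list)


def validate_plan(plan: DeploymentPlan) -> List[Tuple[str, str]]:
    """Return (level, message) findings; level is 'error' or 'info'."""
    findings: List[Tuple[str, str]] = []

    for stack in plan.stacks:
        if not stack.members:
            findings.append(("error", f"stack {stack.name}: has no member appliances"))
        if len(stack.members) > MAX_PCAP_STACK_SIZE:
            findings.append(("error",
                             f"stack {stack.name}: {len(stack.members)} appliances "
                             f"exceeds the limit of {MAX_PCAP_STACK_SIZE}"))
        if len(set(stack.members)) != len(stack.members):
            findings.append(("error", f"stack {stack.name}: duplicate member appliance"))

    for node in plan.forensics:
        # A Forensics Processor is only usable as a managed host of a Console;
        # the Standalone offering is the one case that needs no Console.
        if not node.standalone and not plan.has_console:
            findings.append(("error",
                             f"{node.name}: Forensics Processor must be attached "
                             "as a managed host to a QRadar Console"))
        n_devices = len(node.capture_devices)
        if n_devices > MAX_PCAP_DEVICES_PER_FORENSICS:
            findings.append(("error",
                             f"{node.name}: {n_devices} packet capture devices exceeds "
                             f"the limit of {MAX_PCAP_DEVICES_PER_FORENSICS}"))
        if len(set(node.capture_devices)) != n_devices:
            findings.append(("error", f"{node.name}: duplicate capture device"))
        if n_devices == 0:
            # Not a misconfiguration, but worth flagging: PCAP files must then
            # be uploaded manually through the UI or by FTP.
            findings.append(("info",
                             f"{node.name}: no packet capture device attached; "
                             "capture files must be uploaded manually (UI or FTP)"))
    return findings


def plan_is_valid(plan: DeploymentPlan) -> bool:
    """True when the plan produces no 'error' findings."""
    return not any(level == "error" for level, _ in validate_plan(plan))


if __name__ == "__main__":
    # Constructed sample: one Console-managed Forensics Processor fed by a full 16-node stack.
    sample = DeploymentPlan(
        has_console=True,
        forensics=[ForensicsNode("forensics-1", capture_devices=["stack-a"])],
        stacks=[CaptureStack("stack-a", [f"npc-{i:02d}" for i in range(16)])],
    )
    for level, message in validate_plan(sample):
        print(f"[{level}] {message}")
    print("valid" if plan_is_valid(sample) else "invalid")
```

Run it against a plan before procurement; an `error` finding means the topology as drawn cannot be brought up as documented, while an `info` finding only records the manual-upload fallback.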

QRadar Network Insights

The QRadar Network Insights appliance provides real-time analysis of network data and an advanced level of threat detection and analysis. You can use QRadar Network Insights to detect and analyze malware, phishing, insider threats, lateral movement attacks, data exfiltration, and compliance gaps.