IBM Support

QRadar: How do I delete QRadar Incident Forensics icons from the Admin tab

How To


After an administrator removes a QRadar Incident Forensics appliance from the deployment, they might notice the Forensics icons remain in the Admin tab user interface. This article instructs the administrator how to request a license update to remove these user interface components.


To remove the QRadar Forensics icons from the Admin tab after Incident Forensics host is decommissioned and removed from the QRadar deployment.


To remove the QRadar Incident Forensics (QIF) icons you must apply a new Console license without the QRadar Incident Forensics component.
  1. The license key used to install QRadar Incident Forensics is a Console key that enables the Forensics tab and also shows Forensics icons:

    image 6284
  2.  Email and request a new Console license key WITHOUT QRadar Incident Forensics (QIF).
    For example:
      Hello We have decommissioned our QRadar Incident forensics appliance.  Could you send us a new license without a QIF enablement.  
  3. Change the Display drop-down to Licenses.

  4. Click Upload License.
  5. Select the new License key without QIF enablement.
  6. Click Upload.
  7. Click the Console > click Allocate license.
  8. Click Deploy License.
  9. Log out of the QRadar UI and clear the browser cache.
Note: The Forensics Suspect Content Management icon is standard on all QRadar deployments and will be present on the Admin tab even if no Incident Forensics host is added.
image 6288

After you log back into the Console UI the icons for Server Management, Case Management, Forensics User Permissions, Schedule Actions are removed.

Additional Information

Document Location


[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Component":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Versions","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}},{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSUK44","label":"IBM Security QRadar Incident Forensics"},"Component":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Versions","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
23 September 2020