Feature spotlights

Retrace the step-by-step actions of cyber criminals

IBM® QRadar® Incident Forensics reduces the time needed to investigate and respond to security incidents. It is easy to use and requires minimal training, enabling IT security teams to quickly and efficiently research security incidents. Its data collection capabilities extend beyond log events and network flows to include full packet captures, and digitally stored documents and elements. It helps provide context and visibility to the who, what, when, where and how of an attack.

Rebuild data and evidence related to a security incident

Includes data pivoting to help discover network relationships involved in an incident. Creates indices using network and file metadata and the payload contents of packet capture data (PCAP) including text from web pages and documents. Helps analysts filter search results to include only packets associated with a specific QRadar offense, helping them quickly and easily locate malicious traffic. Enables testing for attacks identified by internet threat intelligence feeds such as IBM X-Force®.

Integrates with IBM QRadar Security Intelligence Platform

Uses the QRadar single-console user interface with a right-click integration capability to populate a packet capture search request. Includes point-and-click tools for deeper analysis and visualization of extended relationships, or digital impressions based on IP or MAC addresses, email, chat and social media identities.

Enable threat-prevention collaboration and management

Permit access to the IBM Security App Exchange.

Technical details

Software requirements

For information about hardware and software compatibility, see the detailed system requirements in the IBM Security QRadar Incident Forensics Installation Guide.

Hardware requirements

QRadar® Incident Forensics is available as a hardware, software or virtual appliance. Ensure that you have access to the following hardware components:

• Uninterruptible Power Supply (UPS) for all systems that store data, such as QRadar Console, Event Processor components, or QRadar QFlow Collector components
• Null modem cable, if you want to connect the system to a serial console
• Monitor and keyboard, or a serial console

QRadar products support hardware-based Redundant Array of Independent Disks (RAID) implementations, but do not support software-based RAID installations.

Technical specifications

OS: Red Hat Enterprise Linux (RHEL) Server 6
Prerequisite: IBM Security QRadar SIEM 7.2.2 and future fix packs

QRadar Incident Forensics is integrated into the IBM QRadar Security Intelligence Platform. For distributed installations, you can now add a QRadar Incident Forensics appliance (IBM Security QRadar Incident Forensics Processor) as a managed host to a QRadar appliance.

There is no longer a primary or secondary QRadar Incident Forensics node. Each QRadar Incident Forensics processor is managed by the QRadar console.