Feature spotlights

Retrace the step-by-step actions of cyber criminals

IBM® QRadar® Incident Forensics reduces the time needed to investigate and respond to security incidents. It is easy to use and requires minimal training, enabling IT security teams to quickly and efficiently research security incidents. Its data collection capabilities extend beyond log events and network flows to include full packet captures, and digitally stored documents and elements. It helps provide context and visibility to the who, what, when, where and how of an attack.

Rebuild data and evidence related to a security incident

Includes data pivoting to help discover network relationships involved in an incident. Creates indices using network and file metadata and the payload contents of packet capture data (PCAP) including text from web pages and documents. Helps analysts filter search results to include only packets associated with a specific QRadar offense, helping them quickly and easily locate malicious traffic. Enables testing for attacks identified by internet threat intelligence feeds such as IBM X-Force®.

Integrates with IBM QRadar Security Intelligence Platform

Uses the QRadar single-console user interface with a right-click integration capability to populate a packet capture search request. Includes point-and-click tools for deeper analysis and visualization of extended relationships, or digital impressions based on IP or MAC addresses, email, chat and social media identities.

Enable threat-prevention collaboration and management

Permit access to the IBM Security App Exchange.

How customers use it

  • Retrace a cyber criminal's footsteps

    Challenge: discerning which suspicious activity is truly relevant to an incident.

    Identify the actions of cyber criminals to provide deep insights into the impact of an intrusion and help prevent recurrence.

  • Reconstruct data in a security attack

    Challenge: determining the full extent of a security incident.

    Compile evidentiary profiles on security incidents for remediation. Rebuild data involved in a security incident to obtain a detailed, step-by-step view of the offense. Simplify the query process with an interface that works like an internet search engine.

  • Save time and lower costs

    Challenge: forensics has traditionally been manual, requiring specialized tools and specialized technical skills.

    IT security teams can quickly and easily conduct a thorough forensics investigation and gain visibility into the details behind a security breach, with no special skills or training.

  • Leverage existing infrastructure

    Challenge: having to use disparate systems and tools, and hoping to find a connection to the offense.

    Optionally use existing PCAP infrastructure or acquire new systems dedicated to QRadar Incident Forensics.

Technical details

Technical specifications

OS: Red Hat Enterprise Linux (RHEL) Server 6. Prerequisite: IBM Security QRadar SIEM 7.2.2 and future fix packs.

Software requirements

For hardware compatibility information, see the detailed system requirements in the IBM Security QRadar Incident Forensics Installation Guide.

Hardware requirements

IBM QRadar Incident Forensics is available as hardware, software or a virtual appliance. Ensure you have access to the following hardware:

  • Monitor and keyboard, or a serial console