IBM® Security QRadar® Incident Forensics allows you to retrace the step-by-step actions of a potential attacker, and quickly and easily conduct an in-depth forensics investigation of suspected malicious network security incidents. It reduces the time it takes security teams to investigate offense records, in many cases from days to hours—or even minutes. It can also help you remediate a network security breach and prevent it from happening again.

IBM Security QRadar Incident Forensics offers an optional IBM Security QRadar Packet Capture appliance to store and manage data used by IBM Security QRadar Incident Forensics if no other network packet capture (PCAP) device is deployed. Any number of these appliances can be installed as a tap on a network or sub-network to collect the raw packet data.

IBM Security QRadar Incident Forensics:

  • Retraces the step-by-step actions of cyber criminals to provide deep insights into the impact of intrusions and help prevent their recurrence.
  • Reconstructs raw network data related to a security incident back into its original form for a greater understanding of the event.
  • Integrates with IBM QRadar Security Intelligence Platform and offers compatibility with many third-party packet capture offerings.

Retraces the step-by-step actions of cyber criminals

  • Reduces the time required to investigate and respond to security incidents before they significantly impact your business.
  • Uses expanded security data collection capabilities beyond log events and network flows to include full packet captures and digitally stored documents and elements.
  • Provides greater clarity regarding what happened, when it happened, who was involved and what data was accessed or transferred.
  • Requires minimal training, enabling IT security teams to quickly and efficiently research security incidents.
  • Helps formulate new proactive security practices by allowing teams to quickly obtain a clear understanding of an incident or a breach.

Reconstructs raw network data related to a security incident

  • Includes a powerful data pivoting capability to help discover and display extended network relationships involved in an incident.
  • Indexes and searches full packet capture data (PCAP) related to a security incident, including associated documents and database elements.
  • Helps security analysts intelligently filter search results to quickly and easily locate specific malicious traffic.
  • Enables testing for conditions associated with an observed attack pattern from an Internet threat intelligence feed such as IBM X-Force®.

Integrates with IBM QRadar Security Intelligence Platform

  • Uses the IBM QRadar single-console user interface.
  • Uses point-and-click tools for analysis and visualization and provides an intuitive search engine interface.
  • Complements existing Layer 7 application level insights available with IBM Security QRadar QFlow Collectors.
  • Available as a hardware, software or virtual appliance.