Quickly and easily conduct in-depth security forensics investigations. IBM® QRadar® Incident Forensics allows you to retrace the step-by-step actions of a potential attacker, and quickly and easily conduct an in-depth forensics investigation of suspected malicious network security incidents. It reduces the time it takes security teams to investigate QRadar offense records, in many cases from days to hours—or even minutes. It can also help you remediate a network security breach and prevent it from happening again.

IBM QRadar Incident Forensics offers an optional IBM QRadar Packet Capture appliance to store and manage data used by IBM QRadar Incident Forensics if no other network packet capture (PCAP) device is deployed. Any number of these appliances can be installed as a tap on a network or sub-network to collect the raw packet data.

IBM QRadar Incident Forensics:

  • Retraces the step-by-step actions of cyber criminals to provide deep insights into the impact of intrusions and help prevent their reoccurrence
  • Reconstructs raw network data related to a security incident back into its original form for a greater understanding of the event
  • Integrates with IBM QRadar Security Intelligence Platform and offers compatibility with many third-party packet capture offerings

Retraces the step-by-step actions of cyber criminals

  • Reduces the time required to investigate and respond to security incidents before they significantly impact your business
  • Uses expanded security data collection capabilities beyond log events and network flows to include full packet captures and digitally stored documents and elements
  • Complements advanced Sense Analytics to provide more network context and greater clarity regarding what happened, when it happened, who was involved and what data was accessed or transferred
  • Requires minimal training, enabling IT security teams to quickly and efficiently research security incidents
  • Helps formulate new proactive security practices by allowing teams to quickly obtain a clear understanding of an incident or a breach

Reconstructs raw network data related to a security incident

  • Includes a powerful data pivoting capability to help discover and display extended network relationships involved in an incident
  • Creates multiple indices using all network and file metadata and the payload contents of packet capture data (PCAP) including text from web pages, documents and database elements
  • Helps security analysts intelligently filter search results to include only those packets associated with a specific QRadar offense helping analysts quickly and easily locate specific malicious traffic
  • Enables testing for conditions associated with an observed attack pattern from an Internet threat intelligence feed such as IBM X-Force®

Integrates with IBM QRadar Security Intelligence Platform

  • Uses the IBM QRadar single-console user interface including a right-click integration capability to populate the contents of a packet capture search request
  • Uses point-and-click tools for deeper analysis and visualization of extended relationships or Digital Impressions based on IP or MAC addresses, Email, chat and social media identities
  • Complements existing Layer 7 application level insights available with IBM QRadar QFlow Collectors
  • Available as a hardware, software or virtual appliance