IBM QRadar Incident Forensics

Additional features

Comprehensive Packet Capture (PCAP) Analysis

Captures, indexes, and analyzes raw network packet data (PCAPs), including both metadata and payload, to provide deep visibility into network communications.

Detailed Data Reconstruction

Reconstructs raw network data into its original application form, allowing investigators to view actual emails, file and picture attachments, VoIP phone calls, web page visits, and other files (DOC, PDF, MPEG3) as they appeared to the user.

Step-by-Step Attack Tracing

Enables security teams to retrace the precise actions of a potential attacker by analyzing the sequence of network events and reconstructed content, providing a detailed timeline of the breach.

Powerful & Intuitive Search Engine

Features a high-performance search engine with an intuitive, search-bar-like interface that allows for rapid and complex queries across all indexed data (at rest, in motion, structured, unstructured, documents).

Visual Digital Impressions

Generates visual reconstructions of network relationships, helping to identify attacking entities, their communication methods, and interacted systems through clear "digital impressions" of the incident.

Accelerated Incident Investigation

Significantly reduces the time required to investigate QRadar SIEM offense records (from days to hours or minutes), enabling quicker remediation of network security breaches.

Automated Suspect Content Identification

Utilizes pre-built rules and integrates with threat intelligence feeds (e.g., IBM X-Force) to automatically flag reconstructed content as suspicious based on known malicious patterns or behaviors.

Query Builder & Advanced Filtering

Provides a query builder tool for constructing complex searches using Boolean operators and Berkeley Packet Filters, alongside filters for specific protocols, domains, and web categories to refine investigations.

Integrated Case Management

Allows for the creation, assignment, and management of forensic cases, facilitating organized investigation workflows and allowing investigators to bookmark relevant records for focused analysis.

External File & PCAP Import

Supports the manual import of external packet capture (PCAP) files and other documents (spreadsheets, images, PDFs) into forensics cases, enhancing the scope of investigation.

SSL/TLS Decryption

Offers capabilities to decrypt SSL and TLS encrypted traffic (with appropriate server private keys or client key log files), providing visibility into encrypted communications.

YARA Rule Support

Allows for the import and management of YARA rules, enabling custom pattern matching for malware detection and identification within reconstructed data.

User Roles & Auditing

Provides role-based access control (RBAC) to assign specific user permissions (e.g., Admin, Forensics) and conducts auditing of user and system activity within the platform for accountability.

Hardware Appliance Support

Designed to run on dedicated QRadar appliances (e.g., QRadar M4, M5, M6, QRadar xx28-C, Network Insights), ensuring optimized performance and integration with the broader QRadar ecosystem.