IBM QRadar Incident Forensics

Captures, indexes, and analyzes raw network packet data (PCAPs), including both metadata and payload, to provide deep visibility into network communications.

Reconstructs raw network data into its original application form, allowing investigators to view actual emails, file and picture attachments, VoIP phone calls, web page visits, and other files (DOC, PDF, MPEG3) as they appeared to the user.

Enables security teams to retrace the precise actions of a potential attacker by analyzing the sequence of network events and reconstructed content, providing a detailed timeline of the breach.

Features a high-performance search engine with an intuitive, search-bar-like interface that allows for rapid and complex queries across all indexed data (at rest, in motion, structured, unstructured, documents).

Generates visual reconstructions of network relationships, helping to identify attacking entities, their communication methods, and interacted systems through clear "digital impressions" of the incident.

Significantly reduces the time required to investigate QRadar SIEM offense records (from days to hours or minutes), enabling quicker remediation of network security breaches.

Utilizes pre-built rules and integrates with threat intelligence feeds (e.g., IBM X-Force) to automatically flag reconstructed content as suspicious based on known malicious patterns or behaviors.

Provides a query builder tool for constructing complex searches using Boolean operators and Berkeley Packet Filters, alongside filters for specific protocols, domains, and web categories to refine investigations.

Allows for the creation, assignment, and management of forensic cases, facilitating organized investigation workflows and allowing investigators to bookmark relevant records for focused analysis.

Supports the manual import of external packet capture (PCAP) files and other documents (spreadsheets, images, PDFs) into forensics cases, enhancing the scope of investigation.

Offers capabilities to decrypt SSL and TLS encrypted traffic (with appropriate server private keys or client key log files), providing visibility into encrypted communications.

Allows for the import and management of YARA rules, enabling custom pattern matching for malware detection and identification within reconstructed data.

Provides role-based access control (RBAC) to assign specific user permissions (e.g., Admin, Forensics) and conducts auditing of user and system activity within the platform for accountability.

Designed to run on dedicated QRadar appliances (e.g., QRadar M4, M5, M6, QRadar xx28-C, Network Insights), ensuring optimized performance and integration with the broader QRadar ecosystem.