
What is QRIF

QRIF stands for QRadar Incident Forensics. It allows you to retrace the step-by-step actions of a potential attacker and to quickly and easily conduct an in-depth forensic investigation of suspected malicious network security incidents. It reduces the time it takes security teams to investigate QRadar offense records, often from days to hours, or even minutes. It can also help you remediate a network security breach and prevent it from happening again. IBM QRadar Packet Capture appliances are also available to store and manage data if no other network packet capture (PCAP) device is deployed.

Retrace the step-by-step actions of cyber criminals

IBM® QRadar® Incident Forensics reduces the time needed to investigate and respond to security incidents. It is easy to use and requires minimal training, enabling IT security teams to quickly and efficiently research security incidents. Its data collection capabilities extend beyond log events and network flows to include full packet captures, and digitally stored documents and elements. It helps provide context and visibility to the who, what, when, where and how of an attack.

Rebuild data and evidence related to a security incident

Includes data pivoting to help discover network relationships involved in an incident. Creates indices using network and file metadata and the payload contents of packet capture data (PCAP) including text from web pages and documents. Helps analysts filter search results to include only packets associated with a specific QRadar offense, helping them quickly and easily find malicious traffic. Enables testing for attacks identified by internet threat intelligence feeds such as IBM X-Force.

Integrates with IBM QRadar Security Intelligence Platform

Uses the QRadar single-console user interface, with a right-click integration that populates a packet capture search request. Includes point-and-click tools for deeper analysis and visualization of extended relationships, or digital impressions, based on IP or MAC addresses, email, chat and social media identities.

Installation options

Depending on the components that you install, not all the security capabilities are available. For example, if you install QRadar Incident Forensics on one appliance, only network forensics is available. However, if you install a QRadar Incident Forensics managed host, more security capabilities are available. For most installations, you install the QRadar Console, at least one QRadar Incident Forensics Processor, and one or more QRadar Packet Capture appliances.

[Figure: Example of an Incident Forensics deployment]