Qradar Incident Forensics User Guide

Running a recovery from a document's Attributes page

Download 1,36 Mb.

1 ... 64 65 66 67 68 69 70 71 ... 83

Bog'liq
b forensics ug

Running a recovery from a document's Attributes page

When you view the Attributes tab for a document, you can run a recovery for an

IP address or port.

Procedure

From the Search page on the Forensics tab, do a search.

From the list of returned documents, click one to open it.

Click the Attributes tab.

Click an IP address or a port.

From the menu, click Run Recovery for.

QRadar Incident Forensics User Guide

Chapter 5. Investigating network traffic for an IP address

To get visibility of the relevant content in the conversations that occurred during a

security incident, you can recover and reconstruct network traffic that is associated

with an IP address. You can also search through existing cases that are related to

an IP address.

When network traffic is reconstructed from an IP address, an incident is created.

Investigators can visualize a sequence of events from the security incident or view

the documents in the incident.

IBM Security QRadar Incident Forensics indexes all available network data, file

data, metadata, and textual characters that are in each recovered file.

In distributed deployments, multiple capture devices and QRadar Incident

Forensics hosts capture and process data. You can view aggregated incident

recovery results or results by host and capture device.

Procedure

To create a case and get data from the packet capture devices, in QRadar, either

right-click an IP address and then select Run Forensics Recovery, or click the

forensics recovery icon

.

a.

Set the forensics recovery parameters, using the following information:

Table 5. Parameters for forensics recovery

Download 1,36 Mb.

Do'stlaringiz bilan baham:

1 ... 64 65 66 67 68 69 70 71 ... 83