IBM Security QRadar

  • 1.  Qradar Forensics

    Posted Mon April 08, 2019 09:58 AM
    Hi support,
    I want to ask about QRadar forensics. Are there diagrams of high availability for the forensics processor? And for forensics package captures, if I use Data Node software separately for storage, are there any limits on storage? If there are documents to refer to, that would be great. Please help me clarify this solution. Thanks all


    ------------------------------
    Phuong Thai
    ------------------------------


  • 2.  RE: Qradar Forensics

    Posted Tue April 09, 2019 09:33 AM
    We do not recommend you use Data Node software for PCAP storage.

    ------------------------------
    Richard Gingras
    ------------------------------



  • 3.  RE: Qradar Forensics

    Posted Wed April 10, 2019 09:17 AM

    What do you recommend that we use for off-appliance PCAP storage?

    Thanks,

    Daniel Sichel, Info Security Analyst, Sr., CISSP #422810
    Community Medical Centers
    Corporate Compliance Office – Information Systems Security
    1540 E. Shaw, Suite 101, Fresno Cal. 93710
    Phone: (559) 724-4265 ext. 24265 | Fax: 559-724-4271
    Cell: (559) 230-9444
    dsichel@communitymedical.org




  • 4.  RE: Qradar Forensics

    Posted Wed April 10, 2019 11:29 AM
    Daniel,

    If you are using QRadar Incident Forensics, the Network PCAP appliances are meant to be chained when more storage is needed. If I can find a generally supported way to store the data outside of the appliance/software, I will post it here.

    ------------------------------
    Richard Gingras
    ------------------------------



  • 5.  RE: Qradar Forensics

    Posted Wed April 10, 2019 02:58 PM

    HA isn't available for QRIF and PCAP, but you can create a deployment that allows for parallel deployments which can be switched manually. Since forensics isn't real-time, this has been an acceptable approach for many customers who do want HA for everything, including forensics and PCAP.

    If you have questions or need more information on how to do this, let me know what specific questions you need answered.

    Today there isn't a supported way to store data outside of Network PCAP. A client can stack up to 16 Network PCAP appliances behind a single tap to extend storage. The problem with external storage is the ability to guarantee that the writes will keep up with the speed of the network, much less being able to manage the indexes and ultimately retrieve the data.

    External storage sounds great until it doesn't work, and if our customers don't have the data they need when they really need it, well, you can follow from there.

    This is why we focus on scaling through Network PCAP, which ensures IBM QIF can keep up with the network while having the data available when it is needed.



    ------------------------------
    Richard Gingras
    QRadar SME
    IBM Security
    Cambridge MA
    ------------------------------



  • 6.  RE: Qradar Forensics

    Posted Fri April 12, 2019 12:38 AM
    Thanks all

    ------------------------------
    Phuong Thai
    ------------------------------



  • 7.  RE: Qradar Forensics

    Posted Thu September 26, 2019 11:46 AM
    Dear Richard,
    I want to ask you:
    How do I take a backup of the QIF and packet capture appliances?
    If you have any document to refer to, please share it.
    Many thanks


    ------------------------------
    Phuong Thai
    ------------------------------