QRadar 101
A one-stop experience to help you navigate through content available for supporting QRadar.
News and Notices
Introducing IBM QRadar Cloud-Native SIEM
6 Nov: IBM has announced that QRadar SIEM (cloud-native) is here to introduce users to the new generation of QRadar SIEM. The new generation of QRadar SIEM was rebuilt from the ground up to solve challenges and serve the demands of users in multi-cloud environments. Join us on our upcoming webinar as we talk about QRadar SIEM and the evolution of the QRadar Suite portfolio to help analysts and SOC teams succeed and evolve how they work.
QRadar SIEM (cloud-native) edition is here IBM Newsroom Join the webinar (15 Nov)
QRadar 7.5.0 Update Package 7 Interim Fix 2 is released
6 Nov: New software is available for QRadar users. The release of QRadar 7.5.0 Update Package 7 Interim Fix 2 resolves one reported issue where hostcontext can experience an out-of-memory issue when the service attempts to request more than the default memory allocation. The interim fix is a cumulative release, so administrators on QRadar 7.5.0 UP7 can apply the latest interim fix to get the fixes from both IF1 and IF2. For more information about this release and direct links to the download and release notes, see the QRadar Software 101 page.
Upgrade path information for the transition to Red Hat Enterprise 8
6 Nov: A new flash notice was sent to users on 6 Nov 2023 about QRadar’s transition from Red Hat Enterprise 7 to Red Hat Enterprise 8. Administrators who plan to upgrade to a QRadar version that includes Red Hat Enterprise 8 must first install QRadar 7.5.0 Update Package 7. This restriction ensures that all of the packages required to transition to RHEL8 are available when users attempt to upgrade. An upgrade to QRadar 7.5.0 Update Package 7 is required for users who plan to go to 7.5.0 UP8 or later.
QRadar hits 400 apps on the X-Force App Exchange
1 Nov: QRadar hit a new milestone where 400 apps are now available for IBM QRadar SIEM. As of 1 November 2023, there are 243 Technology Partner applications and 157 IBM-developed apps on X-Force. As all applications are reviewed and tested by IBM Security teams, this milestone represents an amazing achievement for both IBM and the partners who work with us every day to build great security products.
QRadar natively supports SIGMA for rule creation
15 Sept: A new version of the QRadar Manager for YARA and SIGMA Rules app is available on the IBM App Exchange. The new app version 2.0.0 supports some great new features for users, such as:
- New functionality allowing users to upload SIGMA rules manually or import them from GitHub.
- New functionality allowing users to convert SIGMA rules to AQL searches.
- New functionality allowing users to convert SIGMA rules to AQL filter queries and inject them into QRadar as QRadar rules.
- New functionality allowing users to bulk-import SIGMA rules from a GitHub repository directly into QRadar as QRadar rules.
- New SIGMA Rule Manager tutorial page.
WinCollect 10.1.7 is released
30 Aug: Administrators with stand-alone WinCollect agents can upgrade to the latest released version, which is 10.1.7. This release resolved five important issues for administrators, such as virtual account install issues on Domain Controllers and non-English operating systems, an AD lookup configuration problem, issues collecting logs for ‘restricted group’ policies, and an installation issue for non-C-drive installations.
Support Top Technotes
Troubleshooting performance for expensive custom rules in 7.5.0 UP2 and later
Custom rules that are not properly tuned can cause performance issues. Troubleshoot rule performance issues by using the findExpensiveCustomRules.sh script.
Searching fails with error “There was a problem connecting to the query server”
Real-time streaming works as expected; however, administrators might see an error after a search is attempted by using filter criteria in the Log Activity tab.
How to use ariel_offline_indexer.sh
The ariel_offline_indexer.sh script is used within QRadar to remap information related to events stored in the Ariel non-structured database in cases of migration, reallocation of events, and more.
Installation or upgrade displays “WinCollect 10 Setup Wizard ended prematurely” error
Installing WinCollect 10 by double-clicking the MSI file results in a “WinCollect 10 Setup Wizard ended prematurely” error even when all fields are completed correctly.
Unable to add HA
You are not able to add HA in the virtualized environment even if the KMOD and DRBD rpms are updated.
“Unable to push events to eventcollector – DiskManager can’t allocate bytes” error
The error message is displayed when WinCollect is unable to communicate with the target event collector, and the WinCollect cache is full.
Update an application tomcat-client-conman.cert certificate before expiration
The system issues a warning notification: An application framework certificate is expiring soon and needs to be replaced.
How to configure PowerShell in WinCollect 10
This article contains the steps to configure a WinCollect 10 agent to collect and forward PowerShell logs to QRadar.
Effects of low bandwidth on replication
How does low bandwidth affect the replication process on managed hosts?
How to properly move a Log Source from one Target Collector to another
Several outbound protocols use a marker file as a bookmark during event collection. The marker file is stored on the “Target Collector” that is set within the Overview tab of the log source.
Regex Parsing Performance
If the regular expression used is too complex or inefficient, parsing is slow, leading to events waiting on the persistent queue and being routed to storage.
Apps migration failures
Apps migration from the Console to the App Host fails due to bad certificates and throws “Unable to communicate with API” and “certificate signed by unknown authority” errors.
Auto Updates
Current: 1 November 2023
1 Nov: Enhanced the Microsoft Entra ID DSM to add parsing for more categories of events. This RPM adds parsing and QID map updates to categorize events for the following event types: Audit Logs, Sign in Logs, Non-Interactive User Sign in Logs, Service Principal Sign in Logs, Managed Identity Sign in Logs, Provisioning Logs, ADFS Sign in Logs, Active Directory Federation Services (ADFS), Risky Service Principals, Risky Users, Service Principal Risk Events, User Risk Events.
1 Nov: Added support for administrators to enable a new configuration option for ‘Use HTTP Header Authentication Token’ for security devices that support outbound posts that include header tokens to authorize connections. Administrators who enable ‘Use HTTP Header Authentication Token’ for their log source can define an ‘Authentication Token Header Name’ and an ‘Authentication Token Value’ in the user interface.
1 Nov: Resolved a user reported issue where some events did not parse as expected and were categorized as ‘Stored’. This RPM release reviews and adds parsing for several Aruba Mobility events, such as: DPIMGR system error (393000), ctb_redis_data (312604), and added parsing for several CLI events, prepare_and_send_debug_response, cli_rap_gre_ep_request, and wsc_resolve_addr_inadvance.
1 Nov: Enhanced the Protocol Common RPM to add support for TLS v1.3 test functionality in the Log Source Management application. Protocol Common is required to ensure log sources that use TLS v1.3 for TLS Syslog, HTTP Receiver, and IBM QRadar DLC log sources can use the test functionality to validate connections and troubleshoot configuration issues.
1 Nov: Resolved multiple issues in the TLS Syslog protocol:
- Enhanced the TLS Syslog protocol to include support for TLS v1.3. Administrators must ensure that they have the latest version of Protocol Common installed to be able to test TLS v1.3 configurations from the Log Source Management application.
- Resolved an issue where administrators with large numbers of TLS Syslog connections could experience bind errors after a deploy changes due to ‘Address already in use (bind error)’, which might require a restart of ecs-ec-ingress. This RPM update allows the protocol to retry binding and prevents administrators from needing to manually restart services.
- Removed support for TLS v1.0 and v1.1.
1 Nov: Resolved a reported issue in the F5 Networks BIG-IP LTM DSM where Traffic Management Microkernel (TMM) rule events with an info severity did not parse as expected and were categorized as ‘Stored’.
Software Versions
Features and what’s new
What’s New in QRadar v7.5.0?
QRadar
- Operating system updated to Red Hat® Enterprise Linux® version 7.9.
- Local Only authentication allows administrators to prevent unintended access to users with accounts in external authentication systems.
- Use secure boot to ensure that only trusted kernels and kernel modules are loaded
- Two new offense rule tests: ‘when an offense is closed’ and ‘when an offense is modified’
- A new AQL OFFENSE_TIME function to increase the speed of your offense queries
- A new AQL DISTINCTCOUNT function to return the unique count of the value in an aggregate
- Encryption of managed hosts enabled by default
- Support for IPFIX bidirectional flows
- Multi-threaded processing for external flow sources
- Sequence number verification
- Support for Network Address Translation fields from IPFIX and NetFlow v9
- New application determination algorithms
- Support for more fields from AWS VPC flow logs
- Alias Autodetection field is renamed to DNS lookup for Alias Autodetection
- Flow direction algorithms are now applied at the beginning of the flow parsing process
- You can no longer delete the ‘Uncategorized’ category for tagged flow fields from your system
- Only relevant IPFIX fields are encoded into the payload and extra fields are added as TLV elements
The hashing algorithm default is changed to SHA-512 for all Ariel hashing. Several algorithms, such as MD-2, MD-5, HMAC-MD5 are removed.
QRadar Network Insights
- Network inspection performance
- Performance improvements for the QRadar Network Insights 6500 appliance
- Modified process for identifying file types
- More integration with IBM X-Force
- Improved application detection
- Data aggregation and segmentation improvements
- Some inspectors are no longer supported, such as web domain, Myspace protocol, and SPDY.
QRadar Incident Forensics
During the upgrade to QRadar Incident Forensics 7.5.0, case data is exported and then imported back into the QRadar Incident Forensics managed host. As a result, the upgrade process takes longer to complete than in previous releases.
QRadar Vulnerability Manager and Risk Manager
Vulnerability data scores and metric values are returned as CVSS version 3.0 or 3.1.
What’s New in QRadar v7.4.3?
Operational Efficiency
The operational efficiency improvements in QRadar 7.4.3 include adjusting the Asset Cleanup Batch Size Threshold.
Flow Improvements
- Support for ICMPv6 ICMP messages
- New inspector for Kerberos
- New inspector for TFTP
- New “Flow Source Types” field
- Support for more fields from AWS Flow Logs
- New API for managing flow applications
- New API for managing common destination ports
- Improvements to the Ariel Tagged Fields API
What is Changed or Removed?
- You can now set your own password for encrypted log files
- Any authorized services with the “System Administrator” permission are expired, unless they are assigned to the “Admin” security profile
- Several custom properties were either renamed or merged together
QRadar Network Insights
- Simplified installation process
- Deprecation notice for some inspectors
QRadar Incident Forensics
- A new Kerberos inspector is available to parse Kerberos traffic that is sent to trusted third-party authentication providers.
- A new inspector for Trivial File Transfer Protocol (TFTP) network traffic.
What’s New in QRadar v7.4.2?
Operational Efficiency
Adjusting the number of MAC addresses allowed for an asset
DSM Editor Enhancements
Generating regex for parsing event properties
Flow Improvements
- MAC address support
- Accumulated byte and packet counters
- New “Common Destination Port” flow direction algorithms
What is Changed or Removed?
- User authentication with Active Directory (AD) is no longer supported
- GlusterFS no longer supported
QRadar Network Insights
- Support for 40 Gbps connectivity
- QRadar Network Insights 1940 appliance stacking
- Content flows are more easily identified
- New TCP flow direction algorithms
- Easily determine the direction of a content flow
- More descriptive entity alerts
What’s New in QRadar v7.4.1?
DSM Editor Enhancements
- Parsing status is color coded in the user interface to display unparsed and unmapped data
- An Override Delimiter option allows users to parse multiline event payloads more easily in the DSM Editor
- Event ID and Event Category fields copied to Event Mapping
Workflow Enhancements
- IBM QRadar Use Case Manager app installed by default
- QRadar Analyst Workflow to help you investigate offenses
Security Enhancements
- The core Operating System is updated to Red Hat Enterprise Linux® V7.7
Flow Sources Improvements
- Support for the flow ID field in NetFlow V9 flow records
- Support for 40 Gbps Napatech card
What’s New in QRadar v7.4.0?
Performance Enhancements
- Enhanced parsing support for XML events in the DSM Editor
- Combined IPv4 & IPv6 columns to allow for more performant APIs and UIs
- Added support for DSM Parameters in the DSM Editor
- New event details provide extra context to how events are processed.
Application & Framework Enhancements
- Apps can now run in multi-tenanted environments
- Log Source Management app, now multi-tenanted
- QRadar Assistant app can now manage installed applications
- Pulse Dashboard V2.2 is now multi-tenanted and supports dashboard sharing
Security Enhancements
- QRadar 7.4 is upgraded to Red Hat Enterprise Linux V7.6
- SSH tunnel between two managed hosts can now be initiated from the remote host instead of the local host
- A secure email server update allows you to send alerts, reports, or notifications with SMTP authentication and TLS
API & Core Improvements
- Content Management Export API expands the ability to export Custom Rules, Custom Searches, Reports, and required dependencies
- Dynamic Search API allows users to complete advanced queries using a selection of fields available in the Offenses Rest API
- Offense related searches possible in the Dynamic Search API
- QRadar V7.4.0 introduces API V13.0 and marks V11.0 endpoints as deprecated
Events
QRadar events and webinars
Events and webinars are hosted by QRadar experts to discuss technical topics or to present content that the teams feel is beneficial to users and administrators.