QRadar 101

• Operating system updated to Red Hat® Enterprise Linux® version 7.9.
• Local Only authentication allows administrators to prevent unintended access to users with accounts in external authentication systems.
• Use secure boot to ensure that only trusted kernels and kernel modules are loaded
• Two new offense rule tests: ‘when an offense is closed’ and ‘when an offense is modified’
• A new AQL OFFENSE_TIME function to increase the speed of your offense queries
• A new AQL DISTINCTCOUNT function to return the unique count of the value in an aggregate
• Encryption of managed hosts enabled by default

• Support for IPFIX bidirectional flows
• Multi-threaded processing for external flow sources
• Sequence number verification
• Support for Network Address Translation fields from IPFIX and NetFlow v9
• New application determination algorithms
• Support for more fields from AWS VPC flow logs
• Alias Autodetection field is renamed to DNS lookup for Alias Autodetection
• Flow direction algorithms are now applied at the beginning of the flow parsing process
• You can no longer delete the ‘Uncategorized’ category for tagged flow fields from your system
• Only relevant IPFIX fields are encoded into the payload and extra fieds are added as TLV elements

The hashing algorithm default is changed to SHA-512 for all Ariel hashing. Several algorithms, such as MD-2, MD-5, HMAC-MD5 are removed.

• Network inspection performance
• Performance improvements for the QRadar Network Insights 6500 appliance
• Modified process for identifying file types
• More integration with IBM X-Force
• Improved application detection
• Data aggregation and segmentation improvements
• Some inspectors are no longer supported, such as web domain, Myspace protocol, and SPDY.

During the upgrade to QRadar Incident Forensics 7.5.0, case data is exported and then imported back into the QRadar Incident Forensics managed host. As a result, the upgrade process takes longer to complete than in previous releases.

Vulnerability data scores and metric values are returned as CVSS version 3.0 or 3.1.

The operational efficiency improvements in QRadar 7.4.3 include adjusting the Asset Cleanup Batch Size Threshold.

• Support for ICMPv6 ICMP messages
• New inspector for Kerberos
• New inspector for TFTP
• New “Flow Source Types” field
• Support for more fields from AWS Flow Logs
• New API for managing flow applications
• New API for managing common destination ports
• Improvements to the Ariel Tagged Fields API

• You can now set your own password for encrypted log files
• Any authorized services with the “System Administrator” permission are expired, unless they are assigned to the “Admin” security profile
• Several custom properties were either renamed or merged together

• Simplified installation process
• Deprecation notice for some inspectors

• A new Kerberos inspector is available to parse Kerberos traffic that is sent to trusted third-party authentication providers.
• A new inspector for Trivial File Transfer Protocol (TFTP) network traffic.

Adjusting the number of MAC addresses allowed for an asset

Generating regex for parsing event properties

• MAC address support
• Accumulated byte and packet counters
• New “Common Destination Port” flow direction algorithms

• User authentication with Active Directory (AD) is no longer supported
• GlusterFS no longer supported

• Support for 40 Gbps connectivity
• QRadar Network Insights 1940 appliance stacking
• Content flows are more easily identified
• New TCP flow direction algorithms
• Easily determine the direction of a content flow
• More descriptive entity alerts

• Parsing status is color coded in the user interface to display unparsed and unmapped data
• An Override Delimiter option allows users to parse multiline event payloads more easily in the DSM Editor
• Event ID and Event Category fields copied to Event Mapping

• IBM QRadar Use Case Manager app installed by default
• QRadar Analyst Workflow to help you investigate offenses

• The core Operating System is updated to Red Hat Enterprise Linux® V7.7

• Support for the flow ID field in NetFlow V9 flow records
• Support for 40 Gbps Napatech card

• Enhanced parsing support for XML events in the DSM Editor
• Combined IPv4 & IPv6 columns to allow for more performant APIs and UIs
• Added support for DSM Parameters in the DSM Editor
• New event details provide extra context to how events are processed.

• Apps can now run in multi-tenanted environments
• Log Source Management app, now multi-tenanted
• QRadar Assistant app can now manage installed applications
• Pulse Dashboard V2.2 is now multi-tenanted and supports dashboard sharing

• QRadar 7.4 is upgraded to Red Hat Enterprise Linux V7.6
• SSH tunnel between two managed hosts can now be initiated from the remote host instead of the local host
• A secure email server update allows you to send alerts, reports, or notifications with SMTP authentication and TLS

• Content Management Export API expands the ability to export Custom Rules, Custom Searches, Reports, and required dependencies
• Dynamic Search API allows users to complete advanced queries using a selection of fields available in the Offenses Rest API
• Offense related searches possible in the Dynamic Search API
• QRadar V7.4.0 introduces API V13.0 and marks V11.0 endpoints as deprecated