QRadar 101

A one-stop experience to help you navigate through content available for supporting QRadar.

News and Notices

Replays for Master Skills 2021

17 September: Users can watch replays for the Threat Detection, Advanced Searching, and Network & Behavior Analytics session tracks. All sessions, with the exception of the live sessions, are now posted and available for review. If you missed a QRadar session, use the provided link to watch a replay. The live sessions are expected to be posted in the next 7-10 days.

Links: QRadar replays | All topic replays

QVM External Scan service changes

1 September: On 1 September 2021 the QRadar Vulnerability Manager external scanners (DMZ scans) are being moved to an IBM Cloud location. Administrators need to contact their corporate firewall teams to allow outbound access to 158.177.51.62:443 and then complete a full deploy from the Console. If external scans are stuck at 1% on or after 1 September 2021, the network path to the new IBM Cloud scanners is likely blocked. For more information, review the technical note on this change.

Links: QVM external scan service changes

Palo Alto Networks PanOS v10

2 September 2021: As part of a recent Palo Alto PA Series DSM update, IBM added support for new recorded log types, including GlobalProtect. This integration extends QRadar's visibility into, and ability to correlate, activity on Palo Alto Next-Generation Firewalls.

Links: Blog | Documentation | Custom Property content

Use Case Manager 3.3.0

31 August 2021: An updated version of the Use Case Manager app (V3.3.0) is released. This update adds several improvements:

  1. Support for custom rule attributes. Define a custom rule attribute and its values, assign the custom attribute values to a rule, and add the custom attribute as a column in Use Case Explorer.
  2. Updates for V9 of the MITRE ATT&CK framework.
  3. An option to delete one or more user rules that are selected in Use Case Explorer.
  4. Improved report filtering.

Links: Get Use Case Manager V3.3.0

Important: QRadar 7.4.3 issue identified

12 August 2021: A small number of users reported an upgrade issue in QRadar 7.4.3 and QRadar 7.4.3 Fix Pack 1, as described in the Security Bulletin for CVE-2021-29880. If you installed an affected software version, QRadar Support asks that administrators confirm whether domains are enabled on the Console. If you use an affected software version and domains are configured, open a case so the support team can review your Console.

Links: Support Flash Notice | Security Bulletin: CVE-2021-29880

Auto Updates

Current: 21 September 2021 (Build 1632187484)
21 September: Resolves a reported issue in the Cisco Firewall Devices DSM where ACL permitted or denied events (ASA-6-106100) could parse incorrectly because of a new message format. This RPM release updates the parsing pattern for ASA-6-106100 so that the full payload parses and categorizes correctly.

21 September: Resolves multiple issues in the Amazon AWS S3 REST API protocol:

  1. Adds flow parsing support for all custom Amazon Virtual Private Cloud (VPC) Flow Logs fields in versions V3, V4, and V5.
  2. Sets the Source IP address and Destination IP address to 0.0.0.0, instead of using the loopback or Event Collector IP address, when there is no network information in the payload.
  3. Adds a user interface option in the Amazon REST API protocol for "Assume IAM Role".
  4. Resolves an issue where the test tool built into the Log Source Management app could run out of memory (OOM) because of the number of files downloaded, as described in APAR IJ33802.

Software Versions

Features and what’s new

What’s New in QRadar v7.4.3?

Operational Efficiency

The operational efficiency improvements in QRadar 7.4.3 include the ability to adjust the Asset Cleanup Batch Size Threshold.

Flow Improvements

  • Support for ICMPv6 messages
  • New inspector for Kerberos
  • New inspector for TFTP
  • New “Flow Source Types” field
  • Support for more fields from AWS Flow Logs
  • New API for managing flow applications
  • New API for managing common destination ports
  • Improvements to the Ariel Tagged Fields API

What is Changed or Removed?

  • You can now set your own password for encrypted log files
  • Any authorized services with the "System Administrator" permission are expired unless they are assigned to the "Admin" security profile
  • Several custom properties were either renamed or merged together

QRadar Network Insights

  • Simplified installation process
  • Deprecation notice for some inspectors

QRadar Incident Forensics

  • A new Kerberos inspector is available to parse Kerberos traffic that is sent to trusted third-party authentication providers.
  • A new inspector for Trivial File Transfer Protocol (TFTP) network traffic.

Links: SFS Release notes | ISO Release notes | Upgrade Guide | What's new

What’s New in QRadar v7.4.2?

Operational Efficiency

Adjusting the number of MAC addresses allowed for an asset

DSM Editor Enhancements

Generating regex for parsing event properties

Flow Improvements

  • MAC address support
  • Accumulated byte and packet counters
  • New “Common Destination Port” flow direction algorithms

What is Changed or Removed?

  • User authentication with Active Directory (AD) is no longer supported
  • GlusterFS no longer supported

QRadar Network Insights

  • Support for 40 Gbps connectivity
  • QRadar Network Insights 1940 appliance stacking
  • Content flows are more easily identified
  • New TCP flow direction algorithms
  • Easily determine the direction of a content flow
  • More descriptive entity alerts

Links: SFS Release notes | ISO Release notes | Upgrade Guide | What's new

What’s New in QRadar v7.4.1?

DSM Editor Enhancements

  • Parsing status is color coded in the user interface to show unparsed and unmapped data
  • An Override Delimiter option lets users parse multiline event payloads more easily in the DSM Editor
  • Event ID and Event Category fields copied to Event Mapping

Workflow Enhancements

  • IBM QRadar Use Case Manager app installed by default
  • QRadar Analyst Workflow to help you investigate offenses

Security Enhancements

  • The core Operating System is updated to Red Hat Enterprise Linux® V7.7

Flow Sources Improvements

  • Support for the flow ID field in NetFlow V9 flow records
  • Support for 40 Gbps Napatech card

Links: SFS Release notes | ISO Release notes | Upgrade Guide | What's new

What’s New in QRadar v7.4.0?

Performance Enhancements

  • Enhanced parsing support for XML events in the DSM Editor
  • Combined IPv4 and IPv6 columns to allow for more performant APIs and user interfaces
  • Added support for DSM Parameters in the DSM Editor
  • New event details provide extra context on how events are processed

Application & Framework Enhancements

  • Apps can now run in multi-tenanted environments
  • Log Source Management app is now multi-tenanted
  • QRadar Assistant app can now manage installed applications
  • Pulse Dashboard V2.2 is now multi-tenanted and supports dashboard sharing

Security Enhancements

  • QRadar 7.4 is upgraded to Red Hat Enterprise Linux V7.6
  • The SSH tunnel between two managed hosts can now be initiated from the remote host instead of the local host
  • A secure email server update lets you send alerts, reports, or notifications with SMTP authentication and TLS

API & Core Improvements

  • Content Management Export API expands the ability to export Custom Rules, Custom Searches, Reports, and required dependencies
  • Dynamic Search API allows users to run advanced queries using a selection of fields available in the Offenses REST API
  • Offense related searches possible in the Dynamic Search API
  • QRadar V7.4.0 introduces API V13.0 and marks V11.0 endpoints as deprecated

Links: Release notes | Upgrade Guide | What's new

What’s New in QRadar v7.3.3?

Performance Enhancements

  • Enhanced parsing support for Name Value Pair events in the DSM Editor
  • Enhanced parsing support for Generic List events
  • Reference data is removed when you uninstall a content extension
  • Export content faster in the DSM Editor

Security Enhancements

Inactivity timeout for user accounts

As an administrator, if you have users who require longer periods of inactivity before they are logged out of the system, you can configure each user's inactivity timeout threshold individually. The default is 30 minutes.

Flow Improvements

  • A new Flow Aggregation Count field displays a total number for each flow that contributed.
  • VXLAN flow information now available
  • Flow ID enhancements now give unique values to the flow session

QRadar Network Insights

  • New inspector for Remote Desktop Protocol (RDP)
  • New inspector for Berkeley remote commands
  • Protocol name and version information is now available
  • TLS inspector now extracts more data

Links: Release notes | Upgrade Guide | What's new

Events

QRadar events and webinars

Events and webinars are hosted by QRadar experts to discuss technical topics or to present content that the teams feel is beneficial to users and administrators.

Events

Open mic events are hosted by QRadar Support to discuss technical topics or to present content we feel is beneficial to users. Join an open mic to learn about a topic, ask questions of the panelists, and learn about QRadar.

IBM prides itself on delivering world-class software support with highly skilled, customer-focused people. QRadar Support is available 24×7 for all high-severity issues. For QRadar resources, technical help, guidance, and information, see our QRadar Support 101 pages.

Contact Support

Find your regional support contact