
QRadar 101

A one-stop experience to help you navigate through content available for supporting QRadar.

News and Notices

Flash notice issued for V7.4.3

11 February: A flash notice with an included workaround has been published for APAR IJ37604 to raise visibility of an issue where QRadar V7.4.3 nightly configuration backups can experience a file decryption issue. If you restore a 7.4.3 configuration backup and experience the issue, certain keys cannot be extracted from the backup. As a result, some services (primarily Tomcat) cannot start as expected, causing user interface and app connection issues. All on-premises QRadar Consoles at 7.4.3 Fix Pack 4 or 7.4.3 Fix Pack 4 Interim Fix 2 are affected by this issue.

Flash notice and workaround

Security bulletins: Risk Manager, DLC, & UBA

20 December 2021: The QRadar Product Security Incident Response Team (PSIRT) has released flash notices this week for QRadar Risk Manager, Disconnected Log Collector and the User Behavior Analytics app, as these products are related to the Log4j CVE-2021-44228 issue. Administrators can review an addendum to the PSIRT blog to help identify affected and not susceptible QRadar SIEM products. Both the Disconnected Log Collector and User Behavior Analytics app security bulletins are linked in the addendum. A QRadar SFS to update Risk Manager appliances is available on QRadar Software 101 as 7.4.3 Fix Pack 4 Interim Fix 2 and 7.3.3 Fix Pack 10 Interim Fix 1 to mitigate the security issues.

Addendum & not susceptible products

IBM Log4j information

12 December 2021: This section is added as a reference for IBM content to assist users looking for information about Log4j and CVE-2021-44228.

  • Detecting Log4j in QRadar Event (15 Dec)
  • IBM X-Force discusses Log4j
  • IBM X-Force collection
  • IBM PSIRT: CVE-2021-44228
  • Kestrel Log4j huntbook
  • Yara rules app and Log4j

QRadar 7.4.3 Fix Pack 4 upgrades

10 December 2021: QRadar Development and Support teams are investigating an issue where multi-distributed NAT networks (multiple NAT groups) can experience extended upgrade times for managed hosts. This issue was initially reported by 7.4.2 users who upgraded to 7.4.3 Fix Pack 4 with multiple NAT groups in their network. A technical note is available for administrators to review before you upgrade to QRadar 7.4.3 Fix Pack 4. If you use multiple NAT groups and plan to upgrade, contact support as described in the technical note.

Technical note

QRadar 7.4.3 Fix Pack 3

30 October: An important issue has been reported for users on QRadar 7.4.3 Fix Pack 3. This issue only affects on-premises QRadar SIEM users and not QRadar on Cloud. QRadar 7.4.3 Fix Pack 3 has been removed from IBM Fix Central and a re-release is planned as QRadar 7.4.3 Fix Pack 4. For more information, read the following technical note from QRadar Support.

QRadar SIEM version 7.4.3 Fix Pack 3 removed


Auto Updates

Current: 09 February 2022 (Build 1644610017)


09 February: Resolved multiple issues in the TLS Syslog Protocol RPM:
  • Enhanced the TLS Syslog protocol to improve performance. This update resolves potential issues where a single thread could be left waiting on input from the last processor, preventing other threads from continuing work when a connection issue or blocker occurs, and prevents situations where threads get stuck.
  • Updated the tool tip help text in the user interface for the Use CN Allowlist and CN Allowlist functions to assist administrators with TLS Syslog protocol configurations.

09 February: Resolves an issue in the IBM AIX Server DSM where users reported sudo commands, even when successful, might categorize as a ‘Sudo Failure’ event when the payload did not reflect a failed sudo request. This RPM release updates failed adaptive pattern checks and includes a DSM Common installation dependency. Administrators who do not use automatic updates, but manually install RPMs on their Console appliance must install the DSM Common, then update the IBM AIX Server DSM.

09 February: Resolves an issue in the Solaris Operating System Authentication Messages DSM where new session audit events can parse as Unknown or Stored due to unexpected extra characters in the payload. This parsing change includes a dependency on the DSM Common framework. Administrators who do not use automatic updates, but manually upgrade DSMs must first install the DSM Common RPM, then install the Solaris Operating System Authentication Messages RPM to ensure events parse properly.

09 February: Resolves an issue where username fields that contain an email address might cause events to categorize as ‘Stored’ unexpectedly. This RPM release updates parsing patterns to allow an email ID as the username in IBM DB2 DSM payloads.

09 February: Enhanced the DSM Common framework with parsing changes for the IBM AIX Server DSM, where a sudo event can unexpectedly categorize as ‘Sudo Failed’ when the payload did not reflect a failed sudo command. This release also includes framework parsing changes for the Sun Solaris Operating System Authentication Messages DSM, where new session audit events can parse as Unknown or Stored due to unexpected extra characters in the payload.

Software Versions

Features and what’s new

What’s New in QRadar v7.4.3?

Operational Efficiency

The operational efficiency improvements in QRadar 7.4.3 include adjusting the Asset Cleanup Batch Size Threshold.

Flow Improvements

  • Support for ICMPv6 ICMP messages
  • New inspector for Kerberos
  • New inspector for TFTP
  • New “Flow Source Types” field
  • Support for more fields from AWS Flow Logs
  • New API for managing flow applications
  • New API for managing common destination ports
  • Improvements to the Ariel Tagged Fields API

What is Changed or Removed?

  • You can now set your own password for encrypted log files
  • Any authorized services with the “System Administrator” permission are expired, unless they are assigned to the “Admin” security profile
  • Several custom properties were either renamed or merged together

QRadar Network Insights

  • Simplified installation process
  • Deprecation notice for some inspectors

QRadar Incident Forensics

  • A new Kerberos inspector is available to parse Kerberos traffic that is sent to trusted third-party authentication providers.
  • A new inspector for Trivial File Transfer Protocol (TFTP) network traffic.

Links: SFS Release notes, ISO Release notes, Upgrade Guide, What’s new

What’s New in QRadar v7.4.2?

Operational Efficiency

Adjusting the number of MAC addresses allowed for an asset

DSM Editor Enhancements

Generating regex for parsing event properties

Flow Improvements

  • MAC address support
  • Accumulated byte and packet counters
  • New “Common Destination Port” flow direction algorithms

What is Changed or Removed?

  • User authentication with Active Directory (AD) is no longer supported
  • GlusterFS no longer supported

QRadar Network Insights

  • Support for 40 Gbps connectivity
  • QRadar Network Insights 1940 appliance stacking
  • Content flows are more easily identified
  • New TCP flow direction algorithms
  • Easily determine the direction of a content flow
  • More descriptive entity alerts

Links: SFS Release notes, ISO Release notes, Upgrade Guide, What’s new

What’s New in QRadar v7.4.1?

DSM Editor Enhancements

  • Parsing status is color coded in the user interface to display unparsed and unmapped data
  • An Override Delimiter option allows users to parse multiline event payloads more easily in the DSM Editor
  • Event ID and Event Category fields copied to Event Mapping

Workflow Enhancements

  • IBM QRadar Use Case Manager app installed by default
  • QRadar Analyst Workflow to help you investigate offenses

Security Enhancements

  • The core Operating System is updated to Red Hat Enterprise Linux® V7.7

Flow Sources Improvements

  • Support for the flow ID field in NetFlow V9 flow records
  • Support for 40 Gbps Napatech card

Links: SFS Release notes, ISO Release notes, Upgrade Guide, What’s new

What’s New in QRadar v7.4.0?

Performance Enhancements

  • Enhanced parsing support for XML events in the DSM Editor
  • Combined IPv4 & IPv6 columns to allow for more performant APIs and UIs
  • Added support for DSM Parameters in the DSM Editor
  • New event details provide extra context to how events are processed.

Application & Framework Enhancements

  • Apps can now run in multi-tenanted environments
  • Log Source Management app, now multi-tenanted
  • QRadar Assistant app can now manage installed applications
  • Pulse Dashboard V2.2 is now multi-tenanted and supports dashboard sharing

Security Enhancements

  • QRadar 7.4 is upgraded to Red Hat Enterprise Linux V7.6
  • SSH tunnel between two managed hosts can now be initiated from the remote host instead of the local host
  • A secure email server update allows you to send alerts, reports, or notifications with SMTP authentication and TLS

API & Core Improvements

  • Content Management Export API expands the ability to export Custom Rules, Custom Searches, Reports, and required dependencies
  • Dynamic Search API allows users to complete advanced queries using a selection of fields available in the Offenses Rest API
  • Offense related searches possible in the Dynamic Search API
  • QRadar V7.4.0 introduces API V13.0 and marks V11.0 endpoints as deprecated

Links: Release notes, Upgrade Guide, What’s new

What’s New in QRadar v7.3.3?

Performance Enhancements

  • Enhanced parsing support for Name Value Pair events in the DSM Editor
  • Enhanced parsing support for Generic List events
  • Removing reference data when you uninstall a content extension
  • Export content faster in the DSM Editor

Security Enhancements

Inactivity timeout for user accounts

As an administrator, if you have users who require longer periods of inactivity before they are logged out of the system, you can configure their inactivity timeout threshold individually. The default is 30 minutes.

Flow Improvements

  • A new Flow Aggregation Count field displays a total number for each flow that contributed.
  • VXLAN flow information now available
  • Flow ID enhancements now give unique values to the flow session

QRadar Network Insights

  • New inspector for Remote Desktop Protocol (RDP)
  • New inspector for Berkeley remote commands
  • Protocol name and version information is now available
  • TLS inspector now extracts more data

Links: Release notes, Upgrade Guide, What’s new

Events

QRadar events and webinars

Events and webinars are hosted by QRadar experts to discuss technical topics or present content teams feel is beneficial to users and administrators.

Events

Open mic events are hosted by QRadar Support to discuss technical topics or present content we feel is beneficial to users. Join an open mic to learn about a topic, ask questions from panelists and learn about QRadar.

IBM prides itself on delivering world class software support with highly skilled, customer-focused people. QRadar Support is available 24×7 for all high severity issues. For QRadar resources, technical help, guidance, and information, see our QRadar Support 101 pages.

Contact Support

Find your regional support contact
