QRadar 101

A one-stop experience to help you navigate through content available for supporting QRadar.

News and Notices

Active Directory authentication modules deprecated from QRadar

IBM® is alerting QRadar® administrators to transition from Kerberos-based Active Directory (AD) authentication to the direct Secure Lightweight Directory Access Protocol (LDAPS) implementation as the underlying open source component libraries for Active Directory are no longer supported. This notice is intended to inform administrators that future versions of the QRadar® installer include a check to detect Kerberos-based Active Directory configurations. If the Active Directory module is configured, you must disable the Active Directory authentication module or configure LDAPS authentication before you attempt to upgrade to QRadar 7.4.1 fix pack 1 or QRadar 7.3.3 fix pack 5.

Read about Active Directory authentication changes

Required before 30 November 2020

IBM® is migrating the QRadar auto update servers to a new location in the IBM Cloud for all users globally. The new server location is available now for both daily and weekly QRadar auto updates. Administrators who use IP-based firewall rules in their organization must update their firewall rules and the web server URL in QRadar before 30 November 2020. It is important for administrators to read the associated technical note and start discussions with firewall teams to ensure that automatic updates continue without interruption. QRadar on Cloud appliances are already updated to use the new IBM Cloud auto update server.

Auto update server location changes

QRadar Risk Manager: Adobe Flash end of life

Administrators with QRadar Risk Manager appliances in their deployment are being alerted to changes in Configuration Source Manager due to the approaching end of life of Adobe Flash. Because Adobe Flash is being removed, the Configuration Source Management (CSM) functionality is integrated into the Configuration Monitor on the Risks tab. The updated Configuration Monitor interface is available to administrators who upgrade their QRadar deployment in upcoming fix pack releases.

Flash notice for QRadar Risk Manager

Upcoming changes to support for Napatech SmartNIC cards

Napatech has deprecated support for the NT20E SmartNIC. As a result of this change, future releases of QRadar will not support this network card. Although QRadar 7.4.1 is still under development, customers who install QRadar on their own hardware and who use the NT20E SmartNIC to collect flows will need to consider this change before they upgrade to QRadar 7.4.1 in the future.

QRadar Risk Manager Adapter Bundle 13.1

QRadar Risk Manager Adapter Bundle 13.1 is available on IBM Fix Central. This release adds Juniper JunOS Virtual Interface support and includes multiple adapter updates to close existing problems reported by users for the Cisco IOS, Cisco ASA, Check Point, and Cisco Next-Generation IPS adapters. Adapter Bundle 13.1 supersedes Bundle 13 and is intended for QRadar Risk Manager 7.3.2 and earlier deployments.

View Adapter Bundle 13.1 APARs
Adapter Bundle 13.1 on IBM Fix Central


Auto Updates

Current: 23 November 2020 (Build 1605884354)
View More Updates

Release of a new DSM for Amazon AWS Network Firewalls to collect allow or deny traffic events from S3 buckets that contain flow logs. To collect events, administrators must set up an S3 bucket and an SQS queue, configure SQS queue notifications, and set permissions. The AWS S3 REST API Protocol can retrieve events if the log source created by the administrator has permissions to poll the SQS queue. Administrators without automatic updates enabled must have the latest version of the following RPMs installed to collect and parse events: AWS S3 REST API Protocol, Protocol Common, and the Amazon AWS Network Firewall DSM.

Resolves a reported issue in the McAfee ePolicy Orchestrator DSM where TLS Syslog events can be categorized as ‘Stored’ when the XML event tag uses different capitalization. For example, EPOEvent tags parse correctly, but XML event payloads that use the tag EPOevent did not parse as expected. This RPM release resolves issues that users reported when parsing some TLS Syslog events in McAfee ePolicy Orchestrator version 5.10.

Resolves multiple issues in the ISC BIND Device Support Module (DSM):
1. Resolves an issue where events could be categorized as ‘Stored’ when multiple named instances were configured. For example, ‘named’ instances parsed as expected, whereas ‘named2’ instances caused parsing issues and Stored events.
2. Updated the ISC BIND documentation in the DSM Configuration Guide to list 9.12 as a supported version.

Resolves multiple issues in the Symantec Endpoint Protection DSM:
1. Resolves an issue where ‘Log writing to USB drives’ events could incorrectly be categorized as ‘event continue’ due to a parsing error.
2. Resolves an issue where ‘Firewall Allow’ events can parse as ‘Firewall Block’. This RPM release adds logic that considers the Action field from the event when parsing the payload, correcting the Allow versus Blocked categorization issues.

Resolves an issue in the Google Cloud Audit DSM where Kubernetes events parse as ‘Unknown’. This RPM release adds 23 QIDs for new method names to support parsing and categorization of Kubernetes events.

Features and what’s new

What’s New in QRadar v7.4.1?

DSM Editor Enhancements

  • Parsing status is color coded in the user interface to display unparsed and unmapped data
  • An Override Delimiter option allows users to parse multiline event payloads more easily in the DSM Editor
  • Event ID and Event Category fields copied to Event Mapping

Workflow Enhancements

  • IBM QRadar Use Case Manager app installed by default
  • QRadar Analyst Workflow to help you investigate offenses

Security Enhancements

  • The core Operating System is updated to Red Hat Enterprise Linux® V7.7

Flow Sources Improvements

  • Support for the flow ID field in NetFlow V9 flow records
  • Support for 40 Gbps Napatech card

SFS Release notes
ISO Release notes
Upgrade Guide
What’s new

What’s New in QRadar v7.4.0?

Performance Enhancements

  • Enhanced parsing support for XML events in the DSM Editor
  • Combined IPv4 & IPv6 columns to allow for more performant APIs and UIs
  • Added support for DSM Parameters in the DSM Editor
  • New event details provide extra context to how events are processed

Application & Framework Enhancements

  • Apps can now run in multi-tenanted environments
  • Log Source Management app, now multi-tenanted
  • QRadar Assistant app can now manage installed applications
  • Pulse Dashboard V2.2 is now multi-tenanted and supports dashboard sharing

Security Enhancements

  • QRadar 7.4 is upgraded to Red Hat Enterprise Linux V7.6
  • SSH tunnel between two managed hosts can now be initiated from the remote host instead of the local host
  • A secure email server update allows you to send alerts, reports, or notifications with SMTP authentication and TLS

API & Core Improvements

  • Content Management Export API expands the ability to export Custom Rules, Custom Searches, Reports, and required dependencies
  • Dynamic Search API allows users to complete advanced queries using a selection of fields available in the Offenses Rest API
  • Offense related searches possible in the Dynamic Search API
  • QRadar V7.4.0 introduces API V13.0 and marks V11.0 endpoints as deprecated

Release notes
Upgrade Guide
What’s new

What’s New in QRadar v7.3.3?

Performance Enhancements

  • Enhanced parsing support for Name Value Pair events in the DSM Editor
  • Enhanced parsing support for Generic List events
  • Removing reference data when you uninstall a content extension
  • Export content faster in the DSM Editor

Security Enhancements

Inactivity timeout for user accounts

As an administrator, if you have users who require longer periods of inactivity before they are logged out of the system, you can configure their inactivity timeout threshold individually. The default is 30 minutes.

Flow Improvements

  • A new Flow Aggregation Count field displays the total number of flows that contributed to each aggregated flow
  • VXLAN flow information now available
  • Flow ID enhancements now give unique values to the flow session

QRadar Network Insights

  • New inspector for Remote Desktop Protocol (RDP)
  • New inspector for Berkeley remote commands
  • Protocol name and version information is now available
  • TLS inspector now extracts more data

Release notes
Upgrade Guide
What’s new

What’s New in QRadar v7.3.2?

QRadar Incident Forensics

  • Enhanced custom certificate support
  • Non-administrative users can use Berkeley Packet Filters
  • New protocol inspectors
  • Network Packet Capture improvements

QRadar Network Insights

  • QRadar on Cloud support
  • Basic inspection level now includes application detection
  • Configuration improvements for stacked and stand-alone appliances
  • More control over the appliance inspection level

QRadar Risk Manager

Network Links

Add a Network Link to your topology diagram to represent network hardware that QRadar Risk Manager can’t model in the standard way. A Network Link connects your core network to network branches that are not directly connected to your network or that you don’t control directly.

Release notes
Upgrade Guide
What’s new

What’s New in QRadar v7.4.2?

Operational Efficiency

Adjusting the number of MAC addresses allowed for an asset

DSM Editor Enhancements

Generating regex for parsing event properties

Flow Improvements

  • MAC address support
  • Accumulated byte and packet counters
  • New “Common Destination Port” flow direction algorithms

What is Changed or Removed?

  • User authentication with Active Directory (AD) is no longer supported
  • GlusterFS no longer supported

QRadar Network Insights

  • Support for 40 Gbps connectivity
  • QRadar Network Insights 1940 appliance stacking
  • Content flows are more easily identified
  • New TCP flow direction algorithms
  • Easily determine the direction of a content flow
  • More descriptive entity alerts

SFS Release notes
ISO Release notes
Upgrade Guide
What’s new

IBM prides itself on delivering world-class software support with highly skilled, customer-focused people. QRadar Support is available 24×7 for all high-severity issues. For QRadar resources, technical help, guidance, and information, see our QRadar Support 101 pages.

Contact Support

Find your regional support contact