QRadar 101

A one-stop experience to help you navigate through content available for supporting QRadar.

News and Notices

QRadar Security Bulletins issued on 13 July 2020

The IBM Security QRadar Product Security (PSIRT) team published several security bulletins on 13 July 2020 for QRadar V7.3.3 and V7.4.0 administrators. Software that mitigates the listed CVEs is available as QRadar 7.4.0 Fix Pack 3 and QRadar 7.3.3 Fix Pack 4 on IBM Fix Central. QRadar Support recommends that administrators review the published bulletins and click the CVE numbers to read about each issue and determine whether their QRadar deployment is affected. To assist administrators, we recently updated the QRadar Master Software List to include clickable links that filter for security bulletins.

13 July 2020: Security Bulletins
QRadar Master Software List

QRadar M4 V7.0.0 firmware is released

A new firmware release is available for administrators with QRadar M4 appliances. This release includes updates for UEFI, IMM2, DSA, and RAID controllers. The update resolves several security issues; CVE links are provided in the release notes. Administrators can update appliances remotely by downloading an EXE file that contains an ISO image, which is installed through the IMM. Alternatively, administrators who are on-premises with their appliances can update M4 appliance firmware from a USB flash drive.

1U M4 USB (local)
2U M4 USB (local)
1U M4 ISO/IMM (remote install)
2U M4 ISO/IMM (remote install)

QRadar lifecycle technical note updated

A reminder to QRadar administrators that the support exception for QRadar 7.3.2 and QRadar 7.3.3 expires on 6 July 2020. Administrators on older versions of QRadar can review the lifecycle technical note for information about software and hardware support.

IBM QRadar Support Lifecycle

Upcoming changes to support for Napatech SmartNIC cards

Napatech has deprecated support for the NT20E SmartNIC. As a result, future releases of QRadar will not support this network card. Although QRadar 7.4.1 is still under development, customers who install QRadar on their own hardware and use the NT20E SmartNIC to collect flows must plan for this change before they upgrade to QRadar 7.4.1.

QRadar Risk Manager Adapter Bundle 13.1

QRadar Risk Manager Adapter Bundle 13.1 is available on IBM Fix Central. This release adds Juniper JunOS virtual interface support and includes multiple adapter updates that close existing problems reported by users for the Cisco IOS, Cisco ASA, Check Point, and Cisco Next-Generation IPS adapters. Adapter Bundle 13.1 supersedes Bundle 13 and is intended for QRadar Risk Manager 7.3.2 and earlier deployments.

View Adapter Bundle 13.1 APARs
Adapter Bundle 13.1 on IBM Fix Central


Auto Updates

Current: 09 July 2020 (1593895696)

Resolves multiple issues in the Aruba ClearPass Policy Manager DSM:
1. Resolves an issue where several events from Aruba ClearPass Insight logs were parsing as 'Unknown'. This RPM release adds parsing for several predefined and default Insight log event types to prevent 'Unknown' events, such as RADIUS Authentication, TACACS Authentication, WebAUTH, Application Authentication, Endpoints, Onboard, Posture, and Guest Access events.
2. Resolves a spelling error in the field name Tacacs.Auth-Source, which caused events to categorize as 'Unknown Aruba ClearPass'.
The weekly auto update published on 15 July 2020 includes this change.

Enhanced the Microsoft DHCP Server device support module (DSM) to add parsing and categorization for French and Spanish language DHCP events. The weekly auto update published on 15 July 2020 includes this change.

Enhanced the VMware vCloud Director protocol to add troubleshooting test cases to the QRadar Log Source Management (LSM) app. Administrators with Log Source Management app V5.0.0 or later and QRadar 7.3.2 Patch 3 or later can test protocol configurations when they add or edit VMware vCloud protocol-based log sources. The weekly auto update published on 15 July 2020 includes this change.

Resolves an issue where Check Point events categorize as ‘Stored’ for compliance events. This RPM release adds parsing for compliance events sent as non-LEEF formatted payloads. The weekly auto update published on 15 July 2020 includes this change.

Resolves an issue where users who use the API or the Log Source Management app to update log sources can experience 'invalid certificate filename' errors that prevent the log source from saving properly. This issue is identified in APAR IJ19050: 'Error: Invalid certificate filename when using the log source management app to configure a Check Point log source'. This protocol update corrects the certificate validation issue so that QRadar 7.4 administrators can save their Check Point log sources from the Log Source Management app.


Features and what’s new

What’s New in QRadar v7.4.0?

Performance Enhancements

  • Enhanced parsing support for XML events in the DSM Editor
  • Combined IPv4 & IPv6 columns to allow for more performant APIs and UIs
  • Added support for DSM Parameters in the DSM Editor
  • New event details provide extra context on how events are processed

Application & Framework Enhancements

  • Apps can now run in multi-tenanted environments
  • Log Source Management app, now multi-tenanted
  • QRadar Assistant app can now manage installed applications
  • Pulse Dashboard V2.2 is now multi-tenanted and supports dashboard sharing

Security Enhancements

  • QRadar 7.4 is upgraded to Red Hat Enterprise Linux V7.6
  • SSH tunnel between two managed hosts can now be initiated from the remote host instead of the local host
  • A secure email server update allows you to send alerts, reports, or notifications with SMTP authentication and TLS

API & Core Improvements

  • Content Management Export API expands the ability to export Custom Rules, Custom Searches, Reports, and required dependencies
  • Dynamic Search API allows users to complete advanced queries using a selection of fields available in the Offenses REST API
  • Offense related searches possible in the Dynamic Search API
  • QRadar V7.4.0 introduces API V13.0 and marks V11.0 endpoints as deprecated

Release notes
Upgrade Guide
What's new

What’s New in QRadar v7.3.3?

Performance Enhancements

  • Enhanced parsing support for Name Value Pair events in the DSM Editor
  • Enhanced parsing support for Generic List events
  • Reference data is removed when you uninstall a content extension
  • Export content faster in the DSM Editor

Security Enhancements

Inactivity timeout for user accounts

As an administrator, if you have users who require longer periods of inactivity before they are logged out of the system, you can configure their inactivity timeout threshold individually. The default is 30 minutes.

Flow Improvements

  • A new Flow Aggregation Count field displays, for each aggregated flow, the total number of flows that contributed to it
  • VXLAN flow information now available
  • Flow ID enhancements now give unique values to the flow session

QRadar Network Insights

  • New inspector for Remote Desktop Protocol (RDP)
  • New inspector for Berkeley remote commands
  • Protocol name and version information is now available
  • TLS inspector now extracts more data

Release notes
Upgrade Guide
What's new

What’s New in QRadar v7.3.2?

QRadar Incident Forensics

  • Enhanced custom certificate support
  • Non-administrative users can use Berkeley Packet Filters
  • New protocol inspectors
  • Network Packet Capture improvements

QRadar Network Insights

  • QRadar on Cloud support
  • Basic inspection level now includes application detection
  • Configuration improvements for stacked and stand-alone appliances
  • More control over the appliance inspection level

QRadar Risk Manager

Network Links

Add a Network Link to your topology diagram to represent network hardware that QRadar Risk Manager can’t model in the standard way. A Network Link connects your core network to network branches that are not directly connected to your network or that you don’t control directly.

Release notes
Upgrade Guide
What's new

IBM prides itself on delivering world class software support with highly skilled, customer-focused people. QRadar Support is available 24×7 for all high severity issues. For QRadar resources, technical help, guidance, and information, see our QRadar Support 101 pages.

Contact Support

Find your regional support contact
