QRadar 101

A one-stop experience to help you navigate through content available for supporting QRadar.

News and Notices

Important: A critical qchange_netsetup issue identified

The 14 April 2021 weekly auto update disables qchange_netsetup for all users to ensure that administrators can complete network changes and avoid a critical issue on older QRadar versions. Administrators are advised to upgrade to a version with the qchange_netsetup fix, such as 7.4.2 Fix Pack 3 or 7.3.3 Fix Pack 7. If you are unable to upgrade at this time, the flash notice issued for IJ31239 includes instructions on how to enable qchange_netsetup.

Instructions to enable qchange_netsetup (APAR IJ31239)

Updated: Deploy changes service issue

An updated flash notice has been issued for administrators that includes a workaround to resolve the “Waiting for license…” service issue. QRadar Support is notifying all users of a single-line command that must be run on the Console appliance to resolve this issue. If you previously received support or an updated JAR file, you must still complete the procedure in the updated technical note on your QRadar Console.

Read the flash notice

F5 Networks vulnerability monitoring with QRadar

Read this blog post to learn how to use QRadar to detect new vulnerabilities in F5 Networks Big-IP and Big-IQ. Fixes are available for both products, and this article guides users on how to use the F5 Networks detection utility and how to monitor for F5 product updates by device version.

Read the QRadar blog
Read the F5 blog

New! M5 and M6 QRadar firmware on IBM Fix Central

QRadar administrators with Lenovo xSeries M5 and M6 appliances can download new firmware updates from IBM Fix Central. The QRadar development team offers two download options for administrators:

  1. An EXE file that contains an ISO to remotely update appliances over IMM2 or XCC.
  2. An IMG file to create a USB flash drive for users who are on site with their appliances.

These firmware releases update UEFI, IMM/XCC, HDD drivers, and RAID controllers, and also resolve reported vulnerabilities as listed in the release notes. For more information, see the release notes:

M5 V6.0.0 ISO release notes
M5 V6.0.0 USB release notes
M6 V3.1.0 ISO release notes
M6 V3.1.0 USB release notes

QRadar on Cloud Support FAQ

A new technical note is available from the IBM Support Team for QRadar on Cloud users to address common questions we receive. This technical note contains information on basic troubleshooting, access issues, common Data Gateway questions, and more.

QRadar on Cloud: Support FAQ and common questions

Custom Property Dictionary Content Pack

The Custom Property Dictionary is a new content pack that contains only CEP Definitions, no expressions. The goal of this release is to normalize Custom Properties the same way it is done for DSMs, where Source IP or Username is a consistent definition used to parse data. This content pack creates a base set of custom property names that everyone can use for future content releases from IBM or IBM Business Partners. For example, use ‘URL’ instead of unique naming conventions like ‘Bluecoat_URL’. These definitions are intended to orient users and build common naming definitions within QRadar for future rules, searches, and reporting.

Read the documentation
Custom Property Dictionary Download

Auto Updates

Current: 14 April 2021 (Build 1618430623)

14 April: No RPM file updates were delivered in this QRadar weekly auto update. All changes for 14 April 2021 were completed as QID changes, which do not require an RPM file from the QRadar Integration Team. For more information, see the QIDMAP tab.

06 April: Resolves multiple issues in this release:

  1. Resolves a reported issue where Sophos Astaro Security Gateway version 17.5 devices use a new Syslog format for events. This RPM release updates parsing patterns to ensure the DSM can parse and categorize events that use the new Syslog format.
  2. Adds support for parsing OpenVPN events and events from other services, such as pluto, awed, argos, awclient, dhcpd, hostapd, and audid, as some events did not parse as expected.
  3. Administrators who manually update RPMs from the command line should confirm that they also have the latest version of the DSM Common framework installed. The Sophos Astaro Security Gateway RPM includes parsing dependencies contained in DSM Common.

06 April: Resolves multiple issues in the LEA protocol:

  1. Resolves an issue in the QRadar Log Source Management app (7.3 version only) where the Specify Certificate field in the log source might not display all configuration options to the user when the field is toggled on. All configuration parameters should correctly display to the user after this RPM update.
  2. Resolves an issue in the LEA protocol where a certificate auto download was attempted even when the certificate had previously been copied manually. This update ensures a new certificate retrieval is not started if the conditions to pull the certificate are not fully met. This change prevents unintended ‘-93 The referred entity does not exist in the Certificate Authority’ error messages when users update certain log source parameters.

06 April: Resolves an issue where McAfee ePolicy Orchestrator events were categorized as ‘Stored’ when the event payload did not contain a CommonFields value, which could cause Source IP parsing issues. This RPM release includes an event ID review that identifies payloads that might parse as ‘Unknown McAfee ePolicy Orchestrator’ or ‘Stored’.

06 April: Enhanced the DSM Common framework to add support for parsing OpenVPN events and events from other services, such as pluto, awed, argos, awclient, dhcpd, hostapd, and audid, as some service events did not parse as expected. This RPM release adds parsing changes for shared services whose events can appear in Sophos Astaro Security Gateway payloads, to ensure they parse properly.

Features and what’s new

What’s New in QRadar v7.4.1?

DSM Editor Enhancements

  • Parsing status is color coded in the user interface to display unparsed and unmapped data
  • An Override Delimiter option allows users to parse multiline event payloads more easily in the DSM Editor
  • Event ID and Event Category fields copied to Event Mapping

Workflow Enhancements

  • IBM QRadar Use Case Manager app installed by default
  • QRadar Analyst Workflow to help you investigate offenses

Security Enhancements

  • The core Operating System is updated to Red Hat Enterprise Linux® V7.7

Flow Sources Improvements

  • Support for the flow ID field in NetFlow V9 flow records
  • Support for 40 Gbps Napatech card

SFS Release notes
ISO Release notes
Upgrade Guide
What’s new

What’s New in QRadar v7.4.0?

Performance Enhancements

  • Enhanced parsing support for XML events in the DSM Editor
  • Combined IPv4 & IPv6 columns to allow for more performant APIs and UIs
  • Added support for DSM Parameters in the DSM Editor
  • New event details provide extra context to how events are processed.

Application & Framework Enhancements

  • Apps can now run in multi-tenanted environments
  • Log Source Management app, now multi-tenanted
  • QRadar Assistant app can now manage installed applications
  • Pulse Dashboard V2.2 is now multi-tenanted and supports dashboard sharing

Security Enhancements

  • QRadar 7.4 is upgraded to Red Hat Enterprise Linux V7.6
  • SSH tunnel between two managed hosts can now be initiated from the remote host instead of the local host
  • A secure email server update allows you to send alerts, reports, or notifications with SMTP authentication and TLS

API & Core Improvements

  • Content Management Export API expands the ability to export Custom Rules, Custom Searches, Reports, and required dependencies
  • Dynamic Search API allows users to complete advanced queries using a selection of fields available in the Offenses Rest API
  • Offense related searches possible in the Dynamic Search API
  • QRadar V7.4.0 introduces API V13.0 and marks V11.0 endpoints as deprecated

Release notes
Upgrade Guide
What’s new

What’s New in QRadar v7.3.3?

Performance Enhancements

  • Enhanced parsing support for Name Value Pair events in the DSM Editor
  • Enhanced parsing support for Generic List events
  • Removing reference data when you uninstall a content extension
  • Export content faster in the DSM Editor

Security Enhancements

Inactivity timeout for user accounts

As an administrator, if you have users who require longer periods of inactivity before they are logged out of the system, you can configure their inactivity timeout threshold individually. The default is 30 minutes.

Flow Improvements

  • A new Flow Aggregation Count field displays a total number for each flow that contributed.
  • VXLAN flow information now available
  • Flow ID enhancements now give unique values to the flow session

QRadar Network Insights

  • New inspector for Remote Desktop Protocol (RDP)
  • New inspector for Berkeley remote commands
  • Protocol name and version information is now available
  • TLS inspector now extracts more data

Release notes
Upgrade Guide
What’s new

What’s New in QRadar v7.3.2?

QRadar Incident Forensics

  • Enhanced custom certificate support
  • Non-administrative users can use Berkeley Packet Filters
  • New protocol inspectors
  • Network Packet Capture improvements

QRadar Network Insights

  • QRadar on Cloud support
  • Basic inspection level now includes application detection
  • Configuration improvements for stacked and stand-alone appliances
  • More control over the appliance inspection level

QRadar Risk Manager

Network Links

Add a Network Link to your topology diagram to represent network hardware that QRadar Risk Manager can’t model in the standard way. A Network Link connects your core network to network branches that are not directly connected to your network or that you don’t control directly.

Release notes
Upgrade Guide
What’s new

What’s New in QRadar v7.4.2?

Operational Efficiency

Adjusting the number of MAC addresses allowed for an asset

DSM Editor Enhancements

Generating regex for parsing event properties

Flow Improvements

  • MAC address support
  • Accumulated byte and packet counters
  • New “Common Destination Port” flow direction algorithms

What is Changed or Removed?

  • User authentication with Active Directory (AD) is no longer supported
  • GlusterFS no longer supported

QRadar Network Insights

  • Support for 40 Gbps connectivity
  • QRadar Network Insights 1940 appliance stacking
  • Content flows are more easily identified
  • New TCP flow direction algorithms
  • Easily determine the direction of a content flow
  • More descriptive entity alerts

SFS Release notes
ISO Release notes
Upgrade Guide
What’s new

IBM prides itself on delivering world class software support with highly skilled, customer-focused people. QRadar Support is available 24×7 for all high severity issues. For QRadar resources, technical help, guidance, and information, see our QRadar Support 101 pages.

Contact Support

Find your regional support contact