Topic
  • 7 replies
  • Latest Post - ‏2014-08-07T12:55:34Z by sxs
Jonathan.Pechta (IBM)
139 Posts

Pinned topic News! QRadar 7.2.2 Patch 1 is released

‏2014-04-28T15:36:18Z |

I just wanted to put up a new notice to inform everyone that QRadar 7.2.2 Patch 1 is released and available on Fix Central.

 

You might notice that we are not offering an upgrade to QRadar 7.2.2, but instead releasing an SFS file for customers to upgrade directly to QRadar 7.2.2 Patch 1. This is intended, as we want customers to upgrade directly to Patch 1. There will be an ISO posted for new appliance installs for QRadar 7.2.2; however, those customers installing new appliances should also install the SFS file listed below to update those appliances to QRadar 7.2.2 Patch 1.

 

Information for users at QRadar 7.1 MR2

As mentioned in the install instructions, this fix pack requires QRadar 7.1 MR2 (7.1.2.519185) or above. It is recommended that users at 7.1 MR2 review the upgrade guide before they start an installation. An Asset Profile update requires administrators to decide on how to migrate asset data on their system when they apply the fix pack. The section "Upgrade considerations for your asset data" should be reviewed if you are on QRadar 7.1 MR2 and updating your system to QRadar 7.2 MR1 Patch 2. The upgrade guide can be found here: https://ibm.biz/BdR2Uj.

 

Note: IBM's link shortener uses IBM.biz. I know it seems strange, but IBM.biz shortened URLs are official.

 

As always, feel free to ask a question here or in the forums if you have a patch (fix pack) specific question.

Updated on 2014-04-30T17:42:20Z at 2014-04-30T17:42:20Z by Jonathan.Pechta (IBM)
  • thloeber
    thloeber
    11 Posts

    Re: News! QRadar 7.2.2 Patch 1 is released

    ‏2014-04-29T10:55:44Z  

    What new functionality, if any, is included in 7.2.2?

  • Jonathan.Pechta (IBM)
    139 Posts

    Re: News! QRadar 7.2.2 Patch 1 is released

    ‏2014-04-29T13:24:41Z  
    • thloeber
    • ‏2014-04-29T10:55:44Z

    What new functionality, if any, is included in 7.2.2?

    Here is a list of the features announced. The full announcement is available here: IBM QRadar 7.2.2 Announcement Information.

    IBM Security QRadar SIEM, IBM Security QRadar Log Manager, and IBM Security QRadar Network Anomaly Detection new capabilities:

    IBM Security QRadar Risk Manager new capabilities:

    IBM Security QRadar Vulnerability Manager new capabilities:

     

     

    Hope this helps...if you have additional questions about a feature, feel free to ask.

    Updated on 2014-04-29T13:26:18Z at 2014-04-29T13:26:18Z by Jonathan.Pechta (IBM)
  • thloeber
    thloeber
    11 Posts

    Re: News! QRadar 7.2.2 Patch 1 is released

    ‏2014-06-11T17:54:33Z  

    Where can I get information/details on the new QRadar Data Node feature?

  • Jonathan.Pechta (IBM)
    139 Posts

    Re: News! QRadar 7.2.2 Patch 1 is released

    ‏2014-06-11T20:36:26Z  
    • thloeber
    • ‏2014-06-11T17:54:33Z

    Where can I get information/details on the new QRadar Data Node feature?

    thloeber,

     

    The information is a little scattered. However, I will give you a short explanation of this new appliance and then try to follow up my post with a link after I locate you an official source.

     

    What is a data node?

    A data node appliance is offered as an appliance, software install on your own hardware, or offered as a VM license. Data node in essence is a dedicated storage and search appliance that allows Event Processors/Flow Processors to scale up capability by adding snap-in storage and search performance. These appliances can be added to event or flow processors and as data comes in, the EP/FP distributes the data across however many nodes are available, which provides a significant search improvement and storage improvement. As data nodes are added, the system automatically balances incoming event or flow data across the EP or FP that they are attached to.

     

    Can you give me an example?

    Let's say I have an EP that is receiving 20,000 events per second. As you start adding data nodes (appliances, VMs, on your own hardware... however you decide to add them) the EP is going to look for available data nodes and automatically start distributing events across each available node. So, if you have your EP and 3 data nodes, the 20,000 EPS is going to be broken down to 5,000 EPS across each device with 5k going to the EP storage and 5k going to each data node.

     

    How many data nodes can I have?

    There is no limit to the number of data nodes that you can have in your deployment.

     

    What happens when a node drops offline?

    When a data node drops offline, then the system rebalances and redistributes the incoming events to any available data nodes.

     

    I am reaching the storage limit and my data is compressed making my searches slow. How does data node help?

    Data nodes, when added to an EP/FP, will start to uncompress and move the existing data to distribute it across any nodes that are attached to the EP/FP. I am not in sales, but I've heard it is an easy way to add storage and also improve search performance at the same time as compared to just adding storage through a SAN. I do know that each data node can support up to 100TB of storage. However, I do not know how much storage is available in our standard appliance.

    I think our Hardware Guide provides some info on default storage: http://public.dhe.ibm.com/software/security/products/qradar/documents/7.2.2/QRadar/EN/QRadar_Hardware_Guide_7.2.2_en.pdf

     

    As mentioned, I will see if there is a presentation that outlines this in more detail. If you have questions, you can start up a new post in the General forum and we can discuss data nodes in more detail there.

     

    Hope this helps....

     

     

    -----

    Our first support webcast is announced for June 18th @ 11am EST (webcast details: http://bit.ly/1wUIT32).
    To vote on topics you are interested in for future webcasts, see our anonymous survey https://www.surveymonkey.com/s/QRadarOpenmic.

     

    Updated on 2014-06-11T20:59:32Z at 2014-06-11T20:59:32Z by Jonathan.Pechta (IBM)
  • sxs
    sxs
    2 Posts

    Re: News! QRadar 7.2.2 Patch 1 is released

    ‏2014-08-07T06:54:27Z  

    Jonathan,

     

    Thanks for this information! Really useful.

    Can you also share links for downloading the software for Data nodes to test it out in environment?!

     

     

  • Jonathan.Pechta (IBM)
    139 Posts

    Re: News! QRadar 7.2.2 Patch 1 is released

    ‏2014-08-07T12:46:32Z  
    • sxs
    • ‏2014-08-07T06:54:27Z

    Jonathan,

     

    Thanks for this information! Really useful.

    Can you also share links for downloading the software for Data nodes to test it out in environment?!

     

     

    SXS,

     

    The software ISO for QRadar contains the ability to install all QRadar appliance types. The activation key determines what appliance type is installed, so it is critical to define the activation key correctly when you first do an install.

     

    You should be able to inquire with your sales representative if there is an activation key to do a trial for a data node appliance. By default, all appliances have a 30-day license applied to them. If that is enough time to complete your trial, then you would just need an activation key and an ISO with the same version as your Console. However, if you need a longer activation for your trial, then make sure you mention to your sales rep that you need more than 30 days. They might be able to provide you with an activation key + a temporary license that you can apply over top of the default to give you more time. I'm not sure if they provide these, but it never hurts to ask. :)

     

    One thing to mention. All managed hosts (QRadar appliances) must be at the same software version as the Console. We do not release ISO files every release, so to get the data node up to the same version as the Console it might require an ISO + Fix Pack (sfs file) depending on what version of software is running on the Console. 

     

    Hope this helps..

     

    Updated on 2014-08-07T12:46:43Z at 2014-08-07T12:46:43Z by Jonathan.Pechta (IBM)
  • sxs
    sxs
    2 Posts

    Re: News! QRadar 7.2.2 Patch 1 is released

    ‏2014-08-07T12:55:34Z  

    Great!

    Thanks... :)