QRadar
RHEL8 support as RHEL7 reaches end of life
New in 7.5.0 Update Package 8Red Hat® Enterprise Linux® 7 (RHEL) is end of life (EOL) as of June 2024. IBM QRadar 7.5.0 Update Package 8 upgrades existing support for RHEL 7 to RHEL 8.
Minimum permitted app base image stream
New in 7.5.0 Update Package 8In QRadar 7.5.0 Update Package 8, you can disable older base image streams that might have security vulnerabilities by using the new Minimum Permitted App Base Image Stream system setting on the Admin tab. For more information, see Minimum Permitted App Base Image Stream.
SSH extraction enhancements
New in 7.5.0 Update Package 8In QRadar 7.5.0 Update Package 8, QRadar Network Insights introduces enhanced extraction for the SSH protocol. This functionality includes the extraction of several new fields around the SSH connection establishment and also the "Hassh" fingerprints of those connections.
Tunnelling enhancements
New in 7.5.0 Update Package 8QRadar Network Insights introduces enhanced protocol support for GRE and ERSPAN network traffic and new common features for all tunneled network traffic (including the existing VXLAN support).
Leapp pretest added for RHEL8 migration
New in 7.5.0 Update Package 8You must run a Leapp pretest on your console or managed host before you upgrade from Red Hat Enterprise Linux V7.9 to Red Hat Enterprise Linux V8.8 to reduce the risk of failure. If the Leapp pretest fails on your deployment, the upgrade is blocked.
/media/updates/installer --leapp-onlyRead-only configuration
New in 7.5.0 Update Package 8In QRadar 7.5.0 Update Package 8, Read-only Configuration permission on the User Role Management window grants permission to view other users without the ability to create or edit them.
New in 7.5.0 Update Package 7In QRadar 7.5.0 Update Package 7, the new Read-only Configuration permission on the User Role Management window grants users permission to view, but not create or edit, log sources or offenses.
New WinCollect update package for QRadar 7.5.0 Update Package 8
New in 7.5.0 Update Package 8WinCollect 7.3.1 P3 supports QRadar 7.5.0 Update Package 8 or later. If your QRadar system is upgraded to UP8 or later but is running WC 7.3.1 P1 or earlier, you must upgrade to WinCollect 7.3.1 P3 so that the agents work properly. For more information, see the ‘Known issues’ section in this release note: https://www.ibm.com/support/pages/node/7029393 and this tech note: https://www.ibm.com/support/pages/node/6953887.
LDAP server synchronization changes
New in 7.5.0 Update Package 3When you upgrade to QRadar 7.5.0 Update Package 3 or later and you run LDAP synchronization if the system finds a user that is no longer in the LDAP server and is not set to Local Fallback or set as Local Only, that user is disabled in QRadar. If the user is set to Local Fallback or set as Local Only, then the user is not disabled but is flagged on the User Management page. A system notification is sent to inform the administrator of the change to the user account.
Local only authentication
New in 7.5.0 Update Package 2When you upgrade to QRadar 7.5.0 Update Package 2 or later, the Manage Local Only Authentication role is added to manage the Local Only authentication for users. Local Only authentication is a setting that is used when external authentication is enabled on IBM QRadar. Setting Local Only authentication to true for a user ensures that the user authenticates to QRadar locally rather than through external authentication. Local Only authentication prevents unintended access to QRadar from the accounts that are configured in the external authentication repository.
Secure boot
New in 7.5.0 Update Package 2In QRadar 7.5.0 Update Package 2 you can use secure boot to ensure that only trusted kernels and kernel modules are loaded when you start QRadar. The firmware ensures that the kernel and kernel modules are signed and a valid key is stored in the system keyring before passing control to the kernel.
QRadar 7.5.0 Update Package 2 and any current EFI systems that is upgraded to 7.5.0 Update Package 2 can turn on secure boot as long as the IBM public key has been imported into the system keyring.
Offense rule tests
New in 7.5.0In QRadar 7.5.0, there are two new offense rule tests: when an offense is closed and when an offense is modified. A modified offense rule test is applied when any offense property is changed based on the events that are associated with that offense. Modified rule tests allow for better configuration of how and when rules are implemented.
A closed offense rule test is applied when the offense is closed.
More secure operating system
New in 7.5.0QRadar 7.5.0 runs on Red Hat Enterprise Linux version 7.9. The upgrade to RHEL V7.9 is necessary to continue receiving security updates from Red Hat Enterprise Linux.
OFFENSE_TIME function
New in 7.5.0In QRadar 7.5.0, use the new OFFENSE_TIME function to increase the speed of your offense queries.
The OFFENSE_TIME function limits the query to applicable times that an offense might be active.
For example, if you want to query for an offense within a time range, use the OFFENSE_TIME function together with the IN_OFFENSE function to limit the query to the times that the offense might have occurred.
SELECT * FROM events
WHERE INOFFENSE(1) times OFFENSE_TIME(1)DISTINCTCOUNT function
New in
7.5.0In
QRadar
7.5.0, use the new
DISTINCTCOUNT function to return the unique count of the value in the aggregate.
The DISTINCTCOUNT function uses the HyperLogLog+ approximation algorithm to
calculate the unique count and operates with a constant memory requirement. The function supports
unlimited data sets.
For example,
SELECT username,
DISTINCTCOUNTCOUNT(sourceip)
AS CountSrcIP
FROM events
GROUP BY username Encryption of managed hosts enabled by default
New in 7.5.0To provide secure data transfer between each of the appliances in your environment, IBM QRadar integrates encryption support that uses OpenSSH. In QRadar 7.5.0, encryption between managed hosts is enabled by default when you add a managed host. Previously, you were required to manually enable encryption when you added a managed host.