What's new or changed in QRadar Suite Software 1.10

See new or changed features and improvements that are available in the latest release of IBM Security QRadar® Suite Software.

1.10.28

SOAR Breach Response add-on

The SOAR Breach Response add-on is updated. For more information, see Breach response updates.

1.10.27

QRadar Suite Software platform

Create a secret to store your AES key

You can now create a secret in the QRadar Suite Software namespace to store the AES key that you use to encrypt your data backups. You can then refer to the secret by name when you back up data stores, schedule backups, or restore backup files.

For more information, see Creating a secret for an AES Key and Backup and restore.

SOAR Breach Response add-on

The SOAR Breach Response add-on is updated. For more information, see Breach response updates.

1.10.26

SOAR Breach Response add-on

The SOAR Breach Response add-on is updated. For more information, see Breach response updates.

1.10.25

QRadar Suite Software platform

Red Hat® OpenShift® Container Platform 4.16.x support

You can now install QRadar Suite Software on Red Hat OpenShift Container Platform 4.16.x.

For more information, see System requirements.

Important: Upgrade to QRadar Suite Software version 1.10.25 before you upgrade to Red Hat OpenShift Container Platform version 4.16.x.

SOAR playbook statistics

From the Playbook instances tab, you can view new cards showing important playbook statistics. You can view the five most error prone playbooks, the five most frequently run playbooks, and the five longest running playbooks.

For more information, see Playbook instances.

SOAR playbook condition point enhancements

When creating a condition point, you can now add field and script as the condition type. This provides greater flexibility for composing complex logic in one condition point. Previously, if you wanted to add field and script in condition points, you needed to create two separate condition points. The data navigator was available in the script builder, but not in the condition builder, and it was not possible to use both field and script in a single condition for a condition point.

You can still use the existing functionality (All, Any, Advanced) to compose the combinations.

For more information, see Playbook decisions and condition point.

SOAR Breach Response add-on

The SOAR Breach Response add-on is updated. For more information, see Breach response updates.

1.10.24

QRadar Suite Software platform

IBM® Security QRadar SOAR applications backup

The IBM Security QRadar SOAR applications are now included when you back up the QRadar Suite Software platform. Previously, you had to back up the SOAR applications separately. For more information about backing up and restoring, see Backup and restore.

Red Hat OpenShift Container Platform 4.12.x no longer supported

Red Hat OpenShift Container Platform 4.12.x is no longer supported. You must upgrade to 4.14.x before you upgrade QRadar Suite Software.

For more information, see System requirements.

SOAR Breach Response add-on

The SOAR Breach Response add-on is updated. For more information, see Breach response updates.

Add functions to SOAR playbooks with low code or no code

From the playbook designer canvas, you can add the functions to your playbooks from a new Functions > Connectors tab, without deploying apps to Edge Gateway. For more information, see Connectors and functions.

1.10.23

SOAR Breach Response add-on

The SOAR Breach Response add-on is updated. For more information, see Breach response updates.

1.10.22

Certificate validation for SOAR email connections

When configuring inbound email connections in IBM Security QRadar SOAR, you can choose between a client secret or certificate validation for the OAuth protocol.

For more information, see Configuring an inbound email connection.

SOAR Breach Response add-on

The SOAR Breach Response add-on is updated. For more information, see Breach response updates.

1.10.21

SOAR Breach Response add-on

The SOAR Breach Response add-on is updated. For more information, see Breach response updates.

1.10.20

IBM Security QRadar Suite audit inventory

The IBM Security QRadar Suite audit inventory is added. For more information, see Audit Inventory.

IBM Security QRadar Suite installation in an air-gapped environment

The IBM Security QRadar Suite installation in an air-gapped environment is updated.

For more information, see Installing QRadar Suite Software in an air-gapped environment by using a bastion host or Installing QRadar Suite Software in an air-gapped environment by using a portable device.

IBM Security QRadar SOAR search

The internal search engine for searching the IBM Security QRadar SOAR application data in Case Management is updated from Elasticsearch 7.10.2 to OpenSearch 2.11.

SOAR Breach Response add-on

The SOAR Breach Response add-on is updated. For more information, see Breach response updates.

1.10.19

QRadar Suite Software platform

Disabled type-ahead for user search in CLX

User suggestions from connected IDPs now appear only after a full and exact username or email is entered in the input field. Partial input no longer triggers user list suggestions, enhancing user privacy and access control.

IBM Security QRadar SOAR MSSP enhancements

User management and group management are improved for IBM Security QRadar SOAR MSSP deployments.

For more information, see Adding SOAR MSSP analysts.

SOAR Breach Response add-on

The SOAR Breach Response add-on is updated. For more information, see Breach response updates.

1.10.18

QRadar Suite Software platform

Resource allocations in QRadar Suite Software

If you previously installed QRadar Suite Software and changed the resource allocations for IBM Security QRadar SOAR, these allocations are no longer suitable. Change the resource allocations as described in step 6 of Upgrading QRadar Suite Software.

Red Hat OpenShift Container Platform

Red Hat OpenShift Container Platform 4.10.x is no longer supported. You must upgrade to 4.12.x or 4.14.x before you upgrade QRadar Suite Software.

For more information, see System requirements.

SOAR Breach Response add-on

The SOAR Breach Response add-on is updated. For more information, see Breach response updates.

IBM Security QRadar SOAR playbook enhancements

You can view instances of running playbooks over time on the Playbook Instances tab.

For more information, see Playbook instances.

IBM QRadar Network Threat Analytics app integration

IBM QRadar Network Threat Analytics 1.3.0 is a tool that continuously monitors the flow records in your network to identify anomalous traffic. IBM QRadar collects information about the way that devices in your network communicate with each other, and creates a flow record to capture information about the communication. QRadar Network Threat Analytics analyzes the flow records on your system to determine normal traffic patterns, and then compares all incoming flows to the latest network baseline that was created by the app.

1.10.17

IBM Security QRadar EDR available as an on-premises deployment option

IBM Security QRadar Suite Software now offers endpoint detection and response (EDR) functionality and provides the following innovative capabilities to help protect against cyberattacks:
  • Behavior-based anomaly detection
  • Pre-execution prevention
  • Nano operating system and dual AI engines
  • Full attack visibility
  • Anti-ransomware

For more information, see the IBM Security QRadar EDR docs collection.

A simpler way to manage dashboard parameters

Improved how you manage dashboard parameters in the Manage Parameters window. You can now add labels for a parameter when it’s displayed in the Parameters card on a dashboard. For example, a label might provide more details about how to use the parameter or suggest a use case. You can also add a parameter description to provide more context, if required. For more information, see Creating parameters for your dashboards.

Licensing updates

The licensing options document is updated to reflect current packaging and entitlements. For more information, see License options.

SOAR Breach Response add-on

The SOAR Breach Response add-on is updated with a new regulator. For more information, see Breach response updates.

New installation command argument available

You can now install QRadar Suite Software operators in the allNamespaceMode where operators are available in all namespaces in the cluster by using the following installation methods:
  • CASE
  • Red Hat OpenShift CLI
  • Red Hat OpenShift web console
  • Air-gapped environment by using a bastion host
  • Air-gapped environment by using a portable device
For more information, see Installing QRadar Suite Software by using CASE.

New federated search data source for Amazon GuardDuty

The Amazon GuardDuty UDI Connector connects to the Amazon GuardDuty data source by using API credentials (Access Key ID, Secret Access Key, and an optional IAM Role). It loads the event data from the configured Amazon GuardDuty account into IBM Security QRadar Suite Software.

QRadar Suite Software uses this connector with the following services:

  • Data Explorer
  • Threat Intelligence Insights
  • Risk Manager
  • Threat Investigator
For more information, see Connecting to an Amazon GuardDuty data source.

1.10.16

QRadar Suite Software platform

Parts and licensing entitlements

The parts and licensing documentation is updated to provide better clarity. For more information, see License options.

Dashboards

Added two new data formats to the Big Number Chart: Number (compact number) and Duration (days and time). For more information, see Creating a big number chart.

IBM Security QRadar SOAR

The SOAR Breach Response add-on is updated with a new regulator. For more information, see Breach response updates.

Integration data sources

The Data sources permission is changed to Integration data sources in the Administration roles and permissions settings.

1.10.15

New homepage and welcome experience

QRadar Suite Software 1.10.15 has a new homepage that provides an easier navigation and a high-level threat intelligence and case investigation overview of your security posture. Connect all your data sources, conduct a federated search, or start a threat investigation all from one place. Visualize your security data by using the Dashboards app to view out of the box dashboards or create your own custom dashboards to share with your team.

Improved homepage layout

Decluttered the homepage by removing the side panels to make it easier to visualize the critical areas of your organization.

Easier and quicker menu access
  • Jump straight into threat hunting or search from the Data Explorer menu
  • Threat Investigator is now tightly integrated into Cases and no longer a separate app
  • Access all your applications and dashboards from one place in the navigation menu

Full application status for key beta apps

The Detection and Response Center and the Threat Hunt component of Data Explorer are full applications and no longer in Beta, giving you added support from IBM.

More assistance to help you manage your security posture

Augmented the Getting Started and WalkMe tours to improve the user learning experience.

QRadar Suite Software platform

User management changes

Dashboards no longer require permission on the User management page. A new permission for Edge Gateway management was added to the User management page.

IBM Security QRadar SOAR

Available as an additional entitled feature, the SOAR Breach Response add-on contains the privacy database and the breach notification rules and generates data breach compliance tasks in case task lists. You must have an entitlement for IBM Security QRadar SOAR to use the SOAR Breach Response add-on.

SOAR Breach Response add-on managed through entitlements

The SOAR Breach Response add-on is now controlled from the platform entitlements. If SOAR Breach Response add-on is not enabled in the platform, the privacy database and related components are not available in SOAR Breach Response add-on and breach-related tasks are not generated in a playbook.

If you have an entitlement for SOAR Breach Response add-on, you can enable it from the platform menu from General settings > Licensing & usage.

For more information, see SOAR Breach Response add-on...

For information about configuring, see SOAR Breach Response add-on...

Detection and Response Center

Beta program ended

Detection and Response Center is no longer in Beta.

User interface changes
  • An information banner appears on the main application page to help you understand what you can do with the app and explain the different types of rules that the app uses.
  • The Override rule origin attribute was renamed to Customized system rule to better reflect its functionality.
  • A new filter for Supported rule format was added. The rule format determines the purpose of the rule and what part of the product supports the rule.

MITRE support

Support for MITRE ATT&CK was updated to v11.2, which updates techniques, groups, and software for Enterprise, and adds a beta version of Sub-Techniques for Mobile. For more information, see https://attack.mitre.org/resources/updates/updates-april-2022/index.html.

The MITRE confidence level was removed.

Data Explorer

Beta program ended

Threat Hunt is no longer in Beta.

User interface changes
  • Search and Threat Hunt capabilities are now separated under Data Explorer in the menu.
  • The Advanced builder tab is removed. The STIX and AQL tab content is now available from a dropdown menu on the Search page.

IBM Security Threat Investigator

Threat Investigator is redesigned and contains significant changes. Threat Investigator is no longer available as a separate application and is now accessed as a tab in Case Management. The documentation is updated to reflect the latest version.

Threat Investigator is no longer available as a separate application

Threat Investigator is no longer available as a separate application and is now part of Case Management. To go to Threat Investigator, from the main menu, click My applications > Case Management and from within a case, go to the Threat Investigator tab.

For more information, see Viewing threat investigation details...

Investigations table is no longer available

The investigations table is no longer available in version 1.10.15 and later versions.

New user interface for case investigations

The Threat Investigator user interface is redesigned, providing a more streamlined workflow and user experience.

For more information, see Viewing threat investigation details...

Support for manual investigations

Threat Investigator now includes support for manual investigations.

Response recommendations and tasks

Threat Investigator provides recommended response tasks to a threat investigation and provides reasons for the response.

For more information, see Recommended response tasks...

1.10.14

IBM Security QRadar SOAR

IBM Security QRadar SOAR now includes all features matching the standalone IBM Security QRadar SOAR Platform V49.1.

Playbook progress visualization

Playbook progress visualization makes it easier for security analysts to monitor the progress of a running playbook instance and to see the status of each node as the playbook progresses.

For more information, see Playbook progress.

Analytics dashboard enhancements

When you add widgets to the Analytics dashboard, you can see the number of times that each type of widget is used on the dashboard. This enhancement makes it easier to avoid unintended duplication of widgets, particularly on larger dashboards.

For more information, see Analytics dashboard.

Data navigator for inputs to playbook functions and sub-playbooks

In previous versions, you had to hardcode a static value or create a script to provide inputs to functions and sub-playbooks. Whether you chose to hardcode or script the inputs, you had to use the same method for all inputs. This method of defining inputs requires users to have some scripting knowledge, particularly when your function or sub-playbook has many inputs.

Now you can use the Data Navigator window to provide dynamic input to function and sub-playbook inputs, eliminating the need for scripting expertise. Inputs for functions and sub-playbooks can be defined to use one of these options:
  • Attributes of the case or the playbook object.
  • Inputs that are passed to the playbook.
  • Outputs from other functions or sub-playbooks within the playbook.

For more information, see Functions in a playbook and Sub-playbooks.

Report templates included in export settings

You can include report templates when you export settings. The report templates are considered shared layouts and unlike common layouts that are the same for all users in the account, shared layouts are created by users and shared with the account. You can have an unlimited number of shared layouts in an account.

By including the shared layouts in your export, you can easily import the report templates to another account.

For more information, see Migrate settings.

New playbook revision field

A new revision number field appears on several playbook and sub-playbook pages, making it easier to troubleshoot issues with playbooks. By comparing the revision number of a running playbook to the latest revision, you can use the revision field to identify changes that might introduce issues.

Some changes to a playbook might result in multiple increments to the playbook revision number.

Improved access and sharing for dashboards and report templates

You can share dashboards and report templates with another user by sending them the direct URL link, or you can bookmark them for your own ease of access. For the URL link to work for another user, the dashboard or report template must be made sharable.

For more information, see Analytics dashboard.

Manage email as a group

You can select multiple emails and perform actions in bulk.

On the case Email tab, you can download multiple emails in a single .zip file. In the Inbox, you can complete actions such as downloading, deleting, or running custom actions on multiple inbound email at once.

For more information, see Inbound email.

Dashboards and preset filters included in export settings

You can include dashboards and preset filters when you export settings. The dashboard and preset filters are considered shared layouts. Unlike common layouts that are the same for all users in the account, shared layouts are created by users and shared with the account. You can have an unlimited number of shared layouts. By including the shared layouts in your export, you can easily import the dashboards and preset filters to another account.

For more information, see Migrate settings.

Improved access and sharing for preset filters

You can quickly access and share presets for filtering the Cases list. Previously, you had to select the preset from the filter list. Now, you can share a preset with another user by sending them the direct URL link, or you can bookmark the preset for your own ease of access. For the URL link to be shareable, the preset must be set to allow access for all users.

For more information, see Filters.

Preview the contents of an email

Case management team members can now preview the contents of an email and see if the email includes attachments. For emails that are not automatically processed, the preview option is available from the Inbox. For inbound emails that trigger a new case or are associated with an existing case, previews are available from the case Email tab.

For more information, see Inbound email.

Remove tasks from a canceled playbook

Playbook designers can choose which tasks are to be removed from the case task list when a playbook is canceled. When you configure the automatic cancellation options, you can specify that the playbook cancellation deactivates all tasks or only incomplete tasks.

For more information, see Cancelling a playbook automatically.

Duplicate playbooks and sub-playbooks

Playbook designers can duplicate playbooks and sub-playbooks. This new feature reduces the time that it takes to create similar workflows that require only a few parameter changes. It also helps you run and modify existing playbooks and sub-playbooks without impacting your case management team, such as when you want to reproduce errors in a test environment.

For more information, see Duplicate playbooks and sub-playbooks.

Python 2 is deprecated

Support for Python 2 is deprecated and will be removed in a future release.

You can run existing Python 2 scripts but you cannot change them. Use Python 3 to create new scripts and modify existing scripts.

In the script editor, when you change the Language field to Python 3, you cannot revert it back to Python 2. Change the language only when you are prepared to update the script to Python 3.

As part of this change, the sample script to process inbound email message objects is now updated to use Python 3. The updated script is available in new accounts and in existing accounts that are upgraded.

API endpoint deprecation

The following API endpoint is deprecated and will be removed in a future release.

GET /orgs/{org_id}/users/{id}/incidents

In QRadar Suite Software V1.10.14, the endpoint is restricted to return a maximum of 1000 records to address a potential out of memory condition.

You can change existing integrations to use the following endpoint:

POST /orgs/{org_id}/incidents/query_paged
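The migration described above, as an added example that is not part of the IBM documentation: a small client that replaces the one-shot per-user GET with a paged query, so no single response has to hold more than one page of records. The request body layout (filters/conditions, start/length) and the response fields (recordsTotal/data) are assumptions about the SOAR REST API, not taken from this page; the transport is injected so the demo runs offline against a constructed fake server.

```python
"""Migrate from GET /orgs/{org_id}/users/{id}/incidents (capped at 1000 rows)
to POST /orgs/{org_id}/incidents/query_paged, fetching results page by page.

Assumptions (not from the release note): the query body uses "filters" ->
"conditions" entries of field_name/method/value, "start"/"length" for paging,
and the response carries "recordsTotal" and "data". Verify against your
SOAR REST API reference before relying on these names.
"""
from typing import Callable, Dict, Iterator, List

PAGE_SIZE = 100  # bound each response well below the old endpoint's 1000-row cap


def incidents_for_user(org_id: int, user_id: int,
                       post: Callable[[str, dict], dict],
                       page_size: int = PAGE_SIZE) -> Iterator[dict]:
    """Yield every incident owned by user_id, one page at a time.

    `post(path, body)` is any callable that issues the authenticated request
    and returns the decoded JSON; in production it would wrap requests.post
    with your session cookie or API key.
    """
    path = f"/orgs/{org_id}/incidents/query_paged"
    start = 0
    while True:
        body = {
            "filters": [{"conditions": [
                {"field_name": "owner_id", "method": "equals", "value": user_id}
            ]}],
            # A stable sort keeps paging deterministic while records change.
            "sorts": [{"field_name": "id", "type": "asc"}],
            "start": start,
            "length": page_size,
        }
        resp = post(path, body)
        rows: List[dict] = resp.get("data", [])
        for row in rows:
            yield row
        start += len(rows)
        # Stop on an empty page (defensive) or once the reported total is reached.
        if not rows or start >= resp.get("recordsTotal", 0):
            break


# ---- constructed fake server standing in for SOAR (offline demo only) ----
FAKE_INCIDENTS: List[Dict] = [
    {"id": i, "owner_id": 7 if i % 3 else 8, "name": f"case-{i}"}
    for i in range(1, 251)
]


def fake_post(path: str, body: dict) -> dict:
    """Apply the single equals-condition and slice like a paged endpoint would."""
    assert path.endswith("/incidents/query_paged"), path
    cond = body["filters"][0]["conditions"][0]
    matched = [inc for inc in FAKE_INCIDENTS if inc[cond["field_name"]] == cond["value"]]
    start, length = body["start"], body["length"]
    return {"recordsTotal": len(matched), "data": matched[start:start + length]}


def count_for_user(org_id: int, user_id: int,
                   post: Callable[[str, dict], dict] = fake_post,
                   page_size: int = PAGE_SIZE) -> int:
    """Count incidents for a user by walking every page (used by the demo)."""
    return sum(1 for _ in incidents_for_user(org_id, user_id, post, page_size))


if __name__ == "__main__":
    # Against the constructed data, owner 7 has 167 incidents spread over 2 pages.
    print(count_for_user(201, 7))
```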

1.10.13

QRadar Suite Software platform

You can now install and run QRadar Suite Software in a Red Hat OpenShift Container Platform cluster that uses a cluster-wide HTTPS proxy. For more information, see Configuring a cluster-wide HTTPS proxy.

IBM Security Threat Investigator

The Threat Investigator app is updating the available license options in version 1.10.13 to remove Threat Investigator Advanced with Watson and the corresponding open-source content enrichment feed for the Watson Discovery Service (WDS). For users, the removal of the Watson Discovery Service is not expected to reduce data quality. No administrator actions are required in the Threat Investigator application. For more information, see https://www.ibm.com/support/pages/threat-investigator-upcoming-changes-remove-additional-license-options.

1.10.12

QRadar Suite Software platform

New license options

You can use new license options. For more information, see License options.

Red Hat OpenShift Container Platform 4.12.x support

You can now install QRadar Suite Software on Red Hat OpenShift Container Platform 4.12.x.

Backup and restore now uses AES keys for encryption

You need to supply an AES-128 GCM key, an AES-192 GCM key, or an AES-256 GCM key when you back up QRadar Suite Software data, and the same key when you restore that data from the backup.

Important: When you update to QRadar Suite Software 1.10.12, you must update any scheduled backups to use an AES encryption key.

For more information, see backup-intro.html#concept_nyf_b41_ftb.

To generate an AES encryption key, see Generating an AES key.

Custom namespace for foundational services

You can now install IBM Cloud Pak® foundational services in a custom namespace by using the CSNamespace parameter when you install QRadar Suite Software by using CASE or the Red Hat OpenShift CLI. For more information, see Installing QRadar Suite Software by using CASE or Installing QRadar Suite Software by using the Red Hat OpenShift CLI.

IBM Security QRadar SOAR

SOAR apps support third-party credential managers, referred to as Privileged Access Management (PAM) solutions.

If you have specific requirements that prevent you from using the protected secrets capability to protect sensitive data, you can configure apps to use one of the following credential management solutions:
  • HashiCorp Vault
  • Cyberark Central Credential Provider (CCP)

For more information, see Third-party credential managers.

1.10.11

QRadar Suite Software platform

New content extension for connecting to the IBM Security QRadar data source

To connect to an IBM Security QRadar data source, you must install the IBM QRadar Custom Properties Dictionary content extension 1.3.1 or later on your QRadar environment. For more information, see Connecting to an IBM Security QRadar data source and Connecting to an IBM Security QRadar on Cloud data source.

Federated search for domain names in your IBM Security QRadar data source

To conduct a federated search for domain names in your IBM Security QRadar data source, you must add the DNS Request Domain custom event property to the appropriate DSMs in QRadar. For more information, see Adding the DNS Request Domain custom event property to your DSMs.

1.10.10

QRadar Suite Software platform

Microsoft Azure Sentinel connector rename

The Microsoft Azure Sentinel connector is renamed as Microsoft Graph Security connector in QRadar Suite Software 1.10.10 and later. For more information, see Connecting to a Microsoft Graph Security data source.

SOAR Case Management and Orchestration & Automation

Playbooks supported for MSSPs

Playbooks are now supported for MSSP deployments. You must create and update playbooks in the Provider account and push the configuration to the standard accounts.

1.10.9

QRadar Suite Software platform

Red Hat OpenShift Container Platform 4.6.x and 4.7.x deprecated

Red Hat OpenShift Container Platform 4.6.x and 4.7.x are no longer supported. You must upgrade to 4.8.x or 4.10.x before you can upgrade QRadar Suite Software to 1.10.9. The following message is displayed in the operator-lifecycle-manager-packageserver cluster operator until you upgrade to 4.8.x or 4.10.x.

error: unable to retrieve the complete list of server APIs: packages.operators.coreos.com/v1: the server is currently unable to handle the request

Risk Manager

Risk Manager application path

The Risk Manager application path is now consistent with other applications on QRadar Suite Software.

1.10.7

QRadar Suite Software platform

NFS support

You can now use NFS for QRadar Suite Software storage. For more information, see Storage requirements.

Risk Manager

Improved interface to manage recommendations
1.10.7 and later

Improved the Recommendations page with better navigation, filtering, and searching capabilities. For remediation, you can add multiple recommendations to a new case or to an existing case.

New information Learn more about recommendations...

Asset enrichment
1.10.7 and later

Enrich assets by including more attributes when you create tags. You can now create and manage logical assets in Risk Manager.

New information Learn more about managing assets...

Performance improvements
1.10.7 and later
The following performance improvements were added:
  • CPU and memory usage
    • The idrmriskengine pod shows reduction in CPU usage by 81% and memory usage by 85%.
    • The idrmvms and idrmapp pods show low CPU and memory consumption.
  • Seamless UDI import with higher asset count and threat processing.
  • Performance fixes
    • Manage assets page: request processing time is reduced by 81%, and throughput is enhanced by 27%.
    • Recommendations page: request processing time is reduced by 3%, and throughput is enhanced by 28%.

Registry Builder feature deprecated
1.10.7 and later

The Registry Builder feature of Risk Manager is deprecated in QRadar Suite Software 1.10.7.

1.10.5

QRadar Suite Software platform

FireEye iSight version 2 APIs deprecated
1.10.5 and later

The iSight version 2 APIs used by previous versions of QRadar Suite Software are deprecated. You cannot migrate existing iSight connectors to QRadar Suite Software version 1.10.5 or later. If you want to configure the new Mandiant iSight version 4 connector, you must acquire new API keys for the iSight version 4 APIs.

New information Learn more about installing or updating a connector...

Install on Google Cloud Platform
1.10.5 and later

You can now install QRadar Suite Software on Google Cloud Platform. For more information, see System requirements and Storage requirements.

IBM Cloud Security Advisor Adapter removal
1.10.5 and later

The adapter is deprecated in QRadar Suite Software 1.10.4 and removed from 1.10.5. The capability that was provided by the IBM Cloud Security Advisor Adapter in QRadar Suite Software is replaced by a similar capability that is included in IBM QRadar Suite. IBM QRadar Suite enables automated response orchestration based on alerts from a range of connected data sources.

1.10.0 to 1.10.2

QRadar Suite Software platform

WalkMe is disabled

In QRadar Suite Software versions 1.10.0 to 1.10.2, WalkMe is disabled. In earlier QRadar Suite Software versions, the WalkMe tool was enabled to provide guided tours to new users.

Single sign-on method of authentication

Use the Security Assertion Markup Language (SAML) protocol to configure the single sign-on (SSO) authentication method between IBM Security QRadar Suite Software and an IBM Security® Verify enterprise identity source.

New information Learn more about configuring SSO...

Red Hat OpenShift Container Platform 4.10.x support

You can now install QRadar Suite Software on Red Hat OpenShift Container Platform 4.10.x.

Important:
  • If you are upgrading QRadar Suite Software to 1.10 and Red Hat OpenShift Container Platform to 4.10.x, you must upgrade QRadar Suite Software first because earlier versions of QRadar Suite Software are not supported on Red Hat OpenShift Container Platform 4.10.x.
  • Before you upgrade Red Hat OpenShift Container Platform, you must ensure that Knative serving is set to use two replicas. For more information, see Knative serving is set to use one replica instead of two.
  • When you upgrade to Red Hat OpenShift Container Platform 4.10.x, you might encounter a warning that the ingresses.v1beta1.extensions API call is deprecated. Acknowledge this warning and proceed with the upgrade.

Simplified air-gapped environment installation

Installation in an air-gapped environment now requires fewer CLI tools, and doesn't require you to mirror packages from the Red Hat operator catalog that aren't needed.

New information Learn more about installing QRadar Suite Software in an air-gapped environment...

IBM Security QRadar SOAR Case Management and Orchestration & Automation

SOAR for MSSPs

SOAR for Managed Security Service Providers (MSSP) provides managed security service providers with the ability to manage multiple customers' cases from a single dashboard. Customer case data is stored separately, but can be viewed and accessed from one dashboard. Review the known issues for SOAR for MSSP described in Known issues in QRadar Suite Software 1.10.

New information Learn more about SOAR for MSSPs...

Important: SOAR for Managed Security Service Providers (MSSP) replaces the Global Case Management (Beta) application that was available in previous versions of QRadar Suite Software.

Email and system notifications

Administrators can configure the application to send system and email notifications when specific conditions occur, for example, if a user is added to a case.

New information Learn more about notifications...

New information Learn more about creating email and system notifications...

New information Learn more about SMTP configuration for notifications...

Playbooks features and enhancements

The Playbooks feature includes several enhancements:
  • Playbooks import and export. For more information, see Exporting and importing Playbooks.
  • Playbook designers can add sub-playbooks to a playbook. Playbook designers can create sub-playbooks to define repeatable activities to use within other playbooks. For more information, see Sub-playbooks.
  • Playbook designers can cancel the running instances of a playbook. For more information, see Canceling a running playbook.
  • Playbook designers can configure the automatic cancellation of playbooks whose activation conditions are no longer true.
  • Playbook designers can design an activation form for manually triggered playbooks where analysts can enter data when they activate the playbook. For more information, see Activation form.
  • Only scripts with object types that are compatible with the playbook's object type are shown in the library.

SOAR search

You can search through all of the SOAR application data for the QRadar Suite Software account.

New information Learn more about SOAR search...

Artifacts sidebar view

There is a new artifacts sidebar view from the case Overview tab.

New information Learn more about the artifacts sidebar...

Edge Gateway

The App Host component has been renamed and rebranded to Edge Gateway, and the component is managed from the General settings > Connections > Edge gateways page in QRadar Suite Software.

Privacy updates

The Privacy module includes several new updates.

New information Learn more about the Privacy updates...

Detection and Response Center

MITRE enhancements

Support was added to upgrade from MITRE 9.0 to MITRE v10.1, which updates Techniques, Groups, and Software for Enterprise, Mobile, and ICS. Version 10 deprecates the Scheduled Task/Job: Launchd sub-technique. As a result, Detection and Response Center redirects that mapping to the parent technique instead. For more information, see Updates - October 2021.

New information Learn more about MITRE mapping and visualization ...