To take advantage of new capabilities, defect fixes, and updated workflows, upgrade to new versions of the IBM® QRadar® Use Case Manager app. Use either the Extensions Management tool in IBM® QRadar® or the IBM QRadar Assistant app to upgrade the app.
Before you begin
You must have an IBM ID to access the IBM Security App Exchange. If you don't have an ID, you can create one by clicking Create IBM ID on the upper right of the IBM Security App Exchange login page.
About this task
In QRadar Use Case Manager 2.3.0 or later, the Cyber Adversary Framework Mapping app is no longer required. QRadar Use Case Manager detects the presence of the Cyber Adversary Framework Mapping app and prompts you to uninstall the app on the configuration page. QRadar Use Case Manager gathers any existing mappings from the Cyber Adversary Framework Mapping app during installation. If you continue to use the Cyber Adversary Framework Mapping app to edit MITRE mappings, any new or updated mappings are not added to QRadar Use Case Manager and the data becomes out of sync. In that case, you must manually export and import the mappings into QRadar Use Case Manager.
Procedure
- If the IBM QRadar Assistant app is configured on QRadar, use the following instructions to install the QRadar Use Case Manager app: QRadar Assistant app (https://www.ibm.com/support/knowledgecenter/SS42VS_latest/com.ibm.apps.doc/t_qradar_adm_assistant_download.html).
- If the QRadar Assistant app is not configured, download the QRadar Use Case Manager app archive from the IBM Security App Exchange (https://apps.xforce.ibmcloud.com/) onto your local computer. You must have an IBM ID to access the App Exchange.
- On the Admin tab, click Extension Management.
- In the Extension Management page, click Add and select the app archive that you want to upload to the console.
- Select the Install immediately checkbox.
  Important: You might have to wait several minutes before your app becomes active. When the installation is complete, clear your browser cache and refresh the browser window before you use the app.
- On the page that prompts you to update the current app version, leave the Replace existing items option selected, and click Install.
- After the installation is complete, go to .
- On the Configuration page, click Uninstall to remove the Cyber Adversary Framework Mapping app from your environment.
  All of your previous MITRE mappings are preserved.
- After the Cyber Adversary Framework Mapping app is removed, export your MITRE mappings as a backup copy, in case you delete the QRadar Use Case Manager app later. If you uninstall QRadar Use Case Manager later, all of the mappings are deleted from your environment.
Results
In deployments where QRadar User Behavior Analytics 4.1.0 or later and QRadar Use Case Manager 3.2.0 or later are both installed, the two apps automatically communicate with each other. The rules from QRadar User Behavior Analytics are integrated into the QRadar Use Case Manager app for further investigation and tuning.