What's new in QRadar App for Splunk Data Forwarding
Learn about the new features in each app release.
Version 3.3.0
The app was upgraded to use the App Framework SDK version 2.
The QRadar® authentication token is now stored encrypted, and the encryption algorithm used to store Splunk instance details was upgraded.
Version 3.2.0
Fixed a defect where unvalidated certificates caused authentication tokens to fail on the configuration page.
Version 3.1.0
User interface improvements include the following changes:
- Making fonts, margins, and element sizes consistent across checkboxes and buttons.
- Ensuring messages and field values appear correctly in Mozilla Firefox and Microsoft Internet Explorer.
- Adding a tooltip to the delete button in preview-only mode.
- Improving how buttons work when tabs are switched.
Usability improvements include the following changes:
- The workflow step indicator shows the selected step as "Start Forwarding", between "Set Port" and "Finish".
- The message shown below the source names contains a link to switch the current tab to "Forwarded Data Sources".
Security was improved by addressing the CWE Top 25 vulnerability CWE-295 regarding improper certificate validation.
Version 3.0.0
Improved the user interface
- Clear the forwarding queue by using the new X button when the Forward button on the Splunk Instances tab is enabled.
- Windows source names are identified with an asterisk.
Usability improvements
- Manually enter your forwarding destination if your preferred event collector is not populated within the selection box.
- Forwarding Windows-based log sources is now handled by the app. QRadar App for Splunk Data Forwarding creates a Windows Multiline Event log source on QRadar to identify the events that are coming in from a Windows log source. You can also configure this log source as a gateway to identify logs that are coming in from multiple sources. For more information, see Forwarding data from Splunk universal forwarders to QRadar.
Support enhancements
- Added support for QRadar on Cloud.
- Globalization support is included.
Version 2.0.0
Improved the user interface
- Add single or multiple Splunk instances at once by using the Multi-Button feature.
- Add new instances or modify existing ones from the side pane.
- The last refresh time for every instance is displayed on the main pane.
- Upgraded pagination to view more than 10 instances at a time.
- Renamed Remove to Delete when you remove Splunk instances.
- New workflow design makes it easier to forward Splunk data to IBM® QRadar.
- Removed the Filter button and merged the two filter boxes into a dynamic search feature that finds instances by location, description, and source types. Tip: To narrow down your results, search for two or more values separated by spaces. For example, to find a "Universal Forwarder" that is located in the IP range "10.35" and has a "WinEventLogs" source type, enter the search query 10.35 Universal Forwarder WinEventLogs to see the Splunk instances that satisfy all of these conditions.
- Added the ability to configure the Splunk port number and its IP address or host name when you add a new Splunk instance that runs on a different port than the default 8089 port.
- Added the ability to view the steps that the app performs when it starts and stops forwarding data from the Splunk instances to QRadar.
- The app generates Audit Event logs for user activity within the app.
- Removed the ability to forward all to QRadar for heavy forwarders.
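As an added example (not code from the QRadar App for Splunk Data Forwarding), the following models the space-separated search described in the tip above: every term must be found in at least one of an instance's location, description, or source types, so "Universal Forwarder" is matched as two terms rather than one phrase. Case-insensitive substring matching and the SplunkInstance field layout are assumptions.

```python
# Added example, not code from the QRadar App for Splunk Data Forwarding.
# Models the dynamic search described in the 2.0.0 notes: the query is split on
# spaces and an instance is listed only when every term is found in at least one
# of its location, description, or source types. Case-insensitive substring
# matching and the SplunkInstance field layout are assumptions.
from dataclasses import dataclass, field
from typing import List


@dataclass
class SplunkInstance:
    location: str                     # host or IP (and port), as shown in the app
    description: str
    source_types: List[str] = field(default_factory=list)

    def searchable_fields(self) -> List[str]:
        return [self.location, self.description, *self.source_types]


def matches(instance: SplunkInstance, query: str) -> bool:
    """True when every space-separated term of `query` appears (case-insensitive)
    in some field of `instance`. Terms may each hit a different field, so
    "Universal Forwarder" is two terms, not one phrase. An empty query matches all."""
    terms = [t.lower() for t in query.split()]
    haystack = [f.lower() for f in instance.searchable_fields()]
    return all(any(term in f for f in haystack) for term in terms)


def search(instances: List[SplunkInstance], query: str) -> List[SplunkInstance]:
    """Return the instances that satisfy all terms of the query, in inventory order."""
    return [inst for inst in instances if matches(inst, query)]


# Constructed sample inventory (not real hosts).
SAMPLE_INSTANCES = [
    SplunkInstance("10.35.12.7:8089", "Universal Forwarder on DC01", ["WinEventLogs", "Syslog"]),
    SplunkInstance("10.35.12.9:8089", "Universal Forwarder on WEB01", ["access_combined"]),
    SplunkInstance("10.40.1.2:8089", "Heavy Forwarder", ["WinEventLogs"]),
]

if __name__ == "__main__":
    # The query from the tip: only the first sample instance satisfies all four terms.
    for inst in search(SAMPLE_INSTANCES, "10.35 Universal Forwarder WinEventLogs"):
        print(inst.location, "-", inst.description)
```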
Version 1.1.0
- The Refresh function is renamed to Sync to better reflect the operation of synchronizing the data from configured Splunk instances.
- You can now configure an automatic sync of Splunk Sources data. When you enable the Automatic Sync feature on the configuration page, the application periodically connects to the configured instances of Splunk Enterprise or Splunk Universal Forwarder and synchronizes the list of available Splunk Sources. Only the Administrator can configure Auto-Sync and its time interval.
- The application now generates notifications after every sync operation to highlight Splunk Sources that were added to or removed from the configured Splunk instances. Generated notifications are available by clicking the bell icon in the upper right of the app. Notifications are generated after both manual and automatic syncs.