What's new
Stay up to date with the new features that are available in the IBM QRadar SOAR Plug-in app 5.x so that you can respond to cyberthreats faster and more efficiently.
Version 5.5.0
- Resolved application UI tab focus issue.
- Improved the retry logic for case creation when automatic offense escalation fails.
- Updated manual escalation to use the same architecture as automatic escalation.
- Improved error message on CONFLICT status during app configuration for better diagnosis.
- Updated Python package dependencies to newer versions to mitigate security vulnerabilities.
- Addressed an offense note duplication issue that occurs when the SOAR Plug-in app and Enhanced Data Migration (a SOAR app) are used together.
Version 5.4.0
- Enabled multi-tenancy support to create multiple plug-in app instances.
- Updated Python package dependencies to newer versions to mitigate security vulnerabilities.
- Updated automatic escalation condition rules with integer values.
- Clarified offense notes originating from SOAR.
- In multi-tenanted instances, the mapping tab restricts domain mapping to only those domains that are assigned to the security profile of an instance.
Version 5.3.1
- Resolved installation conflict with IBM QRadar 7.5.x UP7.
- Improved escalation reliability during network outage.
- Removed the ability to adjust the number of worker threads from the user interface as it is less relevant with the new architecture.
- Addressed security vulnerabilities. These updates impact template naming conventions. For more information, see Upgrading the app.
- Added resiliency when connection errors occur, queuing the case action for reprocessing when the connection error is resolved.
- Added deduplication of artifact creation for faster case processing.
- Added logic to avoid creating duplicate cases for the same offense.
Version 5.0.3
- Addressed security vulnerabilities.
- Bug fixes for automatic escalations and templates.
Version 5.0.0
- Multi-tenancy is disabled.
- Updated architecture.
- New features in the product interface: enable the DEBUG logging level, push the SOAR configuration from the Plug-in app UI, and download log and configuration files from the user interface.
- SOAR user accounts can no longer be used for authentication. You must have an API Key Account to authenticate.
Minimum QRadar version
The IBM QRadar SOAR Plug-in app 5.0 works only with IBM QRadar 7.5.x UP7 or later.
Architecture improvements
Instead of using a poller to pull offenses from QRadar, the app now relies on QRadar to push the offense candidates to an internal SOAR queue for case creation. You might see improvements to performance and reliability as a result of this change.
New capabilities in the product interface
The following capabilities are added in QRadar SOAR Plug-in 5.0:
- When you configure multiple organizations in the QRadar SOAR Plug-in app, you can push the configuration changes directly to the child organizations in SOAR.
- With the new Enable DEBUG mode option, you can collect advanced technical information in the log files.
- You can download log and configuration files from the product interface.
Inbound destinations
In QRadar SOAR Plug-in 5.x, the inbound destinations for SOAR and QRadar are created automatically.
Before you configure the app, you must copy the SOAR CA certificates to the QRadar Console to allow access to the SOAR inbound destinations.
Authentication changes
SOAR user accounts can no longer be used for authentication. You must have an API Key Account to authenticate.
Terminology used in this document
You can use the IBM QRadar SOAR Plug-in app with several different SOAR instances.
In SOAR for IBM Cloud Pak for Security, the term case is used to refer to an incident or event in which data or a system might be compromised. IBM Security SOAR Platform uses the term incident.
In this document, case is used throughout, but it can be used interchangeably with incident.