What's new in the IBM QRadar SOAR Plug-in app
Stay up to date with the new features that are available in the IBM® QRadar® SOAR Plug-in app 5.0 so that you can respond to cyberthreats faster and more efficiently.
Minimum QRadar version
The IBM QRadar SOAR Plug-in app 5.0 works only with IBM QRadar 7.5.0 UP4 or later.
Architecture improvements
Instead of using a poller to pull offenses from QRadar, the app now relies on QRadar to push the offense candidates to an internal SOAR queue for case creation. You might see improvements to performance and reliability as a result of this change.
New capabilities in the product interface
The following capabilities are added in QRadar SOAR Plug-in 5.0:
- When you configure multiple organizations in the QRadar SOAR Plug-in app, you can push the configuration changes directly to the child organizations in SOAR.
  Learn more about configuring multiple organizations...
- With the new Enable DEBUG mode option, you can collect advanced technical information in the log files.
- You can download log and configuration files from the product interface.
Inbound destinations
In QRadar SOAR Plug-in 5.0, the inbound destinations for SOAR and QRadar are created automatically.
Before you configure the app, you must copy the SOAR CA certificates to the QRadar Console to allow access to the SOAR inbound destinations.
Learn more about configuring access to the inbound destinations...
Authentication changes
SOAR user accounts can no longer be used for authentication. You must have an API Key Account to authenticate.
Learn more about configuring API Key Account authentication...
Terminology used in this document
You can use the IBM QRadar SOAR Plug-in app with several different SOAR instances.
In SOAR for IBM Cloud Pak for Security, the term case is used to refer to an incident or event in which data or a system might be compromised. IBM Security SOAR Platform uses the term incident.
In this document, case is used throughout, but it can be used interchangeably with incident.