What's new
Stay up to date with the new features that are available in the IBM QRadar SOAR Plug-in app 5.x so that you can respond to cyberthreats faster and more efficiently.
Version 5.6.4
- Added a bug fix for qradar_note for qradarrule.
- Various security vulnerability fixes.
Version 5.6.3
- Updated Resilient® python libraries to V51.0.7.2.14777.
- Updated resilient_app_config_plugins to V1.0.3.
- Updated requests_pkcs12 to V1.27.
- Updated requests to V2.32.5.
- The number of threads used to load artifacts and the maximum payload size are now configurable.
- Fixed a bug with the Artifact Limit setting, where the configured limit was not applied.
- Updates to the user interface Escalation tab:
- New heading added under Escalations: Control the number of artifacts and how they are added to a case.
- New tooltip added: Applied separately for source_addresses and local_destination_addresses in an offense, this limits the max number of IP artifacts allowed for a case_create or case_update escalation action.
- New setting: Number of Artifact threads and new tooltip: The number of separate threads used to add artifacts to a case.
- New setting: Maximum Number Of Artifacts Per Payload and new tooltip: The maximum number of artifacts allowed for each case update payload.
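The three escalation settings above interact: the Artifact Limit caps each IP list of an offense separately, the payload size splits the surviving artifacts into case-update payloads, and the thread count controls how many payloads are sent concurrently. The following Python is an added illustration of that model, not the plug-in's own code; the offense layout, the setting names passed as parameters, the dedup-before-limit rule (the 5.3.1 notes mention artifact deduplication without specifying order) and the in-memory sender are all assumptions made for the example.

```python
"""Illustrative model of the Artifact Limit, payload-size and thread settings.

Added example, not the IBM QRadar SOAR Plug-in's own code. The offense
layout, function names and the ordering of dedup before limit are
assumptions made for illustration.
"""
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, List

# Constructed sample offense (not captured from a real system): two IP lists
# as named in the tooltip, with one repeated source address.
SAMPLE_OFFENSE: Dict[str, object] = {
    "id": 1234,
    "source_addresses": ["10.0.0.5", "10.0.0.6", "10.0.0.5", "10.0.0.7"],
    "local_destination_addresses": ["192.168.1.10", "192.168.1.11", "192.168.1.12"],
}

# Assumed: the two offense fields the tooltip names, both mapped to IP artifacts.
IP_FIELDS = ("source_addresses", "local_destination_addresses")


def collect_ip_artifacts(offense: Dict[str, object], artifact_limit: int) -> List[dict]:
    """Build IP artifacts from an offense, applying artifact_limit to each
    field separately (as the tooltip states) rather than to the total.

    Duplicates within a field are dropped before the limit is applied, so a
    repeated address does not consume a slot. Assumed ordering, see lead-in.
    """
    if artifact_limit < 1:
        raise ValueError("artifact_limit must be at least 1")
    artifacts: List[dict] = []
    for field in IP_FIELDS:
        seen = set()
        unique: List[str] = []
        for ip in offense.get(field, []):  # type: ignore[union-attr]
            if ip not in seen:
                seen.add(ip)
                unique.append(ip)
        for ip in unique[:artifact_limit]:  # the limit is enforced here
            artifacts.append({
                "type": "IP Address",
                "value": ip,
                "description": f"{field} of QRadar offense {offense['id']}",
            })
    return artifacts


def split_into_payloads(artifacts: List[dict], max_per_payload: int) -> List[List[dict]]:
    """Chunk artifacts into case-update payloads of at most max_per_payload."""
    if max_per_payload < 1:
        raise ValueError("max_per_payload must be at least 1")
    return [artifacts[i:i + max_per_payload]
            for i in range(0, len(artifacts), max_per_payload)]


def send_payloads(payloads: List[List[dict]], threads: int,
                  sender: Callable[[List[dict]], int]) -> List[int]:
    """Send payloads on a pool of `threads` workers and return, in payload
    order, the number of artifacts each send reported as added."""
    if threads < 1:
        raise ValueError("threads must be at least 1")
    with ThreadPoolExecutor(max_workers=threads) as pool:
        return list(pool.map(sender, payloads))


def fake_sender(payload: List[dict]) -> int:
    """Constructed stand-in for the SOAR case-update call: just counts."""
    return len(payload)


def escalate(offense: Dict[str, object], artifact_limit: int,
             max_per_payload: int, threads: int) -> List[int]:
    """Run the whole pipeline with the three configurable settings."""
    artifacts = collect_ip_artifacts(offense, artifact_limit)
    payloads = split_into_payloads(artifacts, max_per_payload)
    return send_payloads(payloads, threads, fake_sender)


if __name__ == "__main__":
    # Limit 2 per field keeps 2 + 2 = 4 artifacts; payload size 3 -> [3, 1].
    print(escalate(SAMPLE_OFFENSE, artifact_limit=2, max_per_payload=3, threads=2))
```

With artifact_limit=2 the sample offense yields two source and two destination artifacts (the duplicate 10.0.0.5 is not counted), so a payload size of 3 produces two payloads of 3 and 1 artifacts. Raising the limit to 10 keeps all six unique addresses, which shows that the cap is per field, not per case.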
Version 5.6.2
- Bug fix for offense escalation failure when Unicode characters are used in template mapping.
- Improved retry case_create logic to avoid creating a duplicate SOAR case after the original case creation returns a failure response.
- Other bug fixes and security vulnerability fixes.
Version 5.6.0
- Added a configuration option to process an offense update message as a case_create request when no existing SOAR case is found for the QRadar offense.
- Resolved an automatic offense escalation issue that occurred when opening the offense details page.
- Upgraded Resilient® Circuits and Python package dependencies to later versions to address defects and to mitigate security vulnerabilities.
- Bug fixes for escaping illegal characters in the plugin template.
- Bug fixes for editing templates that have JSON type incident fields in SOAR.
Version 5.5.0
- Resolved application UI tab focus issue.
- Improved retry case create logic for automatic offense escalation failure.
- Updated manual escalation to use same architecture as automatic escalation.
- Improved error message on CONFLICT status during app configuration for better diagnosis.
- Updated Python package dependencies to newer versions to mitigate security vulnerabilities.
- Addressed an offense note duplication issue that occurred when the SOAR plug-in app and Enhanced Data Migration (a SOAR app) are used together.
Version 5.4.0
- Enabled multi-tenancy support to create multiple plug-in app instances.
- Updated Python package dependencies to newer versions to mitigate security vulnerabilities.
- Updated automatic escalation condition rules with integer values.
- Clarified offense notes originating from SOAR.
- In multi-tenanted instances, the mapping tab restricts domain mapping to only those domains that are assigned to the security profile of an instance.
Version 5.3.1
- Resolved installation conflict with IBM QRadar 7.5.x UP7.
- Improved escalation reliability during network outage.
- Removed the ability to adjust the number of worker threads from the user interface as it is less relevant with the new architecture.
- Addressed security vulnerabilities. These updates impact template naming conventions. For more information, see Upgrading the app.
- Added resiliency when connection errors occur, queuing the case action for reprocessing when the connection error is resolved.
- Added deduplication of artifact creation for faster case processing.
- Added logic to avoid creating duplicate cases for the same offense.
Version 5.0.3
- Addressed security vulnerabilities.
- Bug fixes for automatic escalations and templates.
Version 5.0.0
- Multi-tenancy is disabled.
- Updated architecture. Learn more about the architecture improvements...
- New features in the product interface to enable the DEBUG logging level, push the SOAR configuration from the Plug-in app UI, and download log and configuration files from the user interface.
- SOAR user accounts can no longer be used for authentication. You must have an API Key Account to authenticate.
Minimum QRadar version
The IBM QRadar SOAR Plug-in app 5.0 works only with IBM QRadar 7.5.x UP7 or later.
Architecture improvements
Instead of using a poller to pull offenses from QRadar, the app now relies on QRadar to push the offense candidates to an internal SOAR queue for case creation. You might see improvements to performance and reliability as a result of this change.
New capabilities in the product interface
The following capabilities are added in QRadar SOAR Plug-in 5.0:
- When you configure multiple organizations in the QRadar SOAR Plug-in app, you can push the configuration changes directly to the child organizations in SOAR. Learn more about configuring multiple organizations...
- With the new Enable DEBUG mode option, you can collect advanced technical information in the log files.
- You can download log and configuration files from the product interface.
Inbound destinations
In QRadar SOAR Plug-in 5.x, the inbound destinations for SOAR and QRadar are created automatically.
Before you configure the app, you must copy the SOAR CA certificates to the QRadar Console to allow access to the SOAR inbound destinations.
Learn more about configuring access to the inbound destinations...
Authentication changes
SOAR user accounts can no longer be used for authentication. You must have an API Key Account to authenticate.
Learn more about configuring API Key Account authentication...
Terminology used in this document
You can use the IBM QRadar SOAR Plug-in app with several different SOAR instances.
In SOAR for IBM Cloud Pak for Security, the term case is used to refer to an incident or event in which data or a system might be compromised. IBM Security SOAR Platform uses the term incident.
In this document, case is used throughout, but it can be used interchangeably with incident.