LDAP server synchronization changes
When you upgrade to QRadar 7.5.0 Update Package 3 or later and run LDAP synchronization, any user who is no longer present in the LDAP server and is not set to Local Fallback or Local Only is disabled in QRadar. A user who is set to Local Fallback or Local Only is not disabled but is flagged on the User Management page. A system notification informs the administrator of the change to the user account.
Local Only authentication
When you upgrade to QRadar 7.5.0 Update Package 2 or later, the Manage Local Only Authentication role is added to manage the Local Only authentication for users. Local Only authentication is a setting that is used when external authentication is enabled on IBM QRadar. Setting Local Only authentication to true for a user ensures that the user authenticates to QRadar locally rather than through external authentication. Local Only authentication prevents unintended access to QRadar from the accounts that are configured in the external authentication repository.
Secure boot
In QRadar 7.5.0 Update Package 2, you can use secure boot to ensure that only trusted kernels and kernel modules are loaded when you start QRadar. The firmware verifies that the kernel and kernel modules are signed with a key that is stored in the system keyring before it passes control to the kernel.
A system that is installed with QRadar 7.5.0 Update Package 2, and any current EFI system that is upgraded to 7.5.0 Update Package 2, can turn on secure boot as long as the IBM public key has been imported into the system keyring.
Offense rule tests
In QRadar 7.5.0, there are two new offense rule tests: when an offense is closed and when an offense is modified. A modified offense rule test is applied when any offense property is changed based on the events that are associated with that offense. Modified rule tests allow for better configuration of how and when rules are implemented.
A closed offense rule test is applied when the offense is closed.
More secure operating system
QRadar 7.5.0 runs on Red Hat® Enterprise Linux® version 7.9. The upgrade to RHEL V7.9 is necessary to continue receiving security updates from Red Hat Enterprise Linux.
OFFENSE_TIME function
In QRadar 7.5.0, use the new OFFENSE_TIME function to increase the speed of your offense queries.
The OFFENSE_TIME function limits the query to the times during which an offense might have been active.
For example, to query for the events of an offense within a time range, use the OFFENSE_TIME function together with the INOFFENSE function to limit the query to the times that the offense might have occurred:
SELECT * FROM events WHERE INOFFENSE(1) times OFFENSE_TIME(1)
DISTINCTCOUNT function
In QRadar 7.5.0, use the new DISTINCTCOUNT function to return the number of unique values in an aggregate. The DISTINCTCOUNT function uses the HyperLogLog+ approximation algorithm to calculate the unique count, and it operates with a constant memory requirement, so the function supports data sets of unlimited size. For example:
SELECT username, DISTINCTCOUNT(sourceip) AS CountSrcIP FROM events GROUP BY username
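The following Python sketch is an added illustration, not IBM's code or QRadar's implementation: it runs a minimal HyperLogLog estimator (with the small-cardinality correction that HyperLogLog+ style implementations use) over constructed (username, sourceip) pairs and compares the estimate with an exact per-user count, showing why the sketch's memory stays fixed while the exact set grows with the data.

```python
import hashlib
import math
from collections import defaultdict


class HyperLogLog:
    """Minimal HyperLogLog sketch: 2**p one-byte registers, fixed size regardless of input."""

    def __init__(self, p=10):
        self.p = p
        self.m = 1 << p
        self.registers = bytearray(self.m)

    def add(self, value):
        # Hash to 64 bits; the top p bits pick a register, the remaining bits give the
        # rank (position of the leftmost 1 bit); each register keeps the largest rank seen.
        h = int.from_bytes(hashlib.sha1(value.encode()).digest()[:8], "big")
        idx = h >> (64 - self.p)
        rest = h & ((1 << (64 - self.p)) - 1)
        rank = (64 - self.p) - rest.bit_length() + 1
        if rank > self.registers[idx]:
            self.registers[idx] = rank

    def count(self):
        alpha = 0.7213 / (1 + 1.079 / self.m)
        raw = alpha * self.m * self.m / sum(2.0 ** -r for r in self.registers)
        zeros = self.registers.count(0)
        if raw <= 2.5 * self.m and zeros:
            # Small-cardinality correction (linear counting on empty registers)
            return int(round(self.m * math.log(self.m / zeros)))
        return int(round(raw))


def make_events():
    """Constructed (username, sourceip) pairs standing in for QRadar events."""
    events = [("alice", f"10.0.{i // 256}.{i % 256}") for i in range(300)]
    events += [("bob", f"192.168.1.{i % 5}") for i in range(600)]  # 5 hosts, repeated
    return events


def distinct_sources(events, p=10):
    """Per username: (exact distinct source IPs, HyperLogLog estimate)."""
    exact = defaultdict(set)
    sketches = defaultdict(lambda: HyperLogLog(p))
    for user, ip in events:
        exact[user].add(ip)
        sketches[user].add(ip)
    return {u: (len(exact[u]), sketches[u].count()) for u in exact}


if __name__ == "__main__":
    for user, (exact_n, estimate) in distinct_sources(make_events()).items():
        print(f"{user}: exact={exact_n} hll={estimate}")
```

With p=10 the sketch is 1024 bytes per username whether a user has 5 or 5 million distinct sources; the estimate is approximate, which is the trade-off the DISTINCTCOUNT description refers to.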
Encryption of managed hosts enabled by default
To provide secure data transfer between each of the appliances in your environment, IBM QRadar integrates encryption support that uses OpenSSH. In QRadar 7.5.0, encryption between managed hosts is enabled by default when you add a managed host. Previously, you were required to manually enable encryption when you added a managed host.