QRadar

The IBM® QRadar® 7.5.0 family of products includes enhancements to operational efficiency and flow improvements.

LDAP server synchronization changes

When you upgrade to QRadar 7.5.0 Update Package 3 or later and you run LDAP synchronization, if the system finds a user that is no longer in the LDAP server and is not set to Local Fallback or set as Local Only, that user is disabled in QRadar. If the user is set to Local Fallback or set as Local Only, then the user is not disabled but is flagged on the User Management page. A system notification is sent to inform the administrator of the change to the user account.
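The following is an added illustration, not QRadar code: it applies the synchronization rule described above to a constructed user list so that an administrator can preview who would be disabled or flagged (and which notifications would be raised) before running a real synchronization. The user records, the LDAP directory contents and the case-insensitive username comparison are all assumptions made for the example.

```python
"""Dry run of the LDAP synchronization rule introduced in QRadar 7.5.0 UP3.

Added illustration, not QRadar code. A user missing from LDAP is disabled
unless Local Only or Local Fallback is set, in which case the user stays
enabled but is flagged; both outcomes raise an administrator notification.
"""
from dataclasses import dataclass, field


@dataclass
class QRadarUser:
    username: str
    local_only: bool = False      # "Local Only" setting on the user
    local_fallback: bool = False  # "Local Fallback" setting on the user
    enabled: bool = True


@dataclass
class SyncPlan:
    disable: list = field(default_factory=list)
    flag: list = field(default_factory=list)
    unchanged: list = field(default_factory=list)
    notifications: list = field(default_factory=list)


def plan_ldap_sync(users, ldap_usernames):
    """Return what a synchronization run would do to each QRadar user.

    Assumption (ours): usernames are matched case-insensitively, and a user
    that is already disabled gets no repeated action."""
    present = {name.lower() for name in ldap_usernames}
    plan = SyncPlan()
    for user in users:
        if user.username.lower() in present:
            plan.unchanged.append(user.username)   # still in LDAP: nothing to do
        elif user.local_only or user.local_fallback:
            plan.flag.append(user.username)        # kept enabled, flagged on User Management
            plan.notifications.append(
                f"{user.username}: missing from LDAP, flagged (local authentication set)")
        elif not user.enabled:
            plan.unchanged.append(user.username)   # already disabled earlier
        else:
            plan.disable.append(user.username)
            plan.notifications.append(f"{user.username}: missing from LDAP, disabled")
    return plan


# Constructed sample data: only "alice" is still present in the directory.
SAMPLE_USERS = [
    QRadarUser("alice"),
    QRadarUser("bob"),                             # removed from LDAP, plain LDAP user
    QRadarUser("breakglass", local_only=True),     # emergency local-only account
    QRadarUser("soc-lead", local_fallback=True),   # removed from LDAP, has a fallback
    QRadarUser("carol", enabled=False),            # removed earlier, already disabled
]
SAMPLE_LDAP = ["Alice"]

if __name__ == "__main__":
    plan = plan_ldap_sync(SAMPLE_USERS, SAMPLE_LDAP)
    print("would disable:", plan.disable)
    print("would flag:   ", plan.flag)
    print("unchanged:    ", plan.unchanged)
    for line in plan.notifications:
        print("notification:", line)
```

Reviewing the "would disable" list before the real run is the useful part: a service account that only exists locally should be set to Local Only (or have Local Fallback) before the upgrade, otherwise the next synchronization silently disables it.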


Local Only authentication

When you upgrade to QRadar 7.5.0 Update Package 2 or later, the Manage Local Only Authentication role is added to manage the Local Only authentication for users. Local Only authentication is a setting that is used when external authentication is enabled on IBM QRadar. Setting Local Only authentication to true for a user ensures that the user authenticates to QRadar locally rather than through external authentication. Local Only authentication prevents unintended access to QRadar from the accounts that are configured in the external authentication repository.


Secure boot

In QRadar 7.5.0 Update Package 2 you can use secure boot to ensure that only trusted kernels and kernel modules are loaded when you start QRadar. Before it passes control to the kernel, the firmware verifies that the kernel and kernel modules are signed with a valid key that is stored in the system keyring.

New installations of QRadar 7.5.0 Update Package 2, and any existing EFI system that is upgraded to 7.5.0 Update Package 2, can turn on secure boot as long as the IBM public key has been imported into the system keyring.


Offense rule tests

In QRadar 7.5.0, there are two new offense rule tests: when an offense is closed and when an offense is modified. A modified offense rule test is applied when any offense property changes because of the events that are associated with that offense. Modified rule tests give you finer control over how and when rules fire.

A closed offense rule test is applied when the offense is closed.


More secure operating system

QRadar 7.5.0 runs on Red Hat® Enterprise Linux® version 7.9. The upgrade to RHEL V7.9 is necessary to continue receiving security updates from Red Hat Enterprise Linux.

OFFENSE_TIME function

In QRadar 7.5.0, use the new OFFENSE_TIME function to increase the speed of your offense queries.

The OFFENSE_TIME function limits the query to applicable times that an offense might be active.

For example, if you want to query for an offense within a time range, use the OFFENSE_TIME function together with the INOFFENSE function to limit the query to the times that the offense might have occurred.

SELECT * FROM events
 WHERE INOFFENSE(1) OFFENSE_TIME(1)
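The following is an added example, not IBM code, showing how such an offense-scoped query is typically run from a script through the Ariel REST API: build the AQL text, submit it, poll the search until it completes, then fetch the rows. It assumes the documented Ariel endpoints (POST /api/ariel/searches, GET /api/ariel/searches/{id} and GET /api/ariel/searches/{id}/results) and an authorized-service SEC token; the console host name, the token and the offense id are placeholders. Because the offense id is interpolated into query text, it is validated as an integer first.

```python
"""Run an offense-scoped AQL search (INOFFENSE + OFFENSE_TIME) via the Ariel REST API.

Added example, not IBM code. Endpoint paths follow the QRadar Ariel API;
console host, SEC token and offense id are placeholders (assumptions).
"""
import json
import ssl
import time
import urllib.parse
import urllib.request

DEFAULT_COLUMNS = ("starttime", "sourceip", "destinationip", "username")


def offense_events_query(offense_id, columns=DEFAULT_COLUMNS):
    """AQL for the events attached to one offense.

    INOFFENSE restricts rows to the offense; OFFENSE_TIME restricts the scan
    to the period in which the offense could have been active, so Ariel does
    not read every partition. Only a non-negative integer id is accepted,
    because the value is placed directly into query text."""
    if isinstance(offense_id, bool) or not isinstance(offense_id, int) or offense_id < 0:
        raise ValueError("offense_id must be a non-negative integer")
    return (f"SELECT {', '.join(columns)} FROM events "
            f"WHERE INOFFENSE({offense_id}) OFFENSE_TIME({offense_id})")


class ArielClient:
    """Minimal submit / poll / fetch client for Ariel searches."""

    TERMINAL_FAILURES = ("CANCELED", "ERROR")

    def __init__(self, console, sec_token, ca_bundle=None):
        self.base = f"https://{console}/api"
        self.headers = {"SEC": sec_token, "Accept": "application/json"}
        # Certificate verification stays on: point ca_bundle at the console's
        # issuing CA if it uses a private certificate instead of disabling checks.
        self.ctx = ssl.create_default_context(cafile=ca_bundle)

    def _call(self, method, path, params=None):
        url = self.base + path
        if params:
            url += "?" + urllib.parse.urlencode(params)
        req = urllib.request.Request(url, method=method, headers=self.headers)
        with urllib.request.urlopen(req, context=self.ctx, timeout=60) as resp:
            return json.load(resp)

    def search(self, aql, poll_seconds=2.0, max_wait=600.0):
        """Submit the query, wait for COMPLETED, return the event rows."""
        started = self._call("POST", "/ariel/searches", {"query_expression": aql})
        search_id = started["search_id"]
        deadline = time.monotonic() + max_wait
        while True:
            status = self._call("GET", f"/ariel/searches/{search_id}")["status"]
            if status == "COMPLETED":
                break
            if status in self.TERMINAL_FAILURES:
                raise RuntimeError(f"search {search_id} ended with status {status}")
            if time.monotonic() > deadline:
                raise TimeoutError(f"search {search_id} still {status} after {max_wait}s")
            time.sleep(poll_seconds)
        return self._call("GET", f"/ariel/searches/{search_id}/results")["events"]


if __name__ == "__main__":
    # Placeholders: replace with your console host and an authorized-service token.
    client = ArielClient("qradar-console.example.com", "SEC-TOKEN-PLACEHOLDER")
    for row in client.search(offense_events_query(1)):
        print(row)
```

Polling with a deadline matters in automation: an Ariel search that stays in WAIT or EXECUTE because the system is busy should fail the job visibly rather than hang the caller indefinitely.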


DISTINCTCOUNT function

In QRadar 7.5.0, use the new DISTINCTCOUNT function to return the number of distinct values of a field within an aggregate.

The DISTINCTCOUNT function uses the HyperLogLog+ approximation algorithm to calculate the unique count and operates with a constant memory requirement. The function supports unlimited data sets.

For example,

SELECT username, DISTINCTCOUNT(sourceip) AS CountSrcIP
FROM events
GROUP BY username
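To show what "HyperLogLog approximation with a constant memory requirement" means in practice, here is an added illustration that is not IBM code: a plain HyperLogLog sketch (without the "+" refinements of HyperLogLog+) applied to constructed event records, grouped by username the way the query above groups them, with an exact count alongside for comparison. The event data, field names and the register size (p = 14, 16 KiB per group) are assumptions made for the example.

```python
"""Approximate distinct counting with HyperLogLog, the technique behind DISTINCTCOUNT.

Added illustration, not IBM code. Uses a plain HyperLogLog sketch over
constructed events; the exact counter beside it shows the trade-off.
"""
import hashlib
import math


def _hash64(value: str) -> int:
    """Stable 64-bit hash (SHA-1 prefix) so every run gives the same estimate."""
    return int.from_bytes(hashlib.sha1(value.encode("utf-8")).digest()[:8], "big")


class HyperLogLog:
    """Sketch of 2**p one-byte registers; its size never depends on the input."""

    def __init__(self, p: int = 14):
        self.p = p
        self.m = 1 << p
        self.registers = bytearray(self.m)
        self.alpha = 0.7213 / (1 + 1.079 / self.m)  # bias constant for m >= 128

    def add(self, value: str) -> None:
        h = _hash64(value)
        idx = h >> (64 - self.p)                       # top p bits choose a register
        rest = h & ((1 << (64 - self.p)) - 1)          # remaining 64-p bits
        rank = (64 - self.p) - rest.bit_length() + 1   # leading zeros + 1
        if rank > self.registers[idx]:
            self.registers[idx] = rank

    def cardinality(self) -> float:
        z = sum(2.0 ** -r for r in self.registers)
        raw = self.alpha * self.m * self.m / z
        if raw <= 2.5 * self.m:                        # small-range correction
            zeros = self.registers.count(0)
            if zeros:
                return self.m * math.log(self.m / zeros)   # linear counting
        return raw

    def memory_bytes(self) -> int:
        return len(self.registers)


def distinct_count_by(events, group_field, count_field, p=14):
    """Like SELECT <group_field>, DISTINCTCOUNT(<count_field>) ... GROUP BY <group_field>."""
    sketches = {}
    for ev in events:
        sketch = sketches.get(ev[group_field])
        if sketch is None:
            sketch = sketches[ev[group_field]] = HyperLogLog(p)
        sketch.add(ev[count_field])
    return {key: round(s.cardinality()) for key, s in sketches.items()}


def exact_count_by(events, group_field, count_field):
    """Exact equivalent: one set per group, memory grows with distinct values."""
    seen = {}
    for ev in events:
        seen.setdefault(ev[group_field], set()).add(ev[count_field])
    return {key: len(values) for key, values in seen.items()}


# Constructed sample: distinct source addresses per user (assumed values).
SAMPLE_DISTINCT = {"alice": 5, "bob": 300, "svc-backup": 100000}


def make_events(distinct_per_user, repeats=2):
    """Constructed events: each user has N distinct 10.x.x.x addresses,
    every address repeated so the input contains duplicates."""
    events = []
    for user, n in distinct_per_user.items():
        for i in range(n):
            ip = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
            events.extend({"username": user, "sourceip": ip} for _ in range(repeats))
    return events


if __name__ == "__main__":
    events = make_events(SAMPLE_DISTINCT)
    approx = distinct_count_by(events, "username", "sourceip")
    exact = exact_count_by(events, "username", "sourceip")
    for user in SAMPLE_DISTINCT:
        print(f"{user:12} exact={exact[user]:7} hll={approx[user]:7}")
    print("sketch size per group:", HyperLogLog().memory_bytes(), "bytes")
```

The point to take from the run is that the sketch for "svc-backup" occupies the same 16 KiB as the one for "alice", while the exact set for 100,000 addresses grows with the data; the price is an estimate within about one percent rather than an exact figure, which is what makes DISTINCTCOUNT safe on unbounded data sets.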


Encryption of managed hosts enabled by default

To provide secure data transfer between each of the appliances in your environment, IBM QRadar integrates encryption support that uses OpenSSH. In QRadar 7.5.0, encryption between managed hosts is enabled by default when you add a managed host. Previously, you were required to manually enable encryption when you added a managed host.
