QRadar

The IBM QRadar 7.5.0 family of products includes enhancements to operational efficiency and flow improvements. An update package includes new features, enhancements, and bug fixes that improve the performance and functionality of QRadar. Update packages are available for download from IBM Support Fix Central.

Light and Dark UI theme in IBM QRadar

New in 7.5.0 Update Package 10

In QRadar 7.5.0 Update Package 10, you can change the IBM QRadar user-interface (UI) theme to your preferred mode. To change the UI theme, go to the Theme drop-down in the User Preferences tab, and select the Light or Dark option.

Parallel patching

New in 7.5.0 Update Package 10

After you upgrade the QRadar Console, you can upgrade all other managed hosts in parallel. A new reporting service is introduced to capture and display the status of managed hosts on the Console.

Important:
  1. If a high number of managed hosts are attached to the deployment before a Console HA is removed, parallel patching for the detached or removed Console HA can increase the upgrade time. Use the legacy upgrade process to upgrade a detached or removed Console HA.
  2. If a managed host fails to upgrade and the Exit parallel patching option is selected, a console reboot occurs. To continue the upgrade, complete the following steps:
    • Remount the SFS file and select Parallel patching.
    • Select Check patching status, and then select Parallel patching to start the upgrade.

WinCollectHealthCheck.sh support script

New in 7.5.0 Update Package 10
To use managed WinCollect after you upgrade to QRadar 7.5.0 Update Package 10, complete the following steps to configure the iptables rules by using the updated WinCollectHealthCheck.sh support script.
  1. Upgrade to QRadar 7.5.0 Update Package 10.
  2. Apply Auto Updates to pull the latest support tools.
  3. Run the following script.
    /opt/qradar/support/WinCollectHealthCheck.sh
  4. Verify that the iptables rules are successfully configured.

If an issue occurs when the iptables rules are configured, an error message with a manual workaround is displayed.

Disabled 24 Java ciphers

New in 7.5.0 Update Package 10

The following Java ciphers are disabled in QRadar 7.5.0 Update Package 10.

jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, DH keySize < 1024, DESede, 3DES_EDE_CBC, anon, NULL, DES_CBC, SHA1, DHE, SSL_RSA_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_AES_256_CBC_SHA256, EC keySize < 224, include jdk.disabled.namedCurves

If the disabled ciphers cause issues with customer deployments, you can add or remove ciphers from the configuration file.
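Before the upgrade, it is worth knowing which TLS cipher suites offered by your log sources, LDAP servers and API clients this policy will reject. The following added example (not IBM code) parses the jdk.tls.disabledAlgorithms value above and reports, for each suite name, which policy entry blocks it. The component-matching rule and the small ALIASES table are an approximation of the JDK's own constraint logic (assumed here, not taken from the page); key-size constraints and the include directive are parsed but only apply to keys and named curves, not to suite names.

```python
import re

# Value copied from the QRadar 7.5.0 Update Package 10 release note above.
DISABLED = ("SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, DH keySize < 1024, "
            "DESede, 3DES_EDE_CBC, anon, NULL, DES_CBC, SHA1, DHE, "
            "SSL_RSA_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_AES_256_GCM_SHA384, "
            "TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA, "
            "TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA, "
            "SSL_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_AES_256_CBC_SHA256, "
            "EC keySize < 224, include jdk.disabled.namedCurves")

# Assumption: hand-made table of how policy spellings appear inside suite names.
ALIASES = {"SHA1": {"SHA"}, "DESede": {"3DES_EDE_CBC", "3DES"}}

def parse_policy(value):
    """Split the property into bare names, key-size constraints and includes."""
    names, sizes, includes = set(), [], []
    for entry in (e.strip() for e in value.split(",")):
        m = re.fullmatch(r"(\w+)\s+keySize\s*([<>]=?)\s*(\d+)", entry)
        if m:
            sizes.append((m.group(1), m.group(2), int(m.group(3))))
        elif entry.startswith("include "):
            includes.append(entry.split(None, 1)[1])
        elif entry:
            names.add(entry)
    return names, sizes, includes

def suite_components(suite):
    """TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA -> {'ECDHE','RSA','AES_128_CBC','SHA',...}."""
    body = suite.split("_", 1)[1]                 # drop the TLS_/SSL_ prefix
    kx, sep, cipher_mac = body.partition("_WITH_")
    if not sep:                                   # TLS 1.3 names carry no key exchange
        kx, cipher_mac = "", kx
    cipher, _, mac = cipher_mac.rpartition("_")
    parts = {cipher, mac, *kx.split("_"), *cipher.split("_")}
    parts.discard("")
    return parts

def blocking_entries(suite, policy_names):
    """Policy entries that block the suite, sorted; an empty list means allowed."""
    comps = suite_components(suite)
    return sorted(n for n in policy_names
                  if n == suite or ({n} | ALIASES.get(n, set())) & comps)

def audit(suites, value=DISABLED):
    """Map each offered suite (e.g. from a scan of a log source) to its blockers."""
    names, _sizes, _includes = parse_policy(value)
    return {s: blocking_entries(s, names) for s in suites}
```

Run audit() over the suite list from a TLS scan of each integration host; any suite with a non-empty list is one the upgraded Java stack will refuse.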

Performance enhancements for event and flow searches

New in 7.5.0 Update Package 10
  • Improved event and flow search stability and performance for large deployments, high query concurrency, and complex data sets by managing memory more effectively.
  • Event and flow searches that interact with IPv6 addresses are up to 200 times faster.

IPv6 capabilities for FISMA

New in 7.5.0 Update Package 10
In QRadar 7.5.0 Update Package 10, the following new capabilities are added for Federal Information Security Modernization Act (FISMA):
  • Scanner integrations can now forward IPv6 addresses to the Asset Profiler.
  • Asset profiling is supported for IPv6 host addresses, and processing of link-local addresses is optional.
  • IPv6 addresses in syslog headers can now be parsed for Log Source IDs.
  • Updated several DSMs and scanner integrations to improve IPv6 parsing.
  • Validated Custom Rules Engine (CRE) rule tests with IPv6 address fields.
  • Added support for right-click filters on IPv6 address fields.
  • Network configuration is now completed for IPv6 during the installation process.
  • Revalidated several applications to work in pure IPv6 networks.
  • Verified remote nets and GeoData to work with IPv6 content.
  • Improved search performance on IPv6 address fields.

IBM QRadar Console-only DR by using Data Synchronization App

New in 7.5.0 Update Package 9
In QRadar 7.5.0 Update Package 9, the Console-only disaster recovery (DR) feature is added. A Console-only DR implementation is useful for customers in the following scenarios:
  • An actual disaster recovery where the console is not available but the other deployment hosts are still running.
  • A disaster recovery exercise where the main site is still available during the disaster recovery process.

You can switch deployment control from the main site console to the destination site console (failover), which activates your destination site. Later, you can switch deployment control back to the main site from the destination site (failback), which reactivates your main site. The QRadar Console-only DR feature is supported in IBM QRadar Data Synchronization 3.2.0 and later.

IBM QRadar updated to dark theme

New in 7.5.0 Update Package 9

The IBM QRadar user interface (UI) is updated to a dark theme. The light mode option is no longer available. This update does not affect the functionality of the product.

CIDR data type for reference data

New in 7.5.0 Update Package 9

Added a data type for reference data called CIDR (Classless Inter-Domain Routing). The CIDR data type supports both IPv4 and IPv6 addresses.

Monitor-only mode in RegexMonitor

New in 7.5.0 Update Package 9

RegexMonitor now supports an optional Monitor-only mode that can notify you about expensive artifacts that are detected during parsing without disabling them automatically.

Performance enhancements

New in 7.5.0 Update Package 9
  • Search performance is up to 2 times higher on Data Nodes in certain scenarios.
  • Quick Filter index generation is now faster on Data Nodes, and allows timely indexing of larger data volumes.
  • JSON-encoded offline forwarding is up to 80 times faster, depending on the forwarded event sizes and the custom properties used in forwarding.

RHEL8 support as RHEL7 reaches end of life

New in 7.5.0 Update Package 8

Red Hat® Enterprise Linux® 7 (RHEL 7) is end of life (EOL) as of June 2024. IBM QRadar 7.5.0 Update Package 8 moves the existing RHEL 7 support to RHEL 8.

Attention: For existing customers, significant changes are made to upgrade to RHEL 8. Read the following topics before you begin your upgrade.

Minimum permitted app base image stream

New in 7.5.0 Update Package 8

In QRadar 7.5.0 Update Package 8, you can disable older base image streams that might have security vulnerabilities by using the new Minimum Permitted App Base Image Stream system setting on the Admin tab.

SSH extraction enhancements

New in 7.5.0 Update Package 8

In QRadar 7.5.0 Update Package 8, QRadar Network Insights introduces enhanced extraction for the SSH protocol. This functionality includes the extraction of several new fields from SSH connection establishment, together with the HASSH fingerprints of those connections.

Tunnelling enhancements

New in 7.5.0 Update Package 8

QRadar Network Insights introduces enhanced protocol support for GRE and ERSPAN network traffic and new common features for all tunneled network traffic (including the existing VXLAN support).

Leapp pretest added for RHEL8 migration

New in 7.5.0 Update Package 8

Run a Leapp pretest on your console or managed host before you upgrade from Red Hat Enterprise Linux V7.9 to Red Hat Enterprise Linux V8.8 to reduce the risk of failure. If the Leapp pretest fails on your deployment, the upgrade is blocked.

To run the Leapp pretest before you run the upgrade installer, use the following command:
/media/updates/installer --leapp-only

Read-only configuration

New in 7.5.0 Update Package 8

In QRadar 7.5.0 Update Package 8, the Read-only Configuration permission on the User Role Management window grants a user permission to view other users, but not to create or edit them.

New in 7.5.0 Update Package 7

In QRadar 7.5.0 Update Package 7, the new Read-only Configuration permission on the User Role Management window grants users permission to view, but not create or edit, log sources or offenses.

New WinCollect update package for QRadar

New in 7.5.0 Update Package 8

WinCollect 7.3.1 P3 supports QRadar 7.5.0 Update Package 8 or later. If your QRadar system is upgraded to UP8 or later but is running WinCollect 7.3.1 P1 or earlier, upgrade to WinCollect 7.3.1 P3 so that the agents work properly. For more information, see release note 7029393 and technote 6953887.

LDAP server synchronization changes

New in 7.5.0 Update Package 3

When you upgrade to QRadar 7.5.0 Update Package 3 or later and run LDAP synchronization, a user who is no longer in the LDAP server and is not set to Local Fallback or Local Only is disabled in QRadar. If the user is set to Local Fallback or Local Only, the user is not disabled but is flagged on the User Management page. A system notification informs the administrator of the change to the user account.

Local only authentication

New in 7.5.0 Update Package 2

When you upgrade to QRadar 7.5.0 Update Package 2 or later, the Manage Local Only Authentication role is added to manage the Local Only authentication for users. Local Only authentication is a setting that is used when external authentication is enabled on IBM QRadar. Setting Local Only authentication to true for a user makes sure that the user authenticates to QRadar locally rather than through external authentication. Local Only authentication prevents unintended access to QRadar from the accounts that are configured in the external authentication repository.

Secure boot

New in 7.5.0 Update Package 2

In QRadar 7.5.0 Update Package 2, you can use secure boot to make sure that only trusted kernels and kernel modules are loaded when you start QRadar. The firmware verifies that the kernel and kernel modules are signed and that a valid key is stored in the system keyring before control is passed to the kernel.

QRadar 7.5.0 Update Package 2 and any current EFI systems that are upgraded to 7.5.0 Update Package 2 can turn on secure boot when the IBM public key is imported into the system keyring.

Offense rule tests

New in 7.5.0

In QRadar 7.5.0, there are two new offense rule tests: when an offense is closed and when an offense is modified. A modified offense rule test is applied when any offense property is changed based on the events that are associated with that offense. Modified rule tests allow for better configuration of how and when rules are implemented.

A closed offense rule test is applied when the offense is closed.

More secure operating system

New in 7.5.0

QRadar 7.5.0 runs on Red Hat Enterprise Linux version 7.9. The upgrade to RHEL V7.9 is necessary to continue receiving security updates from Red Hat Enterprise Linux.

OFFENSE_TIME function

New in 7.5.0

In QRadar 7.5.0, use the new OFFENSE_TIME function to increase the speed of your offense queries.

The OFFENSE_TIME function limits the query to applicable times that an offense might be active.

For example, if you want to query for an offense within a time range, use the OFFENSE_TIME function together with the INOFFENSE function to limit the query to the times that the offense might have occurred.

SELECT * FROM events
 WHERE INOFFENSE(1) times OFFENSE_TIME(1)

DISTINCTCOUNT function

New in 7.5.0

In QRadar 7.5.0, use the new DISTINCTCOUNT function to return the unique count of the value in the aggregate.

The DISTINCTCOUNT function uses the HyperLogLog+ approximation algorithm to calculate the unique count and operates with a constant memory requirement. The function supports unlimited data sets.

For example,

SELECT username,
  DISTINCTCOUNT(sourceip) AS CountSrcIP
FROM events
GROUP BY username

Encryption of managed hosts enabled by default

New in 7.5.0

To provide secure data transfer between each of the appliances in your environment, IBM QRadar integrates encryption support that uses OpenSSH. In QRadar 7.5.0, encryption between managed hosts is enabled by default when you add a managed host. Previously, you were required to manually enable encryption when you added a managed host.