QRadar

The IBM® QRadar® 7.5.0 family of products includes enhancements to operational efficiency and flow improvements. An update package includes new features, enhancements, and bug fixes to improve the performance and functionality of QRadar. They are available for download from the IBM Support Fix Central.

IBM QRadar Console-only DR by using Data Synchronization App

New in 7.5.0 Update Package 9
In QRadar 7.5.0 Update Package 9, Console-only disaster recovery (DR) feature is added. Console-only DR implementation is useful for customers in the following scenarios.
  • An actual disaster recovery where the console is not available but the other deployment hosts are still running.
  • A disaster recovery exercise where the main site is still available during the disaster recovery process.

You can switch deployment control from the main site console to the destination site console (failover) which activates your destination site. Later on, you can switch deployment control back to the main site from the destination site (failback) which reactivates your main site. The QRadar Console-only DR feature is supported in IBM QRadar Data Synchronization 3.2.0 and later.

IBM QRadar updated to dark theme

New in 7.5.0 Update Package 9

The IBM QRadar user interface (UI) is updated to a dark theme. The light mode option is no longer available. This update does not affect the functionality of the product.

CIDR data type for reference data

New in 7.5.0 Update Package 9

Added a new data type called CIDR (Classless Inter-Domain Routing) for reference data. The CIDR data type supports both IPv4 and IPv6 addresses. For more information, see Command reference for reference data utilities.

Monitor-only mode in RegexMonitor

New in 7.5.0 Update Package 9

RegexMonitor now supports an optional Monitor-only mode that can notify you about expensive artifacts that are detected during parsing without disabling them automatically.

Performance enhancements

New in 7.5.0 Update Package 9
  • Search performance is up to 2 times higher on Data Nodes in certain scenarios.
  • Quick Filter index generation is now faster on Data Nodes, and allows timely indexing of larger data volumes.
  • The JSON encoded offline forwarding speed is increased up to 80 times, depending on the forwarded event sizes and the custom properties used in forwarding.

RHEL8 support as RHEL7 reaches end of life

New in 7.5.0 Update Package 8

Red Hat® Enterprise Linux® 7 (RHEL) is end of life (EOL) as of June 2024. IBM QRadar 7.5.0 Update Package 8 upgrades the existing support for RHEL 7 to RHEL 8.

Attention: For existing customers there is a significant change to upgrade to RHEL 8. You must read the following topics before beginning your upgrade.

Minimum permitted app base image stream

New in 7.5.0 Update Package 8

In QRadar 7.5.0 Update Package 8, you can disable older base image streams that might have security vulnerabilities by using the new Minimum Permitted App Base Image Stream system setting on the Admin tab. For more information, see Minimum Permitted App Base Image Stream.

SSH extraction enhancements

New in 7.5.0 Update Package 8

In QRadar 7.5.0 Update Package 8, QRadar Network Insights introduces enhanced extraction for the SSH protocol. This functionality includes the extraction of several new fields around the SSH connection establishment and also the "Hassh" fingerprints of those connections.

New information Learn more about enriched inspection ...

Tunnelling enhancements

New in 7.5.0 Update Package 8

QRadar Network Insights introduces enhanced protocol support for GRE and ERSPAN network traffic and new common features for all tunneled network traffic (including the existing VXLAN support).

New information Learn more about enriched inspection ...

Leapp pretest added for RHEL8 migration

New in 7.5.0 Update Package 8

You must run a Leapp pretest on your console or managed host before you upgrade from Red Hat Enterprise Linux V7.9 to Red Hat Enterprise Linux V8.8 to reduce the risk of failure. If the Leapp pretest fails on your deployment, the upgrade is blocked.

To run the Leapp pretest before you run the upgrade installer, use the following command:
/media/updates/installer --leapp-only

New informationLearn more about Upgrading QRadar SIEM to 7.5.0 UP8...

Read-only configuration

New in 7.5.0 Update Package 8

In QRadar 7.5.0 Update Package 8, Read-only Configuration permission on the User Role Management window grants permission to view other users without the ability to create or edit them.

New in 7.5.0 Update Package 7

In QRadar 7.5.0 Update Package 7, the new Read-only Configuration permission on the User Role Management window grants users permission to view, but not create or edit, log sources or offenses.

New informationLearn more about Creating a user role...

New WinCollect update package for QRadar 7.5.0UP8

New in 7.5.0 Update Package 8

WinCollect 7.3.1 P3 supports QRadar UP8 or later. If your QRadar system is upgraded to UP8 or later but is running WC 7.3.1 P1 or earlier, you must upgrade to WinCollect 7.3.1 P3 so that the agents work properly. For more information, see the ‘Known issues’ section in this release note: https://www.ibm.com/support/pages/node/7029393 and this tech note: https://www.ibm.com/support/pages/node/6953887.

New WinCollect update package for QRadar 7.5.0 Update Package 8

New in 7.5.0 Update Package 8

WinCollect 7.3.1 P3 supports QRadar 7.5.0 Update Package 8 or later. If your QRadar system is upgraded to UP8 or later but is running WC 7.3.1 P1 or earlier, you must upgrade to WinCollect 7.3.1 P3 so that the agents work properly. For more information, see the ‘Known issues’ section in this release note: https://www.ibm.com/support/pages/node/7029393 and this tech note: https://www.ibm.com/support/pages/node/6953887.

LDAP server synchronization changes

New in 7.5.0 Update Package 3

When you upgrade to QRadar 7.5.0 Update Package 3 or later and you run LDAP synchronization if the system finds a user that is no longer in the LDAP server and is not set to Local Fallback or set as Local Only, that user is disabled in QRadar. If the user is set to Local Fallback or set as Local Only, then the user is not disabled but is flagged on the User Management page. A system notification is sent to inform the administrator of the change to the user account.

New informationLearn more about LDAP synchronization...

Local only authentication

New in 7.5.0 Update Package 2

When you upgrade to QRadar 7.5.0 Update Package 2 or later, the Manage Local Only Authentication role is added to manage the Local Only authentication for users. Local Only authentication is a setting that is used when external authentication is enabled on IBM QRadar. Setting Local Only authentication to true for a user ensures that the user authenticates to QRadar locally rather than through external authentication. Local Only authentication prevents unintended access to QRadar from the accounts that are configured in the external authentication repository.

New informationLearn more about Local Only authentication...

Secure boot

New in 7.5.0 Update Package 2

In QRadar 7.5.0 Update Package 2 you can use secure boot to ensure that only trusted kernels and kernel modules are loaded when you start QRadar. The firmware ensures that the kernel and kernel modules are signed and a valid key is stored in the system keyring before passing control to the kernel.

QRadar 7.5.0 Update Package 2 and any current EFI systems that is upgraded to 7.5.0 Update Package 2 can turn on secure boot as long as the IBM public key has been imported into the system keyring.

New informationLearn more about secure boot...

Offense rule tests

New in 7.5.0

In QRadar 7.5.0, there are two new offense rule tests: when an offense is closed and when an offense is modified. A modified offense rule test is applied when any offense property is changed based on the events that are associated with that offense. Modified rule tests allow for better configuration of how and when rules are implemented.

A closed offense rule test is applied when the offense is closed.

New information Learn more about modified offense rule tests...

More secure operating system

New in 7.5.0

QRadar 7.5.0 runs on Red Hat Enterprise Linux version 7.9. The upgrade to RHEL V7.9 is necessary to continue receiving security updates from Red Hat Enterprise Linux.

OFFENSE_TIME function

New in 7.5.0

In QRadar 7.5.0, use the new OFFENSE_TIME function to increase the speed of your offense queries.

The OFFENSE_TIME function limits the query to applicable times that an offense might be active.

For example, if you want to query for an offense within a time range, use the OFFENSE_TIME function together with the IN_OFFENSE function to limit the query to the times that the offense might have occurred.

SELECT * FROM events
 WHERE INOFFENSE(1) times OFFENSE_TIME(1)

New information Learn more about AQL data retrieval functions...

DISTINCTCOUNT function

New in 7.5.0

In QRadar 7.5.0, use the new DISTINCTCOUNT function to return the unique count of the value in the aggregate.

The DISTINCTCOUNT function uses the HyperLogLog+ approximation algorithm to calculate the unique count and operates with a constant memory requirement. The function supports unlimited data sets.

For example,

SELECT username, 
DISTINCTCOUNTCOUNT(sourceip) 
AS CountSrcIP
FROM events 
GROUP BY username 

New information Learn more about AQL data aggregation functions...

Encryption of managed hosts enabled by default

New in 7.5.0

To provide secure data transfer between each of the appliances in your environment, IBM QRadar integrates encryption support that uses OpenSSH. In QRadar 7.5.0, encryption between managed hosts is enabled by default when you add a managed host. Previously, you were required to manually enable encryption when you added a managed host.

New information Learn more about encryption of managed hosts...