What's new in QRadar Network Insights 7.5.0

IBM QRadar Network Insights 7.5.0 includes new features and enhancements.

SSH extraction enhancements

New in 7.5.0 Update Package 8

QRadar Network Insights introduces enhanced extraction for the SSH protocol. This functionality extracts several new fields from SSH connection establishment, along with the "Hassh" fingerprints of those connections. For more information, see Enriched inspection.

Tunnelling enhancements

New in 7.5.0 Update Package 8

QRadar Network Insights introduces enhanced protocol support for GRE and ERSPAN network traffic and new common features for all tunneled network traffic (including the existing VXLAN support). For more information, see Enriched inspection.

Data extraction enhancements

New in 7.5.0 Update Package 6

The following improvements were made to data extractions:
  • MAC addresses are now supported.

    The MAC addresses that are extracted from the observed network traffic might not reflect the final MAC address of the client or server, depending on the number of hops that exist between the inspection point and the endpoints.

  • The HTTP Request URL property now includes the full arguments that are presented in the URL.

    For example, in earlier versions of QRadar Network Insights, the URL arguments were not extracted: www.ibm.com/docs/en/qsip/7.5. Now, the same URL is extracted in full: www.ibm.com/docs/en/qsip/7.5?topic=installations-whats-new-in-qradar-network-insights.

    If you are using custom rules that assume that the arguments are not included in the URL, you must update them.
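
One way to find custom rules affected by the HTTP Request URL change is to evaluate each URL pattern against both forms of the same request and flag any whose verdict differs. This is an added example, not IBM code: the rule names and patterns are hypothetical, the sample URLs are the two forms quoted above, and Python `re` semantics stand in for the rule engine's own matching.

```python
import re

# The two forms of the same request, as quoted in the text above.
URL_BEFORE = "www.ibm.com/docs/en/qsip/7.5"
URL_AFTER = ("www.ibm.com/docs/en/qsip/7.5"
             "?topic=installations-whats-new-in-qradar-network-insights")

# Hypothetical custom-rule patterns, constructed for illustration.
RULE_PATTERNS = {
    "exact-path": r"^www\.ibm\.com/docs/en/qsip/7\.5$",
    "ends-with-version": r"/qsip/7\.5$",
    "prefix-only": r"^www\.ibm\.com/docs/",
    "keyword-anywhere": r"whats-new",
}

def strip_arguments(url):
    """Return the URL without its arguments (the form extracted before Update Package 6)."""
    return url.split("?", 1)[0]

def audit_rules(patterns, urls_with_args):
    """Map rule name -> [(url, old_verdict, new_verdict)] where the verdict changed."""
    changed = {}
    for name, pattern in patterns.items():
        rx = re.compile(pattern)
        for url in urls_with_args:
            old = bool(rx.search(strip_arguments(url)))
            new = bool(rx.search(url))
            if old != new:
                changed.setdefault(name, []).append((url, old, new))
    return changed

def path_anchored(pattern):
    """Let an end-anchored pattern tolerate an optional argument string.

    Simple heuristic: only rewrites a trailing, unescaped '$'.
    """
    if pattern.endswith("$") and not pattern.endswith(r"\$"):
        return pattern[:-1] + r"(?:\?.*)?$"
    return pattern

if __name__ == "__main__":
    for name, hits in audit_rules(RULE_PATTERNS, [URL_AFTER]).items():
        for url, old, new in hits:
            print(f"{name}: matched before={old}, matches now={new}")
```

End-anchored patterns stop matching once arguments are present, while unanchored keyword patterns can start matching on argument text; the second kind needs a manual decision about whether arguments are in scope for the rule.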

Configurable IBM X-Force Signature policies

New in 7.5.0 Update Package 5

Now you can update the Protocol Analysis Module (PAM) to configure which IBM X-Force Signature policies are reported on.

You can update PAM to use a preconfigured policy, or you can configure a policy for individual signatures. You can also change the way that QRadar Network Insights reports on attacks and audits.

Learn more about IBM X-Force Signature reporting...

Deprecation for NT40E3 network interface card

New in 7.5.0 Update Package 4

Support for the Napatech NT40E3 network interface card is deprecated in QRadar Network Insights 7.5.0 Update Package 4.

It is recommended that new QRadar Network Insights software installations (appliance type 6500) use the Napatech NT100A01 network interface card.

Learn more about installing QRadar Network Insights on your own hardware...

New installation option for the QRadar Network Insights 1940 appliance

New in 7.5.0 Update Package 3

QRadar Network Insights 7.5.0 Update Package 3 introduces a new 6610 appliance type. With the QRadar Network Insights 6610 appliance, you can connect 4x10G breakout cables to the primary Napatech card.

During the installation, the firmware on the Napatech cards is updated. Each card takes approximately 5 minutes to update, which causes the installation to run a bit longer than when you install other appliance types.

Learn more about the 6610 appliance type...

Session Initiation Protocol (SIP) inspector removed

New in 7.5.0 Update Package 3

IBM QRadar Network Insights no longer inspects SIP traffic.

Learn more about the types of inspectors that are supported in QRadar Network Insights...

Performance improvements for the QRadar Network Insights 6500 appliance

New in 7.5.0 Update Package 1

QRadar Network Insights 7.5.0 Update Package 1 software and virtual appliance installations (appliance type 6500) now use the DPDK library to capture network traffic on appliances that use one of the following network interfaces:
  • Intel x520
  • Intel x710
  • VMware vmxnet3

The DPDK library provides better performance than the PF_RING library that is used in earlier versions of QRadar Network Insights. Network interface cards that DPDK uses are not visible to the operating system. You must use DPDK utilities to work with these interfaces.

Napatech-based appliances use a different library to process network data, so they are not affected by this change.

Learn more about inspection level performance in QRadar Network Insights...

Modified process for identifying file types

New in 7.5.0 Update Package 1

Earlier versions of QRadar Network Insights used the Apache Tika library to identify the file type, but only at the advanced inspection level.

QRadar Network Insights 7.5.0 Update Package 1 uses a different library to identify file types, and does the identification at all inspection levels as part of the main traffic inspection process.

With this change, fewer files are sent to the Apache Tika library for analysis, which might result in improved performance at the advanced inspection level. Individual performance improvements depend on the volume and type of files that are sent for analysis.

Learn more about inspection level performance in QRadar Network Insights...

More integration with IBM® X-Force®

QRadar Network Insights 7.5.0 introduces a new series of suspect content descriptions that are derived from IBM X-Force signatures. When a flow matches one or more of the X-Force signatures, the suspect content description is shown on the Network Activity tab.

Also introduced in this release, some properties on the Flow information window are directly integrated with IBM X-Force Exchange. With a single click, you can quickly determine whether the property value requires further investigation.

Learn more about IBM X-Force integration in QRadar Network Insights...

Improved application detection

QRadar Network Insights 7.5.0 includes protocol parsing improvements and can now analyze the payload to identify 300 more applications. By comparison, protocol inspectors in QRadar Network Insights 7.4.3 can identify 32 applications.

After the upgrade is complete, view these files to see the complete list of applications that can be identified:
  • /opt/ibm/xforce/metadata/protocols.hdr (column headers)
  • /opt/ibm/xforce/metadata/protocols.csv (values)

Learn more about application detection in QRadar Network Insights...

Data aggregation and segmentation

QRadar Network Insights 7.5.0 includes improvements to the way that data is segmented and aggregated.

Flows that are received through any supported network interface on the same NUMA node are now aggregated together when the following properties match:
  • IP address
  • Ports (TCP/UDP)
  • Protocol
  • VLAN IDs
  • VXLAN Identifier

Learn more about domain segmentation in QRadar Network Insights...

Network inspection performance

The network inspection performance at the basic and enriched inspection levels is increased in IBM QRadar Network Insights 7.5.0.

Important:

System performance and data throughput depend on many factors, including the amount of multiprogramming in the job stream, I/O configuration, storage configuration, and the workload volume that is processed. Individual performance improvements are not guaranteed.

Learn more about inspection level performance in QRadar Network Insights...

Some inspectors are no longer supported

IBM QRadar Network Insights 7.4.3 announced deprecation for the following inspectors:
  • All web domain inspectors
  • Myspace protocol inspector
  • SPDY protocol inspector

These inspectors were removed in IBM QRadar Network Insights 7.5.0.

Learn more about the types of inspectors that are supported in QRadar Network Insights...