What's new in QRadar Network Insights 7.5.0
IBM QRadar Network Insights 7.5.0 includes new features and enhancements.
SSH extraction enhancements
New in 7.5.0 Update Package 8
QRadar Network Insights introduces enhanced extraction for the SSH protocol. This functionality includes the extraction of several new fields around the SSH connection establishment and also the "Hassh" fingerprints of those connections. For more information, see Enriched inspection.
Tunnelling enhancements
New in 7.5.0 Update Package 8
QRadar Network Insights introduces enhanced protocol support for GRE and ERSPAN network traffic and new common features for all tunneled network traffic (including the existing VXLAN support). For more information, see Enriched inspection.
Data extraction enhancements
New in 7.5.0 Update Package 6
- MAC addresses are now supported.
The MAC addresses that are extracted from the observed network traffic might not reflect the final MAC address of the client or server, depending on the number of hops that exist between the inspection point and the endpoints.
- The HTTP Request URL property now includes the full arguments that are presented in the URL. For example, in earlier versions of QRadar Network Insights, the URL arguments were not extracted; www.ibm.com/docs/en/qsip/7.5. Now, the same URL extraction is more complete; www.ibm.com/docs/en/qsip/7.5?topic=installations-whats-new-in-qradar-network-insights.
If you are using custom rules that assume that the arguments are not included in the URL, you must update them.
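The following added example (not IBM code or QRadar content) shows one way to find rule patterns that the Request URL change described above affects: it runs each pattern against the same URL with and without its arguments and reports the patterns whose verdict changes. The rule names and patterns are constructed for illustration, and Python regular expressions stand in for whatever matching syntax your rules use.

```python
import re

# The two forms of the same Request URL value, taken from the text above.
OLD_VALUE = "www.ibm.com/docs/en/qsip/7.5"
NEW_VALUE = ("www.ibm.com/docs/en/qsip/7.5"
             "?topic=installations-whats-new-in-qradar-network-insights")

# Constructed rule patterns (hypothetical names, not shipped QRadar rules).
RULE_PATTERNS = {
    "exact-docs-page": r"^www\.ibm\.com/docs/en/qsip/7\.5$",
    "docs-prefix": r"^www\.ibm\.com/docs/",
    "ends-with-version": r"/\d+\.\d+$",
}


def strip_arguments(url):
    """Return the URL without its arguments (the form extracted before Update Package 6)."""
    return url.partition("?")[0]


def audit(patterns, urls_with_args):
    """Return the names of patterns whose match result changes once arguments are present."""
    affected = []
    for name, pattern in patterns.items():
        rx = re.compile(pattern)
        for url in urls_with_args:
            before = bool(rx.search(strip_arguments(url)))
            after = bool(rx.search(url))
            if before != after:
                affected.append(name)
                break
    return affected


def widen_end_anchor(pattern):
    """Let a trailing `$` anchor also accept a following `?arguments` part.

    This keeps the old verdict for the path but accepts any arguments, so
    review each widened rule; a literal `\\$` at the end is left untouched.
    """
    if pattern.endswith("$") and not pattern.endswith(r"\$"):
        return pattern[:-1] + r"(?:\?.*)?$"
    return pattern


if __name__ == "__main__":
    print("affected:", audit(RULE_PATTERNS, [NEW_VALUE]))
    fixed = {n: widen_end_anchor(p) for n, p in RULE_PATTERNS.items()}
    print("affected after widening:", audit(fixed, [NEW_VALUE]))
```

Patterns that only anchor at the start, such as the constructed `docs-prefix`, are unaffected; patterns that anchor at the end of the URL are the ones to review.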
Configurable IBM X-Force Signature policies
New in 7.5.0 Update Package 5
Now you can update the Protocol Analysis Module (PAM) to configure which IBM X-Force Signature policies are reported on.
You can update PAM to use a preconfigured policy, or you can configure a policy for individual signatures. You can also change the way that QRadar Network Insights reports on attacks and audits.
Deprecation for NT40E3 network interface card
New in 7.5.0 Update Package 4
Support for the Napatech NT40E3 network interface card is deprecated in QRadar Network Insights 7.5.0 Update Package 4.
It is recommended that new QRadar Network Insights software installations (appliance type 6500) use the Napatech NT100A01 network interface card.
Learn more about installing QRadar Network Insights on your own hardware...
New installation option for the QRadar Network Insights 1940 appliance
New in 7.5.0 Update Package 3
QRadar Network Insights 7.5.0 Update Package 3 introduces a new 6610 appliance type. With the QRadar Network Insights 6610 appliance, you can connect 4x10G breakout cables to the primary Napatech card.
During the installation, the firmware on the Napatech cards is updated. Each card takes approximately 5 minutes to update, which causes the installation to run a bit longer than when you install other appliance types.
Session Initiation Protocol (SIP) inspector removed
New in 7.5.0 Update Package 3
IBM QRadar Network Insights no longer inspects SIP traffic.
Learn more about the types of inspectors that are supported in QRadar Network Insights...
Performance improvements for the QRadar Network Insights 6500 appliance
New in 7.5.0 Update Package 1
- Intel x520
- Intel x710
- VMware vmxnet3
The DPDK library provides better performance than the PF_RING library that is used in earlier versions of QRadar Network Insights. Network interface cards that DPDK uses are not visible to the operating system. You must use DPDK utilities to work with these interfaces.
Napatech-based appliances use a different library to process network data, so they are not affected by this change.
Learn more about inspection level performance in QRadar Network Insights...
Modified process for identifying file types
New in 7.5.0 Update Package 1
Earlier versions of QRadar Network Insights used the Apache Tika library to identify the file type, but only at the advanced inspection level.
QRadar Network Insights 7.5.0 Update Package 1 uses a different library to identify file types, and does the identification at all inspection levels as part of the main traffic inspection process.
With this change, fewer files are sent to the Apache Tika library for analysis, which might result in improved performance at the advanced inspection level. Individual performance improvements depend on the volume and type of files that are sent for analysis.
Learn more about inspection level performance in QRadar Network Insights...
More integration with IBM® X-Force®
QRadar Network Insights 7.5.0 introduces a new series of suspect content descriptions that are derived from IBM X-Force signatures. When a flow matches one or more of the X-Force signatures, the suspect content description is shown on the Network Activity tab.
Also introduced in this release, some properties on the Flow information window are directly integrated with IBM X-Force Exchange. With a single click, you can quickly determine whether the property value requires further investigation.
Learn more about IBM X-Force integration in QRadar Network Insights...
Improved application detection
QRadar Network Insights 7.5.0 includes protocol parsing improvements and can now analyze the payload to identify 300 more applications. By comparison, protocol inspectors in QRadar Network Insights 7.4.3 can identify 32 applications.
After the upgrade is complete, view these files to see the complete list of applications that can be identified:
- /opt/ibm/xforce/metadata/protocols.hdr (column headers)
- /opt/ibm/xforce/metadata/protocols.csv (values)
Learn more about application detection in QRadar Network Insights...
Data aggregation and segmentation
QRadar Network Insights 7.5.0 includes improvements to the way that data is segmented and aggregated.
- IP address
- Ports (TCP/UDP)
- Protocol
- VLAN IDs
- VXLAN Identifier
Learn more about domain segmentation in QRadar Network Insights...
Network inspection performance
The network inspection performance at the basic and enriched inspection levels is increased in IBM QRadar Network Insights 7.5.0.
System performance and data throughput depend on many factors, including the amount of multiprogramming in the job stream, I/O configuration, storage configuration, and the workload volume that is processed. Individual performance improvements are not guaranteed.
Learn more about inspection level performance in QRadar Network Insights...
Some inspectors are no longer supported
- All web domain inspectors
- Myspace protocol inspector
- SPDY protocol inspector
These inspectors were removed in IBM QRadar Network Insights 7.5.0.
Learn more about the types of inspectors that are supported in QRadar Network Insights...