What's new for users in QRadar Network Insights 7.5.0

IBM QRadar Network Insights 7.5.0 provides users with more IBM X-Force Exchange integration and improvements to file type identification and application detection.

To learn more about the new features for installers, see What's new for installers in QRadar Network Insights 7.5.0.

Data extraction enhancements

New in 7.5.0 Update Package 6

The following improvements were made to data extractions:
  • MAC addresses are now supported.

    The MAC addresses that are extracted from the observed network traffic might not reflect the final MAC address of the client or server, depending on the number of hops that exist between the inspection point and the endpoints.

  • The HTTP Request URL property now includes the full arguments that are presented in the URL.

    For example, earlier versions of QRadar Network Insights did not extract the URL arguments and reported www.ibm.com/docs/en/qsip/7.5. Now, the same URL is extracted in full: www.ibm.com/docs/en/qsip/7.5?topic=installations-whats-new-in-qradar-network-insights.

    If you are using custom rules that assume that the arguments are not included in the URL, you must update them.
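One way to find rule patterns that depend on the old format, as an added example that is not IBM code: it runs each regex against the URL from this page with and without its arguments. The rule names and patterns are hypothetical and constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# The page's example URL as the HTTP Request URL property reports it
# before and after 7.5.0 Update Package 6.
OLD_VALUE = "www.ibm.com/docs/en/qsip/7.5"
NEW_VALUE = ("www.ibm.com/docs/en/qsip/7.5"
             "?topic=installations-whats-new-in-qradar-network-insights")

# Hypothetical custom-rule regexes (constructed for this example).
RULE_PATTERNS = {
    "exact_docs_page": r"^www\.ibm\.com/docs/en/qsip/7\.5$",
    "ends_with_version": r"/qsip/\d+\.\d+$",
    "path_chars_only": r"^[\w./-]+$",
    "any_ibm_docs": r"^www\.ibm\.com/docs/",
    "topic_argument": r"[?&]topic=",
}


def strip_arguments(url_value):
    """Drop the query string and fragment, giving the pre-Update Package 6 form."""
    # The property carries no scheme; '//' makes urlsplit treat the host as netloc.
    parts = urlsplit("//" + url_value)
    return parts.netloc + parts.path


def audit_patterns(patterns, old_value, new_value):
    """Classify each regex by its behaviour on the old and new property value."""
    report = {}
    for name, pattern in patterns.items():
        rx = re.compile(pattern)
        hit_old = rx.search(old_value) is not None
        hit_new = rx.search(new_value) is not None
        if hit_old and not hit_new:
            report[name] = "breaks"        # matched before, no longer matches
        elif hit_new and not hit_old:
            report[name] = "new-match"     # only matches now that arguments exist
        elif hit_old:
            report[name] = "unaffected"
        else:
            report[name] = "no-match"
    return report


if __name__ == "__main__":
    for rule, status in audit_patterns(RULE_PATTERNS, OLD_VALUE, NEW_VALUE).items():
        print(f"{rule:20} {status}")
    print("normalized:", strip_arguments(NEW_VALUE))
```

Patterns reported as "breaks" are the ones that anchor on the end of the URL or restrict its character set; they need to tolerate an optional argument string or be tested against the value with arguments removed.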

Configurable IBM X-Force Signature policies

New in 7.5.0 Update Package 5

Now you can update the Protocol Analysis Module (PAM) to configure which IBM X-Force Signature policies are reported on.

You can update PAM to use a preconfigured policy, or you can configure a policy for individual signatures. You can also change the way that QRadar Network Insights reports on attacks and audits.

Learn more about IBM X-Force Signature reporting...

Session Initiation Protocol (SIP) inspector removed

New in 7.5.0 Update Package 3

IBM QRadar Network Insights no longer inspects SIP traffic.

Learn more about the types of inspectors that are supported in QRadar Network Insights...

Performance improvements for the QRadar Network Insights 6500 appliance

New in 7.5.0 Update Package 1

QRadar Network Insights 7.5.0 Update Package 1 software and virtual appliance installations (appliance type 6500) now use the DPDK library to capture network traffic on appliances that use one of the following network interfaces:
  • Intel x520
  • Intel x710
  • VMware vmxnet3

The DPDK library provides better performance than the PF_RING library that is used in earlier versions of QRadar Network Insights. Network interface cards that DPDK uses are not visible to the operating system. You must use DPDK utilities to work with these interfaces.

Napatech-based appliances use a different library to process network data, so they are not affected by this change.

Learn more about inspection level performance in QRadar Network Insights...

Modified process for identifying file types

New in 7.5.0 Update Package 1

Earlier versions of QRadar Network Insights used the Apache Tika library to identify the file type, but only at the advanced inspection level.

QRadar Network Insights 7.5.0 Update Package 1 uses a different library to identify file types, and does the identification at all inspection levels as part of the main traffic inspection process.

With this change, fewer files are sent to the Apache Tika library for analysis, which might result in improved performance at the advanced inspection level. Individual performance improvements depend on the volume and type of files that are sent for analysis.

Learn more about inspection level performance in QRadar Network Insights...

More integration with IBM® X-Force®

QRadar Network Insights 7.5.0 introduces a new series of suspect content descriptions that are derived from IBM X-Force signatures. When a flow matches one or more of the X-Force signatures, the suspect content description is shown on the Network Activity tab.

Also introduced in this release, some properties on the Flow information window are directly integrated with IBM X-Force Exchange. With a single click, you can quickly determine whether the property value requires further investigation.

Learn more about IBM X-Force integration in QRadar Network Insights...

Improved application detection

QRadar Network Insights 7.5.0 includes protocol parsing improvements and can now analyze the payload to identify 300 more applications. By comparison, protocol inspectors in QRadar Network Insights 7.4.3 can identify 32 applications.

After the upgrade is complete, view these files to see the complete list of applications that can be identified:
  • /opt/ibm/xforce/metadata/protocols.hdr (column headers)
  • /opt/ibm/xforce/metadata/protocols.csv (values)

Learn more about application detection in QRadar Network Insights...

Some inspectors are no longer supported

IBM QRadar Network Insights 7.4.3 announced deprecation for the following inspectors:
  • All web domain inspectors
  • Myspace protocol inspector
  • SPDY protocol inspector

These inspectors were removed in IBM QRadar Network Insights 7.5.0.

Learn more about the types of inspectors that are supported in QRadar Network Insights...