IBM Support

QRadar 6.3.1 to 7.0 upgrade options for tuning templates

Question & Answer


Question

I am trying to upgrade from 6.3.1 to 7.0. Are there any changes to my data I need to know about?

Cause

The upgrade from QRadar 6.3.1 to any version of QRadar 7.0 requires administrators to update the security template. During the upgrade, administrators are prompted to select how they want the system to handle their data.

Answer

Note: The text provided below is not a substitute for the official upgrade guide documentation, which contains additional requirements and information (QRadar 7.0MR5 Upgrade Guide PDF).

----------------------

QRadar 7.0 provides significant changes to the way rules and reports are stored. During the upgrade process, you are prompted to select one of four tuning template options. The options are described in the upgrade script; however, we suggest that you carefully evaluate the following tuning template options before you begin an upgrade:

Options:

1 Reset the system to the default security template.

This is the recommended option as it ensures the cleanest set of rules for your system. The system is reconfigured to factory settings.

This option:

  • Maintains all your data, including offenses, events, flows, assets, and reports.
  • Removes all previous rules, report templates, saved searches, and system tuning.

We recommend that you recreate any custom rules, searches, reports, and retune the system, if necessary.

2 Apply the new default template and maintain the existing configuration.

This option:
  • Enables new default rules and time series accumulations without modifying any existing rules or searches.
  • Maintains all your data, including offenses, events, flows, assets, and reports.
  • Provides all new reports and accumulations.
  • Resets all modified default reports to the default state, overwriting any customizations.
  • Maintains all custom-created reports.

If you choose this option, you can introduce duplicate rules, because the system then contains both the existing rules and the new rules.

If you select option two, then we suggest that you:
  • Review your system for duplicate rules and building blocks that may cause false positive offenses and tune your system accordingly.
  • Recreate reports that require time series data using the new time series data options.

3 Apply the new template and maintain the current configuration, while enabling only new flow rules, common rules, and specific event rules that are required for new reports.

This option:
  • Maintains all your data, including offenses, events, flows, assets, and reports.
  • Maintains all new reports and accumulations.
  • Configures all modified default reports to the default state, overwriting any customizations.
  • Maintains custom-created reports.
  • Maintains existing rules and saved searches.
  • Enables flow rules that detect activity from flow data that was removed during the upgrade process.

If you choose this option, we suggest that you:
  • Review all common rules and enable the rules you want to use for flow-based analysis.
  • Review your system for duplicate rules and building blocks that could cause false positive offenses and tune your system accordingly.
  • Recreate reports that require time series data using the new time series data options.

4 Apply only the new rules and enable a minimal set of these rules.

This option:
  • Maintains all your data, including offenses, events, flows, assets, and reports.
  • Maintains all existing reports.
  • Prevents installation of new default saved searches and reports.
  • Maintains existing saved searches and reports.

If you choose this option, we suggest that you:
  • Review newly installed common rules and flow rules that are disabled by default, and enable the appropriate rules.
  • Review duplicate rules and building blocks that could cause false positive offenses and tune your system accordingly.
  • Recreate reports that require time series data using the new time series data options.
----------------------


Document Information

Modified date:
10 May 2019

UID

swg21665931