IBM Support

Release of IBM Security QRadar Analyst Workflow 1.1.0

Release Notes


Abstract

This release provides the ability to install on a high availability (HA) system and fixes several known issues.

Content

IBM® Security QRadar® Analyst Workflow provides new methods for filtering offenses and events, and graphical representations of offenses by magnitude, assignee, and type. The improved offenses workflow provides a more intuitive method to investigate an offense, determine the root cause of an issue, and work to resolve it. Use the built-in query builder to create AQL queries by using examples and saved or shared searches, or by typing plain text into the search field.
For more information about QRadar Analyst Workflow, see the QRadar Knowledge Center.
QRadar Analyst Workflow 1.1.0 fixes the following known issues:
  • Can't install Analyst Workflow on a high availability (HA) system.
  • The Event details panel shows the wrong event details.
  • Missing rules on the Filter panel.
  • External IP information always displays January 1, 1970.
  • Multi-domain filtering does not work.
  • The Filter panel loads continuously on some searches.
  • Incorrect Creation Date on the Recent Search card.
  • Filters for logSources;null and logSourceType;null sometimes appear and can't be parsed on refresh.
  • Graph data is not updated when a NOT Filter is applied.

Known issues

QRadar Analyst Workflow 1.1.0 includes the following known issues:
  • All time zones are displayed in the client time zone instead of the server time zone.
  • The browser Back button does not work from the Offense Events page.
  • Proxies are not supported.
  • The Event panel can fail when a log source type has many custom properties.
  • The expected error message does not appear when the Analyst Workflow cannot connect to X-Force.

Supported browsers

You can use QRadar Analyst Workflow on any browser that is supported by QRadar. For a list of supported browsers, see: https://www.ibm.com/support/knowledgecenter/SS42VS_latest/com.ibm.qradar.doc/c_shi_browser_support.html

Installing QRadar Analyst Workflow

Before you begin
If you previously installed a version of the workflow, make sure that you remove any folders that were created during that installation process.
Procedure
  1. If you have custom certificates, run the following commands on your QRadar Console, in any directory:
    • update-ca-trust
    • systemctl restart docker
  2. Download the QRadarAnalystWorkflow<x.x.x>.zip file from Fix Central. See the instructions on the IBM Security App Exchange.
  3. Copy the bundle onto your QRadar host by using the Linux "secure copy" (scp) command or an FTP client.
    Secure copy example: scp QRadarAnalystWorkflow<x.x.x>.zip <QRadar host>:/<directory>
  4. Type the following command to create a new directory on your QRadar host: mkdir qradar-ui
    Note:
    If the directory exists from a previous installation, you must delete it before you extract the .zip file.
  5. To extract the QRadarAnalystWorkflow<x.x.x>.zip file on your QRadar host, type the following command: unzip QRadarAnalystWorkflow<x.x.x>.zip -d qradar-ui
  6. Run ./qradar-ui/start.sh, then wait for the logs to run.
  7. Access QRadar Analyst Workflow by using one of the following methods:
    • In the navigation menu, click Try the New UI.
    • Access the new UI in your browser at https://<QRadar IP address>/console/ui.

Product: IBM Security QRadar SIEM
ARM Category: Offenses
Platform: Linux
Version: 7.4.0; 7.4.1
Line of Business: Security Software
Business Unit: IBM Software w/o TPS

Document Information

Modified date:
07 August 2020

UID

ibm16255630