Release of IBM Security QRadar Analyst Workflow 1.3.0

Release Notes


Abstract

This release provides usability enhancements and fixes several known issues.

Content

IBM® Security QRadar® Analyst Workflow provides new methods for filtering offenses and events, and graphical representations of offenses, by magnitude, assignee, and type. The improved offenses workflow provides a more intuitive method to investigate offenses to determine the root cause of an issue and work to resolve it. Use the built-in query builder to create AQL queries by using examples and saved or shared searches, or by typing plain text into the search field.
For more information about QRadar Analyst Workflow, see the QRadar Knowledge Center.
QRadar Analyst Workflow 1.3.0 fixes several known issues and provides several new features and enhancements.

Resolved issues

QRadar Analyst Workflow 1.3.0 fixes the following known issues:
  • Percent sign missing from progress indicator in long-running searches.
  • Panel endpoint URL is missing a forward slash.
  • Copy and paste of event payload data does not work.
  • Search results display incorrect layout and styling.
  • Context menu appears in the wrong location when you right-click in the Event panel.
  • Custom column data does not appear on hover and clicking on the data does not open the offense details.
  • UI screen crash on Offenses page.
  • Table row size settings do not persist when a user logs out.

What's New

QRadar Analyst Workflow 1.3.0 includes the following new features:
  • QRadar Core apps are now separated from other apps in the application menu.
  • Added persistent logging for deployed apps.
  • Added indicators for internal/external IPs based on network hierarchy.
  • User panel integration for apps.
  • User filter integration for apps.
  • Added links to X-Force Exchange from the external IP/Threat panel.
  • Full custom properties are now displayed in the Events panel.
  • The Offense Description now links to offense details.
  • Added cache to retain app data when you navigate between apps.

Known issues

QRadar Analyst Workflow 1.3.0 contains one known issue:
  • The Search page can appear blank if Web Storage is disabled in your browser (in Firefox, the dom.storage.enabled preference must be true).

Supported browsers

You can use QRadar Analyst Workflow on any browser that is supported by QRadar. For a list of supported browsers, see: https://www.ibm.com/support/knowledgecenter/SS42VS_latest/com.ibm.qradar.doc/c_shi_browser_support.html

Installing or upgrading QRadar Analyst Workflow

Important: The QRadar Analyst Workflow requires root access to install. If you are using the command line to enable root user privileges, you must use the following command:
sudo su -
If you use sudo su (without the hyphen), the shell runs as root but without root's login environment (root's profile, PATH, and working directory), and the installation is not granted the full root access it needs.
Procedure
  1. If you have custom certificates, run the following commands on your QRadar Console, in any directory:
    • update-ca-trust
    • systemctl restart docker
  2. Download the QRadarAnalystWorkflow<x.x.x>.zip file from Fix Central. See the instructions on the IBM Security App Exchange.
  3. Copy the bundle onto your QRadar host by using the Linux "secure copy" (scp) command or an SFTP client. Do not use plain FTP, which sends your credentials and the bundle in clear text.
    Secure copy example: scp QRadarAnalystWorkflow<x.x.x>.zip <QRadar host>:/<directory>
  4. Type the following command to create a new directory on your QRadar host: mkdir qradar-ui
    Note:
    If the directory already exists from a previous installation, it must be deleted before you extract the .zip file; the rm -rf in the next step does this.
  5. To extract the QRadarAnalystWorkflow<x.x.x>.zip file on your QRadar host, type the following command:
    rm -rf qradar-ui && unzip QRadarAnalystWorkflow<x.x.x>.zip -d qradar-ui
  6. Run ./qradar-ui/start.sh and wait for the script's log output to finish.
  7. Access QRadar Analyst Workflow by using one of the following methods:
  • In the navigation menu, click Try the New UI.
  • Access the new UI in your browser at https://<QRadar IP address>/console/ui.

Removing QRadar Analyst Workflow

To remove the QRadar Analyst Workflow, run the following commands:

/opt/ibm/si/conman/bin/conman-api-cli.sh remove -n ui

/opt/ibm/si/conman/bin/conman-api-cli.sh remove -n graphql
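The installation and removal steps above, wrapped in one script with the pre-flight checks a practitioner would want before running them on a Console. This is an added example, not IBM's installer and not part of the QRadarAnalystWorkflow bundle. It assumes the bundle is in the current directory and is named QRadarAnalystWorkflow<x.x.x>.zip, and it detects the root login shell on Linux by reading the parent shell's argv[0] from /proc; that detection method, the --custom-certs switch, and the function names are assumptions of this example, not something the release notes state.

```shell
#!/bin/sh
# Added example, not IBM's installer: the release-note procedure wrapped in
# pre-flight checks. Assumptions not in the notes: the script is run from the
# directory holding the downloaded bundle, the bundle name follows
# QRadarAnalystWorkflow<x.x.x>.zip, and /proc is available (Linux).
# Usage: sh qaw-install.sh install [--custom-certs] QRadarAnalystWorkflow1.3.0.zip
#        sh qaw-install.sh remove

# "sudo su -" starts a root *login* shell, whose argv[0] begins with "-"
# (for example "-bash"); "sudo su" starts "bash" without root's login
# environment. Takes uid and argv[0] as arguments so it can be checked offline.
is_root_login_shell() {
    [ "$1" = "0" ] || return 1
    case "$2" in
        -*) return 0 ;;
        *)  return 1 ;;
    esac
}

# argv[0] of the shell that launched this script (Linux-specific, via /proc).
parent_shell_argv0() {
    tr '\0' '\n' < "/proc/$PPID/cmdline" | head -n 1
}

# Echo the <x.x.x> version from a bundle file name; fail on anything else,
# including a placeholder name that was never replaced.
bundle_version() {
    name=$(basename "$1")
    case "$name" in
        QRadarAnalystWorkflow[0-9]*.[0-9]*.[0-9]*.zip) ;;
        *) return 1 ;;
    esac
    v=${name#QRadarAnalystWorkflow}
    printf '%s\n' "${v%.zip}"
}

install_qaw() {
    custom_certs=0
    if [ "$1" = "--custom-certs" ]; then custom_certs=1; shift; fi
    bundle="$1"

    if ! is_root_login_shell "$(id -u)" "$(parent_shell_argv0)"; then
        echo "run this from a root login shell (sudo su -)" >&2; return 1
    fi
    [ -f "$bundle" ] || { echo "bundle not found: $bundle" >&2; return 1; }
    ver=$(bundle_version "$bundle") || { echo "unexpected bundle name: $bundle" >&2; return 1; }
    echo "installing QRadar Analyst Workflow $ver"

    # Step 1 of the notes: only when the Console uses custom certificates.
    if [ "$custom_certs" = 1 ]; then
        update-ca-trust
        systemctl restart docker
    fi
    # Steps 4-5: a leftover qradar-ui directory from a previous install must go
    # before extracting; unzip -d creates the fresh directory itself.
    rm -rf qradar-ui
    unzip "$bundle" -d qradar-ui
    # Step 6: start the app and wait for start.sh to finish.
    ./qradar-ui/start.sh
}

# Removal, as in the notes: the ui and graphql apps are removed via conman.
remove_qaw() {
    /opt/ibm/si/conman/bin/conman-api-cli.sh remove -n ui
    /opt/ibm/si/conman/bin/conman-api-cli.sh remove -n graphql
}

case "${1:-}" in
    install) shift; install_qaw "$@" ;;
    remove)  remove_qaw ;;
esac
```

Run it from the root login shell that sudo su - opens; under sudo su the login-shell check fails, which is the case the Important note above warns about. Pass --custom-certs only when the Console uses custom certificates, because step 1 restarts docker.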

Applies to: IBM Security QRadar SIEM (Linux), versions 7.4.0, 7.4.1, 7.4.2. Category: Offenses.

Document Information

Modified date:
03 December 2020

UID

ibm16368727