Release Notes
Abstract
This release provides usability enhancements and fixes several known issues.
Content
IBM® Security QRadar® Analyst Workflow provides new methods for filtering offenses and events, and graphical representations of offenses, by magnitude, assignee, and type. The improved offenses workflow provides a more intuitive method to investigate offenses to determine the root cause of an issue and work to resolve it. Use the built-in query builder to create AQL queries by using examples and saved or shared searches, or by typing plain text into the search field.
For more information about QRadar Analyst Workflow, see IBM Documentation.
Resolved issues
QRadar Analyst Workflow 2.15.10 resolves the following known issues:
- Removed reRunQuery from URL when users run the query again.
- Fixed an issue that caused the Quick filter value component to fail to accept CSV values or to add a value on blur.
- Fixed an issue that produced an error when polling a query.
- Fixed an issue that caused navigating from search results to offenses to fail.
- Fixed a truncation issue in titles on the Offense Details page.
- Fixed an issue that lost search filters when users refreshed the page or clicked the breadcrumb trail.
- Fixed an issue that displayed an incorrect date when users switched between AM and PM.
- Fixed an issue that caused the gradient not to appear in tables.
- Fixed an issue that caused the context menu to display incorrect text style.
- Fixed an issue that displayed incomplete long offense titles.
- Fixed an issue that displayed the rule ID rather than the rule name when the user applied a filter on an Offense table item.
- Fixed a search issue that caused a 422 error.
- Fixed an issue that displayed an incorrect filter name on the Flow Filter pane.
- Fixed an issue that caused the Flow search to return a 422 error for the filter name “Has Payload.”
- Fixed an issue that displayed incorrect Suspect Content information on the Flow record details.
- Fixed permission privilege issues for viewing condition set and custom rules.
What's new
QRadar Analyst Workflow 2.15.10 includes the following new features:
- Visual Builder enhancements:
  - Added real-time streaming.
  - Pre-populate Visual Builder with a query template.
  - Go directly to search on opening Visual Builder.
  - Improved the scrollability of the Operator dropdown list.
  - Force refresh Visual Builder when a PouchDB file is updated.
- Search enhancements:
  - Added Visual Builder population to the Search History table.
  - Added Recent search status.
  - Added a Recent Search table to the main Search page.
- Performance improvements.
- Event pane design improvements.
- Pane section improvements.
- Skeleton data improvements on Offense Details page for Users.
- Changed history list limit to 50.
- Username is now case-insensitive.
- The text “preceded by” in chained offense titles is now bold.
- Reformatted the tooltip text on the Offense details page.
- Reformatted the “Reference Sets” text on the Threat panel.
- JSON payloads are now color coded.
- The text “USER” on the User pane is now plain, unclickable text when the user has no installed apps.
- Repositioned the clear (x) icon in the condition box.
- Reformatted the JSON payload in the Payload Modal view on the Event side pane.
- Users now can run an Advanced Query on the Recent Searches Table.
- Filter pane design improvements.
- Added an option menu to the Recent Search table item to allow users to select the “Run Search” or the “Delete Query” action.
- Reformatted the Flow pane payload titles to show source and destination payload volumes.
- Recent Search table rows are now expandable to show the full query string.
- Upgraded the Query Builder for Visual Search Advanced builder.
Known issues
QRadar Analyst Workflow 2.15.10 contains the following known issue:
- If you view event data by using the custom rules redirect, the query does not display. For more information, see https://www.ibm.com/docs/en/qsip/7.4?topic=workflow-known-issues.
Supported browsers
You can use QRadar Analyst Workflow on any browser that is supported by QRadar. For a list of supported browsers, see:
https://www.ibm.com/docs/en/qsip/7.4?topic=administration-supported-web-browsers
Installing or upgrading QRadar Analyst Workflow
These instructions describe the installation process for QRadar versions 7.4.0 to 7.4.3 GA only. For installations with QRadar version 7.4.3 Fix Pack 1 and later, QRadar Analyst Workflow is installed as a standard application by using extensions management.
For more information, see IBM Documentation.
Important: The QRadar Analyst Workflow requires root access to install. If you are using the command line to enable root user privileges, you must use the following command:
sudo su -
If you use sudo su (without -), full root access is not granted.
Procedure
- Download the latest QRadarAnalystWorkflow<x.x.x>.zip file from IBM Fix Central. See also the documentation for the QRadar Analyst Workflow on the IBM Security App Exchange.
- If you have custom SSL certificates, run the following commands in any directory on your QRadar Console:
  update-ca-trust
  systemctl restart docker
- If you have a previous installation directory, you must delete it before you extract the .zip file. For example, on the QRadar Console run the following command:
  rm -rf /store/qradar-ui /root/qradar-ui
- Copy QRadarAnalystWorkflow<x.x.x>.zip to your QRadar console by using the Linux "secure copy" (scp) command or an SFTP client. Secure copy example:
  scp QRadarAnalystWorkflow<x.x.x>.zip <QRadar host>:/<directory>
- To extract the QRadarAnalystWorkflow<x.x.x>.zip file on your QRadar console, type the following command (the example assumes the archive was copied to /tmp):
  rm -rf /root/qradar-ui /store/qradar-ui && unzip /tmp/QRadarAnalystWorkflow<x.x.x>.zip -d /store/qradar-ui
- On the QRadar console, run the start script in the extracted directory, /store/qradar-ui/start.sh, then wait for the log output to finish.
- Access the QRadar Analyst Workflow by using one of the following methods:
  - In the navigation menu, click Try the New UI.
  - Access the new UI in your browser at https://<QRadar IP address>/console/ui.
- Delete QRadarAnalystWorkflow<x.x.x>.zip and the installation folder. Example:
  rm -fr /store/qradar-ui /tmp/QRadarAnalystWorkflow<x.x.x>.zip
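The procedure above is run by hand as root and includes two unguarded rm -rf commands. The following script is an added example, not IBM's installer or part of this technote, that wraps the same steps with the checks an operator would want first: it confirms the shell is the full root login shell that the sudo su - note requires (uid 0 and HOME=/root), rejects an archive that is misnamed or not actually a zip before anything is deleted, and allow-lists the only two directories that rm -rf may ever receive. It assumes the archive was copied to /tmp and the extraction target is /store/qradar-ui, exactly as in the procedure; the variable name QAW_ALLOWED_DIRS and the function names are choices made for this example.

```shell
#!/bin/sh
# Added example (not IBM's code): guarded wrapper for the manual
# QRadar Analyst Workflow installation steps. Assumes the documented
# paths /store/qradar-ui and /root/qradar-ui; QAW_ALLOWED_DIRS is a
# name invented for this example.

: "${QAW_ALLOWED_DIRS:=/store/qradar-ui /root/qradar-ui}"

# 'sudo su -' gives a login shell: uid 0 and HOME=/root. Plain 'sudo su'
# keeps the caller's HOME and PATH, which is what the technote warns about.
# Arguments: uid, home directory. Returns 0 only for a full root login shell.
check_root_login_shell() {
    [ "$1" = "0" ] && [ "$2" = "/root" ]
}

# The archive must be readable, carry the documented name pattern and start
# with the zip magic bytes "PK". A truncated or mis-copied file is rejected
# here rather than by a half-finished unzip into /store/qradar-ui.
check_archive() {
    f="$1"
    [ -r "$f" ] || { echo "archive not readable: $f" >&2; return 1; }
    case "$(basename "$f")" in
        QRadarAnalystWorkflow*.zip) ;;
        *) echo "unexpected archive name: $f" >&2; return 1 ;;
    esac
    [ "$(head -c 2 "$f")" = "PK" ] || { echo "not a zip file: $f" >&2; return 1; }
}

# Allow-list the paths that rm -rf may receive, so an empty or mistyped
# variable can never expand into '/' or a destructive wildcard.
is_removable_install_dir() {
    for allowed in $QAW_ALLOWED_DIRS; do
        [ "$1" = "$allowed" ] && return 0
    done
    return 1
}

# Remove a previous installation directory, but only if it is allow-listed.
# Succeeds silently when the directory does not exist.
remove_previous_install() {
    is_removable_install_dir "$1" || { echo "refusing to remove: $1" >&2; return 1; }
    if [ -e "$1" ]; then rm -rf -- "$1"; fi
}

# The full sequence from the procedure, in order: environment check,
# archive check, cleanup of old directories, extraction, start script.
install_workflow() {
    archive="$1"
    check_root_login_shell "$(id -u)" "$HOME" || { echo "run 'sudo su -' first" >&2; return 1; }
    check_archive "$archive" || return 1
    for d in $QAW_ALLOWED_DIRS; do
        remove_previous_install "$d" || return 1
    done
    unzip -q "$archive" -d /store/qradar-ui || return 1
    /store/qradar-ui/start.sh
}

# Nothing runs on load; the installer only executes when asked explicitly.
if [ "${1:-}" = "--run" ]; then
    install_workflow "$2"
fi
```

Invoke it as sh install-workflow.sh --run /tmp/QRadarAnalystWorkflow<x.x.x>.zip from the root login shell. The checks are deliberately separate functions so they can be exercised in a scratch directory before the script is ever pointed at /store.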
Removing QRadar Analyst Workflow
To remove the QRadar Analyst Workflow, run the following commands:
/opt/ibm/si/conman/bin/conman-api-cli.sh remove -n ui
/opt/ibm/si/conman/bin/conman-api-cli.sh remove -n graphql
Document Information
Modified date: 29 March 2022
UID: ibm16563861