IBM Support

Release of IBM Security QRadar Analyst Workflow 1.4.0

Release Notes

Abstract

This release provides usability enhancements and fixes several known issues.

Content

IBM® Security QRadar® Analyst Workflow provides new methods for filtering offenses and events, and graphical representations of offenses, by magnitude, assignee, and type. The improved offenses workflow provides a more intuitive method to investigate offenses to determine the root cause of an issue and work to resolve it. Use the built-in query builder to create AQL queries by using examples and saved or shared searches, or by typing plain text into the search field.
For more information about QRadar Analyst Workflow, see the QRadar Knowledge Center.

Resolved issues

QRadar Analyst Workflow 1.4.0 fixes a problem where the app appeared blank because of a named-service conflict with other installed apps.

What's new

QRadar Analyst Workflow 1.4.0 includes the following new features:
  • Introduction of Flows search.
  • Upgrades to the Query builder: prompting the user with custom properties, improved query handling, and improved time selection.
  • Events search screen upgrade: users can now expand the time period of a search.
  • Custom columns are available on the offense search screen.
  • The Offenses page now has a refresh option, and users can set their refresh interval preference.
  • Application tabs now display the app name in the title, rather than the app ID.
  • Internal hostname now uses correct capitalization.
  • SSL pages now have appropriate headers to prevent caching.
  • Browser local storage was removed and replaced by persistent storage.

Known issues

QRadar Analyst Workflow 1.4.0 contains one known issue:
  • Dates and results might not display correctly if the system time and time zone are not set correctly on the QRadar system.

Supported browsers

You can use QRadar Analyst Workflow on any browser that is supported by QRadar. For a list of supported browsers, see: https://www.ibm.com/support/knowledgecenter/SS42VS_latest/com.ibm.qradar.doc/c_shi_browser_support.html

Installing or upgrading QRadar Analyst Workflow

Important: The QRadar Analyst Workflow requires root access to install. If you are using the command line to enable root user privileges, you must use the following command:

sudo su -

If you use sudo su (without -), full root access is not granted.

Procedure
  1. Download the latest QRadarAnalystWorkflow<x.x.x>.zip file from IBM Fix Central.
    See also the documentation for the QRadar Analyst Workflow on the IBM Security App Exchange.
  2. If you have custom SSL certificates, run the following commands in any directory on your QRadar Console:
    • update-ca-trust
    • systemctl restart docker
  3. If you have a previous installation directory, you must delete it before you extract the .zip file. For example, on the QRadar Console run the following command:
    rm -rf /store/qradar-ui /root/qradar-ui
  4. Copy QRadarAnalystWorkflow<x.x.x>.zip to your QRadar console by using the Linux "secure copy" (scp) command or an SFTP client.
    Secure copy example: scp QRadarAnalystWorkflow<x.x.x>.zip <QRadar host>:/<directory>
  5. To extract the QRadarAnalystWorkflow<x.x.x>.zip file on your QRadar console, type the following command (the example assumes the .zip was copied to /tmp in step 4):
    rm -rf /root/qradar-ui /store/qradar-ui && unzip /tmp/QRadarAnalystWorkflow<x.x.x>.zip -d /store/qradar-ui
  6. On the QRadar console, run ./qradar-ui/start.sh from /store (that is, /store/qradar-ui/start.sh), then wait for the start-up log output to finish.
  7. Access the QRadar Analyst Workflow by using one of the following methods:
    • In the navigation menu, click Try the New UI.
    • Access the new UI in your browser at https://<QRadar IP address>/console/ui.
  8. Delete QRadarAnalystWorkflow<x.x.x>.zip and the installation folder.
    Example: rm -fr /store/qradar-ui /tmp/QRadarAnalystWorkflow<x.x.x>.zip
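The procedure above depends on two things that are easy to get wrong: a root login shell (sudo su -, not sudo su) and a clean /store/qradar-ui and /root/qradar-ui before extraction. The following preflight script is an added example, not IBM's code; the function names and the integrity test with unzip -t are this example's own choices. It is meant to be sourced into the shell (. ./preflight.sh) so that $0 is the shell's own name rather than the script name.

```shell
#!/bin/sh
# Added preflight checks for the QRadar Analyst Workflow install procedure.
# Example code, not part of IBM's package. Source this file, then call:
#   preflight /tmp/QRadarAnalystWorkflow<x.x.x>.zip

# is_root_login_shell UID ARGV0
# "su -" starts a login shell, which the kernel/shell convention marks with a
# leading "-" in argv[0] (e.g. "-bash"); "sudo su" gives a plain "bash".
is_root_login_shell() {
    uid="$1"; argv0="$2"
    [ "$uid" = "0" ] || return 1
    case "$argv0" in
        -*) return 0 ;;
        *)  return 1 ;;
    esac
}

# has_stale_install_dirs DIR...
# Prints every directory that still exists and returns 0 (true) if any did,
# so it can drive an "if"; the procedure names /store/qradar-ui and /root/qradar-ui.
has_stale_install_dirs() {
    found=1
    for d in "$@"; do
        if [ -e "$d" ]; then
            printf '%s\n' "$d"
            found=0
        fi
    done
    return "$found"
}

# preflight ZIP: run all checks against the live environment.
preflight() {
    zip="$1"
    if ! is_root_login_shell "$(id -u)" "$0"; then
        echo "preflight: not a root login shell; run 'sudo su -' first" >&2
        return 1
    fi
    # unzip -t verifies the archive's CRCs without extracting anything.
    if [ ! -f "$zip" ] || ! unzip -tq "$zip" >/dev/null 2>&1; then
        echo "preflight: $zip is missing or fails the unzip integrity test" >&2
        return 1
    fi
    if has_stale_install_dirs /store/qradar-ui /root/qradar-ui; then
        echo "preflight: delete the directories listed above before extracting" >&2
        return 1
    fi
    echo "preflight: OK; extract with: unzip $zip -d /store/qradar-ui"
}
```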

Removing QRadar Analyst Workflow

To remove the QRadar Analyst Workflow, run the following commands:

/opt/ibm/si/conman/bin/conman-api-cli.sh remove -n ui

/opt/ibm/si/conman/bin/conman-api-cli.sh remove -n graphql


Document Information

Modified date: 27 January 2021

UID: ibm16406358