QRadar

The IBM QRadar 7.5.0 family of products includes enhancements to operational efficiency and flow improvements. An update package includes new features, enhancements, and bug fixes to improve the performance and functionality of QRadar. Update packages are available for download from IBM Support Fix Central.

QRadar 7.5.0 Update Package 11

Upgraded Red Hat Operating System from 8.8 to 8.10
Red Hat Enterprise Linux is upgraded to version 8.10. For more information, see Red Hat Enterprise Linux 8.10.
Default dashboard in QRadar is set to the Analyst Workflow App
In QRadar 7.5.0 Update Package 11, the default dashboard in QRadar is set to the Analyst Workflow App (AWF). You can toggle between the AWF dashboard and the legacy dashboards as needed. If AWF is not installed during the upgrade process, or if you uninstall it, the default dashboard reverts to the legacy dashboard.
Improved JSON performance for offline forwarding of flows
The Flow Rate (FPS) is increased for offline forwarding with JSON type to improve performance.
Added support to create an asset by using the asset_model Rest API interface
You can now create an asset by using the /api/asset_model Rest API interface.
Added support to create a new log source group and log source type in the Log Source Management App
You can now create log source groups directly in the Log Source Management App. You can also create a new log source type by using the DSM Editor button that is available on the Single Log Source and Multiple Log Source creation pages.
Improved the installation process of OOTB apps
Upgraded Apache Struts to the latest 6.x version
Apache Struts is upgraded to the latest 6.x version. This update improves support and response time for related security fixes and enhances compatibility with newer versions of Java.
Added an offense API endpoint for OCSF
You can now view the offense API output in the OCSF (Open Cybersecurity Schema Framework) format by using the new endpoint under siem/offense_ocsf.

QRadar 7.5.0 Update Package 10

Light and dark mode UI theme in IBM QRadar
In QRadar 7.5.0 Update Package 10, you can change the IBM QRadar user-interface (UI) theme to your preferred light or dark mode. To change the UI theme, go to the Theme drop-down in the User Preferences page of your user profile, and select the Light or Dark option.
Parallel patching
After you upgrade the QRadar Console, you can upgrade all other managed hosts in parallel. A new reporting service is introduced to capture and display the status of managed hosts on the Console.
Important:
  1. If a high number of managed hosts are attached to the deployment before a Console HA is removed, parallel patching for the detached or removed Console HA can increase the upgrade time. Use the legacy upgrade process to upgrade a detached or removed Console HA.
  2. If a managed host fails to upgrade and the Exit parallel patching option is selected, a console reboot occurs. To continue the upgrade, complete the following steps:
    • Remount the SFS file and select Parallel patching.
    • Select Check patching status, and then select Parallel patching to start the upgrade.

WinCollectHealthCheck.sh support script
To use managed WinCollect after you upgrade to QRadar 7.5.0 Update Package 10, complete the following steps to configure the iptables rules by using the updated WinCollectHealthCheck.sh support script.
  1. Upgrade to QRadar 7.5.0 Update Package 10.
  2. Apply Auto Updates to pull the latest support tools.
  3. Run the following script.
    /opt/qradar/support/WinCollectHealthCheck.sh
  4. Verify that the iptables rules are successfully configured.

If an issue occurs when the iptables rules are configured, an error message with a manual workaround is displayed.

Disabled 24 Java ciphers
The following Java ciphers are disabled in QRadar 7.5.0 Update Package 10.

jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, DH keySize < 1024, DESede, 3DES_EDE_CBC, anon, NULL, DES_CBC, SHA1, DHE, SSL_RSA_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_AES_256_CBC_SHA256, EC keySize < 224, include jdk.disabled.namedCurves

If the disabled ciphers cause issues with customer deployments, you can add or remove ciphers from the configuration file.
Performance enhancements for event and flow searches
  • Improved event and flow search stability and performance for large deployments, high query concurrency, and complex data sets by managing memory more effectively.
  • Event and flow searches that interact with IPv6 addresses are up to 200 times faster.
IPv6 capabilities for FISMA
In QRadar 7.5.0 Update Package 10, the following new capabilities are added for Federal Information Security Modernization Act (FISMA):
  • Scanner integrations can now forward IPv6 addresses to the Asset Profiler.
  • Asset profiling is supported for IPv6 host addresses, and processing of link-local addresses is optional.
  • IPv6 addresses in syslog headers can now be parsed for Log Source IDs.
  • Updated several DSMs and scanner integrations to improve IPv6 parsing.
  • Validated Custom Rules Engine (CRE) rule tests with IPv6 address fields.
  • Added support for right-click filters on IPv6 address fields.
  • Network configuration is now completed for IPv6 during the installation process.
  • Revalidated several applications to work in pure IPv6 networks.
  • Verified remote nets and GeoData to work with IPv6 content.
  • Improved search performance on IPv6 address fields.

QRadar 7.5.0 Update Package 9

IBM QRadar Console-only DR by using Data Synchronization App
In QRadar 7.5.0 Update Package 9, the Console-only disaster recovery (DR) feature is added. A Console-only DR implementation is useful in the following scenarios:
  • An actual disaster recovery where the console is not available but the other deployment hosts are still running.
  • A disaster recovery exercise where the main site is still available during the disaster recovery process.

You can switch deployment control from the main site console to the destination site console (failover), which activates your destination site. Later, you can switch deployment control back from the destination site to the main site (failback), which reactivates your main site. The QRadar Console-only DR feature is supported in IBM QRadar Data Synchronization 3.2.0 and later.

IBM QRadar updated to dark theme
The IBM QRadar user interface (UI) is updated to a dark theme. The light mode option is no longer available. This update does not affect the functionality of the product.
CIDR data type for reference data
Added a data type for reference data called CIDR (Classless Inter-Domain Routing). The CIDR data type supports both IPv4 and IPv6 addresses.

Performance enhancements
  • Search performance is up to 2 times higher on Data Nodes in certain scenarios.
  • Quick Filter index generation is now faster on Data Nodes, and allows timely indexing of larger data volumes.
  • The JSON encoded offline forwarding speed is increased up to 80 times, depending on the forwarded event sizes and the custom properties used in forwarding.
Monitor-only mode in RegexMonitor
RegexMonitor now supports an optional Monitor-only mode that can notify you about expensive artifacts that are detected during parsing without disabling them automatically.

QRadar 7.5.0 Update Package 8

RHEL8 support as RHEL7 reaches end of life
Red Hat® Enterprise Linux® 7 (RHEL) is end of life (EOL) as of June 2024. IBM QRadar 7.5.0 Update Package 8 upgrades the existing support for RHEL 7 to RHEL 8.
Attention: For existing customers, the upgrade to RHEL 8 involves significant changes. Read the following topics before you begin your upgrade.
Minimum permitted app base image stream
In QRadar 7.5.0 Update Package 8, you can disable older base image streams that might have security vulnerabilities by using the new Minimum Permitted App Base Image Stream system setting on the Admin tab.

SSH extraction enhancements
In QRadar 7.5.0 Update Package 8, QRadar Network Insights introduces enhanced extraction for the SSH protocol. This functionality includes the extraction of several new fields around SSH connection establishment, and also the HASSH fingerprints of those connections.

Tunnelling enhancements
QRadar Network Insights introduces enhanced protocol support for GRE and ERSPAN network traffic and new common features for all tunneled network traffic (including the existing VXLAN support).

Leapp pretest added for RHEL8 migration
Run a Leapp pretest on your console or managed host before you upgrade from Red Hat Enterprise Linux V7.9 to Red Hat Enterprise Linux V8.8 to reduce the risk of failure. If the Leapp pretest fails on your deployment, the upgrade is blocked.
To run the Leapp pretest before you run the upgrade installer, use the following command:
/media/updates/installer --leapp-only

Read-only configuration
In QRadar 7.5.0 Update Package 8, the Read-only Configuration permission on the User Role Management window grants permission to view other users without the ability to create or edit them.

New WinCollect update package for QRadar
WinCollect 7.3.1 P3 supports QRadar 7.5.0 Update Package 8 or later. If your QRadar system is upgraded to UP8 or later but is running WC 7.3.1 P1 or earlier, upgrade to WinCollect 7.3.1 P3 so that the agents work properly. For more information, see release note 7029393 and technote 6953887.

QRadar 7.5.0 Update Package 7

Read-only configuration
In QRadar 7.5.0 Update Package 7, the new Read-only Configuration permission on the User Role Management window grants users permission to view, but not create or edit, log sources or offenses.

QRadar 7.5.0 Update Package 3

LDAP server synchronization changes
When you upgrade to QRadar 7.5.0 Update Package 3 or later and run LDAP synchronization, any user that the system no longer finds in the LDAP server, and that is not set to Local Fallback or Local Only, is disabled in QRadar. If the user is set to Local Fallback or Local Only, the user is not disabled but is flagged on the User Management page. In both cases, a system notification is sent to inform the administrator of the change to the user account.

QRadar 7.5.0 Update Package 2

Local only authentication
When you upgrade to QRadar 7.5.0 Update Package 2 or later, the Manage Local Only Authentication role is added to manage the Local Only authentication for users. Local Only authentication is a setting that is used when external authentication is enabled on IBM QRadar. Setting Local Only authentication to true for a user makes sure that the user authenticates to QRadar locally rather than through external authentication. Local Only authentication prevents unintended access to QRadar from the accounts that are configured in the external authentication repository.

Secure boot

In QRadar 7.5.0 Update Package 2, you can use secure boot to make sure that only trusted kernels and kernel modules are loaded when you start QRadar. The firmware makes sure that the kernel and kernel modules are signed and a valid key is stored in the system keyring before the control is passed to the kernel.

Systems that are installed with QRadar 7.5.0 Update Package 2, and any existing EFI systems that are upgraded to 7.5.0 Update Package 2, can turn on secure boot after the IBM public key is imported into the system keyring.

QRadar 7.5.0

Offense rule tests
In QRadar 7.5.0, there are two new offense rule tests: when an offense is closed and when an offense is modified. A modified offense rule test is applied when any offense property is changed based on the events that are associated with that offense. Modified rule tests allow for better configuration of how and when rules are implemented.

A closed offense rule test is applied when the offense is closed.

More secure operating system
QRadar 7.5.0 runs on Red Hat Enterprise Linux version 7.9. The upgrade to RHEL V7.9 is necessary to continue receiving security updates from Red Hat Enterprise Linux.
OFFENSE_TIME function
In QRadar 7.5.0, use the new OFFENSE_TIME function to increase the speed of your offense queries.

The OFFENSE_TIME function limits the query to applicable times that an offense might be active.

For example, if you want to query for an offense within a time range, use the OFFENSE_TIME function together with the INOFFENSE function to limit the query to the times that the offense might have occurred.

SELECT * FROM events
 WHERE INOFFENSE(1) TIMES OFFENSE_TIME(1)
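
The query above can be submitted programmatically through the Ariel search REST API. The following Python client is an added example and not part of the release notes; it assumes the standard POST /api/ariel/searches and GET /api/ariel/searches/{id} and /results endpoints authenticated with a SEC token header, and it coerces the offense id to an integer before building the AQL so that a caller-supplied value cannot alter the WHERE clause.

```python
import json
import time
import urllib.parse
import urllib.request


def build_offense_query(offense_id):
    """Build the OFFENSE_TIME query from the release note for one offense.

    The id is validated as a positive integer before interpolation, so a
    string such as "1) OR 1=1" is rejected instead of becoming part of the AQL."""
    offense_id = int(offense_id)
    if offense_id < 1:
        raise ValueError("offense id must be a positive integer")
    return f"SELECT * FROM events WHERE INOFFENSE({offense_id}) TIMES OFFENSE_TIME({offense_id})"


def run_ariel_search(console, token, aql, poll_seconds=2, timeout=300):
    """Submit an AQL search to the Ariel REST API, poll until it completes,
    and return the result rows. Assumed endpoints: POST /api/ariel/searches,
    GET /api/ariel/searches/{id} and GET /api/ariel/searches/{id}/results."""
    headers = {"SEC": token, "Accept": "application/json"}
    base = f"https://{console}/api/ariel/searches"
    req = urllib.request.Request(
        base + "?" + urllib.parse.urlencode({"query_expression": aql}),
        method="POST", headers=headers)
    with urllib.request.urlopen(req) as resp:
        search_id = json.load(resp)["search_id"]
    deadline = time.monotonic() + timeout
    while True:
        req = urllib.request.Request(f"{base}/{search_id}", headers=headers)
        with urllib.request.urlopen(req) as resp:
            status = json.load(resp)["status"]
        if status == "COMPLETED":
            break
        if status in ("CANCELED", "ERROR") or time.monotonic() > deadline:
            raise RuntimeError(f"search {search_id} ended with status {status}")
        time.sleep(poll_seconds)
    req = urllib.request.Request(f"{base}/{search_id}/results", headers=headers)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["events"]


if __name__ == "__main__":
    # Placeholder console and token; replace with your own values.
    rows = run_ariel_search("qradar-console.example", "<SEC-token>", build_offense_query(1))
    print(len(rows), "events in offense 1")
```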

DISTINCTCOUNT function
In QRadar 7.5.0, use the new DISTINCTCOUNT function to return the unique count of the value in the aggregate.

The DISTINCTCOUNT function uses the HyperLogLog+ approximation algorithm to calculate the unique count and operates with a constant memory requirement. The function supports unlimited data sets.

For example,

SELECT username,
  DISTINCTCOUNT(sourceip) AS CountSrcIP
FROM events
GROUP BY username
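
To show why DISTINCTCOUNT can work in constant memory, the following Python sketch implements plain HyperLogLog and applies it to the GROUP BY username query above. This is an added, constructed illustration of the algorithm family the function uses, not QRadar's own HyperLogLog+ code; the sample events are constructed.

```python
import hashlib
import math


class HyperLogLog:
    """Constant-memory distinct-count estimator (plain HyperLogLog).

    Constructed illustration of the algorithm family behind DISTINCTCOUNT;
    QRadar's own HyperLogLog+ implementation is not reproduced here."""

    def __init__(self, precision=12):
        self.p = precision
        self.m = 1 << precision                      # register count: memory is fixed, not per value
        self.registers = [0] * self.m
        self.alpha = 0.7213 / (1 + 1.079 / self.m)   # bias correction for m >= 128

    def add(self, value):
        # 64-bit hash: the top p bits pick a register, the rest give the rank
        h = int.from_bytes(hashlib.sha1(value.encode()).digest()[:8], "big")
        idx = h >> (64 - self.p)
        w = h & ((1 << (64 - self.p)) - 1)
        rank = (64 - self.p) - w.bit_length() + 1    # leading zeros + 1
        self.registers[idx] = max(self.registers[idx], rank)

    def count(self):
        raw = self.alpha * self.m * self.m / sum(2.0 ** -r for r in self.registers)
        zeros = self.registers.count(0)
        if raw <= 2.5 * self.m and zeros:
            # small-range correction: linear counting on the empty registers
            return int(round(self.m * math.log(self.m / zeros)))
        return int(round(raw))


def distinct_count_by_user(events, precision=12):
    """Mirror SELECT username, DISTINCTCOUNT(sourceip) ... GROUP BY username."""
    sketches = {}
    for username, sourceip in events:
        sketches.setdefault(username, HyperLogLog(precision)).add(sourceip)
    return {user: sketch.count() for user, sketch in sketches.items()}


# Constructed sample: alice from 1000 distinct addresses, bob from 3 (with repeats)
SAMPLE_EVENTS = [("alice", f"10.{i // 256}.{i % 256}.7") for i in range(1000)]
SAMPLE_EVENTS += [("bob", ip) for ip in ("192.0.2.1", "192.0.2.2", "192.0.2.1", "192.0.2.3")]

if __name__ == "__main__":
    print(distinct_count_by_user(SAMPLE_EVENTS))
```

The estimate for alice lands within a few percent of 1000 while each sketch holds only 4096 small registers, regardless of how many events were seen.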

Encryption of managed hosts is enabled by default
To provide secure data transfer between each of the appliances in your environment, IBM QRadar integrates encryption support that uses OpenSSH. In QRadar 7.5.0, encryption between managed hosts is enabled by default when you add a managed host. Previously, you manually enabled encryption when you added a managed host.
