Release of IBM Security QRadar Analyst Workflow 2.0.0

Release Notes


Abstract

This release provides usability enhancements and fixes several known issues.

Content

IBM® Security QRadar® Analyst Workflow provides new methods for filtering offenses and events, and graphical representations of offenses by magnitude, assignee, and type. The improved offenses workflow gives analysts a more intuitive way to investigate an offense, determine the root cause of an issue, and work to resolve it. Use the built-in query builder to create AQL queries from examples and saved or shared searches, or by typing plain text into the search field.
For more information about QRadar Analyst Workflow, see IBM Documentation.

Resolved issues

QRadar Analyst Workflow 2.0.0 resolves the following known issues:
  • Fixed a time zone issue that caused no results to be returned when you selected Categories, Events, or Flows on the Offense Details page.
  • Removed caching of usernames, which caused users to see the previous username when they logged in from a different browser.

What's new

QRadar Analyst Workflow 2.0.0 includes the following new features:
  • A new Visual Builder on the Search page lets you construct event and flow queries dynamically with a visual condition builder, without writing AQL by hand.
  • Added export of events and flows in JSON or CSV format, so you can review search results outside the UI in a CSV file, in Excel, or in a JSON file.
  • Accessibility improvements.

Supported browsers

You can use QRadar Analyst Workflow on any browser that is supported by QRadar. For a list of supported browsers, see: https://www.ibm.com/docs/SS42VS_7.4/com.ibm.qradar.doc/c_shi_browser_support.html

Installing or upgrading QRadar Analyst Workflow

These instructions describe the installation process for QRadar versions 7.4.0 to 7.4.3 GA only. For installations with QRadar version 7.4.3 Fix Pack 1 and later, QRadar Analyst Workflow is installed as a standard application by using extensions management.
For more information, see IBM Documentation.
Important: QRadar Analyst Workflow requires root access to install. If you use the command line to become root, you must open a root login shell:
sudo su -
Plain sudo su (without the hyphen) gives you a root shell but does not load root's login environment (profile and PATH), so the installation does not run as intended.
Procedure
  1. Download the latest QRadarAnalystWorkflow<x.x.x>.zip file from IBM Fix Central.
    See also the documentation for the QRadar Analyst Workflow on the IBM Security App Exchange.
  2. If the console uses custom SSL certificates, run the following commands in any directory on your QRadar Console. The first rebuilds the system CA trust store; the second restarts Docker so that the application containers pick up the updated bundle:
    • update-ca-trust
    • systemctl restart docker
  3. If a previous installation directory exists, delete it before you extract the .zip file. For example, on the QRadar Console run the following command:
    rm -rf /store/qradar-ui /root/qradar-ui
  4. Copy QRadarAnalystWorkflow<x.x.x>.zip to your QRadar console by using the Linux "secure copy" (scp) command or an SFTP client.
    Secure copy example: scp QRadarAnalystWorkflow<x.x.x>.zip <QRadar host>:/<directory>
  5. To extract the QRadarAnalystWorkflow<x.x.x>.zip file on your QRadar Console, type the following command. The example assumes that you copied the archive to /tmp in step 4:
    rm -rf /root/qradar-ui /store/qradar-ui && unzip /tmp/QRadarAnalystWorkflow<x.x.x>.zip -d /store/qradar-ui
  6. On the QRadar Console, change to /store and run ./qradar-ui/start.sh, then wait for the startup log output to finish.
  7. Access the QRadar Analyst Workflow by using one of the following methods:
    • In the navigation menu, click Try the New UI.
    • Access the new UI in your browser at https://<QRadar IP address>/console/ui.
  8. Delete QRadarAnalystWorkflow<x.x.x>.zip and the installation folder.
    Example: rm -fr /store/qradar-ui /tmp/QRadarAnalystWorkflow<x.x.x>.zip
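The following script is an added example, not IBM's installer and not part of these release notes. It wraps steps 2, 3, 5, 6 and 8 of the procedure above in one POSIX shell script with the checks a practitioner would want before running rm -rf and unzip as root: it refuses to run unless the caller is root, the archive exists, and the archive's SHA-256 matches a value the operator supplies. Assumptions that are not in the release notes: the archive was already copied to the console (step 4), the expected checksum is obtained out of band (for example from the download page) and passed as the second argument, the CUSTOM_CERTS and DRY_RUN environment variables are this script's own conventions, and ./qradar-ui/start.sh is run as /store/qradar-ui/start.sh because step 5 extracts into /store/qradar-ui.

```shell
#!/bin/sh
# Added example: wrapper around steps 2, 3, 5, 6 and 8 of the manual procedure.
# Not IBM's installer. Assumptions (not from the release notes):
#   - run as root on the QRadar Console, e.g. sudo su -  then  sh install-qaw.sh ZIP SHA256
#   - the archive was already copied to the console (step 4)
#   - the operator supplies the archive's expected SHA-256 as the second argument
#   - CUSTOM_CERTS=1 also runs step 2; DRY_RUN=1 prints privileged commands instead of running them
set -eu

STORE_DIR=/store/qradar-ui   # extraction target (step 5)
ROOT_DIR=/root/qradar-ui     # old install location removed in step 3
DRY_RUN="${DRY_RUN:-0}"

# The procedure insists on "sudo su -" because a login shell loads root's profile
# and PATH. Setting an explicit PATH here removes that dependency for this script.
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
export PATH

# run_cmd: execute a command, or print it with a "+ " prefix when DRY_RUN=1.
run_cmd() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# sha256_of FILE: print the hex SHA-256 of FILE (coreutils sha256sum, else shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        hash_line=$(sha256sum "$1")
    else
        hash_line=$(shasum -a 256 "$1")
    fi
    printf '%s\n' "${hash_line%% *}"
}

# verify_sha256 FILE EXPECTED: return 0 only when FILE hashes to EXPECTED (lowercase hex).
verify_sha256() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# refresh_ca_trust: step 2, only needed when the console uses custom SSL certificates.
# update-ca-trust rebuilds the system trust store; docker is restarted so the
# application containers pick up the new bundle.
refresh_ca_trust() {
    run_cmd update-ca-trust
    run_cmd systemctl restart docker
}

# install_workflow ZIP EXPECTED_SHA256: steps 3, 5, 6 and 8 in order.
# Fails before touching /store or /root if the caller is not root (unless DRY_RUN=1),
# the archive is missing, or its checksum does not match.
install_workflow() {
    zip_path="$1"
    expected="$2"
    if [ "$DRY_RUN" != "1" ] && [ "$(id -u)" != "0" ]; then
        echo "install_workflow: must run as root (use: sudo su -)" >&2
        return 1
    fi
    if [ ! -f "$zip_path" ]; then
        echo "install_workflow: archive not found: $zip_path" >&2
        return 1
    fi
    if ! verify_sha256 "$zip_path" "$expected"; then
        echo "install_workflow: SHA-256 mismatch for $zip_path, refusing to install" >&2
        return 1
    fi
    run_cmd rm -rf "$STORE_DIR" "$ROOT_DIR"          # step 3: remove any previous install
    run_cmd unzip -q "$zip_path" -d "$STORE_DIR"      # step 5: extract into /store/qradar-ui
    run_cmd "$STORE_DIR/start.sh"                     # step 6: ./qradar-ui/start.sh from /store
    run_cmd rm -rf "$STORE_DIR" "$zip_path"           # step 8: remove archive and install folder
}

# Usage: [DRY_RUN=1] [CUSTOM_CERTS=1] sh install-qaw.sh /tmp/QRadarAnalystWorkflow<x.x.x>.zip <sha256>
if [ "$#" -eq 2 ]; then
    [ "${CUSTOM_CERTS:-0}" = "1" ] && refresh_ca_trust
    install_workflow "$1" "$2"
fi
```

Run it once with DRY_RUN=1 to see the exact rm, unzip and start.sh commands it would execute on your console before running it for real; the checksum check runs in both modes, so a corrupted or substituted archive is rejected before anything is deleted.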

Removing QRadar Analyst Workflow

To remove the QRadar Analyst Workflow, run the following commands:

/opt/ibm/si/conman/bin/conman-api-cli.sh remove -n ui

/opt/ibm/si/conman/bin/conman-api-cli.sh remove -n graphql


Document Information

Modified date:
03 November 2021

UID

ibm16492565