
IBM Security QRadarVersion 7.3.1

What's new

IBM

Note: Before you use this information and the product that it supports, read the information in "Notices" on page 17.

Product information

This document applies to IBM QRadar Security Intelligence Platform V7.3.1 and subsequent releases unless superseded by an updated version of this document.

© Copyright IBM Corporation 2017. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

Contents

Introduction to what's new in the QRadar family of products  v

1 What's new in QRadar V7.3.1  1
  QRadar  1
    QRadar core capabilities  1
    Ariel Query Language (AQL)  5
  QRadar Vulnerability Manager and QRadar Risk Manager  9
  QRadar Incident Forensics  10
  QRadar Network Insights  10

2 What's new in QRadar V7.3.0  11
  QRadar  11
    QRadar core capabilities  11
    High Availability (HA)  13
    Appliances  13
    RESTful APIs  14
    Ariel Query Language (AQL)  14
  QRadar apps  15
  QRadar Vulnerability Manager and QRadar Risk Manager  16
  QRadar Incident Forensics  16
  QRadar Network Insights  16

Notices  17
  Trademarks  18
  Terms and conditions for product documentation  18
  IBM Online Privacy Statement  19


Introduction to what's new in the QRadar family of products

Administrators review new features for IBM® Security QRadar® to help determine whether to upgrade, plan training for the users that they support, and to become aware of new capabilities.

Intended audience

This guide is intended for existing QRadar users who are responsible for investigating and managing network security.

Technical documentation

To find IBM Security QRadar product documentation on the web, including all translated documentation, access the IBM Knowledge Center (http://www.ibm.com/support/knowledgecenter/SS42VS/welcome).

For information about how to access more technical documentation in the QRadar products library, see Accessing IBM Security Documentation Technical Note (www.ibm.com/support/docview.wss?rs=0&uid=swg21614644).

Contacting customer support

For information about contacting customer support, see the Support and Download Technical Note (http://www.ibm.com/support/docview.wss?rs=0&uid=swg21612861).

Statement of good security practices

IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

Please Note:

Use of this Program may implicate various laws or regulations, including those related to privacy, data protection, employment, and electronic communications and storage. IBM Security QRadar may be used only for lawful purposes and in a lawful manner. Customer agrees to use this Program pursuant to, and assumes all responsibility for complying with, applicable laws, regulations and policies. Licensee represents that it will obtain or has obtained any consents, permissions, or licenses required to enable its lawful use of IBM Security QRadar.


1 What's new in QRadar V7.3.1

IBM Security QRadar 7.3.1 family of products includes new navigation features, tighter IPv6 integration, more health metrics data for diagnosing issues, and more.

QRadar

IBM Security QRadar V7.3.1 family of products includes enhancements to its core capabilities, RESTful APIs, and the Ariel Query Language (AQL).

QRadar core capabilities

IBM Security QRadar V7.3.1 includes new navigation features, tighter IPv6 integration, more health metrics data for diagnosing issues, and more.

AQL-based custom properties

With AQL-based custom event or custom flow properties, you can use an AQL expression to extract data from the event or flow payload that IBM Security QRadar does not typically normalize and display.

For example, you can create an AQL-based property when you want to combine multiple extraction and calculation-based properties, such as URLs, virus names, or secondary user names, into a single property. You can use the new property in custom rules, searches, reports, or you can use it for indexing offenses.

To learn more about creating and using custom properties, see the IBM Security QRadar User Guide.

Identifying flow direction reversal

As you're viewing a flow in the QRadar Console, you might want to know whether QRadar modified the flow direction, and whether any processing occurred. This algorithm provides information on how the traffic originally appeared on the network and which traffic features caused it to be reversed, if at all.

When the Flow Collector detects flows, it checks some of the flow properties before it acts. In some cases, the communication or flows between devices are bidirectional (the client communicates with the server and the server responds to the client). In this scenario, both the client and the server operate as though they are the source and the other is the destination. In reality, QRadar normalizes the communication, and all flows between these two entities then follow the same convention: "destination" always refers to the server, and "source" always refers to the client.

For more information, see Identifying whether a flow's direction was reversed in the IBM Security QRadar User Guide.
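The client/server normalization described above, as an added Python illustration (this is not QRadar's Flow Collector code). It orients each flow so that the source is the client and the destination is the server, and records whether the flow was reversed and which feature triggered it. The two features it checks, a well-known service port and which side sent the initial SYN, are an assumed heuristic for the example; the page does not list the properties that QRadar's own algorithm inspects. The sample flows are constructed.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Added example, not QRadar's Flow Collector code. After normalize_direction(),
# "source" always means the client and "destination" always means the server,
# and the flow records whether it was reversed and why. The two features checked
# (well-known service port, then which side sent the bare SYN) are an assumed
# heuristic for illustration only.

WELL_KNOWN_PORTS = {22, 25, 53, 80, 123, 443, 445, 3389}   # constructed sample set

@dataclass
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str
    src_sent_syn: bool = False       # source side sent the initial SYN (no ACK)
    dst_sent_syn: bool = False       # destination side sent the initial SYN
    was_reversed: bool = False       # set by normalize_direction()
    reverse_reason: Optional[str] = None

def normalize_direction(flow: Flow) -> Flow:
    """Return the flow oriented client -> server, annotated with why it was flipped."""
    reason = None
    if flow.src_port in WELL_KNOWN_PORTS and flow.dst_port not in WELL_KNOWN_PORTS:
        reason = "source port is a well-known service port"
    elif flow.protocol == "tcp" and flow.dst_sent_syn and not flow.src_sent_syn:
        reason = "destination sent the initial SYN"
    if reason is None:
        return replace(flow, was_reversed=False, reverse_reason=None)
    # Swap the endpoints (and their per-side features) so the client becomes the source.
    return Flow(
        src_ip=flow.dst_ip, src_port=flow.dst_port,
        dst_ip=flow.src_ip, dst_port=flow.src_port,
        protocol=flow.protocol,
        src_sent_syn=flow.dst_sent_syn, dst_sent_syn=flow.src_sent_syn,
        was_reversed=True, reverse_reason=reason,
    )

def as_seen_on_wire(flow: Flow):
    """Reconstruct (src, sport, dst, dport) as the traffic first appeared on the network."""
    if flow.was_reversed:
        return (flow.dst_ip, flow.dst_port, flow.src_ip, flow.src_port)
    return (flow.src_ip, flow.src_port, flow.dst_ip, flow.dst_port)

# Constructed sample flows.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", 443, "192.168.1.20", 51234, "tcp"),                   # server reply seen first
    Flow("192.168.1.20", 51234, "10.0.0.5", 443, "tcp"),                   # already client -> server
    Flow("10.0.0.7", 40000, "10.0.0.8", 40001, "tcp", dst_sent_syn=True),  # ephemeral ports, SYN decides
]

if __name__ == "__main__":
    for raw in SAMPLE_FLOWS:
        norm = normalize_direction(raw)
        print(f"{norm.src_ip}:{norm.src_port} -> {norm.dst_ip}:{norm.dst_port} "
              f"reversed={norm.was_reversed} reason={norm.reverse_reason} "
              f"on_wire={as_seen_on_wire(norm)}")
```

Keeping the reason string on the normalized flow is the point of the exercise: when an analyst sees a flow whose source is a client, they can tell from the annotation whether that is how it arrived or whether the collector flipped it, and on which feature.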

Identifying how application fields are set for flows

As you're viewing a flow in the QRadar Console, you might want to know whether QRadar modified the flow application name, and whether any processing occurred. You can use this information to gain insight into which algorithm classified the application, and to ensure that algorithms are extracting flow features correctly.

When the Flow Collector detects a flow, it uses various algorithms to determine which application the flow came from. After the Flow Collector identifies the application, it sets the 'Application' property that appears in the Flow Details window.


For more information, see Identifying how application fields are set for a flow in the IBM Security QRadar User Guide.

Reduced downtime for event collection services

In earlier versions, deploying changes to your QRadar system sometimes resulted in gaps in data collection while the hostcontext service restarted. To minimize these interruptions, the event collection service is now managed separately from other QRadar services. The new event collection service, ecs-ec-ingress, listens on port 7787.

With the new separation of services, the event collection service does not automatically restart each time that you deploy changes. The service restarts only when the deployed changes impact the event collection service directly.

This enhancement significantly reduces interruptions in collecting data, and makes it easier for you to comply with your organization's data collection targets.

For more information, see Making changes in your QRadar environment in the IBM Security QRadar Administration Guide.

Continuous collection of events during minor patch updates

You can expect fewer disruptions in event collection when you apply future patches to QRadar V7.3.1 or later. Minor patches that do not require the system to restart will not restart the event collection service.

Ability to restart only the event collection service

From the QRadar product interface, you can restart the event collection service on all managed hosts in your deployment.

This new capability is useful when you want to restart the event collection service without impacting other QRadar services. For example, after you restore a configuration backup, you can defer restarting the service to a time that is convenient for you.

For more information about restarting the event collection service, see the IBM Security QRadar Administration Guide.

Event collection continues when you install or update a protocol RPM

Before QRadar V7.3.1, installing or updating a protocol RPM required a full deployment, which caused event collection to stop for several minutes for all installed protocols.

Now, protocols are loaded dynamically when you deploy the changes. Only those protocols that were updated experience a brief outage (in seconds).

New slide-out navigation menu with favorite tabs

As the number of apps that are installed in your deployment grows, so does the number of visible tabs. The new slide-out navigation menu makes it easier for you to find the apps that you use the most by managing which tabs are visible in QRadar.

When you upgrade to QRadar V7.3.1, all QRadar tabs are available from the slide-out menu. Each menu item is marked as a favorite, which also makes it available as a tab. You can control which tabs are visible by selecting or clearing the star next to the menu item.


To access the settings that were on the Admin tab in earlier QRadar versions, click Admin at the bottom of the slide-out navigation menu.

Browser-based system notifications

QRadar now uses your browser notification settings to display system notifications. With this enhancement, you can continue to monitor the status and health of your QRadar deployment even when QRadar is not the active browser window. To show system notifications on your screen, you must configure your browser to allow notifications from QRadar.

Browser notifications are supported for Mozilla Firefox, Google Chrome, and Microsoft Edge 10. Microsoft Internet Explorer does not support browser-based notifications. Notifications in Internet Explorer now appear in a restyled QRadar notification window.

For more information, see the System notifications topic in the IBM Security QRadar Administration Guide.

More health metrics data

QRadar collects up to 60x more health metrics data than before, making it easier for administrators to monitor their deployment and diagnose issues when they occur. You can visualize the new health metrics by using the QRadar Deployment Intelligence app, which is available from the IBM Security App Exchange.

The QRadar Deployment Intelligence app replaces the System Health information that was previously available on the Admin tab.

The additional health metrics data increases the size of the QRadar log files and the disk storage requirements for the data. Administrators who require more control over the disk storage that is required for the accumulated health data can create a retention bucket that uses Log Source Type = Health Metrics as the criteria.

For more information about working with retention buckets, see the Data retention topic in the IBM Security QRadar Administration Guide.

For more information about installing QRadar apps, see the IBM Security QRadar apps topic on the IBM Knowledge Center.

IPv6 support

QRadar uses the network hierarchy objects and groups to view network activity and monitor groups or services in your network. The network hierarchy can be defined by a range of IP addresses in IPv6 as well as IPv4 format. In addition to the network hierarchy, the Offense Manager, which previously supported only IPv6 indexing, now updates and displays all the appropriate fields for an offense with IPv6 data.

For more information about IPv6 addressing, see the IPv6 addressing in QRadar deployments topic in the IBM Security QRadar Administration Guide.

Improved security with new password policy

When using local QRadar authentication, you can enforce minimum password length and complexity, and control password expiry and reuse. The rules that you set are enforced for administrative and non-administrative users.

For more information about setting password rules, see the Configuring system authentication topic in the IBM Security QRadar Administration Guide.


Create an alias for the User Base DN (distinguished name) that is used for LDAP authentication

When you enter your user name on the login page, the Repository ID acts as an alias for the User Base DN (distinguished name). Using an alias removes the need to type a long distinguished name that might be hard to remember.

For more information about configuring LDAP authentication, see the IBM Security QRadar Administration Guide.

Edit or create a login message that is displayed to users in QRadar

Provide users with important information before they log in to QRadar. If needed, you can force users to consent to the login message terms before they can log in.

For more information about creating and editing login messages, see the IBM Security QRadar Administration Guide.

Monitor successful login events by running reports in QRadar

Easily monitor successful login events for the time period that you configure by running the Weekly Successful Login Events report template on the QRadar Reports tab.

For more information about creating and managing reports, see the IBM Security QRadar User Guide.

Two new preinstalled apps in QRadar V7.3.1

App Authorization Manager

The App Authorization Manager app provides improved security for app authorization tokens. Users who have the appropriate permissions can delete authorization tokens, or change the assigned user level authorization.

QRadar Assistant App

The QRadar Assistant App provides the following functionality on the Dashboard tab:
• Recommended apps and content extensions that are based on your configured preferences.
• QRadar Help Center dashboard widget to help you access helpful information about QRadar.
• Content update status is highlighted, and then users can download updates from within QRadar.
• IBM Security Support Twitter feed.

For more information about the new apps, see the IBM Security QRadar Administration Guide.

Log source auto-detection configuration

Before QRadar V7.3.1, log source auto-detection configuration was controlled by a configuration file that was edited manually on each event processor managed host.

As of QRadar V7.3.1, global configuration settings are now available. You can use the QRadar REST API or a command line script to enable and disable which log source types are auto-detected. If you use a smaller number of log source types, you can configure which log sources are auto-detected to improve the speed of detection. Log source auto-detection configuration also helps to improve the accuracy of detecting devices that share a common format, and can improve pipeline performance by avoiding the creation of incorrectly detected devices.

Note: You can still enable per-event processor auto-detection settings by using the configuration file method. You can manage the method that is used on each event processor in Admin > System & License Management > Component Management. Upgrades from previous versions do not enable global settings, and retain the use of the local configuration files. Fresh installations of QRadar V7.3.1 enable the global auto-detection settings option.

For more information about configuring managed hosts, see the IBM Security QRadar Administration Guide.

Configuring auto property discovery for log source types and a new Configuration tab in DSM Editor

You can configure the automatic discovery of new properties for a log source type. By default, the Auto Property Discovery option for a log source type is disabled. When you enable the option on the new Configuration tab of the DSM Editor, new properties are automatically generated. The new properties capture all the fields that are present in the events that are received by the selected log source type. The newly discovered properties become available in the Properties tab of the DSM Editor.

For more information about using the DSM Editor, see the IBM Security QRadar Administration Guide.

New IBM QRadar Data Store offering

A new offering, IBM QRadar Data Store, normalizes and stores both security and operational log data for future analysis and review. The offering supports the storage of an unlimited number of logs without counting against your organization's Events Per Second QRadar SIEM license, and enables your organization to build custom apps and reports based on this stored data to gain deeper insights into your IT environments.

Enhancements to the routing rules in QRadar V7.3.1 require a license for QRadar Data Store. After the license is applied and the routing rule enhancement is selected, events that match the routing rule will be stored to disk and will be available to view and for searches. The events bypass the custom rule engine and no real-time correlation or analytics occur. The events can't contribute to offenses and are ignored when historical correlation runs. Some apps will also ignore these events (https://www-ibm.com/support/docview.wss?uid=swg22009471).

For more information about configuring routing rules to forward data, see the IBM Security QRadar Administration Guide.

Log Source Extensions can extract values from events in JSON format by key reference

Log Source Extensions can now extract values by using the JsonKeypath.

For event data in nested JSON format, a valid JSON expression has the form /"<name of top-level field>"/"<name of sub-level field_1>".../"<name of sub-level field_n>".

The following two examples show how to extract data from a JSON record:
• Simple case of an event for a flat JSON record: {"action": "login", "user": "John Doe"}
  To extract the 'user' field, use this expression: /"user"
• Complex case of an event for a JSON record with nested objects: {"action": "login", "user": {"first_name": "John", "last_name": "Doe"}}
  To extract just the 'last_name' value from the 'user' subobject, use this expression: /"user"/"last_name"
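The keypath form described above, as an added Python example (this is illustration code, not the QRadar JsonKeypath implementation). It parses an expression such as /"user"/"last_name" into its key segments, walks a nested JSON event, and returns None when a level is missing or is not an object, which is the behaviour assumed here for an absent field; the grammar is taken from the two examples above and the sample events are constructed.

```python
import json
import re

# Added example: a parser for the /"field"/"subfield" keypath style described
# above, applied to nested JSON event payloads. Not QRadar's own code; the
# grammar is assumed from the two examples in the text.

# One path segment: a slash followed by a double-quoted key name. Escaped
# quotes (\") inside the key are allowed so that the parser does not split
# on a quote that is part of the key.
_SEGMENT = re.compile(r'/"((?:[^"\\]|\\.)*)"')

def parse_keypath(expression):
    """Split an expression such as /"user"/"last_name" into ['user', 'last_name']."""
    if not expression.startswith('/'):
        raise ValueError("keypath must start with '/'")
    keys = []
    pos = 0
    while pos < len(expression):
        match = _SEGMENT.match(expression, pos)
        if match is None:
            raise ValueError("malformed keypath at offset %d: %r" % (pos, expression))
        keys.append(match.group(1).replace('\\"', '"'))
        pos = match.end()
    if not keys:
        raise ValueError("keypath has no segments")
    return keys

def extract(payload, expression):
    """Return the value the keypath selects, or None when any level is missing.

    Returning None rather than raising mirrors leaving a custom property empty
    for an event that lacks the field (an assumption made for this example).
    """
    node = json.loads(payload) if isinstance(payload, str) else payload
    for key in parse_keypath(expression):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

# Constructed sample events: the flat and nested records from the text, plus
# one where the selected sub-field is absent.
FLAT_EVENT = '{"action": "login", "user": "John Doe"}'
NESTED_EVENT = '{"action": "login", "user": {"first_name": "John", "last_name": "Doe"}}'
PARTIAL_EVENT = '{"action": "login", "user": {"first_name": "John"}}'

if __name__ == "__main__":
    print(extract(FLAT_EVENT, '/"user"'))                 # John Doe
    print(extract(NESTED_EVENT, '/"user"/"last_name"'))   # Doe
    print(extract(PARTIAL_EVENT, '/"user"/"last_name"'))  # None
```

The regex anchors each segment at the current offset, so a stray character between segments (for example a missing slash) is reported as a malformed expression instead of being silently skipped; that is the check worth keeping when you build extraction rules that feed custom properties.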

Ariel Query Language (AQL)

IBM Security QRadar introduces new AQL functions and enhancements.


PARAMETERS REMOTESERVERS now includes the option to select servers in your search by specifying the ID or name of Event Processors

By using the ARIELSERVERS4EPNAME function with PARAMETERS REMOTESERVERS, you can specify an Event Processor by name in an AQL query; for example, PARAMETERS REMOTESERVERS=ARIELSERVERS4EPNAME('eventprocessor0', 'eventprocessor104')

By using the ARIELSERVERS4EPID function with PARAMETERS REMOTESERVERS, you can specify an Event Processor by ID in an AQL query; for example, PARAMETERS REMOTESERVERS=ARIELSERVERS4EPID(102)

By specifying an Event Processor, or servers that are connected to that Event Processor, you can run AQL queries faster and more efficiently.

When you have multiple servers in your organization and you know where the data that you're looking for is saved, you can fine-tune the search to just the servers, clusters, or specific servers on Event Processors.

In the following example, you search only the servers that are connected to 'eventprocessor104'.

SELECT processorid, PROCESSORNAME(processorid), LOGSOURCENAME(logsourceid)
FROM events
GROUP BY logsourceid
PARAMETERS REMOTESERVERS=ARIELSERVERS4EPNAME('eventprocessor104')

You can significantly reduce the load on your servers, run the query regularly, and get your results faster when you filter your query to search fewer servers.

For more information, see the AQL data retrieval functions topic in the IBM Security QRadar Ariel Query Language Guide.

PARAMETERS EXCLUDESERVERS excludes servers from your AQL search

Avoid having to search all AQL servers by using PARAMETERS EXCLUDESERVERS to exclude specific servers:
• IP address; for example, PARAMETERS EXCLUDESERVERS='177.22.123.246:32006,172.11.22.31:32006'
• Event Processor name; for example, PARAMETERS EXCLUDESERVERS=ARIELSERVERS4EPNAME('<eventprocessor_name>')
• Event Processor ID; for example, PARAMETERS EXCLUDESERVERS=ARIELSERVERS4EPID(<processor_ID>)

Searching only the servers that have the data that you require speeds up searches and uses fewer server resources.

Refine your query to exclude the servers that don't have the data that you're searching for. In the following example, you exclude servers that are connected to 'eventprocessorABC':

SELECT processorid, PROCESSORNAME(processorid), LOGSOURCENAME(logsourceid)
FROM events
GROUP BY logsourceid
PARAMETERS EXCLUDESERVERS=ARIELSERVERS4EPNAME('eventprocessorABC')

If you refine multiple queries by using PARAMETERS EXCLUDESERVERS, you can reduce the load on your servers and get your results faster.

For more information, see the AQL data retrieval functions topic in the IBM Security QRadar Ariel Query Language Guide.


Specify the Event Processor name in an AQL query by using the ARIELSERVERS4EPNAME function with PARAMETERS REMOTESERVERS or PARAMETERS EXCLUDESERVERS

In an AQL query, you can include or exclude the servers that are connected to an Event Processor by using the ARIELSERVERS4EPNAME function to name an Event Processor in the query. For example, use the ARIELSERVERS4EPNAME function with PARAMETERS REMOTESERVERS to include eventprocessor_ABC in the query:

PARAMETERS REMOTESERVERS=ARIELSERVERS4EPNAME('eventprocessor_ABC')

For example, you might want the search to exclude all servers on a named Event Processor by using the ARIELSERVERS4EPNAME function with PARAMETERS EXCLUDESERVERS. In the following example, eventprocessor_XYZ is excluded from the query:

PARAMETERS EXCLUDESERVERS=ARIELSERVERS4EPNAME('eventprocessor_XYZ')

For more information, see the AQL data retrieval functions topic in the IBM Security QRadar Ariel Query Language Guide.

Specify the Event Processor ID in an AQL query by using the ARIELSERVERS4EPID function with PARAMETERS REMOTESERVERS or PARAMETERS EXCLUDESERVERS

In an AQL query, you can include or exclude servers connected to an Event Processor by using the ARIELSERVERS4EPID function to specify the ID of an Event Processor in the query.

For example, include servers on the Event Processor that has the ID 101:

PARAMETERS REMOTESERVERS=ARIELSERVERS4EPID(101)

For example, exclude servers on the Event Processor that has the ID 102:

PARAMETERS EXCLUDESERVERS=ARIELSERVERS4EPID(102)

For more information, see the AQL data retrieval functions topic in the IBM Security QRadar Ariel Query Language Guide.

Filter your search by using the ARIELSERVERS4EPID function with PARAMETERS REMOTESERVERS or PARAMETERS EXCLUDESERVERS to specify Event Processors by ID and their Ariel servers

You can use the ARIELSERVERS4EPID function with PARAMETERS REMOTESERVERS and PARAMETERS EXCLUDESERVERS to specify Ariel servers that you want to include or exclude from your search.

You can also use the following query to list Ariel servers by Event Processor ID.

SELECT processorid, ARIELSERVERS4EPNAME(PROCESSORNAME(processorid)) from events

Returns Ariel servers that are associated with an Event Processor that is identified by ID.

Here's an example of the output for the query, which shows the ID of the processor and the servers for that processor:

22 localhost:32011,172.16.158.95:32006

For more information, see the AQL data retrieval functions topic in the IBM Security QRadar Ariel Query Language Guide.


In an AQL query, you can specify Ariel servers that are connected to a named Event Processor by using the ARIELSERVERS4EPNAME function

Use the ARIELSERVERS4EPNAME function with PARAMETERS REMOTESERVERS or PARAMETERS EXCLUDESERVERS to specify Ariel servers that you want to include or exclude from your search.

You can also use the following query to list Ariel servers by Event Processor name.

SELECT PROCESSORNAME(processorid), ARIELSERVERS4EPNAME(PROCESSORNAME(processorid)) from events

Here's an example of the output for the query, which shows the name of the processor and the servers:

eventprocessorABC localhost:32011,172.16.158.95:32006

For more information, see the AQL data retrieval functions topic in the IBM Security QRadar Ariel Query Language Guide.

Use the COMPONENTID function to retrieve the ID for any named QRadar component and return data for that component

For example, you can retrieve events for a named Event Processor. In the following example, you retrieve events from eventprocessor0:

SELECT * from events where processorid = COMPONENTID('eventprocessor0')

PARSETIMESTAMP function parses the text representation of date and time and converts it to UNIX epoch time

Do time-based calculations easily in AQL when you convert time in text format to epoch time.

Include time-based calculations in your AQL queries and use the time-based criteria that you specify to return events that help to enhance the security of your organization by making it easier to monitor user activity. For example, you might want to find out whether the difference between a user's logout and re-login times is less than 30 minutes. If this timing seems suspicious, you can investigate further.

For more information, see the AQL data calculation and formatting functions topic in the IBM Security QRadar Ariel Query Language Guide.
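The logout-to-re-login check described above, carried out over constructed sample events in Python as an added example (not QRadar code and not an AQL query). In QRadar, PARSETIMESTAMP would turn the text timestamp into epoch seconds inside the AQL query; here strptime plays that role so the logic runs offline. The event format, user names and times are all constructed for the example, and the 30-minute threshold is the one the text uses.

```python
from datetime import datetime, timezone

# Added example, not QRadar code: convert text timestamps to UNIX epoch time and
# flag users who log back in less than max_gap_minutes after logging out. The
# event format and sample events below are constructed for this example.

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"   # text form of the timestamp in the sample events

def parse_timestamp(text):
    """Convert the text timestamp to UNIX epoch seconds (timestamps assumed to be UTC)."""
    return int(datetime.strptime(text, TIME_FORMAT).replace(tzinfo=timezone.utc).timestamp())

# Constructed sample events: (timestamp text, user, action)
SAMPLE_EVENTS = [
    ("2017-11-02 08:00:00", "alice", "login"),
    ("2017-11-02 08:45:10", "alice", "logout"),
    ("2017-11-02 09:05:00", "alice", "login"),   # 19 min 50 s after logout -> flagged
    ("2017-11-02 08:10:00", "bob",   "login"),
    ("2017-11-02 12:00:00", "bob",   "logout"),
    ("2017-11-02 13:30:00", "bob",   "login"),   # 90 min later -> not flagged
    ("2017-11-02 09:30:00", "carol", "login"),   # no preceding logout -> ignored
]

def find_quick_relogins(events, max_gap_minutes=30):
    """Return (user, logout_epoch, login_epoch, gap_seconds) for each re-login inside the gap."""
    # Sort by epoch time so that a logout is paired with the next login of the same user,
    # regardless of the order in which the events were collected.
    ordered = sorted(((parse_timestamp(t), u, a) for t, u, a in events), key=lambda e: e[0])
    last_logout = {}
    hits = []
    for epoch, user, action in ordered:
        if action == "logout":
            last_logout[user] = epoch
        elif action == "login" and user in last_logout:
            logout_epoch = last_logout.pop(user)
            gap = epoch - logout_epoch
            if gap < max_gap_minutes * 60:
                hits.append((user, logout_epoch, epoch, gap))
    return hits

if __name__ == "__main__":
    for user, out_at, in_at, gap in find_quick_relogins(SAMPLE_EVENTS):
        print(f"{user}: logged out at {out_at}, back in at {in_at} ({gap} s later)")
```

Doing the arithmetic on epoch seconds rather than on the text is the whole reason to parse the timestamp first: string comparison breaks across day boundaries and cannot produce a duration, whereas the epoch difference gives the gap directly and is the same quantity a time-based AQL criterion would compare against.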

Retrieve information about the location and distance of IP addresses

Use geographical data that is provided by MaxMind to find information about the location and distance between IP addresses in QRadar.

The GEO::LOOKUP AQL function returns location data for a selected IP address.

The GEO::DISTANCE AQL function returns the distance, in kilometers, between two IP addresses.

Easily recognize the geographical origin of your data by organizing your data by location such as city or country instead of by IP address, and use the distance between IP addresses to evaluate the relative distance between your QRadar locations.

For more information, see the AQL data retrieval functions topic in the IBM Security QRadar Ariel Query Language Guide.


Enhanced support for the AQL subquery

In QRadar V7.2.8 and V7.3.0, the subquery was accessible only by using the API.

The subquery is now available for use in searches from the Log Activity or Network Activity tabs.

For more information, see the AQL subquery topic in the IBM Security QRadar Ariel Query Language Guide.

Enhanced support for the SESSION BY clause

In QRadar V7.3.0, the SESSION BY clause was accessible only by using the API.

The SESSION BY clause is now available for use in searches in QRadar.

For more information, see the Grouping related events into sessions topic in the IBM Security QRadar Ariel Query Language Guide.

QRadar Vulnerability Manager and QRadar Risk Manager

IBM Security QRadar Vulnerability Manager V7.3.1 introduces custom risks and enhanced support for CIS benchmarks. IBM Security QRadar Risk Manager V7.3.1 migrates features from Configuration Source Management to the Configuration Monitor and improves topology searches and views.

QRadar Vulnerability Manager Custom Risk classification

Classify vulnerabilities with Custom Risk to prioritize the vulnerabilities that pose the most risk to your enterprise. Override a vulnerability's risk with your own risk classification based on individual requirements, and add comments to describe why you are changing the classification. For example, if a new internal policy requires all assets to disable SMBv1, you can raise the risk to Critical for all SMBv1-related vulnerabilities.

For more information, see the IBM Security QRadar Vulnerability Manager User Guide.

QRadar Risk Manager migration from Configuration Source Management to Configuration Monitor

Several features are migrated from Configuration Source Management to Configuration Monitor: add a new device, delete a device, back up a device, and discover devices in the Configuration Monitor. This migration is in preparation for when Google Chrome removes full support for Adobe Flash, and is the first stage in the removal of the Flash dependency from QRadar Risk Manager.

For more information, see the IBM Security QRadar Risk Manager User Guide.

Improved QRadar Risk Manager topology searches and views

Each topology search opens a tabbed view, and results are cached for improved topology retrieval, resulting in faster processing time.

For more information, see the IBM Security QRadar Risk Manager User Guide.

Enhanced support for CIS benchmarks

Added CIS Benchmarks profile support for the following platforms:
• Windows 2012 R2
• Red Hat Enterprise Linux 7
• Solaris 10
• Solaris 11
• Solaris 11.1
• Solaris 11.2
• Ubuntu Linux 14
• Ubuntu Linux 15
• CentOS Linux 6
• CentOS Linux 7

QRadar Incident Forensics

IBM Security QRadar Incident Forensics V7.3.1 introduces IBM QRadar Network Packet Capture stacking and SSH support. QRadar Incident Forensics offers managed host encryption.

Extend storage for Packet Capture data stacking

QRadar Network Packet Capture stacking is used to connect multiple QRadar Network Packet Capture appliances so that you can extend the storage available for capture data. For example, you now have the ability to stack up to 16 Packet Capture storage devices to increase their data retention time.

For more information, see the IBM QRadar Network Packet Capture User Guide.

QRadar Network Packet Capture SSH support

Configure the SSH Widget to enable SSH command prompt access for specific QRadar Network Packet Capture users. Use SSH command line access to help with troubleshooting and debugging.

For more information, see the IBM QRadar Network Packet Capture User Guide.

QRadar Incident Forensics Managed Host encryption

Encryption is now supported in QRadar Incident Forensics.

QRadar Network Insights

IBM QRadar Network Insights V7.3.1 simplifies the configuration, deployment, and stacking of QRadar Network Insights appliances.

Stack appliances by using the user interface

QRadar Network Insights V7.3.1 makes it easier to configure up to four appliances in a stack to distribute data across multiple CPUs and Napatech cards.

Stacking appliances helps you increase your data throughput at higher inspection levels.

For more information about stacking appliances, see the IBM QRadar Network Insights Installation Guide.


2 What's new in QRadar V7.3.0

IBM Security QRadar V7.3.0 family of products includes new search analytics, simplified migration of deployed hosts and reduced time to deployment, improved performance, a more secure platform, and more.

QRadar

IBM Security QRadar V7.3.0 family of products includes new search analytics, simplified migration of deployed hosts, reduced time to deployment, improved performance, a more secure platform, and more.

QRadar core capabilities

IBM Security QRadar core capabilities are enhanced with more flexible capacity management and deployment options, more tenant user capabilities, and improved installation, licensing, and software patching.

Activation keys are no longer needed

During the QRadar V7.3.0 installation, you select the appliance type that you are installing from a list. In previous releases, installers entered an activation key manually for the appliance during the installation process.

For more information about installing QRadar, see the IBM Security QRadar Installation Guide.

Log source limits are removed

Improvements to the licensing model in QRadar V7.3.0 now make it easier for you to manage log sources. Log source limits are removed and you no longer need to purchase licenses for log sources.

When you upgrade to QRadar V7.3.0, the previous log source limits are removed.

For more information about QRadar licenses, see the License Management chapter in the IBM Security QRadar Administration Guide.

Easily distribute event and flow capacity across your deployment

Adapt to workload changes by allocating events per second (EPS) and flows per minute (FPM) to any host in your deployment, regardless of which host the license is allocated to.

The EPS and FPM from individual licenses are now aggregated into a shared license pool. As an administrator, you can use the new License Pool Management window to quickly see the cumulative EPS and FPM capacity across the deployment, and to determine the best way to allocate the EPS and FPM to the managed hosts.

For example, you have a QRadar V7.2.8 distributed deployment that has two event processors, one with 7,500 EPS and the other with 15,000 EPS. When you upgrade to QRadar V7.3.0, each processor maintains the pre-upgrade EPS allocations, but the combined 22,500 EPS become part of the shared license pool. When the data volumes for the event processors change, or when you add a managed host, you can redistribute the EPS capacity.

For more information about managing the shared license pool, see the License Management chapter in the IBM Security QRadar Administration Guide.


More secure operating system and flexible disk partitioning (LVM)

QRadar runs on Red Hat Enterprise Linux version 7.3, which supports logical volume manager so that you can create and resize partitions and aggregate clusters of storage together.

For example, you have a QRadar All-In-One on a Virtual Machine and you need more local disk space so that you can store the events for a longer period of time. You can add another disk to extend the /store partition.

Also, in Red Hat Enterprise Linux version 7.3, the service command is replaced with the systemctl command. Administrators who use scripts to manage their QRadar deployments must review and update the scripts.

For example, update scripts to replace the old command, service <service_name> start|stop|restart, with the new command, systemctl start|stop|restart <service_name>.

For more information about using the systemctl command, see the Red Hat Enterprise Linux version 7 documentation.
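One way to audit and rewrite the legacy service calls in an administration script before the upgrade, as an added example that is not IBM's own tooling. The script rewrites only the start, stop and restart forms the note above covers, reports any other service call for manual review, and uses a constructed sample script with a made-up service name.

```python
"""Rewrite legacy "service <name> start|stop|restart" calls to the systemctl
form. Added example (not IBM tooling); the sample script and the service
name "example-collector" are constructed for illustration."""
from __future__ import annotations
import re

# The three actions the migration note covers. Anything else (for example
# "status") is reported rather than silently rewritten.
MIGRATABLE_ACTIONS = ("start", "stop", "restart")

# Matches "service <name> <action>", optionally with the /sbin or /usr/sbin
# path. The lookbehind keeps "myservice ..." and "/opt/service ..." from
# matching; the lookahead keeps the action a whole word.
SERVICE_CALL = re.compile(
    r"(?<![\w/.-])(?:/usr/sbin/|/sbin/)?service\s+"
    r"(?P<name>[\w.@-]+)\s+(?P<action>[a-z]+)(?![\w-])"
)


def migrate_line(line: str) -> tuple[str, list[str]]:
    """Return the rewritten line and the service calls left untouched."""
    skipped: list[str] = []

    def replace(match: re.Match) -> str:
        name, action = match.group("name"), match.group("action")
        if action not in MIGRATABLE_ACTIONS:
            skipped.append(match.group(0))
            return match.group(0)
        return f"systemctl {action} {name}"

    return SERVICE_CALL.sub(replace, line), skipped


def migrate_script(text: str) -> tuple[str, list[tuple[int, str]]]:
    """Migrate a whole script; also return (line number, call) pairs that
    still need a manual decision."""
    new_lines: list[str] = []
    unmigrated: list[tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        new_line, skipped = migrate_line(line)
        new_lines.append(new_line)
        unmigrated.extend((lineno, call) for call in skipped)
    return "\n".join(new_lines), unmigrated


# Constructed sample of a legacy administration script.
SAMPLE_SCRIPT = """#!/bin/bash
/sbin/service example-collector stop || exit 1
service example-collector start
service example-collector status
echo 'myservice example-collector start'  # not a service call
"""

if __name__ == "__main__":
    migrated, leftovers = migrate_script(SAMPLE_SCRIPT)
    print(migrated)
    for lineno, call in leftovers:
        print(f"line {lineno}: review manually: {call}")
```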

Security updates

QRadar V7.3.0 uses TLS 1.2 (Transport Layer Security) for secure communications. The Secure Socket Layer (SSL) and TLS 1.1 protocols are not supported.

There's a small change to the steps for updating the default CA certificate when automatic updates go through a proxy server.

Tenant users can create custom properties

Tenant users can create custom properties to extract or calculate important information from the event or flow payload without assistance from a Managed Security Service Provider (MSSP) administrator. With this capability, tenant users can view and search on data that QRadar does not typically normalize and display.

As an MSSP administrator, you have write permissions to all custom properties that are created by tenant users. To improve search performance, you can optimize a tenant's custom properties when the properties are used frequently in rules and reports. Tenant users cannot optimize properties that they create.

For information about working with custom event and flow properties, see the IBM Security QRadar User Guide.

Tenant users can create reference data collections

In QRadar V7.2.8, tenant users can view reference data that is created by their MSSP Administrator. Now, in V7.3.0, tenant users who have the Delegated Administration > Manage Reference Data user role can create and manage their own reference data collections, without assistance from an MSSP Administrator.

With this capability, tenant users can track business data or data from external sources, and they can refer to the data in QRadar searches, filters, rule test conditions, and rule responses. For example, a reference set that contains the user IDs of terminated employees can be used to prevent employees from logging in to the network.

For more information about working with reference data collections, see the IBM Security QRadar Administration Guide.


Master Console and Deployment Editor removed

Although Master Console isn't installed with QRadar V7.3.0, you can use Master Console V0.11.0 that was released with QRadar V7.2.8 to monitor a QRadar V7.3.0 deployment.

For more information about installing Master Console, see the IBM Security QRadar Master Console Guide.

System and License Management, which doesn't rely on Java™, replaces Deployment Editor.

For more information about managing your QRadar deployment, see the System Management chapter in the IBM Security QRadar Administration Guide.

High Availability (HA)

IBM Security QRadar V7.3.0 introduces a technology that minimizes downtime when applying software fixes to High Availability Event Collectors.

Reduced downtime when applying software fixes to High Availability Event Collectors

When you apply a software fix to a High Availability pair of Event Collectors, new clustering technology is used that reduces downtime. This clustering technology minimizes the impact to the data collection process.

Appliances

IBM Security QRadar V7.3.0 introduces a high-performance appliance, an appliance that is dedicated to network packet capture, and an appliance that reconstructs network sessions in real-time, providing more detailed threat visibility.

QRadar xx29

The IBM Security QRadar xx29 (MTM 4412-Q2A) appliance is the M5 version of any xx28 appliance. For example, you can use the QRadar xx29 as a QRadar Event Processor 1629, a QRadar Flow Processor 1729, a QRadar 3129 (All-in-One), and so on.

For more information, see the QRadar Hardware Guide.

QRadar xx48

The IBM Security QRadar xx48 (MTM 4412-Q3B) captures larger traffic volumes for enterprise clients that require higher levels of performance. Because the QRadar xx48 processes data faster, makes data available for searching and analysis sooner, and supports more IP-enabled devices, you use fewer appliances, saving rack space.

For more information, see the QRadar Hardware Guide.

QRadar Network Packet Capture

The IBM Security QRadar Network Packet Capture (MTM 4412-F2C) provides more storage capacity to enable users to store more packet data for a longer period of time, and improved performance. The QRadar Network Packet Capture appliance also provides more capture ports and extra configuration flexibility to support a wide range of deployment options.

For more information, see the QRadar Hardware Guide.


QRadar Network Insights 1920

The IBM Security QRadar Network Insights 1920 (MTM 4412-F3F) appliance can provide detailed analysis of network flows to extend the threat detection capabilities of QRadar. QRadar Network Insights 1920 reconstructs network sessions in real-time, gathering high-value indicators, and analyzing metadata and content.

For more information, see the QRadar Hardware Guide.

RESTful APIs

IBM Security QRadar V7.3.0 introduces version 8.0 of the API endpoints.

New endpoints

QRadar V7.3.0 introduces many new categories of API endpoints and updates to existing endpoints in the following categories:

Analytics API endpoints
- Building blocks
- Custom rules

Configuration API endpoints
- Hosts
- License pool
- Remote networks
- Remote services

GUI App Framework endpoints
- Named services

Staged configuration API endpoints
- License pool
- Remote networks
- Remote services

Services endpoints
- DNS lookups
- DIG lookups
- WHOIS lookups

For more information, see the IBM Security QRadar API Guide.

Ariel Query Language (AQL)

IBM Security QRadar introduces new AQL functions and enhancements.

Group related events for better visibility into network and user activities

Use new AQL transactional sessions to easily track network and user activity.

You can group events that are contextually related into your own unique sessions by using AQL transactional sequences. These sessions show you event sequences and the subsequent outcomes. For example, you can see how long someone is logged in, or whether any unauthorized login attempts were made.


For more information, see the IBM Security QRadar Ariel Query Language Guide.

Separate network addresses from host addresses to enhance the filtering capability of your search

Use bitwise operators for AQL to mask IP addresses and to refine the IP address search criteria.

You can return all IP addresses for specific network segments or devices with specific IP addresses. You can filter your search on any or all four octets of an IP address. For example, you can use the bitwise AND operator to search for all IP addresses that match xxx.100.xxx.xxx to look at a specific set of IP addresses. You can use the LONG function to convert your IP addresses into long integers, which can be used in bitwise operations.

For more information, see the IBM Security QRadar Ariel Query Language Guide.
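The octet-mask technique above, worked through as an added example (not code from the IBM AQL guide). It generalizes the xxx.100.xxx.xxx case to any set of fixed octets, applies the same LONG-and-mask test locally to constructed sample addresses, and builds the matching AQL filter; the exact AQL spelling it emits is assumed from the description above rather than taken from the guide.

```python
"""Octet masking for IP searches: (LONG(ip) & mask) = pattern.
Added example; the AQL text produced by aql_where() is an assumed form of the
bitwise-AND / LONG() filter the page describes, and SAMPLE_IPS is constructed."""
from __future__ import annotations
import ipaddress

# Octet 1 is the leftmost (most significant) octet, octet 4 the rightmost.
OCTET_SHIFT = {1: 24, 2: 16, 3: 8, 4: 0}


def ip_to_long(ip: str) -> int:
    """Dotted-quad IPv4 address to the 32-bit integer LONG(ip) yields in AQL."""
    return int(ipaddress.IPv4Address(ip))


def build_mask(fixed: dict[int, int]) -> tuple[int, int]:
    """Return (mask, pattern) for a set of fixed octets, e.g. {2: 100} for
    xxx.100.xxx.xxx. An address matches when (LONG(ip) & mask) == pattern."""
    if not fixed:
        raise ValueError("at least one octet must be fixed")
    mask = pattern = 0
    for octet, value in fixed.items():
        if octet not in OCTET_SHIFT:
            raise ValueError(f"octet must be 1..4, got {octet}")
        if not 0 <= value <= 255:
            raise ValueError(f"octet value must be 0..255, got {value}")
        mask |= 0xFF << OCTET_SHIFT[octet]
        pattern |= value << OCTET_SHIFT[octet]
    return mask, pattern


def matches(ip: str, fixed: dict[int, int]) -> bool:
    """Apply locally the test the AQL WHERE clause applies server-side.
    Parenthesised because == binds tighter than & in Python."""
    mask, pattern = build_mask(fixed)
    return (ip_to_long(ip) & mask) == pattern


def filter_ips(ips: list[str], fixed: dict[int, int]) -> list[str]:
    """Keep the addresses whose fixed octets all match."""
    return [ip for ip in ips if matches(ip, fixed)]


def aql_where(field: str, fixed: dict[int, int]) -> str:
    """Assumed AQL spelling of the filter: LONG(<field>) & <mask> = <pattern>,
    with both constants as zero-padded 32-bit hex literals."""
    mask, pattern = build_mask(fixed)
    return f"LONG({field}) & {mask:#010x} = {pattern:#010x}"


# Constructed sample of source addresses seen in events.
SAMPLE_IPS = ["10.100.3.4", "10.99.3.4", "192.168.100.7", "172.16.100.100"]

if __name__ == "__main__":
    print(f"SELECT sourceip FROM events WHERE {aql_where('sourceip', {2: 100})}")
    print(filter_ips(SAMPLE_IPS, {2: 100}))        # ['10.100.3.4']
    print(filter_ips(SAMPLE_IPS, {3: 100, 4: 7}))  # ['192.168.100.7']
```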

QRadar apps

In IBM Security QRadar V7.3.0, improve the performance of your apps by using an App Node appliance, where your apps have access to more memory and storage space.

Customers, developers, and Business Partners use the IBM Security App Exchange to share security app and content extensions to enhance IBM Security products.

Improved processing power for apps

In previous releases, when you set up the GUI Application Framework, apps ran on the QRadar Console and resource restrictions affected every app that you deployed. In QRadar V7.3.0, you can deploy a dedicated App Node on your own computer hardware, to offload system resources that QRadar needs to run apps.

For more information about configuring an app node, see the IBM Security QRadar Administration Guide.

Communication between apps for better threat detection and insights

By publishing its API, an app enables a different app to use the intelligence and value that it provides for augmented and enhanced security.

For example, when an app that provides threat intelligence feeds publishes its API, a malware detection engine app can use the threat intelligence feed data in its app.

Optimized back up and recovery process for applications

Application configurations can now be backed up and restored separately from the application data.

Application configurations are backed up as part of the nightly configuration backup. The configuration backup includes apps that are installed on the QRadar Console and on an App Node. You can restore the application configuration by selecting the Installed Applications Configuration option when you restore a backup.

Application data is backed up separately from the application configuration by using an easy-to-use script that runs nightly. You can also use the script to restore the app data, and to configure backup times and data retention periods.

For more information about backing up apps and app data, see the IBM Security QRadar Administration Guide.


QRadar Vulnerability Manager and QRadar Risk Manager

In IBM Security QRadar Vulnerability Manager V7.3.0, you can optimize the speed and accuracy at which services are discovered on your assets.

Performance improvements for service discovery on your assets

To improve performance and accuracy for service discovery on your assets, you can now configure parameters, such as timeouts and retries, to suit your network speed and infrastructure.

Manage Vulnerabilities performance improvement

SQL queries and search filters are tuned to deliver improved performance in the Manage Vulnerabilities By Instance, By Vulnerability, and By Asset screens. The improvement is especially noticeable when there are many assets and vulnerabilities, giving much better scalability and usability.

QRadar Incident Forensics

IBM Security QRadar Incident Forensics V7.3.0 introduces advanced recovery options and IBM QRadar Network Packet Capture troubleshooting information to help you resolve common issues.

PCAP device selection available for a QRadar Incident Forensics recovery

To see only traffic from the PCAP devices on your deployment when you run a QRadar Incident Forensics recovery, choose a Custom Capture Device.

For more information, see the IBM Security QRadar Incident Forensics User Guide.

More troubleshooting information available to help you identify and fix issues quickly

The troubleshooting information includes how to configure the date and time, additional information about configuring accelerator port settings in QRadar Network Packet Capture, and new Python streaming and chunking API examples.

For more information, see the IBM QRadar Network Packet Capture Administration Guide and the IBM QRadar Network Packet Capture API Guide.

QRadar Network Insights

IBM QRadar Network Insights V7.3.0 introduces support for TLV (type-length-value) format.

TLV option available for QRadar Network Insights

Use QFlow Collectors to export data to the QFlow Processor in TLV (type-length-value) format. For new IBM Security QRadar installations, or QRadar upgrades that don't have a QRadar Network Insights appliance as part of their deployment, choose the TLV format from the QFlow format menu.

For more information, see the IBM Security QRadar Incident Forensics Administration Guide.


Notices

This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785 U.S.A.

For license inquiries regarding double-byte character set (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan Ltd.
19-21, Nihonbashi-Hakozakicho, Chuo-ku
Tokyo 103-8510, Japan

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some jurisdictions do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM websites are provided for convenience only and do not in any manner serve as an endorsement of those websites. The materials at those websites are not part of the materials for this IBM product and use of those websites is at your own risk.

IBM may use or distribute any of the information you provide in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:


IBM Director of Licensing
IBM Corporation
North Castle Drive, MD-NC119
Armonk, NY 10504-1785
US

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

The performance data and client examples cited are presented for illustrative purposes only. Actual performance results may vary depending on specific configurations and operating conditions.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

Statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

All IBM prices shown are IBM's suggested retail prices, are current and are subject to change without notice. Dealer prices may vary.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to actual people or business enterprises is entirely coincidental.

Trademarks

IBM, the IBM logo, and ibm.com® are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.

Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

Terms and conditions for product documentation

Permissions for the use of these publications are granted subject to the following terms and conditions.

Applicability

These terms and conditions are in addition to any terms of use for the IBM website.


Personal use

You may reproduce these publications for your personal, noncommercial use provided that all proprietary notices are preserved. You may not distribute, display or make derivative work of these publications, or any portion thereof, without the express consent of IBM.

Commercial use

You may reproduce, distribute and display these publications solely within your enterprise provided that all proprietary notices are preserved. You may not make derivative works of these publications, or reproduce, distribute or display these publications or any portion thereof outside your enterprise, without the express consent of IBM.

Rights

Except as expressly granted in this permission, no other permissions, licenses or rights are granted, either express or implied, to the publications or any information, data, software or other intellectual property contained therein.

IBM reserves the right to withdraw the permissions granted herein whenever, in its discretion, the use of the publications is detrimental to its interest or, as determined by IBM, the above instructions are not being properly followed.

You may not download, export or re-export this information except in full compliance with all applicable laws and regulations, including all United States export laws and regulations.

IBM MAKES NO GUARANTEE ABOUT THE CONTENT OF THESE PUBLICATIONS. THE PUBLICATIONS ARE PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE.

IBM Online Privacy Statement

IBM Software products, including software as a service solutions, (“Software Offerings”) may use cookies or other technologies to collect product usage information, to help improve the end user experience, to tailor interactions with the end user or for other purposes. In many cases no personally identifiable information is collected by the Software Offerings. Some of our Software Offerings can help enable you to collect personally identifiable information. If this Software Offering uses cookies to collect personally identifiable information, specific information about this offering’s use of cookies is set forth below.

Depending upon the configurations deployed, this Software Offering may use session cookies that collect each user’s session id for purposes of session management and authentication. These cookies can be disabled, but disabling them will also eliminate the functionality they enable.

If the configurations deployed for this Software Offering provide you as customer the ability to collect personally identifiable information from end users via cookies and other technologies, you should seek your own legal advice about any laws applicable to such data collection, including any requirements for notice and consent.

For more information about the use of various technologies, including cookies, for these purposes, see IBM’s Privacy Policy at http://www.ibm.com/privacy and IBM’s Online Privacy Statement at http://www.ibm.com/privacy/details in the section entitled “Cookies, Web Beacons and Other Technologies” and the “IBM Software Products and Software-as-a-Service Privacy Statement” at http://www.ibm.com/software/info/product-privacy.


Printed in USA

