






IBM Security QRadar Community,

Thank you for taking the time to review the QRadar Support Newsletter. The purpose of this newsletter is to provide a summary of activity related to QRadar, support information, news, "how-to" articles, and tips for IBM Security QRadar and other associated QRadar products directly to QRadar users and administrators. Our goal is to provide knowledge and solutions to help security specialists complete their day-to-day activities.







1. QRadar software release information

Recent QRadar software releases and important information for administrators. For a list of all QRadar software versions and release notes, see: http://ibm.biz/qradarsoftware



Recent software releases

QRadar 7.3.1 Patch 3 Release Notes



Coming soon

QRadar 7.2.8 Patch 12







2. Think 2018 QRadar Video Replays

In March, the QRadar team hosted several live discussions at Think 2018. For those users who were unable to attend, we have posted the video replays on the IBM Security Support YouTube channel. If you want to discuss any of the presentations, feel free to ask a question in our forums or make a comment in the video on YouTube.

Title: QRadar 7.3.1 Feature Discussion (Session 8865)
Video replay: https://www.youtube.com/watch?v=9KrU2PPsg-Q

Title: Sizing and Scoping Your QRadar SIEM Deployment (Session 8947)
Video replay: https://www.youtube.com/watch?v=W6VcETzSrSc

Title: Meet the Experts: QRadar (Session 8962)
Video replay: https://www.youtube.com/watch?v=RA8_6_CoYxo

3. Master Skills University - May 14th to 18th

IBM Security Master Skills University offers a unique week of collaborative deep-dive education sessions, cross-product learning opportunities, and networking events - exclusively for experienced users of IBM Security products. The May event is taking place in Lake Buena Vista, Florida and offers 6 separate product tracks in one location. For more information or to sign-up for this event, see: http://www.ibm.com/support/docview.wss?uid=swg22015381

4. QRadar Support Tip of the Month

Did you know that QRadar 7.3.1 includes a license change for routing rules that drop events?

In previous QRadar versions, routing rules that drop events would credit the appliance license at a rate of 60% of events that you drop, up to a maximum of 2,000 events per second (EPS). This feature was introduced in QRadar 7.2.6 to allow administrators to drop events and not lose license capacity for events that have no security value; however, there was a license give back limit enforced on each appliance for a maximum of 2,000 EPS.

In QRadar 7.3.1, a change was made to allow routing rules that drop events to credit the license at 100%, up to the maximum EPS of the QRadar appliance license. This change simplifies routing rules that drop events for administrators to provide 100% of the license capacity back to the appliance where the dropped event occurred. For any questions about this change or how routing rules function in QRadar, ask in our forums: https://ibm.biz/qradarsupport

5. QRadar Survey Feedback

In QRadar 7.2.8 and in QRadar 7.3.1 versions, IBM implemented a dashboard survey to collect QRadar product feedback from end users. All feedback is reviewed and we appreciate all of your comments as your input helps us improve QRadar. We have heard your concerns in our forums and in the survey results about this dashboard notification and we are working to disable this pop-up survey in an upcoming release.

We apologize for any inconvenience or frustration that this survey implementation has caused. Further information will be posted in the QRadar forums to notify users when the software version to disable the survey pop-up is published to IBM Fix Central.

6. User Behavior Analytics v2.6.0 is Released

On March 28th, a new version of the User Behavior Analytics (UBA) application for QRadar was released to the IBM X-Force App Exchange. This release updates machine learning algorithms for Learned Peer Groups and adds a number of new use cases for user behavior assessment and risk. To download this application, you can use the QRadar Assistant App or download the latest version of UBA from the IBM X-Force App Exchange.

Extended machine learning algorithms to analyze anomalies based on Defined Peer Groups in LDAP/AD.

The machine learning "Peer Group" analytic was renamed to "Learned Peer Group".

Added use case: UBA : Process Executed Outside Gold Disk Whitelist (Windows / Linux)

Added use case: UBA : Ransomware Behavior Detected

Added use case: UBA : Netcat Process Detection (Windows / Linux)

Added use case: UBA : Multiple VPN Accounts Failed Login from Single IP

Added use case: UBA : Volume Shadow Copy Created

Added use case: UBA : Detect Insecure Or Non-Standard Protocol

Added use case: UBA : Malware Activity - Registry Modified In Bulk

Added use case: UBA : Internet Settings Modified

Added use case: UBA : Multiple VPN Accounts Logged In from Single IP

Added use case: UBA : Suspicious PowerShell Activity (Asset)

Added use case: UBA : Suspicious PowerShell Activity

Added use case: UBA : Suspicious Command shell Activity

Added use case: UBA : Malicious Process Detected

7. QRadar 7.3.0 Auto Updates with Proxies (IJ00621)

Administrators on QRadar v7.3.0 (any patch level) who use a proxy in their environment can experience 'Could not contact the update server - 500 SSL negotiation failed: Could not download manifest list' error messages when you attempt to connect to the QRadar auto update server. A script is available on IBM Fix Central to resolve this issue for QRadar 7.3.0 Console appliances. QRadar Support recommends that administrators on QRadar 7.3.0 (any patch level) with proxies who use auto update install the released script to resolve this issue. For more information and a link to download the utility, see the Auto Update Proxy Fix Pack for QRadar 7.3 (IJ00621).

8. QRadar Pulse App v2.1.0 is Available

An updated version of the QRadar Pulse dashboard application is available for download from the IBM X-Force App Exchange. The Pulse application for QRadar v7.3.0+ helps Security Operations Center (SOC) analysts visualize incident data and associated events in a 3D display. Users can leverage the Pulse app to watch offenses in real-time, create AQL driven dashboards for data visualization, customize and resize dashboards, and share dashboards between users. For more information, see the X-Force App Exchange: QRadar Pulse for QRadar v7.3.0 and above.

Import and export dashboards to share with colleagues

Scale the screen resolution for dashboards and dashboard items for easier visibility

Improved performance

Accessibility compliant

9. New X-Force & QRadar Functionality: Am I Affected?

The X-Force Exchange 'Am I Affected' option helps users quickly determine whether they are affected by zero-day attacks, such as Petya or WannaCry. The architecture cross-references QRadar log activities to determine if events and flows are related to any IOCs that are captured within a XFE public or private Collection. Users can assess the impact via graphical and tabular reporting, with quick pivoting back to QRadar. This service is entirely browser-based, so it does not cache QRadar data or send QRadar data to the X-Force Exchange server, and no QRadar data is stored on X-Force Exchange. To enable this integration, QRadar administrators must provide the Console IP Address and an authentication token into the X-Force Exchange using. The 'Am I Affected' button is free to all QRadar users.

10. What's new on the IBM Security App Exchange

11. Device and integration updates

DSMs

Protocols

12. Support articles and useful information

We are on Twitter

More to come