The latest version of IBM QRadar SIEM, 7.3.3, is the interim release ahead of the 7.4 expected by the end of the first quarter of 2020. It includes improvements in performance, analyst workflow, product security and, above all, user experience. The upgrade is simple: an IBM-provided script run from the console updates the whole deployment.
Here are some of the elements that, in our opinion, make it worth updating to this version until the long-term 7.4 release arrives in the coming months.
Support for key and value pairs in the DSM editor
Until now, when creating a log source manually, we needed to use regular expressions to extract each of the fields. Starting with version 7.3.3 it is possible to use simple delimiters for key/value attributes. This goes a step further than the event-processing improvement for the CEF and LEEF formats in QRadar 7.3.2, which for the first time allowed new properties to be detected automatically. In addition, users with the right permissions can register those custom properties directly from the DSM editor, saving time and simplifying the whole process. Finally, an option has been added to export the configuration of new log sources from the same editor.
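To make the difference concrete, here is an added Python example (written for this post, not QRadar's own parser) that extracts properties from a key/value event with nothing more than a pair delimiter and a key/value delimiter, and, beside it, the regex-based extraction that a CEF extension still needs because its values may contain unquoted spaces. The sample events are constructed, and the CEF function ignores the format's backslash escaping for brevity.

```python
"""Delimiter-based versus regex-based property extraction for log events.
Example code for illustration; not QRadar's implementation."""
import re
import shlex

# Constructed sample events (not real log data).
SAMPLE_KV_EVENT = (
    'ts=2020-01-15T10:22:31Z src=10.0.0.5 dst=198.51.100.7 '
    'action=deny reason="policy violation" bytes=512'
)
SAMPLE_CEF_EVENT = (
    "CEF:0|Vendor|Product|1.0|100|Login failed|5|"
    "src=10.0.0.5 suser=alice msg=bad password outcome=failure"
)


def parse_kv(event, pair_delim=" ", kv_delim="="):
    """Split an event into properties using only two delimiters.

    When the pair delimiter is whitespace, shlex handles double-quoted values
    so that a value may itself contain the delimiter. Tokens without the
    key/value delimiter (free text) are ignored rather than treated as errors.
    """
    if pair_delim.isspace():
        tokens = shlex.split(event)
    else:
        tokens = event.split(pair_delim)
    props = {}
    for tok in tokens:
        if kv_delim not in tok:
            continue
        key, value = tok.split(kv_delim, 1)
        props[key.strip()] = value.strip()
    return props


# A CEF extension value runs until the next "key=" token, so the value is
# matched lazily up to a lookahead for whitespace followed by another key.
CEF_EXT_RE = re.compile(
    r"(?P<key>[A-Za-z0-9_.]+)=(?P<value>.*?)(?=\s+[A-Za-z0-9_.]+=|$)"
)
CEF_HEADER_NAMES = (
    "version", "device_vendor", "device_product", "device_version",
    "signature_id", "name", "severity",
)


def parse_cef(event):
    """Parse a CEF event: seven pipe-separated header fields plus an
    extension of key=value pairs whose values may contain spaces."""
    parts = event.split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF event")
    props = dict(zip(CEF_HEADER_NAMES, parts[:7]))
    props["version"] = parts[0][len("CEF:"):]
    for m in CEF_EXT_RE.finditer(parts[7]):
        props[m.group("key")] = m.group("value")
    return props


if __name__ == "__main__":
    print(parse_kv(SAMPLE_KV_EVENT))
    print(parse_kv("a:1;b:2;c:x=y", pair_delim=";", kv_delim=":"))
    print(parse_cef(SAMPLE_CEF_EVENT))
```

The delimiter parser covers the common `key=value` case that 7.3.3 lets you configure without a regex; the CEF function shows why a regex (or a format-aware parser) is still the right tool when the format itself does not mark where a value ends.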
Flow improvements (flows)
This release detects the VXLAN information present in packets sent to QFlow (via Azure vTap, a Technocrat or monitoring card, or a NIC); it is extracted and added to the QRadar flow logs.
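As an added illustration of what "VXLAN information" a flow collector can pull out of such packets (example code written for this post, not QFlow's implementation), the following Python parses the 8-byte VXLAN header defined in RFC 7348, checks the VNI-valid flag, extracts the 24-bit VNI, and then reads the inner Ethernet/IPv4 addresses so that a flow record can be enriched with the VNI alongside the endpoint addresses. The packet is constructed in the script, with a zero IP checksum, rather than captured.

```python
"""Extract the VNI and inner IPv4 endpoints from a VXLAN-encapsulated UDP
payload. Example code for illustration; not QFlow's implementation."""
import struct
from ipaddress import IPv4Address

VXLAN_UDP_PORT = 4789          # IANA-assigned VXLAN port
VXLAN_FLAG_VNI_VALID = 0x08    # "I" flag: the VNI field is valid
ETHERTYPE_IPV4 = 0x0800


def parse_vxlan(udp_payload):
    """Return (vni, inner_frame) or None if this is not a valid VXLAN header.

    Header layout: flags (1 byte), reserved (3), VNI (3), reserved (1).
    """
    if len(udp_payload) < 8:
        return None
    flags, vni_and_reserved = struct.unpack("!B3xI", udp_payload[:8])
    if not flags & VXLAN_FLAG_VNI_VALID:
        return None
    return vni_and_reserved >> 8, udp_payload[8:]


def summarize_inner_ipv4(frame):
    """Pull src/dst address and protocol from an inner Ethernet/IPv4 frame."""
    if len(frame) < 14 + 20:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    return {
        "src": str(IPv4Address(ip[12:16])),
        "dst": str(IPv4Address(ip[16:20])),
        "proto": ip[9],
    }


def flow_record(udp_dst_port, udp_payload):
    """Fields a collector would add to a flow log: VNI plus inner endpoints."""
    if udp_dst_port != VXLAN_UDP_PORT:
        return None
    parsed = parse_vxlan(udp_payload)
    if parsed is None:
        return None
    vni, inner = parsed
    record = {"vni": vni}
    inner_summary = summarize_inner_ipv4(inner)
    if inner_summary:
        record.update(inner_summary)
    return record


# --- constructed sample packet (helpers for the demonstration only) ---
def build_inner_ipv4_frame(src, dst, proto=6):
    """Minimal Ethernet + 20-byte IPv4 header, checksum left at zero."""
    eth = bytes.fromhex("0a0000000001") + bytes.fromhex("0a0000000002") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return eth + ip


def build_vxlan_packet(vni, inner_frame):
    """Prepend a VXLAN header with the VNI-valid flag set."""
    return struct.pack("!B3xI", VXLAN_FLAG_VNI_VALID, vni << 8) + inner_frame


if __name__ == "__main__":
    pkt = build_vxlan_packet(5000, build_inner_ipv4_frame("10.1.2.3", "10.9.8.7"))
    print(flow_record(VXLAN_UDP_PORT, pkt))
```

Without the VNI, flows from different overlay networks that reuse the same private address ranges would collapse into one record; carrying the VNI into the flow log is what keeps them distinguishable.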
What’s new in Network Insights
Network Insights has improved the module that inspects RDP connections, which now detects the type of encryption used, and has added a module to detect rsh, rexec and rlogin connections. Another interesting improvement is that from now on all protocols (NFS, POP, SSL, TLS, HTTP, SSH, RDP, etc.) are detected together with their version, as shown in this table.
What awaits us in version 7.4?
The release of QRadar 7.4 is planned for the first quarter of 2020 and will include major improvements. This release will be based on Red Hat Enterprise Linux 7.7. It is expected to support Python 3.x and, curiously, it is not clear whether it will be compatible with Internet Explorer. It is important to note that this is a major update, with changes to the base version of the operating system, which involves additional tasks and precautions.
If you serve multiple customers from your SOC and use QRadar, you are in luck. There is plenty of hope that we will finally see significant improvements to the graphical interface, along with a larger update to the Application Framework that provides full multi-tenancy support. However, applications will have to be updated to be fully compatible. It is known that the UBA development team is already working on an update that uses these functions to segment user behavior data by customer and domain.
In fact, it will be the companies that provide virtual or remote SOC services in multi-client environments that benefit the most from the new features of version 7.4. In another post we will talk more about this and about how to integrate QRadar into semi-automated incident response environments through different SOAR solutions such as Resilient IRP. The future of SOCs will be to continue integrating tools and automating processes, as has been done for years in distributed environments with the adoption of DevOps and SysOps methodologies.
If you want to know more about this solution, at Sixe we offer training, consulting and technical support services for IBM QRadar SIEM. We also sell, deploy, migrate and integrate QRadar for all types of environments and customers. Contact us if you need our help :)