What's New in QRadar 7.5

By Lauren Horaist posted Fri January 14, 2022 05:44 PM

This week we released QRadar 7.5, which includes new features and security updates and introduces a new support lifecycle for releases going forward. In this blog we’ll cover what’s new in 7.5, recap recent updates from the end of 2021, and share an update on the support lifecycle changes.

What’s New in 7.5?

QRadar 7.5 includes updates both to the core SIEM offering, as well as to QRadar Network Insights (QNI). Core SIEM enhancements include:

  • New AQL functions to help improve search speed and performance when querying Offenses and retrieving unique count values
  • Performance improvements that enable the system to better handle EPS bursts above the license threshold, as well as improve utilization of hardware appliances
  • New policy that enables encryption by default for all newly added Managed Hosts to better ensure security of the deployment
  • App Framework improvements enable admins to more efficiently control the memory setting for each individual application
  • Upgrade to Red Hat Enterprise Linux 7.9

Beyond the core SIEM, QNI 7.5 now includes the Protocol Analysis Module that was previously developed and used by the IBM XGS intrusion prevention solution. This new module brings a number of enhancements to QNI, including:

  • Improved application identification and new application determination algorithms
  • New Suspect Content descriptions for X-Force signatures
  • Greater breadth of visibility into applications and protocols, adding support for an additional 300 application protocols
  • Major performance improvements, especially when running in Basic or Enriched Mode, with improved hardware utilization to get more value out of your hardware investments

New suspect content descriptions for X-Force signatures


In Case You Missed It: Recent Updates Prior to QRadar 7.5

Analyst Workflow 2.x: Analyst Workflow v2.0 includes a new Visual Builder that enables you to build and run basic and advanced queries without needing to know or use AQL. Instead, you can use drop-down lists to select which fields to search, and you can type in or copy/paste values into the search fields. Don’t worry – for those of you who prefer AQL, you can still use AQL in the Advanced Builder and toggle between the Visual and Advanced views to see how your GUI-based search translates to AQL.

Following Analyst Workflow 2.0, we’ve also shipped three additional patch releases that include major performance enhancements to significantly improve responsiveness of the UI. Additional bug fixes also help ensure that flow data is available via the main Analyst Workflow UI and its slide-out panels.

Visual query builder with column customization in Analyst Workflow.

Data Synchronization 3.0: The newest version of Data Synchronization includes updates to improve how Domains and Tenants are restored, and with the upcoming release of 7.5 FP1, Data Synchronization 3.0 will be able to support deployments that include QNI. Note that in order to use Data Sync with QNI in your deployment, you will need to be running both 7.5 FP1 (targeted for release in February) and Data Sync 3.0.

QRadar Data Synchronization provides a warm standby option to improve resilience.


Event and Flow Exporter: This app takes a lighter-weight approach to reporting and enables you to save, run and schedule queries. Query results can be sent automatically to you and/or other team members via email in CSV, JSON, PDF or XML format.

Ability to save and schedule queries using the Event and Flow Exporter.

New Integrations: Over the last few months, we’ve released a number of new pre-built integrations, including: Suricata, AWS Route 53 Resolver DNS Firewall, Palo Alto PAN-OS (via Cortex Data Lake), Palo Alto Prisma Access, IBM Cloud Activity Tracker, AWS Custom VPC Flows, and Microsoft 365 Defender.

Changes to the Support Lifecycle

With the release of QRadar 7.5, the QRadar Security Intelligence product family is moving to a Continuous Delivery model, under which all fixes and updates will be delivered in the next patch or version. That said, as we transition to this new model, we will continue to issue security fixes for 7.3.3 and 7.4.3 through their respective end-of-life dates. As a reminder, 7.3.3 will be supported through November 30, 2022, and in accordance with this week’s announcement, 7.4.3 will be supported through April 28, 2023.

As you upgrade to 7.5, which will follow a Continuous Delivery support model, updates will be released as Update Packages (UPs). To help you plan ahead, our goal is to release one UP per quarter, during the middle of the second month of each quarter (e.g. the Q1 release is estimated around February 15, 2022; the Q2 release is estimated around May 17, 2022; etc.). These dates may change due to unforeseen circumstances.

As always, we'd love your feedback and welcome the opportunity to share previews of upcoming plans. Don't hesitate to reach out with questions and/or submit RFEs with new ideas.


Comments

Thu January 20, 2022 07:07 AM

Nice post!

Tue January 18, 2022 01:50 PM

Lauren, thanks a lot for your message and for outlining the support model for old releases. Can we expect a 7.4 CE before support runs out? And yes, I know it's not supported anyway, but up to now we can manually update RPMs and Apps.