IBM QRadar

IBM QRadar

Join this online user group to communicate across Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

 View Only

What's New in QRadar 7.4.2

By Sophia Sampath posted Tue December 15, 2020 11:54 AM

  

Core Platform Updates

Operational Efficiency


Easily adjust the number of MAC addresses that are allowed for a single asset!

For users that log in from multiple wireless access points, or multiple users that log in remotely through a VPN, you can set the number of MAC addresses that are allowed for the asset in the same way that you can for IP addresses



DSM Editor Enhancements


Generating regex for parsing event properties

  • Highlight the payload text that you want to capture and in the Properties tab, click Suggest Regex. The suggested expression appears in the Expression field.
  • Alternatively, you can click the Regex button in the Workspace and select the property that you want to write an expression for. If QRadar is unable to generate a suitable regex for your data sample, a system message appears.

Note: The regex generator works best for fields in well-structured event payloads. If your payload consists of complex data from natural language or unstructured events, the regex generator might not be able to parse it and does not return a result



Introducing QRadar Network Insights - 40gbps Napatech Stacking


What’s new:

  • You can stack the new QRadar Network Insights 1940 appliances (appliance type 6600) to scale performance by balancing the network packet data load across multiple appliances
  • Stacked appliances can help you handle higher data volumes and improve flow throughput performance at the highest inspection levels
  • In a stacked configuration, the QRadar Network Insights 1940 appliances provide one port for incoming traffic and one port for outgoing traffic
  • Note: Stacks of different appliance types are not supported. i.e., 1920s cannot be stacked with 1940s


QRadar Network Insights Enhancements


What’s New:
  • Content flows are more easily identified

    • All Content Flows will now consistently appear in the same direction orientation as their Data Flow counterpart

      QRadar 7.4.2 makes it easier to identify content flows that are received from QRadar Network Insights:
      • In the Flow Information window, the Flow Type field shows Standard Flow (Content Flow).
      • On the Network Activity tab, the tooltip for the Flow Type icon shows Standard Flow (Content Flow).
  • New TCP Flow Direction algorithms

    • New flow direction algorithms that can be observed from QNI, including:

      • QNI TCP Handshake Observed (unaltered)
      • QNI TCP Handshake Observed (reversed)

  • Easily determine the direction of content flow
    • The direction of the content flow is indicated by one of the following annotations:
      • Unknown (0)
      • Default Direction (1)
      • Source to Destination (2)
      • Destination to Source (3)

  • More descriptive entity alerts

    • The entity alert includes more information about the type of suspicious content that was found so that you can triage each type of entity alert separately.
      The following entity alerts are new in QRadar Network Insights 7.4.2:

      • entity alert - IP address
      • entity alert - MAC address
      • entity alert - Phone number
      • entity alert - Credit Card Number
      • entity alert - Email Address
      • entity alert - Social Security Number
      • entity alert - UK NINO
      • entity alert - UK postal code
      • entity alert - Zip Code

QRadar Flow Enhancements



What’s New:

  • Accumulated byte and packet counters
    • Easily see the total number of bytes and packets that accumulated over the duration of the flow session. The byte and packet counters for each 1-minute interval that the flow is observed are also preserved.

    • You can view the accumulated counters by including the following fields in your search results. Accumulated source bytes

      • Accumulated source packets
      • Accumulated destination bytes
      • Accumulated destination packets
    • Benefits:

      • You can view the accumulated counters by including the following fields in your search results. 

        • Accumulated destination bytes
        • Accumulated destination packets
        • Accumulated source packets
        • Accumulated source bytes

  • New “Common Destination Port” flow direction algorithms
    • Introducing two new common destination port algorithms for use when the flow matches the criteria, but the flow direction is unchanged:
      • Single common destination port (unaltered) (5)
      • Both common destination ports, RFC 1700 preferred (unaltered) (6)
    • Benefits:

      • Now, the only flows that show the Arrival time annotation in the Flow Direction Algorithm field are the flows that do not match the criteria for any other flow direction algorithm.


  • MAC address support
    • You can now receive MAC address information from IPFIX and NetFlow V9 exporters
    •  Benefits:

      • The following MAC address fields are supported in QRadar 7.4.2:

        • sourceMacAddress (IANA Element ID 56)
        • postDestinationMacAddress (IANA Element ID 57)
        • destinationMacAddress (IANA Element ID 80)
        • postSourceMacAddress (IANA Element ID 81)



#Featured-area-2
#Featured-area-2-home
#Highlights
#Highlights-home
#QRadar
1 comment
929 views

Permalink

https://community.ibm.com/community/user/blogs/sophia-sampath1/2020/12/15/whats-new-in-qradar-742

Comments

Tapan Jatakia
Tue December 29, 2020 10:29 AM

Thanks, @Sophia Sampath, for this Informational Post. The MAC Address is a very important Update that benefits SOC Analysts in Triaging and reducing FPs quite a lot.