IBM Support

QRadar Support Newsletter - June/July Wrap-up 2017



QRadar Support Newsletter, a wrap-up of activities for June/July 2017. This newsletter covers QRadar troubleshooting, news, announcements, and how-to articles for IBM QRadar users and administrators.



IBM Security QRadar Community,

Thank you for taking the time to review the QRadar Support Newsletter. The purpose of this newsletter is to provide a summary of activity related to QRadar, support information, news, "how-to" articles, tips for IBM Security QRadar SIEM and other associated QRadar products directly to QRadar users and administrators. Our goal is to provide knowledge and solutions to help security specialists complete their day-to-day activities.

1. Open Mic Event for August 23rd, 2017

On August 23rd, QRadar Support and Development is hosting an open webcast to discuss application development and troubleshooting. We will provide an overview of application development, along with common troubleshooting steps and questions that users have about apps and QRadar. An invitation with a calendar entry will be sent to users as a reminder. This event is open to all interested users and developers.

August Open Mic
  • Title: Let's Talk About QRadar Apps: Development & Troubleshooting
  • Date and time: Wednesday, August 23rd, 2017 11:00 am EDT
  • Attendee URL:
  • Event Number: 666 126 052

2. QRadar Flash Notice for Windows Events

A flash notice was issued to administrators on Aug. 1st for an issue from QRadar auto updates related to username parsing from Windows events. This flash notified administrators that installing an older version of the RPM could resolve the issue. An amendment to the flash notice has been posted because a corrected RPM is now available, so a rollback to an older version is no longer required. The latest version of the Microsoft Windows Security Event Log DSM can be downloaded and installed from IBM Fix Central. The corrected version is also available in this week's QRadar Automatic Update posted last weekend (Aug 5th).

3. QRadar Software Releases

Recent QRadar software releases and important information for administrators.

June/July Software 7.3.x Update Releases
  1. QRadar 7.3.0 Patch 3
  2. QRadar 7.3.0 Patch 2
June/July Software 7.2.x Update Releases
  1. QRadar 7.2.8 Patch 9
  2. QRadar 7.2.8 Patch 8 Interim Fix 01
  3. QRadar 7.2.8 Patch 8
  4. QRadar 7.2.8 Patch 7

Important information for 7.2.8 Patch 7 and above
  • TLSv1 is disabled in QRadar 7.2.8 Patch 7. This change was originally completed in QRadar 7.3.0 and has been ported to the QRadar 7.2.8 software stream as of Patch 7. This means that after updating to QRadar 7.2.8 Patch 7, Tomcat no longer listens for TLSv1.0 and actively refuses browser connections that use it. Browsers will be required to use TLSv1.1 or TLSv1.2 to authenticate to QRadar SIEM. This should only impact users with older or legacy browsers.
  • The Master Console v0.10.0 or v0.11.0 is not supported on QRadar 7.2.8 Patch 7, QRadar 7.2.8 Patch 8, or QRadar 7.2.8 Patch 9 due to changes made with Java 8 and TLSv1.0 connections as described above. Administrators who require the Master Console should not upgrade to a version above QRadar 7.2.8 Patch 6.
  • The installation of QRadar 7.2.8 Patch 7 updates the Java version to Java 8.
Important information for 7.2.8 Patch 8 and above
  • A security change has been implemented that can affect how administrators log in to QRadar using external authentication, such as LDAP, Active Directory, or RADIUS. When external authentication is not available due to network issues, the 'admin' user can now log in by falling back to the stored local authentication password. Alternate administrator accounts cannot fall back to their local QRadar password when external authentication is unavailable without a configuration change to nva.conf. For more information, see:

4. QRadar and SMBv1 on Windows Hosts

QRadar protocols for Microsoft IIS, Microsoft Exchange, Microsoft DHCP, and SMB Tail require an intermediate Linux server to remotely collect events until an SMBv2+ protocol update can be made available. For more information, see: Microsoft Windows Log Sources and Support for SMBv1 and SMBv2+.

QRadar Vulnerability Manager authenticated scans for Microsoft Windows assets fail to complete the scan due to an authentication issue if SMBv1 is disabled on the Windows host. If SMBv1 is disabled, authenticated scans for Windows hosts display an orange warning icon for assets where authentication failed in the Scan Results section of the Vulnerabilities tab. A workaround is available for customers in the following technical note: Authenticated Scans Fail on Microsoft Windows Assets if the SMBv1 Protocol is Disabled.

5. Support Tip: Migrate QRadar Data Using

A new utility has been released as part of the Console migration technical note that allows administrators to move QRadar data more easily. This utility moves data in /store/ for events and flows on disk month by month to any QRadar host with a single command. The utility uses rsync and records files moved in case a disconnect occurs so admins can more easily move data to new QRadar installations. For more information, see the attachment in Step 7:

6. Important API Changes in the Ariel Endpoint for QRadar 7.3.1

Administrators, users, or business partners working to develop applications that integrate with QRadar should be aware of an important API change coming in QRadar 7.3.1. QRadar applications can be affected by this future API update, so we are alerting developers to the change.

In existing QRadar releases (7.2.8 and 7.3.0), data returned in the JSON response for /ariel/searches/{search_id}/results was always displayed as "string" values, regardless of the actual JSON data type. For example, in the QRadar API v7.1 or v8.0, JSON results for numeric values and Booleans were always returned in double quotes, such as "starttime": "1502316123888", "sourceport": "80", "qid": "38750003", or Booleans ("true" / "false"). After an administrator updates the QRadar deployment to version 7.3.1, the API will return proper JSON types in the search results, such as "starttime": 1467049610019, "qid": 20034, "sourceport": 80, "value": true.

If you have questions about this change, ask us in the QRadar app development forums.
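An added example, not IBM's code: a Python helper that lets an integration read Ariel search results the same way before and after the 7.3.1 type change described above. The `events` wrapper key, the `FIELD_TYPES` map, and the function names are assumptions for illustration; the sample bodies are constructed from the values quoted in this section.

```python
import json

# Expected type per column. Names are the ones quoted in the newsletter;
# extend the map for the columns your own AQL query selects (assumption).
FIELD_TYPES = {"starttime": int, "sourceport": int, "qid": int, "value": bool}


def coerce(name, raw, expected):
    """Return raw as `expected`, accepting quoted strings (7.2.8/7.3.0)
    and native JSON types (7.3.1)."""
    if raw is None:
        return None
    if expected is bool:
        if isinstance(raw, bool):
            return raw
        if isinstance(raw, str) and raw.lower() in ("true", "false"):
            return raw.lower() == "true"
    elif expected is int:
        # bool is a subclass of int in Python, so exclude it explicitly.
        if isinstance(raw, int) and not isinstance(raw, bool):
            return raw
        if isinstance(raw, str) and raw.strip().lstrip("-").isdigit():
            return int(raw)
    # Fail loudly: a silently mistyped field can make a filter never match.
    raise ValueError(f"{name}: cannot read {raw!r} as {expected.__name__}")


def normalize_results(response_text, root="events"):
    """Parse a results body and coerce known columns; others pass through."""
    rows = json.loads(response_text)[root]
    return [
        {k: coerce(k, v, FIELD_TYPES[k]) if k in FIELD_TYPES else v
         for k, v in row.items()}
        for row in rows
    ]


# Constructed sample bodies using the values quoted above.
PRE_731 = ('{"events": [{"starttime": "1502316123888", "sourceport": "80", '
           '"qid": "38750003", "value": "true"}]}')
POST_731 = ('{"events": [{"starttime": 1467049610019, "qid": 20034, '
            '"sourceport": 80, "value": true}]}')

if __name__ == "__main__":
    for body in (PRE_731, POST_731):
        print(normalize_results(body))
```

Code that compares a raw field to a string literal such as "80" stops matching once the API returns the number 80, which is the case this helper removes.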

7. QRadar Advisor Information for Administrators

Heard about QRadar Advisor with Watson app and curious to see how it works? Explore our solution brief to learn how Watson for Cyber Security and QRadar Advisor can help you qualify incidents and identify root cause during an investigation. Take it a step further and try it yourself by downloading our free 30-day trial from the IBM App Exchange. Check out our support community if you need help installing and configuring the application.

8. Did you know?

Did you know that in the QRadar Auto Updates interface you can view a description for each DSM, Scanner, or Protocol installed in QRadar? In the past, this information was only available by viewing the hover text abstract section on the IBM Fix Central website. Next time you have a question about what was changed in a DSM, Scanner, or Protocol, you can use the Check for Updates or View Update History interface to view the description. A brief description of each RPM change is written so that administrators can understand the changes made to RPMs provided in weekly auto updates. These descriptions can also be useful for Log Activity troubleshooting or reviewing pending updates for issues reported by the SOC team, users, or analysts.

Figure 1: The Description field highlights the change history for each installed DSM, scanner, and protocol.

9. QRadar Forum Changes and Updates

During June and July, we worked on a number of reported issues in the forums that impacted users. These issues included browser cache problems, navigation issues, posts being lost after authentication, and page display issues. We heard your feedback and have made a number of changes to stabilize and update the forums. To combat these reported problems, forum users will notice that the interface no longer allows participants to start a new question or start typing an answer to a question without first authenticating to the forums. This change ensures that answers or long questions are not lost due to a cache issue when authentication occurs.

New users who might be unaware of the forums can sign up for an IBM id (free) and ask a question using the QRadar tag. This link has been created to direct all users to the 'qradar' tag in the forums.

10. What's new on the IBM Security App Exchange

New extensions and applications that are available on the IBM Security App Exchange. This list contains all new extensions and applications since the last newsletter was published.

11. Device and integration updates

Here is a list of releases and updates since our last newsletter.

      - Coming soon: SAP Enterprise Threat Detection (ETD)
      - Coming soon: Cisco Stealthwatch
      - New: Centrify Server Suite (July 25)
      - Updated: SIM Generic (July 25)
      - Updated: Cisco Wireless LAN Controllers (July 25)
      - Updated: Arbor Networks Peakflow SP (July 25)
      - Updated: EMC VMware (July 25)
      - Updated: Symantec Endpoint Protection (July 25)
      - Updated: Cisco Aironet (July 25)
      - Updated: Juniper Junos OS Platform (July 24)
      - Updated: Oracle RDBMS Audit Record (July 21)
      - Updated: Cisco Call Manager (July 13)
      - Updated: DSM Common (July 13)
      - Updated: Foundry FastIron (July 13)
      - Updated: Palo Alto PA Series (July 13)
      - Updated: Solaris Operating System Sendmail Logs (July 13)
      - Updated: Microsoft DNS Debug (July 7)
      - Updated: Fortinet FortiGate Security Gateway (July 7)
      - Updated: Nortel Switched Firewall 5100 (June 28)
      - Updated: Blue Coat Web Security Service (June 28)
      - Updated: Cisco Firewall Devices (June 28)
      - Updated: F5 Networks BIG-IP LTM (June 28)
      - Updated: IBM i (June 19)
      - Updated: VMware vCenter (June 13)
      - Updated: Carbon Black Protection (June 13)
      - Updated: Blue Coat SG Appliance (June 1)
      - Updated: Radware AppWall (June 1)
      - Updated: PostFix Mail Transfer Agent (June 1)
      - Updated: Aruba ClearPass Policy Manager (June 1)

      - Updated: IBM Security Identity Manager JDBC Protocol (July 22)
      - Updated: JDBC Protocol (July 21)
      - Updated: IMQ JMS Protocol (July 13)
      - Updated: TLS Syslog Protocol (July 13)
      - Updated: Netskope Active REST API Protocol (June 28)
      - Updated: Blue Coat Web Security Service REST API (June 28)
      - Updated: Office365 REST API Protocol (June 19)
      - Updated: Syslog Redirect Protocol (June 1)
      - Updated: SNMP Protocol (June 1)

      - Updated: Nmap Scanner (July 25)
      - Updated: AXIS Scanner (June 13)

12. Support articles and useful information for QRadar

We are on Twitter

IBM Security QRadar announcements, articles, and information are also delivered through @AskIBMSecurity. If you use Twitter, you can follow us by using the following link:

More to come

In the next month we will deliver another support newsletter with information relevant to IBM Security QRadar. In the future we plan to address questions, provide more articles, support tips, and also cover new and existing features in support videos. If you have suggestions, please visit our IBM Customer Forum for QRadar and let us know.

Subscription information

You are receiving this invitation because you have contacted IBM Support in the past.
  • To subscribe to this list, send an email to with: snl subscribe SecIntel in the subject line.
  • To unsubscribe from this list, send an email to with: snl unsubscribe SecIntel in the subject line.

Document information

More support for: IBM QRadar SIEM

Component: Newsletters

Software version: 7.2, 7.3

Operating system(s): Linux, Windows

Software edition: All Editions

Reference #: 2006984

Modified date: 10 May 2019