IBM Support

QRadar: What is the difference between "Deploy Changes" and "Deploy Full Configuration"?

Troubleshooting


Problem

After Administrative actions, a "Deploy Changes" might be required. This article provides information on when to either perform a "Deploy" or "Deploy Full Configuration" and their impact on your QRadar services.

Resolving The Problem

What is a "Deploy" in QRadar?

When a QRadar Console detects changes that must be pushed out to managed hosts, it shows a banner in the Admin tab stating that changes need to be deployed.

Changes are pushed from the "staging" area of QRadar to the "deployed" area, and the Hostcontext service restarts the appropriate components. If a component has no changes, there is nothing to deploy for it, and a restart of that service might not be required.

The Event Collection Server/Service (ECS) is made up of two processes: ecs-ec and ecs-ep.

  • The ecs-ec process is responsible for event and flow collection. This includes event parsing, traffic analysis, coalescing, and event forwarding. The ecs-ec process can exist on Consoles, Event Processors, Flow Processors, Event Collectors, and Flow Collectors.
  • The ecs-ep process is responsible for the Custom Rules Engine (CRE), event and flow streaming, and storage. The ecs-ep process can exist on Consoles, Event Processors, and Flow Processors, but does not exist on Flow Collectors. The Magistrate is also part of the ecs-ep process and exists on the Console only. The Magistrate is responsible for offense rules, offense management, and offense storage.


What is the difference between "Deploy Changes" and "Deploy Full Configuration"?

After you perform a "Deploy Changes", only the services that need updates are restarted on the appliances. Data collection and processing continue as normal because the ECS does not restart. A Deploy Changes does not impact the QRadar event pipeline (collection, processing, rules, or offenses).

A "Deploy Full Configuration" from the Admin tab sends a request to rebuild all configuration file sets. Each appliance rebuilds its own configuration files and then restarts its services to ensure that the new configuration is loaded. All processes that handle QRadar data restart, and an interruption of service occurs.

Since QRadar 7.3.1, an ecs-ec-ingress service spools incoming events while the other QRadar services restart. The ecs-ec-ingress service is not restarted by a deploy and continues to collect data, but the spooled events are not processed until the full deploy completes. Searches, reports, and other QRadar functions are unavailable while the full deploy is running.

Whenever a service interruption is expected on a deploy, a warning dialog is shown to the Admin user, who can cancel the deploy and defer it to a later time.
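To confirm on a managed host which of the two behaviours actually occurred, the following added example (not part of the IBM article or of QRadar itself) snapshots the systemd activation timestamps of the pipeline units before and after a deploy and classifies the restart pattern: no ECS restart is consistent with a Deploy Changes, an ecs-ec/ecs-ep restart with ecs-ec-ingress still running is the expected Deploy Full Configuration pattern, and an ecs-ec-ingress restart means a collection gap worth investigating. The unit names hostcontext, ecs-ec-ingress, ecs-ec, ecs-ep, and tomcat are assumed from a 7.3.1 or later host; the snapshot file format and the pattern labels are this example's own.

```shell
#!/bin/sh
# Added example (not QRadar's own tooling): detect which pipeline services
# restarted across a deploy by comparing systemd ActiveEnterTimestampMonotonic.
# Assumed systemd unit names on a QRadar 7.3.1+ host.
UNITS="hostcontext ecs-ec-ingress ecs-ec ecs-ep tomcat"

# Write "unit<TAB>monotonic_usec" for each unit into the file named by $1.
# A unit that is not active or not present records 0.
snapshot_units() {
    out="$1"
    : > "$out"
    for u in $UNITS; do
        ts=$(systemctl show -p ActiveEnterTimestampMonotonic "$u" 2>/dev/null | cut -d= -f2)
        printf '%s\t%s\n' "$u" "${ts:-0}" >> "$out"
    done
}

# Print, one per line, the units whose activation timestamp differs between
# the snapshot files $1 (before) and $2 (after). A unit missing from the
# "before" file is reported as restarted.
restarted_units() {
    before="$1"; after="$2"
    while IFS="$(printf '\t')" read -r unit ts_after; do
        ts_before=$(awk -F'\t' -v u="$unit" '$1==u {print $2}' "$before")
        if [ "$ts_before" != "$ts_after" ]; then
            echo "$unit"
        fi
    done < "$after"
    return 0
}

# Classify a newline-separated restart list from restarted_units:
#   ingress - ecs-ec-ingress restarted: events were not spooled, investigate
#   full    - ecs-ec and/or ecs-ep restarted, ingress kept collecting
#   changes - only non-ECS units restarted (consistent with Deploy Changes)
#   none    - nothing restarted
classify_deploy() {
    list="$1"
    case "$list" in
        *ecs-ec-ingress*) echo ingress; return 0 ;;
    esac
    case "$list" in
        *ecs-ec*|*ecs-ep*) echo full; return 0 ;;
    esac
    if [ -n "$list" ]; then echo changes; else echo none; fi
}

# Usage on a QRadar host (as root):
#   sh deploycheck.sh snapshot /tmp/before      # before clicking Deploy
#   (perform the deploy in the Admin tab)
#   sh deploycheck.sh snapshot /tmp/after
#   sh deploycheck.sh compare /tmp/before /tmp/after
case "${1:-}" in
    snapshot) snapshot_units "$2" ;;
    compare)
        r=$(restarted_units "$2" "$3")
        echo "$r"
        echo "pattern: $(classify_deploy "$r")"
        ;;
esac
```

Run the snapshot on every managed host you care about, not only the Console: the article's point is that each appliance restarts its own services, so an ingress restart on one Event Collector is invisible from the Console's unit list.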

Examples of QRadar changes that require Deploy Full Configuration:

  • Adding or removing a host that has an EC, EP, or MPC component in the deployment editor.

  • Adding, removing, or editing the values of an EC/EP component, or of an off-site source or target component, in the deployment editor.

  • Adding or updating a license that changes the EPS or FPM (flows per minute) values (Not valid in QRadar 7.3).

  • Enabling or disabling encryption (tunneling) on a managed host.


Examples of QRadar changes that require a Deploy Changes:

  • Adding or editing a user or user role.

  • Adding or updating network hierarchy.

  • Adding a new security profile.

  • Creating a new authorized service token.

  • Adding a centralized credential (security descriptor).

  • Adding a new log source.

  • Setting a password for another user.

  • User changing their own password.

  • Changing a user's role or security profile.


Note: The lists above might change in future releases as QRadar moves toward less interruption and downtime.


Document Information

Modified date:
20 February 2023

UID

swg21999753