QRadar 7.2.7 Feature Discussion - United States - IBM Security Support Open Mic


QRadar 7.2.7 Feature Discussion

IBM SECURITY SUPPORT OPEN MIC

Reminder: You must dial-in to the phone conference to listen to the panelists. The web cast does not include audio.

USA toll-free: 866-803-2141

USA toll: 1-203-607-0460

Participant passcode: 3744658

Slides and additional dial in numbers: http://ibm.biz/Bd4UGn

NOTICE: BY PARTICIPATING IN THIS CALL, YOU GIVE YOUR IRREVOCABLE CONSENT TO IBM TO RECORD ANY STATEMENTS THAT YOU MAY MAKE DURING THE CALL, AS WELL AS TO IBM’S USE OF SUCH RECORDING IN ANY AND ALL MEDIA, INCLUDING FOR VIDEO POSTINGS ON YOUTUBE. IF YOU OBJECT, PLEASE DO NOT CONNECT TO THIS CALL.

June 22, 2016


Panelists

• Jeremy Mathers – QRadar User Interface Team Lead

• Dwight Spencer – Principal Solutions Architect & Co-founder of Q1 Labs

• Adam Frank – Principal Solutions Architect

• Jeff Rusk – Development Manager, QRadar L3 Engineering

• Jason Keirstead – QRadar Architecture Team

• Greg Davis – QRadar Architecture Team

• Joey Maher – QRadar Technical Support Team Lead

• Ellen Pit – QRadar Quality Lead

Presenter: Jonathan Pechta – Support Technical Writer / Support Content Lead

Moderator: Jack Cam – Support Manager


Announcements


QRadar 7.2.8 – Future API Changes

QRadar 7.2.8 introduces V7.0 endpoints

API 4.0 will be removed

APIs 5.0 and 5.1 will be marked as deprecated

QRadar Support Knowledgebase

A new master tech note was released that contains links to all support content currently published. As we work on new articles, this page will be refreshed to include new content.

Where? http://ibm.biz/qradarknowledge


QRadar Protocol Changes

New protocols being released by our IBM Integration team will sort certificates by protocol. New releases also tighten security by restricting where administrators can keep certificates. Newly installed protocols make copies of existing certificates to the proper protocol directory.

For example:

– /opt/qradar/conf/trusted_certificates/<protocol>

– /opt/qradar/conf/trusted_certificates/lea

QRadar – YUM vs RPM

As of the most recent QRadar automatic update, development has added more support for YUM commands. Administrators and users will notice that our documentation examples will start using YUM commands, which are now preferred over using RPM commands to prevent patch and dependency issues.

yum install DSM-BluecoatProxySG-7.2-20160530121732.noarch.rpm

yum -y install DSM-BluecoatProxySG-7.2-20160530121732.noarch.rpm

This replaces rpm -Uvh commands

yum search WinCollect

This replaces rpm -qa | grep WinCollect


Keeping up with the latest QRadar information

Administrators and users who need to keep up with changes to QRadar should ensure they are signed up for the following information:

1. IBM My Notifications (email or RSS feeds for your IBM Products)

- Go to: http://www.ibm.com/software/support/einfo.html

- Click the Subscribe Now button.

- In the Product lookup search field, type QRadar.

- Click Subscribe next to products you want information about.

- Configure your delivery preferences.

2. QRadar Support Newsletter – May newsletter: http://ibm.biz/qradarmay2016

How to sign-up for the email list: To subscribe to the QRadar Support Newsletter send an e-mail to [email protected] with the subject line: snl subscribe SecIntel

To unsubscribe, send an e-mail to [email protected] with the subject line: snl unsubscribe SecIntel

3. QRadar Forums - http://ibm.biz/BdR2kC

Ask us questions directly.


Agenda


QRadar 7.2.7 Feature Discussion Agenda

Upgrade Instructions

New to this version

Offense Indexing

Lazy Search Enhancement

Performance Updates

Custom Columns

Per Log Source EPS & Reporting

AQL Changes

System and License Management Changes

Reference Data Changes

API Changes

Extension / Application Framework Updates


Upgrading


Upgrade - Instructions

Software Upgrade Questions (any version)

– http://www.ibm.com/support/docview.wss?uid=swg21651118

– This article outlines the software upgrade progression to get from QRadar version x --> y. If a customer calls with upgrade questions or cannot find the proper software to upgrade, you can direct them to this article.

Patch & Upgrade Best Practices

– Run a configuration backup & download the file before upgrade

– Ensure all HA pairs have the PRIMARY system active, and the secondary is online

– Place patch files in /store/patches/

– Stage the patch/upgrade file out to all managed hosts, if required

– Patch the console first, then all managed hosts simultaneously, not using "patch all"

Upgrades versus ISOs

– Admins use SFS files to patch/upgrade a system to QRadar 7.2.7

– New installations use ISO files.

HA Considerations

– Note: patches should never be run on the HA secondary. If the secondary is currently the active host, fail back to the primary first. If the primary has been offline or failed for some period of time, the upgrade of the entire deployment should be delayed.


Offense Indexing


Incident Detection and Management – Offense Indexing Uses

QRadar 7.2.7 introduces the ability to “index” or chain offenses together using any custom property. This includes all database properties including custom properties. Custom properties that use this feature must be enabled and optimized.

This expands our default 12 normalized custom properties to use any custom properties in QRadar. Values matching the custom property selected are added to the offense without extra work required from the administrator.


Incident Detection and Management – Response Limiter

New custom columns are available as a drop-down in the user interface.


Incident Detection and Management – Response Limiter

Administrators or users can also use custom properties in a response limiter to limit notifications for a recurring custom property value. This feature ensures that null values are counted by the response limiter and do not fire notifications.
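The response-limiter behaviour described above, as an added simulation that is not part of the slides or of QRadar's code: a sliding window per custom property value, where null values are counted but never notify. The event timestamps, the property values and the single shared bucket for null values are constructed assumptions for the example.

```python
from collections import defaultdict, deque

# Constructed sample: (timestamp in seconds, value of the indexed custom property).
# None models an event where the custom property did not match, i.e. a null value.
SAMPLE_EVENTS = [
    (0, "alice"), (5, "alice"), (10, "bob"), (20, "alice"),
    (30, None), (40, None), (70, "alice"), (80, "bob"),
]


class ResponseLimiter:
    """Allow at most `limit` responses per `window_seconds` for each distinct
    value of the selected custom property (one sliding window per value).

    Null values are counted against the limiter like any other value but
    never produce a notification. Keeping all nulls in one shared bucket is
    an assumption made for this example, not QRadar's internal layout."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self._fired = defaultdict(deque)  # property value -> response timestamps

    def _prune(self, key, now):
        """Drop timestamps that have fallen out of the sliding window."""
        queue = self._fired[key]
        while queue and now - queue[0] >= self.window:
            queue.popleft()

    def should_notify(self, prop_value, now):
        """Count this response for prop_value and return True only when a
        notification should actually be sent."""
        key = prop_value if prop_value is not None else "<null>"
        self._prune(key, now)
        queue = self._fired[key]
        if len(queue) >= self.limit:
            return False  # limit for this value already reached in the window
        queue.append(now)
        return prop_value is not None  # counted, but a null value never fires


def run_limiter(events, limit, window_seconds):
    """Replay (timestamp, value) events through a limiter and return the
    (timestamp, value) pairs for which a notification would be sent."""
    limiter = ResponseLimiter(limit, window_seconds)
    return [(ts, val) for ts, val in events if limiter.should_notify(val, ts)]


if __name__ == "__main__":
    for ts, val in run_limiter(SAMPLE_EVENTS, limit=2, window_seconds=60):
        print(f"t={ts:>3}s notify for {val}")
```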


Incident Detection and Management – Deletion Framework

Custom Property Deletion

When you attempt to delete custom properties, you are now notified of any dependencies, including offenses indexed by that custom property.


Lazy Search in QRadar 7.2.7


Search Enhancements – Lazy Search - Use

Lazy Search is a new Quick Filter capability introduced in QRadar 7.2.7 that is optimized for more tactical use cases such as threat hunting or IOC searching.

It retrieves the first (up to) 1000 results matching the filter criteria and returns those immediately to the user, along with a time series graph showing the distribution of the results over the search timeframe.

It reduces impact on the deployment by restricting the search to just the indices and not the events/flows themselves, and reduces impact on the network by returning only a subset of the results until the analyst decides that the entire result set is necessary.

A Quick Filter search will utilize the Lazy Search functionality when the following conditions are met:

• The only filter is the Quick Filter

• The search is on a time range (not real-time or Last Minute)
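An added illustration of the Lazy Search idea (example code, not QRadar's implementation): the scan touches only an index, returns the first `limit` record ids immediately, and still builds the time-series histogram over every match, so the graph reflects the whole result set even when the returned records are truncated. The index tuples, the filter names and the time-mode strings are constructed assumptions for this example.

```python
# Constructed sample index: (epoch seconds, record id, indexed text).
# Only this index is touched; the full event payloads are never read.
SAMPLE_INDEX = [
    (1000.0, "e1", "10.0.0.5 login failed"),
    (1100.0, "e2", "10.0.0.7 login ok"),
    (1300.0, "e3", "10.0.0.5 login failed"),
    (1700.0, "e4", "LOGIN failed 10.0.0.5"),
    (1950.0, "e5", "10.0.0.5 logout"),
    (2100.0, "e6", "10.0.0.5 login failed"),  # outside the search window
]


def lazy_search_applies(filters, time_mode):
    """Mirror the two conditions from the slide: the Quick Filter must be the
    only filter, and the search must run over a fixed time range rather than
    real-time streaming or 'Last Minute' (filter/mode names are assumed)."""
    return list(filters) == ["quick_filter"] and time_mode == "time_range"


def lazy_search(index, needle, start, end, limit=1000, buckets=10):
    """Scan the index for `needle` (case-insensitive) within [start, end).

    Returns the first `limit` matching record ids (what the analyst sees
    immediately) plus a histogram over `buckets` equal slices of the window
    that counts every match, and a flag saying whether the returned ids are
    only a subset of the full result set."""
    if end <= start or buckets < 1:
        raise ValueError("invalid window or bucket count")
    needle = needle.lower()
    span = (end - start) / buckets
    histogram = [0] * buckets
    hits, total = [], 0
    for ts, record_id, text in index:
        if not (start <= ts < end) or needle not in text.lower():
            continue
        total += 1
        bucket = min(int((ts - start) / span), buckets - 1)
        histogram[bucket] += 1
        if len(hits) < limit:
            hits.append(record_id)
    return {"hits": hits, "total": total, "histogram": histogram,
            "truncated": total > limit}


if __name__ == "__main__":
    if lazy_search_applies(["quick_filter"], "time_range"):
        print(lazy_search(SAMPLE_INDEX, "login failed", 1000.0, 2000.0,
                          limit=2, buckets=5))
```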


Performance Changes in QRadar 7.2.7


New Disk Compression*

All QRadar 7.2.7 versions and forward utilize our new, highly efficient compression mechanism for all stored data.

No more compress/decompress cycles

• Data is always compressed on disk and all decompression occurs in memory with no rewrite to disk.

Up to 10X faster search

• Overall reduction in IO due to data always being compressed. This means searching on compressed data in 7.2.7 is even faster than uncompressed data in 7.2.6!

Better overall system performance

• Reduced disk reads and writes and lower CPU load lead to more consistent system resource utilization with fewer spikes.

• Faster data rebalancing with Data nodes

Simplifies retention planning

• Users no longer need to consider compression when setting up retention. In fact, the option is no longer even available. Users simply decide how long to keep data and when it can be deleted.


Disk Compression – Retention Interface Updates

The event and flow retention interface has been updated to remove compression options from the user interface, as new installations of QRadar 7.2.7 include continuous / always on data compression.


Other performance updates to QRadar 7.2.7

A number of general performance improvements across various aspects of the platform are also included in QRadar 7.2.7:

Hardware Optimization

• QRadar auto tunes to the hardware platform and doesn’t simply match the platform to our xx05 or xx28 profile.

• QRadar can now leverage hardware even larger than our own xx28 platform

Accumulator Global Views (GVs) Increased

• QRadar can now track up to 300 global views, up from the 130 prior to 7.2.6

• Directly translates to increased anomalous and behavioral threat detection capabilities

Pipeline Stability and Performance

• 10% reduction in CPU load compared to 7.2.6

• Burst handling will no longer report false positives of event rate over license


Custom Columns in QRadar 7.2.7


Log & Network Activity Enhancements - Custom Columns

In 7.2.7, we have continued our efforts to optimize a number of activities performed by our users day in and day out. In this release, we have focused on the manipulation of the columns in both the log and flow activity screens.

• The addition of a quick access screen to add/remove columns means that users no longer have to defer to the Search->Edit Search screens to adjust the columns present in their search.

• The ability to save a column layout and recall it later with a single click.


Search Enhancements – Custom Columns - Use

When editing the column layout of a search, you now have the option to save the layout


Search Enhancements – Deleting Custom Columns

After saving the column layout, you can delete it by selecting the layout and clicking the “Delete Column Layout” button.


EPS Per Log Source UI & Reporting in QRadar 7.2.7


Per Log Source EPS Reporting

Log Source EPS Reporting lists the average EPS for each log source on both the Log Source screen as well as in our Log Source reports, allowing users/administrators to quickly identify “noisy” or “expensive” log sources as well as highlight potential configuration issues with log sources that are failing to report.
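The triage the slide describes, as an added example (not QRadar's code): average EPS per configured log source over a window, then a split into noisy sources above a threshold, silent sources that sent nothing (a likely configuration or connectivity problem) and normal ones. The events, the log source names, the 60-second window and the 5 EPS threshold are constructed assumptions.

```python
from collections import Counter

# Constructed sample: (epoch seconds, log source name) over a 60-second window.
WINDOW_SECONDS = 60
SAMPLE_EVENTS = (
    [(i * 0.1, "fw-core") for i in range(600)]   # 10 EPS: chatty firewall
    + [(i * 2.0, "dc01") for i in range(30)]     # 0.5 EPS: domain controller
    + [(15.0, "vpn-gw"), (45.0, "vpn-gw")]       # very quiet VPN gateway
)
# Log sources configured in the deployment; "proxy" sends nothing in the window.
CONFIGURED_SOURCES = ["fw-core", "dc01", "vpn-gw", "proxy"]


def per_log_source_eps(events, configured_sources, window_seconds):
    """Average EPS per configured log source over the window. Sources with
    no events get 0.0 so they show up instead of silently disappearing."""
    counts = Counter(src for _, src in events)
    return {src: counts.get(src, 0) / window_seconds for src in configured_sources}


def triage_log_sources(eps_by_source, noisy_threshold):
    """Split sources into noisy (above threshold), silent (0 EPS) and normal,
    each list ordered by EPS descending so the most expensive come first."""
    ranked = sorted(eps_by_source.items(), key=lambda kv: (-kv[1], kv[0]))
    return {
        "noisy": [s for s, e in ranked if e > noisy_threshold],
        "silent": [s for s, e in ranked if e == 0.0],
        "normal": [s for s, e in ranked if 0.0 < e <= noisy_threshold],
    }


if __name__ == "__main__":
    eps = per_log_source_eps(SAMPLE_EVENTS, CONFIGURED_SOURCES, WINDOW_SECONDS)
    for src, value in sorted(eps.items(), key=lambda kv: -kv[1]):
        print(f"{src:<8} {value:6.2f} EPS")
    print(triage_log_sources(eps, noisy_threshold=5.0))
```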


AQL Changes in QRadar 7.2.7


Search Enhancements – AQL - Use

Two forms of conditional logic have been added to AQL statements in QRadar 7.2.7:

- IF/THEN/ELSE

- CASE

The first form, IF/THEN/ELSE, allows users to perform simple conditional evaluation based on the condition contained within the IF.

Example: A user wants to query the user associated with all events but realizes that the events may not contain the necessary user information, so they decide to leverage the Asset database to fill in the gaps where possible.

select sourceip, if username is NULL then ASSETUSER(sourceip) else username as username from events group by username last 2 DAYS

The second form, CASE, allows users to perform logic similar to IF/THEN/ELSE but with more conditional comparisons.

Example: A user may want to expand the response code from a set of Blue Coat Proxy logs.

select case "BCReponseCode" when 200 then 'OK' when 404 then 'Not Found' when 401 then 'Not Authorized' else 'N/A' end from events where LOGSOURCETYPENAME(devicetype) ilike '%bluecoat%' last 2 days

See Conditional logic in AQL queries for more information.


System & License Management Changes in QRadar 7.2.7


Bonded Network Interface - Use

Administrators can now perform simple interface bonding as well as provide more advanced configuration capabilities without utilizing third party tools.

Where do I find this feature? Admin tab > System and License Management > Double-click an appliance > Network Interfaces


Get logs – Collect Application Extension Logs

Getlogs now has the ability to collect log data for our Applications.

Where? System and License Management > Actions > Collect Log Files

NOTE: Administrators who want to leverage application extensions on their Console should be using QRadar 7.2.6 Patch 4 or later.


Reference Data Changes in QRadar 7.2.7


Remove from Reference Data Collections

Administrators can now configure a rule response to remove items from reference data collections.

Rules can be configured to delete from:

Reference Set

Reference Map

Reference Map of Sets

Reference Map of Maps

Reference Table


API Changes in QRadar 7.2.7


API Updates

7.2.7 introduces QRadar V6.0 API endpoints

The following APIs have been removed: Version 2.0, 3.0, and 3.1 endpoints.

The following APIs have been added in 7.2.7:

• Help API endpoints

• Offenses API endpoints

• QRadar Vulnerability Manager API endpoints

• System API endpoints


API Updates – Help API Endpoints

– The following APIs have been added in 7.2.7

/api/help/versions – Retrieves a list of version documentation objects currently in the system.

/api/help/versions/{version_id} – Retrieves a single version documentation object.

/api/help/resources – Retrieves a list of resource documentation objects currently in the system.

/api/help/resources/{resource_id} – Retrieves a single resource documentation object.

/api/help/endpoints – Retrieves a list of endpoint documentation objects that are currently in the system.

/api/help/endpoints/{endpoints_id} – Retrieves a single endpoint documentation object.

– The following endpoint has been removed

/help/capabilities – Lists all QRadar API capabilities.



API Updates - Offenses API endpoints

– The following APIs have been added in 7.2.7

/api/siem/offenses_types – Retrieves all offense types.

/api/system/servers/{server_id}/network_interfaces/Ethernet – Retrieves an offense type structure that describes the properties of an offense type.

– The following endpoints are updated:

/api/siem/offenses – Retrieves a list of offenses currently in the system.

/api/siem/offenses/{offense_id} – Updates an offense.


API Updates - QRadar Vulnerability Manager API endpoints

– The following APIs have been added in QRadar 7.2.7

/api/qvm/saved_searches – New endpoints for working with vulnerability saved searches

/api/qvm/saved_searches/{saved_search_id} – Retrieves a saved search.

/api/qvm/saved_searches/{saved_search_id}/vuln_instances – Creates the Vulnerability Instances search.

/api/qvm/saved_searches/vuln_instances/{task_id}/status – Retrieves the current status of a Vulnerability Instance present in the asset model.

/api/qvm/saved_searches/vuln_instances/{task_id}/status – Retrieves the status of a Vulnerability Instance.

/api/qvm/saved_searches/vuln_instances/{task_id}/results/vuln_instances – Lists the Vulnerability Instances returned from a saved search.

/api/qvm/saved_searches/vuln_instances/{task_id}/results/assets – Lists the Vulnerability Instances assets returned from the saved search.

/api/qvm/saved_searches/vuln_instances/{task_id}/results/vulnerabilities – Lists the Vulnerability Instances vulnerabilities returned from the saved search.


API Updates - System API endpoints

The following APIs have been added in 7.2.7

/api/system/servers/{server_id}/network_interfaces/bonded – Creates a new bonded network interface.

/api/system/servers/{server_id}/network_interfaces/bonded/{device_name} – Removes a bonded network interface.

– The following APIs have been updated in 7.2.7

/api/system/servers/{server_id}/network_interfaces/bonded – Retrieves a list of the bonded network interfaces based on the supplied server ID.

/api/system/servers/{server_id}/network_interfaces/bonded/{device_name} – Updates an existing bonded network interface.

/api/system/servers/{server_id}/network_interfaces/Ethernet – Retrieves a list of the Ethernet network interfaces based on the supplied server ID.

/api/system/servers/{server_id}/network_interfaces/ethernet/{device_name} – Updates an Ethernet network interface based on the supplied server ID and device name.


API Updates - QRadar Vulnerability Manager API endpoints

– The following APIs have been removed in 7.2.7

/api/qvm/savedsearches

/api/qvm/vulninstances


API Resources

QRadar API doc link

– https://QRADAR_CONSOLE_IP/api_doc

Developer Works Forum to discuss, share and troubleshoot APIs

– https://www.ibm.com/developerworks/community/forums/html/forum?id=b02461a3-9a70-4d73-94e8-c096abe263ca

API Samples and Examples on GitHub

– https://github.com/ibm-security-intelligence/api-samples

NOTE: Code samples for QRadar 7.2.7 are still in validation with our quality team. These API code samples are expected to be released in two weeks. As always, administrators can use the API forums to keep up-to-date on when these code samples are posted.

Code samples are published by QRadar development as a learning tool for administrators and developers to understand how to leverage features in the QRadar API.


Extension / Application Framework Updates in QRadar 7.2.7


Extension / Framework Enhancements

Resource Specification

Application writers can now specify the amount of RAM necessary for the applications to run. The defaults from 7.2.6 will still exist, but now apps can specify higher requirements and have higher default memory allocations.

This feature is important for applications that will be performing resource intensive operations such as advanced analytics.

Automatic upgrade of apps when being deployed from the SDK

Numerous enablement updates in preparation for the SDK Application (App for writing Apps)


© Copyright IBM Corporation 2016. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.

THANK YOU

FOLLOW US ON:

https://www.facebook.com/IBM-Security-Support-221766828033861/

xforce.ibmcloud.com

@askibmsecurity

youtube/user/ibmsecuritysupport

securityintelligence.com

QRadar Forums: https://ibm.biz/BdR2kC