Soon (the first quarter of 2019), we can expect a new version of QRadar. This is a sneak peek at QRadar 7.3.2, which runs on RHEL 7.5. New version introducing so many improvements, that I could not list all of them at once. In this article, I describe only the most significant changes for me, which I noticed on the first sight. More improvements described, you will find in the second part of this article in the near future.
Performance of rule visualized in the configuration window
Now, when you have performance degradation on ecs-ep (by misconfigured Rules) affects your system, you can easily find out, which exactly rule is responsible for the problem. With the system of colour bars, (1 bar-red, 2 bars-orange, 3 bars-green) you have visualised the expensive custom rules in the QRadar pipeline. In earlier releases, you could find similar information in logs and notifications, but definitely, graphical interpretation is a better solution for any user. You can also sort all rules by performance because it has the column in Rules configuration window. The only glitch is that this feature is not available out of the box. I spent some time to find out how does this actually work.
First of all, you need to turn this feature on in System Settings. Then, you need to wait for another Performance Degradation. Rules analysis and print of colour bars occur only if there is a problem in your system with CRE. I believe this could work in a different way and red bar displayed should stop a customer from enabling expensive rule. Nevertheless, in some really messed systems, this feature can be really helpful.
Admin tab is back!
In the previous version, access to Admin tab expected at least two mouse clicks. Now, in QRadar 7.3.2, just mark the admin tab as a favourite and again you have convenient access to the item. Thank you, IBM 🙂
New managed host for apps
With IBM QRadar 7.3.2, we have a new appliance introduced, type 4000, called the App Host, which is designed specifically to store and manage your applications. This new appliance replaces the existing solution called App Node based on CentOS. Having dedicated appliance in managed deployment for more and more resources greedy apps is a good move from IBM. What is more important customers will be able conveniently to migrate apps from console to App Host with just a few clicks. Moreover, it will be possible to migrate back to the console, too!
Enhanced parsing support for CEF and LEEF events.
Using the DSM Editor, we see a new feature added for Expression Type, not only Regex and JSON as it was, but from now also CEF and LEEF format. Many products generate events in CEF and LEEF format and with DSM Editor you can easily parse these events. You can also create custom Log Source and handle all CEF and LEEF events in QRadar. You can also add Custom Properties to the system from the payload. Previously, you could have parsed this kind of events using Regex, but now it is much quicker for any QRadar admin.
Expired Reference Data elements cleared quicker.
Now, you can set the quicker time for clearing elements from Reference Sets. In the previous version, you could set Time To Live (TTL) of the item, but despite that expired elements stay in Reference Set and clear occurs every 5 minutes. In busy environments, where the number of elements kept in Reference Set changing dynamically, it could make some issues. This problem was described in APAR IV97831. Now, you can reduce this time to 1 minute. And again, find it in System Settings first, because the default value is set to 5 minutes as it was before.