
Super User Group 2023

QRadar SIEM Roadmap


QRadar SIEM & The Next Generation in QRadar Threat Analysis

Olga Hout
Product Manager, QRadar Integrations

Amber Borgersen
PM, QRadar Go-To-Market Strategy

IBM Security / © 2023 IBM Corporation


Legal notes and disclaimer

Copyright © 2023 by International Business Machines Corporation (IBM). No part of this document may be reproduced or transmitted in any form without written permission from IBM.

U.S. Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM.

Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. THIS document is distributed "AS IS" without any warranty, either express or implied. In no event shall IBM be liable for any damage arising from the use of this information, including but not limited to, loss of data, business interruption, loss of profit or loss of opportunity.

IBM products and services are warranted according to the terms and conditions of the agreements under which they are provided.

Any statements regarding IBM’s future direction, intent or product plans are subject to change or withdrawal without notice. Performance data contained herein was generally obtained in controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary. References in this document to IBM products, programs, or services do not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business.

Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation.

It is the customer’s responsibility to insure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer is in compliance with any law.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products in connection with this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM’s products. IBM EXPRESSLY DISCLAIMS ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right.

Other company, product, or service names may be trademarks or service marks of others. A current list of IBM trademarks is available at “Copyright and trademark information” www.ibm.com/legal/copytrade.shtml
Discussion Topics:

• IBM QRadar SIEM Roadmap
• Introducing QRadar
• QRadar SIEM | QRadar Log Insight
• Q&A Panel
QRadar SIEM is a Leader for 13 consecutive years

Gartner’s Key Findings

✓ Strong analytics and customization
✓ Large security business and presence
✓ Multiple security product offerings


QRadar SIEM: What’s New

* product name not yet finalized
QRadar 7.5.0 moves to Continuous Delivery

What is Continuous Delivery?
• A modern software development approach enabling frequent releases
• 7.5.0 upgrade packs are released approximately every 8 to 12 weeks
• Interim fixes can be released more frequently if needed

What are the benefits?
• Features can be released as soon as they are ready (no need to wait for all features to go in one big QRadar release)
• Packs are smaller and cumulative, so upgrades are quicker
• Vulnerabilities and defects can be addressed faster


ML Detection with Network Threat Analytics (NTA)

NTA 1.2 available on the App Exchange
• NTA adds a second tier of analytics
  – Continual analysis of related network activity
  – False positive reduction
  – MITRE ATT&CK sub-technique mapping
• Event generation
  – Events generated as new network behaviors are observed or anomalies detected
  – NTA events can be used in rules, searches and other QRadar analytics
• New UI
  – Visualize all of your network communications and their analytics scores
  – Drill down into NTA tiered analytics
  – Filter and pivot across your network data and analytics during investigations or threat hunting


What’s new in Security Content

• Custom properties and content for ReaQta and Randori
  – New CEPs
  – New rules
  – Attack Surface Management Dashboard
  – Blog: https://ibm.biz/BdPhBL
• Partnership with Tidal
  – Visualize the QRadar ATT&CK mapping against techniques used by threats and threat actors
  – Blog: https://ibm.biz/BdPhBk
• Custom properties for Microsoft Defender 365
  – 44 CEPs parsing the new format
• Endpoint monitoring
  – New content for Turla (MD5, SHA1 and SHA256 hashes, filenames, URLs, IPs)
  – Advanced Turla behaviour content coming soon


Additional App Updates

Analyst Workflow V2.31.7
IBM QRadar Analyst Workflow simplifies and expedites the offense investigation and search experience.

New in v2.31.7:
• Ability to pre-populate the visual builder and navigate to search
• Export of saved search results
• Users can now store search results
• Users can now store search criteria for easier reusability
• Users can now manage and cancel long running searches

Pulse V2.2.10
Visualize offenses, network data, threats, malicious user behavior, and cloud environments from around the world in geographical maps and auto-updating charts.

New in V2.2.10:
• Widget query refresh times: 10 and 15 minute refresh times are now available
• Drill down in geographic charts: you can drill down to an external URL, such as to search for IP addresses in IBM X-Force® Exchange
• Dynamic query parameters: now you can add query parameters for different fields such as user names
• Updated widget query in the Event and flow metrics dashboard: an error has been fixed in the widget AQL query, in the Top 10 log sources widget of the "Event and flow metrics" dashboard
Other delivery Recap

QRadar
• Two new AQL functions to enhance specification and speed of queries
  – OFFENSE_TIME
  – DISTINCTCOUNT
• Encryption by default for newly added managed hosts
• Improved memory allocation through App Framework

DSMs
• ReaQta Endpoint Detection & Response
• Microsoft 365 Defender (Cloud Apps, Identity, O365)
• Cisco Duo – Early Access DSM
• Microsoft 365 Defender for Endpoint
• Google Cloud Platform: Cloud DNS
• ZScaler CloudNSS with HTTP Receiver Protocol
• Splunk v8.24

WinCollect
• Support for Windows 11
• Simplified certificate management
• Setup issues remediation improvement


QRadar SIEM: What’s Next

* product name not yet finalized
QRadar SIEM Roadmap

Now
QRadar SIEM SOAR
– Improved SIEM and SOAR integration for a better in-product and seamless interaction
QRadar Network Threat Analytics (NTA) v1.2
– Enhanced analytics with new geographic visualizations of network communications and findings
Use Case Manager v3.7 (formerly known as QRadar Tuning)
– Enables users to optimally configure QRadar SIEM to more accurately detect threats throughout the attack chain
– Users can export flexible reports related to their pre-defined detection rules, as well as visualize mappings of system rules to MITRE ATT&CK

Next
Analyst Workflow
– Additional actions through right-click functionality, stability improvements
– Enhanced query building options
User Behavior Analytics
– User Imports improvements
– ML performance fine tuning
Reference Set Management Q2/Q3
– Description for reference set functionality
– Support for multiple CIDRs
Granular Role Based Access Control – Phase 1 Q2/Q3
– Give only the permissions needed to prevent data spillage
– Implemented for Log Sources & Offenses
Ariel Search & Log Sources
– Reference data Ariel Query Language (AQL) performance improvements
– Custom properties enhancements
Use Case Manager v3.8 (formerly known as QRadar Tuning)
– Support for all MITRE platforms, with the ability to select preferred platforms
Certificate Management
– Stabilize and improve the certificate management experience to reduce Support costs

Future focus
Reference Set Management: 3Q 2023
– Reference data API enhancements
– Support for multi-tenancy
Ariel Search & Log Sources: 3Q 2023
– Reference data AQL performance improvements
– Custom properties enhancements
– Individual timeout thresholds for log sources, monitoring expensive LSX
Disaster Recovery: 4Q 2023
– Better Disaster Recovery and Restore through Console
Granular Role Based Access Control – Phase 2
– Give only the permissions needed to prevent data spillage
Grafana Plugin
– Modern visualization with options to customize and drill down
Asset Management
– Enhancements to Assets Module to have more functionality via APIs

IBM Security / For IBM Internal Use Only
Coming Soon …

IBM Security / For IBM and Business Partner Use Only


Integrations Planned

DSMs & Cloud services
• Cisco FMC eStreamer v7.x
• AWS (Config, Security Lake, VPC Flows, Verified Access, GuardDuty)
• IBM Security Verify
• Activity Tracker for IBM Cloud
• Aruba ClearPass update
• IBM Guardium Insights
• Azure Sentinel
• Alibaba Action Trail
• VMware Center and ESXi 7.0
• Microsoft Exchange Server 2019
• Support of user authentication and single sign-on vendor (PingFederate DSM)
• Support for Network and Endpoint Security Vendors (Sophos Central)
• And updates to dozens of security and threat management integrations (ProofPoint Enterprise Protection, Oracle AuditVault, Rapid7, other)

WinCollect 10
• WinCollect 10.1.5 updates
• Remote worker telemetry (event data) (support for a Kafka destination)

Security Content
• Endpoint – Turla content
• MITRE coverage expansion
• SIGMA support enhancement
• AWS Verified custom properties
• Self Monitoring dashboard improvement


Threat Management

QRadar SIEM Integrations Roadmap

Now
• Cisco FMC eStreamer DSM (version support update): Cisco FMC provides unified management of firewalls, application control, intrusion prevention, URL filtering, and advanced malware protection.
• AWS Config DSM (protocol and DSM updates): AWS Config is a service that assesses, audits and evaluates the configurations of AWS resources. It monitors and records configs and enables compliance auditing, security analysis and change management.
• Aruba ClearPass DSM (version support update): network access control, wireless access and policy enforcement.
• AWS Security Lake DSM: Security Lake can be used to automatically centralize security data from AWS and third-party sources into a data lake that's stored in your AWS account.
• AWS VPC Flow Logs support (updates): the IBM® QRadar® integration for Amazon VPC (Virtual Private Cloud) Flow Logs collects VPC flow logs from an Amazon S3 bucket by using an SQS queue.
• Amazon GuardDuty DSM: collecting Amazon GuardDuty events from the log group of the Amazon CloudWatch Logs service.
• Activity Tracker for IBM Cloud DSM: event mapping and DSM update.
• IBM Guardium Insights DSM: DSM for Guardium Insights to automatically map its out-of-the-box policy violations.

Next
• Alibaba ActionTrail (protocol work): a service that monitors and records the actions of your Alibaba Cloud account, including the access to and use of Alibaba Cloud services using the Alibaba Cloud Management console, calling API operations, or SDKs.
• VMware Center and ESXi 7.0+ (version support update): VMware logs are one of the most important logs when it comes to business criticality. VMs are targeted by a number of threat actors to gain system access. Having the required logs from the version in question will help teams to create rules and monitor for any suspicious activity.
• Microsoft Exchange Server 2019 DSM: Exchange Server 2019 brings a new set of technologies, features, and services to Exchange Server, the messaging platform that provides email, scheduling, and tools for custom collaboration and messaging service applications.
• SAP ETD 2.0 (version update): to collect events from an SAP Enterprise Threat Detection server. SAP Enterprise Threat Detection enables real-time security intelligence to help protect against cybersecurity threats and help ensure data loss prevention.
• Falcon Data Replicator (DSM): FDR supports near real-time event collection from endpoints and cloud workloads.
• Azure Sentinel DSM: ingestion of events/alerts from Azure Sentinel to QRadar.

Future
• Support of new and updates to existing Microsoft security products (Azure NSG Flow Logs, Azure Firewall Logs, Azure Monitor Logs)
• Support of user authentication and single sign-on vendor (PingFederate DSM)
• Support for Network and Endpoint Security Vendors (Sophos Central)
• And updates to dozens of security and threat management integrations (ProofPoint Enterprise Protection, Oracle AuditVault, Rapid7, other)

IBM Security © 2023 IBM Corporation / IBM Internal & Business Partner Use only
Introducing a new QRadar

*formal announcement in April


Introducing the next generation of QRadar SIEM

QRadar XDR Portfolio
• SIEM
• NDR
• UBA
• SOAR
• XDR-Connect

QRadar Suite (with UAX)
• QRadar SIEM
• QRadar Log Insights
• QRadar NDR
• QRadar UBA
• QRadar SOAR
• QRadar EDR


A new approach… The power of Cloud


What SIEM Users are Asking For

A solution that can…
1. Ingest telemetry and events at cloud scale with cloud elasticity, using cloud-friendly GB/day pricing
2. Provide flexible retention options in hot, warm and cold storage at a competitive price point
3. Build a highly resilient architecture to enable near zero data loss
4. Produce lightning-fast search results to large queries and enable real-time investigations including external third-party data sets
5. Offer insightful, interactive, intuitive visualizations for quick, at-a-glance visibility to the most critical threats
6. Enrich, automate and prioritize alerts for quick and effective investigation

What IBM Security is Delivering

QRadar SIEM
• Cloud-scale Elastic Ingestion
• High Performing Searches
• Insightful Visualization
• Real-Time Analytics
Automated Investigation | Recommended Actions | Federated Search
What’s New: Architecture

• Vertical & Horizontal Scaling
• Zero downtime upgrades
• Multi-Tenancy & HA by Design
• Separate Tenant Pipelines
• New Columnar Store
• Faster Scalable Search
• Hyper Parsers – 3x Insights
• Zero Data Loss

[Architecture diagram] Data Sources (SaaS, on-prem DC, container DC, other DCs) feed log data into the QRadar Log Insights Pipeline, one per tenant: Acquire (inbound queue, ingestion) → Normalize (queue, parsing) → Store (ClickHouse as a Service, storage). A Management Plane (ClickHouse, DAS, UDS, DB storage, TII) sits alongside the pipeline, and the Unified Analyst Experience (QRadar SIEM, KQL queries, Data Explorer, Cases) consumes it. Flows labelled in the diagram: Log Data, Configuration, Query/Enrich.


What’s New: ClickHouse Data Warehouse

What
✓ Blazing Fast
✓ Linearly Scalable
✓ Feature Rich

How
✓ Hardware Efficient
✓ Fault-tolerant
✓ Highly Reliable

• OLAP database
• Column-oriented
• Open-source

Key Highlights
• Developed to support 25 billion events / day
• Apache 2.0 License (2016) and very active community (~400 active contributors)
• More than 1000 companies using it worldwide, including some security vendors
• Challenging Elastic as the most active open source db project
• Clickhouse.com formed to provide a commercial offering
• Cross-IBM team working on the IBM branch, core services and enhancements

Performance Tested

                         QRadar    Presto    Spark     ClickHouse
“Needle in a haystack”   0.1s      3s        11s       0.1s
Full data analysis       1300s     124s      144s      165s
Ingestion /core          7k EPS    7k EPS    7k EPS    11k EPS

ClickHouse has been the only identified solution that delivers the required performance/price on scale, data ingestion, “needle in haystack” and security analytics queries with proven global references.

https://www.youtube.com/watch?v=LF_IXNdg6kY
A new approach… The Unified Analyst Experience
What’s New: Visualizations & Dashboards

More powerful dashboard experience
• Native Dashboards
• Out-of-the-box Dashboards & Widgets
• Visualizations for both Analysts & Admins
• Powerful, interactive view of threats

Integrate with existing capabilities
• Plug-in for Grafana Dashboards
• OOTB plug-in for Grafana enabling non-security use cases
What’s New: Kusto Query Language

Analyst focused query language

Intuitive & Iterative
• Build queries fast with simple syntax

Powerful
• Create advanced and powerful queries (nested queries, advanced calculation, string manipulation, etc.)

Observability & Simplified Troubleshooting
• Turn any advanced search into a drill-down dashboard and get the insights you need

Strong Community Presence
• Community-led enablement amplifies an analyst’s knowledge on day one

IBM Confidential
What’s New: Analytics (early stages)

Rule Wizard
• Historical UX: test after built

Detection & Response Center
• Initial Phase: search-based analytics
  – Test as you build
  – Language flexibility
• Future Phase: real-time analytics
What’s New: UAX | Threat Investigator & Cases

Included XDR Functionalities

Automated Investigation and enrichment
IBM Security Threat Investigator automatically analyzes and investigates cases to help you make more informed decisions.

Recommended Actions
As case details are entered, IBM Security Cases provides the related recommended actions, as well as forming a case response team.
What’s New: UAX | Federated Search

Included XDR Functionalities

Connect from a single place to dozens of external environments to search for data.

IBM Security Data Explorer federates data across IBM products, third-party products and data sources to identify sightings of indicators of compromise associated with each threat in an environment.
QRadar Threat Detection & Response Suite Roadmap

Now
• QRadar Unified Analyst Experience: reduce alert investigation and response time from days to minutes via automated investigation, root cause analytics and mitigation recommendations
• QRadar Log Insights: cloud-scale data ingestion, rapid search and powerful visualizations
• QRadar SOAR: automate and orchestrate workflows
• QRadar XDR: alert correlation, automated investigation, and recommended responses across EDR, SIEM, NDR, Cloud, and more
• QRadar EDR on Prem: enables on-premise deployment of an EDR solution to meet the needs of regulatory requirements

Next
• QRadar Unified Analyst Experience: new attack visualizations and additional telemetry sources for new detection use cases
• Search based Analytics & Alerting: provide near real-time threat detection by creating alerts using scheduled search queries
• QRadar Log Insights for QRoC: enable Log Insights to be used as a data lake for existing QRoC customers
• Build a QRadar Log Insights adoption path for existing QRadar SIEM customers

Later
• QRadar Unified Analyst Experience: one-click response actions
• QRadar SIEM: real-time and periodic threat detection with SIGMA rules
• Leverage threat intelligence and automatically update security content detection with MITRE alignment
• Support Behavioral Anomaly Analytics
• Support Reference Data & Network Hierarchy for efficient threat detection
• Continuous asset discovery & profiling for visibility, context, and Shadow IT detection
• Support AWS Built In (ABI) data sources and turn-key automated AWS native deployment
• QRadar SIEM: leverages the scalability of the open-source community with YARA rules
• QRadar Suite on Prem: release on-premise footprint for QRadar SIEM
• Ingest and support Network Flows for network detection & response
• Support User Behavior Analytics and ITDR for insider threat
• Executive and Compliance Reporting
• Parser parity with QRadar
Thank you

Follow us on:
• ibm.com/security
• securityintelligence.com
• ibm.com/security/community
• xforce.ibmcloud.com
• @ibmsecurity
• youtube.com/ibmsecurity

© Copyright IBM Corporation 2022. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM’s current intent, is subject to change or withdrawal, and represents only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.