Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

What's New in QRadar Use Case Manager

 

Stay up to date with the new features that are available in IBM QRadar Use Case Manager so that you get the most out of your use case management experience.

Version 3.0.0

Work more effectively

Customizable user preferences include the option to use a light or dark theme and an option to reduce or increase table row height of the rule report. The default row height is now smaller than before to save space. For more information, see Customizing User Preferences.

Support for multiple languages was added based on QRadar user preferences. Supported languages include English, Simplified Chinese, Traditional Chinese, French, German, Korean, Portuguese, Russian, Spanish, Italian, and Japanese.

You can expand the relationship graph and MITRE coverage heat maps to fit the whole window, and zoom in or out to focus on details. Any filtering that you apply in the expanded pane is kept when you return to the Use Case Explorer page.

You can also further customize the table groupings in the rule report by choosing to show child rows or only the count of child rows in the grouped mode of the report. Click the arrow in the tree structure icon. Then, select from the groupable columns that are currently displayed or show only the number of child rows in the report instead of the actual rows. After you have the number of items in the report column, click the number to see the list of actual child items. For more information, see Rule Report Presentation.

Save time and effort from creating new rules by duplicating existing rules. Then, you can customize the duplicated rules to meet the needs of your environment. For more information, see Duplicating Rules for Further Customization.

Visualize MITRE coverage in new ways

The MITRE Coverage Summary and MITRE Coverage Trend reports provide new ways of visualizing MITRE ATT&CK coverage. In the coverage summary report, you can check the current number and percentage to see where you're lacking in rule coverage, and plan to increase coverage for some tactics. The trend report shows the total rule coverage trend over time. For more information, see Visualizing MITRE Tactic and Technique Coverage in Your Environment.

On MITRE coverage heat maps, you can identify techniques that are used by groups or software that is identified by MITRE. You can also filter out (hide) techniques in the chart that are not related to the techniques currently selected in filter for report. For more information, see Visualizing MITRE Tactic and Technique Coverage in Your Environment.

Improve your rule coverage by adding content extensions from the IBM Security App Exchange

Content awareness capabilities help you see from which content extension the rules originate. Filter by content extensions for installed rules and uninstalled rules available in content extensions on IBM Security App Exchange. Link from content extension names in the report to the corresponding dialog in QRadar Assistant app for easier installation or updating. New predefined templates recommend content extensions from IBM Security App Exchange based on increased log source and MITRE coverage.

New charts show an overview of log source coverage and MITRE coverage by currently installed rules and uninstalled rules that can be installed from IBM Security App Exchange. For more information, see Identifying Gaps in QRadar Rule Coverage from Content Extensions.

Apply rule and building block filters more easily

Previously, the Apply button was visible at the bottom of the pane, but it was often difficult to realize that you had to click it to apply the filters. Now, it appears only when you select at least one filter in the pane. As you select filters, they appear in a different color in the filter row, but they change color after you click Apply Filters.

A new search filter in the log source rule test facilitates filtering when the list contains many log sources. You can also filter rules that are related to only used log sources types or unused log source types.

Rule wizard contains more data and is easier to read

The following enhancements were made to improve tuning in the rule wizard:

  • Added all parts of rule action and rule response to rule details page. Also added two new columns: Rule attribute: Rule action details and Rule attribute: Rule response details that contain complete rule action and rule response information.

  • Added the rule scope information before the test definition section to indicate whether the rule is global or local.

  • The log source type section is now sorted and includes the number of log source types.

  • Rule details are now refreshed automatically after you edit MITRE mappings for the rule.

  • Improved layout of rule details page by rearranging sections and expanding some sections by default.

Configure a proxy

You can now configure a proxy so that QRadar Use Case Manager can access the IBM Security App Exchange to get up-to-date information about non-installed content extensions and MITRE mappings for all content extensions. If you don't configure the proxy, you can still see the information in the app, but be aware that it can become out of date.