In case you missed a release, review a list of features from previous versions of QRadar Use Case Manager.
Moved the MITRE-mapping capabilities into the app
The MITRE-mapping capabilities were moved to QRadar Use Case Manager. This streamlines the process of editing rule MITRE mappings. The Cyber Adversary Framework Mapping app is no longer included in the QRadar Use Case Manager installation package. If the Cyber Adversary Framework Mapping app is already installed, QRadar Use Case Manager gathers any existing mappings during installation. Afterward, you can delete the Cyber Adversary Framework Mapping app and use QRadar Use Case Manager instead to help ensure that all your rule mappings are up to date in the app.
Reduced memory requirement
Reduced the memory requirement of the app to 500 MB.
Edit rule MITRE mappings
Save time and effort by selecting several rules and editing the MITRE mappings for all of them at once. If needed, you can also export the selected mappings that you edited.
Enhanced exporting capabilities
Added options to export only the MITRE mappings for the rules in the current report view or export all the rule mappings in the app. Share the JSON file with your other instances of QRadar Use Case Manager.
Rules Explorer enhancements
New MITRE Tactic ID and MITRE Technique ID columns are now available as options in the rule report to provide more context.
Select multiple rules and open them in the Rule Wizard for simultaneous investigation.
Rule visualization enhancement
Added options to show related reference sets, custom properties, and log source types.
Fixed an issue where the SNMP Trap rule response was not visible on the rule details page even though it was selected as a rule response attribute.
You can now see which MITRE ATT&CK tactics and techniques were detected in your environment in a specific time period. A heat map and flexible reports show the detected tactics and techniques and related rules and offenses. For more information, see Visualizing MITRE Tactics and Techniques that are Detected in a Specific Timeframe.
ATT&CK options are now more visible in the Rule Explorer
An ATT&CK Actions menu makes it easier to access the heat maps that show rule coverage and detected tactics and techniques. A switch on the coverage heat map controls whether the table coloring is based only on the rule mappings in the current report or on all the rules in your environment.
MITRE tactics table header stays fixed for easier scrolling
The tactics header in the heat map is now in a fixed state while you scroll down the table, making it easier to track the tactics and techniques that you're reviewing.
Rule Explorer enhancements
Domains are now represented in the rule test filters. The domain filter group lists all the domains in a multi-domain environment. For more information, see Filtering Rules by their Properties.
A new Rule Response: Event Description column is available as an option in the rule report to provide more context.
Rule wizard enhancement
A MITRE tag in the rule details screen of the rule wizard now shows the source building block or rule from which the mapping originates. This information is also shown as a column in the rule report.
Problems related to renaming system rules, where either the old name or a duplicate name appeared in Rule Explorer.
Problems in early patches of QRadar 7.3.1 where QRadar Use Case Manager 2.1.0 did not work.
Added an option to group related data properties in the report table. For more information, see Rule Report Presentation.
Create custom templates in the Rules Explorer from existing templates or create new ones. For more information, see Customizing Report Content Templates.
Added a "Select all" option to the rules attribute filter to make it easier to select all the groups in the list.
Added a Notes filter to the Rule Attributes page to search for specific rules with notes.
The app now detects when newer versions are available to download on the IBM Security App Exchange.
Implemented the following usability improvements that are related to MITRE ATT&CK:
Added an exploratory icon link to the MITRE documentation for each tactic and technique in the technique coverage heat map.
Added a Mapping enabled column to the filters and the report, which indicates whether the mapping between the Cyber Adversary Framework Mapping app and QRadar is turned on. Mappings that are disabled are not added to the technique coverage heat map.
Added capabilities to the rule wizard to open the rule directly in the Cyber Adversary Framework Mapping app for editing.
Re-calibrated the heat map formula to use only enabled rules to calculate the heat map colors.
Added a tooltip to the MITRE ATT&CK filter page to remind users to set an authentication token for the Cyber Adversary Framework Mapping app.
Added a column selection option for Tactic (at rule level) and Technique (at rule level) to show only values that are mapped directly to the rule.
Fixed an issue where the way QRadar handles incomplete rules caused some APIs in some product versions to fail and caused data inconsistencies in QRadar Use Case Manager.
Fixed an issue where the log source type filter had no values when there were more than 50,000 log sources.
Added a rule explorer to filter rules by different properties, such as attributes, rule tests, and MITRE ATT&CK tactics and techniques. Use filters to ensure that the rules are defined and working as intended, including log source coverage. Determine which rules you might need to edit in QRadar or investigate further in QRadar Use Case Manager.
Added the Cyber Adversary Framework Mapping app. With the Cyber Adversary Framework Mapping app, you can map your custom rules and building blocks to MITRE ATT&CK tactics and techniques and override the QRadar default rule mappings.
Added MITRE ATT&CK tactics visualization and the ability to customize your mappings with the Cyber Adversary Framework Mapping app.
Made the following minor UI improvements:
Added a wrench icon to any links and buttons that lead to the investigation wizard.
Added links for reference sets to open in QRadar.
Automatically download rules in IBM QRadar 7.3.2 or later.
Added the ability to edit IP addresses of reference sets in the IPs & Ports tab of the Host definitions page. Supported in IBM QRadar 7.3.1 or later.
Added the ability to edit ports of building blocks and rules in the IPs & Ports tab of the Host definitions page. Supported in IBM QRadar 7.3.2 or later.
upload limit to 50 MB.
Tune most active rules
Tune most active rules based on the CRE event report
Review network hierarchy
Review building blocks
In this early access version, you need to run a script on the QRadar Console to generate a rules data file and then upload it to the app. This temporary step might not be required in later releases.