QRadar 7.5.0 Update Package 14

Support for Tiered Storage
A new approach to managing QRadar (Ariel) data improves search performance and total cost of ownership. It includes:

  • Hot and Warm Tiers - Newly ingested data is stored in the Hot tier for fast access and is automatically migrated to the Warm tier as it ages, based on a defined data migration policy.
  • Improved Performance and Efficiency - By keeping recent data readily accessible and moving older data to more cost-effective storage, Tiered Storage helps to balance search speed, cost, and deployment footprint.

Improved performance in the pipelines (Parsing, CRE) to reduce routing to storage
QRadar now makes routing-to-storage decisions in the data processing pipeline by accounting for the processing utilization of the Parsing and CRE thread pools. This enhancement significantly reduces false-positive routing to storage and strengthens the security posture by minimizing unparsed and uncorrelated events.

Improved event or flow burst handling capability on services startup
The QRadar data processing pipeline services now allocate process memory on startup, improving performance and stability of those real-time processes. This improves handling of event spikes after services startup.

Performance tuning for Pipeline Scheduling
The Ariel Database Writer performance is improved in additional configurations, improving the write speed for events and flows and the performance of the data processing pipeline. The original work introduced in QRadar UP11 applied only to the 1629, 1648, 1729, and 1748 appliance types when using the appliance installation. QRadar UP14 expands the scope of the improvements to include all 31xx, 16xx, 17xx, 18xx, and 14xx hosts with at least 32 CPUs.

LVM Phase 2
This release introduces enhancements focused on improving the management of Logical Volume Management (LVM) on appliance-installed systems. The key area of improvement is enabling LVM expansion for appliance installations.

Enhanced visibility and user experience for Custom AQL Queries in Managed Search Results
In previous QRadar versions, custom AQL searches on the Managed Search Results screen were labeled generically as "Custom AQL Query", with no visibility into the actual query logic until the user clicked into the search. This enhancement improves usability by:

  • Replacing the generic name, "Custom AQL Query", with the actual AQL query string for custom AQL searches
  • Displaying the full AQL query in a tooltip on hover
  • Adding a Copy to Clipboard button for quick reuse
These improvements streamline the user experience and make custom AQL searches more efficient.

Managed Search Results enhancements
The Managed Search Results screen now includes visual indicators for searches that might be slow, expensive, or degrade system efficiency:

  • Non-Indexed Fields - Searches that do not use indexed fields are flagged to highlight potential performance bottlenecks.
  • Pattern matching usage without extra filters - Searches that use the "payload contains" or "payload matches" operations without any other filter are flagged because of their inefficiency and potentially high resource consumption.
These indicators help users identify and revise inefficient queries, promoting good practices for building performant searches.
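The two indicators above can be reproduced as a simple pre-flight check on an AQL query string. The following is an added example, not QRadar's own code: the set of indexed fields is a constructed assumption (the real set comes from Index Management on each deployment), and treating LIKE/ILIKE on payload as a "contains" operation is also an assumption.

```python
import re

# Constructed set of commonly indexed event fields. Which fields are indexed is
# deployment-specific (Index Management), so this list is an assumption.
INDEXED_FIELDS = {
    "sourceip", "destinationip", "sourceport", "destinationport",
    "username", "qid", "logsourceid", "eventcount",
}

# Clauses that amount to "payload contains" / "payload matches" pattern matching.
# Treating LIKE/ILIKE on payload as a "contains" operation is an assumption.
PAYLOAD_PATTERN = re.compile(r"\bpayload\s+(contains|matches|i?like)\b", re.IGNORECASE)

# An identifier immediately followed by a comparison operator, e.g. "sourceip = '...'".
FIELD_PATTERN = re.compile(
    r"\b([A-Za-z_]\w*)\s*(?:<>|<=|>=|!=|=|<|>|\bIN\b|\bI?LIKE\b|\bMATCHES\b)",
    re.IGNORECASE,
)


def extract_where(aql):
    """Return the WHERE clause of an AQL query (up to the next clause keyword), or ''."""
    m = re.search(
        r"\bWHERE\b(.*?)(?:\bGROUP\s+BY\b|\bORDER\s+BY\b|\bLAST\b|\bSTART\b|\bLIMIT\b|$)",
        aql, re.IGNORECASE | re.DOTALL,
    )
    return m.group(1).strip() if m else ""


def referenced_fields(where_clause):
    """Collect the field names filtered on in a WHERE clause, lower-cased."""
    return {f.lower() for f in FIELD_PATTERN.findall(where_clause)}


def analyze_query(aql, indexed_fields=INDEXED_FIELDS):
    """Return the efficiency flags this query would earn, mirroring the two indicators."""
    where = extract_where(aql)
    fields = referenced_fields(where)
    flags = []
    if not fields & indexed_fields:          # no indexed field narrows the scan
        flags.append("non-indexed-fields")
    if PAYLOAD_PATTERN.search(where) and not (fields - {"payload"}):
        flags.append("pattern-match-without-filters")  # payload scan with no other filter
    return flags


if __name__ == "__main__":
    # Constructed sample queries.
    for q in (
        "SELECT sourceip, username FROM events WHERE sourceip = '10.0.0.5' LAST 1 HOURS",
        "SELECT * FROM events WHERE payload MATCHES '.*powershell.*' LAST 24 HOURS",
    ):
        print(analyze_query(q), "<-", q)
```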

Version history for rules
This enhancement gives you the flexibility to revert changes to any previous version of a rule, not just the original, to manage updates and recover from mistakes. You can now see who made changes, what was changed, and when, giving your team full visibility into rule modifications. Authors can add a note that explains the reason for each change, helping everyone stay aligned and informed. These updates are automatically tracked and displayed, so you don't need to modify your existing notes. This release brings greater transparency, accountability, and control to how your rules change over time.

Offense enhancements
You can now set magnitude thresholds when you create rule tests. This enhancement helps you prioritize offenses based on their criticality to focus on the most important threats and respond faster.

Enhanced offense tracking
This update now records only the most recent assignment of an offense to a user, along with the assignment timestamp.

QRadar (QFlow) - Autonomous System Number (ASN) information
QFlow now automatically enriches network flows with Autonomous System Number (ASN) information. The ASN field is now populated, increasing an analyst’s ability to determine the origin of IP traffic. Now, QRadar automatically performs ASN lookups, providing valuable context such as the network or ISP associated with each IP address. The feature provides the following advantages:

  • Gain immediate visibility into the ownership and origin of IP traffic
  • Quickly identify traffic from suspicious or high-risk networks
  • Eliminate the need for manual ASN enrichment
  • Enhance correlation rules and threat detection with enriched flow metadata
This improvement helps security teams respond faster, improve triage accuracy, and align with modern SIEM expectations for enriched, actionable data.

QRadar Risk Manager (QRM) supports Check Point HTTPS integration
QRadar Risk Manager now receives firewall rule event logs directly from Check Point Security Management Servers (SMS). This enhancement enables real-time monitoring of firewall rule event counts, helping customers manage and optimize the effectiveness of their firewall rule policies across all managed devices. The benefits are as follows:

  • Identify the most and least used Check Point firewall rules
  • Detect rules that might unnecessarily block network access
  • Highlight frequently triggered rules that might impact performance
  • View detailed rule event data for analysis
  • Schedule reports to improve policy management and visibility
This feature helps users monitor and optimize Check Point firewall rules in real time for improved security and network efficiency.