• DT455580: Offense searches using description fail in UP14.

• DT443433: Data aggregation fails in UP12 when a global view includes a deleted non-string custom property.

• Data Nodes: Tiered storage settings for fast access (Hot Data Nodes), which can automatically migrate to slower storage (Warm Data Nodes) based on your data migration policy
• Performance: Improved performance in the pipelines (Parsing, CRE) to reduce data that routes to storage
• Performance: Improved event/flow burst handling capability on services startup
• Performance: Ariel Database Writer performance improved for more appliance types
• Disk: Enabled LVM expansion for appliance installations
• UI: Improvements for Custom AQL Queries in Managed Search Results
• UI: Managed Search Results include visual indicators for low performing searches
• Flows: QFlow can automatically populate ASN information from flow data
• Rules: Version history for rules and visibility to rule modication
• Rules: Rule test filter can now set a magnitude value for offenses
• and more…

• DT448933: Offense rule email will not work in UP13 because of duplicate common-lang3 jar in ecs-ep pipeline
• DT447357: Forwarding events over TLS may cause an error after upgrading to UP12: SelectiveForwarding can trigger ‘too many open files’ errors and events are not forwarded
• DT446281: Data Sync App – Software Install setup: Apps Restore functionality showing validation and Failover is not getting initiated in the new DSApp v3.2.2
• DT444845: Known_hosts file on managed hosts is being cleared
• DT443486: Ariel out of memory due to map failed
• DT442680: Risk Manager rule counting for Check Point not working
• DT444714: QRadar UP12 Java 11 warning messages on accumulator_rollup
• DT439080: Connection lost from EC to EP: Channel key IO Error
• DT435875: AppFW health check time attributes in nva.conf are not honored
• DT439591: JSON property extraction does not work with stringify nested objects
• DT436082: Applications that uses CentOs and Python2.x base image will not work on QRadar
• DT423736: Deployment Configuration option can be inadvertently disabled in config restore page
• DT423733: Config restore page checkboxes are not being checked automatically
• DT400332: QFlow always consumes a full CPU, even when not doing any work
• DT423480: Missing entry in /etc/hosts since change to podman causes unnecessary dns requests
• DT394273: QRadar GUI is displaying wrong time on console using Africa/Cairo timezone
• DT269861: DSM Editor not parsing if JSON Keys have ‘\’ (backslash) for escape characters
• DT252085: Administrators cannot change the day Auto Update runs when the schedule is monthly (IJ49388)
• DT252130: Assets Details UI can display multiple instances of the same IPv6 address (IJ48908)
• DT252037: Restoring a Nightly Configuration backup fails as deselecting license incorrectly unchecks deployment configuration (IJ46413)
• DT217529: Auto Updates can generate ‘Could not apply qidmap update with serial xxxxxxxxx’ errors (IJ46414)
• DT242579: Field Extraction Based Custom Properties only extracts the last part of the value when a space exists in value (IJ44464)
• DT195808: System Monitoring dashboard EPS/FPM graphs might not display as expected due to a ‘Multikeycreatorexpression predicate exception’ (IJ42551)

• DT448933: Offense rule email will not work in UP13 because of duplicate common-lang3 jar in ecs-ep pipeline
• DT252130: Assets Details UI can display multiple instances of the same IPv6 address
• DT217529: Auto Updates can generate ‘Could not apply qidmap update with serial xxxxxxxxx’ errors

• DT394273: QRadar GUI is displaying wrong time on console using Africa/Cairo timezone
• DT195808: System monitoring dashboard EPS/FPM graphs might not display as expected due to a ‘multikeycreatorexpression predicate’ exception
• DT444845: Known_hosts file on managed hosts is being cleared

• DR: Console-only failover improvements and optimized backup validation time
• Offenses: Infograhic-based visual insights on Offense tab for: Timeline views of offenses, Magnitude-based ranking, or Host-based categorization
• Admin: Unified Store & Forward, domain management, centrialized credentials, and resource restriction interfaces.
• DR: Console-only app failover improvements
• Regex Custom Properties: Use multiple capture groups and literals in custom properties
• Monitoring: Added SNMPv3 and snmpwalk polling for hosts
• Search: Enhanced partial search result visibility in UI
• DSM Editor: Improved suggested regex, auto-population of Event ID and Event Category, and event parsing for several core DSM types
• Flows: ERSPAN support
• Flows: MAC addresses added to QFlow, SFlow, and Packeteer for improved visibility of assets
• API: Asset API endpoints now include a Delete option and adds extended GET option to identify the asset type in API results

• DT397715: If the “qradar” postgresql database is in use during a configuration restore, it can cause the restore to fail, invalidating the database.
• DT423482: podman_apps_registry_restore.sh stuck when registry keystore is broken.
• DT435262: Reference set “does not exist in any/all of” filters return incorrect search results.
• DT433453: Ariel queries with a criteria involving indexed properties open data files in cases where it should not, reducing search speed.
• DT098936 ‘Accumulator falling behind’ notifications after default global views for event rate and flow rate have been recreated.
• DT435224: Warning message ” /opt/qradar/bin/setComponentThreadSchedulerPolicy.sh: failed to set scheduler.
• DT443486: Ariel out of memory due to map failed 
• DT211814:  F5 networks big-ip apm events can display ‘parsed but not mapped’ in DSM Editor 
• DT208415: Linux OS and McAfee ePolicy Orchestrator, TLS Syslog, some events parsing correctly in log activity but display as unknown in the DSM Editor 
• DT259062: VMWare VCenter events show parsed but not mapped in DSM editor 
• DT393964: The Event Id and Event Category values are not automatically populated in the ‘Create a New Event Mapping’ dialog box for some DSMs
• DT431870: Suggest Regex feature in DSM Editor does not work unless the user role is set to Admin 
• DT257046: High Availability setup may fail on systems with very large drives
• DT258339: High availability setup can fail or take an excessive amount of time to complete on hosts with large /store filesystems
• DT386499: QRadar Trend Micro Deep Discovery Director and Inspector event mapping issue
• DT389459: QRadar hosts installed using a RHEL8-based ISO and legacy BIOS cannot reinstall using the recovery ISO
• DT423351: Parallel Patch -l option (limit bandwidth) not applied
• DT425142: qradarca-monitor restarts services every hour when expiring cert is skipped for regeneration
• DT425543: Upgrading QRadar environment on appliance installs in High Availability to 7.5.0 Update Package 11 can cause the secondary to fail
• DT435327 UP11 : Export as Building Block is not visible in rule wizard in light mode
• DT435505 QRadar: Search Parameter section in Edit or New Search has buttons covering items in some cases in Dark Mode.
• DT438885 QRadar: CEP (Custom property) cache issues when a system has over 1000 properties.
• DT439079: Header text is not visible in Offenses -> Rules table for Dark theme
• DT439093: Some appliance are now getting a timebomb license with a month expiration
• DT439346: License is over allocated after patching to UP11 with software ECs with QVM Scanners
• DT440166: Backup failing after upgrade to UP12 or UP12 IF01
• DT131234: IJ38812: TIME_SYNC.SH CAN FAIL TO COMPLETE SUCCESSFULLY IF SOCAT TAKES LONGER THAN 0.5 SECONDS TO CONNECT
• DT211483 IJ46412: FRENCH LANGUAGE SYMANTEC ENDPOINT PROTECTION EVENTS DO NOT DISPLAY AS EXPECTED IN THE DSM EDITOR
• DT252109 IJ47681: REPORT WIZARD CAN UNEXPECTED SELECT THE CSV FORMAT WHEN USERS CLICK THE BACK BUTTON

• DT446222: Hostcontext error visible in the logs when creating backup on the ui on backup and recovery
• DT446199: SAML IdP server metadata generator page is not getting Open from Browser URL for QRadar IPV6 environment
• DT446281: Data Sync App – Software Install setup : Apps Restore functionality showing validation and Failover is not getting initiated in the new DSApp v3.2.2

• DT437590: Any firewall rules set through the Custom UI will be overridden by the rules defined in the console.default file.

• DT435262: Reference set “does not exist in any/all of” filters return incorrect search results.
• DT439079: Header text is not visible in Offenses->Rules table for Dark theme.
• DT440166: Backup failing after upgrade to UP12 or UP12 IF01.

• DT438885: Custom Property (CEP) cache issues when a system has over 1000 properties

• Enhanced Search Progress Visualization
• Search Performance Improvement in Multi-Tenant Deployments with Reference Set Filters
• Enhanced Log Search by Event Collector Name
• Data Node improved scattering with absolute space thresholds
• Updated protocols to ensure compatibility with Java 11
• Updated the Auto Update version to 9.21
• Add Creation Date to the offense summary page and the offense search page

• DT149076: Add Host fails if an entry exists for the host in known_hosts file and that entry is invalid
• DT396625: Ingress restarted during full deploy not prompting user
• DT418741: Upgrading to 7.5.0 UP10 fails with: Error running 14: /media/updates/scripts/QRADAR-20338.install
• DT400995: qradarca-monitor restarts services every hour when expiring cert is skipped for regeneration
• DT423580: Asset is not getting updated or deleted and creates duplicate assets
• DT424536: The “Show AQL” generates incorrect AQL with missing parentheses ‘(‘ , ‘)’

• DT438885: CEP (Custom property) cache issues when a system has over 1000 properties

• DT425142: qradarca-monitor restarts services every hour when expiring cert is skipped for regeneration
• DT425376: The allocated EPS and FPM limits are displayed as zero in the System and License Management UI for all Managed Hosts.
• DT433687: Log Activity, Network Activity, and Offenses Tab table width have changed and are no longer visible in a single view.
• DT425543: Upgrading QRadar environment to 7.5.0 Update Package 11 on appliance installs in High Availability can cause the secondary to fail.
• DT423974: The UI can freeze and become nonresponsive after upgrading to UP9 in the Rule Wizard while adding Log Sources based conditions.

• No reported known issues.

• DT418183: Event Forwarding is not sending the correct Alias of Custom Event Property.

• No reported known issues.

• DT424320: Admin > Extension Management > Light theme > Help Icon is not visible.

• X-Force: To use X-Force in queries or custom rules, configure a proxy server. To enable a proxy, and for more information, see QRadar: X-Force Frequently Asked Questions.

• DT396625: Ingress restarts during full deployment without prompting the user.
• DT396457: Asset is not getting updated or deleted and creates duplicate assets.

• Assets: Due to an upgrade in the operation of Postgres, a duplicate asset is created when you attempt to update an asset that is created by OS discovery before the upgrade to Update Package 11. The original assets created by OS discovery and the duplicate assets can not be updated or deleted. For more information, see DT423580
• Upgrade: The QRadar 7.5.0 Update Package 11 Interim Fix 01 patch hangs on appliance installs during the cliniq check on grub files, and the following message is displayed: “File not found: /etc/grub.d/00_tuned”. For more information, see DT423724.
• X-Force: To use X-Force in queries or custom rules, configure a proxy server. To enable a proxy, and for more information, see QRadar: X-Force Frequently Asked Questions.

• Updates to the operating system to RHEL V8.10
• Postgres update to V16.2
• Note: An updated code signing tool is available for UP11 software to validate the software download.

• DT421290: Test_tomcat_connection.sh fails during qchange_netsetup when hostname is changed in Console.
• DT419580: Incorrect Japanese translation under user theme selection form/wizard.
• DT418747: QRadar 7.5.0 UP10 running qchange_netsetup on a console will hang while committing changes.
• DT400995: Tomcat/hostcontext will fail after patching to UP10 if ARIEL_FREE_TEXT_*_INDEX is set to yes.
• DT419866: Inefficient synchronization in ReferenceDataCache causing a performance degradation in CRE, Parsing, Routing rules etc.
• DT398931: Offense tab consistently sorts offences in ascending order, regardless of the sorting order specified in the saved search.
• DT398593: HA SelfRepair.sh script fails to run to repair ha when in a failed state.
• DT398675: Patch fails on an MH with Tomcat enabled before the patch.
• DT391513: AQL properties do not parse and report ‘N/A’ in Log Activity.
• DT397036: TCP syslog log sources goes into an error state after a full deployment when changing the advanced setting ‘Max Number of TCP Syslog Connections’.
• DT417402: Upgrade stuck with incorrect status report in Parallel patch menu.
• DT396457: Event Start time shows “N/A” after upgrade.
• DT244813: Log File protocol configured to connect with SFTP can stop collecting events unexpectedly in 7.5.0 UP7.
• DT395212: NPE when calling GEO::LOOKUP function.
• DT394567: QRadar – Multiline log messages in Bandwidth Manager’s qradar.log seen as stored events in log activity.
• DT393769: Offense filter “Assigned to user is Unassigned” does not work in UP9.
• DT396561: Viewing Events Associated With an Offense May Show Incomplete Results.
• DT394013: Host address value is empty for online forwarded events.
• DT392098: The REFERENCEMAPSETCONTAINS used in AQL does not respect ALNIC type of reference object.
• DT391457: REFERENCEMAP functions do not return correct results in Log Activity when used twice in same expression with Group By.
• DT390330: Error – No certificate was found with friendly name [friendly_name].
• DT381380: Quick Filter doesn’t auto-update results after filter change/removal.
• DT393659: QRadar appliance installation fails on systems with Secure Boot enabled.
• DT381852: Search results in application error if the special characters in filters exceed the 255 handle_name limit.
• DT378765: JSON CEPs handle backslashes as escapes.
• DT378773: Sentry Engine doesn’t reflect data from all hosts.
• DT378759: Deleting a domain can cause Reference Set element count in the UI to report incorrectly.
• DT258972: Search results aren’t removed from /transient when the cursor has a ‘ . ‘.
• DT392621: Cisco unknown events are incorrectly mapped in the DSM Editor to another known event %ASA-7-718088.
• DT252114: Alphanumeric ignore case (ALNIC) data type does not work for reference table keys.
• DT256896: SourceMonitor Reporting incorrect high EPS rates for time windows over 5 seconds.
• DT252077: ADE rules created from searches using a reference set filter causes socket leak in the accumulator.
• DT394515: Can not Delete a Group in Group-Based LDAP.
• DT252032: Ariel restart slows down because searches order by date format creates garbage folders in /store/transient/ariel_proxy_server/data.
• DT149096: Ariel.dataloader may cause a Nullpointerexception error while fetching the name of the sensor device type for ID 0.
• DT108131: QRadar user interface may become unavailable when navigating in the extension management window.
• DT251744: Unable to delete saved searches.
• DT420540: UCM 4.0.0 crashes when a user tries to add or edit an MITRE mapping.

• WinCollect: WinCollect 7.3.1-43 upgrade fails. The WinCollect RPM validation is out of date and causes the upgrade to fail. To resolve the issue, and for more information, see WinCollect 7.3.1-43 upgrade fails due to “[CRITICAL] Transaction failed.
• X-Force: You can not access X-Force servers directly from a QRadar IPv6 box. To use X-Force in queries or custom rules, configure a proxy server. To enable a proxy, and for more information, see QRadar: X-Force Frequently Asked Questions.
• Upgrading: In QRadar version 7.3.0 or earlier, appliances were built with smaller partition sizes that can cause issues when you upgrade to RHEL-8. Depending on the appliance type, you can save the SFS file in a different directory or rebuild the system at Update Package 8 or later, and then add it to the deployment. can experience an issue where events routing to storage unexpectedly; however, the EPS rate is not yet hitting the maximum capability of the appliance.
• Upgrade: Upgrade patch pretest fails on dual stack. After you upgrade to 7.5.0 Update Package 9, the RHEL-8 upgrade pretest fails after the system reboot.
• Apps: After you upgrade some apps remain in an “error” state on deployments with 30+ apps. Restart the apps by using the qappmanager: /opt/qradar/support/qappmanager. For more information, see About the qappmanager support utility.
• Admin :Admin password does not set correctly on auto-install. In some instances of QRadar installations using the auto-install method, the Admin password is not being set properly. To resolve this issues, manually update the Admin password in the QRadar host CLI. For more information, see DT258627.
• Autoupdates: After upgrading to QRadar 7.5.0 or later, older autoupdate versions may revert and fail to update RPMs properly. To check your autoupdate version, use the command: /opt/qradar/bin/UpdateConfs.pl -v. Review the issue and the resolution section for your auto update version in the following technical note, Common issues and troubleshooting for auto update version 9.11.
• For the full list of known issues, see the release notes.
• For the full list of known issues, see the release notes.

• DT251744: Unable to delete saved searches.
• DT396457: Event Start time shows “N/A” after upgrade.
• DT394013: Host address value is empty for online forwarded events.
• DT149096: Ariel.dataloader may cause a NullPointerException error while fetching the name of the sensor device type for ID 0.

• X-Force: You can not access X-Force servers directly from a QRadar IPv6 box. To use X-Force in queries or custom rules, configure a proxy server. To enable a proxy, and for more information, see QRadar: X-Force Frequently Asked Questions.
• Apps: After you upgrade some apps remain in an “error” state on deployments with 30+ apps. Restart the apps by using the qappmanager: /opt/qradar/support/qappmanager. For more information, see About the qappmanager support utility.
• Apps: Duplicate app entries on Traefik when QRadar console if you power off your QRadar console in VSphere and power it on again. Duplicate entires of apps exist on the Traefik UI. To resolve this issue, restart the Traefik service.
• Data Nodes: When you attempt to add a Data Node to a cluster, they must either all be encrypted, or all be unencrypted. You cannot add both encrypted and unencrypted Data Nodes to the same cluster.

• X-Force: You can not access X-Force servers directly from a QRadar IPv6 box. To use X-Force in queries or custom rules, configure a proxy server. To enable a proxy, and for more information, see QRadar: X-Force Frequently Asked Questions.
• Upgrading: In QRadar version 7.3.0 or earlier, appliances were built with smaller partition sizes that can cause issues when you upgrade to RHEL-8. Depending on the appliance type, you can save the SFS file in a different directory or rebuild the system at Update Package 8 or later, and then add it to the deployment. can experience an issue where events routing to storage unexpectedly; however, the EPS rate is not yet hitting the maximum capability of the appliance.
• Apps: After you upgrade some apps remain in an “error” state on deployments with 30+ apps. Restart the apps by using the qappmanager: /opt/qradar/support/qappmanager. For more information, see About the qappmanager support utility.
• Admin :Admin password does not set correctly on auto-install. In some instances of QRadar installations using the auto-install method, the Admin password is not being set properly. To resolve this issues, manually update the Admin password in the QRadar host CLI. For more information, see DT258627.
• Autoupdates: After upgrading to QRadar 7.5.0 or later, older autoupdate versions may revert and fail to update RPMs properly. To check your autoupdate version, use the command: /opt/qradar/bin/UpdateConfs.pl -v. Review the issue and the resolution section for your auto update version in the following technical note, Common issues and troubleshooting for auto update version 9.11.
• For the full list of known issues, see the release notes.

• Light mode theme enabled as a user preference to switch from dark to light mode.
• New parallel patching feature allows admins to see status of hosts as they upgrade and stage patch files in advance.
• Federal Information Security Modernization Act (FISMA) support adds IPv6 integrations and features to QRadar across rules, searches, right-click filters, integrations, and more.
• Performance enhancements for event and flow searches.
  • Improved event and flow search stability and performance for large deployments, high query concurrency, and complex datasets by managing memory more effectively.
  • Event and flow searches that interact with IPv6 addresses are up to 200 times faster.
• WinCollect includes a new WinCollectHealthCheck.sh support script to update iptables after the UP10 upgrade.
• Disabled 24 Java ciphers

• DT394105: Performance degradation in 7.5.0 UP9 IF1 when you transition events between ecs-ec and ecs-ep components.
• DT393397: Log Activity tab Add Filter button can display text highlights that are difficult to view in Dark Mode
• DT390721: After you upgrade from QRadar 7.5.0 UP 7 to QRadar 7.5.0 UP 9, the Pulse App does not have the proper permissions to run.
• DT389402: Geographic rule test fails location match when IP is present in Network Hierarchy.
• DT387724: Logrotate can fail in QRadar 7.5.0 UP8 due to a configuration conflict.
• DT389204: Event Collectors with encryption enabled that drop connections to the Event Processor might experience event loss.
• DT389245: User Account Deleted event doesn’t contain information about the user who performed the action.
• DT387114: The Notes in the Offense Summary CSV export are not in the correct order.
• DT386337: Offline forwarding events fail with TCP over TLS when the event processor has no direct Internet access.
• DT386288: Imported LDAP users are unable to receive emails due to the empty email field in users.conf.
• DT381632: Blank page when adding an Ariel filter condition in a custom rule if the value ends with a backslash “\”.
• DT382083: In Log Activity right click filters won’t display if the Source Address is IPv6.
• DT378758: XML Expressions are unable to extract properties containing data after “&”.
• DT365810: After changing the server time on the command line of a QRadar console, tomcat can get stuck on reading report templates and fail to fully start.
• DT364304: QRadar HA secondary hosts can go into a failed state after deploying changes.
• DT386044: Missing some fields for CRE Rule Modified SIM audit event.
• DT269915: QRadar GUI can become unresponsive during a login attempt if the LDAP server is unresponsive.
• DT270362: Custom AQL Queries are removed from Manage Search Results after a Full Deploy.
• DT252121: Custom property deletion checker can incorrectly identify rule dependencies.
• DT252137: Report summary displays the “Run this report when wizard is complete” option incorrectly on the report wizard.
• DT208622: Deployments with multiple encrypted data nodes do not rebalance between each other as expected after an upgrade to QRadar 7.5.0 UP3.
• DT121375: Changes made to the time series chat dashboard layout can fail to persist after logout.
• DT145254: “AADSTS75011” error when you use Windows Hello by X509 without the auth context.
• DT398172: QRadar: Correlation Rules and Building blocks owned by disabled users do not execute in UP9. No errors reported.
• DT390627: Background deployment tasks triggered by LDAP user synchronization can block deploys initiated from the UI.

• WinCollect: WinCollect 7.3.1-43 upgrade fails. The WinCollect RPM validation is out of date and causes the upgrade to fail. To resolve the issue, and for more information, see WinCollect 7.3.1-43 upgrade fails due to “[CRITICAL] Transaction failed.
• X-Force: You can not access X-Force servers directly from a QRadar IPv6 box. To use X-Force in queries or custom rules, configure a proxy server. To enable a proxy, and for more information, see QRadar: X-Force Frequently Asked Questions.
• Upgrading: In QRadar version 7.3.0 or earlier, appliances were built with smaller partition sizes that can cause issues when you upgrade to RHEL-8. Depending on the appliance type, you can save the SFS file in a different directory or rebuild the system at Update Package 8 or later, and then add it to the deployment. can experience an issue where events routing to storage unexpectedly; however, the EPS rate is not yet hitting the maximum capability of the appliance.
• Upgrade: Upgrade patch pretest fails on dual stack. After you upgrade to 7.5.0 Update Package 9, the RHEL-8 upgrade pretest fails after the system reboot.
• Apps: After you upgrade some apps remain in an “error” state on deployments with 30+ apps. Restart the apps by using the qappmanager: /opt/qradar/support/qappmanager. For more information, see About the qappmanager support utility.
• Admin :Admin password does not set correctly on auto-install. In some instances of QRadar installations using the auto-install method, the Admin password is not being set properly. To resolve this issues, manually update the Admin password in the QRadar host CLI. For more information, see DT258627.
• Autoupdates: After upgrading to QRadar 7.5.0 or later, older autoupdate versions may revert and fail to update RPMs properly. To check your autoupdate version, use the command: /opt/qradar/bin/UpdateConfs.pl -v. Review the issue and the resolution section for your auto update version in the following technical note, Common issues and troubleshooting for auto update version 9.11.
• For the full list of known issues, see the release notes.
• For the full list of known issues, see the release notes.

• WinCollect: WinCollect 7.3.1-43 upgrade fails. The WinCollect RPM validation is out of date and causes the upgrade to fail. To resolve the issue, and for more information, see WinCollect 7.3.1-43 upgrade fails due to “[CRITICAL] Transaction failed.
• Upgrading: In QRadar version 7.3.0 or earlier, appliances were built with smaller partition sizes that can cause issues when you upgrade to RHEL-8. Depending on the appliance type, you can save the SFS file in a different directory or rebuild the system at Update Package 8 or later, and then add it to the deployment. can experience an issue where events routing to storage unexpectedly; however, the EPS rate is not yet hitting the maximum capability of the appliance.
• Upgrade: Upgrade patch pretest fails on dual stack. After you upgrade to 7.5.0 Update Package 9, the RHEL-8 upgrade pretest fails after the system reboot.
• Apps: After you upgrade some apps remain in an “error” state on deployments with 30+ apps. Restart the apps by using the qappmanager: /opt/qradar/support/qappmanager. For more information, see About the qappmanager support utility.
• Admin :Admin password does not set correctly on auto-install. In some instances of QRadar installations using the auto-install method, the Admin password is not being set properly. To resolve this issues, manually update the Admin password in the QRadar host CLI. For more information, see DT258627.
• Autoupdates: After upgrading to QRadar 7.5.0 or later, older autoupdate versions may revert and fail to update RPMs properly. To check your autoupdate version, use the command: /opt/qradar/bin/UpdateConfs.pl -v. Review the issue and the resolution section for your auto update version in the following technical note, Common issues and troubleshooting for auto update version 9.11.
• For the full list of known issues, see the release notes.

• WinCollect: WinCollect 7.3.1-43 upgrade fails. The WinCollect RPM validation is out of date and causes the upgrade to fail. To resolve the issue, and for more information, see WinCollect 7.3.1-43 upgrade fails due to “[CRITICAL] Transaction failed.
• Upgrading: In QRadar version 7.3.0 or earlier, appliances were built with smaller partition sizes that can cause issues when you upgrade to RHEL-8. Depending on the appliance type, you can save the SFS file in a different directory or rebuild the system at Update Package 8 or later, and then add it to the deployment. can experience an issue where events routing to storage unexpectedly; however, the EPS rate is not yet hitting the maximum capability of the appliance.
• Upgrade: Upgrade patch pretest fails on dual stack. After you upgrade to 7.5.0 Update Package 9, the RHEL-8 upgrade pretest fails after the system reboot.
• Apps: After you upgrade some apps remain in an “error” state on deployments with 30+ apps. Restart the apps by using the qappmanager: /opt/qradar/support/qappmanager. For more information, see About the qappmanager support utility.
• Admin :Admin password does not set correctly on auto-install. In some instances of QRadar installations using the auto-install method, the Admin password is not being set properly. To resolve this issues, manually update the Admin password in the QRadar host CLI. For more information, see DT258627.
• Autoupdates: After upgrading to QRadar 7.5.0 or later, older autoupdate versions may revert and fail to update RPMs properly. To check your autoupdate version, use the command: /opt/qradar/bin/UpdateConfs.pl -v. Review the issue and the resolution section for your auto update version in the following technical note, Common issues and troubleshooting for auto update version 9.11.
• For the full list of known issues, see the release notes.

• WinCollect: The WinCollect RPM validation is out of date and causes the upgrade to fail for UP8 or UP9. For more information see, WinCollect 7.3.1-43 upgrade fails due to “[CRITICAL] Transaction failed”
• Disk Space: In QRadar version 7.3.0 or earlier, appliances were built with smaller partition sizes that can cause issues when you upgrade to RHEL-8. Depending on the appliance type, you can save the SFS file in a different directory or rebuild the system at Update Package 8 or later, and then add it to the deployment.
• WinCollect: If you upgrade to QRadar 7.5.0 Update Package 9 and have WinCollect 7.x agents deployed in managed mode, you must install the WinCollect 7.3.1-43 SFS file as outlined in the WinCollect 7.3.1-43 release notes.
• Upgrade: Upgrade patch pretest fails on dual stack.
• Data Nodes: When adding a Data Node to a cluster, they must either all be encrypted, or all be unencrypted. You cannot add both encrypted and unencrypted Data Nodes to the same cluster.
• Apps: Duplicate app entries on Traefik when QRadar console is powered off and on again.
• For the full list of known issues, see the release notes.

• Dark theme enabled across QRadar
• CIDR data type in reference sets
• RegexMonitor adds a monitor-only mode for expensive properties without auto disabling
• Performance enhancements for Data Nodes and Offline forwarding
• Conole-only DR for Data Synchronization app

• DT256898: eps60s value is not set to 0 when the log source stops receiving events
• DT256900: CEP cannot be toggled for force parsing If a custom rule’s name starts with a CEP name and it is used by another rule
• DT257068: Users cannot configure a test parameter for a rule when using a Reference Table
• DT258372: When deleting rules from API the username is truncated in audit log if the username include a period (.)
• DT258746: The “Assigned to User” filter has been removed when editing “My Offense”
• DT258826: An application error is observed when clicking a link in the “Top Category Types” dashboard widget
• DT259594: Assign offense menu showing as blank when trying to assign offense without log source access
• DT259793: Use case manager rules can be inconsistent with rules in the rule tab
• DT259763: AQL Custom Function Table Replication Issue in Data Gateway
• DT261799: False Positive flags do not reflect correctly in the rules
• DT261802: Customer with local language set as Simplified Chinese would run into offence page freeze
• DT261851: Modifying system rule leads CRE to throw NPE when reading dependant rules
• DT269186: Users who log in to QRadar can receive an Error “Invalid license key” when the license is valid
• DT270141: Group Based LDAP Authentication does not preserve tenant assignment in User Details interface
• DT270299: Scheduled reports that contains more than three columns throws “Array index out of range” exception
• DT277116: Apps are in a failed state after upgrading to QRadar 7.5.0 Update Package 7 IF06 on a FIPS enabled system
• DT364307: Failed to add HA on console when iscsi configured on UP8 install – not live
• DT364450: Failed to add HA on a QRadar 7.5.0 UP8 console when an NFS mount is configured
• DT365145: HA synchronization status in 7.5.0 UP8 is not displayed in System and License Management
• DT365203: UP8 patch installer “–leapp-only” option does not support HA secondaries
• DT365204: UP8 patch installer option “–leapp-only” will not run successfully on fresh UP7 installations
• DT365205: Patching a QIF host to 7.5.0 UP7 or UP8 may result in services failing to start
• DT365206: UP8 patch installer is unable to run “–leapp-only” option on a detached Console HA host
• DT365574: Events that bypass parsing will not have the correct collectorid
• DT365799: Cannot send udp syslog to QRADAR_CONSOLE_IP from app container on Apphost
• DT365964: UserDomainPermission_Test still impacts CRE performance after fix for DT212087
• DT366125: A boot loop can occur while patching to 7.5.0 UP8 due to incorrect grub configuration
• DT378245: Cliniq failure on MH after RHEL8 migration causes patch to fail – not live
• DT378557: LDAP Authentication module can generate an ‘Application Error’ when saving changes in 7.5.0 UP7
• DT378590: Natted deployments will fail to patch as Installer does not look at public IPs for checking if leapp-only was run
• DT378682: When patching to 7.5.0 UP8, the RHEL8 Leapp migration script fails to remove the mptbase kernel module on VMware hosts
• DT378761: Expired user sessions preventing new logins
• DT378774: Change in QRADAR-17670 for CONFIGSERVICE_URL to fqdn causes replication to try public IP first – not live
• DT378823: Service scaserver is unable to start after migrating to RHEL 8 due to incorrect lib file
• DT378980: Patching to QRadar 7.5.0 UP8 can hang in environments using network address translation (NAT)
• DT380809: QRadar consoles running high availability with NFS mounts configured can fail “–leapp-only” tests when patching to 7.5.0 UP8
• DT380966: Upgrades to QRadar 7.5.0 UP8 can fail if /storetmp does not have enough available disk space
• DT381206: Upgrades to UP8 IF01 might cause applications not to start due to podman-client-registry keystore corruption
• DT381391: 3148 AIO Console could have a CRE performance bottle neck
• DT382094: Custom actions scripts no longer work due to permission issues
• DT382313: Upgrading to QRadar 7.5.0 UP8 will fail on virtual hosts using an e1000 NIC adapter
• DT386246: A kernel defect is causing a significant search performance degradation issue in QRadar 7.5.0 UP8 IF02
• DT386356: A deploy while HA is syncing will invalidate store and cause/restart a full sync – not live
• DT386462: When upgrading QRadar to 7.5.0 UP8, if an HA secondary host fails to reboot during the RHEL8 migration, the patch installer on the primary host will hang indefinitely
• DT386559: Missing langpacks in UP8 cause API errors – not live
• DT386964: Services broken when Patched UP8 host failover to Fresh UP8 host due to UID changes in RHEL8 – not live
• DT139510: Log sources can sometimes display a status of error or not available when they are working as expected
• DT251817: Non-admin user cannot edit the group of log sources using the API when the security profile is set to all log source groups
• DT251857: QRadar apps can randomly disappear from the QRadar user interface
• DT160982: The “Not” operator used with the log source API does not properly filter results as expected
• DT134169: 7.5.0 UP1 deployments with QNI appliances can fail to deploy if the connection to QNI is unavailable
• DT145570: Modifying the rule “Multiple login failures for single username” might cause a NPE error when QRadar is reading the rule
• DT252005: install-ssl-cert.sh unable to install certificate signed by intermediate certificate authority
• DT196807: QRadar filter “Source Network” displays an empty list in locales other than english
• DT197404: Destination IP/Source IP search parameter does not work with multiple IPs separated by comma in the Offenses tab
• DT252050: Apps can take longer than the default 90 seconds to start when 20 or more apps are installed
• DT253292: Timestamps on the Manage Vulnerabilities -> By Vulnerability Instances screen are incorrect – not live
• DT253294: Timestamps in a scan results (excel) report are displayed in the GMT timezone
• DT215947: Log sources status column might not update as expected, leading to stale or outdates status information
• DT253091: QRadar Risk Manager: Unable to create a topology model
• DT252110: Offense tab columns do not sort as expected when search is set to default
• DT244446: Custom rules: Match count rules do not trigger as expectedly when used with coalescing log sources
• DT252111: Offenses created from flows rule does not show the first event in search result count
• DT252084: QRadar non-administrator users cannot save changed to log source groups in the Log Source Management (LSM) app
• DT252141: Reports fail to generate when files other than images exist in /store/reporting/reports/logos
• DT252113: Admin tab can display an application error when assistant app cannot determine
• DT252086: Quick filter flow interface values can be duplicated for admins in the user interface when domains are configured
• DT252142: Data obfuscation can experience performance issues due to empty or null string checking
• DT252099: Bytes sent sorting for numeric custom property is filtered in the user interface as alphabetic

• Pulse app: Users with the Pulse app 2.2.14 or HA pairs can experience a permission error that prevents the application from running as expected after upgrading to 7.5.0 UP9. Users on Pulse 2.2.13 do not experience this issue. If possible, upgrade the Pulse app after you upgrade to UP9. Known issue: DT390721.
• Upgrade: You must ensure that your deployment does not include hosts with LUKS encrypted partitions to successfully upgrade your system. For more information see, DT390721.
• WinCollect: The WinCollect RPM validation is out of date and causes the upgrade to fail for UP8 or UP9. For more information see, WinCollect 7.3.1-43 upgrade fails due to “[CRITICAL] Transaction failed”
• Disk space: Leapp pretests fail to ensure if the /storetmp directory has sufficient disk space to store the upgrade cache directory. You must ensure that all appliances have at minimum 10GB of space available in the /storetmp directory before you upgrade to 7.5.0 Update Package 9.
• Network: Bonded NICs renamed during RHEL7 to RHEL8 migration cause network outage on host, seeDT391410.
• WinCollect: If you upgrade to QRadar 7.5.0 Update Package 9 and have WinCollect 7.x agents deployed in managed mode, you must install the WinCollect 7.3.1-43 SFS file as outlined in the WinCollect 7.3.1-43 release notes.
• Upgrade: Upgrade patch pretest fails on dual stack.
• HA: High availability upgrades to QRadar 7.5.0 Update Package 9 require a full DRBD re-sync after the upgrade completes.
• Data Nodes: When adding a Data Node to a cluster, they must either all be encrypted, or all be unencrypted. You cannot add both encrypted and unencrypted Data Nodes to the same cluster.
• Network: The e1000 network driver is not supported in Red Hat Enterprise Linux 8. For more information, see DT382313.
• For the full list of known issues, see the release notes.

• Upgrade: Upgrade patch pretest fails on dual stack (IPv4 and IPv6) appliances. After you upgrade to 7.5.0 Update Package 8, the RHEL-8 upgrade pretest fails after the system reboot.
• Applications: After you upgrade some apps remain in an “error” state on deployments with 30+ apps. Restart the apps by using the qappmanager: /opt/qradar/support/qappmanager utility.
• Applications: After you install QRadar 7.5.0, your applications might go down temporarily while they are being upgraded to the latest base image.
• Upgrade: Admin password does not set correctly on auto-install. To resolve this issues, manually update the Admin password in the QRadar host CLI. For more information, see DT258627.>/li>
• WinCollect: If you upgrade to QRadar 7.5.0 Update Package 8 and have WinCollect 7.x agents deployed in managed mode, you must install the WinCollect 7.3.1-43 SFS file as outlined in the WinCollect 7.3.1 P3 release notes.
• For the full list of known issues, see the release notes.

• Encryption: Upgrading to RHEL-8 on systems with LUKS encrypted partitions is not supported. For more information see, Hosts with LUKS encryption cannot be upgraded to 7.5.0 Update Pack 8
• Disk space: Leapp pretests fail to ensure if the /storetmp directory has sufficient disk space to store the upgrade cache directory. You must ensure that all appliances have at minimum 10GB of space available in the /storetmp directory before you upgrade to 7.5.0 Update Package 8. For more information, see the QRadar 7.5.0 Update Package 8 release notes.
• HA – Required: Administrators with High Availability (HA) appliances in their deployment must complete a post-installation step that is new in QRadar 7.5.0 Update Package 8. After the update completes, you must complete the procedure outlined in DT365145.
• WinCollect: QRadar 7.5.0 Update Package 8 users with WinCollect 7 must update to the latest version. If you upgrade to QRadar 7.5.0 Update Package 8 and have WinCollect 7.x agents deployed in managed mode, you must install the WinCollect 7.3.1-43 SFS file as outlined in the WinCollect 7.3.1 P3 release notes.
• Apps : Apps might go down during the base image update.
• Data Nodes: When adding a Data Node to a cluster, they must either all be encrypted, or all be unencrypted. You cannot add both encrypted and unencrypted Data Nodes to the same cluster.
• Upgrade: If you are planning to upgrade from any version of QRadar 7.4.2 Fix Pack 2 through to QRadar 7.4.3 Fix Pack 2, contact support. For more information, see IJ44385.
• For the full list of known issues, see the release notes.

• DT257036: Unbound-anchor.service is reaching out publicly to DNS root servers
• DT258217: False-positive offenses are produced after the restart of ecs-ep process
• DT258235: Null Pointer Exception in Regex Monitor causes perfromance issues in event parsing
• DT258345: Re-adding a managed host can appear to be hung at the final step in the ‘Host is Being Added to Deployment’ window
• DT258961: False Positive offenses produced where rules use reference set not conditions
• DT259134: Unknown offense created on destination QRadar when forwarding normalized data from Source QRadar
• DT259571: Dropped events in log source protocol queue after upgrade to QRadar 7.5.0 Up 7
• DT259793: CRE Rule seems to be affecting the parsing of ADE AQL Properties
• DT084375: The managed search results page can be slow to load in QRadar environments with a large amount of Ariel query handles
• DT133052: QRadar – High availability crossover enable fails with ssh StrictHostKeyChecking
• DT256838: 7.5.0 UP7 IF03 Java change causes Amazon Web Service Log Source Type to stop working
• DT251945: Retain option available on freshly installed High Availability (HA) systems from factory reinstall
• DT251920: Time server set during initial installation reset after running qchange
• DT252014: HA Setup fails with “failed to change group ownership error”
• DT252073: QRadar tunnel-monitor service incorrectly attempts to create connections from HA standby appliances
• DT252127: Common rule test ‘Event or flow processed by custom rules engine’ can display a Number Format Exception
• DT252102: When AQL properties created before 7.4.3 exist in the forwarding profile, offline forwarding is slow
• DT252089: Invalid byte sequence for encoding “UTF8” while accessing reference data API or UBA import user
• DT252090: Historical correlation offense summary page can display a ‘file access error’ when viewing grouped events
• DT245546: STIG hardening on QRadar 7.5.0 Update Package 7 might not set a boot password, forcing a reinstall
• DT241221: HA Secondary disk space issues can occur when files for older versions of ECS are not removed
• DT244451: Hostcontext can exceed the default 256MB allocation, leading to out of memory issues on hosts
• DT244446: Custom rules: Match count rules do not trigger as expectedly when used with coalescing log sources
• DT244729: Log File protocol configured to connect with SFTP can stop collecting events unexpectedly in 7.5.0 UP7
• DT252131: Rule Wizard displays a blank pop up for the ‘Name of the flow source is one of these sources’ test
• DT252139: Asset details window does not display the latest email address when changed
• DT252100: Reference Table value incorrectly displayed in the rule responses of the Rule Wizard when edited
• DT259368: QRadar Applications failing to install/update after upgrading to QRadar 7.5.0 UP6
• DT224076: Rule Wizard displays ‘The response count must be 0 or greater’ when enabling response limiters with non-english UI locales
• DT238257: Nightly backups fail if applications are in error status
• DT251980: Rule “Source/Destination asset weight is low” can trigger when weight is higher than the defined parameter

• Encryption: Upgrading to RHEL-8 on systems with LUKS encrypted partitions is not supported. For more information see, Hosts with LUKS encryption cannot be upgraded to 7.5.0 Update Pack 8
• Disk space: Leapp pretests fail to ensure if the /storetmp directory has sufficient disk space to store the upgrade cache directory. You must ensure that all appliances have at minimum 10GB of space available in the /storetmp directory before you upgrade to 7.5.0 Update Package 8. For more information, see the QRadar 7.5.0 Update Package 8 release notes.
• HA – Required: Administrators with High Availability (HA) appliances in their deployment must complete a post-installation step that is new in QRadar 7.5.0 Update Package 8. After the update completes, you must complete the procedure outlined in DT365145.
• WinCollect: QRadar 7.5.0 Update Package 8 users with WinCollect 7 must update to the latest version. If you upgrade to QRadar 7.5.0 Update Package 8 and have WinCollect 7.x agents deployed in managed mode, you must install the WinCollect 7.3.1-43 SFS file as outlined in the WinCollect 7.3.1 P3 release notes.
• Apps : Apps might go down during the base image update.
• Data Nodes: When adding a Data Node to a cluster, they must either all be encrypted, or all be unencrypted. You cannot add both encrypted and unencrypted Data Nodes to the same cluster.
• Upgrade: If you are planning to upgrade from any version of QRadar 7.4.2 Fix Pack 2 through to QRadar 7.4.3 Fix Pack 2, contact support. For more information, see IJ44385.
• For the full list of known issues, see the release notes.

• DT258961: False Positive offenses produced where rules use reference set not conditions.
• DT259571: Dropped events in log source protocol queue after upgrade to QRadar 7.5.0 UP 7.
• DT261291: Qualys and Nessus scans won’t run after installing 7.5.0 UP 7 IF03.

• New: Managed WinCollect 7 agents cannot receive updates from encrypted QRadar Managed Hosts with QRadar 7.5.0 Update Package 7 Interim Fix 05 or later. For more information, see DT269649
• WinCollect: WinCollect 7.x managed agents must upgrade to WinCollect 7.3.1-28 to resolve APAR IJ45285 where new agents or configuration changes cannot be applied without the new version.
• Auto update: Use UpdateConfs.pl -v to confirm your auto update version after you upgrade as it is possible to revert to a previous AU version and experience errors when attempting to update.
• Apps: Before you upgrade, confirm your ftype configuration for Docker services.
• Apps : Apps might go down during the base image update.
• Upgrade: If you are planning to upgrade from any version of QRadar 7.4.2 Fix Pack 2 through to QRadar 7.4.3 Fix Pack 2, contact support. For more information, see IJ44385.
• Secure boot: Hosts with EFI firmware and Secure Boot enabled may become unresponsive. To avoid this problem, you must import the IBM public key contained on the SFS into the system keyring before patching. For more information, see Updating a Secure Boot enabled system

• DT258217: False-positive offenses are produced after the restart of ecs-ep process.
• DT258345: Re-adding host does not close dialog and does not allow remapping components.
• DT259793: CRE Rule seems to be affecting the parsing of ADE AQL Properties.

• WinCollect: WinCollect 7.x managed agents must upgrade to WinCollect 7.3.1-28 to resolve APAR IJ45285 where new agents or configuration changes cannot be applied without the new version.
• Auto update: Use UpdateConfs.pl -v to confirm your auto update version after you upgrade as it is possible to revert to a previous AU version and experience errors when attempting to update.
• Apps: Before you upgrade, confirm your ftype configuration for Docker services.
• Apps : Apps might go down during the base image update.
• Upgrade: If you are planning to upgrade from any version of QRadar 7.4.2 Fix Pack 2 through to QRadar 7.4.3 Fix Pack 2, contact support. For more information, see IJ44385.
• Secure boot: Hosts with EFI firmware and Secure Boot enabled may become unresponsive. To avoid this problem, you must import the IBM public key contained on the SFS into the system keyring before patching. For more information, see Updating a Secure Boot enabled system

• DT252100 | IJ49409: Reference table value incorrectly displayed in the rule responses of the rule wizard when edited
• DT256838: 7.5.0 UP7 IF03 Java change causes Amazon Web Service Log Source Type to stop working

• WinCollect: WinCollect 7.x managed agents must upgrade to WinCollect 7.3.1-28 to resolve APAR IJ45285 where new agents or configuration changes cannot be applied without the new version.
• Auto update: Use UpdateConfs.pl -v to confirm your auto update version after you upgrade as it is possible to revert to a previous AU version and experience errors when attempting to update.
• Apps: Before you upgrade, confirm your ftype configuration for Docker services.
• Apps : Apps might go down during the base image update.
• Upgrade: If you are planning to upgrade from any version of QRadar 7.4.2 Fix Pack 2 through to QRadar 7.4.3 Fix Pack 2, contact support. For more information, see IJ44385.
• Secure boot: Hosts with EFI firmware and Secure Boot enabled may become unresponsive. To avoid this problem, you must import the IBM public key contained on the SFS into the system keyring before patching. For more information, see Updating a Secure Boot enabled system

• IJ48955: Log file protocol configured to connect with sftp can stop collecting events unexpectedly in 7.5.0 UP7.

• WinCollect: WinCollect 7.x managed agents must upgrade to WinCollect 7.3.1-28 to resolve APAR IJ45285 where new agents or configuration changes cannot be applied without the new version.
• Auto update: Use UpdateConfs.pl -v to confirm your auto update version after you upgrade as it is possible to revert to a previous AU version and experience errors when attempting to update.
• Apps: Before you upgrade, confirm your ftype configuration for Docker services.
• Apps : Apps might go down during the base image update.
• Data Nodes: When adding a Data Node to a cluster, they must either all be encrypted, or all be unencrypted. You cannot add both encrypted and unencrypted Data Nodes to the same cluster.
• Upgrade: If you are planning to upgrade from any version of QRadar 7.4.2 Fix Pack 2 through to QRadar 7.4.3 Fix Pack 2, contact support. For more information, see IJ44385.

• IJ48883: Hostcontext can exceed the default 256MB allocation, leading to out of memory issues on hosts.

• WinCollect: WinCollect 7.x managed agents must upgrade to WinCollect 7.3.1-28 to resolve APAR IJ45285 where new agents or configuration changes cannot be applied without the new version.
• Auto update: Use UpdateConfs.pl -v to confirm your auto update version after you upgrade as it is possible to revert to a previous AU version and experience errors when attmpting to update.
• Apps: Before you upgrade, confirm your ftype configuration for Docker services.
• Apps : Apps might go down during the base image update.
• Data Nodes: When adding a Data Node to a cluster, they must either all be encrypted, or all be unencrypted. You cannot add both encrypted and unencrypted Data Nodes to the same cluster.
• Upgrade: If you are planning to upgrade from any version of QRadar 7.4.2 Fix Pack 2 through to QRadar 7.4.3 Fix Pack 2, contact support. For more information, see IJ44385.

• IJ46232: QRadar tunnel-monitor service incorrectly attempts to create connections from HA standby appliances.
• IJ48710: QRadar appliances configured with STIG hardening who upgrade to UP7 must remove a file before you reboot and run the harden utility is resolved in 7.5.0 UP7 IF1.

• WinCollect: WinCollect 7.x managed agents must upgrade to WinCollect 7.3.1-28 to resolve APAR IJ45285 where new agents or configuration changes cannot be applied without the new version.
• Auto update: Use UpdateConfs.pl -v to confirm your auto update version after you upgrade as it is possible to revert to a previous AU version and experience errors when attmpting to update.
• Apps: Before you upgrade, confirm your ftype configuration for Docker services.
• Apps : Apps might go down during the base image update.
• Data Nodes: When adding a Data Node to a cluster, they must either all be encrypted, or all be unencrypted. You cannot add both encrypted and unencrypted Data Nodes to the same cluster.
• Upgrade: If you are planning to upgrade from any version of QRadar 7.4.2 Fix Pack 2 through to QRadar 7.4.3 Fix Pack 2, contact support. For more information, see IJ44385.

• IJ16414: Reports generate with incorrect chart data and column name with some advanced searches (AQL)
• IJ24182: The tzdata DST rules for America/Santiago are out of date and have the incorrect date for switchover to DST.
• IJ29030: Log sources deleted from within log source groups can still appear in the QRadar user interface.
• IJ30347: “There was a problem saving the log source type configuration” after clicking save on the DSM editor page.
• IJ30863: QRadar content pack can cause offenses to be triggered off of source IP instead of custom event property configured in rule.
• IJ35845: Reports can be sent to user addresses in “multiple reports” option when “single report option” is selected.
• IJ35951: Benign error in patches.log file can be observed during or after a QRadar patch or upgrade.
• IJ36270: QRadar patching can fail due to disk space requirements when adequate space is available.
• IJ39393: Routing rule displays a blank page when the install is a software appliance on 7.5.0 UP1.
• IJ39620: Performance issues can occur when QRadar attempts a reload of sensor devices when log sources exceed 2 million.
• IJ39771: Scheduled weekly or monthly reports display “no data for chart” after upgrading to 7.5.0 UP5.
• IJ41206: App install fails during docker build with “an exception occurred while waiting for task to complete” error.
• IJ43426: Sorting by column in the offenses tab removes search filters.
• IJ43432: Tomcat might go out of memory during deployments when the user has millions of log sources.
• IJ43805: System notification displays incorrect message when the tomcat certificate is due to expire.
• IJ43957: Poor scalability in referencedata cache resulting in degrading search performance when using filters and tests.
• IJ44269: Users unable to export license information from QRadar Console GUI.
• IJ44724: QRadar asset creation events can display a generic identity:0 in the created by field for asset profiler events.
• IJ44868: Upgrade can complete and display an error about a custompropertiesscript trying to insert or update a table.
• IJ45396: Offense search can add unexpected filters to the current search parameters after closing an offense.
• IJ45679: Services can experience out of memory issues due to large certificate revocation lists (CLRS).
• IJ45735: Reports tab can display as blank if the template file for a removed user is missing.
• IJ45829: Rule wizard cannot transition to the next page properly when rule response updates a reference table.
• IJ45914: QRadar system anomaly detection engine (ADE) rules can generate extra rules when modified multiple times.
• IJ45926: Anomaly rule enabling “test the [this accumulated property] value of each log source separately” displays application error.
• IJ46116: Offense summary for match count rules does not return all results for the event/flow count field.
• IJ46159: Rule tests with multiple reference set values can display “an error has occurred saving your rule”.
• IJ46184: QFlow collectors and processors in different domains can experience connection issues.
• IJ46231: Upgrading a detached app host appliance fails as the upgrade is waiting on docker and conman services.
• IJ46298: Standby HA appliances can run keystore certificate validator on inactive hosts causing benign log messages.
• IJ46916: Log activity tab can display event ID and category as N/A when the payloads are parsed and mapped correctly.
• IJ46986: Users cannot open the rules wizard from the offenses tab on QRadar 7.5.0 Update Package 6.
• IJ47011: Applications might fail to restart after apphost upgraded from UP5 to UP6.
• IJ47032: Unknown or stored events can route incorrectly to the sim generic log source in QRadar 750 UP4 and later.
• IJ47046: Reference data import fails with numberformatexception due to invalid number converter.
• IJ47049: Risks tab might not load after an upgrade to QRadar 7.5.0 UP6.
• IJ47129: Events can stop processing when pipelinediskmonitor detects the disk spillover threshold is crossed.
• IJ47194: Reports that use the “include date in email subject only” does not behave as expected.
• IJ47404: Ariel processes might not allocate enough memory for memory-heavy operations, causing slower searches.
• IJ47468: Advanced searches (AQL) that use the “in” operator do not use indexes as expected.
• IJ47587: Rule wizard for ADE rules does not preserve the state of the “test separately” check box.
• IJ47623: Completing a pretest with the installer -T command can cause Network Insights forensics issues.
• IJ47894: Scheduled daily reports do not generate on a weekend as expected.
• IJ45775: QRadar cannot log in while the LDAP server is unresponsive, which can lead to tomcat errors.
• IJ46702: PCAP data not stored in ariel or displayed after an upgrade to QRadar 7.5.0 update package 2 or later.
• IJ46928: QRadar applications can get stuck in an error state after an upgrade to 7.5.0 update package 6.
• IJ48422: QFlow services can experience service start or restart issues due to libpcap update for older avx2 processors.
• IJ48423: User management window does not display as expected from the Admin tab when the language preference is non-English

• IMPORTANT: Administrators need to confirm their managed hosts are encrypted before you upgrade to QRadar 7.5.0 Update Package 7 to prevent a known issue with deploys documented as IJ49176/DT247083.
• IMPORTANT: QRadar appliances configured with STIG hardening who upgrade to UP7 must remove a file before you reboot and run the harden utility.
• WinCollect: WinCollect 7.x managed agents must upgrade to WinCollect 7.3.1-28 to resolve APAR IJ45285 where new agents or configuration changes cannot be applied without the new version.
• Auto update: Use UpdateConfs.pl -v to confirm your auto update version after you upgrade as it is possible to revert to a previous AU version and experience errors when attmpting to update.
• Apps: Before you upgrade, confirm your ftype configuration for Docker services.
• Apps : Apps might go down during the base image update.
• Data Nodes: When adding a Data Node to a cluster, they must either all be encrypted, or all be unencrypted. You cannot add both encrypted and unencrypted Data Nodes to the same cluster.
• Upgrade: If you are planning to upgrade from any version of QRadar 7.4.2 Fix Pack 2 through to QRadar 7.4.3 Fix Pack 2, contact support. For more information, see IJ44385.

• IJ46184: QFlow collectors and processors in different domains can experience connection issues
• IJ47032: Unknown or stored events can route incorrectly to the SIM generic log source in QRadar 7.5.0 UP4 and later
• IJ43957: Poor scalability in referencedata cache resulting in degrading search performance when using filters and tests

• Upgrade: Upgrades to QRadar 7.5.0 UP6 might take an extended amount of time to complete due to glusterfs file cleanup. You must allow the upgrade to continue uninterrupted.
• WinCollect: WinCollect 7.x managed agents must upgrade to WinCollect 7.3.1-28 to resolve APAR IJ45285 where new agents or configuration changes cannot be applied without the new version.
• Auto update: Use UpdateConfs.pl -v to confirm your auto update version after you upgrade as it is possible to revert to a previous AU version and experience errors when attmpting to update.
• Apps: Before you upgrade, confirm your ftype configuration for Docker services.
• Apps might go down during the base image update.
• When adding a Data Node to a cluster, they must either all be encrypted, or all be unencrypted. You cannot add both encrypted and unencrypted Data Nodes to the same cluster.
• If you are planning to upgrade from any version of QRadar 7.4.2 Fix Pack 2 through to QRadar 7.4.3 Fix Pack 2, contact support. For more information, see IJ44385.

• IJ47468: Advanced searches (AQL) that use the “IN” operator do not use indexes as expected.
• IJ45926: Anomaly rule enabling “Test the [this accumulated property] value of each log source separately” displays application error.
• IJ45829: Rule wizard cannot transition to the next page properly when rule response updates a reference table.
• IJ47587: ADE rule “Test Separately” checkbox setting not preserved when reopening the rule.

• Upgrade: Upgrades to QRadar 7.5.0 UP5 might take an extended amount of time to complete due to glusterfs file cleanup. You must allow the upgrade to continue uninterrupted.
• WinCollect: WinCollect 7.x managed agents must upgrade to WinCollect 7.3.1-28 to resolve APAR IJ45285 where new agents or configuration changes cannot be applied without the new version.
• Auto update: Use UpdateConfs.pl -v to confirm your auto update version after you upgrade as it is possible to revert to a previous AU version and experience errors when attmpting to update.
• Apps: Before you upgrade, confirm your ftype configuration for Docker services.
• Apps might go down during the base image update.
• When adding a Data Node to a cluster, they must either all be encrypted, or all be unencrypted. You cannot add both encrypted and unencrypted Data Nodes to the same cluster.
• If you are planning to upgrade from any version of QRadar 7.4.2 Fix Pack 2 through to QRadar 7.4.3 Fix Pack 2, contact support. For more information, see IJ44385.

• IJ47049: Risks tab might not load after an upgrade to QRadar 7.5.0 Update Package 6.

• WinCollect: WinCollect 7.x managed agents must upgrade to WinCollect 7.3.1-28 to resolve APAR IJ45285 where new agents or configuration changes cannot be applied without the new version.
• Auto update: Use UpdateConfs.pl -v to confirm your auto update version after you upgrade as it is possible to revert to a previous AU version and experience errors when attmpting to update.
• Apps: Before you upgrade, confirm your ftype configuration for Docker services.
• Apps might go down during the base image update.
• When adding a Data Node to a cluster, they must either all be encrypted, or all be unencrypted. You cannot add both encrypted and unencrypted Data Nodes to the same cluster.
• If you are planning to upgrade from any version of QRadar 7.4.2 Fix Pack 2 through to QRadar 7.4.3 Fix Pack 2, contact support. For more information, see IJ44385.

Other notices
• Precheck added for postgresql 11 migration.
• Fixing browser certificate warnings. In QRadar 7.5.0 Update Package 5, vault has been replaced by QRadar Certificate Authority (CA) and intermediate CA.
• Upgrading SOAR app might be required.
• You can now add QNI hosts to the Data Synchronization app.

• IJ29153: The /var/log partition can fill up due to the tomcat2.log file not being rotated.
• IJ30091: Editing a managed host in a NAT group generates message “IP for host already exists in deployment”.
• IJ30703: Removing a failed QRadar app upgrade by using extensions management also removes the existing running installation.
• IJ31092: QRadar patching can fail due to a free space check that fails.
• IJ33166: Aggregated searches are showing the wrong flag for some IP addresses.
• IJ34647: Upgrading to QRadar 7.4.3 results in a list of deprecated custom event properties being displayed.
• IJ35016: Overridden identity properties can fail to display as expected in the log activity tab.
• IJ35774: Out of memory for decapper on QRadar Network Insights host can occur in advanced inspection level.
• IJ39771: Scheduled reports can run on raw data causing them to fail or take longer than expected to complete.
• IJ39814: Postgresql uninstalled after hostservices restarts on standby high availability managed host.
• IJ40522: Anomaly issues in 7.5.0 UP2 prevent rules wizard from launching and effects offense creation.
• IJ41830: Truncated NVA configuration file can cause failures on deployed managed hosts.
• IJ42465: Applications can time out or fail to load due to conman-mks secret encryption performance.
• IJ43771: Offense emails might not send when custom properties in the agent-config.xml template use curly quotations.
• IJ43779: High availability setup can fail when primary and secondary IP addresses are too similar.
• IJ44076: After upgrading to 7.5.0, known_hosts keys can be removed unexpectedly causing SSH errors.
• IJ44383: A user custom event property (CEP) can incorrectly display the owner as admin in the user interface.
• IJ44384: Copying a custom property can incorrectly assign the original CEP owner (admin) to a new user.
• IJ44435: QRoC SAASADMIN role unable to list all users associated with an asset.
• IJ44580: QRadar apps fail to start or stop after editing an app host setting to disable encryption.
• IJ44597: Application-related issues might occur due to docker keystore error.
• IJ44637: Domain permission checks can impact performance in the CRE and might send events to store.
• IJ44654: “Exception reading CRE rules” error in rules used in cause and effect tests due to NullPointerException.
• IJ44655: Last 30 days in saved search AQL query is searching for information for 5 years.
• IJ44661: QRadar namevaluepairparser can experience errors when the last value contains pair separator.
• IJ44726: “Top category type” dashboard can cause performance issues, leading to Tomcat (UI) instability.
• IJ45127: Radius authentication fails in 7.5.0 UP4 due to invalid attributes in configuration file.
• IJ45153: QNI suspect content descriptions for cert flows can be “certificate invalid” if message header timestamp is invalid.
• IJ45353: Console configuration changes in deployment actions can cause global rule issues.
• IJ45383: Rule wizard interface refreshes unexpectedly when there is a valid QVM license but no assigned QVM component.
• IJ45452: Daily reports run out of schedule and can ignore the wizards settings.
• IJ45552: Inconsistent JSON custom property parsing for optimized payloads with double backslash characters.
• IJ45660: Rule changes from the console might be rejected by the managed host when IMQ message queue is full.
• IJ45736: QRadar unparsed logs incorrectly go to the consoles SIM generic log source.
• IJ45778: Optimized JSON custom event properties with backslashes parse as N/A in the user interface.
• IJ45878: QRadar upgrades to 7.5.0 Update Package 5 can take an extended amount of time to complete.
• IJ45913: Custom event property definition window displays empty “field type” when creating new CEP.
• IJ46246: File names from SMTP email traffic attachments are not reported in QNI 7.5.0.
• IJ46357: Geographic data rules cause search and event pipeline issues when the location cache exceeds the spillover threshold.
• IJ46418: Tuning changes can slow ecs-ec components resulting in delays and events routing to storage.
• IJ46619: Enabled geographic data indexes can cause performance issues in QRadar 7.5.0 UP5.

• CVE-2020-35491, CVE-2018-7489, CVE-2020-35490, CVE-2020-36518, CVE-2020-11971, CVE-2020-13955, CVE-2022-39135.
• CVE-2023-26276.
• CVE-2023-26273.
• CVE-2023-26274.
• CVE-2022-34352.

• Upgrade: QRadar Risk Manager Risks tab might not load after an upgrade to QRadar 7.5.0 Update Package 6.
• Upgrade: Upgrades to QRadar 7.5.0 UP6 might take longer to complete due to glusterfs file cleanup
• WinCollect: WinCollect 7.x managed agents must upgrade to WinCollect 7.3.1-28 to resolve APAR IJ45285 where new agents or configuration changes cannot be applied without the new version.
• Auto update: Use UpdateConfs.pl -v to confirm your auto update version after you upgrade as it is possible to revert to a previous AU version and experience errors when attmpting to update.
• Apps: Before you upgrade, confirm your ftype configuration for Docker services.
• Apps : Apps might go down during the base image update.
• Data Nodes: When adding a Data Node to a cluster, they must either all be encrypted, or all be unencrypted. You cannot add both encrypted and unencrypted Data Nodes to the same cluster.
• Upgrade: If you are planning to upgrade from any version of QRadar 7.4.2 Fix Pack 2 through to QRadar 7.4.3 Fix Pack 2, contact support. For more information, see IJ44385.

• IJ45736: QRadar unparsed logs incorrectly go to the consoles SIM generic log source.
• IJ46357: Geographic data rules cause search and event pipeline issues when the location cache exceeds the spillover threshold.
• IJ46418: Tuning changes can slow ecs-ec components resulting in delays and events routing to storage.
• IJ46619: Enabled geographic data indexes can cause performance issues in QRadar 7.5.0 UP5

• Upgrade: Upgrades to QRadar 7.5.0 UP5 might take an extended amount of time to complete due to glusterfs file cleanup. You must allow the upgrade to continue uninterrupted.
• WinCollect: WinCollect 7.x managed agents must upgrade to WinCollect 7.3.1-28 to resolve APAR IJ45285 where new agents or configuration changes cannot be applied without the new version.
• Auto update: Use UpdateConfs.pl -v to confirm your auto update version after you upgrade as it is possible to revert to a previous AU version and experience errors when attmpting to update.
• Apps: Before you upgrade, confirm your ftype configuration for Docker services.
• Apps might go down during the base image update.
• When adding a Data Node to a cluster, they must either all be encrypted, or all be unencrypted. You cannot add both encrypted and unencrypted Data Nodes to the same cluster.
• If you are planning to upgrade from any version of QRadar 7.4.2 Fix Pack 2 through to QRadar 7.4.3 Fix Pack 2, contact support. For more information, see IJ44385.

• IJ29512: High Availability (HA) restore process allows a primary to be rebuilt as a secondary 500 appliance
• IJ43705: QRadar.jsp call to licensekeymanager.arelicensesvalid() causes a delay on login for customers having multiple managed hosts
• IJ43767: Users patching from QRadar 7.3.2 or 7.4.3 to QRadar 7.5.0 might experience longer patch times than expected
• IJ44257: Reference data API source response does not reflect the requested API source value
• IJ44481: Use case manager exports fail while session was in an open transaction state
• IJ45191: Offense summary page event/flow count field does not match the event count in log activity

Note: These issues were closed in 7.5.0 Upgrade Pack 5 and backported to 7.4.3 Fix Pack 9.

• WinCollect: WinCollect 7.x managed agents must upgrade to WinCollect 7.3.1-28 to resolve APAR IJ45285 where new agents or configuration changes cannot be applied without the new version.
• Apps: A flash notice exists for this issue that impacts Docker services. Users must confirm ftype configuration before you upgrade.
• Auto updates: Verify your auto update version after you upgrade as some users reported the version can be reverted to a version prior to 9.16 (latest), leading to auto update problems.
• App Host cannot commnicate to Console when connection is firewalled.
• Apps might go down during base image.
• When adding a Data Node to a cluster, they must either all be encrypted, or all be unencrypted. You cannot add both encrypted and unencrypted Data Nodes to the same cluster.
• Kernel crash can affect UEFI systems in QRadar 7.4.2 Fix Pack 2 through to QRadar 7.4.3 Fix Pack 2. If you are planning to upgrade from any version of QRadar 7.4.2 Fix Pack 2 through to QRadar 7.4.3 Fix Pack 2, contact support or see IJ44385.

Other notices
• Precheck added for postgresql 11 migration.
• Fixing browser certificate warnings. In QRadar 7.5.0 Update Package 5, vault has been replaced by QRadar Certificate Authority (CA) and intermediate CA.
• Upgrading SOAR app might be required.
• You can now add QNI hosts to the Data Synchronization app.

• IJ44481: USE CASE MANAGER EXPORTS FAIL WHILE SESSION WAS IN AN OPEN TRANSACTION STATE
• IJ44535: APPLICATIONS MIGHT FAIL TO INSTALL BECAUSE THE APPLICATION START TIME EXCEED 500 SECONDS
• IJ45191: OFFENSE SUMMARY PAGE EVENT/FLOW COUNT FIELD DOES NOT MATCH THE EVENT COUNT IN LOG ACTIVITY

• Important: A flash notice exists for this issue that impacts Docker services. Users must confirm ftype configuration before you upgrade.
• Important: Use UpdateConfs.pl -v to confirm your auto update version after you upgrade as it is possible to revert to a previous AU version and experience errors when attmpting to update.
• App Host cannot commnicate to Console when connection is firewalled.
• Apps might go down during base image.
• When adding a Data Node to a cluster, they must either all be encrypted, or all be unencrypted. You cannot add both encrypted and unencrypted Data Nodes to the same cluster.

Known issues
• Precheck added for postgresql 11 migration.
• New certificate files to fix browser security warning.
• Upgrading SOAR app might be required.
• Adding QNI hosts to the Data Synchronization app.

• IJ41613: TIMEZONE CANNOT BE CHANGED FROM UI AND SYSTEM TIME SETTINGS UI TAB MIGHT FAIL TO LOAD
• IJ41234: DEPLOY CHANGES CAN ERROR OUT IF THE SERVER TABLE HAS A NON FULLY QUALIFIED DOMAIN NAME
• IJ29592: ‘APPLICATION ERROR’ OCCURS AFTER AN EXTENDED PERIOD OF TIME WHEN ATTEMPTING TO LOAD THE OFFENSE PAGE
• IJ29374: OFFENSE RULE USING ‘AND WHEN THE DESTINATION LIST INCLUDES ANY OF THE FOLLOWING A.B.C.D/E’ TEST WITH PUBLIC IP DOES NOT TRIGGER
• IJ39549: QRADAR RISK MANAGER: /QRM/SRM_UPDATE_1138.SQL CAN CAUSE 7.5.0 UP1 UPGRADE TO FAIL ON HOSTS WHERE REQUIRED INDEX DOESN’T EXIST
• IJ39256: BIND CREDENTIAL FOR LDAP REPOS CLEARS IF SAVED WITHOUT SUCCESSFUL CONNECTION TEST

Note: These issues were closed in 7.5.0 Upgrade Pack 4 and backported to 7.4.3 Fix Pack 8.

• IBM QRADAR SIEM INCLUDES MULTIPLE COMPONENTS WITH KNOWN VULNERABILITIES
• IBM QRADAR SIEM IS VULNERABLE TO INFORMATION EXPOSURE (CVE-2022-34351)
• IBM QRADAR SIEM IS VULNERABLE TO POSSIBLE INFORMATION DISCLOSURE (CVE-2023-22875)

• ErrorStream log messages (IJ33650)
• Kernel crash can affect UEFI systems in 7.4.2 FP2 to 7.4.3 FP2 and might require support assistance (IJ44385)

• IBM QRADAR SIEM INCLUDES MULTIPLE COMPONENTS WITH KNOWN VULNERABILITIES
• IBM QRADAR SIEM IS VULNERABLE TO INFORMATION EXPOSURE (CVE-2022-34351)

• Important: Flash Notice: After upgrading to 7.5.0 UP4, WinCollect 7.x agents can experience management or configuration change errors (IJ45284)
• Important: Flash Notice: Before upgrading users must confirm ftype configuration to prevent a potential Docker service issue.
• Important: Use UpdateConfs.pl -v to confirm your auto update version after you upgrade as it is possible to revert to a previous AU version and experience errors when attmpting to update.
• App Host cannot commnicate to Console when connection is firewalled.
• Apps might go down during base image.
• When adding a Data Node to a cluster, they must either all be encrypted, or all be unencrypted. You cannot add both encrypted and unencrypted Data Nodes to the same cluster.

Known issues
• Precheck added for postgresql 11 migration.
• New certificate files to fix browser security warning.
• Upgrading SOAR app might be required.
• Adding QNI hosts to the Data Synchronization app.

• Important: A flash notice exists for this issue that impacts Docker services as APAR IJ41796. Users must confirm ftype configuration before you upgrade.
• An upgrade precheck added for postgresql 11 migration to confirm disk space.
• New certificate files to fix browser security warning.
• Upgrading SOAR app might be required.
• Adding QNI hosts to the Data Synchronization app.

Known issues
• App Host cannot commnicate to Console when connection is firewalled.
• Apps might go down during base image.

• Important: A flash notice exists for this issue that impacts Docker services as APAR IJ41796. Users must confirm ftype configuration before you upgrade.
• An upgrade precheck added for postgresql 11 migration to confirm disk space.
• New certificate files to fix browser security warning.
• Upgrading SOAR app might be required.
• Adding QNI hosts to the Data Synchronization app.

Known issues
• App Host cannot commnicate to Console when connection is firewalled.
• Apps might go down during base image.

• Important: A flash notice exists for this issue that impacts Docker services. Users must confirm ftype configuration before you upgrade.
• Precheck added for postgresql 11 migration.
• New certificate files to fix browser security warning.
• Upgrading SOAR app might be required.
• Adding QNI hosts to the Data Synchronization app.

Known issues
• App Host cannot commnicate to Console when connection is firewalled.
• Apps might go down during base image.

• Important: A flash notice exists for this issue that impacts Docker services. Users must confirm ftype configuration before you upgrade.
• Precheck added for postgresql 11 migration.
• New certificate files to fix browser security warning.
• Upgrading SOAR app might be required.
• Adding QNI hosts to the Data Synchronization app.

Known issues
• App Host cannot commnicate to Console when connection is firewalled.
• Apps might go down during base image.

• Precheck added for postgresql 11 migration.
• New certificate files to fix browser security warning.
• Upgrading SOAR app might be required.
• Adding QNI hosts to the Data Synchronization app.

Known issues
• App Host cannot commnicate to Console when connection is firewalled.
• Apps might go down during base image.

• QRadar 7.3.3 Fix Pack 11 runs on Red Hat® Enterprise Linux® version 7.9.
• QIF deployments must upgrade to QRadar 7.3.1 or later.
• The Offenses API is updated to include two new fields: first_persisted_time & last_persisted_time.
• Active Directory module changes.

• Precheck added for postgresql 11 migration.
• New certificate files to fix browser security warning.
• Upgrading SOAR app might be required.
• Adding QNI hosts to the Data Synchronization app.

Known issues
• App Host cannot commnicate to Console when connection is firewalled.
• Apps might go down during base image.

This is a icon-only