QRadar 101

A one-stop experience to help you navigate through content available for supporting QRadar.

News and Notices

Master Skills University 2022

Registration open: Master Skills University 2022 is back with an upcoming live event on 12-15 September! Join QRadar development, support, and experts to sharpen your skills and deepen your knowledge of IBM Security solutions through demos, lectures, and labs. Register today to sign up for either the QRadar basic or advanced skills track.

Register for MSU 2022

QRadar console-only disaster failover documentation

3 August 2022: New documentation is available for administrators with disaster failover consoles. Administrators with a console that includes a special DR license can use the updated procedures to switch control from the main site to the destination and back again. This documentation only applies to QRadar SIEM administrators with a second console that has a DR license applied.

QRadar console-only disaster failover procedures

QRadar 7.3.x end of life

1 August 2022: QRadar 7.3.x versions are going end of life on 30 September 2022. Administrators on QRadar 7.3.x versions need to start planning an upgrade from 7.3.3 to 7.4.3 or 7.5.0. QRadar Support recently published a technical note to notify administrators of these upcoming changes.

QRadar 7.3.x end of support | QRadar Lifecycle

QRadar 7.4.3 Amazon Machine Image

28 July 2022: A new Amazon Marketplace Image is available to download for QRadar version 7.4.3. This image is a single install file that can be used to easily install an all-in-one Console or create a distributed deployment with a Console appliance, Event Collectors, Event Processors, App Host, Data Nodes, Network Insights, and more.

Installation information | Download

Cisco Secure Email

21 July 2022: A new application is available for Cisco Secure Email on the IBM X-Force App Exchange to provide mail summaries to administrators. The application provides new reports that allow administrators to easily visualize email threat reports and message tracking details, to assist email admins when searching for messages with criteria.

Cisco Secure Email app

Microsoft Defender

15 July 2022: The QRadar development team recently updated the QRadar Custom Properties for Microsoft 365 Defender content pack to include Alert IDs and update regex parsing performance for the Process ID custom property. Administrators who monitor endpoints and collect Microsoft Defender events should install or update their content pack to the latest available version.

Microsoft 365 Defender content pack


Support Top Technotes

Auto Updates

Current: 23 July 2022

View More Updates

Resolves an issue where AlertInfo events were categorized as ‘Stored’ when the payload contains ‘Title:’ in front of the event message. The change allows events to successfully parse, but some Microsoft Defender events can still be categorized as unknown when alerts are sent from outside services to Microsoft Defender. To further assist users with confusion around unsupported service events, an enhancement to the event category now displays outside source names as ‘Unknown [Service Source] Alert’, such as ‘Unknown Microsoft Cloud App Security Alert’. Administrators who experience events from outside services must map these unknown events in the DSM Editor.

Resolves multiple issues in the Linux OS DSM:

  1. Added parsing support for authentication events that can be sent with a new event format.
  2. Updated parsing performance for authentication failure events.
  3. Enhanced the Linux OS DSM to add parsing support for system-d core dump events.
  4. Resolves an issue where username values that include curly brackets, such as ‘${username’, did not capture the full username, only the dollar-sign value.
  5. An event parsing dependency exists between the Linux OS DSM RPM and DSM Common. If you manually install RPM files from IBM Fix Central, you must install the latest version of DSM Common on the Console appliance, then install the Linux OS DSM.

Resolves multiple issues in the Palo Alto Networks PA Series DSM:

  1. Resolves an issue where the DSM can parse events as ‘Stored’ when they contained x7c in the LEEF payload.
  2. Enhanced the DSM to add a category for unknown PA Series Threat events, such as ‘Unknown PA Series Threat – Spyware’. The purpose of this change is to identify and differentiate between Palo Alto unknown threat events and events where the DSM parses and sets the EventID value as unknown.
  3. Enhanced the parsing for ‘PA Series Threat’ events to ensure the DSM successfully parses events and assigns categories when the thread_ID value is not provided in brackets in the payload.

Resolved an issue in the Cisco CatOS for Catalyst Switches DSM to properly capture usernames encapsulated in single quotes.

Enhanced the DSM Common framework with several updates:

  1. Support changes in the Linux OS DSM for authentication event format changes, parsing performance improvements, and username parsing patterns.
  2. Support parsing changes in the Palo Alto PA Series DSM.

Note: A parsing dependency exists between the Linux OS and Palo Alto PA Series DSM and the DSM Common framework. If you manually install RPM files from IBM Fix Central, you must install the latest version of DSM Common on the Console appliance, then install the Linux OS DSM to ensure all parsing changes are applied.

What’s New in QRadar v7.5.0?


Operational improvements

  • Operating system updated to Red Hat® Enterprise Linux® version 7.9.
  • Local Only authentication allows administrators to prevent unintended access to users with accounts in external authentication systems.
  • Use secure boot to ensure that only trusted kernels and kernel modules are loaded
  • Two new offense rule tests: ‘when an offense is closed’ and ‘when an offense is modified’
  • A new AQL OFFENSE_TIME function to increase the speed of your offense queries
  • A new AQL DISTINCTCOUNT function to return the unique count of the value in an aggregate
  • Encryption of managed hosts enabled by default

Flow Improvements

  • Support for IPFIX bidirectional flows
  • Multi-threaded processing for external flow sources
  • Sequence number verification
  • Support for Network Address Translation fields from IPFIX and NetFlow v9
  • New application determination algorithms
  • Support for more fields from AWS VPC flow logs
  • Alias Autodetection field is renamed to DNS lookup for Alias Autodetection
  • Flow direction algorithms are now applied at the beginning of the flow parsing process
  • You can no longer delete the ‘Uncategorized’ category for tagged flow fields from your system
  • Only relevant IPFIX fields are encoded into the payload and extra fields are added as TLV elements

What is Changed or Removed?

The default hashing algorithm is changed to SHA-512 for all Ariel hashing. Several algorithms, such as MD-2, MD-5, and HMAC-MD5, are removed.

QRadar Network Insights

  • Network inspection performance
  • Performance improvements for the QRadar Network Insights 6500 appliance
  • Modified process for identifying file types
  • More integration with IBM X-Force
  • Improved application detection
  • Data aggregation and segmentation improvements
  • Some inspectors are no longer supported, such as web domain, Myspace protocol, and SPDY.

QRadar Incident Forensics

During the upgrade to QRadar Incident Forensics 7.5.0, case data is exported and then imported back into the QRadar Incident Forensics managed host. As a result, the upgrade process takes longer to complete than in previous releases.

QRadar Vulnerability Manager and Risk Manager

Vulnerability data scores and metric values are returned as CVSS version 3.0 or 3.1.

Upgrade release notes | New installation release notes | Upgrade Guide | What’s new

What’s New in QRadar v7.4.3?

Operational Efficiency

The operational efficiency improvements in QRadar 7.4.3 include adjusting the Asset Cleanup Batch Size Threshold.

Flow Improvements

  • Support for ICMPv6 ICMP messages
  • New inspector for Kerberos
  • New inspector for TFTP
  • New “Flow Source Types” field
  • Support for more fields from AWS Flow Logs
  • New API for managing flow applications
  • New API for managing common destination ports
  • Improvements to the Ariel Tagged Fields API

What is Changed or Removed?

  • You can now set your own password for encrypted log files
  • Any authorized services with the “System Administrator” permission are expired, unless they are assigned to the “Admin” security profile
  • Several custom properties were either renamed or merged together

QRadar Network Insights

  • Simplified installation process
  • Deprecation notice for some inspectors

QRadar Incident Forensics

  • A new Kerberos inspector is available to parse Kerberos traffic that is sent to trusted third-party authentication providers.
  • A new inspector for Trivial File Transfer Protocol (TFTP) network traffic.

SFS Release notes | ISO Release notes | Upgrade Guide | What’s new

What’s New in QRadar v7.4.2?

Operational Efficiency

Adjusting the number of MAC addresses allowed for an asset

DSM Editor Enhancements

Generating regex for parsing event properties

Flow Improvements

  • MAC address support
  • Accumulated byte and packet counters
  • New “Common Destination Port” flow direction algorithms

What is Changed or Removed?

  • User authentication with Active Directory (AD) is no longer supported
  • GlusterFS no longer supported

QRadar Network Insights

  • Support for 40 Gbps connectivity
  • QRadar Network Insights 1940 appliance stacking
  • Content flows are more easily identified
  • New TCP flow direction algorithms
  • Easily determine the direction of a content flow
  • More descriptive entity alerts

SFS Release notes | ISO Release notes | Upgrade Guide | What’s new

What’s New in QRadar v7.4.1?

DSM Editor Enhancements

  • Parsing status is color coded in the user interface to display unparsed and unmapped data
  • An Override Delimiter option allows users to parse multiline event payloads more easily in the DSM Editor
  • Event ID and Event Category fields copied to Event Mapping

Workflow Enhancements

  • IBM QRadar Use Case Manager app installed by default
  • QRadar Analyst Workflow to help you investigate offenses

Security Enhancements

  • The core Operating System is updated to Red Hat Enterprise Linux® V7.7

Flow Sources Improvements

  • Support for the flow ID field in NetFlow V9 flow records
  • Support for 40 Gbps Napatech card

SFS Release notes | ISO Release notes | Upgrade Guide | What’s new

What’s New in QRadar v7.4.0?

Performance Enhancements

  • Enhanced parsing support for XML events in the DSM Editor
  • Combined IPv4 & IPv6 columns to allow for more performant APIs and UIs
  • Added support for DSM Parameters in the DSM Editor
  • New event details provide extra context to how events are processed.

Application & Framework Enhancements

  • Apps can now run in multi-tenanted environments
  • Log Source Management app, now multi-tenanted
  • QRadar Assistant app can now manage installed applications
  • Pulse Dashboard V2.2 is now multi-tenanted and supports dashboard sharing

Security Enhancements

  • QRadar 7.4 is upgraded to Red Hat Enterprise Linux V7.6
  • SSH tunnel between two managed hosts can now be initiated from the remote host instead of the local host
  • A secure email server update allows you to send alerts, reports, or notifications with SMTP authentication and TLS

API & Core Improvements

  • Content Management Export API expands the ability to export Custom Rules, Custom Searches, Reports, and required dependencies
  • Dynamic Search API allows users to complete advanced queries using a selection of fields available in the Offenses Rest API
  • Offense related searches possible in the Dynamic Search API
  • QRadar V7.4.0 introduces API V13.0 and marks V11.0 endpoints as deprecated

Release notes | Upgrade Guide | What’s new

What’s New in QRadar v7.3.3?

Performance Enhancements

  • Enhanced parsing support for Name Value Pair events in the DSM Editor
  • Enhanced parsing support for Generic List events
  • Removing reference data when you uninstall a content extension
  • Export content faster in the DSM Editor

Security Enhancements

Inactivity timeout for user accounts

As an administrator, if you have users who require longer periods of inactivity before they are logged out of the system, you can configure their inactivity timeout threshold individually. The default is 30 minutes.

Flow Improvements

  • A new Flow Aggregation Count field displays a total number for each flow that contributed.
  • VXLAN flow information now available
  • Flow ID enhancements now give unique values to the flow session

QRadar Network Insights

  • New inspector for Remote Desktop Protocol (RDP)
  • New inspector for Berkeley remote commands
  • Protocol name and version information is now available
  • TLS inspector now extracts more data

Release notes | Upgrade Guide | What’s new


QRadar events and webinars

Events and webinars are hosted by QRadar experts to discuss technical topics or present content teams feel is beneficial to users and administrators.


Open mic events are hosted by QRadar Support to discuss technical topics or present content we feel is beneficial to users. Join an open mic to learn about a topic, ask questions of panelists, and learn about QRadar.

IBM prides itself on delivering world class software support with highly skilled, customer-focused people. QRadar Support is available 24×7 for all high severity issues. For QRadar resources, technical help, guidance, and information, see our QRadar Support 101 pages.

Contact Support

Find your regional support contact
