QRadar 101

A one-stop experience to help you navigate through content available for supporting QRadar.

News and Notices

QRadar 7.5.0 Update Package 7 is released

25 Sept: New software is available for QRadar users with the release of QRadar 7.5.0 Update Package 7. This release resolved 48 reported issues. An SFS for upgrades and an ISO for new appliance installs are available for users to download. IMPORTANT: Administrators who upgrade QRadar appliances configured with STIG hardening to UP7 must remove a file before they reboot and run the harden utility.

QRadar Software 101

WinCollect 10.1.7 is released

30 Aug: Administrators with stand-alone WinCollect agents can upgrade to the latest released version, which is 10.1.7. This release resolved five important issues for administrators, such as virtual account install issues on Domain Controllers and non-English operating systems, an AD lookup configuration problem, issues collecting logs for ‘restricted group’ policies, and an installation issue for non-C drive installations.

Download WinCollect 10.1.7 Release notes

QRadar 7.5.0 Update Package 6 IF4 is released

24 Aug: QRadar 7.5.0 Update Package 6 Interim Fix 4 is released for users. This update pack fixes three important issues for QRadar, such as a Traffic Analysis issue that can send events to SIM Generic unexpectedly, a performance issue around scalability of large reference sets, and a QFlow connection issue where Flow Processor appliances are in a different domain.

Note: For users on QRadar 7.5.0 Update Package 6, Interim Fix 1, or Interim Fix 2, there was no IF3 release posted to IBM Fix Central. The IF3 version number was skipped for a new build and released as IF4.

See QRadar Software 101 for more information

New code signing tool released

23 July: A new version of the QRadar code signing tool is released for users on QRadar 7.5.0 Update Package 6 and later. Version 1.0.1 is posted to IBM Fix Central so that users can verify that software downloaded through IBM Fix Central is signed by IBM Development before they install an update. The code signing utility includes a certificate bundle and a verify_signature tool that can be used to validate that the downloaded file matches the public signature posted on IBM Fix Central.

Read more: 1.0.1 for 7.5.0 UP6 and later; 1.0.0 for 7.5.0 UP5 and earlier

WinCollect 10.1.6 posted to Fix Central

13 July: WinCollect 10.1.6 is posted to IBM Fix Central to resolve an upgrade issue reported in APAR IJ47572. Users reported an installation issue when installing WinCollect 10.1.5 for the first time on a Windows host or when upgrading from 10.1.3 or earlier directly to 10.1.5. Users who downloaded WinCollect 10.1.5 can get the latest version from IBM Fix Central to avoid upgrade errors.

Download WinCollect 10.1.6 Release Notes APAR IJ47572

Now available: QRadar 7.5.0 UP6 and Interim Fix 2

10 July: An update was published a few days after QRadar 7.5.0 Update Package 6 to release Interim Fix 2. The Interim Fix resolves four important issues for QRadar, in addition to the 41 issues and the security updates resolved in 7.5.0 UP6. You must have QRadar 7.5.0 Update Package 6 installed to be able to apply Interim Fix 2 to your deployment. Interim fixes are cumulative: if you did not install 7.5.0 UP6 IF1, then when you install IF2 you get the latest updates plus any changes packaged in IF1. There is no need to install both interim fixes, only the latest.

Software 101 page

Support Top Technotes

Auto Updates

Current: 26 September 2023

26 Sept: Enhanced the Microsoft Azure Active Directory DSM to update the product name, per vendor request, to Microsoft Entra ID. This RPM release does not include parsing changes or QID map updates and is a product name change only.

19 Sept: Resolved a reported issue in the Cisco Nexus DSM where a port suspended F0600 system event is incorrectly categorized as a ‘Disk usage is high’ event. This RPM release updates parsing to add extra logic to ensure the event is identified correctly.

19 Sept: Resolved an issue in the Linux OS DSM where Uncomplicated Firewall (UFW Block) events did not parse the Source IP or Destination IP address as expected from the event payload. This RPM release includes a parsing update to correctly extract the Source IP and Destination IP address from the event payload and includes a QID map update to ensure the UFW Block event categorizes correctly, instead of displaying ‘Parsed, but unknown’ in the DSM Editor.

12 Sept: Enhanced the Microsoft Exchange Server DSM to add parsing support for events from Microsoft Exchange 2019 where users reported the events parsed as ‘Unknown Microsoft Exchange’. This update adds parsing and QID map updates for Exchange 2019 events and adds documentation on how to configure the ‘OWA Log Folder Path’ to collect Outlook Web Access (OWA) events.

12 Sept: Resolved an issue in the Office 365 Message Trace REST API protocol where 500 errors returned by the API from Microsoft can cause the log source to enter the ERROR state, stopping polling for new events. This RPM release adds error handling for 500 errors to ensure that ‘Internal Server’ errors retry to connect and do not force the administrator to manually stop and restart the log source.

Software Versions

Features and what’s new

What’s New in QRadar v7.5.0?


Operational improvements

  • Operating system updated to Red Hat® Enterprise Linux® version 7.9.
  • Local Only authentication allows administrators to prevent unintended access to users with accounts in external authentication systems.
  • Use secure boot to ensure that only trusted kernels and kernel modules are loaded
  • Two new offense rule tests: ‘when an offense is closed’ and ‘when an offense is modified’
  • A new AQL OFFENSE_TIME function to increase the speed of your offense queries
  • A new AQL DISTINCTCOUNT function to return the unique count of the value in an aggregate
  • Encryption of managed hosts enabled by default

Flow Improvements

  • Support for IPFIX bidirectional flows
  • Multi-threaded processing for external flow sources
  • Sequence number verification
  • Support for Network Address Translation fields from IPFIX and NetFlow v9
  • New application determination algorithms
  • Support for more fields from AWS VPC flow logs
  • Alias Autodetection field is renamed to DNS lookup for Alias Autodetection
  • Flow direction algorithms are now applied at the beginning of the flow parsing process
  • You can no longer delete the ‘Uncategorized’ category for tagged flow fields from your system
  • Only relevant IPFIX fields are encoded into the payload and extra fields are added as TLV elements

What is Changed or Removed?

The hashing algorithm default is changed to SHA-512 for all Ariel hashing. Several algorithms, such as MD-2, MD-5, HMAC-MD5 are removed.

QRadar Network Insights

  • Network inspection performance
  • Performance improvements for the QRadar Network Insights 6500 appliance
  • Modified process for identifying file types
  • More integration with IBM X-Force
  • Improved application detection
  • Data aggregation and segmentation improvements
  • Some inspectors are no longer supported, such as web domain, Myspace protocol, and SPDY.

QRadar Incident Forensics

During the upgrade to QRadar Incident Forensics 7.5.0, case data is exported and then imported back into the QRadar Incident Forensics managed host. As a result, the upgrade process takes longer to complete than in previous releases.

QRadar Vulnerability Mgr and Risk Manager

Vulnerability data scores and metric values are returned as CVSS version 3.0 or 3.1.

Upgrade release notes New installation release notes Upgrade Guide What’s new

What’s New in QRadar v7.4.3?

Operational Efficiency

The operational efficiency improvements in QRadar 7.4.3 include adjusting the Asset Cleanup Batch Size Threshold.

Flow Improvements

  • Support for ICMPv6 ICMP messages
  • New inspector for Kerberos
  • New inspector for TFTP
  • New “Flow Source Types” field
  • Support for more fields from AWS Flow Logs
  • New API for managing flow applications
  • New API for managing common destination ports
  • Improvements to the Ariel Tagged Fields API

What is Changed or Removed?

  • You can now set your own password for encrypted log files
  • Any authorized services with the “System Administrator” permission are expired, unless they are assigned to the “Admin” security profile
  • Several custom properties were either renamed or merged together

QRadar Network Insights

  • Simplified installation process
  • Deprecation notice for some inspectors

QRadar Incident Forensics

  • A new Kerberos inspector is available to parse Kerberos traffic that is sent to trusted third-party authentication providers.
  • A new inspector for Trivial File Transfer Protocol (TFTP) network traffic.

SFS Release notes ISO Release notes Upgrade Guide What’s new

What’s New in QRadar v7.4.2?

Operational Efficiency

Adjusting the number of MAC addresses allowed for an asset

DSM Editor Enhancements

Generating regex for parsing event properties

Flow Improvements

  • MAC address support
  • Accumulated byte and packet counters
  • New “Common Destination Port” flow direction algorithms

What is Changed or Removed?

  • User authentication with Active Directory (AD) is no longer supported
  • GlusterFS no longer supported

QRadar Network Insights

  • Support for 40 Gbps connectivity
  • QRadar Network Insights 1940 appliance stacking
  • Content flows are more easily identified
  • New TCP flow direction algorithms
  • Easily determine the direction of a content flow
  • More descriptive entity alerts

SFS Release notes ISO Release notes Upgrade Guide What’s new

What’s New in QRadar v7.4.1?

DSM Editor Enhancements

  • Parsing status is color coded in the user interface to display unparsed and unmapped data
  • An Override Delimiter option allows users to parse multiline event payloads more easily in the DSM Editor
  • Event ID and Event Category fields copied to Event Mapping

Workflow Enhancements

  • IBM QRadar Use Case Manager app installed by default
  • QRadar Analyst Workflow to help you investigate offenses

Security Enhancements

  • The core Operating System is updated to Red Hat Enterprise Linux® V7.7

Flow Sources Improvements

  • Support for the flow ID field in NetFlow V9 flow records
  • Support for 40 Gbps Napatech card

SFS Release notes ISO Release notes Upgrade Guide What’s new

What’s New in QRadar v7.4.0?

Performance Enhancements

  • Enhanced parsing support for XML events in the DSM Editor
  • Combined IPv4 & IPv6 columns to allow for more performant APIs and UIs
  • Added support for DSM Parameters in the DSM Editor
  • New event details provide extra context to how events are processed.

Application & Framework Enhancements

  • Apps can now run in multi-tenanted environments
  • Log Source Management app, now multi-tenanted
  • QRadar Assistant app can now manage installed applications
  • Pulse Dashboard V2.2 is now multi-tenanted and supports dashboard sharing

Security Enhancements

  • QRadar 7.4 is upgraded to Red Hat Enterprise Linux V7.6
  • SSH tunnel between two managed hosts can now be initiated from the remote host instead of the local host
  • A secure email server update allows you to send alerts, reports, or notifications with SMTP authentication and TLS

API & Core Improvements

  • Content Management Export API expands the ability to export Custom Rules, Custom Searches, Reports, and required dependencies
  • Dynamic Search API allows users to complete advanced queries using a selection of fields available in the Offenses Rest API
  • Offense related searches possible in the Dynamic Search API
  • QRadar V7.4.0 introduces API V13.0 and marks V11.0 endpoints as deprecated

Release notes Upgrade Guide What’s new


QRadar events and webinars

Events and webinars are hosted by QRadar experts to discuss technical topics or present content that teams feel is beneficial to users and administrators.


IBM prides itself on delivering world class software support with highly skilled, customer-focused people. QRadar Support is available 24×7 for all high severity issues. For QRadar resources, technical help, guidance, and information, see our QRadar Support 101 pages.

Contact Support

Find your regional support contact
