
QRADAR APARS 101

QRadar information related to known issues, important alerts and problem resolutions.

What are APARs?

QRadar uses Authorized Program Analysis Reports (APARs) to track issues reported by users. Each problem report includes the status of the issue for the end user, either ONGOING or CLOSED. This page is intended to help users who have not yet subscribed to IBM My Notifications locate known issues, and to surface alerts on APARs that QRadar Support considers important.

Searching the APAR table

The QRadar Support team created this QRadar APARs 101 page to make APARs more searchable for users and administrators. The search field in the table below lets you search for specific versions or keywords. Administrators who want to filter by a specific version can combine keywords, or use the version buttons and then narrow the results by keyword with the Search bar.


Last update: August 22, 2019. Important changes: Added 7.3.2 Patch 4 and closed 16 APARS, including a Security Bulletin for CVE-2019-10072. We are updating the FLASH NOTICE for APAR IJ18032 to list this issue as resolved. Release of Risk Manager Adapter Bundle #13.
Each entry below lists the following fields: Component, Number (APAR), Description, Status, More information, Date.
Component: USER INTERFACE / PERFORMANCE
APAR: IJ17018
Description: QRADAR USER INTERFACE CAN BECOME INACCESSIBLE DUE TO AN OUT OF MEMORY OCCURRING WHEN USING THE ASSET API
Status: OPEN (reported in multiple QRadar versions)
More information: No workaround available.

It has been identified that in some instances the Asset API can cause Tomcat to experience an Out of Memory (e.g. Asset integration in Watson Advisor with QRadar). When this occurs the QRadar User Interface is inaccessible until the required services are working as expected.
25 June 2019
Component: API / PERFORMANCE
APAR: IJ17016
Description: QRADAR INCIDENT FORENSICS RECOVERY HANGS WITH ‘RUNNING’ STATUS
Status: OPEN (reported in QRadar Packet Capture 7.3.2 versions)
More information: No workaround available.

It has been identified that in some instances, a timeout occurs with Incident Forensics in the backend while attempting to retrieve required PCAP data. When this issue occurs a Forensics Recovery can hang in ‘Running’ status.
05 July 2019
Component: RULES / FLOWS
APAR: IJ16995
Description: REFERENCE SET RULE TEST DOES NOT WORK AS EXPECTED WITH SUPERFLOWS
Status: OPEN (reported in multiple QRadar versions)
More information: No workaround available.

It has been identified that Reference Set rule tests only use the first IP reflected in a Superflow.

Example with two rules:
  1. The first rule test evaluates the source IP of the flow against a reference set to determine whether the value is contained in the reference set. For example: and when any source IP is contained in {myreferenceset}.
  2. The second rule test evaluates whether the source IP of the flow is a specific value. That specific value is contained in the reference set. For example: and when the source IP is one of the following {x.x.x.x in the myreferenceset}.

    Results
    When the source IP is that specific value, the expected result is that both rule 1 and rule 2 match and return results. The actual result is that the less restrictive rule 1 (any source IP) does not match the superflow.
25 June 2019
Component: SCANNER / VIS
APAR: IJ16994
Description: VA SCANNER STAYS AT ‘PENDING’ STATE WHEN ATTEMPTING TO START IT FROM A FLOW COLLECTOR APPLIANCE
Status: OPEN (reported in QRadar 7.3.1 Patch 7)
More information: No workaround available.

It has been identified that flow collectors are listed in the QRadar User Interface options for configuring a VA scanner, but attempting to start a scanner from a flow collector does not work as expected, and stays at ‘Pending’ state.

When attempting to start the vis service on a flow collector, a command line error similar to the following is returned:
"Job for vis.service failed because the control process exited with error code. See "systemctl status vis.service" and "journalctl -xe" for details."
Flow collectors do not have VIS components enabled, and should not have been available to select when configuring a scanner.
03 July 2019
Component: DNS SETTINGS
APAR: IJ16968
Description: DNS SETTINGS MODIFIED ON AN EVENT COLLECTOR APPLIANCE (15XX) DO NOT PERSIST AFTER THE APPLIANCE REBOOTS
Status: OPEN (reported in QRadar 7.3.1 Patch 7)
More information: Contact Support for a possible workaround that might address this issue in some instances.

It has been identified that DNS settings modified on Event Collector appliances (15xx) do not persist after an appliance reboot. For example, when following the steps from the support technical note QRadar: Changing DNS entries for IBM Security QRadar 7.2.x and 7.3.x appliances, the modifications do not persist and are overwritten with the old entries after the appliance reboots.
05 July 2019
Component: AQL / X-FORCE
APAR: IJ16967
Description: ADVANCED SEARCH (AQL) USING XFORCE_IP_CONFIDENCE FUNCTION DOES NOT WORK AS EXPECTED WHEN RUN USING QRADAR JAPANESE LOCALE
Status: OPEN (reported in QRadar 7.3.2 versions)
More information: No workaround available.

It has been identified that using the XFORCE_IP_CONFIDENCE function does not work as expected in an Advanced Search (AQL) when QRadar is configured to use the Japanese locale.
05 July 2019
Component: INSTALL / QRADAR PACKET CAPTURE
APAR: IJ16966
Description: QRADAR PACKET CAPTURE: /ROOT/RESET_INTERFACES.SH SCRIPT ON PCAP APPLIANCES DOES NOT WORK AS EXPECTED
Status: OPEN (reported in QRadar Network Packet Capture 7.3.2 Patch 1)
More information: Contact Support for a possible workaround that might address this issue in some instances.

The /root/Reset_Interfaces.sh script on PCAP appliances was introduced to correct issues that incorrect udev naming can sometimes cause. It has been observed that the script does not perform all expected tasks but does complete, then prompts for a reboot.
05 July 2019
Component: DASHBOARDS
APAR: IJ16962
Description: UNABLE TO ADD THE ‘EVENTS BY SEVERITY’ DASHBOARD INTO THE QRADAR USER INTERFACE
Status: OPEN (reported in QRadar 7.3.2 versions)
More information: No workaround available.

It has been identified that attempting to add the ‘Events by Severity’ dashboard into the QRadar User Interface (UI) fails and does not provide any error or feedback in the UI.
26 June 2019
Component: UPGRADE / PRETEST
APAR: IJ16960
Description: THE QRADAR PATCH PRETEST FAILS WHEN A BACKUP IS IN ‘MISSING’ STATE IN THE DATABASE
Status: OPEN (reported in QRadar 7.3.2 versions)
More information: Contact Support for a possible workaround that might address this issue in some instances.

It has been identified that the QRadar patch pretest /media/updates/pretests/check_backup.sh checks for and expects a backup status of “SUCCESS” or “FAILED” but the pretest fails when a backup has a status of “MISSING” in the QRadar database.
26 June 2019
Component: API
APAR: IJ16954
Description: THE REST API FOR ‘USERS’ INCORRECTLY CHECKS USER NAMES FOR VALIDATION WHEN UPDATING FIELDS
Status: OPEN (reported in QRadar 7.3.2 versions)
More information: No workaround available.

It has been identified that the REST API for ‘users’ in QRadar incorrectly checks user names for validation when updating fields. API response messages similar to the following can be observed when usernames with invalid characters (created using LDAP) exist:
{"http_response":{"code":500,"message":"Unexpected internal
server error"},"code":12,"description":"","details":{},"message" :
"Endpoint invocation returned an unexpected error"}

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[tomcat.tomcat] [admin@127.0.0.1 (942) /console/restapi/api/staged_config/access/users/3] com.q1labs.restapi.servlet.apidelegate.APIDelegate: [ERROR] [-/- -]Request Exception
[tomcat.tomcat] [admin@127.0.0.1 (942) /console/restapi/api/staged_config/access/users/3] com.q1labs.restapi_annotations.content.exceptions.APIMappedException: Endpoint invocation returned an unexpected error
[tomcat.tomcat] [admin@127.0.0.1 (942) /console/restapi/api/staged_config/access/users/3]    at com.q1labs.restapi.exceptionmapper.ExceptionMapper.mapException(ExceptionMapper.java)
[tomcat.tomcat] [admin@127.0.0.1 (942) /console/restapi/api/staged_config/access/users/3]    at com.q1labs.restapi.servlet.utilities.APIRequestHandler.processEndpointException(APIRequestHandler.java)
18 June 2019
Component: SIMULATION / QRADAR RISK MANAGER (QRM)
APAR: IJ16947
Description: WHEN ‘USE CONNECTION DATA’ IS CONFIGURED THE SIMULATION DOES NOT COMPLETE AND GENERATES AN ILLEGALARGUMENTEXCEPTION
Status: OPEN (reported in QRadar 7.3.2 versions)
More information: Workaround: Do not use the selection ‘Use Connection Data’ in the simulation.

It has been identified that a Risk Manager simulation can fail to complete when ‘Use Connection Data’ is selected. The Configuration Monitor screen displays “No Results” in the Results column. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[tomcat-rm.tomcat-rm] [SimulationRunner-10001-Test] com.q1labs.simulator.simulation.SimulationRunner: [ERROR] [-/- -]Error executing simulation 10001:Points below the dimension's min value are not allowed (using + PortRangeEnumerator enumerator)
[tomcat-rm.tomcat-rm] [SimulationRunner-10001-Test] java.lang.IllegalArgumentException: Points below the dimension's min value are not allowed (using + PortRangeEnumerator enumerator)
[tomcat-rm.tomcat-rm] [SimulationRunner-10001-Test]    at com.q1labs.simulator.topology.MultiRange.__createFromPoints(MultiRange.java:723)
[tomcat-rm.tomcat-rm] [SimulationRunner-10001-Test]    at com.q1labs.simulator.topology.MultiRange.createFromPoints(MultiRange.java:682)
[tomcat-rm.tomcat-rm] [SimulationRunner-10001-Test]    at com.q1labs.simulator.iag.impl.InferredAccessGraph$ArcProcessor.getPortResults(InferredAccessGraph.java:1151)
[tomcat-rm.tomcat-rm] [SimulationRunner-10001-Test]    at com.q1labs.simulator.iag.impl.InferredAccessGraph.findReachable(InferredAccessGraph.java:1231)
17 June 2019
Component: INSTALL / QRADAR NETWORK INSIGHTS
APAR: IJ18213
Description: QRADAR NETWORK INSIGHTS 1920 INSTALL MENU DOES NOT DISPLAY THE OPTION FOR A QNI 6200 APPLIANCE
Status: OPEN (reported in QRadar 7.3.2 Patch 2)
More information: Workaround: Review IBM QRadar Network Insights: Install Menu does not Display a Select Option for QNI 6200 Appliances (APAR IJ18213) for additional installation instructions.

It has been identified that the QRadar Network Insights (QNI) install menu on a fresh install of QRadar 7.3.2 patch 2 displays the options for a 6000 and 6100 appliance type, but not a QNI 6200 appliance. If you continue to experience issues, Contact Support for additional assistance.
16 August 2019
Component: AUTHENTICATION / SYSTEM SETTINGS
APAR: IJ16944
Description: QRADAR USER INTERFACE LOGIN MESSAGE LINE FORMATTING IS NOT WORKING AS EXPECTED
Status: OPEN (reported in QRadar 7.3.2 versions)
More information: No workaround available.

It has been identified that when a line break is entered into a QRadar User Interface ‘Login Message’, it is converted into the line feed symbol (\n). When the request is made to generate the console login page, the newline characters remain in the HTML as-is and no line breaks are rendered.

To replicate or validate this reported issue:
  1. Click the Admin tab.
  2. In the System Configuration section, click System Settings.
  3. Click Authentication Settings.
  4. To edit the login message, click Edit in the Login Message field.
  5. Create a login message that includes newline or line feed (\n) characters.
  6. Save and deploy the changes.
  7. Log out of QRadar.

    Results
    The line breaks are not detected.
25 June 2019
Component: SCANNER / TENABLE
APAR: IJ17829
Description: TENABLE SECURITY SCANNER IMPORT FAILS DUE TO CHANGES IN THE ALLOWED CIPHER SUITES ON THE TENABLE SERVER
Status: CLOSED
More information: The fix for this issue is released in the following RPM package update: VIS-TenableSecurityCenter-7.3-20190725180412.noarch.rpm. Administrators who require an immediate resolution to this issue should ensure they have installed the latest version of the VIS-TenableSecurityCenter rpm file on their Console from IBM Fix Central using the command:
yum -y install 7.3.0-QRADAR-VIS-TenableSecurityCenter-7.3-20190725180412.noarch.rpm


This update will be delivered in the next QRadar weekly auto update, but is available on IBM Fix Central now.

It has been identified that Tenable Security scan imports can fail. This is caused by changes in the list of allowed Cipher Suites on the Tenable Server.
22 August 2019
Component: RULES / PERMISSIONS
APAR: IJ16943
Description: QRADAR USER CAN ACCESS CUSTOM RULE INFORMATION WHEN NOT GIVEN ACCESS TO ‘VIEW CUSTOM RULES’ AND ‘MAINTAIN CUSTOM RULES’
Status: OPEN (reported in QRadar 7.3.1 Patch 6 Interim Fix 02)
More information: It has been identified that QRadar users can access custom rules even when their access has not been granted to ‘View Custom Rules’ and ‘Maintain Custom Rules’.

To replicate or validate this reported issue:
  1. Log in to the QRadar Console.
  2. Click the User Roles icon.
  3. Create a user with the following user role permissions disabled:
    • View Custom Rules
    • Maintain Custom Rules
  4. Save the changes.
  5. Click Deploy Changes from the Admin tab.
  6. Log in with that user.
  7. Navigate to the Offense tab.
  8. Click Offense search.

    Results
    The user cannot open the rule definitions or view the rule summary page, but the user can view all the rule Groups and list all available rules on the system. The names of the rules can be quite informative and specific to a particular domain and tenancy, and should not be exposed to a user with these role settings.
18 June 2019
Component: AUTHENTICATION / USER ROLES
APAR: IJ16851
Description: USER LOGIN FAILURE AFTER DELETING A QRADAR USER ROLE OR SECURITY PROFILE WHEN LDAP GROUP AUTH IS ACTIVE
Status: OPEN (reported in QRadar 7.3.2 versions)
More information: Workaround: From the Admin tab > Authentication window, open each affected LDAP Repository for editing, and immediately save. A Deploy Changes is required for the changes to take effect.

It has been identified that user login failure can occur after deleting a QRadar user role or security profile when LDAP group authorization is active.
14 June 2019
Component: PERFORMANCE / SERVICES
APAR: IJ16824
Description: ARIEL_QUERY_SERVER PROCESS OUT OF MEMORY CAN OCCUR DUE TO LARGE NUMBER OF CONCURRENTPOOL OBJECTS IN JMX MBEAN
Status: OPEN (reported in QRadar 7.3.1 Patch 7)
More information: No workaround available.

It has been identified that the ariel_query_server process on a QRadar appliance can run out of memory due to a memory leak caused by a large number of remaining ConcurrentPool objects in the JMX MBean server.

NOTE: In order to correctly identify that this issue is the cause of an ariel_query_server process out of memory occurrence, administrators can open a Support Case with the affected appliance’s get_logs output and the /store/jheap/ariel.ariel_query_server/ariel.ariel_query_server.system.dmp file that is created when the out of memory occurs. Only after the system dump files are examined by Support can the exact cause of the ariel_query_server process out of memory occurrence be correctly identified.
13 June 2019
Component: SYSTEM SETTINGS
APAR: IJ18436
Description: UNABLE TO SAVE CHANGES MADE TO QRADAR SYSTEM SETTINGS AND ‘INTERNAL ERROR: SAVE FAILED’ MESSAGE IS DISPLAYED
Status: OPEN (reported in QRadar 7.3.2 versions)
More information: Contact Support for a possible workaround that might address this issue in some instances.

It has been identified that an Auto Update action script can change the ownership of nva.conf in the staging directory to root during a Deploy function. When the ownership of nva.conf is changed, administrators can experience a user interface issue when they attempt to save changes made to some parameters in System Settings. The QRadar User Interface can fail to save System Settings with the error message: ‘Internal Error: save failed’

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
Unable to write system settings:
java.io.IOException: Failed to write
nva.conf/store/configservices/staging/globalconfig/nva.conf
(Permission denied)
19 August 2019
Component: FLOWS / DEPLOY CHANGES
APAR: IJ16823
Description: UNABLE TO CONFIGURE DTLS FOR QRADAR NETWORK INSIGHTS (QNI) FLOW CONFIGURATION WHEN FLOW SOURCE IS FROM THE CONSOLE
Status: OPEN (reported in QRadar 7.3.2 versions)
More information: Workaround: From a command line interface (SSH), connect to the QRadar Console appliance as the root user and type the following command:
chown -R nobody:nobody /opt/qradar/conf/dtls
After you have set the ownership, you can successfully complete a Deploy Changes from the Admin tab.

It has been identified that attempting to enable DTLS in the QRadar Network Insights (QNI) flow configuration can cause the required Deploy Changes to fail when the flow source is the Console appliance. Administrators can attempt to verify this issue by changing the Console’s default netflow to use Linking Protocol = DTLS. For example:
  1. Click the Admin tab.
  2. Click the Flow Sources icon.
  3. Update the QNI connection to use the Console and default netflow as the flow source.
  4. Save the changes.
  5. From the Admin tab, click Deploy Changes.

    Results
    The deploy function fails and the QNI appliance is unable to send the flows to the Console. See the workaround above to assist with this issue.
08 July 2019
Component: UPGRADE
APAR: IJ16821
Description: QRADAR PATCH FAILS TO COMPLETE SUCCESSFULLY WHEN A HTTP_PROXY ENVIRONMENT VARIABLE IS CONFIGURED
Status: OPEN (reported in QRadar 7.3.2 versions)
More information: Workaround: Prior to attempting the QRadar patching process, unset the environment variable http_proxy before running the patch. Ensure that it is not being set in the root user’s profile when logging in. If a QRadar patch has already failed, roll back the patch to the prior 7.3.x version, unset http_proxy, and re-run the patch.

It has been identified that QRadar patching can fail to complete successfully when an http_proxy variable is configured in /etc/environment. Messages similar to the following might be visible when this issue occurs:
[WARN](patchmode) time="2019-03-07T22:20:47+04:00" level=fatal
msg="Error checking for blob
sha256:fbbe1dc3535f2e4cfd3606016df4b075ae74e3bf39f8490cdbc073d93 
at destination: pinging docker registry returned: Get
https://xxxxxxxxxxx.localdeployment:5000/v2/:Forbidden"
[DEBUG](patchmode) WARN: Failed to deliver images to the registry
[DEBUG](patchmode) ERROR: Failed to push images to the registry.
14 June 2019
Component: RULES / RULE TEST
APAR: IJ16820
Description: RULE CONDITION ‘WHEN THE EVENT MATCHES DESTINATION GEOGRAPHIC COUNTRY/REGION’ IS NOT WORKING CORRECTLY FOR TURKEY
Status: OPEN (reported in QRadar 7.3.2 Patch 1)
More information: No workaround available.

It has been identified that the Rule Condition when the event matches Destination Geographic Country/Region is not working correctly for the country of Turkey. This can cause unexpected rule responses and/or Offense behavior.

For example: when events have a Destination IP address within Turkey, the events still match rules that include the rule condition when the event matches Destination Geographic Country/Region is not Turkey.
14 June 2019
Component: OFFENSES
APAR: IJ16819
Description: OFFENSES CAN FAIL TO GENERATE AND OR UPDATE WHEN USERNAME OR HOSTNAME IN ASSET EXCEEDS 255 CHARACTERS
Status: OPEN (reported in multiple QRadar versions)
More information: Contact Support for a possible workaround that might address this issue in some instances.

It has been identified that Offenses can fail to generate and/or Offense data can fail to update when a username or hostname in an asset exceeds 255 characters. When this issue is occurring, the magistrate (MPC) continuously attempts to recover and repeatedly experiences a TX Sentry reported in /var/log/qradar.log with entries similar to:
'Multiple (101) TX's found, attempting recovery'
Messages similar to the following might be visible in qradar-sql.log when this issue is occurring:
postgres[49684]: [3-1] ERROR:  value too long for type character varying(255)
postgres[49684]: [3-2] CONTEXT: SQL statement "INSERT into offense_target_link (offense_id, target_id, add_time, macaddress, hostname, username)
postgres[49684]: [3-3] values (p_offense, v_target, extract (epoch from now())::int8, substring (v_identity.macaddress from 1 for 17), v_identity.hostname, v_identity.username)"
postgres[49684]: [3-4]   PL/pgSQL function link_offense_targets(bigint,character varying,integer) line 34 at SQL statement
postgres[49684]: [3-5] STATEMENT:  select * from link_offense_targets($1,$2, $3, $4)  as result
14 June 2019
Component: LOG SOURCE MANAGEMENT APP
APAR: IJ17859
Description: USING THE ‘DON’T SHOW ME AGAIN’ BUTTON ON THE LOG SOURCE MANAGEMENT APP BANNER DOES NOT WORK AS EXPECTED
Status: CLOSED
More information: Closed as a suggestion for a future release.

It has been identified that the “Don’t Show Me Again” button that can be displayed on a Log Source Management (LSM) app banner message does not work as expected. The banner message that was selected for ‘Don’t Show Me Again’ is displayed when the web browser used for the QRadar User Interface is restarted.
16 August 2019
Component: HIGH AVAILABILITY (HA) / EVENT COLLECTOR
APAR: IJ16785
Description: POSTGRESQL DATABASE ON QRADAR COLLECTOR APPLIANCE (15XX) CAN BE OUT OF SYNC ON STANDBY APPLIANCE CAUSING ISSUES AFTER FAILOVER
Status: OPEN (reported in multiple QRadar versions)
More information: Contact Support for a possible workaround that might address this issue in some instances.

It has been identified that after a failover occurs from an active to a standby Event Collector appliance (15XX), the QRadar postgresql database can be out of sync in some instances and requests a FULL replication transaction. This can lead to various issues within QRadar occurring after an appliance failover, such as an incorrect EPS license setting for ecs-ec-ingress, incorrect Log Source configurations, or missing routing rules.
14 June 2019
Component: API
APAR: IJ16784
Description: RESTAPI WITH BASIC AUTHENTICATION CAN FAIL TO GET USER CAPABILITIES WHEN USING LDAP AUTH ‘LOCAL AUTHORIZATION’
Status: OPEN (reported in QRadar 7.3.1 Patch 3)
More information: No workaround available.

It has been identified that using RESTAPI to get endpoint resources with basic authentication fails to get user capabilities when using LDAP authentication with local authorization. A message similar to the following is returned:
{"http_response":{"code":403,"message":"Your account is not
authorized to access the requested resource"},"code":26,
"description":"","details":{},"message":
"User has insufficient capabilities to access this endpoint resource"}


Messages similar to the following might also be visible in /var/log/qradar.log when this issue occurs:
[tomcat.tomcat] [ou=People,dc=my-domain,dc=com\ldapuser1@127.0.0.1 (189) /console/restapi/api/reference_data/tables] com.q1labs.core.shared.capabilities.CapabilityConfiguration: [INFO] [-/- -]user ou=People,dc=my-domain,dc=com\ldapuser1 does not exist. Returning false
[tomcat.tomcat] [ou=People,dc=my-domain,dc=com\ldapuser1@127.0.0.1 (189) /console/restapi/api/reference_data/tables] com.q1labs.core.shared.capabilities.CapabilityConfiguration: [INFO] [-/- -]user ou=People,dc=my-domain,dc=com\ldapuser1 does not exist. Returning false
14 June 2019
Component: OFFENSES
APAR: IJ16742
Description: OFFENSES CAN FAIL TO BE UPDATED AFTER A CONSOLE APPLIANCE REBOOT
Status: OPEN (reported in multiple QRadar versions)
More information: Workaround: Perform a Soft Clean SIM. See the following documentation for steps and results of performing a Soft Clean SIM: Cleaning the SIM data model.

It has been identified that in some instances, Offenses can fail to update after a Console appliance reboot has occurred (controlled or uncontrolled) due to a required file becoming corrupted and deleted. Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs:
[ecs-ep.ecs-ep] [ECS Runtime Thread] com.q1labs.core.shared.storage.BaseStorageContext: [ERROR] [-/- -] Error reading file /store/mpc/core/CounterProcessor/dormant-handles-index.ser, deleting it...
[ecs-ep.ecs-ep] [ECS Runtime Thread] java.io.EOFException
[ecs-ep.ecs-ep] [ECS Runtime Thread] at java.io.ObjectInputStream$PeekInputStream.readFully(ObjectInputStream.java)
[ecs-ep.ecs-ep] [ECS Runtime Thread] at java.io.ObjectInputStream$BlockDataInputStream.readShort(ObjectInputStream.java)
[ecs-ep.ecs-ep] [ECS Runtime Thread] at java.io.ObjectInputStream.readStreamHeader(ObjectInputStream.java)
[ecs-ep.ecs-ep] [ECS Runtime Thread] at java.lang.Thread.run(Thread.java:812)
[ecs-ep.ecs-ep] [ECS Runtime Thread] com.q1labs.core.shared.storage.BaseStorageContext: [ERROR][-/- -]Error reading file /store/mpc/core/CounterProcessor/active-handles-index.ser, deleting it...
[ecs-ep.ecs-ep] [ECS Runtime Thread] java.io.EOFException
[ecs-ep.ecs-ep] [ECS Runtime Thread] at java.io.ObjectInputStream$PeekInputStream.readFully(ObjectInputStream.java)
[ecs-ep.ecs-ep] [ECS Runtime Thread] at java.io.ObjectInputStream$BlockDataInputStream.readShort(ObjectInputStream.java)
14 June 2019
Component: RULES / FLOW DIRECTION
APAR: IJ16741
Description: RULES DEPENDENT UPON FLOW DIRECTION CAN FIRE UNEXPECTEDLY DUE TO QRADAR NETWORK INSIGHTS (QNI) LOGGING REVERSED FLOW DIRECTION
Status: OPEN (reported in QRadar 7.3.2 versions)
More information: No workaround available.

It has been identified that in instances of Content Flow generated by QRadar Network Insights, reversed flow direction with 0 byte payload lengths is observed. That is, the flow direction is recorded from server to client: the server should be the destination, but it appears as the source. When this occurs, rules dependent on flow direction can fire in instances where they should not have.
08 July 2019
Component: AUTHENTICATION / ACTIVE DIRECTORY (AD)
APAR: IJ16739
Description: ACTIVE DIRECTORY REPOSITORY SETUP PAGE FIELD NAME ‘LOGIN DN’ CAN CAUSE CONFUSION AS TO ITS PROPER USE
Status: OPEN (reported in QRadar 7.3.2 versions)
More information: Workaround: Use a Windows account name (also known as sAMAccountName) in the ‘Login DN’ field.

It has been identified that on the Admin tab > Authentication > Active Directory setup page, the field ‘Login DN’ can be confused as to its proper usage (connection testing). When setting up an Active Directory repository, entering a full Distinguished Name (DN) in the “Login DN” field causes the test connection to fail. Both the ‘Login DN’ field and associated password field are directly tied to the “Test connection” button and are not used at any other time.
14 June 2019
Component: OFFENSES / DOMAIN MANAGEMENT
APAR: IJ16738
Description: USERS ASSIGNED TO A DOMAIN DO NOT HAVE ACCESS TO OFFENSES WHERE THE TARGET IS FROM THE NETWORK “OTHER”
Status: OPEN (reported in QRadar 7.3.2 versions)
More information: No workaround available.

It has been identified that when a user is assigned to a Domain, that user cannot view an Offense where the target is from the Network “Other”.
14 June 2019
Component: USER INTERFACE / QRADAR VULNERABILITY MANAGER
APAR: IJ16670
Description: ‘CRITICAL’ IS NOT AN OPTION IN RISK LIST OF VULNERABILITY MANAGER’S ‘REMEDIATION TIMES’ WINDOW
Status: OPEN (reported in QRadar 7.3.1 Patch 6)
More information: No workaround available.

It has been identified that the use of ‘Critical’ is inconsistent within the QRadar Vulnerability Manager user interface windows and options. For example, ‘Critical’ is not listed on the ‘Remediation Times’ window in Vulnerability Manager.
17 June 2019
Component: POLICY MONITOR / QRADAR RISK MANAGER
APAR: IJ16610
Description: QRADAR RISK MANAGER (QRM) POLICY QUESTION DOES NOT RETURN ALL MATCHING RULES FOR CONDITION SPECIFIED
Status: OPEN (reported in QRadar 7.3.1 Patch 6)
More information: No workaround available.

It has been identified that a Risk Manager Policy Monitor question with a return type of Device/Rules and a condition “allow connections to the following IP addresses” does not find a rule that should match this condition if the rule uses an object group to reference the IP addresses.
18 June 2019
Component: MANAGE VULNERABILITIES / QRADAR VULNERABILITY MANAGER
APAR: IJ16602
Description: EXCEPTIONED VULNERABILITIES REAPPEAR IN MANAGE VULNERABILITIES TAB AFTER RESCANNING IN QRADAR VULNERABILITY MANAGER (QVM)
Status: OPEN (reported in QRadar 7.3.1 Patch 7)
More information: Contact Support for a possible workaround that might address this issue in some instances.

It has been identified that vulnerabilities that have had exception rules applied under Actions > Exception can reappear in the Manage Vulnerabilities tab after rescanning an asset.
14 June 2019
Component: RISK FACTOR / QRADAR VULNERABILITY MANAGER
APAR: IJ16594
Description: ASSET PROFILER EXCEPTION CAUSED BY NEW ‘CRITICAL RISK FACTOR’ CLASSIFICATION IN QRADAR VULNERABILITY MANAGER (QVM)
Status: OPEN (reported in QRadar 7.3.1 Patch 7)
More information: Contact Support for a possible workaround that might address this issue in some instances.

It has been identified that the new PCI Severity and Risk Factor classification ‘Critical’ causes the asset profiler to throw an Invalid RiskFactor Exception in QRadar logging when a vulnerability is assigned a Critical Risk Factor. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[tomcat.tomcat] [pool-1-thread-6] com.q1labs.assetprofile.api.vulninstance.common.VulninstancesAPITask: [ERROR][-/- -]An unhandled exception was thrown during the execution of task: 258
[tomcat.tomcat] [pool-1-thread-6] java.lang.IllegalArgumentException: Invalid RiskFactor name: Critical
[tomcat.tomcat] [pool-1-thread-6] at com.q1labs.assetprofile.api.r1_2017.pojo.RiskFactorDTO.forName(RiskFactorDTO.java)
[tomcat.tomcat] [pool-1-thread-6] at com.q1labs.assetprofile.api.r1_2017.R1_2017VulnInstanceDTOAdapter.doConvert(R1_2017VulnInstanceDTOAdapter.java)
07 June 2019
Component: FLOWS / FLOW SOURCE ALIAS
APAR: IJ18233
Description: A MANUALLY ADDED OR EDITED FLOW SOURCE ALIAS DOES NOT WORK AS EXPECTED
Status: OPEN (reported in QRadar 7.3.0 and 7.3.1 versions)
More information: Contact Support for a possible workaround that might address this issue in some instances.

It has been identified that a manually added or edited Flow Source alias does not work as expected. When a flow source alias is manually created or edited, the flow collector component is not being properly populated on the associated managed host and the edited alias is not listed in the search filter for the flow interface. Associated flows are not received when this issue is occurring.
19 August 2019
Component: DOMAIN MANAGEMENT
APAR: IJ18345
Description: LOG SOURCES WITHIN A LOG SOURCE GROUP DO NOT INHERIT DOMAIN MEMBERSHIP WHEN THE LOG SOURCE GROUP IS ADDED TO A DOMAIN
Status: CLOSED
More information: Resolved in:
QRadar 7.3.1 Patch 7 (7.3.1.20181123182336)
QRadar 7.3.2 (7.3.2.20190201201121)

Workaround: From the Admin tab, open the Domain Management interface, select the Log Sources you would like to add, then manually add the log sources.

It has been identified that adding Log Source Groups to a Domain does not cause the log sources contained inside the Log Source Group or its Sub Groups to inherit that Domain membership, even if the Log Source is not within another Domain.
15 August 2019
Component: SECURITY BULLETIN
APAR: CVE-2019-10072
Description: APACHE TOMCAT AS USED IN IBM QRADAR SIEM IS VULNERABLE TO A DENIAL OF SERVICE
Status: CLOSED
More information: Resolved in QRadar 7.3.2 Patch 4 (7.3.2.20190803012943)
15 August 2019
Component: BACKUP / RECOVERY
APAR: IJ18357
Description: CHANGE TO FILE PERMISSION ON GEOLITE2-CITY.MMDB CAN OCCUR AFTER A CONFIG RESTORE AND DEPLOY IS SUCCESSFULLY PERFORMED
Status: OPEN (reported in QRadar 7.3.2 Patch 4)
More information: Contact Support for a possible workaround that might address this issue in some instances.

It has been identified that in some instances, the file permissions for /store/configservices/deployed/globalconfig/GeoLite2-City.mmdb can be changed from “nobody nobody” to “root root” after a successful Configuration Restore and a Deploy Changes has been performed. When this issue occurs, permission errors can be observed in the logs when users attempt to save changes from the Admin > System Settings window in QRadar. Messages similar to the following might be visible in /var/log/qradar.log:
[tomcat.tomcat][LocationUtils_Timer] com.q1labs.core.shared.location.LocationUtils: [ERROR][-/- -]Error occurred while reloading the LocationUtils database
[tomcat.tomcat] [LocationUtils_Timer] java.io.IOException: Destination '/store/configservices/deployed/globalconfig/GeoLite2-City.mmdb' exists but is read-only
[tomcat.tomcat] [LocationUtils_Timer] at org.apache.commons.io.FileUtils.copyFile(FileUtils.java)
[tomcat.tomcat] [LocationUtils_Timer] at org.apache.commons.io.FileUtils.copyFile(FileUtils.java)
[tomcat.tomcat] [LocationUtils_Timer] at com.q1labs.core.shared.location.LocationUtils.getCorrectCurrentGeoLiteFile(LocationUtils.java)
[tomcat.tomcat] [LocationUtils_Timer] at com.q1labs.core.shared.location.LocationUtils.reload(LocationUtils.java)
[tomcat.tomcat] [LocationUtils_Timer] at com.q1labs.core.shared.location.LocationUtils$LocationUtilsReloadTask.run(LocationUtils.java)
[tomcat.tomcat] [LocationUtils_Timer] at java.util.TimerThread.mainLoop(Timer.java)
[tomcat.tomcat] [LocationUtils_Timer] at java.util.TimerThread.run(Timer.java)
15 August 2019
VULNERABILITY DETAILS / USER INTERFACE IJ16571 VULNERABILITY HISTORY LIST DATE ORDERING IS INCORRECT OPEN: Reported in QRadar 7.3.1 Patch 7 and 7.3.2 versions No workaround available.

It has been identified that when viewing vulnerability history lists in QRadar Vulnerability Manager (QVM) the ordering by date is incorrect. In QRadar 7.3.1 versions an error similar to the following is written to QRadar logging when this occurs:
[tomcat.tomcat] [admin@127.0.0.1 (9556) /console/JSON-RPC/QVM.getVulnerabilityHistoryList QVM.getVulnerabilityHistoryList] com.q1labs.assetprofile.service.ui.UIVulnerabilityService: [ERROR] [-/- -]Unparseable date: "25 May 2019, 17:05:13"
[tomcat.tomcat] [admin@127.0.0.1 (9556) /console/JSON-RPC/QVM.getVulnerabilityHistoryList QVM.getVulnerabilityHistoryList] com.q1labs.assetprofile.service.ui.UIVulnerabilityService: [ERROR][-/- -]Unparseable date: "25 May 2019, 13:09:37"

NOTE: In QRadar 7.3.2 versions, the ordering by date is also incorrect, but the error is not present in QRadar logging.
14 June 2019
SCAN RESULTS IJ16518 QRADAR VULNERABILITY MANAGER (QVM) SCAN RESULT RECORDS LISTED IN THE USER INTERFACE ARE NEVER PURGED OPEN: Reported in multiple QRadar versions No workaround available.

It has been identified that vulnerability scan result records listed in the User Interface continue to be displayed after the ‘Purge Scan Results After Period’ setting has purged the backend data.
31 May 2019
OFFENSES IJ16941 OFFENSES CAN FAIL TO GENERATE WHEN EXPECTED, WHEN SPILLOVER FROM MEMORY TO DISK DURING CACHING OCCURS CLOSED Resolved in QRadar 7.3.2 Patch 4 (7.3.2.20190803012943)

It has been identified that Offenses can be slow to generate or fail to generate when expected when QRadar experiences a cache spillover from memory to disk. Messages similar to the following might be visible in /var/log/qradar.log when this specific issue occurs:
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000050540] com.q1labs.frameworks.cache.ChainAppendCache: [WARN][-/- -]TargetIPtoID is experiencing heavy COLLISIONS exceeding configured threshold (this may have negative performance impact) threshold = 5.0 average collisions = 7.0
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000050540] com.q1labs.frameworks.cache.ChainAppendCache: [WARN][-/- -]LightTarget is experiencing heavy COLLISIONS exceeding configured threshold (this may have negative performance impact) threshold = 5.0 average collisions = 6.0
19 June 2019
TUNNELS / DEPLOY CHANGES IJ00025 DEPLOY FUNCTION CAN SOMETIMES FAIL DUE TO TUNNELS NOT STARTING CORRECTLY WHEN ENCRYPTION IS ENABLED CLOSED Resolved in QRadar 7.3.2 Patch 4 (7.3.2.20190803012943)

It has been identified that on encrypted managed hosts running QRadar 7.3.0.x versions, the generate_tunnel_environment.sh script can sometimes fail to start tunnels correctly. When this occurs, there is no connectivity between QRadar Managed Hosts and the Console, causing deploys and all traffic between the Console and the encrypted Managed Hosts to fail.
02 April 2018
CUSTOM PROPERTIES / PARSE IN ADVANCE IJ16411 QRADAR DEPENDENCY CHECKER CAN FAIL WHEN A USER WITH NO LOCALE CONFIGURED ATTEMPTS TO MODIFY A CUSTOM EVENT PROPERTY CLOSED Resolved in QRadar 7.3.2 Patch 4 (7.3.2.20190803012943)

Workaround: Have the user configure a user locale and retry the “un-select” for the Custom Event Property.

It has been identified that the QRadar dependency checker can launch when the “Parse in advance for rules, reports and searches” check box is cleared in the Property Definition section of the user interface, and can generate the error message “1.Found Custom Rules: 0” or “2. Error occured while finding Ariel Indexing”. This issue can occur in cases where the QRadar user who created the custom property has no locale configured. Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs:
[tomcat.tomcat] [pool-1-thread-10] com.q1labs.core.shared.datadeletion.task.FindDependentsTask: [ERROR][-/- -]Error trying to find Dependents for id: [347902bb-f6c0-4b07-9791-f3a8b0a94f17], and type: EVENT_REGEX_PROPERTY_DEPENDENCY
[tomcat.tomcat] [pool-1-thread-10] java.lang.NullPointerException
[tomcat.tomcat] [pool-1-thread-10] at java.util.Locale.(Locale.java)
[tomcat.tomcat] [pool-1-thread-10] at java.util.Locale.(Locale.java)
[tomcat.tomcat] [pool-1-thread-10] at com.q1labs.core.shared.datadependency.CustomPropertyDependency.getArielIndexingByPropertyId(CustomPropertyDependency.java)
[tomcat.tomcat] [pool-1-thread-10] at com.q1labs.core.shared.datadependency.CustomPropertyDependency.getUsage(CustomPropertyDependency.java)
28 May 2019
EPS GRAPH DATA / PIPELINE IJ12103 STAT FILTER INTERVAL PEAK VALUES CAN BE INCORRECT CAUSING INACCURATE EVENT PER SECOND (EPS) RATES TO BE REPORTED CLOSED Resolved in QRadar 7.3.2 Patch 4 (7.3.2.20190803012943)

It has been identified that Stat Filter data values can sometimes be inaccurate on interval peak value. When this occurs, EPS values reported in QRadar can be incorrect or inconsistent with actual event counts.
31 December 2018
FLOWS / SIGNATURES IJ17359 MANUAL CHANGES MADE TO SIGNATURES.XML ARE OVERWRITTEN DURING AN AUTOUPDATE FUNCTION CLOSED Closed as a documentation issue.

Users who include custom signature values for source and destination ports to identify flow traffic should ensure that they have a signature ID (sigid) defined in their signatures.xml file to prevent the auto update from discarding the change. Customers can use a sigid value of 3000 or above to denote custom changes to the signatures.xml file. Including the sigid value prevents xmldiff from merging the custom signatures.xml changes with the autoupdate version of the signatures.xml file when updates occur. For an example of adding new source and destination ports for signature detection, see this technical note: QRadar: Detecting SMB1 & SMBv2 Traffic with QFlow (Updated)

Issue: It has been identified that when manual changes are made to signatures.xml using the Technote documented methods to preserve the changes, an AutoUpdate function overwrites the manual changes anyway.
09 August 2019
REPORTS IJ16290 A REPORT RUN ON RAW DATA CAN FAIL WITH ‘STRING INCOMPATIBLE WITH COM.Q1LABS.FRAMEWORKS.NIO.COMPOSITEKEY’ IN LOGGING OPEN: Reported in multiple QRadar versions No workaround available.

It has been identified that performing a “Run Report on RAW data” can fail and output an error to /var/log/qradar.log similar to the following:
[report_runner] [main] com.q1labs.cve.aggregation.props.AggregatedRecordKeyProperty: [ERROR][-/- -]About to cast key = IPADDRESS.hostname.lab:ecs-ec/EC/Processor2 to CompositeKey
[report_runner] [main] com.q1labs.reporting.ReportServices: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]java.lang.String incompatible with com.q1labs.frameworks.nio.CompositeKey
[report_runner] [main] java.lang.ClassCastException: java.lang.String incompatible with com.q1labs.frameworks.nio.CompositeKey
[report_runner] [main] at com.q1labs.cve.aggregation.props.AggregatedRecordKeyProperty.createKey(AggregatedRecordKeyProperty.java)
[report_runner] [main] at com.q1labs.cve.aggregation.props.AggregatedRecordKeyProperty.createKey(AggregatedRecordKeyProperty.java)
[report_runner] [main] at com.q1labs.cve.resultset.CVEResultSet.getObject(CVEResultSet.java)
[report_runner] [main] at com.q1labs.cve.resultset.CVEResultSet.getLong(CVEResultSet.java)
[report_runner] [main] at com.q1labs.cve.resultset.CVEResultSet.getLong(CVEResultSet.java)
[report_runner] [main] at com.q1labs.dal.charts.SQLChart.getChartDataForTimeSeries(SQLChart.java)
[report_runner] [main] at com.q1labs.dal.charts.SQLChart.getChartData(SQLChart.java)
[report_runner] [main] at com.q1labs.dal.charts.AbstractChart.createChart(AbstractChart.java)
[report_runner] [main] at com.q1labs.dal.charts.SQLChart(SQLChart.java)
[report_runner] [main] at com.q1labs.dal.charts.SQLChart(SQLChart.java)
[report_runner] [main] at com.q1labs.reporting.charts.ArielChart.processResultSet(ArielChart.java)
[report_runner] [main] at com.q1labs.reporting.charts.ArielChart.getData(ArielChart.java)
[report_runner] [main] at com.q1labs.reporting.Chart.getXML(Chart.java)
[report_runner] [main] at com.q1labs.reporting.Report.createData(Report.java)
[report_runner] [main] at com.q1labs.reporting.Report.process(Report.java)
[report_runner] [main] at com.q1labs.reporting.ReportRunner.main(ReportRunner.java)
15 May 2019
RULES / NETWORK HIERARCHY IJ16173 IPV6 NETWORK HIERARCHY GENERATES A NULLPOINTEREXCEPTION WHEN A RULE IS BASED OFF A NETWORK DEFINED IN REMOTENET.CONF OPEN: Reported in QRadar 7.3.2 No workaround available.

It has been identified that an IPv6 Network Hierarchy can sometimes throw NullPointerException errors in QRadar logging when a rule is based off a network defined in remotenet.conf. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[ecs-ep.ecs-ep] [CRE Processor [0]] com.q1labs.semsources.cre.CustomRule: [ERROR][-/- -]Exception in rule 1496 - Connection to a Remote Proxy or Anonymization Service (Outbound): null
[ecs-ep.ecs-ep] [CRE Processor [0]] java.lang.NullPointerException
[ecs-ep.ecs-ep] [CRE Processor [0]] at com.q1labs.semsources.cre.tests.NetworkViewAny.match(NetworkViewAny.java)
[ecs-ep.ecs-ep] [CRE Processor [0]] at com.q1labs.semsources.cre.tests.NetworkView.testAny(NetworkView.java)
[ecs-ep.ecs-ep] [CRE Processor [0]] at com.q1labs.semsources.cre.tests.gen.NetworkView_AnyAny.test(NetworkView_AnyAny.java)
[ecs-ep.ecs-ep] [CRE Processor [0]] at com.q1labs.semsources.cre.tests.NetworkView_Test.test(NetworkView_Test.java:56)
[ecs-ep.ecs-ep] [CRE Processor [0]] at com.q1labs.semsources.cre.gen.TestExecutor_0_4.test(TestExecutor_0_4.java)
[ecs-ep.ecs-ep] [CRE Processor [0]] at com.q1labs.semsources.cre.CustomRule.test(CustomRule.java)
[ecs-ep.ecs-ep] [CRE Processor [0]] at com.q1labs.semsources.cre.CustomRule.test(CustomRule.java)
[ecs-ep.ecs-ep] [CRE Processor [0]] at com.q1labs.semsources.cre.CustomRuleSetExecutor.testRule(CustomRuleSetExecutor.java)
[ecs-ep.ecs-ep] [CRE Processor [0]] at com.q1labs.semsources.cre.CustomRuleSetExecutor.test(CustomRuleSetExecutor.java)
[ecs-ep.ecs-ep] [CRE Processor [0]] at com.q1labs.semsources.cre.LocalRuleExecutor.processEventInPropertyMode(LocalRuleExecutor.java)
[ecs-ep.ecs-ep] [CRE Processor [0]] at com.q1labs.semsources.cre.LocalRuleExecutor.processEvent(LocalRuleExecutor.java)
[ecs-ep.ecs-ep] [CRE Processor [0]] at com.q1labs.semsources.cre.CREEventProcessor.processEvent(CustomRuleEngine.java)
[ecs-ep.ecs-ep] [CRE Processor [0]] at com.q1labs.semsources.cre.CREEventProcessor.run(CustomRuleEngine.java)
15 May 2019
LOG SOURCES / USER INTERFACE IJ16162 QRADAR USER INTERFACE BECOMES UNRESPONSIVE DURING BULK CHANGES MADE TO A LARGE NUMBER OF LOG SOURCES USING THE API OPEN: Reported in QRadar 7.3.1 Patch 8 No workaround available.

It has been identified that the QRadar User Interface can sometimes become unresponsive due to a session leak caused by a large number of bulk changes made to Log Sources using the QRadar Log Source Management App (API) in QRadar environments with hundreds of thousands of Log Sources. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[tomcat.tomcat] [LogSourceServices_PersisterTimer] com.q1labs.rpcservices.LogSourceServices: [ERROR][-/- -]Unable to get session context to update device last seen times
[tomcat.tomcat] [LogSourceServices_PersisterTimer] java.util.ConcurrentModificationException
[tomcat.tomcat] [LogSourceServices_PersisterTimer] at gnu.trove.impl.hash.THashIterator.nextIndex(THashIterator.java)
[tomcat.tomcat] [LogSourceServices_PersisterTimer] at gnu.trove.impl.hash.THashIterator.hasNext(THashIterator.java)
[tomcat.tomcat] [LogSourceServices_PersisterTimer] at java.lang.Iterable.forEach(Iterable.java)
[tomcat.tomcat] [LogSourceServices_PersisterTimer] at com.q1labs.rpcservices.LogSourceUpdate.closePreparedStatements(LogSourceUpdate.java)
[tomcat.tomcat] [LogSourceServices_PersisterTimer] at com.q1labs.rpcservices.LogSourceServices$PersistLogSourceUpdateTask.persistLogSourceUpdates(LogSourceServices.java)
[tomcat.tomcat] [LogSourceServices_PersisterTimer] at com.q1labs.rpcservices.LogSourceServices$PersistLogSourceUpdateTask.run(LogSourceServices.java)
[tomcat.tomcat] [LogSourceServices_PersisterTimer] at java.util.TimerThread.mainLoop(Timer.java)
[tomcat.tomcat] [LogSourceServices_PersisterTimer] at java.util.TimerThread.run(Timer.java)
[tomcat.tomcat] [LogSourceServices_PersisterTimer] com.q1labs.frameworks.session.SessionContext: [ERROR][-/- -]28012 leak(s) detected in session context: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxx
[tomcat.tomcat] [LogSourceServices_PersisterTimer] com.q1labs.frameworks.session.SessionContext: [ERROR][-/- -]java.sql.PreparedStatement leak detected. Object created in following code path
[tomcat.tomcat] [LogSourceServices_PersisterTimer] java.lang.Exception
[tomcat.tomcat] [LogSourceServices_PersisterTimer] at com.q1labs.frameworks.session.BaseWrapper.(BaseWrapper.java)
[tomcat.tomcat] [LogSourceServices_PersisterTimer] at com.q1labs.frameworks.session.PreparedStatementWrapper.(PreparedStatementWrapper.java)
[tomcat.tomcat] [LogSourceServices_PersisterTimer] at com.q1labs.frameworks.session.ConnectionWrapper.prepareStatement(ConnectionWrapper.java)
[tomcat.tomcat] [LogSourceServices_PersisterTimer] at com.q1labs.rpcservices.LogSourceUpdate.getPreparedStatement(LogSourceUpdate.java:81)
[tomcat.tomcat] [LogSourceServices_PersisterTimer] at com.q1labs.rpcservices.LogSourceServices$PersistLogSourceUpdateTask.persistLogSourceUpdates(LogSourceServices.java)
[tomcat.tomcat] [LogSourceServices_PersisterTimer] at com.q1labs.rpcservices.LogSourceServices$PersistLogSourceUpdateTask.run(LogSourceServices.java)
[tomcat.tomcat] [LogSourceServices_PersisterTimer] at java.util.TimerThread.mainLoop(Timer.java)
[tomcat.tomcat] [LogSourceServices_PersisterTimer] at java.util.TimerThread.run(Timer.java)
15 May 2019
LOG SOURCE MANAGEMENT APP / USER INTERFACE IJ16160 TOMCAT OUT OF MEMORY CAN OCCUR WHEN ASSIGNING LOG SOURCES TO GROUPS IN SYSTEMS WITH VERY LARGE NUMBER OF LOG SOURCES OPEN: Reported in QRadar 7.3.1 Patch 8 No workaround available.

It has been identified that a Tomcat process out of memory can sometimes occur in QRadar environments with hundreds of thousands of Log Sources when assigning Log Sources to Log Source Groups using the Log Source Management App. When a Tomcat out of memory occurs, the QRadar User Interface becomes unavailable until all related services are running as expected.
15 May 2019
UPGRADE IJ16080 PATCHING QRADAR PACKET CAPTURE TO 7.3.1B322 CAN FAIL TO MOUNT /DEV/SDB1 PARTITION AFTER REBOOT OPEN: Reported in QRadar Packet Capture 7.3.1b322 Contact Support for a possible workaround that might address this issue in some instances.

It has been identified that after patching QRadar Packet Capture appliance to 7.3.1b322, the /dev/sdb1 partition does not mount after reboot.
16 May 2019
DATABASE / DATA IJ16063 QRADAR PACKET CAPTURE APPLIANCE NOT STORING NETWORK DATA AS EXPECTED DUE TO MONGODB PROCESS FAILURE OPEN: Reported in QRadar Packet Capture 7.3.1b322 No workaround available.

It has been identified that in some instances a PCAP appliance appears to be storing network data, but any attempt to do a PCAP search (natively or as a Forensics Recovery) shows 0 results.

The required mongod process can coredump and sometimes fails to restart due to a pid/lock file issue. Messages similar to the following might be visible in /var/log/messages when this particular issue occurs:
abrt[5377]: Saved core dump of pid 5277 (/usr/local/mongodb-linux-x86_64-3.4.1/bin/mongod) to /var/spool/abrt/ccpp-2019-02-28-16:28:41-5277 (215597056 bytes)
abrtd: Directory 'ccpp-2019-02-28-16:28:41-5277' creation detected
abrtd: Executable '/usr/local/mongodb-linux-x86_64-3.4.1/bin/mongod' doesn't belong to any package and ProcessUnpackaged is set to 'no'
abrtd: 'post-create' on '/var/spool/abrt/ccpp-2019-02-28-16:28:41-5277' exited with 1
abrtd: Deleting problem directory '/var/spool/abrt/ccpp-2019-02-28-16:28:41-5277'
16 May 2019
LICENSE IJ16043 PCAP LICENSE REPORTS AS “EVALUATION” ON INSTALLATIONS OF VERSION 730B307+ THAT ARE PATCHED UP TO 731B322 OPEN: Reported in QRadar Packet Capture 7.3.1b322 No workaround available.

It has been identified that when a valid PCAP license is applied to PCAP version 730b307+ that has been patched up to 731b322, the license that was displayed as “permanent” at the earlier version changes to display as “evaluation”.
16 May 2019
PCAP EXPORT / PERMISSIONS IJ16042 QRADAR INCIDENT FORENSICS USER WITH SYSTEM ADMIN ROLE THAT IS NOT THE ‘ADMIN’ USER CANNOT PERFORM DOWNLOAD OF A PCAP FROM THE USER INTERFACE CLOSED Resolved in QRadar 7.3.2 Patch 4 (7.3.2.20190803012943)

Workaround: Create another user without the “System Admin” role. Log in with the newly created user to complete the recovery and download the pcap file.

It has been identified that a QRadar user that has the “System Admin” role but is not the user “admin” cannot successfully perform a PCAP download. A message similar to the following is displayed when the download is attempted:
Error "Failed to load resource; the server responded with a
status of 400 (Bad Request)" or "...404 (Not Found)".
24 May 2019
UPGRADE / INSTALL IJ16041 QRADAR INSTALLATION HANGS WHEN USING COMPRESSED IPV6 ADDRESS OPEN: Reported in QRadar 7.3.2 versions No workaround available.

It has been identified that when using compressed IPv6 on a QRadar installation, the installation hangs during the local CA generation.
15 May 2019
DOMAINS / MULTITENANCY IJ16001 INCONSISTENT BEHAVIOR IN DOMAIN ENVIRONMENTS WITH HOW DISPATCHED EVENTS AND OFFENSES ARE OCCURRING CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

It has been identified that in a domain environment, there is an inconsistency in how dispatched events and offenses are tagged and handled. For example, either of the following can occur:
  • The dispatched events, networks, and offenses are generated in the Default Domain.
  • The dispatched events, networks, and offenses are in the same domain as the original domain events.
19 August 2019
LICENSE / USER INTERFACE IJ15970 QRADAR VULNERABILITY MANAGER (QVM) LICENSE WARNING BANNER CAN DISPLAY WHEN IT SHOULD NOT OPEN: Reported in QRadar Vulnerability Manager 7.3.1 Patch 7 No workaround available.

It has been identified that a QRadar Vulnerability Manager (QVM) license warning banner can be displayed when interfaces have been added to assets that have not been scanned by QVM. The licensed asset count incorrectly includes these unscanned assets. The message in the user interface appears similar to the following:
WARNING: You have scanned {number} assets but are only 
licensed to scan {number} assets. License Update Required!
08 May 2019
FLOWS IJ15964 QFLOW CAN SOMETIMES PARSE NETFLOW/JFLOW INCORRECTLY OPEN: Reported in QRadar 7.3.1 Patch 4 No workaround available.

It has been identified that in some instances invalid IP data or other incorrect data can be observed for flows that are received/parsed in the Network Activity tab. When this issue occurs, the following might be displayed in the user interface when viewing NETFLOW or JFLOW records:

  • IP addresses for flows might be displayed as 0.x.x.x addresses
  • Source bytes for the flow are only 10 bytes, but there are over 4 million packets.
13 May 2019
LOGS IJ15784 ‘NO JSESSIONID PASSED WITH COOKIE’ MESSAGES IN QRADAR LOGS OPEN: Reported in QRadar 7.3.2 versions No workaround available.

It has been identified that repeated messages similar to the following might be visible in /var/log/qradar.error and qradar.log:
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] com.q1labs.core.shared.jsonrpc.RPC: [WARN][-/- -]No JSESSIONID passed with cookie.
[ecs-ec.ecs-ec] [LastEventSeenProcessor] com.q1labs.core.shared.jsonrpc.RPC: [WARN][-/- -]No JSESSIONID passed with cookie.
08 May 2019
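As an added triage example (not IBM code and not part of the APAR table): a Python script that matches one-line /var/log/qradar.log records against the messages quoted above for IJ18357, IJ16941, IJ16162 and IJ15784 and reports which known issue each hit points at, together with the fix status the table gives for that APAR. The sample log is constructed from those quoted messages, re-joined to one line per record as qradar.log writes them.

```python
"""Map qradar.log lines to the APARs whose log signatures this table quotes.

Added example, not IBM code. Patterns are derived from the messages quoted for
IJ18357, IJ16941, IJ16162 and IJ15784; SAMPLE_LOG is constructed from those
same messages, one record per line.
"""
import re
from dataclasses import dataclass, field

# APAR -> regex over a single log line. Named groups capture the numbers a
# triager wants to see (collision threshold/average, session leak count).
SIGNATURES = {
    "IJ18357": re.compile(r"GeoLite2-City\.mmdb' exists but is read-only"),
    "IJ16941": re.compile(
        r"ChainAppendCache: \[WARN\].*is experiencing heavy COLLISIONS.*"
        r"threshold = (?P<threshold>\d+(?:\.\d+)?)\s+"
        r"average collisions = (?P<average>\d+(?:\.\d+)?)"
    ),
    "IJ16162": re.compile(r"(?P<leaks>\d+) leak\(s\) detected in session context"),
    "IJ15784": re.compile(r"No JSESSIONID passed with cookie"),
}

# Status as given in this APAR table (August 2019 snapshot).
FIX_STATUS = {
    "IJ18357": "OPEN: contact Support for a possible workaround",
    "IJ16941": "CLOSED: resolved in QRadar 7.3.2 Patch 4",
    "IJ16162": "OPEN: no workaround available",
    "IJ15784": "OPEN: no workaround available",
}

# Constructed sample, one record per line; line 2 is a stack frame and line 8
# is an unrelated message, neither of which should match.
SAMPLE_LOG = """\
[tomcat.tomcat] [LocationUtils_Timer] java.io.IOException: Destination '/store/configservices/deployed/globalconfig/GeoLite2-City.mmdb' exists but is read-only
[tomcat.tomcat] [LocationUtils_Timer] at org.apache.commons.io.FileUtils.copyFile(FileUtils.java)
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000050540] com.q1labs.frameworks.cache.ChainAppendCache: [WARN][-/- -]TargetIPtoID is experiencing heavy COLLISIONS exceeding configured threshold (this may have negative performance impact) threshold = 5.0 average collisions = 7.0
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000050540] com.q1labs.frameworks.cache.ChainAppendCache: [WARN][-/- -]LightTarget is experiencing heavy COLLISIONS exceeding configured threshold (this may have negative performance impact) threshold = 5.0 average collisions = 6.0
[tomcat.tomcat] [LogSourceServices_PersisterTimer] com.q1labs.frameworks.session.SessionContext: [ERROR][-/- -]28012 leak(s) detected in session context: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxx
[hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] com.q1labs.core.shared.jsonrpc.RPC: [WARN][-/- -]No JSESSIONID passed with cookie.
[ecs-ec.ecs-ec] [LastEventSeenProcessor] com.q1labs.core.shared.jsonrpc.RPC: [WARN][-/- -]No JSESSIONID passed with cookie.
[tomcat.tomcat] [pool-1-thread-10] com.q1labs.example.Unrelated: [INFO][-/- -]constructed filler line
"""


@dataclass
class Finding:
    apar: str
    line_no: int
    detail: dict = field(default_factory=dict)


def scan_log(text):
    """Return one Finding per line that matches a known signature.

    Stack-frame lines ('at ...') never match, so a multi-line trace yields a
    single finding for its message line. Captured numbers are parsed as floats.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for apar, pattern in SIGNATURES.items():
            m = pattern.search(line)
            if m:
                detail = {k: float(v) for k, v in m.groupdict().items()}
                findings.append(Finding(apar, line_no, detail))
                break  # one APAR per line
    return findings


def summarize(findings):
    """Count hits per APAR, attach the table's fix status, and for IJ16941
    report the worst average/threshold collision ratio seen."""
    counts = {}
    worst_ratio = 0.0
    for f in findings:
        counts[f.apar] = counts.get(f.apar, 0) + 1
        if f.apar == "IJ16941":
            worst_ratio = max(worst_ratio, f.detail["average"] / f.detail["threshold"])
    return {
        "counts": counts,
        "status": {apar: FIX_STATUS[apar] for apar in counts},
        "worst_collision_ratio": worst_ratio,
    }


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f"line {f.line_no}: {f.apar} {f.detail} -> {FIX_STATUS[f.apar]}")
    print(summarize(hits))
```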
CUSTOM PROPERTIES IJ15775 REGEXMONITOR FEATURE CAN SOMETIMES DISABLE CUSTOM PROPERTIES WITHOUT ANY SYSTEM NOTIFICATION OPEN: Reported in multiple QRadar 7.3.1 versions Contact Support for a possible workaround that might address this issue in some instances.

It has been identified that the RegexMonitor feature, which is designed to automatically disable expensive custom properties to prevent performance issues, can sometimes disable inexpensive custom properties without generating a System Notification.
01 May 2019
LOG SOURCE / SYSTEM NOTIFICATIONS IJ15665 DEVICE (+TYPE +GROUP) STOPPED SENDING EVENTS RULE TEST IS NO LONGER FIRING THE PROPER ‘DEVICE STOPPED SENDING EVENTS’ EVENT OPEN: Reported in QRadar 7.3.1 Patch 3 No workaround available.

It has been identified that QRadar is sometimes not generating the proper ‘device stopped sending events’ system notification event when the test fires (QID 38750074). A new event is generated if the “new event” response is selected, but it does not contain any identifiable information about the log source that stopped sending event data.
22 May 2019
TOPOLOGY / RISK MANAGER IJ15529 DISPLAY OF THE TOPOLOGY SCREEN IS ALWAYS BASED ON ADMIN USER SET OPEN: Reported in QRadar Risk Manager (QRM) 7.3.1 versions No workaround available.

It has been identified that when the Topology screen is selected, the displayed topology is based on the topology properties that are set by the admin user. Another user can edit and save the properties, but the displayed topology continues to use the admin user's properties.
18 April 2019
SERVICES / SCAN IMPORT IJ15513 IMQ PROCESS CAN GO OUT OF MEMORY WHEN IMPORTING A LARGE AMOUNT OF SCAN RESULTS OPEN: Reported in multiple QRadar versions No workaround available.

It has been identified that importing a large amount of scan results can sometimes cause the imq process on a QRadar Console to experience an Out of Memory occurrence. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
tomcat[31977]: 05-Feb-2019 10:58:40.758 WARNING [configservices@127.0.0.1 (2778) /console/JSON-RPC System.postScanResponse] com.sun.messaging.jmq.jmsclient.ExceptionHandler.logCaughtException [I500]: Caught JVM Exception: com.sun.messaging.jms.JMSException: [ADD_PRODUCER_REPLY(19)] [C4036]: A broker error occurred. :[500] Low memory user=qradar, broker=127.0.0.1:7676(7677)
[tomcat.tomcat] [configservices@127.0.0.1 (2778) /console/JSON-RPC System.postScanResponse] com.q1labs.rpcservices.VisServices: [ERROR][-/- -]Failed to post jms message
[tomcat.tomcat] [configservices@127.0.0.1 (2778) /console/JSON-RPC System.postScanResponse] com.sun.messaging.jms.JMSException: [ADD_PRODUCER_REPLY(19)] [C4036]: A broker error occurred. :[500] Low memory user=qradar, broker=127.0.0.1:7676(7677)
[tomcat.tomcat] [configservices@127.0.0.1 (2778) /console/JSON-RPC System.postScanResponse]    at com.sun.messaging.jmq.jmsclient.ProtocolHandler.throwServerErrorException(ProtocolHandler.java:4093)
[tomcat.tomcat] [configservices@127.0.0.1 (2778) /console/JSON-RPC System.postScanResponse]    at com.sun.messaging.jmq.jmsclient.ProtocolHandler.createMessageProducer(ProtocolHandler.java:1353)
[tomcat.tomcat] [configservices@127.0.0.1 (2778) /console/JSON-RPC System.postScanResponse]    at com.sun.messaging.jmq.jmsclient.ProtocolHandler.createMessageProducer(ProtocolHandler.java:1247)
[tomcat.tomcat] [configservices@127.0.0.1 (2778) /console/JSON-RPC System.postScanResponse]    at com.sun.messaging.jmq.jmsclient.ProtocolHandler.createMessageProducer(ProtocolHandler.java:1241)
23 April 2019
REPORTS / AQL IJ15497 FLOW SOURCE COLUMN AND FLOW INTERFACE COLUMN CAN DISPLAY ‘HOST_NAME’ INSTEAD OF THE EXPECTED HOSTNAME OPEN: Reported in QRadar 7.3.1 versions No workaround available.

It has been identified that the output in a report graph is ordered by event count instead of date as in the AQL that is used in the report. For example:
  1. Create a saved search using the following AQL query and provide a name to the search:
    Select DATEFORMAT(starttime, 'MM/dd/yyyy (E)') as "Date",
    SUM(eventcount) as "Event Count" from events WHERE qid =
    1003000005 Group by "Date" ORDER BY "Date" ASC last 7 DAYS
  2. Create a report with following settings
    • Chart type: Events/Log
    • Saved search: Type the query name created in step #1
    • Graph type: Bar
    • limit event/log to top: 50
    • Horizontal axis: Date
    • Vertical axis: Event Count
  3. Run the report.

    Results
    The report output is ordered by event count, instead of the ORDER BY “date” as defined in the advanced query (AQL).
26 April 2019
FLOWS / NETWORK ACTIVITY IJ15473 FLOW SOURCE COLUMN AND FLOW INTERFACE COLUMN CAN DISPLAY ‘HOST_NAME’ INSTEAD OF THE EXPECTED HOSTNAME OPEN: Reported in QRadar 7.3.1 versions No workaround available.

It has been identified that Flow Source column and Flow Interface column in the Network Activity tab can display “HOST_NAME” instead of the expected hostname.
01 May 2019
OFFENSES / COUNTS IJ15472 EVENT COUNT NUMBERS DO NOT MATCH IN THE OFFENSE DETAILS SCREEN WHEN CLICKING THE EVENT/FLOW COUNT OPEN: Reported in QRadar 7.3.1 Patch 4 No workaround available.

It has been identified that the Event count in the Offense details screen does not match the event count displayed when clicking the event/flow count. For rules that use the “when at least this many events are seen with the same event properties in this many minutes” condition, the Event/Flow count in an Offense does not match the Ariel search list of Events/Flows.
23 April 2019
DEVICE SUPPORT MODULE (DSM) IJ15445 CISCO ASA EVENTS CAN BE MISIDENTIFIED AS A POSSIBLE SECURITY INCIDENT DUE TO FLIPPED SOURCE AND DESTINATION IP OPEN: Reported in DSM-CiscoFirewallDevices-7.3-20181220154136.noarch No workaround available.

It has been identified that Cisco ASA ‘Teardown TCP Connection’ events are being misinterpreted as a potential security incident because the source and destination IP address are being flipped by QRadar. This issue can cause Rules/Offenses to be incorrectly fired/generated.
31 July 2019
LOG SOURCES / API IJ15429 TOMCAT OUT OF MEMORY CAN OCCUR WHEN PERFORMING AN ENABLE OR DISABLE OF A LOG SOURCE OPEN: Reported in QRadar 7.3.1 Patch 6 No workaround available.

It has been identified that performing an enable or disable of a Log Source using either the API (Log Source Management App) or the legacy Log Source management page can sometimes cause a tomcat out of memory in QRadar environments with a very large number of Log Sources.
01 May 2019
DATA NODE IJ15414 OUT OF MEMORY OCCURRENCES ON DATANODE APPLIANCES CAN BE EXPERIENCED DUE TO DEFAULT JVM SETTINGS BEING USED CLOSED Resolved in QRadar 7.3.2 Patch 4 (7.3.2.20190803012943)

It has been identified that Data Node appliances can be using default JVM memory settings instead of the QRadar tuned settings. When this issue occurs, “Out of Memory” errors can sometimes be experienced on affected Data Node appliances.
13 May 2019
QRADAR VULNERABILITY MANAGER / ASSETS IJ15360 ASSET VIEW DISPLAYS DIFFERENT VULNERABILITY COUNT VS THE ASSET SUMMARY VIEW WHEN QVM EXCEPTION VULNERABILITIES IS USED OPEN: Reported in QRadar 7.3.1 Patch 7 and 7.3.2 Patch 1 No workaround available.

It has been identified that the Asset View screen displays a different Vulnerability count compared to the Asset Summary view screen when QVM exception vulnerabilities are used. Details:
  1. The vulnerabilities count on the asset list page and the asset summary page do not match.
  2. The Vulnerabilities count on the asset view page includes excluded/exceptioned vulnerabilities, while the exceptioned vulnerabilities are not included in the asset summary page.
  3. Users expect to see x vulnerabilities, as displayed in the asset list page, but the number inside the asset summary screen appears low (x minus the vulnerability exclusions).
11 April 2019
REPORTS IJ15337 ‘APPLICATION ERROR: AN ERROR HAS OCCURED’ WHEN OPENING AN EMAIL LINK TO DOWNLOAD AN EXPORTED REPORT OPEN: Reported in QRadar 7.3.1 Patch 7 Workaround: When you receive the email, navigate to /store/exports on the QRadar Console and copy the file directly from the directory.

It has been identified that a message similar to “Application Error: an error has occurred.” can be generated when clicking on an email link to an exported report. For example:
  1. Export a QRadar search and select Notify me when complete.
  2. Users receive the following notification email:
    Your export job has completed. The file size exceeds the email attachment limit, you can download the results using the link below.
    *Note that the link is valid for one download only. https:///console/exportData?jobId=xxxx-xxxx-xxxx-xxx-xxxx
  3. When the user attempts to download the export with the provided link, an error message is generated: Application Error: an error has occurred.
26 April 2019
API / OFFENSES IJ15331 QRADAR OFFENSE API INEFFICIENCIES CAN CAUSE HIGHER THAN EXPECTED APPLIANCE SYSTEM LOAD OPEN: Reported in QRadar 7.3.1 Patch 7 No workaround available.

It has been identified that inefficiencies in the QRadar Offense API (/api/siem/offenses) endpoint around processing security permissions can cause a higher than expected CPU usage and processing time.
26 April 2019
HIGH AVAILABILITY (HA) / DISK SPACE IJ15328 HIGH AVAILABILITY APPLIANCE SHOWS AS FAILED STATE WHEN /TMP PARTITION AT 100% USAGE CAUSES CONF FILE TRUNCATION OPEN: Reported in QRadar 7.3.1 Patch 7 Contact Support for a possible workaround that might address this issue in some instances.

It has been identified that a High Availability (HA) appliance can display in failed state due to the /tmp partition filling to 100% usage. When this 100% /tmp usage situation occurs, the drbd.conf and ha.conf files, needed for proper HA functionality, can become truncated.
09 April 2019
OFFENSES / ANOMALY RULE IJ15298 ANOMALY DETECTION ENGINE (ADE) RULES FIRE 2 OFFENSES INSTEAD OF 1 WHEN DEFAULT RULE RESPONSES ARE CONFIGURED OPEN: Reported in QRadar 7.3.2 No workaround available.

It has been identified that enabled Anomaly Detection Engine (ADE) rules that are configured with the default Rule Response settings can generate two offenses instead of one when the rule fires. For example, when this issue occurs users might see the following:
  1. The offense that is expected to be seen.
  2. A second offense that is based off the Offense Source: Anomaly – Event CRE.
11 April 2019
WINCOLLECT IJ15297 MANAGED WINCOLLECT AGENTS DO NOT RECEIVE CONFIG UPDATES WHEN USING ‘ENCRYPT HOST CONNECTIONS’ IN CONSOLE SETTINGS OPEN: Reported in WinCollect 7.2.8 Patch 2 (7.2.8-145) No workaround available.

It has been identified that Managed WinCollect agents do not receive Config Updates if “Encrypt Host Connections” is selected under the “Console” appliance settings (System and License Management).

NOTE: “Encrypt Host Connections” has no benefit when this check box is selected on the QRadar Console appliance. This setting is specific to non-Console / managed host appliances and enables SSH tunnels for communication to managed hosts for data requested by the Console.
10 May 2019
RULES / RULE WIZARD IJ15295 CUSTOM/AQL ARITHMETIC PROPERTY IS NOT AVAILABLE TO SELECT IN THE RULE STACK TEST PAGE WHEN CREATING AN ANOMALY RULE IN THE RULE WIZARD OPEN: Reported in QRadar 7.3.1 Patch 7 No workaround available.

It has been identified that the sum of two fields is not getting populated for the “Accumulated property” at the Anomaly Rule Wizard > Rule Test Stack Editor page and a message “There are parameters in the test stack which have not been specified” is displayed. To reproduce or verify this issue, see the procedure below.
  1. In Network Activity tab, run the following advanced search:
    SELECT sourceip, SUM(sourcebytes+destinationbytes) AS TotalBytes FROM flows WHERE sourceip='IP_Address_Console' GROUP BY sourceip ORDER BY TotalBytes
  2. Save the criteria.
  3. Click Rule > Add Anomaly Rule.
  4. At the Rule Test Stack Editor, add the rule:
    Apply The_rule_Name when time series data is being aggregated by sourceip, TotalBytes and when the average value (per interval) of this accumulated property over the last 1 min
    Is at least 40% different from the average value (per interval) of the same property over the last 24 hours.
  5. Click on this accumulated property.
  6. Select the Accumulated Property for the anomaly:
    Test:SUM(AddDouble(DestinationBytes, SourceBytes))
  7. Click Submit, then Next.

    Results
    The error message: There are parameters in the test stack which have not been specified is generated in the User Interface.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[tomcat.tomcat] [admin@127.0.0.1 (5048)
/console/do/rulewizard/saveCustomizeConditionParameter]
com.q1labs.sem.ui.util.RuleConditionUtils: [WARN]
[-/- -]No lookup results found for user selection(s) 
SUM(SubtractDouble(SourceBytes, SourcePackets)) for method
com.q1labs.ariel.ui.RuleWizardUtils.getAggregatedSearchFields
09 April 2019
WINCOLLECT IJ15236 CYRILLIC TEXT IS DECODED INCORRECTLY WHEN WINCOLLECT FILE FORWARDING FILE CONTENT USES WINDOWS-1251 FORMATTING CLOSED Closed as unreproducible in next release. Upon further investigation of this issue as reported in WinCollect 7.2.2-2, it works in newer versions of WinCollect. WinCollect 7.2.9 was used to verify that the reported Cyrillic text issue could not be reproduced.

When configuring the File Forwarder plugin on WinCollect, switch the File Reader Encoding setting to UTF8 (no conversion). With this setting, the Cyrillic characters were displayed in the payload on QRadar.
26 July 2019
ASSETS IJ15215 ASSET SAVED SEARCH CRITERIA THAT IS CONFIGURED AS DEFAULT CHANGES ON SUBSEQUENT RESULT PAGES OPEN: Reported in QRadar 7.3.1 Patch 6 No workaround available.

It has been identified that asset saved search criteria that was set as default reverts to the original default values when viewing subsequent result pages (e.g. page 2).
11 April 2019
HIGH AVAILABILITY (HA) IJ15214 HIGH AVAILABILITY FAILOVER CAN DISPLAY A GENERIC MESSAGE ‘ERROR: COULDN’T UPDATE ROUTING TABLE’ OPEN: Reported in multiple QRadar versions No workaround available.

It has been identified that a required script fails at start_routing during a High Availability failover due to missing or incorrect network configuration file content. A default message similar to the following is displayed:
ERROR: Couldn't update routing table.
15 May 2019
PROTOCOLS IJ15213 AUTOMATIC CERTIFICATE DOWNLOADER USES TLS 1.0 BY DEFAULT AND FAILS WHEN VENDOR HAS DISABLED TLS 1.0 OPEN: Reported as a Protocol Common RPM issue Contact Support for a possible workaround that might address this issue in some instances.

It has been identified that the automatic certificate downloader uses TLS 1.0 by default when attempting to communicate. This fails when TLS 1.0 is disabled at the receiving end from which the certificate is obtained. Using Netskope as an example, the failure is displayed in /var/log/qradar.log as follows:
[ecs-ec-ingress.ecs-ec-ingress] [Thread-34177] com.q1labs.semsources.sources.netskopeactiverestapi.NetskopeActiveRESTAPIProvider: [ERROR][-/--]Unable to download certificate chain from [example.goskope.com:443]
[ecs-ec-ingress.ecs-ec-ingress] [Thread-34177] com.q1labs.semsources.sources.netskopeactiverestapi.NetskopeActiveRESTAPIProvider: [ERROR][-/--]An error occured when trying to configure a source connection for provider class com.q1labs.semsources.sources.netskopeactiverestapi.NetskopeActiveRESTAPIProvider254
[ecs-ec-ingress.ecs-ec-ingress] [Thread-34177] java.lang.Exception: Server [[example.goskope.com:443] presented no certificate chain!
[ecs-ec-ingress.ecs-ec-ingress] [Thread-34177]  at com.q1labs.semsources.sources.utils.certificate.CertificateDownloader.getCertificate(CertificateDownloader.java)
[ecs-ec-ingress.ecs-ec-ingress] [Thread-34177] at com.q1labs.semsources.sources.utils.certificate.CertificateDownloader.downloadCertificates(CertificateDownloader.java)
[ecs-ec-ingress.ecs-ec-ingress] [Thread-34177] at com.q1labs.semsources.sources.utils.certificate.CertificateDownloader.downloadCertificates(CertificateDownloader.java)
[ecs-ec-ingress.ecs-ec-ingress] [Thread-34177] at com.q1labs.semsources.sources.netskopeactiverestapi.NetskopeActiveRESTAPIProvider.checkCerts(NetskopeActiveRESTAPIProvider.java)
[ecs-ec-ingress.ecs-ec-ingress] [Thread-34177] at com.q1labs.semsources.sources.netskopeactiverestapi.NetskopeActiveRESTAPIProvider.preExecuteConfigure(NetskopeActiveRESTAPIProvider.java:53)
[ecs-ec-ingress.ecs-ec-ingress] [Thread-34177]    at com.q1labs.semsources.sources.base.SourceProvider.run(SourceProvider.java:179)
[ecs-ec-ingress.ecs-ec-ingress] [Thread-34177] com.q1labs.semsources.sources.netskopeactiverestapi.NetskopeActiveRESTAPISource: [ERROR][-/--] There appears to be a configuration issue with the provider connection 'class com.q1labs.semsources.sources.netskopeactiverestapi.NetskopeActiveRESTAPIProvider254'.
27 May 2019
DISK SPACE / DISK MAINTENANCE IJ14984 LOGROTATE CONFIGURATION NEEDS TO BE UPDATED TO BETTER HANDLE /VAR/LOG/CRON.LOG OPEN: Reported in multiple QRadar versions No workaround available.

It has been identified that QRadar’s logrotate configuration needs to be updated to better handle rotation of the /var/log/cron.log file to prevent it from growing too large.
01 April 2019
AUTO UPDATE / PROXY IJ14781 AUTOUPDATE PROXY SETTING PASSWORD CONTAINING A '#' (POUND) OR '?' (QUESTION MARK) SYMBOL BREAKS THE PROXY CALL OPEN: Reported in multiple QRadar versions No workaround available.

It has been identified that when the AutoUpdate proxy password contains either a # (pound) or ? (question mark) symbol, it breaks the proxy call and can result in the password being displayed in autoupdate logs.
24 May 2019
UPGRADE / OFFENSES IJ14779 REQUIRED APPLIANCE REBOOT DURING QRADAR PATCHING CAN SOMETIMES CAUSE DATA LOSS, A SOFT CLEAN SIM, OR FILE CORRUPTION OPEN: Reported in QRadar 7.3.0 and 7.3.1 versions No workaround available.

It has been identified that when a required appliance reboot occurs during QRadar patches (kernel update) there is the possibility of data loss, a corrupted offense model (forcing a Soft Clean SIM), or other file corruption. This issue can occur when QRadar processes are not allowed to shut down successfully prior to the appliance reboot occurring.
24 May 2019
UPGRADE / PRETEST IJ14475 QRADAR PATCH HANGS WHEN ONE OR MORE HOSTS IN THE DEPLOYMENT ARE UNREACHABLE CLOSED Resolved in QRadar 7.3.2 Patch 4 (7.3.2.20190803012943)

It has been identified that during a QRadar patch, the patch can hang for a longer than expected period of time when one or more Managed Hosts in the Deployment are not reachable via SSH (network issue, powered off, etc.). When this issue occurs, the following error message can be displayed:
Patch Report for {ApplianceIP}, appliance type: 3199
Patch pretest 'Validate deployment hostnames' failed. (validate_hostname.sh)
{Hostname} :  patch test failed.

Press enter to continue...
28 May 2019
SEARCH / SERVICES IJ14442 ARIEL PROXY OUT OF MEMORY OCCURRENCES CAN BE OBSERVED WHEN LARGE SEARCHES WITH AGGREGATIONS ARE PERFORMED OPEN: Reported in QRadar 7.3.1 Patch 8 No workaround available.

It has been identified that the ariel proxy service can experience Out of Memory occurrences when large searches are performed that include data aggregations (many columns, custom properties, etc.).

When 'Out of Memory' occurrences are experienced with the ariel proxy service, java heap dumps (/store/jheap) can be examined by Support to identify whether these types of searches are the cause.
01 May 2019
HIGH AVAILABILITY (HA) / PORT SCAN IJ14440 ‘EXCEPTION NOT HANDLED. UNDEFINED BEHAVIOR’ MESSAGE IN LOGGING ON QRADAR HIGH AVAILABILITY APPLIANCES OPEN: Reported in QRadar 7.2.8 Patch 5 Contact Support for a possible workaround that might address this issue in some instances.

It has been identified that messages similar to the following might be visible in /var/log/qradar.log on High Availability (HA) appliances when a Qualys scanner is configured to target a wide range of ports, including port 10101:
[ha_manager] [NIOServer:10101] com.q1labs.ha.manager.nio.NIOServer: [WARN] [NOT:0000004000][{HA-HostIP}/- -] [-/- -]read socket Socket[addr=/QUALYS_SCANNER,port=57459,localport=10101] returns -1
[ha_manager] [HeartbeatWorkerThread] com.q1labs.ha.manager.HAManager: [FATAL] [NOT:0000003000][{HA-HostIP}/- -] [-/- -]Exception not handled. Undefined behavior
[ha_manager] [HeartbeatWorkerThread] com.q1labs.ha.manager.protocol.ProtocolException: Unknown protocol version -128.49
[ha_manager] [HeartbeatWorkerThread]    at com.q1labs.ha.manager.heartbeat.HeartbeatProtocolImpl.poll(HeartbeatProtocolImpl.java:44)
[ha_manager] [HeartbeatWorkerThread]    at com.q1labs.ha.manager.heartbeat.HeartbeatChannel.getLastRequests(HeartbeatChannel.java:39)
[ha_manager] [HeartbeatWorkerThread]    at com.q1labs.ha.manager.heartbeat.HeartbeatWorkerThread.process(HeartbeatWorkerThread.java:45)
[ha_manager] [HeartbeatWorkerThread]    at com.q1labs.ha.manager.heartbeat.HeartbeatWorkerThread.run(HeartbeatWorkerThread.java:195)
Jul 16 05:24:30 ::ffff:{HA-HostIP} [ha_manager] [HAManager] com.q1labs.ha.manager.HAManager: [WARN] [NOT:0000004000][/- -] [-/- -]Failed to load /opt/qradar/ha/local.ess
Jul 16 05:24:30 ::ffff:{HA-HostIP} [ha_manager] [HAManager] com.q1labs.ha.manager.heartbeat.HeartbeatServer: [WARN] [NOT:0000004000][/- -] [-/- -]ESS_UPDATE not sent, channel = null
Jul 16 05:24:32 ::ffff:{HA-HostIP} [ha_manager] [IPCWorkerThread] com.q1labs.ha.manager.heartbeat.HeartbeatServer: [WARN] [NOT:0000004000][{HA-HostIP}/- -] [-/- -]SA_UPDATE not sent, channel = null
15 May 2019
LICENSE IJ14252 LARGE FLOW LICENSE CAN BE APPLIED TO QRADAR BUT ANY LICENSE AMOUNT OVER 1.2 MILLION FPM IS NOT HONORED BY QRADAR OPEN: Reported in QRadar 7.3.2 Patch 1 No workaround available.

It has been identified that applying flow licensing of larger than 1.2 million flows per minute (FPM) is not honored by QRadar. The system is capped at the 1.2 million FPM amount.
15 May 2019
DISK SPACE IJ14139 LOGROTATE CAN FAIL TO RUN WHEN PARTITION IS FULL AND "ALERT EXITED ABNORMALLY WITH [1]" IN /VAR/LOG/MESSAGES CLOSED Resolved in QRadar 7.3.2 Patch 4 (7.3.2.20190803012943)

It has been identified that logrotate can create a zero byte file when the partition has filled, after which subsequent logrotate runs fail. When this occurs, monitored partitions containing logs are more vulnerable to being filled.

IMPORTANT: When disk usage of a monitored partition reaches 95%, QRadar data collection and search processes are shut down to protect the file system from reaching 100%.

Messages similar to the following might be visible in /var/log/messages when this issue occurs:
Feb 22 14:06:48 ip-191-172 logrotate: ALERT exited abnormally with [1]
16 May 2019
VULNERABILITY SCAN / SCAN TOOLS IJ14136 VULNERABILITY MANAGER SCANS DO NOT RESPECT CONFIGURED OPERATIONAL WINDOWS OPEN: Reported in multiple QRadar Vulnerability Manager versions

It has been identified that QRadar Vulnerability Manager (QVM) scan tools that are launched within an operational window can continue to run beyond the end of the operational window.
27 February 2019
NETWORK SETUP / INTERFACES IJ14133 INCORRECT RX AND TX RING BUFFER SETTINGS CAN CAUSE PERFORMANCE ISSUES ON BOND0 OR BOND1 MANAGEMENT INTERFACES OPEN: Reported in QRadar 7.2.8, 7.3.0, and 7.3.1 versions

It has been identified that when bond0 is used for a QRadar management interface or bond1 for a crossover interface, ethtool can incorrectly set the hardware parameters for the NIC driver tx and rx ring buffers on the bond interface instead of on the underlying slave interfaces. Because it is the slave interfaces that actually hold the hardware parameters, and because it is possible to bond different NICs (Broadcom, Intel 1 GB, Intel 10Gb, etc.), in some cases the hardware interfaces default to their boot-up driver values. Intel NICs can sometimes default to a setting of 256 out of 4096 for both the tx and rx ring buffers. When this situation occurs, "SAR sentinel - threshold crossed" messages referencing dropped packets, or other performance related issues, can sometimes be observed with QRadar.
15 March 2019
DEVICE SUPPORT MODULE (DSM) IJ13746 INCONSISTENT USER INTERFACE STATUS MESSAGES AND ISSUE WITH AUTO ACQUIRE CERTIFICATE USING THE OKTA RESTAPI PROTOCOL OPEN: Reported in QRadar 7.3.1 versions

It has been identified that inconsistent and confusing status messages can sometimes be generated when using the Okta RESTAPI Protocol, along with functionality issues with the Auto Acquire Certificate option in the user interface.
  1. In some instances a Log Source that should show an error stays in Success. The error for an Okta Log Source is recorded in qradar.error but nothing is shown in the User Interface (UI). When an error does appear for a Log Source in the UI, it can change from Error -> Success within a few seconds (even when nothing is changed or refreshed for the Log Source).
  2. User interface status messages can be vague. For example: "Error communicating with remote Okta API resource". This general message can appear when a connection is dropped or rejected, when there is a wrong proxy IP, or when there is a wrong proxy host.
  3. When an error appears for any Log Source in the qradar.error log, the debug log for that log source displays the message "status changed from HEARTBEAT to HEARTBEAT" repeatedly. The message "Polling time has arrived. Will now try to execute quer(y|ies)" can also be observed, although the Log Source should not be in HEARTBEAT once it throws the error.
  4. When an incorrect Okta IP or Hostname is set while configuring an Okta Log Source, an error message is generated in the qradar.error log (the error displayed depends on whether a proxy is used or not).
    - When using a proxy: nullpointerexception
    - When not using a proxy, the expected error message appears in the logs: "The Okta Remote IP or Hostname provided could not be reached."
  5. Proxy. After creating a Log Source with correct proxy information and then updating it with an incorrect proxy password, no error is thrown and events are received without issue.
  6. API. UI validation for proxyServer, proxyUsername, and proxyPassword restricts entries to 255 characters; the API has no such restriction for proxyServer, proxyUsername, and proxyPassword. Based on the sensorprotocolparameter, proxyPort is required but proxy username is not, and proxyPassword is required but proxy username is not. If proxy port is required, proxy IP should also be required; likewise, if proxy password is required, proxy username should also be required.
26 February 2019
SCAN RESULTS IJ13700 QRADAR VULNERABILITY MANAGER (QVM) SCAN RESULT CSV FILE CAN INCORRECTLY DISPLAY IP ADDRESSES ACROSS MULTIPLE COLUMNS OPEN: Reported in QRadar 7.3.1 versions No workaround available.

It has been identified that when a scan result is exported from the Vulnerability Tab in CSV format, the generated .csv file can sometimes contain IP addresses spread across multiple columns, and the results are incorrect. When this occurs, the scan result is not readable.
26 February 2019
AUTHENTICATION / LDAP IJ13595 LDAP LOGINS CAN FAIL IF PAGINATION IS DISABLED FOR BIND USER OPEN: Reported in QRadar 7.3.1 Patch 6 and later Workaround: Enable paging for the bind user, or change the bind user to one that has paging allowed.

It has been identified that QRadar LDAP logins can fail if pagination is disabled for bind user. In the LDAP authentication setup, test connection to the backend server succeeds. If group authentication is used, group load fails.
26 April 2019
EMAIL IJ13589 SETTING A LARGE 'MAX EMAIL ATTACHMENT SIZE' CAN PREVENT POSTFIX FROM STARTING OPEN: Reported in QRadar 7.3.1 and 7.3.2 versions Workaround: Lower the "Max Email Attachment Size" limit in the QRadar User Interface: Admin tab > System Settings.

It has been identified that setting "Max Email Attachment Size" in QRadar System Settings to a large number can prevent postfix from being started. Postfix has mailbox_size_limit and message_size_limit configuration properties, and this setting can push message_size_limit above mailbox_size_limit, which postfix rejects at startup. Messages similar to the following might be visible in maillog when this issue occurs:
fatal: main.cf configuration error: 
mailbox_size_limit is smaller than message_size_limit
15 May 2019
AUTHENTICATION / LDAP IJ13588 LDAP GROUP BASED AUTHENTICATION: 'SORRY, AN ERROR OCCURRED' WHEN A SECURITY PROFILE OR USER ROLE HAS AN '&' IN THE NAME OPEN: Reported in QRadar 7.3.1 and 7.3.2 versions Workaround: Change the name of the user role or security profile to use "and" instead of the '&' (ampersand) symbol.

It has been identified that when user roles or security profiles have an '&' (ampersand) in them (eg. R&D or Systems & Networking) and then LDAP based authentication is attempted to be configured, those security profiles or user roles are not visible nor are any others that come after them.
15 May 2019
HIGH AVAILABILITY (HA) IJ13486 REMOVE HA (HIGH AVAILABILITY) PROCESS CAN FAIL WHILE PERFORMING A PID CHECK ON THE HA_SETUP SCRIPT OPEN: Reported in QRadar 7.3.1 Patch 6 Contact Support for a possible workaround that might address this issue in some instances.

It has been identified that attempting to perform a Remove HA (High Availability) from within the QRadar User Interface can sometimes fail when performing a PID check on the ha_setup script. This has been observed when a Deploy function is in progress when the Remove HA is performed. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[hostcontext.hostcontext] [Thread-1885552] ComponentOutput: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream ha_setup.sh: Jan 29 10:35:10: [HA Setup (S-M----)] [ERROR] Another instance of the HA setup script is already running.
[hostcontext.hostcontext] [xxxxx-xxxx-xxxx-xxx-xxxxxxx/SequentialEventDispatcher] com.q1labs.configservices.controller.ServerHostStatusUpdater: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Sent update status of host 127.0.0.1 to REMOVED_FAILED
15 May 2019
GEOGRAPHIC DATA IJ13413 GEOGRAPHIC RULE TESTS USING 'AND NOT WHEN THE SOURCE IS LOCATED IN OTHER' ARE NOT WORKING AS EXPECTED OPEN: Reported in QRadar 7.3.1 versions Workaround: Other geographic rule test "and when the source IP is a part of any of the following geographic network locations" works as expected.

It has been identified that Rule tests for "and NOT when the source is located in other" matches all events, regardless of whether the Network Hierarchy has the GEO defined for the IP range or not.
15 April 2019
SCAN / CENTRALIZED CREDENTIALS IJ13412 WARNING ICON DISPLAYED NEXT TO A SCAN RESULT WHEN SNMP COMMUNITY STRING IS DEFINED IN CENTRALIZED CREDENTIALS OPEN: Reported in QRadar 7.3.1 Patch 7 Workaround: Use the Additional Credentials tab rather than Centralized Credentials.

It has been identified that when an SNMP community string is used for scans via Centralized Credentials, an error (yellow warning triangle icon) is displayed next to the scan results. The results can differ from those obtained with the SNMP community string set in the Additional Credentials tab when creating a Scan Profile.
12 February 2019
HIGH AVAILABILITY (HA) IJ13410 HIGH AVAILABILITY SECONDARY APPLIANCE DEPLOY CAN FAIL WITH 'ANOTHER INSTANCE OF THE HA SETUP SCRIPT IS ALREADY RUNNING' OPEN: Reported in QRadar 7.3.0 and 7.3.1 versions No workaround available.

It has been identified that when multiple deploys occur to a QRadar High Availability (HA) Secondary appliance (can sometimes happen with Autoupdate), a message similar to "Another instance of the HA setup script is already running. Skipping HA deploy operation." and a /opt/qradar/ha/.local_ha_failed token can be generated. When this situation occurs, the HA Secondary appliance can become unresponsive.
13 May 2019
SEARCH / GEOGRAPHIC DATA IJ13408 INCONSISTENT RESULTS FROM A SAVED SEARCH RUN AGAINST GEO DATA VS A REPORT RUN OFF THAT SAME SAVED SEARCH OPEN: Reported in QRadar 7.3.1 Patch 5 Interim Fix 01 No workaround available.

It has been identified that a Saved Search run against geo data returns less data than a Report running off that same Saved Search. Some of the data correlates between the Search results and the Report results, but some data entries are missing from the Search results.
12 February 2019
CUSTOM PROPERTIES IJ13320 CUSTOM PROPERTY DEFINITION WINDOW 'LOG SOURCE FILTER' CANNOT ACCESS/DISPLAY ANY LOG SOURCES OPEN: Reported in QRadar 7.3.1 Patch 7 Contact Support for a possible workaround that might address this issue in some instances.

It has been identified that when in the Custom Property Definition window and attempting to use the Select Log Source option from within Property Expression Definition, no Log Sources are displayed. For example:
  1. Open the Admin tab.
  2. Open the "Custom Event Properties" window, and select any CEP from within the window.
  3. Click on either the Edit or Add button.
  4. In "Custom Property Definition window" -> Property Expression Definition -> Select Log Source Type (eg. "Microsoft Windows Security Event Log" or "Universal DSM").
  5. No log sources are displayed.
  6. Put a Log Source name in "Log Source Filter". Same result, nothing is displayed.
28 May 2019
LICENSE IJ13319 LICENSE POOL MANAGEMENT CAN DISPLAY "N/A" FOR THE EPS RATE FOR SOME HOSTS WITH A NULL POINTER EXCEPTION IN THE LOGS OPEN: Reported in QRadar 7.2.8 and later versions No workaround available.

It has been identified that in some instances the EPS rate for a host can display as "N/A" in the License Pool Management window. This has most often been observed with High Availability hosts. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs. Note that the Global View (GV) number can vary in the log messages:
{hostname}[hostcontext.hostcontext] [xxxx-xxxx-xxx-xxx-xxxxxxxx/SequentialEventDispatcher] com.q1labs.hostcontext.licensing.LicenseMonitor: [INFO] [NOT:0000006000][Con.sol.eIP.20/- -] [-/- -]Following message suppressed 1 times in 300000 milliseconds
{hostname}[hostcontext.hostcontext] [xxxx-xxxx-xxx-xxx-xxxxxxxx/SequentialEventDispatcher] com.q1labs.hostcontext.licensing.LicenseMonitor: [ERROR] [NOT:0000003000][Con.sol.eIP.20/- -] [-/- -]Cannot retrieve data for GV_10023_HOURLY
{hostname}[hostcontext.hostcontext] [xxxx-xxxx-xxx-xxx-xxxxxxxx/SequentialEventDispatcher] java.lang.NullPointerException
{hostname}[hostcontext.hostcontext] [xxxx-xxxx-xxx-xxx-xxxxxxxx/SequentialEventDispatcher] at com.q1labs.hostcontext.licensing.Statistics.getIP(Statistics.java)
{hostname}[hostcontext.hostcontext] [xxxx-xxxx-xxx-xxx-xxxxxxxx/SequentialEventDispatcher] at com.q1labs.hostcontext.licensing.Statistics.updateEPSorFPS(Statistics.java)
{hostname}[hostcontext.hostcontext] [xxxx-xxxx-xxx-xxx-xxxxxxxx/SequentialEventDispatcher] at com.q1labs.hostcontext.licensing.Statistics.getEpsFps(Statistics.java)
06 February 2019
UPGRADE / HIGH AVAILABILITY (HA) IJ13316 OFFENSE INDEXING ON A CUSTOM EVENT PROPERTY (CEP) THAT HAS A UTF 0X00 (NULL) VALUE CAN CAUSE OFFENSES TO STOP GENERATING OPEN: Reported in QRadar 7.3.1 Patch 1

It has been identified that Offense generation in QRadar can stop occurring when Offenses are being indexed on a Custom Event Property (CEP) that has a utf 0x00 (null) value. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[ecs-ep.ecs-ep] [MPC/CleanupAndPersistence[1]] com.q1labs.sem.magi.contrib.ModelPersister: [INFO] [-/- -]Saving TX 0000035761 0.02MB
[ecs-ep.ecs-ep] [MPC/CleanupAndPersistence[1]] com.q1labs.sem.magi.contrib.ModelPersister: [INFO] [-/- -]Harvested 34 commands in 0:00:00.174
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000035761] com.q1labs.sem.magi.contrib.ModelPersister: [INFO] [-/- -]Processing TX 0000035761 (1/1) 0.02MB
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000035761] com.q1labs.sem.magi.contrib.ModelPersister: [WARN] [-/- -]Exception encounted when executing transaction 35761.
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000035761] com.q1labs.sem.magi.contrib.PersistenceException: Failed to persist sem model
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000035761] Caused by:
[ecs-ep.ecs-ep] [MPC/PersisterThread@0000035761] org.postgresql.util.PSQLException: ERROR: invalid byte sequence for encoding "UTF8": 0x00

Workaround:
  • Identify the rule that was triggered at the time the error log above (Problem Description) was generated.
  • Modify it to Index on a standard property instead of a CEP or modify the CEP so that it is not capturing null values.
A soft clean sim can be performed after the above modifications have been made for Offense generation to be corrected: Admin -> Advanced -> Clean SIM model -> Soft Clean
*NOTE: Performing a Soft Clean: Closes all offenses, but does not remove them from the system.
20 March 2019
QUICK FILTER / QVM IJ13234 QUICK SEARCH MENU BAR IN QRADAR VULNERABILITY MANAGEMENT (QVM) WINDOW DOES NOT EXIST FOR QRADAR LDAP USERS OPEN: Reported in QRadar 7.3.1 Patch 6

It has been identified that the Quick Search menu does not exist in the Vulnerability Management windows of the QRadar User Interface for users created from LDAP authentication.

  • Use a QRadar created user instead of an LDAP one.
    or
  • Contact Support for a possible workaround that might address this issue in some instances.
11 February 2019
UPGRADE / HIGH AVAILABILITY (HA) IJ12889 UPGRADE OF SECONDARY EVENT COLLECTOR CAN FAIL DUE TO PATCH_TEST_QRADAR AND PATCH_TEST_FUSIONVM OPEN: Reported in QRadar 7.3.1 Patch 1 Contact Support for a possible workaround that might address this issue in some instances.

It has been identified that a QRadar upgrade can sometimes fail on a Secondary Event Collector when the patch_test_qradar and/or patch_test_fusionvm database fails to start, and subsequent attempts then fail because the database already exists. Messages similar to the following might be visible in the patches.log file when this issue occurs:
2018:[DEBUG](s-ni-patchmode) isStoreMounted - yes, returning 1
2018:[DEBUG](s-ni-patchmode) Executing 'CREATE DATABASE patch_test_qradar WITH TEMPLATE qradar OWNER qradar;' in root single user mode for QRadar database.
Dec  6 14:03:24 2018:[DEBUG](s-ni-patchmode) read only line from /store/postgres/data/postgresql.conf: default_transaction_read_only = true
Dec  6 14:03:24 2018:[DEBUG](s-ni-patchmode) Running: "/bin/cp -f /store/postgres/data/postgresql.conf /store/postgres/data/postgresql.conf.bak"
Dec  6 14:03:24 2018:[DEBUG](s-ni-patchmode) Running: "sed -i 's/\s*\#*\s*default_transaction_read_only\s*=.*/default_transaction_read_only = false/g' /store/postgres/data/postgresql.conf"
Dec  6 14:03:24 2018: [DEBUG](s-ni-patchmode) Running SQL: echo 'CREATE DATABASEpatch_test_qradar WITH TEMPLATE qradar OWNER qradar;' | exec su postgres -c "/usr/pgsql-9.6/bin//postgres --single -O -D /store/postgres/data "
Dec  6 14:03:24 2018: [WARN](s-ni-patchmode) ERROR: database "patch_test_qradar" already exists
Dec  6 14:03:24 2018: [WARN](s-ni-patchmode) STATEMENT: CREATE DATABASE patch_test_qradar WITH TEMPLATE qradar OWNER qradar;
20 March 2019
REPORTS IJ12888 REPORTS FAIL TO GENERATE AFTER A CONSOLE MIGRATION HAS BEEN PERFORMED OPEN: Reported in QRadar 7.3.1 Patch 1 Contact Support for a possible workaround that might address this issue in some instances.

It has been identified that after a console migration, Reports can sometimes fail to generate with an error message similar to the following in /var/log/qradar.log:
[reporting_executor.reporting_executor] [Report Queue]
com.q1labs.reporting.ReportServices: [ERROR][-/- -]"Lock to templates
folder is acquired by another process, skipping templates reload."
28 January 2019
RULE RESPONSE LIMITER IJ12546 ANOMALY DETECTION THRESHOLD RULES SOMETIMES ARE NOT RESPECTING THE SETTINGS CONFIGURED FOR THE RULE RESPONSE LIMITER OPEN: Reported in QRadar 7.3.1 Patch 6 No workaround available.

It has been identified that when an Anomaly Detection (ADE) rule is configured to dispatch an event AND have the dispatched event generate an offense, the responseLimiterHostType uses the offensetype instead of attacker or target, causing offensemappertype to be null. This behavior results in the Response Limiter settings not being respected. When an ADE rule is configured to dispatch an event only (without generating an offense), the Response Limiter works as expected.
28 January 2019
RULES IJ12545 "BB:CATEGORYDEFINITION: AUTHENTICATION FAILURES" IS SOMETIMES NOT DISPLAYED IN THE RULE WIZARD OPEN: Reported in QRadar 7.3.1 versions No workaround available.

It has been identified that in some instances, the Building Block "BB:CategoryDefinition: Authentication Failures" is displayed in the list of available building blocks on the Rules page, but is not displayed as an available option in the QRadar Rules wizard.
28 January 2019
SYSTEM NOTIFICATIONS IJ13237 SAR SENTINEL THRESHOLD CROSSED SYSTEM NOTIFICATION FOR DROPPED PACKETS CAN BE CAUSED BY RHEL7 PACKET HANDLING/REPORTING OPEN: Reported in QRadar 7.3.1 versions Workaround: Disable "Dropped Receive Packets" notification from Admin -> Global System Notifications

This has most often been observed in environments using bonded interfaces. For more information, see: https://access.redhat.com/solutions/2073223.

It has been identified that messages similar to the following can sometimes be generated in QRadar due to RHEL7 packet drop reporting/handling methods:
[hostcontext.hostcontext] [Thread-255]
com.q1labs.hostcontext.sar.SarSentinel: [WARN]
[NOT:0150124100][127.0.0.1/- -] [-/- -]Dropped receive packets
on interface eno1 has an average of 47.7 over the past 5
intervals, and has exceeded the configured threshold of 1.0.
To resolve: If your system continues to exhibit this behavior,
please contact Customer Support.
13 May 2019
OFFENSES IJ12521 SELECTING 'SHOW INACTIVE CATEGORIES' WHEN VIEWING OFFENSE 'BY CATEGORY' DISPLAYS RESULTS AS "NONE" OR "0" OPEN: Reported in QRadar 7.3.1 Patch 7 No workaround available.

It has been identified that selecting 'Show Inactive Categories' in the Offense view 'By Category' displays either "None" or "0" for results. For example:
  1. Click the Offenses tab.
  2. Select By Category.
  3. Select Show inactive Categories.

    Results
    What is displayed is either a value of "0" or "None".
28 January 2019
SERVICE / EVENT COLLECTORS IJ18032 EC CAN FAIL TO PROCESS/PARSE EVENTS AFTER PATCHING TO 7.3.2 P3 IF YOU HAVE PRE-EXISTING ROUTING RULES CONFIGURED CLOSED Resolved in QRadar 7.3.2 Patch 4 (7.3.2.20190803012943).

It has been identified that after patching to QRadar 7.3.2 Patch 3, events received by QRadar collector appliances can fail to be processed/parsed when an event forwarder or routing rule has been configured in QRadar. In these instances, the events are successfully received by the collector in the ecs-ec-ingress process, but are not sent to the ecs-ec process for parsing.

IMPORTANT UPDATE TO IJ18032
  1. Administrators who use Event Collector appliances (15xx) with routing rules are advised to apply QRadar 7.3.2 Patch 4 (now released) rather than Patch 3, as described in the QRadar Support Flash Notice.
  2. Administrators with Event Collectors and routing rules in their deployment who have already upgraded to QRadar 7.3.2 Patch 3 (7.3.2.20190705120852) can contact Support for a hot fix for this issue.

To check whether an Event Collector is affected, run the threadTop.sh script from the command line on the QRadar Event Collector appliance:
/opt/qradar/support/threadTop.sh -p 7777 -e "ECS Runtime" -s -n 20

The following threadTop.sh output identifies that the QRadar Event Collector appliance is affected:
System Time: 31/07/2019 at 14:49:55.637
"ECS Runtime Thread" Id=67 in TIMED_WAITING (running in native)
at java.lang.Thread.sleep(Native Method)
at java.lang.Thread.sleep(Thread.java:942)
at com.q1labs.core.shared.ariel.ArielSearchLite.waitForArielClient(ArielSearchLite.java)
at com.q1labs.core.shared.ariel.ArielSearchLite.toQueryParams(ArielSearchLite.java)
at com.q1labs.core.shared.ariel.ArielSearchLite.toQueryParams(ArielSearchLite.java)
at com.q1labs.core.shared.ariel.ArielSearchLite.toQueryParams(ArielSearchLite.java)
at com.q1labs.core.shared.ariel.ArielSearchLite.toQueryParams(ArielSearchLite.java)
at com.q1labs.core.shared.ariel.ArielSearchLite.toQueryParams(ArielSearchLite.java)
at com.q1labs.core.shared.selectiveforwardingset.SelectiveForwardingSetCache.setQueryFilter(SelectiveForwardingSetCache.java)
at com.q1labs.core.shared.selectiveforwardingset.SelectiveForwardingSetCache.loadSearchForm(SelectiveForwardingSetCache.java)
at com.q1labs.core.shared.selectiveforwardingset.SelectiveForwardingSetCache.initializeSetCache(SelectiveForwardingSetCache.java)
   - locked java.lang.Object@35323b09
at com.q1labs.core.shared.selectiveforwardingset.SelectiveForwardingSetCache.onInit(SelectiveForwardingSetCache.java)
at com.q1labs.frameworks.naming.FrameworksNaming.initializeNewComponent(FrameworksNaming.java)
at com.q1labs.frameworks.naming.FrameworksNaming.getApplicationScopedComponent(FrameworksNaming.java)
   - locked com.q1labs.frameworks.naming.FrameworksNaming@1269d08c
at com.q1labs.frameworks.core.FrameworksContext.getSingletonInstance(FrameworksContext.java)
at com.q1labs.core.shared.selectiveforwardingset.SelectiveForwardingSetCache.getInstance(SelectiveForwardingSetCache.java)
   - locked java.lang.Object@d1bed3f
at com.q1labs.sem.selectiveforwarding.SelectiveForwardingCommunicator.onInit(SelectiveForwardingCommunicator.java)
at com.q1labs.frameworks.naming.FrameworksNaming.initializeNewComponent(FrameworksNaming.java)
at com.q1labs.frameworks.naming.FrameworksNaming.getApplicationScopedComponent(FrameworksNaming.java)
   - locked com.q1labs.frameworks.naming.FrameworksNaming@1269d08c
at com.q1labs.frameworks.core.FrameworksContext.getSingletonInstance(FrameworksContext.java)
31 July 2019
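As an added check for IJ18032 (example code, not part of the APAR or of QRadar itself), the following Python script reads saved threadTop.sh output and reports whether the ECS Runtime Thread shows the signature quoted above: parked in TIMED_WAITING inside ArielSearchLite.waitForArielClient while SelectiveForwardingSetCache initialises. The embedded samples are constructed: one is trimmed from the trace in the APAR, the other is an invented healthy collector whose single frame is not a real QRadar class.

```python
import re
import sys
from typing import Dict, List, Tuple

# Constructed sample: the threadTop.sh output quoted in IJ18032, trimmed to the frames
# that matter. The "- locked" annotation is kept to show that the parser ignores it.
AFFECTED_SAMPLE = """\
System Time: 31/07/2019 at 14:49:55.637
"ECS Runtime Thread" Id=67 in TIMED_WAITING (running in native)
at java.lang.Thread.sleep(Native Method)
at java.lang.Thread.sleep(Thread.java:942)
at com.q1labs.core.shared.ariel.ArielSearchLite.waitForArielClient(ArielSearchLite.java)
at com.q1labs.core.shared.ariel.ArielSearchLite.toQueryParams(ArielSearchLite.java)
at com.q1labs.core.shared.selectiveforwardingset.SelectiveForwardingSetCache.setQueryFilter(SelectiveForwardingSetCache.java)
at com.q1labs.core.shared.selectiveforwardingset.SelectiveForwardingSetCache.initializeSetCache(SelectiveForwardingSetCache.java)
   - locked java.lang.Object@35323b09
at com.q1labs.sem.selectiveforwarding.SelectiveForwardingCommunicator.onInit(SelectiveForwardingCommunicator.java)
"""

# Constructed counter-example: a collector whose runtime thread is busy doing work.
# The class in its single frame is invented for this sample; it is not a QRadar class.
HEALTHY_SAMPLE = """\
System Time: 31/07/2019 at 15:02:11.004
"ECS Runtime Thread" Id=67 in RUNNABLE
at example.invented.EventPipeline.process(EventPipeline.java)
"Some Other Thread" Id=12 in TIMED_WAITING (running in native)
at java.lang.Thread.sleep(Native Method)
"""

# Thread header as printed in the APAR; accepts straight or curly quotes around the name.
THREAD_HEADER = re.compile(
    r'^[\"\u201c](?P<name>[^\"\u201d]+)[\"\u201d]\s+Id=(?P<tid>\d+)\s+in\s+(?P<state>[A-Z_]+)'
)

# Frames that, together with the TIMED_WAITING state, make up the IJ18032 signature.
SIGNATURE_FRAMES = (
    "com.q1labs.core.shared.ariel.ArielSearchLite.waitForArielClient",
    "com.q1labs.core.shared.selectiveforwardingset.SelectiveForwardingSetCache",
)


def parse_threads(dump: str) -> Dict[str, Tuple[str, List[str]]]:
    """Map thread name -> (state, [frames]) from threadTop.sh-style output.

    Only lines beginning with "at " count as frames; lock annotations and the
    "System Time" banner are skipped.
    """
    threads: Dict[str, Tuple[str, List[str]]] = {}
    current = None
    for raw in dump.splitlines():
        line = raw.strip()
        header = THREAD_HEADER.match(line)
        if header:
            current = header.group("name")
            threads[current] = (header.group("state"), [])
        elif current is not None and line.startswith("at "):
            threads[current][1].append(line[3:])
    return threads


def ec_affected(dump: str) -> bool:
    """True when the ECS Runtime Thread is parked in TIMED_WAITING inside the
    selective-forwarding cache initialisation, i.e. the trace quoted in IJ18032."""
    entry = parse_threads(dump).get("ECS Runtime Thread")
    if entry is None:
        return False
    state, frames = entry
    if state != "TIMED_WAITING":
        return False
    return all(any(frame.startswith(sig) for frame in frames) for sig in SIGNATURE_FRAMES)


if __name__ == "__main__":
    # Usage: /opt/qradar/support/threadTop.sh -p 7777 -e "ECS Runtime" -s -n 20 | python3 check_ec.py
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else sys.stdin.read()
    print("AFFECTED: matches IJ18032 signature" if ec_affected(text) else "no IJ18032 signature found")
```

Pipe the live threadTop.sh output into the script, or pass a saved copy as the first argument; a collector whose runtime thread is in any other state, or waiting somewhere other than the selective-forwarding cache, is reported as not matching.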
RULES IJ17858 RULE TEST 'WHEN ANY OF THESE EVENT PROPERTIES ARE CONTAINED IN ANY OF THESE REFERENCE SET(S)' CAN PRODUCE FALSE POSITIVE/NEGATIVE OPEN It has been identified that QRadar does not enforce proper validation for the 'when any of these event properties are contained in any of these reference set(s)' Custom Rule Engine (CRE) test. This issue can cause false positive or negative rule results.

Validation fields:
- Custom Properties can include alphanumeric, numeric, IP, port, or DateTime values
- Reference sets can include alphanumeric, case-insensitive alphanumeric, numeric, IP, or port values

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[ecs-ep.ecs-ep] [CRE Processor [5]] com.q1labs.semsources.cre.CustomRule: [ERROR][127.0.0.1/- -] Exception in test: Failed to test
[ecs-ep.ecs-ep] [CRE Processor [5]] com.q1labs.jstl.base.exceptions.TestFailedException: Failed to test
[ecs-ep.ecs-ep] [CRE Processor [5]] at com.q1labs.semsources.cre.tests.ReferenceSetTest.test(ReferenceSetTest.java)
[ecs-ep.ecs-ep] [CRE Processor [5]] at com.q1labs.semsources.cre.tests.ReferenceSetTest.test(ReferenceSetTest.java)
[ecs-ep.ecs-ep] [CRE Processor [5]] at com.q1labs.semsources.cre.gen.TestExecutor_1_6.test(TestExecutor_1_6.java)
[ecs-ep.ecs-ep] [CRE Processor [5]] at com.q1labs.semsources.cre.CustomRule.test(CustomRule.java)
[ecs-ep.ecs-ep] [CRE Processor [5]] at com.q1labs.semsources.cre.CustomRuleSetExecutor.testRule(CustomRuleSetExecutor.java)
[ecs-ep.ecs-ep] [CRE Processor [5]] Caused by: com.q1labs.frameworks.exceptions.CIDRNetworkException: Failed to parse IP address: CUSTOM_PROPERTY_VALUE
[ecs-ep.ecs-ep] [CRE Processor [5]] at com.q1labs.core.dao.util.Host.parseIPAddress(Host.java:207)
[ecs-ep.ecs-ep] [CRE Processor [5]] at com.q1labs.core.dao.util.Host.fromString(Host.java:56)
[ecs-ep.ecs-ep] [CRE Processor [5]] at com.q1labs.core.types.HostKeySerializer.keyFromString(HostKeySerializer.java:52)
[ecs-ep.ecs-ep] [CRE Processor [5]] Caused by: java.lang.NumberFormatException: For input string: "CUSTOM_PROPERTY_VALUE"
[ecs-ep.ecs-ep] [CRE Processor [5]] at java.lang.NumberFormatException.forInputString(NumberFormatException.java)
30 July 2019
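As an added example for IJ17858 (example code, not from the APAR or from QRadar), the following Python does the type validation that the CRE test does not: it parses custom property sample values the way a reference set of a given element type would store them, lists the values a rule test could not compare, and counts the offending values behind "Failed to parse IP address" lines in a qradar.log excerpt. The element type names follow the QRadar reference data API (ALN, ALNIC, NUM, IP, PORT); the log excerpt and the sample values are constructed, with invented hostnames.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Union

# Element types as named by the QRadar reference data API; the test in IJ17858 lists
# these five (DATE sets exist as well but are not part of the APAR).
ELEMENT_TYPES = ("ALN", "ALNIC", "NUM", "IP", "PORT")

Parsed = Union[str, float, int, ipaddress.IPv4Address, ipaddress.IPv6Address]


def coerce(value: str, element_type: str) -> Optional[Parsed]:
    """Parse a custom property value as a reference set of element_type would store it.

    Returns None when the value cannot be represented in that set, which is the case
    the CRE test in IJ17858 does not catch before comparing.
    """
    if element_type not in ELEMENT_TYPES:
        raise ValueError(f"unknown element_type {element_type!r}")
    value = value.strip()
    if element_type == "IP":
        try:
            return ipaddress.ip_address(value)
        except ValueError:
            return None
    if element_type == "PORT":
        if not value.isdigit():
            return None
        port = int(value)
        return port if 0 <= port <= 65535 else None
    if element_type == "NUM":
        try:
            return float(value)
        except ValueError:
            return None
    if element_type == "ALNIC":
        return value.lower()
    return value  # ALN keeps the value as-is


def find_type_mismatches(samples: Iterable[str], element_type: str) -> List[str]:
    """Sample property values that a rule test against a set of element_type could not compare."""
    return [s for s in samples if coerce(s, element_type) is None]


# The "Caused by" line quoted in the APAR, matched after wrapped log text is re-joined.
PARSE_FAILURE = re.compile(r"CIDRNetworkException: Failed to parse IP address: (?P<value>\S+)")


def offending_values(log_text: str) -> Dict[str, int]:
    """Count the property values behind 'Failed to parse IP address' errors in qradar.log."""
    flat = " ".join(log_text.split())  # re-join lines that the APAR (or a pager) wrapped
    return dict(Counter(m.group("value") for m in PARSE_FAILURE.finditer(flat)))


# Constructed qradar.log excerpt modelled on the APAR's trace; hostnames are invented.
SAMPLE_LOG = """\
[ecs-ep.ecs-ep] [CRE Processor [5]] com.q1labs.semsources.cre.CustomRule: [ERROR][127.0.0.1/- -] Exception in test: Failed to test
[ecs-ep.ecs-ep] [CRE Processor [5]] Caused by: com.q1labs.frameworks.exceptions.CIDRNetworkException: Failed
to parse IP address: workstation-07
[ecs-ep.ecs-ep] [CRE Processor [2]] Caused by: com.q1labs.frameworks.exceptions.CIDRNetworkException: Failed to parse IP address: workstation-07
[ecs-ep.ecs-ep] [CRE Processor [5]] Caused by: com.q1labs.frameworks.exceptions.CIDRNetworkException: Failed to parse IP address: n/a
"""

# Constructed sample values of a custom property that a rule compares with an IP reference set.
SAMPLE_VALUES = ["10.0.0.5", "workstation-07", "fe80::1", "n/a", "172.16.4.20"]


if __name__ == "__main__":
    print("values an IP set cannot hold:", find_type_mismatches(SAMPLE_VALUES, "IP"))
    print("values failing in qradar.log:", offending_values(SAMPLE_LOG))
```

Run find_type_mismatches over a sample of the property's real values (for instance, exported from a Log Activity search) with the element type of the reference set the rule targets; any value it returns is one that the rule test would raise the exception on instead of evaluating, which is how the false positive or negative arises.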
CHECK POINT SMS HTTPS ADAPTER IJ16155 CHECK POINT HTTPS ADAPTER DOES NOT CLOSE THE API SESSION AFTER A BACKUP COMPLETES CLOSED Resolved in QRadar Risk Manager (QRM) adapters.bundle-2019.06-17062537 on IBM Fix Central.
To read adapter installation documentation, see: Installing Adapters.

It has been identified that the Check Point HTTPS adapter does not close the API session after a backup. When this occurs, sessions persist in the Check Point Smart Console user interface Sessions screen.
15 May 2019
CHECK POINT SMS HTTPS ADAPTER IJ13247 CHECK POINT HTTPS DEVICE CAN FAIL TO BACKUP WHEN INTERFACES HAVE NO IP ADDRESS CLOSED Resolved in QRadar Risk Manager (QRM) adapters.bundle-2019.06-17062537 on IBM Fix Central.
To read adapter installation documentation, see: Installing Adapters.

It has been identified that a Check Point HTTPS device backup fails if the device has interfaces without an IP address. The Device Backup log will contain the error message:
Error backing up device [Failed to parse interfaces for device [null]
FAILED : Failed to backup device

The Backup Error Detail will contain the error message:
Status:PARSE_WARNING
11 February 2019
F5 BIG-IP ADAPTER IJ10820 RISK MANAGER BACKUP FAILS FOR F5 ADAPTER WHEN THERE IS A LARGE LIST OF HOTFIXES CLOSED Resolved in QRadar Risk Manager (QRM) adapters.bundle-2019.06-17062537 on IBM Fix Central.
To read adapter installation documentation, see: Installing Adapters.

It has been identified that the backup function for an F5 adapter can fail when there is a large list of hotfixes and a subsequent timeout occurs:
2018-10-24 15:07:19 [ZipTie::SSH] ERROR: UNEXPECTED_RESPONSE encountered on the device '127.0.0.1'
2018-10-24 15:07:19 [ZipTie::SSH] [RESPONSE FROM THE DEVICE]
2018-10-24 15:07:19 [ZipTie::SSH] Timed-out after 300 seconds (Started waiting at: Wed Oct 24 15:02:16 2018 -- Ended waiting at: Wed Oct 24 15:07:17 2018 -- Command took 301 seconds) while waiting to match the regular expression '\@\(xxxxxxxxxxx\)\(cfg\-sync\ Standalone\)\(Active\)\(\/Common\)\(tmos\)\#'.
31 October 2018
JUNIPER JUNOS ADAPTER IJ12258 JUNIPER JUNOS BACKUP FAILS WHEN USING BORDER GATEWAY PROTOCOL (BGP) CLOSED Resolved in QRadar Risk Manager (QRM) adapters.bundle-2019.06-17062537 on IBM Fix Central.
To read adapter installation documentation, see: Installing Adapters.

It has been identified that a Juniper JUNOS device backup can time out if the device uses Border Gateway Protocol (BGP) and a large number of BGP routes are present.
21 December 2018
CISCO IOS ADAPTER IJ10888 BACKUP OF AN IOS DEVICE CAN FAIL WITH 'JAVA.LANG.EXCEPTION: NOT A HASH REFERENCE...' ERROR CLOSED Resolved in QRadar Risk Manager (QRM) adapters.bundle-2019.06-17062537 on IBM Fix Central.
To read adapter installation documentation, see: Installing Adapters.

It has been identified that the backup of an IOS device can fail with a "java.lang.Exception: Not a HASH reference at Parsers.pm line " error. Messages similar to the following might be visible in QRadar logs:
java.lang.Exception: Not a HASH reference at /usr/share/ziptie-server/adapters/ziptie.adapters.cisco.ios_2018.10.19110827/scripts/ZipTie/Adapters/Cisco/IOS/Parsers.pm line 2453.
at org.ziptie.server.job.AbstractAdapterTask.execute(AbstractAdapterTask.java)
at org.ziptie.server.dispatcher.Operation.execute(Operation.java)
at org.ziptie.server.dispatcher.OperationExecutor$JobThread.runJob(OperationExecutor.java)
at org.ziptie.server.dispatcher.OperationExecutor$JobThread.run(OperationExecutor.java)
Caused by: javax.xml.ws.soap.SOAPFaultException: Not a HASH reference at /usr/share/ziptie-server/adapters/ziptie.adapters.cisco.ios_2018.10.19110827/scripts/ZipTie/Adapters/Cisco/IOS/Parsers.pm line 2453.
at com.sun.xml.ws.fault.SOAP11Fault.getProtocolException(SOAP11Fault.java)
at com.sun.xml.ws.fault.SOAPFaultBuilder.createException(SOAPFaultBuilder.java)
31 October 2018
CISCO IOS ADAPTER IJ15701 BACKUP OF CISCO IOS DEVICE CAN FAIL WITH ERROR: "CAN'T USE STRING ("0") AS AN ARRAY REF WHILE 'STRICT REFS' IN USE" CLOSED Resolved in QRadar Risk Manager (QRM) adapters.bundle-2019.06-17062537 on IBM Fix Central.
To read adapter installation documentation, see: Installing Adapters.

It has been identified that backup of Cisco IOS devices can fail with the error message: Can't use string ("0") as an ARRAY ref while "strict refs" in use. This occurs when a NAT source list references an Access Control List that does not exist. For example:
java.lang.Exception: Can't use string ("0") as an ARRAY ref while "strict refs" in use at /usr/share/ziptie-server/core/org.ziptie.adapters.common_2018.10_03-19110827/scripts/ZipTie/Model/AddressTranslation.pm line 236.
at org.ziptie.server.job.AbstractAdapterTask.execute(AbstractAdapterTask.java)
at org.ziptie.server.dispatcher.Operation.execute(Operation.java)
at org.ziptie.server.dispatcher.OperationExecutor$JobThread.runJob(OperationExecutor.java)
at org.ziptie.server.dispatcher.OperationExecutor$JobThread.run(OperationExecutor.java)
Caused by: javax.xml.ws.soap.SOAPFaultException: Can't use string ("0") as an ARRAY ref while "strict refs" in use at /usr/share/ziptie-server/core/org.ziptie.adapters.common_2018.10_03-19110827/scripts/ZipTie/Model/AddressTranslation.pm line 236
25 April 2019
CISCO IOS ADAPTER IJ15703 CISCO IOS DEVICE BACKUP CAN TIMEOUT WHEN THE DEVICE USES BGP AND A LARGE NUMBER OF BGP ROUTES ARE PRESENT CLOSED Resolved in QRadar Risk Manager (QRM) adapters.bundle-2019.06-17062537 on IBM Fix Central.
To read adapter installation documentation, see: Installing Adapters.

It has been identified that a Cisco IOS device backup can time out if the device uses BGP and a large number of BGP routes are present.
25 April 2019
CHECK POINT SMS HTTPS ADAPTER IJ15495 BACKUP OF CHECK POINT HTTPS DEVICE CAN FAIL WITH MESSAGE 'CAN'T USE AN UNDEFINED VALUE AS AN ARRAY REFERENCE' CLOSED Resolved in QRadar Risk Manager (QRM) adapters.bundle-2019.06-17062537 on IBM Fix Central.
To read adapter installation documentation, see: Installing Adapters.

It has been identified that a Check Point HTTPS device backup can fail with an error similar to:
java.lang.Exception: Can't use an undefined value as an ARRAY reference at /usr/share/ziptie-server/adapters/ziptie.adapters.checkpoint.https_2018.10.19110827/scripts/ZipTie/Adapters/CheckPoint/HTTPS/Utils.pm line 138.
at org.ziptie.server.job.AbstractAdapterTask.execute(AbstractAdapterTask.java)
at org.ziptie.server.dispatcher.Operation.execute(Operation.java)
at org.ziptie.server.dispatcher.OperationExecutor$JobThread.runJob(OperationExecutor.java)
at org.ziptie.server.dispatcher.OperationExecutor$JobThread.run(OperationExecutor.java)
Caused by: javax.xml.ws.soap.SOAPFaultException: Can't use an undefined value as an ARRAY reference at /usr/share/ziptie-server/adapters/ziptie.adapters.checkpoint.https_2018.10.19110827/scripts/ZipTie/Adapters/CheckPoint/HTTPS/Utils.pm line 138.
at com.sun.xml.ws.fault.SOAP11Fault.getProtocolException(SOAP11Fault.java)
at com.sun.xml.ws.fault.SOAPFaultBuilder.createException(SOAPFaultBuilder.java)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java)
at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java)
at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java)
at com.sun.proxy.$Proxy83.backup(Unknown Source)
at org.ziptie.server.job.backup.BackupTask.performTask(BackupTask.java)
at org.ziptie.server.job.AbstractAdapterTask.execute(AbstractAdapterTask.java)
16 April 2019
CHECK POINT SMS HTTPS ADAPTER IJ13701 CHECK POINT CLUSTERXL DEVICE IS UNABLE TO BACKUP SUCCESSFULLY WHEN IT HAS NO CLUSTER IP CONFIGURED CLOSED Resolved in QRadar Risk Manager (QRM) adapters.bundle-2019.06-17062537 on IBM Fix Central.
To read adapter installation documentation, see: Installing Adapters.

It has been identified in QRadar Risk Manager that a Check Point ClusterXL device discovered from the Check Point SMS with the Check Point HTTPS adapter fails to back up when the backup runs against a cluster IP that is not assigned to a valid interface.
21 February 2019
JUNIPER JUNOS ADAPTER IJ10745 JUNOS DEVICES WITH DHCP CONFIGURED DO NOT SUCCESSFULLY MERGE INTO THE RISK MANAGER TOPOLOGY CLOSED Resolved in QRadar Risk Manager (QRM) adapters.bundle-2019.06-17062537 on IBM Fix Central.
To read adapter installation documentation, see: Installing Adapters.

It has been identified that Juniper JUNOS devices with DHCP configured interfaces do not merge into the Risk Manager topology successfully. When this occurs the logs contain "PARSE_WARNING / No interfaces with assigned IP addresses were found".
24 October 2018
CHECK POINT SMS HTTPS ADAPTER IJ13703 CHECK POINT HTTPS ADAPTER UNABLE TO BACKUP A DEVICE WITHOUT SUPER USER PERMISSIONS CLOSED Resolved in QRadar Risk Manager (QRM) adapters.bundle-2019.06-17062537 on IBM Fix Central.
To read adapter installation documentation, see: Installing Adapters.

Workaround: Assign the user to the Super User permissions profile to complete a device configuration backup.

It has been identified that the Check Point HTTPS adapter in QRadar Risk Manager fails to back up a device if the SMS is running R80.10 or later and the user's permissions profile is not Super User.
27 February 2019
SEARCH IJ07013 COMPLETED SCANS OF ASSETS WITHIN QRADAR CAN AFFECT QRADAR'S SEARCH RESULTS OF THOSE ASSETS OPEN: Reported in multiple QRadar versions No workaround available. It has been identified that after assets have been scanned, subsequent searches of those assets can return incorrect/unexpected results.

Pre-conditions
Discovery, full, patch and web scans have been run against the same target (asset) and the Assets tab has been populated.

Example of steps that replicate this issue
  1. Navigate to the Assets tab.
  2. Click Search > New Search.
  3. Select 'Assets With Operating Systems', 'Does not equal' and input the OS of the target. (eg. Windows 7)
  4. Click Add Filter.
  5. Click Search.

Results
  • Expected: No Windows 7 Assets should be returned.
  • Actual: Windows 7 results are returned in the search.
12 June 2018
FORWARDED EVENTS / ROUTING RULES IV84190 EVENT/FLOW FORWARDING USING ENCRYPTED OFFSITE SOURCE AND TARGET CAN NOT BE ACCOMPLISHED SUCCESSFULLY OPEN: Reported in multiple QRadar versions Workaround: Where possible, do not use the encryption option for offsite source and target event/flow forwarding until this issue is corrected.

Forwarding normalized events and flows using encrypted offsite sources and targets cannot be configured successfully to an event collector on a managed host. The initial configuration succeeds in the User Interface, but during the required Deploy Changes step after configuration the authorized_keys file in /root/.ssh is overwritten without the offsite source's keys.
28 April 2016
ADVANCED SEARCH (AQL) IJ16182 AN ADVANCED SEARCH (AQL) CONTAINING 'LOGSOURCETYPENAME' CALLED ON AN INVALID LOGSOURCEID CREATES REPEATED LOGGING ERRORS OPEN: Reported as an issue in QRadar 7.3.1 Patch 7 Workaround: Function accepts the devicetype as a parameter, so use LOGSOURCETYPENAME(devicetype)

It has been identified that if an Advanced Search (AQL) uses the function LOGSOURCETYPENAME() with an invalid parameter (logsourceid), it should return "{unknown:no sensor device type xxxx}" but instead throws an error for each event. For example:
SELECT UTF8(payload) as RawLog FROM events WHERE LOGSOURCETYPENAME(logsourceid) IMATCHES 'Cisco adaptive security appliance.*?' LAST 3 DAYS

Repeated errors for "Error fetching name of sensor device type for id XXX" are logged in /var/log/qradar.error and qradar.log. This behavior can potentially cause /var/log to be filled quickly.
16 May 2019
USER INTERFACE / AUTO UPDATE IJ15646 QRADAR USER INTERFACE CAN BECOME UNRESPONSIVE DUE TO A SERVICE PASSWORD AUTHENTICATION FAILURE OPEN: Reported as an issue in QRadar 7.3.1 Patch 7 Contact Support for a possible workaround that might address this issue in some instances.

It has been identified that the QRadar User Interface can sometimes become unresponsive after an auto update has completed. Messages similar to the following might be visible in the Tomcat catalina logs when this issue occurs:
SEVERE [localhost-startStop-1] org.apache.tomcat.util.digester.Digester.startElement 
Begin event threw exception java.lang.reflect.InvocationTargetException
Caused by: java.lang.ExceptionInInitializerError
at com.ibm.si.mks.MasterKeyStore$MasterKeyStoreHolder.(MasterKeyStore.java:34)
Caused by: com.ibm.si.mks.KeyStoreException: Failed to initialize keystore
13 May 2019
API / LOG SOURCE IJ15494 BULK EDITING/ADDING/DELETING A LARGE NUMBER OF LOG SOURCES CAN GENERATE A JVM EXCEPTION IN QRADAR LOGGING OPEN: Reported as an issue in QRadar 7.3.2 versions No workaround available.

It has been identified that when performing a bulk edit (including an add or delete) on a large number of Log Sources using the API or the Log Source Management app, a message similar to the following can sometimes be generated in /var/log/qradar.log:
tomcat[20763]: 05-Feb-2019 19:58:57.275 WARNING [ServerHostServices_PersisterTimer] com.sun.messaging.jmq.jmsclient.ExceptionHandler.logCaughtException [I500]: Caught JVM Exception: com.sun.messaging.jms.JMSException: [ADD_PRODUCER_REPLY(19)] [C4036]: A broker error occurred. :[409] [B4183]: Producer can not be added to destination objectChangeNotifications2 [Topic], limit of 100 producers would be exceeded user=qradar, broker=127.0.0.1:7676(7677)
28 May 2019
ADVANCED SEARCH (AQL) IJ15467 AQL OUTPUT IS INCORRECT WHEN USING SOURCEASSETNAME FILTER BASED ON PAYLOAD OPEN: Reported as an issue in QRadar 7.3.2 versions No workaround available.

It has been identified that performing an AQL search that contains the 'sourceassetname' filter based on payload generates incorrect AQL output when the Show AQL button output is pasted into Advanced Search.
15 April 2019
QRADAR DEPLOYMENT INTELLIGENCE (QDI) IJ15357 QDI APP CAN REPORT INCORRECT STATE OF QVM SCANNERS OPEN: Reported as an issue in QRadar 7.3.1 versions No workaround available.

It has been identified that in some instances, the QRadar Deployment Intelligence (QDI) App can report the incorrect state of QRadar Vulnerability Manager (QVM) Scanners.
15 April 2019
DEVICE BACKUP / RISK MANAGER IJ15260 RISK MANAGER CAN STALL/HANG ON THE BACKUP OF A DEVICE WITH A FIREWALL_DEVICE_CONFIG THAT HAS A HIGH ROW COUNT CLOSED Resolved in QRadar 7.3.2 Patch 4 (7.3.2.20190803012943)

It has been identified that performing a QRadar Risk Manager (QRM) backup on devices with a very high row count in firewall_device_config can cause QRM to stall/hang.
05 April 2019
ASSETS IJ15248 'TECHNICAL OWNER' AND 'TECHNICAL USER' FIELDS ARE NOT POPULATED IN THE ASSET SUMMARY IN SOME INSTANCES OPEN: Reported as an issue in QRadar 7.3.1 Patch 6 IF02 No workaround available.

It has been identified that the 'Technical Owner' and 'Technical User' fields are not populated in the Asset Summary when the saved search used in the Vulnerability Assignment tab is not shared with everyone (compare the two results below). For example:
  1. Assets tab, with assets populated.
  2. Search -> New Search -> select "Search Parameters" Asset ID Equals one asset (eg. 1003) -> Search.
  3. Save Criteria -> Enter the name of this search "Search1", check "include in my Quick Searches", DO NOT check share with everyone -> OK.
  4. Search -> New Search ->select "Search Parameters" Asset ID Equals one asset (eg. 1004) -> Search
  5. Save Criteria -> Enter the name of this search "Search2", check BOTH "include in my Quick Searches", and "share with everyone" -> OK
  6. Vulnerabilities tab -> Vulnerability Assignment
  7. Add -> Enter Name (eg. Vuln1) and Email (valid email address), check "Asset Search" and select "Search1" in the Asset Search drop down menu -> Save.
  8. Add -> Enter Name (eg. Vuln2) and Email (valid email address), check "Asset Search" and select "Search2" in the Asset Search drop down menu -> Save.
  9. Schedule -> update owner information every 1 hour -> Update Now -> Save.


Results
  1. Click Asset 1003 -> 'Technical Owner' and 'Technical User' are NOT populated in the asset summary.
  2. Click Asset 1004 -> 'Technical Owner' and 'Technical User' are populated in the asset summary.
05 April 2019
DEPLOYMENT VIEW IJ15210 QRADAR NETWORK INSIGHTS COMPONENTS CAN BE MISSING CONNECTION ARROWS TO ITS FLOW PROCESSOR COMPONENT OPEN: Reported as an issue in QRadar 7.3.1 Patch 6 IF02 No workaround available.

It has been identified that when viewing QRadar Network Insights (QNI) appliance in the Deployment View, the connection arrow is missing from the QNI appliance to the corresponding Flow Processor.
15 May 2019
OPERATIONS APP IJ14479 OPERATIONS APP ERROR "FAILED TO LOAD THE FOLLOWING DATA" FOR EVENT AND FLOW GRAPH OPEN: Reported as an issue in QRadar 7.3.1 Patch 6 IF02 No workaround available.

It has been identified that in some instances the Event and Flow graph can display an error similar to: "Failed to load the following data EPS". Subsequent attempts to reload the data in the graph area can sometimes correct this issue.
15 May 2019
FLOW INSPECTOR IJ13359 QRADAR NETWORK INSIGHTS (QNI) DECAPPER 'OUT OF MEMORY' INSTANCES CAUSED BY SMB INSPECTOR OPEN: Reported as an issue in QRadar 7.3.1 Patch 6 IF02 No workaround available.

It has been identified that the SMB inspector QRadar Network Insights (QNI) component can cause QNI decapper service Out of Memory instances and a coredump file to be generated in /store/jheap on the QNI appliance. QNI cannot process flow traffic as expected while the decapper service is not running.
28 May 2019
FLOW INSPECTOR IJ13358 QRADAR NETWORK INSIGHTS (QNI) DECAPPER 'OUT OF MEMORY' INSTANCES CAUSED BY HTTP INSPECTOR OPEN: Reported as an issue in QRadar 7.3.1 Patch 6 IF02 No workaround available.

It has been identified that the HTTP inspector QRadar Network Insights (QNI) component can cause QNI decapper service Out of Memory instances and a coredump file to be generated in /store/jheap on the QNI appliance. QNI cannot process flow traffic as expected while the decapper service is not running.
28 May 2019
LICENSE IJ13317 LICENSE POOL MANAGEMENT CAN DISPLAY "N/A" FOR THE EPS RATE FOR SOME HOSTS WITH A NULL POINTER EXCEPTION IN THE LOGS OPEN: Reported as an issue in QRadar 7.3.1 Patch 6 No workaround available.

It has been identified that in some instances the EPS rate for a host can display as "N/A" in the License Pool Management window. This has most often been observed with High Availability hosts. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs. Note that the GV number can vary between log instances:
[hostcontext.hostcontext][xxx-xxx-xxx-xxx/SequentialEventDispatcher]
com.q1labs.hostcontext.licensing.LicenseMonitor: 
[INFO][-/- -]Following message suppressed 1 times in 300000 milliseconds
[hostcontext.hostcontext][xxx-xxx-xxx-xxx/SequentialEventDispatcher]
com.q1labs.hostcontext.licensing.LicenseMonitor: 
[ERROR][-/- -]Cannot retrieve data for GV_10023_HOURLY 
02 May 2019
SEARCH / USER INTERFACE IJ13245 UNABLE TO SAVE A SEARCH AFTER TRIED WITH BLANK IN NAME FIELD ON THE LOG ACTIVITY PAGE OPEN: Reported as an issue in QRadar 7.3.2 Workaround: Close the dialog box and click on "Save Criteria" again.

It has been identified that the ability to save a search with a name is not immediately possible if the "Save" button has been clicked with a blank name field first. For example:
  1. Go to the Log Activity tab.
  2. Select last 5 minutes search and click save criteria, do not input any name.
  3. A message "Please enter a name for the saved search" appears. However, it is then not possible to save, because the Save button has been disabled and replaced with a Saving button in the user interface.
02 May 2019
AUDIT EVENTS IJ13147 NOT ALL APPLIANCE LOGIN ATTEMPTS ARE LOGGED/AUDITED THE SAME WAY WITHIN QRADAR OPEN: Reported as an issue in QRadar 7.3.1 Patch 5 Not all login attempts (success or failure) to a QRadar appliance are logged the same way in the QRadar User Interface when logging in by SSH or through the IMM. For example:

  1. Log in successfully using SSH. The login appears in the secure log and a "User Login" event appears in the UI.
  2. Fail a login using SSH. A "Failed Login Attempt" event appears in the UI.
  3. Log in successfully using the IMM. The login attempt is recorded and a "User Login" event appears in the UI.
  4. Fail a login using the IMM. The failed attempt appears in the secure log, but no event appears in the UI.
13 May 2019
X-FORCE ACCESS IJ13125 XFORCE PROXY SETTINGS ARE NOT RETAINED DURING QRADAR PATCHING OPEN: Reported as an issue in QRadar 7.3.1 Patch 6 If X-Force feeds cannot update successfully after applying a QRadar patch when proxy settings are required, verify the proxy settings are still present: QRadar X-Force FAQ: How to Configure X-Force Feeds with Proxy Servers.

It has been identified that X-Force proxy settings configured in QRadar are sometimes not preserved after applying a QRadar patch.
31 January 2019
ACCESS / AD AUTHENTICATION IJ17937 LOGIN ACCESS TO QRADAR CAN BE RESTRICTED FROM LDAP/AD ENVIRONMENTS DUE TO DIFFERENCES IN DOMAIN REALMS CLOSED Resolved in QRadar 7.3.2 Patch 4 (7.3.2.20190803012943)

To workaround this authentication issue, administrators can open the Admin tab, click the Authentication icon and edit the Domain input field in the Active Directory Authentication Module to use upper case letters.

It has been identified that LDAP user authentication for logging in to QRadar can fail after updating to QRadar 7.3.2 Patch 3, due to a change in how QRadar handles AD authentication when the domain name of the QRadar host does not match the domain name of the Active Directory (AD) server. The login failure can occur when realms other than the QRadar host's domain are configured: the Key Distribution Center (KDC) reports that the client name does not match. This can occur when more than one entry exists under [realms] in the /opt/qradar/conf/krb5.conf file.
30 July 2019
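As an added check for IJ17937 (example code, not from the APAR or from QRadar), the following Python script reads a krb5.conf, lists the realms declared under [realms], and reports whether the Domain typed into the Active Directory Authentication Module matches one of them exactly or only after upper-casing; Kerberos realm names are case-sensitive, which is why the APAR's workaround is an upper-case Domain value. The embedded krb5.conf is constructed, with invented realm and host names; on a Console the file to read is the one the APAR names under /opt/qradar/conf.

```python
import re
import sys
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed krb5.conf with two realms, the situation IJ17937 describes.
# Realm names and hostnames are invented.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = CORP.EXAMPLE.COM
 dns_lookup_kdc = false

[realms]
 CORP.EXAMPLE.COM = {
  kdc = dc1.corp.example.com
  admin_server = dc1.corp.example.com
 }
 LAB.EXAMPLE.COM = {
  kdc = dc1.lab.example.com
 }

[domain_realm]
 .corp.example.com = CORP.EXAMPLE.COM
 .lab.example.com = LAB.EXAMPLE.COM
"""

SECTION = re.compile(r"^\s*\[(?P<name>[A-Za-z_]+)\]\s*$")
REALM_OPEN = re.compile(r"^\s*(?P<realm>[^\s=]+)\s*=\s*\{")
DEFAULT_REALM = re.compile(r"^\s*default_realm\s*=\s*(?P<realm>\S+)")


def _sections(text: str) -> Iterator[Tuple[Optional[str], str]]:
    """Yield (enclosing section name, line) for every non-header line of a krb5.conf."""
    section: Optional[str] = None
    for line in text.splitlines():
        m = SECTION.match(line)
        if m:
            section = m.group("name")
            continue
        yield section, line


def parse_realms(krb5_text: str) -> List[str]:
    """Realm names declared in [realms], in file order, case preserved (realms are case-sensitive)."""
    realms: List[str] = []
    for section, line in _sections(krb5_text):
        if section == "realms":
            m = REALM_OPEN.match(line)
            if m:
                realms.append(m.group("realm"))
    return realms


def default_realm(krb5_text: str) -> Optional[str]:
    """The default_realm from [libdefaults], or None if not set."""
    for section, line in _sections(krb5_text):
        if section == "libdefaults":
            m = DEFAULT_REALM.match(line)
            if m:
                return m.group("realm")
    return None


def check_domain(krb5_text: str, configured_domain: str) -> Dict[str, object]:
    """Compare the Domain typed into the AD authentication module with the realms in krb5.conf.

    Flags the two conditions IJ17937 names: more than one realm, and a Domain value that
    matches a realm only once upper-cased (the APAR's workaround is to upper-case it).
    """
    realms = parse_realms(krb5_text)
    upper = configured_domain.upper()
    exact = configured_domain in realms
    return {
        "realms": realms,
        "default_realm": default_realm(krb5_text),
        "multiple_realms": len(realms) > 1,
        "matches_exactly": exact,
        "matches_upper_cased": upper in realms,
        "suggested_domain": upper if (upper in realms and not exact) else None,
    }


if __name__ == "__main__":
    # Usage: python3 check_realms.py /opt/qradar/conf/krb5.conf corp.example.com
    conf = open(sys.argv[1]).read() if len(sys.argv) > 2 else SAMPLE_KRB5_CONF
    domain = sys.argv[2] if len(sys.argv) > 2 else "corp.example.com"
    for key, value in check_domain(conf, domain).items():
        print(f"{key}: {value}")
```

A result with multiple_realms true and suggested_domain set is the configuration the APAR describes; entering the suggested upper-case value in the Domain field is the workaround given above, and Patch 4 removes the need for it.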
GEOGRAPHIC DATA IJ11947 GEOGRAPHIC LOCATION IS USING IPV4 ADDRESS WHEN CONFIGURED IN RULES INSTEAD OF THE IPV6 ADDRESS OPEN: Reported as an issue in QRadar 7.3.1 Patch 6 No workaround available.

It has been identified that only IPv4 addresses are queried for source/destination geographic location in NormalizedEventProperties.java. This can cause QRadar rules to use the geographic location of the IPv4 address instead of the location of the expected IPv6 source address. For example:
  1. Receive events whose logs contain both a source IP and a source IPv6 address, where the source IP is in a different country from the source IPv6 address.
  2. Create a search, adding the source geographic location column.
  3. The source geographic location should take the source IPv6 address's country by default, but it takes the source IP's country instead.
13 December 2018
LOG MESSAGES IJ12221 ARIELUTILS.JAVA REPEATEDLY WRITING UNNECESSARILY TO LOG FILES IN /VAR/LOG/ OPEN Workaround
This logging can be disabled using the mod_log4j.pl via SSH to the Console:
  1. Run /opt/qradar/support/mod_log4j.pl
  2. Enter 3 for Advanced Menu
  3. Enter 2 for 'Add a new logger'
  4. Paste the class path: com.q1labs.core.shared.ariel.ArielUtils
  5. Enter 4 for 'OFF'
  6. Enter * for 'All of the above'
  7. Press Enter
  8. Type CQ for 'Commit changes and quit this program'

It has been identified that ArielUtils.java can repeatedly write unnecessary messages similar to the following to /var/log/qradar.error and qradar.log:
[ecs-ep.ecs-ep][xxxxxxx-xxxx/SequentialEventDispatcher] com.q1labs.core.shared.ariel.ArielUtils$UnknownPropertyException: 
No property 'Account Locked Out Security ID' exists in set:
ACF2 rule key
APIContextPath
APIMethod...
09 January 2019
DEPLOY CHANGES IJ15655 DEPLOY FUNCTION CAN TIMEOUT WHEN OLDER .JAR FILES ARE BEING CLEANED UP IN SOME DIRECTORIES CLOSED This issue was addressed in the following JDBC RPM Releases:
  • PROTOCOL-JDBC-7.2-20190411081232.noarch.rpm
  • PROTOCOL-JDBC-7.3-20190411121241.noarch.rpm

It has been identified that in some instances, older .jar files can be referenced when left behind in some QRadar appliance directories. When cleanup of these old jars occurs, the Deploy function can sometimes timeout. To resolve this issue, QRadar administrators can run an auto update from Admin > Auto Update> Get updates now or review the latest available versions from IBM Fix Central to install on your QRadar Console using yum -y install {rpmname}.
09 January 2019
USER INTERFACE / RULES IJ12219 "PARSE ERROR ...SYNTAXERROR: UNDETERMINED STRING LITERAL" WHEN LOADING RULE GROUPS IN THE LOG ACTIVITY TAB OPEN: Reported in QRadar 7.3.0 Patch 6 and later No workaround available.

It has been identified that in the Log Activity tab, adding the filter 'Custom Rule' equals a rule group can cause a parse error in the user interface, and a message similar to the following can sometimes be generated:
Parse Error 
The following error occurred while parsing the server response: {0}
SyntaxError: unterminated string literal
09 January 2019
DEVICE SUPPORT MODULE (DSM) IJ12129 EVENTID=4776 DOES NOT UPDATE THE CORRECT ASSET WITH THE IDENTITY INFORMATION CONTAINED IN THE EVENT OPEN: Reported in QRadar 7.3.1 versions It has been identified that the Windows DSM does not update the correct asset with the identity information contained in Windows EventID=4776. The OriginatingComputer field is used instead of the Source Workstation field. Populating the asset from OriginatingComputer is incorrect, because it is the Source Workstation's asset whose associated usernames need to be updated.

Workaround
  1. Run an update from Admin tab > Auto Update > Get updates now or manually update DSM-MicrosoftWindows RPM to the latest version from IBM Fix Central.
  2. On Each QRadar managed host, add disableOriginatingComputerIdentity=true to /opt/qradar/conf/WindowsAuthServer.properties and then restart ecs-ec to load the properties file. Administrators must complete this procedure on each host in the deployment collecting Windows events.
13 May 2019
DISK SPACE / HA SECONDARY IJ11396 THE / PARTITION ON A HIGH AVAILABILITY (HA) SECONDARY APPLIANCE CAN HAVE RESIDUAL DOCKER FILES CAUSING DISK SPACE ISSUES OPEN: Reported in QRadar 7.3.0 and QRadar 7.3.1 versions Contact Support for a possible workaround that might address this issue in some instances.

It has been identified that after an upgrade to 7.3.x, the / partition on a High Availability (HA) Secondary appliance can retain old docker files in the store directory, using multiple GB of space on the / partition. This can cause the disk usage threshold on the appliance to be exceeded, and an outage on failover to the Secondary can occur if disk usage exceeds the 95% threshold.
31 December 2018
QRADAR RISK MANAGER (QRM) IJ09314 '[REPORTING THREAD - SIMEVENT/SIMARC BUNDLE1]...PROFILER DROPPED XXXX EVENTS' MESSAGES IN QRADAR LOGGING OPEN: Reported in QRadar 7.3.0 and later No workaround available.

It has been identified that in some instances the QRadar Risk Manager arc builder thread/queue that processes events does not remove events from the queue quickly enough to prevent the queue from filling up. Messages similar to the following can be generated in /var/log/qradar.log when this issue occurs:
[Reporting Thread - SimEvent bundle1] com.q1labs.semsources.filters.arc.NetworkModelsServices$SimEventsBundle: [INFO] [NOT:0000006000][-/--]Profiler stats: 
timestamp=1527102000000, numRecordsCreated=1418, numFlowsProcessed=0, 
numNormalizedEventsProcessed=3249953, numNormalizedEventsSeen=3252830, 
numFlowsSeen=0,numEventsDropped=23376
[Reporting Thread - SimEvent bundle1] com.q1labs.semsources.filters.arc.NetworkModelsServices$SimEventsBundle: [WARN] [NOT:0080004102][-/--]profiler dropped 23376 events in the last profiling interval
27 September 2018
QRADAR RISK MANAGER (QRM) IV93144 QRADAR RISK MANAGER DEVICE BACKUPS CAN FAIL WHEN THERE IS AN EMPTY VALUE IN A PROTOCOL CONFIGURATION ADDRESS SET OPEN (Transitioning to closed) Resolved in QRadar 7.3.1 Patch 7 (7.3.1.20181123182336)

Workaround: Remove the empty value from the address set.
30 November 2018
ASSETS IJ09055 INCORRECT RESULTS DISPLAYED WHEN ADDING THE ASSET FILTER "OPEN SERVICE 'DOES NOT EQUAL' " OPEN: Reported in QRadar 7.2.8 and later No workaround available.

It has been identified that incorrect results are displayed when applying the 'Assets with open service': 'Does not equal' filter value from the Assets tab.

Expected behavior
  1. The 'Does not Equal to' comparison for Assets with open service should return correct values.
  2. The 'Does not Equal to any of' comparison for Assets with open service should return correct values.
Actual behavior
The 'Does not Equal to' comparison for Assets with open service does not return values that are outside the filter parameter.
16 October 2018
BACKUP / RECOVERY IJ07678 AUTHENTICATION TOKENS CAN STOP WORKING AS EXPECTED AFTER A USERS CONFIG RESTORE HAS BEEN COMPLETED OPEN: Reported in QRadar 7.2.8 and later Contact Support for a possible workaround that might address this issue in some instances.

It has been identified that after performing a QRadar 'users configuration' config restore, some managed hosts and/or Apps with authentication or services that use authentication tokens can stop working as expected. For example, Deploys fail to some Managed Hosts. Messages similar to the following might be visible in /var/log/qradar.log during a configuration restore when this issue occurs:
[hostcontext.hostcontext] [BackupServices_restore] com.q1labs.hostcontext.backup.BackupRecoveryEngine: [INFO]
[NOT:0000006000][127.0.0.1/- -] [-/- -]Completed extraction of files
[hostcontext.hostcontext] [BackupServices_restore]
com.q1labs.hostcontext.backup.BackupRecoveryEngine: 
[ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Unable read user session file
19 July 2018
QRADAR RISK MANAGER / BACKUPS IJ07676 NIGHTLY BACKUP OF RISK MANAGER DATABASE CAN CAUSE /TMP PARTITION TO RUN OUT OF FREE SPACE CLOSED Resolved in QRadar 7.3.2 Patch 4 (7.3.2.20190803012943)

It has been identified that the nightly backup of the QRadar Risk Manager (QRM) database can sometimes cause the /tmp partition to run low on available free space. When this occurs, disk utilization System Notifications are generated within QRadar and the backup of the Risk Manager database can fail.
18 July 2018
DEVICE SUPPORT MODULE (DSM) IJ07034 CISCO FIRESIGHT MANAGEMENT CENTER LOG SOURCES CAN SHOW IN ERROR STATE WHILE WORKING AS EXPECTED OPEN: Reported in QRadar 7.3.0 Patch 5 and later No workaround available.

It has been identified that Cisco FireSIGHT Management Center log sources can sometimes display in error state while they are working as expected. There is an issue with clearing the error state of log sources that are using the CiscoFirepowerEstreamer protocol. Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs:
[ecs-ec-ingress.ecs-ec-ingress] [Estreamer Connection to 127.0.0.1] at 
com.q1labs.semsources.sources.estreamer.connection.EstreamerExtendedRequestConnection: [ERROR] null
[ecs-ec-ingress.ecs-ec-ingress] [Estreamer Connection to 127.0.0.1] at
com.q1labs.semsources.sources.estreamer.exception.EstreamerVersionSupportException
[ecs-ec-ingress.ecs-ec-ingress] [Estreamer Connection to 127.0.0.1] at
com.q1labs.semsources.sources.estreamer.message.datamsg.record.datablock.RNADataBlockFactory.createDataBlock(RNADataBlockFactory.java:38)
[ecs-ec-ingress.ecs-ec-ingress] [Estreamer Connection to 127.0.0.1] at
com.q1labs.semsources.sources.estreamer.message.datamsg.record.UserAddScanResultRecord.read(UserAddScanResultRecord.java:25)
[ecs-ec-ingress.ecs-ec-ingress] [Estreamer Connection to 127.0.0.1] at
com.q1labs.semsources.sources.estreamer.message.datamsg.record.datablock.IRNADataBlock: 
[ERROR] [127.0.0.1/- -] Encountered an Access Control Policy Rule ID Metadata Block (data block type: 15) with an empty body
22 June 2018
ADVANCED SEARCH (AQL) IJ06594 'SOURCEASSETNAME' ATTEMPTS TO USE A DEPRECATED ARIEL FUNCTION OPEN: Reported in QRadar 7.3.0 Patch 5 and later It has been identified that the "Source Asset Name" property used within QRadar attempts to use a deprecated ariel function and fails upon its use. An Advanced Search (AQL) query that uses sourceAssetName(ip) returns the error message "No function matches the given name: 'sourceassetname' in catalog 'events'" when running this query:
select sourceAssetName(sourceIP) from events

Workaround: From the example above, modify the advanced query to use assetHostName(sourceIP) instead.

For example:
select assetHostName(sourceIP) from events
24 May 2018
SYSTEM NOTIFICATIONS / NETWORK ADDRESS TRANSLATION (NAT) IV96407 SYSTEM NOTIFICATION 'PROCESS MONITOR: APPLICATION HAS FAILED TO START UP MULTIPLE TIMES' AFTER REMOVING NAT FROM MANAGED HOST OPEN Contact Support for a possible workaround that might address this issue in some instances.

After removing NAT from an encrypted Managed Host, QRadar System Notifications might be generated stating that a process could not start. The message is similar to "Process Monitor: Application has failed to start up multiple times." The process being referenced is a tunnel pointing to the old NAT IP address.

NOTE: The QRadar identifier (QID) for the 'Process Monitor Application has failed' system notification is 38750043. Users or administrators can search for this QID to quickly locate a history of these notifications in QRadar and view the RAW payloads to see what process is reported.
02 July 2019
USER INTERFACE / RULES IJ17357 HTTP 504 ERROR IN QRADAR USER INTERFACE WHEN SELECTING CUSTOM RULES OR WHEN OPENING RULES IN THE RULE WIZARD OPEN Contact Support for a possible workaround that might address this issue in some instances.

It has been identified that in some instances selecting or opening a custom rule from the Rule Wizard can fail with a 504 error being generated in the QRadar User Interface window.
02 July 2019
CUSTOM PROPERTIES IJ11734 SOME SPECIFIC ARIEL CUSTOM EVENT PROPERTIES INDEXING CAN CAUSE ARIEL INDEXING AND RULE EVALUATION DEGRADATION OPEN: Reported in QRadar 7.2.8 versions No workaround available.

It has been identified that some Custom Event Properties (CEPs) indexing functions within QRadar can cause extra CPU overhead during Ariel Indexing and rule evaluation. When this occurs, QRadar performance degradation can sometimes be observed causing events to be routed directly to storage.
31 December 2018
OFFENSES / ASSET USERNAME IJ01985 SOME ASSET IDENTITY DATABASE INFORMATION IS NOT CLEANED UP AFTER ASSETS ARE UPDATED OPEN No workaround available.

It has been identified that in some instances, residual identity data associated to an Asset can be left in the QRadar database after the Asset is updated. When this occurs, incorrect identity/username information associated with an Asset can sometimes be observed in generated Offenses.

An example of this issue:
View the Offense Summary screen (Offenses -> All Offenses). When the Offense Source Summary includes a username, that username does not necessarily correlate to the detected offense; it is based on what is known about the asset.

This displayed information does not represent the actual user(s) that contributed to the offense. To get the details for the username associated with the offense, choose Event/Flow count -> X events on the right; the pop-up that opens displays the captured details.
23 March 2018
DASHBOARD IJ17814 'BLOCKING DOES NOT RESOLVE TO A SAVED SEARCH OR A KNOWN ARIEL QUERY HANDLE (AS EXPECTED)' MESSAGES IN QRADAR LOGGING OPEN: Reported in QRadar 7.3.1 Patch 6 and later No workaround available.

It has been identified that when a User Interface dashboard loads with a graph item configured with the Time Range as "Last Interval (auto refresh)", messages similar to the following are generated in QRadar logging (/var/log/qradar.log and /var/log/qradar.error):
[tomcat.tomcat] [admin@127.0.0.1 (5771) /console/JSON-RPC/QRadar.updateResultsetGraphWidget QRadar.updateResultsetGraphWidget] com.q1labs.ariel.ui.UIArielServices: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -]searchId b4e2994e-8c2a-4c77-81e7-ecd143737c28-BLOCKING does not resolve to a saved search or a known ariel query handle (as expected).
[tomcat.tomcat] [127.0.0.1admin@127.0.0.1 (5775) /console/JSON-RPC/QRadar.getDashboardSearch QRadar.getDashboardSearch] com.q1labs.ariel.ui.UIArielServices: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -]searchId 2963d217-dd34-4427-bf0a-ddc69ce9da6a-BLOCKING does not resolve to a saved search or a known ariel query handle (as expected).
24 July 2019
HIGH AVAILABILITY (HA) IJ00711 HA DOES ITS OWN LOG ROTATION OUTSIDE OF THE OPERATING SYSTEM LOG ROTATION PROCESS CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

In an HA environment, if a deploy is happening and the log file /var/log/qradar-ha.log is larger than 10 MB then the deploy process will cause a log rotation outside of the Operating system internal log rotation process. This results in the creation of /var/log/qradar-ha.log.2, which may be truncated during successive deploys. The normal log rotation process would rotate the file qradar-ha.log into the /var/log/qradar.old directory.
21 November 2017
TCP SYSLOG IJ02453 INCREASING 'MAX NUMBER OF TCP SYSLOG CONNECTIONS' CAN CAUSE APPLIANCE ECS SERVICE TO FAIL WITH 'TOO MANY OPEN FILES' CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

It has been identified that increasing the 'Max Number of TCP Syslog Connections' (located in QRadar Admin tab -> System Settings) from the default of 2500 can cause the ecs (collection) service to report 'Too many open files' and fail. Messages similar to the following might be visible when this issue occurs:

[ecs-ec.ecs-ec] [LastEventSeenProcessor] com.q1labs.semsources.filters.stat.StatFilter: 
[ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]LastEventSeenProcessor encountered an error when attempting to update 8141 entries. Last event seen info will be stale until this issue is resolved. 
Reason: /opt/qradar/conf/host.token (Too many open files)
13 December 2017
HIGH AVAILABILITY (HA) IV92230 QRADAR PATCHING PROCESS CAN STALL/HANG AT MESSAGE 'WAITING FOR HA SETUP SCRIPT TO FINISH' CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

It has been observed in some customer environments that the QRadar patching process can stall/hang indefinitely while waiting for the HA setup script to complete. This can sometimes result in having to kill the patch process manually. QRadar Support can assist in determining if this step is required for end users.

The message displayed on screen where the patching process can hang indefinitely is similar to:
Tue Dec  20 19:38:17 GMT 2016 [HA] Host is primary and is in the active state
Tue Dec  20 19:38:17 GMT 2016 [HA] Waiting for HA Setup script to finish...
12 January 2017
API IJ11169 QRADAR API SESSIONS ARE NOT AUTOMATICALLY BEING PURGED/DELETED FROM THE DATABASE CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

It has been identified that QRadar API sessions are not automatically being deleted/purged from the database. This behavior has been observed to cause Tomcat process Out of Memory occurrences in some instances.
13 December 2018
OFFENSES IJ01150 SORTING IN 'MY OFFENSES' DOES NOT WORK AFTER A DEFAULT SEARCH IS SAVED CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

Workaround: Remove the default search in 'All Offenses'

When you save a search in the 'All Offenses' view and set it to be the default, the sorting functionality in 'My Offenses' does not work.
04 December 2017
LOGIN / ACCESS IJ01871 UNABLE TO LOGIN TO THE QRADAR USER INTERFACE DUE TO PREVIOUS LOGIN SESSIONS NOT YET EXPIRED CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

It has been observed in some QRadar environments that a QRadar user is unable to login to the User Interface. These particular instances have been identified as being caused by an issue with old login sessions that are not expiring properly when "Unique User Account Login" is enabled in the QRadar User Interface -> Admin tab -> System Settings. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[tomcat] [@127.0.0.1(Session)] com.q1labs.core.shared.sessionmanager.SessionManager: [WARN][-/- -]User  attempted to authenticate from host 127.0.0.1 User  is already logged in from host 127.0.0.1 rejecting login.
10 January 2018
USER INTERFACE IV84706 QRADAR USER INTERFACE SESSIONS ARE BECOMING DISCONNECTED (SESSION TIMEOUT) UNEXPECTEDLY CLOSED Resolved in:
QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)
QRadar 7.3.0 Patch 6 (7.3.0.20171107151332)

It has been observed that QRadar User Interface sessions are becoming disconnected unexpectedly (session timeout).
14 August 2017
APPS IV96428 QRADAR APPS CAN INTERMITTENTLY FAIL TO RETURN DATA CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

Workaround: Reload the App's tab in the QRadar User Interface.

Due to an intermittent API session call failure, QRadar Apps can sometimes fail to load expected data into the App's tab.
14 August 2017
USER INTERFACE IV93169 QRADAR TOMCAT SERVICE OUT OF MEMORY AND/OR API SLOWNESS CAN SOMETIMES BE CAUSED BY SESSIONMANAGER CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

It has been observed in some instances that the QRadar API can experience slow responsiveness and/or the Tomcat service can go Out Of Memory. The QRadar User Interface is unavailable during a Tomcat Out Of Memory occurrence until the affected services recover. These particular instances have been identified as being associated with issues occurring in the QRadar SessionManager and are to be corrected in a future QRadar release.
31 March 2017
CUSTOM PROPERTIES / APPS IJ00775 INSTALLING A CONTENT PACK CONTAINING A CUSTOM PROPERTY WITH AN ALREADY EXISTING CEP CAUSES A FOREIGN KEY VIOLATION CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

Adding a QRadar Content Pack sometimes does not install Custom Properties if there is a name collision with a custom property already on the system. When this issue occurs the following exception can be displayed in the logs:
[tomcat.tomcat] [admin@localhost] com.q1labs.core.cmt.Content: 
[ERROR] Chained SQL Exception [1/2]: 
ERROR: insert or update on table "ariel_property_expression" violates 
foreign key constraint "arielregexproperty_fkey"  Detail: Key (ap_id)=(Authorized_token)
is not present in table "ariel_regex_property". 
{prepstmnt -868634278 insert into ariel_property_expression (ap_id,creationdate,
deviceid,qid,enabled,devicetypeid,capturegroup,regex,payload,
propertybase,rank,id,category,editdate,username) values( ?, ?, ?, ?, ?, 
?, ?, ?, ?, ?, ?, ?, ?, ?, ?)}
10 April 2018
SYSTEM NOTIFICATIONS IJ06526 SAR SENTINEL NOTIFICATIONS MESSAGES 'AVERAGE TIME IN MS FOR I/O REQUESTS...' AFTER UPGRADING TO QRADAR 7.3.X CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

Workaround: SAR Sentinel messages generated as detailed in the examples have been determined to be caused by changes in code that are included within versions 7.3.X+ of QRadar and/or the underlying Operating System. SAR Sentinel messages generated as above and containing 'Average time in ms for I/O requests for device...' are deemed to be benign and can be safely ignored.

It has been identified that after upgrading to QRadar 7.3.X, an increased occurrence of QRadar 'SAR Sentinel' System Notifications referring to 'Average time in ms for I/O requests for device...' can sometimes be observed. Messages similar to the following can be visible in /var/log/qradar.log when this issue is occurring:
[hostcontext.hostcontext] [Thread-112] com.q1labs.hostcontext.sar.SarSentinel: [WARN] [-/- -] Average time in ms for I/O requests for device storerhel-store has an average of 2284.9 over the past 5 intervals, and has exceeded the configured threshold of 500.0. To resolve: If your system continues to exhibit this behavior, please contact Customer Support.
18 May 2018
HISTORICAL CORRELATION IV98246 HISTORICAL CORRELATION CAN SOMETIMES PRODUCE VARIED OFFENSE COUNT RESULTS CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

It has been observed that Historical Correlation can sometimes fail to correctly complete searches and return all offenses when a small amount of data is returned. The identical Historical Correlation profile can be run over the same time period against the same rule and produce different numbers of offenses.
10 August 2017
ROUTING RULES IJ12885 ARIEL_TAGGED_FIELDS, ALONG WITH AQL AND QRADAR NETWORK INSIGHTS (QNI) CUSTOM PROPERTIES CANNOT BE USED IN JSON FORWARDING PROFILES CLOSED Closed as suggestion. It has been identified that AQL custom properties (in domain management) along with ariel_tagged_fields and QNI custom properties cannot be used in JSON forwarding profiles.

A suggestion APAR identifies a function/operation that is not within the product specifications, for which a fix is not planned. Implementation of this modification would be a product enhancement. This APAR is considered for any future products/releases.
18 January 2019
HIGH AVAILABILITY IJ07737 HOURLY ERROR MESSAGE WRITTEN TO QRADAR.ERROR ON HIGH AVAILABILITY (HA) PRIMARY APPLIANCE CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

It has been identified that an error message can sometimes be written hourly to the /var/log/qradar.error log file of a High Availability (HA) primary appliance. The error message lines that are written to the /var/log/qradar.log are similar to:
stderr: cat: /etc/siemctl/ecs-ec-ingress.needs_update: No such file and directory
java.lang.Exception: Failed to run /bin/bash
/opt/qradar/bin/run_command.sh /usr/bin/ssh -F 
/opt/qradar/ha/ha_ssh_config -q -o ConnectTimeout=5  ssh  'cat /etc/siemctl/ecs-ec-ingress.needs_update'
11 July 2018
ROUTING RULES IV94377 EVENTS IN A TENANT DO NOT GET FORWARDED TO A FORWARDING DESTINATION CLOSED Closed as suggestion for future release.

It has been observed that attempting to configure events in a tenant to forward to a forwarding destination does not work. Steps that reproduce this behavior:

  1. Create a forwarding destination.
  2. Create Routing Rule and select Offline mode.
  3. Create a Tenant.
  4. Create a domain.
  5. Assign Tenant to the Domain.
  6. When configured this way, the affected events are stored in the '/store/ariel/events/records/aux/2017/...' directory instead of '/store/ariel/events/records/2017/...' and are not forwarded.
19 July 2019
GEOGRAPHIC DATA IJ08973 THE AQL GEO::LOOKUP DOES NOT WORK AS EXPECTED WHEN MULTIPLE DOMAINS ARE CONFIGURED IN QRADAR CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

It has been identified that the AQL GEO::LOOKUP function is unable to query the network hierarchy in a multi-tenant QRadar environment. This issue also causes QRadar Apps that use this function to not work properly with regard to geolocation mapping to the Network Hierarchy.
19 July 2019
FLOWS IJ12533 INCORRECT LABELS FOR FLOWS ON THE LICENSE POOL MANAGEMENT PAGE CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

It has been identified that there are instances where the flow acronyms are incorrectly labelled on the QRadar License Pool Management user interface.
  • Allocated FPM: {value} is displayed correctly
  • Average FPM: {value} should be identified as Average FPS (flows per second)
  • Peak FPM: should be identified as FPS (flows per second)
09 January 2019
API IJ10837 QRADAR VULNERABILITY MANAGER: SAVED SEARCHES RUN WITH THE 'RISK' SEARCH PARAMETER USING THE QVM API CAN GENERATE AN 'EXCEPTION' MESSAGE CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

Workaround: Remove the 'Risk equals' search parameter from saved search.

It has been identified that when using the QVM APIs to run saved searches with the 'Risk equals' search parameter, results can fail to be returned and an 'EXCEPTION' is displayed under the status. Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs:
[tomcat.tomcat] [pool-2-thread-5] com.q1labs.core.sql.queryframework.QueryFramework: 
[ERROR] Chained SQL Exception [2/2]: ERROR: missing FROM-clause entry for table "vuln_business_data_mv" Position: 10725
[tomcat.tomcat] [pool-2-thread-5] com.q1labs.core.sql.queryframework.QueryFramework: [WARN]
[NOT:0000004000][127.0.0.1/- -] [-/--]QueryFramework.executeQuery(): Could not execute the above SQL statement.
[tomcat.tomcat] [pool-2-thread-5] org.apache.jpa.lib.jdbc.ReportingSQLException: ERROR: missing FROM-clause entry for table "vuln_business_data_mv"
31 October 2018
AQL / SHOW AQL BUTTON IJ14493 CONVERTING A SEARCH CRITERIA TO AQL USING "SHOW AQL" FUNCTIONALITY CAN GENERATE THE WRONG AQL IF A "PAYLOAD CONTAINS" FILTER EXISTS IN THE SEARCH CRITERIA CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

Workaround: Remove the additional "AND" output from the SHOW AQL results and attempt to run the query again.

It has been identified that converting a search that contains a payload-based filter with SHOW AQL produces incorrect output, because an additional "AND" operator is unexpectedly added to the SHOW AQL output.

For example:
Performing an AQL search that works as expected and then adding a filter for "payload Contains", then using SHOW AQL from the user interface adds an additional "AND" to the AQL search causing incorrect results to be output.
15 March 2019
PERFORMANCE IJ12791 AN UNREACHABLE, MOUNTED NFS SHARE CAN CAUSE QRADAR TO BECOME UNRESPONSIVE CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

It has been identified that if there is an NFS share mounted in QRadar and that NFS share becomes unreachable, the system load (observed by using the "top" command) continually grows higher. As the system load continues to grow, QRadar can eventually become unresponsive. During investigation of these scenarios, running "ps -ef" displays many instances of the command "df -TP".

  1. Stop the df command using:
    killall df
  2. Either comment out the NFS share in /etc/fstab or restore connectivity to the remote file server.
  3. Contact Support if you require further assistance.
01 April 2019
VULNERABILITY SCAN IJ01153 QRADAR VULNERABILITY MANAGER: PERFORMANCE ISSUES RESULT IN SCANS BEING HELD 1 PERCENT COMPLETED CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

As a result of a large scan a table within QVM can get backed up. This causes the QVM scan to get held up at a set percentage.
02 November 2017
BACKUPS IV90362 QRADAR DATA BACKUPS ON MANAGED HOSTS CAN FAIL IF COMMUNICATION TO THE CONSOLE IS UNAVAILABLE CLOSED Resolved in QRadar 7.3.2 Patch 2 (7.3.2.20190522204210)

Data backups that are configured to run on QRadar Managed Hosts can fail when the backup process is unable to communicate to the QRadar Console for a required database write. Messages similar to the following might be visible in /var/log/qradar.log on the Managed Host when this issue is occurring:
[hostcontext.hostcontext] [Backup] com.q1labs.hostcontext.backup.core.BackupUtils: [ERROR] [127.0.0.1/- -] [-/- -] Cannot syncronize Console and managed host transaction (timeout):backup_,{UUID}
[hostcontext.hostcontext] [Backup] com.q1labs.hostcontext.backup.BackupRecoveryEngine: [ERROR][127.0.0.1/- -] [-/- -]Unable to process backup
02 November 2017
EXTERNAL SCAN IV97671 QRADAR VULNERABILITY MANAGER: EXTERNAL SCAN DOES NOT CONTINUE PAST 1% COMPLETED CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

Scan jobs that use the IBM external scanner can fail to run or stop at 1% completed after the following has occurred in the QRadar deployment:
  1. A QVM scanner is added to, and then removed from, a managed host.
  2. The QVM processor is moved to the same managed host and the IBM external scanner is added.
  3. The IBM external scanner is selected within a scan profile.
03 July 2017
GEOGRAPHIC DATA IJ13502 SOURCE OR DESTINATION IP ADDRESS BEGINNING WITH 195.212.X.X CAN SOMETIMES DISPLAY AS 'NULL' IN THE QRADAR USER INTERFACE CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

It has been identified that any event with a source IP address beginning with 195.212.X.X does not show a country or region in the Log Activity "Source Geographic Country/Region" column.

For example:
  1. Navigate to the Log Activity tab.
  2. Go to Search -> New search -> add the Source Geographic Country/Region, Destination Geographic Country/Region and Geographic Continent columns -> search.
  3. Have known events with an IP address in 195.212.x.x as the source or destination IP.
  4. Observe that the Source Geographic Country/Region, or Destination Geographic Country/Region, and Geographic Continent columns display null.
16 May 2019
ERROR LOGS IJ14484 REPEATED 'CONTAINER@XXXXXXX.SERVICE FAILED' MESSAGES CAN BE OBSERVED IN /VAR/LOG/MESSAGES CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

It has been identified that repeated messages similar to the following can sometimes be observed in /var/log/messages:
systemd[1]: Failed to load environment files: No such file or directory
systemd[1]: container@12143549859522470615.service failed to run 
'start-pre' task: No such file or directory
systemd[1]: Failed to start Container created and managed by the conman service.
systemd[1]: Unit container@12143549859522470615.service entered failed state.
systemd[1]: container@12143549859522470615.service failed.
systemd[1]: Starting Container created and managed by the conman service...
systemd[1]: Failed to load environment files: No such file or directory
08 May 2019
AQL IJ15627 AQL CASE AND IF STATEMENTS WITH 'AND' / 'OR' KEYWORDS FAIL WITH 'GENERAL FAILURE. PLEASE TRY AGAIN' NULLPOINTEREXCEPTION CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

It has been identified that Advanced Search (AQL) - CASE and IF statements with 'and' / 'or' keywords fail in QRadar 7.3.2. An error "General failure. Please try again. A java.lang.NullPointerException:null" is generated and messages similar to the following might be visible in /var/log/qradar.error:
[ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:50568] com.q1labs.ariel.ql.parser.Parser: 
[ERROR] [NOT:0000003000][127.0.0.1/- -] [-/--]java.lang.NullPointerException:null
16 May 2019
OFFENSES IJ12887 "APPLICATION ERROR" WHEN NAVIGATING TO AN OFFENSES "EVENT DETAILS" WHEN AQL FUNCTIONS USED IN ANOMALY RULES CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

Workaround: Correct the AQL query to remove functions from the search before using in an Anomaly rule.

It has been identified that when using an Anomaly Threshold Rule with an AQL search containing AQL functions, an "Application Error" can sometimes occur when navigating to an associated Offense's "Event Details" window in the QRadar User Interface if the AQL query fails to parse correctly. A message similar to the following is visible in the QRadar UI:
"An error has occured. Return and attempt the action again. If the problem persists, please contact customer support for assistance"
28 January 2019
NETWORK ACTIVITY / FLOWS IJ14443 NO FLOWS ARE DISPLAYED IN THE NETWORK ACTIVITY TAB IF AN EVENT PROCESSOR'S ID MATCHES A FLOW PROCESSOR IN THE DEPLOYMENT CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

It has been identified that filtering on Event Processor in the Network Activity tab can fail to display any flows if there is an Event Processor whose ID in the Deployment matches that of a Flow Processor managed host.
28 May 2019
OFFENSES IJ13367 LONG RUNNING TRANSACTION CAN CAUSE THE MAGISTRATE TO NOT SHUTDOWN PROPERLY AND OFFENSES CAN STOP GENERATING CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

It has been identified that a long running transaction can cause the Magistrate to not shutdown cleanly (during a Deploy function for example). When this occurs, Offenses can stop being generated if the Magistrate is unable to start up as expected after the unclean shutdown.
28 May 2019
APPS IJ17793 QRADAR APPS CAN STOP RUNNING ON AN APP HOST AFTER IT IS SETUP WITH HIGH AVAILABILITY (HA) OPEN Contact Support for a possible workaround that might address this issue in some instances. 28 May 2019
SECURITY BULLETIN CVE-2019-4212 IBM QRADAR SIEM IS VULNERABLE TO CSRF ATTACK CLOSED Resolved in:
QRadar 7.2.8 Patch 16 (7.2.8.20190703194519)
QRadar 7.3.2 Patch 2 (7.3.2.20190522204210)
22 July 2019
SCHEDULED SCAN IV98896 VULNERABILITY SCANS CAN APPEAR TO NEVER COMPLETE AND/OR SOMETIMES TAKE LONGER THAN EXPECTED TO COMPLETE CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

These particular instances of long duration scans have been attributed to a "build reports" agent process that can cause qvmprocessor out of memory occurrences. Messages similar to the following might be visible in /var/log/qradar.log when this issue is occurring:
Line 173170: Jun  5 00:42:29  OutOfMemoryMonitor[10929]: Discovered out-of-memory error for qvmprocessor process.
10 August 2017
DATA NODES IJ04179 DATA NODE REBALANCING CAN SOMETIMES CREATE AN UNBALANCED CLUSTER WHEN WITHIN 5% OF BEING IN BALANCE CLOSED Closed as a suggestion for a future release.

It has been identified that Data Node rebalancing can sometimes create an unbalanced cluster under certain conditions.

This has been observed primarily in instances where the data "source" is much larger in size than the "destination" and the nodes start to rebalance when within 5% of being in balance. It could also occur when rebalancing is interrupted (communication failures, deploys, restarting tunnels, etc).
30 November 2018
LOG SOURCES IJ17197 TRAFFIC ANALYSIS IN QRADAR 7.3.2 INCORRECTLY IDENTIFIES EVENTS LEADING TO INCORRECTLY GENERATED LOG SOURCES CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

It has been identified that in QRadar 7.3.2, Traffic Analysis can incorrectly identify incoming events more often than expected. When this event misidentification occurs, new Log Sources can be incorrectly created.
26 June 2019
DEPLOY CHANGES IJ16921 PERFORMING REPEATED 'DEPLOY' CHANGES PRIOR TO BACKEND DEPLOY TASKS COMPLETING CAN CAUSE A SIM RESET TO OCCUR CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

It has been identified that a SIM reset can occur when Deploy Changes has been repeatedly performed before all backend Deploy Changes functions have completed successfully. It is possible that the Magistrate can fail to shutdown cleanly in these instances, leading to the SIM reset.

Messages similar to the following might be visible in /var/log/qradar.log when this issue is occurring:
[ecs-ep.ecs-ep] [ECS Runtime Thread] com.q1labs.sem.magi.OffenseManagerDelegate: [WARN]
[NOT:0180003000][127.0.0.1/- -] [-/- -]Magistrate was not shutdown cleanly, repairing database tables and files to be logged.
[hostcontext.hostcontext] [reset_sim] com.q1labs.hostcontext.core.executor.BaseHostExecutor: [INFO]
[NOT:0000006000][127.0.0.1/- -] [-/- -]Invoking ResetSim request
NOTE - A Support case is required to fully investigate and identify whether this issue is the exact cause of a particular SIM reset occurrence.
18 June 2019
REPORTS IJ12530 "NEXT" BUTTON DOES NOT WORK IN THE REPORT WIZARD 'REPORT FORMAT PAGE' WHEN ONLY CSV IS SELECTED CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

It has been identified that the "Next" button on the "Report format page" in the Report Wizard does not respond (it's greyed out) when only CSV is selected. This occurs during report template editing and also during a new report template creation.
07 January 2019
ASSETS IJ14994 PERFORMING A 'DELETE LISTED' ON ASSETS SCREEN, IT DELETES ALL ASSETS IN ASSET MODEL WHEN USING SPECIFIED FILTERED ASSET CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

It has been identified that when assets are displayed in the Asset Model using search filters, and then the option for Delete Listed is used, all assets in the Asset Model are deleted instead of only the assets that were displayed.
26 March 2019
FORWARDING IJ16946 FORWARDING USING TCP OVER SSL CAN FAIL AND NOT ATTEMPT RECONNECT CAUSING FORWARDING TO STOP UNEXPECTEDLY CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

It has been identified that when QRadar event/offense forwarding is configured to use TCP over SSL, forwarding can stop occurring when an exception is experienced, and it does not automatically recover as expected. Messages similar to the following might be visible in /var/log/qradar.log when this issue is occurring:

[ecs-ep.ecs-ep] [SelectiveForwardingCommunictorThread_104] com.q1labs.sem.forwarding.network.ForwardingTCPoverSSLConnector:
[ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]An error occured while writing to the socket.
19 June 2019
DEVICE SUPPORT MODULE (DSM) IJ08963 ASSET UPDATES CAN STOP OCCURRING WHEN INVALID IPV6 VALUES ARE SENT TO THE ASSETPROFILER FROM A LOG SOURCE EXTENSION (LSX) CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

It has been identified that when a Log Source Extension (LSX) is created and returns invalid IPv6 addresses, they are sent forward from the DSM extension to the assetprofiler. When this occurs, asset updates can stop.
16 October 2018
UPGRADE IJ14482 PATCHING ERROR MESSAGE ' "ASSET_REPORTING.VULNINSTANCE_XXXXX" DOES NOT EXIST' AND A PATCH ROLLBACK THEN OCCURS CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

It has been identified that a message similar to the following can occur during the QRadar patching/update process:
'ERROR: relation "asset_reporting.vulninstance_weekly" does not exist  : patch rolled back.'
[ERROR] Failed to apply patch on console (). Exiting patch installer. An error was encountered attempting to process patches. Please contact customer support for further assistance.
This issue can be observed with these three table descriptions:
  • asset_reporting.vulninstance_daily
  • asset_reporting.vulninstance_weekly
  • asset_reporting.vulninstance_monthly
11 March 2019
RULES IJ11173 QRADAR RULES CAN LOAD WHEN ONE OR MORE OF ITS TESTS FAIL LEADING TO FALSE POSITIVE RULE FIRING AND OFFENSES CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

It has been identified that QRadar rules can still load when one or more of their rule tests fail. When this situation occurs within the QRadar rule engine, false positive rule firing can sometimes be observed and lead to invalid Offense creation.
24 May 2019
QUALYS SCANNER IJ16409 NIGHTLY VULNERABILITY SCAN USER INTERFACE STATUS MESSAGE DOES NOT GET UPDATED IF ONLY A SINGLE REPORT IS IMPORTED CLOSED An updated version of the Qualys Scanner rpm resolves APAR IJ16409. The RPM update for QualysQualysGuard-7.3-20190531123001.noarch.rpm (or later) is included in the July 25th QRadar weekly auto update. Most users will receive this update automatically. Administrators with Console appliances that do not have access to the Internet to get the automatic update can download the latest Auto Update bundle QRADAR-QRAUTO-1564067294 (or later) from IBM Fix Central. See this page for instructions on how to manually install an auto update bundle.

Issue: It has been identified that a nightly vulnerability scan status message in the User Interface does not get updated when there is only one scan file to download and parse. The scanUpdate message only gets updated at the beginning of a "for" loop when processing reports. When this issue occurs, it incorrectly appears in the User Interface that the scan continuously runs (even though it completes) until another scan using the same scanner is kicked off.
28 May 2019
PROTOCOL IJ15400 AKAMAI KONA REST API PROTOCOL FAILS WITH NULLPOINTEREXCEPTION IN QRADAR LOGGING CLOSED Resolves an issue in the Akamai Kona Rest API protocol to prevent a Null Pointer Exception that could cause event collection to stop. The release of this protocol update closes APAR IJ15400 and resolves the workaround where users needed to disable and enable their Akamai Kona log sources. Most users can wait for the QRadar weekly auto update to receive the protocol changes; however, administrators with Akamai Kona log sources can manually download and install the RPMs from IBM Fix Central. Issue resolved with the following RPM releases:

  • PROTOCOL-AkamaiKonaRESTAPI-7.2-20190226111026.noarch.rpm or later
  • PROTOCOL-AkamaiKonaRESTAPI-7.3-20190226161019 or later

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:

    [ecs-ec-ingress.ecs-ec-ingress] [Akamai Kona REST API Protocol Provider Thread: class com.q1labs.semsources.sources.akamaikonarestapi.AkamaiKonaRESTAPIProvider] java.lang.NullPointerException
    [ecs-ec-ingress.ecs-ec-ingress] [Akamai Kona REST API Protocol Provider Thread: class com.q1labs.semsources.sources.akamaikonarestapi.AkamaiKonaRESTAPIProvider] com.q1labs.semsources.sources.akamaikonarestapi.AkamaiKonaRESTAPISource: [ERROR] [NOT:0000003000][IP ADDRESS/- -] [-/- -]There appears to have been a run-time issue with the provider connection 'class com.q1labs.semsources.sources.akamaikonarestapi.AkamaiKonaRESTAPIProvider'
18 JULY 2019
DEVICE SUPPORT MODULE (DSM) IJ17406 CHANGES IN VCENTER AND COMMON DSM CAN CAUSE TLS SYSLOG LOG SOURCE LEGACY CONFIGURATION UI PAGE TO NOT LOAD CORRECTLY CLOSED This release resolves a problem where the VMware vCenter DSM or DSM Common framework RPM could affect which protocol options were displayed to users creating new log sources. Several users reported that TLS Syslog was missing from the Protocol drop-down list when creating non-VMware log sources, as described in APAR IJ17406. Users who do not have the VMware vCenter DSM installed, or who do selective DSM installs, can also get this fix by updating to the latest version of DSM Common to resolve APAR IJ17406. This issue was only observed by users of the default log source user interface, not by users of the Log Source Management app.

Local fix: The next QRadar weekly auto update will resolve this issue. QRadar 7.3.x users can manually install the updated RPMs from IBM Fix Central.
18 JULY 2019
SYSTEM NOTIFICATIONS IJ16822 INTERMITTENT FALSE POSITIVE NOTIFICATION MESSAGES 'A CRE PROCESSOR THREAD GOT SHUT DOWN UNEXPECTEDLY...' OPEN: Reported in QRadar 7.3.2 versions. No workaround available. These System Notifications can be ignored. 14 JUNE 2019
SERVICE IJ16824 ARIEL_QUERY_SERVER PROCESS OUT OF MEMORY CAN OCCUR DUE TO LARGE NUMBER OF CONCURRENTPOOL OBJECTS IN JMX MBEAN OPEN: Reported in QRadar 7.3.2 versions It has been identified that the ariel_query_server process on a QRadar appliance can run out of memory due to a memory leak caused by a large number of remaining ConcurrentPool objects in JMX mbean server.

Contact Support for a possible workaround that might address this issue in some instances.


CASE REQUIREMENTS
In order to correctly identify that this issue is the cause of an ariel_query_server process out of memory occurrence, create a Support case with the affected appliance's get_logs output and the /store/jheap/ariel.ariel_query_server/ariel.ariel_query_server.system.dmp file that is created when the out of memory occurs. Only after these are examined by Support can the exact cause of the ariel_query_server process out of memory occurrence be correctly identified.
10 June 2019
USERS IJ16672 UNABLE TO CREATE USERNAMES CONTAINING WHITESPACE CHARACTERS AND AN INCORRECT WARNING MESSAGE IS DISPLAYED WHEN ATTEMPTED OPEN: Reported in QRadar 7.3.2 versions No workaround available.

It has been identified that attempting to create usernames containing whitespace(s) no longer works as expected, and the error message displayed when attempted does not clearly identify that this is the reason for the failure to create. The message generated is similar to:
Username must not contain any of the following non-whitespace characters: / ' \ "
10 June 2019
RULES IJ16698 NEW CUSTOM RULE ENGINE (CRE) THREAD THAT LOADS AFTER A THREAD FAILURE DOES NOT LOAD RULES CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

It has been identified that when impacted by APAR IJ04898 it is possible that the CRE threads load without rule configuration. When this occurs, expected rule correlation of events and offense firing can fail to work as expected.

Messages similar to the following might be visible in the QRadar System Notifications (QID 38750163): 'A CRE Processor thread got shut down abruptly, but a replacement one was created' and the following errors are displayed in /var/log/qradar.log indicating this scenario exists in your QRadar environment:
[WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -]CRE Thread CRE Processor [x] shut down unexpectedly. CRE Processor [9]] com.q1labs.semsources.cre.CREEventProcessor:
[INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Starting CRE Processor [27] on EP [212] with rule set [PROPERTY]

Workaround: A manual restart of the ecs-ep process from a command line interface connection corrects this condition on affected appliances. For example:
systemctl stop ecs-ep && systemctl start ecs-ep
27 June 2019
SEARCH IJ16592 ENABLING UNIQUE COUNTS FOR SAVED SEARCHES DOES NOT WORK AS EXPECTED OPEN: Reported in QRadar 7.3.1 Patch 5 IF01 (7.3.1.20180720020816) It has been identified that attempting to enable unique counts on a search in Log Activity does not work as expected. Enable unique counts on a search, navigate off of the search, and then back to the search. The unique counts setting reverts to disabled. For example:
  1. Create a new saved search.
  2. Create a basic report associated with saved search to enable the data accumulation for the saved search.
  3. Allow time to accumulate data for the search.
  4. Edit the saved search, enable unique counters.
  5. Run the search (search returns expected results).
  6. Edit the saved search.
Results: Observe that unique counts are disabled on the search.
10 June 2019
RULES IJ16618 USING A CIDR IN 'COMMON' RULES FAILS AND GENERATES 'CIDRNETWORKEXCEPTION' IN QRADAR LOGGING OPEN: Reported in QRadar 7.3.2 versions It has been identified that attempting to use a CIDR in Common rules generates a CIDRNetworkException similar to the following in /var/log/qradar.log:

[tomcat] [user@127.0.0.1 (8388) /console/do/rulewizard/saveCustomizeConditionParameter] com.q1labs.sem.ui.util.RuleConditionUtils: [ERROR]
[NOT:0000003000][127.0.0.1/- -] [-/- -]Failed to get test parameter option text
[tomcat] [user@127.0.0.1 (8388) /console/do/rulewizard/saveCustomizeConditionParameter] Caused by: /console/do/rulewizard/saveCustomizeConditionParameter]
com.q1labs.frameworks.exceptions.CIDRNetworkException: Failed to parse IP address: 1.2.3.0/24
10 June 2019
UPGRADE / APP FRAMEWORK IJ16653 DUAL STACK NETWORK CONFIGURATION CAN CAUSE THE APP FRAMEWORK TO FAIL TO START SUCCESSFULLY AFTER PATCHING OPEN: Reported in QRadar 7.3.2 versions It is possible that the Application Framework fails to start due to none of the services being able to communicate with each other after patching QRadar in environments with an IPv6 and an IPv4 network interface configured.

The following error messages might be visible in /var/log/qradar.log when this issue occurs:
[21598]: time="2019-06-20T10:55:45-05:00" level=error msg="Provider connection error Get https://127.0.0.1:2376/v1.21/version: x509: certificate is valid for , not 127.0.0.1 
[21598]: error during connect
10 June 2019
DEPLOY CHANGES IJ16640 QRADAR DEPLOY FUNCTIONS CAN TIMEOUT WHEN THE CERTIFICATE VALIDATOR FAILS DUE TO EMPTY CERTIFICATES BEING PRESENT OPEN: Reported in multiple QRadar versions It has been identified that test_tomcat_connection.sh can take longer than expected to complete when empty certificates are present in /opt/qradar/trusted_certificates/. When this occurs, the Certificate Validator does not work and can lead to QRadar deploy functions timing out.

The following error message might be visible in /var/log/qradar.log when this issue occurs:
[tomcat.tomcat] [localhost-startStop-1]
java.security.cert.CertificateException: Unable to initialize,
java.io.IOException: Short read of DER length


Workaround: Remove the empty certificates from /opt/qradar/trusted_certificates and try to deploy changes. Contact Support if assistance is required with this task.
05 June 2019
AMAZON AWS CLOUDTRAIL IJ16038 AMAZON AWS S3 REST API PROTOCOL CAN GET INTO A STATE OF AN INFINITE LOOP CAUSING THE LOG SOURCE TO FAIL TO RECEIVE LOGS OPEN: Reported in QRadar 7.3.1 Patch 5 IF01 (7.3.1.20180720020816) and later It has been identified that Log Sources using the Amazon AWS S3 Rest API Protocol can get into a state of an infinite loop in the error handling and show as being in "Success" state, but not be receiving any logs. Administrators who experience this issue should report the problem to QRadar Support in a case.

Workaround: The administrator can disable, then enable the affected Log Source to temporarily get the Log Source to function again as expected.
05 June 2019
REPORTS IJ16414 SCHEDULED REPORTS GENERATE WITH INCORRECT CHART DATA AND COLUMN NAME WITH SOME ADVANCED SEARCHES (AQL) OPEN: Reported in QRadar 7.3.2 versions It has been identified that when an aggregate function along with a mathematical operation is used in an Advanced Search (AQL), a separate column for every aggregate function is displayed in the report based on the search. In the following example, two columns with the same column name (as specified in the Alias) are displayed and both the columns contain different values which belong to the particular aggregate function.

Workaround: Run the report immediately from the Report Wizard so that the report runs against raw data. On the Report Wizard page, select the "Yes - Run this report when the wizard is complete" check box.
29 May 2019
JDBC PROTOCOL IJ16291 JDBC MSDE LOG SOURCES IN WARN STATUS WITH MESSAGE 'THERE IS A PROBLEM WITH THE SELECTED DATABASE DRIVER' OPEN: Reported in QRadar 7.3.2 versions No workaround available.

It has been identified that after patching to QRadar 7.3.2, JDBC MSDE Log Sources can stop receiving events and be in WARN status with a message similar to "There is a problem with the selected database driver".
29 May 2019
AQL / GEOLOCATION IJ16434 ADVANCED SEARCH (AQL QUERY) CONTAINING GEO::LOOKUP RETURNS AN EMPTY JSON STRING FOR 'CITY' VARIABLE OPEN: Reported in QRadar 7.3.2 versions No workaround available.

It has been identified that performing an Advanced Search (AQL Query) using the GEO::LOOKUP can return no data for 'city' where the graph can display records. The 'city' variable returns only an empty JSON string in the table below the graph. QRadar 7.3.2 users can use the following advanced search to validate this reported issue:
select GEO::LOOKUP('','city') as City,
GEO::LOOKUP('','city_name') as CityName from events
limit 1
29 May 2019
UPGRADE IJ15652 APPS NOT DISPLAYING AFTER UPGRADING TO VERSION 7.3.2 OF QRADAR CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

It has been identified that after upgrading to QRadar 7.3.2, previously installed or newly installed applications can sometimes fail to display in the QRadar User Interface due to a certificate issue where the Local CA could not determine the domain name properly.
29 May 2019
REPORTS IJ15667 REPORTS WITH ONLY ONE OUTPUT COLUMN FAIL TO GENERATE IN XLS FORMAT OPEN: Reported in QRadar 7.3.1 (20171206222136) and later. No workaround available.

It has been identified that reports that have only one column fail to generate in XLS format. CSV and PDF reports with one column are created without issue. Messages similar to the following might be visible in /var/log/qradar.log when this issue is occurring:
[report_runner] [main] com.q1labs.reporting.ReportServices: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]REPORT
[MANUAL#^#user#$#xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx]: An error was encountered rendering the XLS version of the report
29 May 2019
DEPLOYMENT IJ16391 ADDING A MANAGED HOST TO A DEPLOYMENT FAILS IF IT HAD BEEN REMOVED FROM THE DEPLOYMENT WHILE BEING INACCESSIBLE OPEN: Reported in QRadar 7.2.8, 7.3.1, and 7.3.2 versions. It has been identified that a Managed Host fails to be added to a Deployment if that Managed Host was previously in the Deployment but was inaccessible (e.g. powered off) when it was removed.

Contact Support for a possible workaround that might address this issue in some instances.
29 May 2019
AQL IJ16172 ADVANCED SEARCH (AQL) FAILS WHEN USING THE LABELS OF A CUSTOM EVENT PROPERTY FIELDS IN A GROUP BY OPEN: Reported in QRadar 7.3.1 Patch 6 IF01 (7.3.1.20181002221547) and later. No workaround available.

It has been identified that an Advanced Search (AQL) fails when using the labels (alias) of Custom Event Properties in a 'group by'.
29 May 2019
RULES IJ15514 QRADAR RULES PAGE CAN TAKE LONGER THAN EXPECTED TO LOAD OPEN: Reported in QRadar 7.2.8, 7.3.1, and 7.3.2 versions. No workaround available.

It has been identified that the QRadar Rules page in the User Interface can take longer than expected to load in instances where thousands of rules exist. Timeouts can sometimes occur while the Rules are being gathered by QRadar backend processes.

NOTE: A duplicate APAR IJ15515 was also created and sent via IBM My Notifications. Users who received this notice should refer to IJ15514 and subscribe to track this issue.
29 May 2019
SEARCH / INDEXES IJ16415 /OPT/QRADAR/BIN/ARIEL_OFFLINE_INDEXER.SH CAN SOMETIMES FAIL TO CREATE SUPER INDEX DUE TO MAXIMUM FILE ULIMIT VALUE OPEN: Reported in QRadar 7.3.1 Patch 7 (7.3.1.20181123182336) and later. It has been identified that in some instances the current default per-process open file limit (1024) is too low. When the file ulimit is hit, the ariel_offline_indexer.sh script can fail to successfully create a super index. Contact Support for a possible workaround that might address this issue in some instances.

Messages similar to the following might be visible in /var/log/qradar.log when the ulimit is reached:
[main] java.io.FileNotFoundException: /store/ariel/events/records/2019/06/30/22/super/Q1Tmpxxxxxx-xxxx-xxxx-xxxx-8e9792bb1a49 (Too many open files)
29 May 2019
UPGRADE IJ15560 UNABLE TO CONFIGURE BONDED MANAGEMENT INTERFACE USING QCHANGE AFTER MOVING FROM AN 8028 TO 3128 APPLIANCE TYPE OPEN: Reported in QRadar 7.3.1 Patch 1 (7.3.1.20171206222136) and later Contact Support for a possible workaround that might address this issue in some instances. 29 May 2019
LOG SOURCE / USER INTERFACE IJ16422 CUSTOM DSM REMAINS LISTED IN AVAILABLE "LOG SOURCE TYPES" AFTER BEING DELETED OPEN: Reported in QRadar 7.3.1 Patch 5 (7.3.1.20180720020816) and later No workaround available.

It has been identified that after a search is performed in "Log Activity" and a "Log Source Type" filter is added, any deleted Custom DSMs remain in the list of available Log Source Types.
29 May 2019
EVENTS IJ15965 QRADAR LOG SOURCES CAN BE IN A SUCCESS STATE BUT NOT RECEIVING LOGS DUE TO A PROTOCOL FAILURE CAUSED BY A MISSING JAR FILE CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

It has been identified that in some instances, the file opencsv-1.8.jar is missing from appropriate locations on a QRadar Console or Managed Host appliance. When this occurs, multiple QRadar Protocols that require the jar file can fail. Log Sources can be in "Success" state, but not receiving any event data for the Log Source.
29 May 2019
RULES IJ15968 MODIFIED SYSTEM RULES CANNOT BE DELETED DUE TO INFORMATION STORED BY THE DEPENDENCY CHECKER CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

It has been identified that System Rules (Building Blocks) that have been modified cannot be deleted due to information stored and used by the rule deletion dependency checker in QRadar.
29 May 2019
DATA NODE IJ16438 DATA NODES ADDED TO AN EVENT PROCESSOR IN PROCESSING ONLY MODE SHOW AS REBALANCING COMPLETED WITHOUT REBALANCE OCCURRING OPEN: Reported in multiple QRadar versions Contact Support for a possible workaround that might address this issue in some instances.

It has been identified that after adding a Data Node to an Event Processor that is in 'Processing Only' mode, rebalancing appears to complete quickly, but rebalancing of data to the new Data Node did not occur.
28 May 2019
RIGHT-CLICK IJ10925 RIGHT-CLICK FUNCTIONALITY FOR 'ADD TO BLACKLIST' FAILS WITH 'REFERENCESETUTIL CAUGHT AN ERROR...' MESSAGE CLOSED Closed as a documentation error.

Manually run the ReferenceSetUtil.sh script via an SSH session to the QRadar console with arguments. Example:
/opt/qradar/bin/ReferenceSetUtil.sh add Blacklist 
11 June 2019
UPGRADE IJ15626 QRADAR PATCH FAILS 'ERROR: FAILED TO VERIFY THAT VAULT-QRD SERVICE IS CORRECTLY CONFIGURED AND RUNNING' CLOSED Resolved in QRadar 7.3.2 Patch 4 (7.3.2.20190803012943) 28 May 2019
SERVICE IJ14988 ARIEL_QUERY_SERVER PROCESS IS ALLOWED TO BE STARTED ON THE QRADAR CONSOLE WHEN IT SHOULD NOT CLOSED Resolved in QRadar 7.3.2 Patch 4 (7.3.2.20190803012943) 28 May 2019
SERVICE IJ15446 ARIEL_QUERY_SERVER CAN BE MANUALLY STARTED ON A QRADAR CONSOLE CLOSED: Duplicate of IJ14988 APAR IJ14988 is closed with the release of QRadar 7.3.2 Patch 4 (7.3.2.20190803012943) 28 May 2019
UPGRADE / CONTENT IJ15334 EXTENSION MANAGEMENT UNINSTALLS CAN SOMETIMES CORRUPT RULES CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

It has been identified that in some instances when Extension Management uninstalls are performed, rule corruption can occur due to a Content Management Tool issue. Extension Management uninstalls are performed when Apps are uninstalled. When rule corruption has occurred, false positives and/or false negatives can be experienced. An 'Application Error' can also sometimes occur when attempting to modify affected rules.
26 April 2019
RULES IJ16392 USERS WITHOUT 'MAINTAIN CUSTOM RULES' DO NOT SEE THE LOW-LEVEL CATEGORY OF THE DISPATCHED EVENT FROM RULE WIZARD OPEN No workaround available.
It has been identified that QRadar users without "Maintain Custom Rules" in user role do not see the Low-level category of the dispatched event from the Rule Wizard when viewing the rule summary.
28 May 2019
RULES IJ17437 LOW-LEVEL CATEGORY VALUE IN RULE SUMMARY IS BLANK FOR USERS WITH NON-ADMIN USER ROLE CLOSED: Duplicate of IJ16392. Subscribe to APAR IJ16392 to be alerted to status changes for this APAR. 28 May 2019
INSTALL IJ17438 INSTALLATION OF QRADAR CAN FAIL DUE TO INCORRECT DETECTION OF BIOS CONFIGURATION OPEN It has been identified that with some Lenovo System Xseries M4 and M5 appliances, the QRadar installation can fail to properly detect that the BIOS configuration "Legacy Mode" is set.

Workaround: Toggle the BIOS boot mode.
  1. During a reboot of the appliance, press F12 to display the BIOS boot mode.
  2. Select the Boot Manager and scroll down the screen.
  3. Toggle the Boot Mode setting to any option, then select Legacy.
  4. Save the BIOS changes and proceed with the QRadar installation.
08 July 2019
SECURITY BULLETIN CVE-2018-3180 A VULNERABILITY IN IBM JAVA SDK AND IBM JAVA RUNTIME AFFECTS IBM QRADAR SIEM CLOSED Resolved in:
QRadar 7.2.8 Patch 16 (7.2.8.20190703194519)
QRadar 7.3.1 Patch 8 (7.3.1.20190228154648)
QRadar 7.3.2 Patch 1 (7.3.2.20190410024210)
10 July 2019
SECURITY BULLETIN CVE-2018-2022 IBM QRADAR SIEM IS VULNERABLE TO AN INFORMATION EXPOSURE CLOSED Resolved in:
QRadar 7.2.8 Patch 16 (7.2.8.20190703194519)
QRadar 7.3.1 Patch 8 (7.3.1.20190228154648)
QRadar 7.3.2 Patch 1 (7.3.2.20190410024210)
10 July 2019
SECURITY BULLETIN CVE-2018-2021 IBM QRADAR INCIDENT FORENSICS IS VULNERABLE TO A PUBLICLY DISCLOSED VULNERABILITY IN APACHE TIKA CLOSED Resolved in:
QRadar 7.2.8 Patch 16 (7.2.8.20190703194519)
QRadar 7.3.1 Patch 8 (7.3.1.20190228154648)
QRadar 7.3.2 Patch 1 (7.3.2.20190410024210)
10 July 2019
SECURITY BULLETIN CVE-2018-17197 IBM QRADAR INCIDENT FORENSICS IS VULNERABLE TO A PUBLICLY DISCLOSED VULNERABILITY IN APACHE TIKA CLOSED Resolved in:
QRadar 7.2.8 Patch 16 (7.2.8.20190703194519)
QRadar 7.3.2 Patch 2 (7.3.2.20190522204210)
10 July 2019
SECURITY BULLETIN CVE-2019-4054 IBM QRADAR SIEM IS VULNERABLE TO AN INFORMATION EXPOSURE CLOSED Resolved in:
QRadar 7.2.8 Patch 16 (7.2.8.20190703194519)
QRadar 7.3.2 Patch 2 (7.3.2.20190522204210)
10 July 2019
SECURITY BULLETIN CVE-2018-15756 IBM QRADAR SIEM IS VULNERABLE TO A PUBLICLY DISCLOSED VULNERABILITY IN SPRING FRAMEWORK CLOSED Resolved in:
QRadar 7.2.8 Patch 16 (7.2.8.20190703194519)
QRadar 7.3.2 Patch 2 (7.3.2.20190522204210)
10 July 2019
SECURITY BULLETIN CVE-2018-11212
CVE-2018-12547
CVE-2019-2426
MULTIPLE VULNERABILITIES IN IBM JAVA SDK AND IBM JAVA RUNTIME AFFECT IBM QRADAR SIEM CLOSED Resolved in:
QRadar 7.2.8 Patch 16 (7.2.8.20190703194519)
QRadar 7.3.1 Patch 8 (7.3.1.20190228154648)
QRadar 7.3.2 Patch 1 (7.3.2.20190410024210)
10 July 2019
SECURITY BULLETIN CVE-2019-4211 IBM QRADAR SIEM IS VULNERABLE TO CROSS SITE SCRIPTING (XSS) CLOSED Resolved in:
QRadar 7.2.8 Patch 16 (7.2.8.20190703194519)
QRadar 7.3.2 Patch 2 (7.3.2.20190522204210)
10 July 2019
SECURITY BULLETIN CVE-2018-11761
CVE-2018-11762
CVE-2018-8017
CVE-2018-11796
IBM QRADAR INCIDENT FORENSICS IS VULNERABLE TO PUBLICLY DISCLOSED VULNERABILITIES FROM APACHE TIKA CLOSED Resolved in:
QRadar 7.3.1 Patch 8 (7.3.1.20190228154648)
QRadar 7.2.8 Patch 16 (7.2.8.20190703194519)
QRadar 7.3.2 Patch 1 (7.3.2.20190410024210)
10 July 2019
UPGRADE IJ16945 QRADAR PATCHING CAN FAIL WHEN /BOOT PARTITION DOES NOT HAVE ENOUGH FREE SPACE AVAILABLE CLOSED Resolved in QRadar 7.2.8 Patch 16 (7.2.8.20190703194519).

Error message for users who experience this update issue:
'At least MB more space needed on the /boot filesystem'.
20 June 2019
SEARCH IJ15905 USING THE 'UPDATE' BUTTON ON A LOG ACTIVITY SEARCH PAGE THE DAY OF A DST (TIME) CHANGE MOVES THE START/END TIME ONE HOUR Transitioning to closed Resolved in QRadar 7.3.1 Patch 8 Interim Fix 03 (7.3.1.20190612151858) 06 May 2019
USER INTERFACE IJ16435 SENSORPROTOCOLSTATUS AND SENSORPROTOCOLSTATUSSENTRY DATABASE TABLES BLOAT AND SOMETIMES CAUSE USER INTERFACE OUTAGES Transitioning to closed Resolved in:
QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)
QRadar 7.3.2 Patch 2 Interim Fix 01 (7.3.2.20190617171807)
QRadar 7.3.1 Patch 8 Interim Fix 03 (7.3.1.20190612151858)

It has been identified that the QRadar User Interface can sometimes become unresponsive in instances where the sensorprotocolstatus and sensorprotocolstatusentry database tables bloat.
28 May 2019
WINCOLLECT IJ17394 WINCOLLECT UNABLE TO REGISTER NEW AGENTS "...INVALID TOKEN ROLE" IN QRADAR LOGGING AFTER APPLYING QRADAR 7.3.2 PATCH 2 CLOSED Resolved in:
QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)
QRadar 7.3.2 Patch 2 Interim Fix 02 (7.3.2.20190710135412)
03 JULY 2019
SERVICE / DEPLOY IJ15699 NAPATECH SERVICE ON THE QRADAR NETWORK INSIGHTS (QNI) APPLIANCE CAN SOMETIMES FAIL TO START AFTER PERFORMING A DEPLOY FULL CONFIGURATION CLOSED Resolved in:
QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)
QRadar 7.3.2 Patch 2 Interim Fix 01 (7.3.2.20190617171807)
30 APRIL 2019
CUSTOM EVENT PROPERTIES (CEP) IJ16423 JSON CUSTOM EVENT PROPERTY DISPLAYS "N/A" WHEN A BACKSLASH EXISTS IN THE EXTRACTED STRING FROM A PAYLOAD OPEN: Reported in QRadar 7.3.2 versions Workaround: If the "Enable this Property for use in Rules and Search Indexing" box is unchecked, the JSON Expression works as expected. 29 MAY 2019
INSTALL IJ16494 NEW ISO INSTALLATION/BUILD OF 7.3.2 PATCH 2 HAS BACKLEVEL VERSION OF SOME FORENSICS/QNI APPLIANCE RPMS CLOSED Resolved in:
QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)
QRadar 7.3.2 Patch 2 Interim Fix 01 (7.3.2.20190617171807)

It has been identified that when performing a fresh appliance install of QRadar 7.3.2 Patch 2 from the ISO file, QRadar Incident Forensics (QIF) and QRadar Network Insights (QNI) appliance installs are incorrectly identified as QRadar type appliances. When this occurs, newer RPMs that are included within the ISO for QIF and QNI are not installed as expected. The QRadar 7.3.2 Patch 2 IF01 update resolves this issue.
29 MAY 2019
OFFENSES IJ17329 RIGHT-CLICK OPTION FOR NAVIGATE VIEW SOURCE SUMMARY AND VIEW DESTINATION SUMMARY IS SOMETIMES GREYED OUT OPEN: Reported in QRadar 7.3.1 Patch 5 No workaround available.

It has been identified that the Navigate right-click menu from the Offense view has the 'View Source Summary' and 'View Destination Summary' options greyed out when the IP and Log Source both belong to a domain other than "default Domain".
28 JUNE 2019
UPGRADE / SERVICES IJ17204 ECS-EP PROCESS FAILS TO START AFTER PATCHING TO QRADAR 7.3.2 WHEN CUSTOM SNMP TRAP EVENTS WERE CONFIGURED OPEN: Reported after users upgrade to QRadar 7.3.2 versions. No workaround available.

The following error messages might be visible in /var/log/qradar.log when this issue occurs:
[ecs-ep.ecs-ep] [ECS Runtime Thread] Caused by: java.io.FileNotFoundException:
/opt/ibm/si/services/ecs-ep/current/frameworks_conf/customCRE.snmp.xml (No such file or directory)
26 JUNE 2019
RULES / UI IJ17330 ‘ARE YOU SURE YOU WISH TO ENABLE +1?’ MESSAGE WHEN ENABLING RULE PERFORMANCE CLOSED Resolved in QRadar 7.3.2 Patch 1 (7.3.2.20190410024210) 28 JUNE 2019
DEPLOY CHANGES IJ00919 QRADAR DEPLOY FUNCTION CAN TIMEOUT WITH 'FAILED TO REPORT HOST CAPABILITIES AFTER X ATTEMPTS' EXCEPTION IN THE LOGS CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

Example error message from /var/log/qradar.error:
[hostcontext.hostcontext] [Thread-27]com.q1labs.hostcontext.capabilities.
CapabilitiesReporter:
[ERROR][-/- -] Report capabilities thread: failed to report host capabilities after X attempts
06 NOVEMBER 2017
OPERATING SYSTEM / KERNEL IJ16696 UNEXPECTED REBOOT CAN OCCUR WITH 3.10.0-957.10.1.EL7.X86_64 RHEL KERNEL WHEN RUNNING CONCURRENT SEARCHES CANCELLED APAR IJ16696 has been cancelled. It has been determined that the RHEL Kernel issue does NOT apply to QRadar 7.3.2 Patch 2 and the APAR has been removed from the 'Known issues' list in the release notes. No impact to QRadar 7.3.2 Patch 2 (7.3.2.20190522204210). 07 JUNE 2019
FLOW SOURCES IJ07715 PCI NETWORK INTERFACES ARE NOT DISPLAYED IN FLOW SOURCE DROPDOWN FOR DELL APPLIANCES AFTER QRADAR 7.3.1 UPGRADE CLOSED Resolved in QRadar 7.3.2 Patch 2 (7.3.2.20190522204210). 03 JUNE 2019
LOG ACTIVITY / NETWORK ACTIVITY IJ09157 [LOG NETWORK ACTIVITY PAGE] QRADAR EVENT DETAILS SCREEN IS BLANK, 'APPLICATION ERROR' MESSAGE DISPLAYED CLOSED Resolved in QRadar 7.3.2 Patch 2 (7.3.2.20190522204210).

It has been identified in QRadar 7.2.8 that attempts to view the Event details page can sometimes fail to display any content and generate an 'Application Error' due to an exception, in the following situations:
  1. A custom property owner was deleted from QRadar or never existed (importing content bundles created by users that don't exist on the target system)
  2. A calculated custom property uses other custom properties that are disabled or deleted
Messages in /var/log/qradar.error with "No property 'BytesSent' exists in set" might be visible when this issue is occurring.
03 JUNE 2019
REFERENCE SETS IJ10643 SOME QRADAR USERS ARE UNABLE TO VIEW VALUES COLUMN IN REFERENCE SETS CLOSED Resolved in QRadar 7.3.2 Patch 2 (7.3.2.20190522204210).

NOTE: This issue was initially reported in QRadar 7.3.1 Patch 5 and later. Administrators should consider an update to QRadar 7.3.2 to resolve the issue described in the APAR. For notes on upgrading, see https://ibm.biz/qradarchecklist.
03 JUNE 2019
OFFENSES / USER INTERFACE IJ10694 OFFENSE PAGES IN THE QRADAR USER INTERFACE CAN BE SLOW TO LOAD WHEN LARGE NETWORK HIERARCHIES EXIST CLOSED Resolved in QRadar 7.3.2 Patch 2 (7.3.2.20190522204210). 31 MAY 2019
ASSETS IJ10889 OUT OF MEMORY IN ASSETPROFILER WHEN IMPORTING SCAN DATA CLOSED Resolved in QRadar 7.3.2 Patch 2 (7.3.2.20190522204210). 03 JUNE 2019
QRADAR NETWORK INSIGHTS / SUPERFLOWS IJ12275 FLOWS RECEIVED FROM QRADAR NETWORK INSIGHTS (QNI) DO NOT GENERATE SUPERFLOWS CLOSED Resolved in QRadar 7.3.2 Patch 2 (7.3.2.20190522204210). 31 MAY 2019
CUSTOM RULES ENGINE / FLOW DETAILS IJ13215 RULE WIZARD DOES NOT DISPLAY WHILE IN AN ASSOCIATED FLOW FROM WITHIN AN OFFENSE CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

Return to the main QRadar interface to open the Rule Wizard. For example, Log Activity > Actions > Rules.
06 FEBRUARY 2019
SYSTEM NOTIFICATIONS / QFLOW IJ13246 "QFLOWXXX HAS FAILED TO START FOR X INTERVALS" NOTIFICATIONS WHEN RECEIVING IPFIX PACKETS WITH A LARGE AMOUNT OF FIELDS CLOSED Resolved in QRadar 7.3.2 Patch 2 (7.3.2.20190522204210). 03 JUNE 2019
ADVANCED SEARCH / AQL IJ13446 INVALID AQL SAVED SEARCHES CAN CAUSE SEVERAL USER INTERFACE SCREENS TO FAIL TO LOAD CLOSED Resolved in QRadar 7.3.2 Patch 2 (7.3.2.20190522204210)

Log error message:
qRuleWizardUtils: [ERROR] Could not retrieve aggregated search result fields with UI Ariel Services.
31 MAY 2019
QRADAR INCIDENT FORENSICS / PCAP UPLOAD IJ13905 UNABLE TO UPLOAD PCAP FILES USING THE ADMIN/FORENSICS/CASE MANAGEMENT TOOL: 'ERROR: EMPTY FILE UPLOAD RESULT' CLOSED Resolved in QRadar 7.3.2 Patch 2 (7.3.2.20190522204210). 15 FEBRUARY 2019
TIME SERIES GRAPH / SEARCH IJ14209 TIME SERIES DATA ERROR GENERATED WHEN FILTERING ON AN AGGREGATED CUSTOM PROPERTY USING MAXIMUM OR MINUMUM IN LOG ACTIVITY OR NETWORK ACTIVITY CLOSED Resolved in QRadar 7.3.2 Patch 2 (7.3.2.20190522204210). 05 MAY 2019
LOG ACTIVITY IJ14472 LOG ACTIVITY PAGE SEARCH RESULTS ARE ONLY DISPLAYED WHEN THE SEARCH COMPLETES INSTEAD OF STREAMING DURING SEARCHES CLOSED Resolved in QRadar 7.3.2 Patch 2 (7.3.2.20190522204210). 13 March 2019
OPERATING SYSTEM / KERNEL IJ14841 HOSTS CAN REBOOT SPONTANEOUSLY AND FILL /VAR/CRASH/ PARTITION DUE TO RED HAT ENTERPRISE LINUX KERNEL PANICS ISSUE CLOSED Resolved in: QRadar 7.3.2 Patch 2 (7.3.2.20190522204210)
QRadar 7.3.1 Patch 8 IF01 (7.3.1.20181217203039)

NOTE: Administrators who cannot update can disable the userspace hardening by adding the following parameter to the kernel command line:
hardened_usercopy=off
01 April 2019
QFLOW IJ14855 IPFIX FIELDS FOR QFLOW HAVE A LENGTH OF 0 WHEN USING "PAYLOAD" OPTION IN SYSTEM SETTINGS -> QFLOW SETTINGS CLOSED Resolved in QRadar 7.3.2 Patch 2 (7.3.2.20190522204210)

NOTE: Administrators who cannot update can use the "TLV" setting, which works as expected. "TLV" is the default mode for QRadar 7.3.0 and later versions.
26 April 2019
RULES / RULE PERFORMANCE IJ14856 RULE AND BUILDING BLOCK DEPENDENCY CHECK NOT WORKING AS EXPECTED WHEN 'RULE PERFORMANCE ANALYSIS' IS DISABLED CLOSED Resolved in QRadar 7.3.2 Patch 2 (7.3.2.20190522204210) 26 March 2019
ADVANCED SEARCH (AQL) IJ15591 THE 'IS NOT' OPERATOR DOES NOT WORK CORRECTLY WHEN USED IN THE 'SELECT' PART OF AN ADVANCED SEARCH (AQL) CLOSED Resolved in QRadar 7.3.2 Patch 2 (7.3.2.20190522204210) 01 May 2019
DEPLOY CHANGES IJ15735 HAVING AN ENCRYPTED MANAGED HOST WITHIN A DIFFERENT NAT GROUP THAN THE CONSOLE CAUSES DEPLOYS TO FAIL IN QRADAR 7.3.2 PATCH 1 AND LATER VERSIONS CLOSED Resolved in QRadar 7.3.2 Patch 2 (7.3.2.20190522204210) 01 May 2019
OPERATING SYSTEM IJ15781 REDHAT ENTERPRISE LINUX KERNEL ISSUE CAN CAUSE DATA GATEWAY ADD PROCESS TO HANG FOR AZURE ON HYPER-V INSTALLATIONS OPEN Contact Support for a possible workaround that might address this issue in some instances. 22 May 2019
LOG SOURCES IJ16039 LOG SOURCES REQUIRING A PASSWORD CAN STOP WORKING AFTER MODIFYING OTHER LOG SOURCE FIELDS CLOSED Resolved in:
QRadar 7.3.2 Patch 2 (7.3.2.20190522204210)
QRadar 7.3.1 Patch 8 IF01 (7.3.1.20181217203039)
03 June 2019
DATA NODE IJ16159 OFFLINE FORWARDING FROM A MANAGED HOST WITH ATTACHED DATA NODE(S) FAILS TO FORWARD EVENTS FROM THE DATA NODE CLOSED Resolved in QRadar 7.3.2 Patch 2 (7.3.2.20190522204210) 15 May 2019
LOG SOURCE MANAGEMENT IJ16388 LOG SOURCE PARSING ORDER PAGE CAN FAIL TO LOAD CLOSED Resolved in QRadar 7.3.2 Patch 2 (7.3.2.20190522204210) 23 May 2019
QFLOW / SERVICE IJ16389 NAPATECH3 AND QFLOW PROCESS CAN FAIL TO START CLOSED Resolved in:
QRadar 7.3.1 Patch 8 IF02 (7.3.1.20190524193053)
QRadar 7.3.2 Patch 2 (7.3.2.20190522204210).
23 May 2019
USER INTERFACE IJ16167 QRADAR USER INTERFACE CAN BECOME UNAVAILABLE DUE TO TXSENTRY CAUSED BY A DEADLOCK IN USERMANAGER Transitioning to closed Resolved in:
QRadar 7.3.2 (7.3.2.20190201201121)
QRadar 7.3.1 Patch 8 IF02 (7.3.1.20190524193053)
15 May 2019
GEOLOCATION / LOCALIZATION IJ16183 SOME COUNTRIES AS DISPLAYED WITHIN AREAS OF THE QRADAR USER INTERFACE (NETWORK HIERARCHY) ARE NOT CORRECTLY LOCALIZED OPEN: Reported in QRadar 7.3.1 versions No workaround available. Incorrectly localized countries:
Hong Kong -> Hong Kong S.A.R of China
Macau -> Macao S.A.R of China
Korea -> South Korea
Korea -> North Korea
Macedonia -> North Macedonia
Cote D'Ivoire -> Côte d'Ivoire.
Missing localizations:
BouvetIsland, Western Sahara, Congo-Kinshasa, Congo-Brazzaville
16 May 2019
ENCRYPTED HOSTS / TUNNELS IJ16082 ATTACHING AN EVENT COLLECTOR TO A DIFFERENT EVENT PROCESSOR (EP) LEAVES OLD TUNNEL CONNECTIONS TO THE ORIGINAL EP OPEN: Reported in QRadar 7.3.1 Patch 6 IF01 Contact Support for a possible workaround that might address this issue in some instances. 16 May 2019
QRADAR NETWORK INSIGHTS / DISK SPACE IJ15644 /TMP PARTITION FILLING WITH APACHE-TIKA-XXXXX.TMP FILES ON QRADAR NETWORK INSIGHTS APPLIANCES CLOSED Resolved in QRadar 7.3.2 Patch 4 (7.3.2.20190803012943) 16 May 2019
PERFORMANCE / OFFENSES VIEW IJ16002 THE OFFENSE PAGE IN THE QRADAR USER INTERFACE CAN BE SLOW TO DISPLAY AFTER PATCHING TO QRADAR 7.3.2 OPEN: Reported in QRadar 7.3.2 Contact Support for a possible workaround that might address this issue in some instances. 16 May 2019
CUSTOM EVENT PROPERTY IJ15399 AN AQL BASED CUSTOM EVENT PROPERTY THAT HAS BEEN DISABLED CONTINUES TO BE DISPLAYED WITHIN SUBSEQUENT EVENTS OPEN: Reported in QRadar 7.3.1 Patch 7 and QRadar 7.3.2 No workaround available. 16 May 2019
CUSTOM ACTION SCRIPTS IJ15444 EDITING THE CUSTOM FIXED PARAMETERS IN A CUSTOM ACTION SCRIPT CHANGES THE ORDER OF DATA OUTPUT WHEN THE SCRIPT IS RUN OPEN: Reported in multiple QRadar versions Remove all the parameters and add them in the desired (original) order. You can also change the order of the script variables to match the required parameters. 16 May 2019
OFFENSES IJ15593 OFFENSE SOURCE SUMMARY INFORMATION THAT IS PULLING ASSET DATA IS NOT DOMAIN AWARE FOR OFFENSES INDEXED BY USERNAME, MAC ADDRESS, OR HOSTNAME OPEN: Reported in multiple QRadar versions No workaround available. 16 May 2019
DEPLOY CHANGES IJ15811 DEPLOY FULL CONFIGURATION DOES NOT COMPLETE (TIME OUT) WHEN THE FILE HOSTCONTEXT.NODOWNLOAD IS PRESENT OPEN Remove the file /opt/qradar/conf/hostcontext.NODOWNLOAD on any affected host that times out from the user interface and attempt the Deploy Full Configuration again. 16 May 2019
NETWORK HIERARCHY / RULES IJ15969 FALSE POSITIVE RULE FIRING CAN OCCUR CAUSED BY NETWORK HIERARCHY IN DOMAIN ENVIRONMENTS OPEN: Reproducible in QRadar 7.3.1 Patch 6 and 7.3.1 Patch 7 versions No workaround available. 16 May 2019
DEPLOY CHANGES IJ15630 DEPLOY FUNCTION TIMEOUT CAUSED BY INCORRECT DEPLOYMENT.XML COMPONENT DATA AFTER A QFLOW SOURCE IS REMOVED WITH CONNECTIONS TO QRADAR NETWORK INSIGHTS (QNI) OPEN: Reported in QRadar 7.3.2 Contact Support for a possible workaround that might address this issue in some instances.

It has been identified that QRadar 'Deploy' function can fail (timeout) after removing a qflow source that has connections to QRadar Network Insights (QNI) in Deployment.xml. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[tomcat.tomcat] [user@127.0.0.1 (9488) /console/JSON-RPC/QRadar.scheduleDeployment
QRadar.scheduleDeployment] at java.lang.Thread.run(Thread.java:812)
[tomcat.tomcat] [user@127.0.0.1  (9488) /console/JSON-RPC/QRadar.scheduleDeploymentQRadar.scheduleDeployment] 
Caused by: [tomcat.tomcat] [user@127.0.0.1 (9488) /console/JSON-RPC/QRadar.scheduleDeployment 
QRadar.scheduleDeployment] java.lang.NullPointerException
[tomcat.tomcat] [user@127.0.0.1 9488) /console/JSON-RPC/QRadar.scheduleDeployment
QRadar.scheduleDeployment] at com.q1labs.configservices.util.forensics.QniDtlsHelper.
getQflowDtlsConnectionsList(QniDtlsHelper.java:250)
[tomcat.tomcat] [user@127.0.0.1  (9488) /console/JSON-RPC/QRadar.scheduleDeploymentQRadar.scheduleDeployment] 
at com.q1labs.configservices.config.  
globalset.forensics.QniDtlsConfigurationTransformer.configureDtlsConnections(QniDtlsConfigurationTransformer.java:141)
16 May 2019
CUSTOM ACTION SCRIPTS IJ15568 CUSTOMACTIONUSER FUNCTION WITHIN CUSTOM ACTION SCRIPTS CANNOT PERFORM DNS LOOKUPS OPEN: Reported in QRadar 7.3.2 Contact Support for a possible workaround that might address this issue in some instances. 16 May 2019
ASSETS / RULES IJ14001 IDENTITY EXCLUSION RULES ARE NOT LOADED WHEN THE FILTER CONTAINS A REFERENCE DATA RELATED SEARCH OPEN: Reported in QRadar 7.3.1 Patch 6 No workaround available. 16 May 2019
OFFENSES IJ15648 UNEXPECTED DUPLICATE ATTACKER NETWORKS GENERATED FOR OFFENSES DUE TO THE ADDITION OF IPV6 FIELD OPEN: Reported in QRadar 7.3.1 versions No workaround available. 16 May 2019
DEPLOY CHANGES IJ15527 DEPLOY FUNCTION CAN TIMEOUT WHEN A REQUIRED PROCESS IS UNABLE TO CONNECT TO QRADAR APPS OPEN No workaround available.
Service impacted: Hostcontext.
Keywords: Failed to execute db app sync post deploy action.
16 May 2019
DEPLOY CHANGES IV95108 DEPLOY CHANGES FUNCTION CAN TIMEOUT TO SOME MANAGED HOSTS AFTER PATCHING QRADAR DUE TO AN OPENJPA ERROR CLOSED Resolved in QRadar 7.3.2 (7.3.2.20190201201121). 14 May 2019
SERVICE / POSTGRES IV94508 POSTGRES DEADLOCKS CAN SOMETIMES LEAD TO SEARCH DATA RESULT INCONSISTENCY CLOSED Resolved in:
QRadar 7.3.1 Patch 8
QRadar 7.3.2 (7.3.2.20190201201121)
14 May 2019
SEARCH / QUICK FILTER IV91639 RULE RESPONSE LIMITER DOES NOT ALWAYS LIMIT RESPONSES AS CONFIGURED CLOSED Resolved in QRadar 7.3.2 (7.3.2.20190201201121) 14 May 2019
SEARCH / QUICK FILTER IJ07900 QUICK FILTER SEARCHES RUN AGAINST RECENT EVENTS CAN SOMETIMES APPEAR HUNG/STALLED CLOSED Resolved in QRadar 7.3.2 (7.3.2.20190201201121) 14 May 2019
SEARCH / NETWORK GROUP IJ06618 SEARCH WITH GROUP BY CONFIGURED AS 'SOURCE NETWORK GROUP' OR 'DESTINATION NETWORK GROUP' DISPLAYS 'N/A' IN COLUMN RESULTS CLOSED Resolved in QRadar 7.3.2 (7.3.2.20190201201121) 14 May 2019
REPORTS IJ06087 REPORTS AUTHORED BY NON-ADMIN USER AND SHARED TO OTHER NON-ADMIN USER ARE NOT VISIBLE AFTER AUTHOR DELETED CLOSED Resolved in QRadar 7.3.2 (7.3.2.20190201201121) 14 May 2019
APPS / HIGH-AVAILABILITY (HA) IJ04177 QRADAR APPS CAN FAIL TO LOAD AFTER A HIGH AVAILABILITY (HA) FAILOVER HAS OCCURRED CLOSED Resolved in QRadar 7.3.2 (7.3.2.20190201201121) 14 May 2019
CUSTOM EVENT PROPERTIES / JSON IJ15251 'APPLICATION ERROR' IN THE CUSTOM EVENT PROPERTIES WINDOW WHEN USING JSON KEYPATH EXTRACTION Transitioning to closed Resolved in QRadar 7.3.1 Patch 8 IF01. 06 February 2019
QRADAR VULNERABILITY MANAGER / EMAIL IJ13364 VULNERABILITY SCAN 'EMAIL ASSET OWNER' EMAILS FOR START AND STOP OF SCANS NOT BEING SENT Transitioning to closed Resolved in QRadar 7.3.1 Patch 8 IF01. 11 February 2019
WINCOLLECT IJ12255 EVENT ID FILTERS ENABLED WITHIN THE LOG SOURCE MANAGEMENT APP ARE NOT WORKING AS EXPECTED Transitioning to closed Resolved in WinCollect 7.2.9 14 February 2019
WINCOLLECT IJ07257 WINCOLLECT AGENTS INSTALLED ON OR POLLING FROM WINDOWS 10 VERSION 1803 (APRIL 2018 UPDATE) STOP RECEIVING SECURITY EVENTS Transitioning to closed Resolved in WinCollect 7.2.9. Users who cannot update can apply the local workaround of using XPATH or MSEVEN6 in their log sources until they can update their agents. 03 December 2018
WINCOLLECT IV99860 'ERROR 1720' WHEN INSTALLING WINCOLLECT STANDALONE PATCH FILE TO WINCOLLECT 7.2.5 CLOSED Unreproducible in the WinCollect 7.2.9 release. 09 January 2019
LOG ACTIVITY / NETWORK ACTIVITY IJ14209 TIME SERIES DATA ERROR GENERATED WHEN FILTERING ON AN AGGREGATED CUSTOM PROPERTY USING MAXIMUM OR MINUMUM OPEN: REPORTED IN QRADAR 7.3.1 VERSIONS No workaround available. Log error message:
Unable to create TopN cursor.
06 May 2019
SYSTEM NOTIFICATIONS IJ14249 NOTIFICATION OF DROPPED FLOWS IS NOT OCCURRING IN QRADAR SYSTEM NOTIFICATIONS OPEN No workaround available.

It has been identified that in instances where flows are being dropped by a QRadar appliance, there are notifications written into QRadar logging, but no System Notification message is generated in the QRadar User Interface. Messages similar to the following might be visible in /var/log/qradar.log when flows are being dropped:
[QRADAR] [16664] qflow: [WARNING] Unable to stream 
flows fast enough to {ip_address}:32010. Dropped 4393 flows.
28 May 2019
API IJ13407 INTERNAL SERVER ERROR 500 OCCURS WHEN ATTEMPTING TO CREATE OR EDIT A LOG SOURCE WITH CUSTOM VALIDATION FROM USING API CLOSED Resolved in QRadar 7.3.2 (7.3.2.20190201201121). 28 March 2019
LOGS IJ16032 QRADAR LOGS FILLING WITH REPEATED MESSAGES SIMILAR TO " [PID]: RECEIVED " CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

It has been identified that repeated log messages can fill QRadar logs. Repeated messages similar to the following might be visible in /var/log/qradar.error and /var/log/qradar.log when this issue is occurring:
 tomcat[14144]: Received 210593
 tomcat[14144]: Received 210594
 tomcat[14144]: Received 210599
 ecs-ep[21513]: Received 480
 ecs-ep[21513]: Received 478
 ecs-ep[21513]: Received 481

Note: By default, the QRadar disk sentry check runs every 60 seconds and looks for high disk usage across monitored partitions (including /var/log). If the partition fills to 95%, it will stop the QRadar critical services.
31 December 2018
OFFENSE SEARCH - ASSIGNED TO USER IJ11954 ASSIGNING USERNAME THAT CONTAINS @ CHARACTER TO THE PARAMETER "ASSIGNED TO USER" IN OFFENSE SEARCH RESETS TO DEFAULT (ALL) CLOSED Resolved in QRadar 7.3.2 Patch 1 (7.3.2.20190410024210) 31 December 2018
QVM - SCAN EXPORTS IJ10677 IN QRADAR VULNERABILITY MANAGER, SCAN RESULT EXPORTS CAN BE MISSING SOME VULNERABILITY DATA CLOSED Resolved in QRadar 7.3.2 Patch 1 (7.3.2.20190410024210) 23 October 2018
QVM - SCAN PROFILE IJ10592 IN QRADAR VULNERABILITY MANAGER SCAN PROFILES, VULNERABILITY SCAN DAYS ARE DISPLAYED DIFFERENTLY THAN CONFIGURED CLOSED Resolved in QRadar 7.3.2 Patch 1 (7.3.2.20190410024210) 22 October 2018
QUICK SEARCH IV91635 QUICK SEARCHES CANNOT BE REMOVED FROM THE QUICK SEARCH LIST CLOSED Resolved in:
QRadar 7.3.2 Patch 1 (7.3.2.20190410024210)
QRadar 7.3.1 Patch 3 (7.3.1.20180327211425)
QRadar 7.2.8 Patch 4 (7.2.8.20170224202650)
4 April 2018
INSTALL IJ01116 QRADAR 7.3.0 DURING INSTALLATION, MAY NOT ALLOW ROOT PASSWORD TO USE SPECIAL CHARACTERS CLOSED Resolved in QRadar 7.3.2 Patch 1 (7.3.2.20190410024210). 26 April 2018
UPGRADE IJ14473 'DETECT CONFLICTING HOSTNAMES ON SYSTEM' FAILED." DURING QRADAR PATCHING CLOSED Resolved in QRadar 7.3.2 Patch 1 (7.3.2.20190410024210). 09 January 2019
AQL - ASSETHOSTNAME IJ12225 AQL QUERIES FOR ASSETHOSTNAME RETURN PREVIOUS HOSTNAME INSTEAD OF CURRENT HOSTNAME TRANSITIONING TO CLOSED, OPEN FOR 7.3.1 VERSIONS Resolved in QRadar 7.3.2 Patch 1 (7.3.2.20190410024210). 09 January 2019
ASSET TAB - DELETE ASSET IJ13341 'APPLICATION ERROR' CAN OCCUR WHEN DELETING AN ASSET IN PENDING STATE CLOSED Resolved in QRadar 7.3.2 Patch 1 (7.3.2.20190410024210). 13 February 2019
API / APP PERFORMANCE IJ14947 QRADAR USER INTERFACE CAN BECOME UNRESPONSIVE DUE TO TOMCAT RUNNING OUT OF USABLE FILE HANDLES CLOSED Resolved in:
QRadar 7.3.2 Patch 1 (7.3.2.20190410024210)
QRadar 7.3.2 Interim Fix 01 (7.3.2.20190322185336)
22 March 2019
OFFENSE SEARCH IV92376 ASSIGNING USERNAME THAT CONTAINS @ CHARACTER TO THE PARAMETER "ASSIGNED TO USER" IN OFFENSE SEARCH RESETS TO DEFAULT (ALL) CLOSED Resolved in QRadar 7.3.1 Patch 8 (7.3.1.20190228154648). 31 December 2018
SERVICES IJ13340 EVENTS CAN SOMETIMES BE DROPPED DUE TO A CONNECTION ISSUE BETWEEN ECS-EC-INGRESS AND TCP_TO_EC QUEUE CLOSED Resolved in QRadar 7.3.1 Patch 8 21 February 2019
VULNERABILITY SEARCH IJ13324 'APPLICATION ERROR' IS GENERATED WHEN SOME SPECIAL CHARACTERS ARE ENTERED INTO A "MY ASSIGNED VULNERABILITIES" SEARCH CLOSED Resolved in QRadar 7.3.1 Patch 8 11 February 2019
OFFENSE STATUS IJ12883 SIM RESET CAUSING OFFENSES TO BECOME INACTIVE CAN SOMETIMES OCCUR WHEN MULTIPLE DEPLOY FUNCTIONS ARE PERFORMED CLOSED Resolved in:
QRadar 7.3.2 Patch 1 (7.3.2.20190410024210)
QRadar 7.3.1 Patch 8 (7.3.1.20190228154648)
28 January 2019
FIREWALL RULE COUNTS IJ12122 QRADAR RISK MANAGER - COUNTING FAILS FOR NON-CISCO FIREWALLS WHERE EVENTS HAVE NO ASSOCIATED RULE ID CLOSED Resolved in QRadar 7.3.1 Patch 8 (7.3.1.20190228154648) 17 December 2018
NETWORK INTERFACE IJ12108 NAPATECH SERVICE CAN FAIL WITH 'ADAPTER 0: ERROR DETECTED ON BONDING INTERFACE. NIF LBW ERROR = 0X4' IN MESSAGES CLOSED Resolved in:
QRadar 7.3.2 (7.3.2.20190201201121)
QRadar 7.3.1 Patch 8 (7.3.1.20190228154648)
31 December 2018
SERVICES / GEOGRAPHIC DATA IJ12107 EXCEPTION THROWN AFTER MAXMIND DATABASE IS UPDATED CAN CAUSE MULTIPLE QRADAR PROCESSING ISSUES CLOSED Closed as a duplicate of APAR IJ04898. 09 August 2019
FORWARDED EVENTS IJ12098 FORWARDING EVENTS WITH LARGE PAYLOADS CAN CAUSE A MESSAGESIZEEXCEPTION ON THE TARGET APPLIANCE RECEIVING THE DATA CLOSED Resolved in:
QRadar 7.3.2 Patch 1 (7.3.2.20190410024210)
QRadar 7.3.1 Patch 8 (7.3.1.20190228154648)
QRadar 7.3.1 Patch 7 Interim Fix 01 (7.3.1.20181217203039)
31 December 2018
VULNERABILTY SCAN IJ11978 QRADAR VULNERABILITY MANAGER - VULNERABILITY SCAN RESULTS ONLY GENERATE FOR ONE INSTANCE OF A SERVICE RUNNING ON MORE THAN ONE PORT CLOSED Resolved in:
QRadar 7.3.2 Patch 1 (7.3.2.20190410024210)
QRadar 7.3.1 Patch 8 (7.3.1.20190228154648)
10 December 2018
ASSET SEARCH IJ11922 ADDITIONAL FILTERS CANNOT BE ADDED TO A LOADED ASSET SAVED SEARCH CLOSED Resolved in QRadar 7.3.1 Patch 8 (7.3.1.20190228154648). 31 December 2018
SERVICES IJ11494 QRADAR NETWORK INSIGHTS (QNI) DECAPPER 'OUT OF MEMORY' INSTANCES CAUSED BY 'MYSPACE' INSPECTOR CLOSED Resolved in:
QRadar 7.3.2 Patch 1 (7.3.2.20190410024210)
QRadar 7.3.1 Patch 8 (7.3.1.20190228154648)
30 November 2018
LOG SOURCE INTERFACE IJ11493 LOG SOURCE WINDOW CAN TAKE MINUTES TO LOAD DUE TO THREAD LOCK CLOSED Resolved in:
QRadar 7.3.1 Patch 8 (7.3.1.20190228154648)
QRadar 7.3.2 Patch 2 (7.3.2.20190522204210)

NOTE: Users who cannot update log sources in the standard user interface can use the Log Source Management app to update them.
27 November 2018
REFERENCE DATA IJ11490 REFERENCE SET IS NOT PURGED AFTER TIME TO LIVE EXPIRES WHEN 'DO NOT LOG ELEMENTS' IS SELECTED AT CREATION CLOSED Resolved in QRadar 7.3.1 Patch 8 (7.3.1.20190228154648). 30 November 2018
LOG SOURCE - ORACLE IJ11423 ORACLE LOG SOURCES CAN DISPLAY AS STATUS 'SUCCESS' BUT ARE NOT REPORTING (ORAI18N-10.2.0.JAR REMOVAL) CLOSED Resolved in:
QRadar 7.3.2 (7.3.2.20190201201121)
QRadar 7.3.1 Patch 8 (7.3.1.20190228154648)
31 December 2018
DASHBOARD - VULNERABILITY SEARCH IJ11242 DASHBOARDS USING A SAVED VULNERABILITY SEARCH CONTAINING A REFERENCE SET CAN SOMETIMES BE BLANK CLOSED Resolved in QRadar 7.3.1 Patch 8 (7.3.1.20190228154648). 19 November 2018
EXPORT - CSV IJ11204 QRADAR VULNERABILITY MANAGER - COUNTS AND RESULTS CAN BE INCONSISTENT AND DO NOT MATCH CSV EXPORTS CLOSED Resolved in QRadar 7.3.1 Patch 8 (7.3.1.20190228154648). 13 November 2018
TUNNELS - ENCRYPTION IJ11168 QRADAR INCIDENT FORENSICS - ENCRYPTED INCIDENT FORENSICS APPLIANCES ARE MISSING THE REQUIRED HTTPS TUNNEL CONFIGURATION CLOSED Resolved in:
QRadar 7.3.2 Patch 1 (7.3.2.20190410024210)
QRadar 7.3.1 Patch 8 (7.3.1.20190228154648)
30 November 2018
HIGH-AVAILABILITY (HA) - APP FRAMEWORK IJ11030 QRADAR APPS CAN FAIL TO LOAD AFTER FAILOVER TO SECONDARY CLOSED Resolved in QRadar 7.3.1 Patch 8 (7.3.1.20190228154648). 27 November 2018
QFLOW IJ10867 FLOWS CAN APPEAR WITH EQUAL SOURCE AND DESTINATION BYTESAND PACKETS FOR IANA INFORMATION ELEMENTS 23 AND 240 CLOSED Resolved in:
QRadar 7.3.2 (7.3.2.20190201201121)
QRadar 7.3.1 Patch 8 (7.3.1.20190228154648)
QRadar 7.2.8 Patch 15 (7.2.8.20190118175747)
11 February 2019
USER ROLES - RIGHT-CLICK IJ10829 ENHANCED RIGHT-CLICK MENU IS ENABLED FOR USERS WITHOUT 'IP RIGHT CLICK MENU EXTENTIONS' PERMISSION CLOSED Resolved in:
QRadar 7.3.2 Patch 1 (7.3.2.20190410024210)
QRadar 7.3.1 Patch 8 (7.3.1.20190228154648)
31 December 2018
FLOWS IJ10747 NETFLOW V9 AND IPFIX TCP FLAGS ARE MISSING OR INCORRECT WHEN A SINGLE BYTE ENCODING IS USED CLOSED Resolved in QRadar 7.3.1 Patch 8 (7.3.1.20190228154648). 1 November 2018
OFFENSE - PERFORMANCE IJ10694 OFFENSE PAGES IN THE QRADAR USER INTERFACE CAN BE SLOW TO LOAD WHEN LARGE NETWORK HIERARCHIES EXIST CLOSED Resolved in:
QRadar 7.3.2 Patch 2 (7.3.2.20190522204210)
QRadar 7.3.1 Patch 8 (7.3.1.20190228154648)
15 November 2018
REPORTS IJ10645 REPORTS GENERATED BASED ON A SAVED SEARCH DISPLAY 'OTHER' IN THE 'DESTINATION NETWORK' FIELD CLOSED Resolved in:
QRadar 7.3.2 Patch 1 (7.3.2.20190410024210)
QRadar 7.3.1 Patch 8 (7.3.1.20190228154648)
01 November 2018
OFFENSE - PERFORMANCE IJ10622 OFFENSES TAB CAN BE SLOW TO LOAD THE USER INTERFACE WHEN HISTORICAL CORRELATION PROFILES EXIST CLOSED Resolved in:
QRadar 7.3.2 Patch 1 (7.3.2.20190410024210)
QRadar 7.3.1 Patch 8 (7.3.1.20190228154648)
01 November 2018
REPORTS IJ10609 "NO DATA FOR CHART" IN TIMESERIES REPORT WHEN 'TIME' VARIABLE IS THE HORIZONTAL AXIS CLOSED Resolved in:
QRadar 7.3.2 Patch 1 (7.3.2.20190410024210)
QRadar 7.3.1 Patch 8 (7.3.1.20190228154648)
QRadar 7.2.8 Patch 15 (7.2.8.20190118175747)
12 June 2019
API - /SIEM/OFFENSES IJ10603 API CALLS TO THE OFFENSE MODEL FOR SOURCE_ADDRESSES/ID AND LOCAL_DESTINATION_ADDRESSES/ID CAN TAKE TOO LONG CLOSED Resolved in QRadar 7.3.1 Patch 8 (7.3.1.20190228154648). 01 November 2018
OFFENSE SEARCH IJ10580 CONVERTING FROM LOG MANAGER TO SIEM RESETS DATA RETENTION SETTINGS TO DEFAULT - DATA LOSS CAN OCCUR CLOSED Resolved in QRadar 7.3.1 Patch 8 (7.3.1.20190228154648). 15 November 2018
ADMIN - ASSET PROFILES IJ10402 'AN ERROR HAS OCCURRED. REFRESH YOUR BROWSER (PRES F5)' WHEN ACCESSING THE 'ASSET PROFILER CONFIGURATION' INTERFACE FROM THE ADMIN TAB CLOSED Resolved in:
QRadar 7.3.2 Patch 1 (7.3.2.20190410024210)
QRadar 7.3.1 Patch 8 (7.3.1.20190228154648)
31 October 2018
RULES - SUPERFLOWS IJ10372 [CUSTOM CRE] SUPERFLOWS DO NOT COUNT TOWARDS DOUBLE MATCH COUNT RULES CLOSED Resolved in:
QRadar 7.3.2 Patch 1 (7.3.2.20190410024210)
QRadar 7.3.1 Patch 8 (7.3.1.20190228154648)
12 October 2018
SEARCH - NETWORK ACTIVITY IJ10110 'THE SERVER ENCOUNTERED AN ERROR READING ON OR MORE FILES' WHEN PERFORMING A NETWORK ACTIVITY SEARCH AFTER UPGRADE CLOSED Resolved in:
QRadar 7.3.2 (7.3.2.20190201201121)
QRadar 7.3.1 Patch 8 (7.3.1.20190228154648)
07 October 2018
NETWORK HIERARCHY IJ09228 'AN ERROR OCCURRED STRING INDEX OUT OF RANGE' WHEN EXPANDING OR COLLAPSING NETWORK HIERARCHY CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)
16 October 2018
SERVICES - FLOW PROCESSORS IJ09226 [EC] FLOW PROCESSORS (17XX) WITH MANY CONNECTED FLOW COLLECTOR (12XX/13XX) APPLIANCES CAN RUNOUT OF USBABLE FILE HANDLES FOR THE ECS-EC PROCESS CLOSED Resolved in QRadar 7.3.1 Patch 8 (7.3.1.20190228154648) 03 October 2018
OFFENSES TAB - DISPLAY IJ09219 UNABLE TO VIEW OFFENSE 'CATEGORY NAME' COLUMN DATA AND 'NETWORK' COLUMN DATA IN ASSOCIATED OFFENSES TAB VIEWS CLOSED Resolved in QRadar 7.3.1 Patch 8 (7.3.1.20190228154648) 15 October 2018
ASSET TAB - DISPLAY IJ09053 SOME FIELD DETAILS THAT ARE DISPLAYED IN THE ASSET SUMMARY WINDOW ARE NOT DISPLAYED IN THE ASSET TABLE WINDOW CLOSED Resolved in:
QRadar 7.3.2 Patch 1 (7.3.2.20190410024210)
QRadar 7.3.1 Patch 8 (7.3.1.20190228154648)
16 October 2018
SERVICES / GEOGRAPHIC DATA IJ09018 CRE PROCESSOR THREADS CAN DIE WHEN THE MAXMIND DATABASE IS UPDATED VIA AUTO UPDATE CLOSED Resolved in:
QRadar 7.3.2 (7.3.2.20190201201121)
QRadar 7.3.1 Patch 8 (7.3.1.20190228154648)
13 December 2018
ADVANCED SEARCH (AQL) IJ08960 ADVANCED SEARCH (LOG ACTIVITY) CAN FAIL WHEN CALCULATING EPS AND SORTING ON EPS CLOSED Closed as suggestion for future release. The "ArithmeticException: divide by zero" that is thrown is expected behaviour for this query. This behaviour is consistent with industry standard SQL engines. The workaround is to not divide by zero.
For AQL like:
( max(endTime) - min(startTime) )

change the query to:
( max(endTime) - min(startTime)  + 1)

A suggestion APAR identifies a function/operation that is not within the product specifications, for which a fix is not planned. Implementation of this modification would be a product enhancement. This APAR is considered for any future products/releases. For more information on feature requests and QRadar, see the QRadar Support Request for Enhancement (RFE) FAQ page.
18 December 2018
OFFENSES - DISPLAY IJ08399 THE OFFENSE SUMMARY PAGE CAN SOMETIMES TAKE LONGER THAN EXPECTED TO DISPLAY A SINGLE OFFENSE (60 SECONDS) CLOSED Resolved in QRadar 7.3.1 Patch 8. 26 September 2018
APP NODE IJ03980 FAILED/UNRECOVERABLE APP NODE CANNOT BE REMOVED FROM QRADAR USER INTERFACE CLOSED Resolved in QRadar 7.3.1 Patch 8 (7.3.1.20190228154648). 25 May 2018
RULES - PERFORMANCE IJ06484 RULES CONTAINING TESTS AGAINST GEOGRAPHIC LOCATION CAN SOMETIMES CAUSE NEGATIVE CRE PIPELINE PERFORMANCE CLOSED Resolved in QRadar 7.3.1 Patch 8 (7.3.1.20190228154648). 18 May 2018
RULES - RESPONSE LIMITER IJ02748 'PLEASE ENTER A VALID OPTION PER INDEX' MESSAGE DISPLAYED WHEN ATTEMPTING TO SET A RULE RESPONSE LIMITER ON AN OFFENSE CLOSED Resolved in QRadar 7.3.1 Patch 8 (7.3.1.20190228154648). 21 December 2017
HIGH-AVAILABILITY (HA) IJ02465 ISSUES CAN BE ENCOUNTERED AFTER PATCHING A HIGH AVAILABILITY PRIMARY HOST THAT WAS REBUILT USING HA RECOVERY PROCEDURE CLOSED Resolved in QRadar 7.3.1 Patch 8 (7.3.1.20190228154648). 13 December 2017
CSV EXPORT IJ02468 EXPORT TO CSV CONTAINING NUMBERS WITH A SPACE SEPARATOR CAN DISPLAY INCORRECTLY IN MICROSOFT EXCEL CLOSED Resolved in QRadar 7.3.2 (7.3.2.20190201201121). 13 December 2017
REFERENCE DATA IJ01874 ASSOCIATED RULES COUNT IN THE REFERENCE SET MANAGEMENT USER INTERFACE CAN APPEAR DIFFERENT THAN REFERENCE SET EDITOR SCREEN CLOSED Closed as suggestion for future release.

This issue could not be replicated in QRadar 7.2.8 or QRadar 7.3.2 releases. There are a number of default reference sets which are attached to default custom rules. When one of the default custom rules is modified, a duplicate rule is created in the QRadar database (known as an override rule) which obsoletes the default rule. The Admin -> Reference Set Management page tallies both of these rules in the "Associated Rules" count that is displayed.

A suggestion APAR identifies a function/operation that is not within the product specifications, for which a fix is not planned. Implementation of this modification would be a product enhancement. This APAR is considered for any future products/releases. For more information on feature requests and QRadar, see the QRadar Support Request for Enhancement (RFE) FAQ page.
06 March 2019
RULES IV93954 RULE TEST 'WHEN AT LEAST [N] EVENTS ARE SEEN WITH THE SAME [PROPERTIES] IN [X] [MIN|HR|DAYS]' NOT FIRING WHEN EXPECTED CLOSED Resolved in QRadar 7.3.2 Patch 4 (7.3.2.20190803012943) 26 February 2019
PORT ORDER IJ13900 QRADAR NETWORK INSIGHTS: INCORRECT NETWORK PORT ORDER DISPLAYED IN 'CONFIGURE QNI PORTS' WINDOW COMPARED TO THE BACK OF THE QNI APPLIANCE CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

NOTE: Documentation updated to indicate the correct or expected port order for 1901, 1920 and 1920-C.
25 February 2019
DOMAIN MANAGEMENT IJ13244 EXCEPTION GENERATED IN QRADAR LOGGING WHEN CUSTOM EVENT PROPERTIES (CEP) ARE ADDED TO A DOMAIN OPEN: Reported in QRadar 7.3.2 No workaround available. Log keywords:
QRadar.saveDomain
com.q1labs.frameworks.session.SessionContext
[ERROR] leak(s) detected in session context
26 February 2019
CUSTOM ACTIONS IJ03208 CUSTOM ACTION PARAMETER SCRIPT ORDERING IS NOT HONORED CLOSED Resolved in QRadar 7.3.2 (7.3.2.20190201201121). 26 January 2018
DISK SPACE IJ12276 LUCENE INDEXES ARE NOT REMOVED BY ROUTINE QRADAR DISK MAINTENANCE CLOSED Resolved in:
QRadar 7.3.2 (7.3.2.20190201201121)
QRadar 7.3.1 Patch 8 (7.3.1.20190228154648)
11 February 2019
NETWORK INTERFACE - FIRMWARE IJ12105 QRADAR NETWORK INSIGHTS - NAPATECH3 SERVICE CAN FAIL ON NETWORK INSIGHTS APPLIANCES DUE TO FIRMWARE UPGRADE TEST SCRIPT TRANSITIONING TO CLOSED Resolved in:
QRadar 7.3.2 (7.3.2.20190201201121)
QRadar 7.3.1 Patch 8 (7.3.1.20190228154648)
11 February 2019
NETWORK INTERFACE IJ11384 QRADAR NETWORK INSIGHTS - NAPATECH3 SERVICE CAN DIE WHEN MULTIPLE NETWORK INSIGHTS APPLIANCES ARE IN A STACKED CONFIGURATION TRANSITIONING TO CLOSED Resolved in:
QRadar 7.3.2 (7.3.2.20190201201121)
QRadar 7.3.1 Patch 8 (7.3.1.20190228154648)
11 February 2019
USER INTERFACE / LOGIN IJ10166 USERS CANNOT LOG INTO QRADAR DUE TO THREAD DEADLOCK CLOSED Resolved in:
QRadar 7.3.1 Patch 7 (7.3.1.20181123182336)
QRadar 7.3.1 Patch 6 Interim Fix 2
29 November 2018
SEARCHES IJ10862 EXPORTED ASSET SEARCHES CONTAINING A NETWORK FILTER CAN GENERATE BLANK XML OR CSV FILES CLOSED Resolved in QRadar 7.3.1 Patch 7 (7.3.1.20181123182336)

It had been reported in QRadar 7.3.1 Patch 5 that when exporting data from the Asset tab after applying a network filter, the generated xml or CSV reports can sometimes be empty. Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs:
[tomcat.tomcat] [ExportJob-admin-308db28c-xxx-xxx-xxx-xxxxxxxxxx] com.q1labs.core.sql.queryframework.QueryFramework: [ERROR]
Chained SQL Exception [1/2]: ERROR: missing FROM-clause entry for table "netid"
29 November 2018
REPORTS IJ05334 TABLE REPORT VALUE FORMATTING CAN DISPLAY INCORRECTLY FOR AQL AGGREGATED DATA CLOSED This issue resolved in QRadar 7.3.1 Patch 7 (7.3.1.20181123182336) 29 November 2018
FLOWS IJ08471 QRADAR NETWORK INSIGHTS CONTENT FLOWS ARE COUNTED AGAINST FLOW LICENSE WHEN THEY SHOULDN'T BE CLOSED Resolved in:
QRadar 7.3.2 (7.3.1.20190201201121)
QRadar 7.3.1 Patch 7 (7.3.1.20181123182336)
QRadar 7.3.1 Patch 6 IF02 (7.3.1.20181019113425)
QRadar 7.3.1 Patch 6 IF01 (7.3.1.20181002221547)
29 November 2018
UPGRADES IJ08432 BACKLEVEL JTDS JAR FILES IN QRADAR 7.3.1 CAN SOMETIMES CAUSE AN OUT OF MEMORY WITH ECS-EC-INGRESS PROCESS CLOSED This issue resolved in QRadar 7.3.1 Patch 7 (7.3.1.20181123182336)

It has been reported that the older jtds-1.2.6.jar file can reside within multiple QRadar directories instead of the newer jtds-1.3.3i.jar after patching/upgrading QRadar. In instances where the two different versions of the jtds .jar file are simultaneously present in working directories of QRadar, and Log Sources using JDBC are in use, the ecs-ec-ingress process can go out of memory. If you have issues, contact Support for a possible workaround that might address this issue in some instances.
29 November 2018
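The following script is an added example and not part of this page or of IBM's tooling. It reports every jtds-*.jar found under a QRadar install root and flags the mixed-version state described for IJ08432 (two different jtds versions present at once). The default root /opt/qradar and the jar-name pattern are assumptions; the script only reports and changes nothing.

```shell
# Added example (not IBM code): find jtds jars under a QRadar install root
# and flag the IJ08432 condition where more than one version is present.
# The default root /opt/qradar is an assumption; pass another path to override.

# list_jtds_jars ROOT -> one "version<TAB>path" line per jtds jar, sorted
list_jtds_jars() {
  root=${1:-/opt/qradar}
  find "$root" -type f -name 'jtds-*.jar' 2>/dev/null | while IFS= read -r jar; do
    base=$(basename "$jar" .jar)   # e.g. jtds-1.3.3i
    ver=${base#jtds-}              # e.g. 1.3.3i
    printf '%s\t%s\n' "$ver" "$jar"
  done | sort
}

# count_jtds_versions ROOT -> number of distinct jtds versions found
count_jtds_versions() {
  list_jtds_jars "$1" | cut -f1 | sort -u | wc -l | tr -d ' '
}

# check_jtds ROOT -> exit 0 if at most one version is present,
# exit 1 with a listing on stderr if several versions coexist
check_jtds() {
  root=${1:-/opt/qradar}
  n=$(count_jtds_versions "$root")
  if [ "$n" -gt 1 ]; then
    echo "WARNING: $n different jtds versions found under $root:" >&2
    list_jtds_jars "$root" >&2
    return 1
  fi
  echo "OK: $n jtds version(s) under $root"
  return 0
}

# Usage on a Console or Event Collector: check_jtds /opt/qradar
```

A non-zero exit is the signal to open a case with Support as the APAR entry advises; do not remove jar files from QRadar directories yourself.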
OFFENSES IJ09017 OFFENSES NOT GENERATED WHEN USING A CUSTOM EVENT PROPERTY AS OFFENSE INDEX IN HISTORICAL CORRELATION CLOSED Resolved in:
QRadar 7.3.2 (7.3.2.20190201201121)
QRadar 7.3.1 Patch 7 (7.3.1.20181123182336)
QRadar 7.2.8 Patch 15 (7.2.8.20190118175747)
30 November 2018
REPORTS IJ09036 AQL QUERY WITH AN AGGREGATE THAT IS RUN AGAINST A CURSOR THAT CONTAINS AN AGGREGATE FAILS WITH 'GENERAL FAILURE' OPEN (Transitioning to closed) This issue resolved in QRadar 7.3.1 Patch 7 (7.3.1.20181123182336) 29 November 2018
DASHBOARD IJ08228 CREATING AN AQL QUERY WITH A SUB-SELECT CAN CAUSE DASHBOARD TIMESERIES TO FAIL DUE TO THE GLOBAL VIEW CREATED CLOSED This issue resolved in QRadar 7.3.1 Patch 7 (7.3.1.20181123182336) 29 November 2018
FLOWS IJ11163 NETFLOW V9 / IPFIX INITIATOR/RESPONDER OCTET/PACKET FIELD DATA IS NOT PROCESSED BY QRADAR OPEN (Transitioning to closed) Resolved in:
QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)
QRadar 7.3.1 Patch 7 (7.3.1.20181123182336)
QRadar 7.2.8 Patch 15 (7.2.8.20190118175747)
29 November 2018
FLOWS IJ10158 QRADAR NETWORK INSIGHTS (QNI) DECAPPER 'OUT OF MEMORY' INSTANCES CAUSED BY MULTIPLE INSPECTOR COMPONENTS CLOSED Resolved in:
QRadar 7.3.1 Patch 7 (7.3.1.20181123182336)
QRadar 7.3.1 Patch 6 Interim Fix 1 (7.3.1.20181002221547)
29 November 2018
APPLIANCES IJ00712 A STANDBY HA MANAGED HOST REBUILT FROM THE RECOVERY IMAGE MAY NOT MERGE /STORE/TRANSIENT CORRECTLY CAUSING HA ISSUES OPEN (Transitioning to closed) This issue resolved in QRadar 7.3.1 Patch 7 (7.3.1.20181123182336) 29 November 2018
EVENTS / GEOGRAPHIC DATA IJ04898 GEOGRAPHIC COUNTRY/REGION INDEXING CAN CAUSE UNEXPECTED EVENT COLLECTION INTERRUPTION WHEN GEODATA UPDATES OCCUR CLOSED Resolved in:
QRadar 7.3.2 Patch 1 (7.3.2.20190410024210)
QRadar 7.3.1 Patch 8 (7.3.1.20190228154648)
09 August 2019
DISK SPACE IJ03438 /OPT/QRADAR/SUPPORT CAN RUN OUT OF FREE SPACE AFTER UPGRADE DUE TO A LARGE NUMBER OF FAILED REPLICATION FILES CLOSED Resolved in QRadar 7.3.1 Patch 7 (7.3.1.20181123182336)

It has been identified that the monitored partition /opt/qradar/support can run out of free space after an upgrade when a large number of failed replication files exist in that location (their default storage location). The /opt/qradar/ partition is smaller in QRadar 7.3.0.x than in earlier releases, so it can fill faster than expected when system issues create many failed replication files in quick succession.

NOTE: Services on a QRadar appliance are stopped when less than 5% free space is detected on a monitored partition, and they stay stopped until the free space issue is corrected. For more information on QRadar disk space and resolving issues, see QRadar Disk Space 101.
29 November 2018
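The script below is an added example, not part of this page or of IBM's monitoring, that checks partitions against the 5% free-space threshold at which QRadar stops services. It parses POSIX `df -P` output, so it can be run on any appliance or against captured output. The threshold default and the example mount points are assumptions; which partitions QRadar actually monitors is documented in QRadar Disk Space 101, not here.

```shell
# Added example (not IBM code): flag partitions below the free-space
# threshold at which QRadar stops services. THRESHOLD_PCT defaults to the
# 5% figure from the APAR text; override it in the environment if needed.
THRESHOLD_PCT=${THRESHOLD_PCT:-5}

# free_pct_lines DF_OUTPUT -> "mountpoint free_percent" for each data line
# of `df -P` (header skipped; free% = Available * 100 / total blocks,
# truncated to an integer; lines with a zero-size filesystem are ignored)
free_pct_lines() {
  printf '%s\n' "$1" | awk 'NR > 1 && NF >= 6 && $2 > 0 {
    printf "%s %d\n", $6, ($4 * 100) / $2
  }'
}

# low_space_mounts DF_OUTPUT THRESHOLD -> mount points with free% < THRESHOLD
low_space_mounts() {
  free_pct_lines "$1" | awk -v t="$2" '$2 < t { print $1 }'
}

# check_disk_space [MOUNT...] -> exit 1 and list offenders if any checked
# partition is below THRESHOLD_PCT, exit 0 otherwise
check_disk_space() {
  out=$(df -P "$@")
  low=$(low_space_mounts "$out" "$THRESHOLD_PCT")
  if [ -n "$low" ]; then
    printf 'LOW SPACE (< %s%% free):\n%s\n' "$THRESHOLD_PCT" "$low" >&2
    return 1
  fi
  echo "OK: all checked partitions have at least ${THRESHOLD_PCT}% free"
  return 0
}

# Usage: check_disk_space /opt/qradar/support /store /var/log
```

Free space is computed from the Available column rather than from the Capacity column, because `df` rounds Capacity up and reserved blocks make the two disagree near the threshold, which is exactly where this check matters.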
OFFENSES IJ10545 OFFENSE SOURCE SUMMARY DISPLAYS INCORRECTLY FOR OFFENSES INDEXED ON REGEX CUSTOM PROPERTIES WITH FIELD TYPE "IP" OPEN (Transitioning to closed) Resolved in:
QRadar 7.3.1 Patch 7 (7.3.1.20181123182336)
QRadar 7.2.8 Patch 14
29 November 2018
UPGRADES IJ10818 CHANGES MADE TO LOGROTATE IN QRADAR 7.3.1 PATCH 6 CAN CAUSE /VAR/LOG AND OR /OPT TO RUN OUT OF FREE SPACE OPEN (Transitioning to closed) Resolved in QRadar 7.3.1 Patch 7 (7.3.1.20181123182336) 29 November 2018
EVENTS IJ03211 HOSTCONTEXT SERVICES CAN FAIL TO START DURING A HIGH AVAILABILITY (HA) FAILOVER TO SECONDARY EP/FP APPLIANCES CLOSED Resolved in QRadar 7.3.1 Patch 7 (7.3.1.20181123182336)

It has been identified that in some instances hostcontext can fail to start during a High Availability (HA) failover to the Secondary due to a race condition: hostcontext tries to start while its prerequisite, IMQ, is not yet in a running state.

Events and flows from affected Managed Hosts are inaccessible in the User Interface until this issue is corrected.

Workaround: Restart the hostcontext service once IMQ is confirmed to be running. From an SSH session to the Secondary appliance, first check the IMQ state:
# systemctl status imq

If IMQ is in the active (running) state, restart hostcontext:
# systemctl restart hostcontext
29 November 2018
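The following script is an added example and not part of this page or of IBM's appliance tooling. It turns the two manual commands above into a guarded sequence: it polls `systemctl is-active imq` until the unit reports active, and only then restarts hostcontext, refusing to restart if IMQ never comes up. The retry budget and the SYSTEMCTL override (used so the logic can be exercised with a stub) are assumptions.

```shell
# Added example (not IBM code): the IJ03211 workaround as a script that
# waits for the IMQ unit to be active before restarting hostcontext.
# SYSTEMCTL can be overridden (for example with a stub); the default
# retry budget of 30 tries at 10 seconds is an assumption.
SYSTEMCTL=${SYSTEMCTL:-systemctl}

# is_unit_active UNIT -> 0 if systemctl reports the unit as "active"
is_unit_active() {
  state=$("$SYSTEMCTL" is-active "$1" 2>/dev/null || true)
  [ "$state" = "active" ]
}

# wait_for_unit UNIT TRIES DELAY -> 0 once active, 1 if the budget runs out
wait_for_unit() {
  unit=$1; tries=${2:-30}; delay=${3:-10}; i=0
  while [ "$i" -lt "$tries" ]; do
    if is_unit_active "$unit"; then
      return 0
    fi
    i=$((i + 1))
    sleep "$delay"
  done
  return 1
}

# restart_hostcontext_after_imq TRIES DELAY -> restart hostcontext only
# once imq is running; exit 1 without restarting if imq never comes up
restart_hostcontext_after_imq() {
  if wait_for_unit imq "${1:-30}" "${2:-10}"; then
    "$SYSTEMCTL" restart hostcontext
  else
    echo "imq is not active; hostcontext was not restarted" >&2
    return 1
  fi
}

# Run as root on the Secondary appliance: restart_hostcontext_after_imq 30 10
```

Restarting hostcontext while IMQ is still starting reproduces the same race the APAR describes, which is why the script refuses rather than retrying the restart itself.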
DATA IJ08827 HOSTCONTEXT STARTUP ON A MANAGED HOST CAN OCCUR PRIOR TO DATABASE VERIFICATION OPEN (Transitioning to closed) Resolved in QRadar 7.3.1 Patch 7 (7.3.1.20181123182336) 29 November 2018
SCANS IV99512 CONCURRENT SCHEDULED SCANS THAT INCLUDE IP EXCLUSIONS CAN FAIL TO START AT THE SCHEDULED TIME CLOSED Resolved in:
QRadar 7.3.2 Patch 1 (7.3.2.20190410024210)
QRadar 7.3.1 Patch 7 (7.3.1.20181123182336)
29 November 2018
SCANS IV91226 QVM SCAN CAN FAIL TO START/PROGRESS WHEN THERE ARE A LARGE NUMBER OF IP ADDRESS SCAN EXCLUSIONS DUE TO A POSTGRES EXCEPTION Transitioning to closed Resolved in QRadar 7.3.1 Patch 7 (7.3.1.20181123182336) 29 November 2018
REPORTS IJ09183 VULNERABILITY TRENDING REPORTS CAN SOMETIMES BE BLANK CLOSED Resolved in:
QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)
QRadar 7.3.1 Patch 7 (7.3.1.20181123182336)
29 November 2018
SEARCHES IJ08226 CLICKING 'VIEW IN BY' IN A VULNERABILITY SEARCH DASHBOARD NAVIGATES TO INCORRECT QRADAR WINDOW CLOSED Resolved in QRadar 7.3.1 Patch 7 (7.3.1.20181123182336) 29 November 2018
SCANS IJ07030 VULNERABILITY SCANS EXPERIENCE A DELAY PRIOR TO COMMENCING WHEN A HIGH NUMBER OF IP EXCLUSIONS ARE DEFINED CLOSED Resolved in:
QRadar 7.3.2 Patch 1 (7.3.2.20190410024210)
QRadar 7.3.1 Patch 7 (7.3.1.20181123182336)
29 November 2018
SCHEDULED SCAN IJ03246 QRADAR VULNERABILITY MANAGER - ALL SCHEDULED SCANS THAT RUN ON DECEMBER 1ST START AT MIDNIGHT NO MATTER WHAT TIME THEY ARE CONFIGURED TO START CLOSED Resolved in:
QRadar 7.3.1 Patch 7 (7.3.1.20181123182336)
QRadar 7.2.8 Patch 12 (7.2.8.20180416164940)

It has been identified that any QVM scan that is configured to run on December 1st starts at midnight ignoring the actual configured scan start time.
29 November 2018
DATA / RULES IJ10999 UPDATES TO REFERENCE DATA USING CUSTOM EVENT PROPERTIES (CEP) CAN CAUSE CEP AND RULES TO BE RELOADED/TMP CLOSED Resolved in:
QRadar 7.3.2 Patch 1 (7.3.2.20190410024210)
QRadar 7.3.1 Patch 7 (7.3.1.20181123182336)
29 November 2018
OFFENSES IJ10070 QRADAR CAN STOP GENERATING OFFENSES DUE TO AN INCORRECT NULL CHECK OPEN (Transitioning to closed) Resolved in QRadar 7.3.1 Patch 7 (7.3.1.20181123182336) 29 November 2018
RULES IJ08227 CUSTOM RULE ENGINE DOES NOT USE LOG SOURCES CONTAINED IN 'OTHER' LOG SOURCE GROUP FOR FUNCTIONAL TEST PARAMETERS CLOSED This issue resolved in QRadar 7.3.1 Patch 7 (7.3.1.20181123182336) 29 November 2018
USER INTERFACE IJ10532 WINCOLLECT AGENT 'LAST HEARTBEAT' STATUS DISPLAYS AS "UNAVAILABLE" WHEN WORKING AS EXPECTED OPEN (Transitioning to closed) Resolved in:
QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)
QRadar 7.3.1 Patch 7 (7.3.1.20181123182336)
QRadar 7.3.1 Patch 6 Interim Fix 2
QRadar 7.2.8 Patch 15
29 November 2018
DEPLOY CHANGES IJ10514 QRADAR VULNERABILITY MANAGER DEPLOY FUNCTION STAYS AT "INITIATING DEPLOYMENT" AFTER A MANUAL OR AUTOMATIC AUTOUPDATE CLOSED This issue resolved in QRadar 7.3.1 Patch 6 Interim Fix 2 24 October 2018
UPGRADES IJ09572 PATCH/UPGRADE TO QRADAR 7.3.1 PATCH 6 CAN HANG FOR AN EXTENDED PERIOD OF TIME (HOURS) WITH VULN_MAP_ASSET_MV DOES NOT EXIST CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
DOMAINS IJ07713 QRADAR DOES NOT ALLOW ALL TOP LEVEL DOMAINS IN EMAIL ADDRESS DATA VALIDATION, CAN RETURN 'EMAIL ADDRESS IS NOT VALID' CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
USER INTERFACE IJ06980 DASHBOARDS AND/OR QUICK SEARCHES CAN DISAPPEAR AFTER MODIFICATIONS HAVE BEEN MADE TO USER SETTINGS CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
SEARCHES IV54692 EVENT SEARCHES THAT FILTER BY THE EVENT PROCESSOR MIGHT DISPLAY UNEXPECTED GRAPH RESULTS CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
REPORTS IJ07276 RTF FORMATTED REPORTS CAN FAIL TO GENERATE WITH A NULLPOINTEREXCEPTION DISPLAYED IN THE LOGS CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
SEARCHES IJ07123 INCONSISTENT RESULTS FOR ASSET SEARCHES 'ASSETS WITH OPEN SERVICE = DNS' VS 'ASSETS WITH OPEN SERVICE = DOMAIN' CLOSED Closed as a suggestion for a future release; asset searching works as designed. Searching with 'Open Service equals any of' and selecting both 'domain' and 'DNS' has been verified to return the expected assets.

A suggestion APAR identifies a function/operation that is not within the product specifications, for which a fix is not planned. Implementation of this modification would be a product enhancement. This APAR is considered for any future products/releases. For more information on feature requests and QRadar, see the QRadar Support Request for Enhancement (RFE) FAQ page.
18 September 2018
REPORTS IJ06862 REPORT RUNNER OUT OF MEMORY CAN OCCUR WHILE ATTEMPTING TO GENERATE VERY LARGE TABLE CHART PDF REPORTS CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
SEARCHES IJ06807 MODIFYING THE START TIME FOR A LOG ACTIVITY SEARCH CAUSES A BLANK UI WINDOW FOR SOME QRADAR USER LOCALES CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
ASSETS IJ05767 WHEN AN ASSET'S 'GIVEN NAME' IS SET ON THE 'EDIT ASSET PROFILE' WINDOW, IT CAN NO LONGER BE EDITED SUCCESSFULLY CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
ASSETS IJ05756 WHEN AN ASSET HAS A 'GIVEN NAME' ASSIGNED, ANY SUBSEQUENT ASSET NAME CHANGES DO NOT OCCUR IN 'EDIT ASSET PROFILE' WINDOW CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
SEARCHES IJ00800 "HTTP ERROR 400" ERROR WHEN DRILLING DOWN INTO SEARCH RESULTS USING INTERNET EXPLORER 11 AND EDGE WEB BROWSER CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
EVENTS IJ07456 EVENT DATA FROM SPILLOVER QUEUE CAN SOMETIMES FAIL TO PARSE WHEN PROCESSED BY THE REGULAR QRADAR PIPELINE CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
HOSTS IJ07127 QRADAR HOSTS CAN TAKE A LONGER THAN EXPECTED TIME TO RECONNECT AFTER A VPN CONNECTION RESET OR INTERRUPTION HAS OCCURRED CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
QUERIES IJ06633 SNMPD DAEMON CRASH OCCURS WHEN PERFORMING A WIDE QUERY CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
DATA IJ02816 APPLICATION DATA CONTINUES TO BE SENT TO THE ASSET MODEL AFTER DISABLING 'CLIENT APPLICATION PROFILING' CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
DASHBOARD IJ05151 DASHBOARD WIDGETS AND REPORTS CAN BE EMPTY AFTER A COMPLETED UPGRADE FROM 7.2.8P1+ TO 7.3.0+ OR 7.3.1+ CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
DATA IJ03225 DATA BACKUPS CAN TAKE LONGER THAN EXPECTED OR FAIL TO COMPLETE CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
EVENTS IJ02598 MISSING THE FILE /STORE/PERSISTENT_QUEUE/ECS-EC.ECS-EC CAUSES EVENT PROCESSING/STORAGE TO FAIL CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
SERVICES IJ07138 QRADAR INCIDENT FORENSICS - PACKET CAPTURE FAILS DUE TO NAPATECH3 SERVICE FAILING TO START CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
DISK SPACE / NETFLOW IJ08089 QFLOW PROCESS CAN FAIL ON A MANAGED HOST WHILE APPENDING MESSAGE TEXT SEQUENCE NUMBERS WHEN RECEIVING NETFLOW CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
RULES IJ04902 GEOGRAPHIC RULE TESTS CONTAINING COUNTRIES WITH SPACES IN THEIR NAMES (MULTIPLE WORDS) ARE NOT BEING MATCHED CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
USER INTERFACE IJ04174 APPS TABS CAN BE SLOW TO LOAD AND/OR FAIL TO LOAD IN THE USER INTERFACE DUE TO DOCKER FREE SPACE PROVISIONING CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
LOG SOURCES IV87195 SOME QRADAR CONFIGURATIONS CONTAINING A LARGE NUMBER OF LOG SOURCES CAN SOMETIMES EXPERIENCE PERFORMANCE DEGRADATION CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
DATA IJ06757 IMPORTED REFERENCE DATA DOES NOT EXPIRE AT ITS TIME TO LIVE WHEN THE REFERENCE DATA STRUCTURE IS IMPORTED USING CMT CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
DATABASE IJ04182 CONTENT MANAGEMENT TOOL CAN FAIL DURING THE IMPORT OF CUSTOM_ACTION TABLES CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
UPGRADES IV99773 QRADAR DEPLOY FUNCTION REQUIRED AFTER UPGRADE CAN FAIL IF THERE IS NOT ENOUGH FREE SPACE IN /TMP CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
UPGRADES IJ07254 BUILD OR REBUILD OF A DISCONNECTED HIGH AVAILABILITY (HA) SECONDARY APPLIANCE (500) FROM QRADAR 7.2.8P1 TO 7.3.1 CAN FAIL CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
LOGS IJ06866 LOG ROTATE NEEDS TO RUN MORE FREQUENTLY CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
APPLIANCES IJ06268 DBUS COMPONENT OF SYSTEMD CAN SOMETIMES ENTER A HUNG STATE CAUSING SOME RHEL COMMANDS TO FAIL TO RUN AS EXPECTED CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
UPGRADES IJ06082 QRADAR UPGRADE TO 7.3.1.X CAN FAIL DURING THE INSTALLATION PROCESSES INCLUDED WITHIN "34-POSTGRESQL-UPGRADE.SH" CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
SEARCHES IJ06148 'THERE WAS AN ERROR DOWNLOADING THIS ITEM' MESSAGE WHEN USING AN AQL SEARCH WITH TABLE, BAR, OR PIE CHARTS FOR A DASHBOARD CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
APPLIANCES IJ02752 RUNNING THE QFLOW_DTLS_CERT_SETUP.PY AS PART OF A QNI APPLIANCE SETUP CAN FAIL CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
BACKUP IJ06480 RISK MANAGER BACKUP PROCESS FAILS WHEN IT IS INSTALLED ON A QRADAR SOFTWARE INSTALL VS APPLIANCE INSTALL CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
SIMULATIONS IJ06008 QRADAR RISK MANAGER SIMULATION CAN FAIL WITH 'NO RESULTS' IN THE SIMULATIONS SCREEN CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
SEARCHES IJ06914 LEFT AND RIGHT KEYBOARD ARROW KEYS DO NOT RESPOND APPROPRIATELY WHILE BEING USED WITHIN SOME QRADAR SEARCH FIELDS CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
DEVICES IJ03313 QRADAR VULNERABILITY MANAGER - 'APPLICATION ERROR' WHEN PERFORMING A NORMALIZED DEVICE COMPARISON FOR A PALO ALTO DEVICE CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
LICENSES IJ01180 VULNERABILITY MANAGER 'TRY IT OUT' ICON IS STILL PRESENT AFTER APPLYING A PROPER VULNERABILITY MANAGER LICENSE CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
OFFENSES IV90797 DISPLAYING OFFENSE COUNT BY CATEGORY AND/OR NETWORK DOES NOT RESPECT USER ACCOUNT DOMAIN CONFIGURATION CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
EVENTS IJ07174 "(1026) INVALID DATA" WHEN ADDING COMMA SEPARATED IP ADDRESSES TO AN EVENT RULE CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
OFFENSES IJ06833 OFFENSES CAN HAVE AN INCORRECT START TIME THAT IS PRIOR TO THE OFFENSE CREATION TIME WHEN USING "MATCH COUNT" RULES CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
EVENTS IJ05592 NETWORK NAME AND EVENT 'DIRECTION' CAN BE DISPLAYED INCORRECTLY WHEN EVENTS CONTAIN IPV6 ADDRESSES CLOSED Resolved in QRadar 7.3.1 Patch 6 18 September 2018
USER INTERFACE IJ04928 HOVERING OVER AN IP ADDRESS DOES NOT SHOW THE NETWORK NAME IF THE COUNTRY FIELD IS NOT POPULATED IN NETWORK HIERARCHY CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
OFFENSES IJ08032 QRADAR USERS WITHOUT THE 'MANAGE OFFENSE CLOSING' USER ROLE OPTION SELECTED CAN CLOSE OFFENSES CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
AUTHENTICATION IJ07975 LDAP LOGIN CAN FAIL FOR USERS WITH INTERNAL OR OPERATIONAL ATTRIBUTES CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
SERVICES IJ08436 PROCESS RUNNING OUT OF MEMORY DOES NOT CREATE SYSTEM.DMP FILE CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
SEARCHES IJ08828 NON-ADMIN USERS ARE UNABLE TO USE SEARCH FILTER 'LOG SOURCE GROUP', THE LIST DOES NOT LOAD CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
RULES IJ08845 /VAR/LOG/ FILLING WITH 'COM.Q1LABS.CORE.AQL.XFORCEFUNCTIONS: [ERROR]' MESSAGES CLOSED This issue resolved in QRadar 7.3.1 Patch 6 18 September 2018
REPORTS IJ08219 INCOMPLETE RESULTS IN REPORTS WHEN SELECTING 'DAY OF THE WEEK' TARGETED DATA SELECTION CONTAINER DETAILS CLOSED Closed as suggestion for future release.

Workaround: Instead of selecting the day of the week under Targeted Data Selection in the report's container details, include the day-of-week condition in the AQL query of the search itself. The completed report then contains all the expected results for the days specified in the AQL query.

Details: It has been identified that reports can return incomplete or inconsistent results when Day of the Week is selected under Targeted Data Selection in the container details of the report.

For example:
  1. From the Log Activity tab, create a new search A for which data is not being accumulated (i.e. without the Group by clause)
  2. From the Reports tab, create a new monthly report based on the search.
  3. In the Container details of the report, check the Targeted Data Selection checkbox. Then select day of the week (e.g. Saturday and Sunday)
  4. Select Tables in the Graph Type dropdown box. Select 65,000 in the Limit Events/Logs to Top dropdown box.
  5. Run the report. Verify the records in the report.

Results
  • Expected: The report should contain records for all the Saturdays and Sundays of the previous month.
  • Actual: The report contains only records for the last Sunday of the month.
24 August 2018
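The script below is an added example, not part of this page or of IBM's content, showing the IJ08219 workaround in practice: the weekday restriction is expressed in the AQL WHERE clause with DATEFORMAT(starttime, 'EEEE'), which returns the full weekday name, and the query is submitted through the Ariel search API. The column list, the API version header and the QRADAR_HOST/QRADAR_TOKEN variables are assumptions about the target console; the date window is the report's previous-month period from the repro steps.

```shell
# Added example (not IBM code): build an AQL query whose day-of-week filter
# lives in the query itself (IJ08219 workaround) and submit it via the
# Ariel REST API. QRADAR_HOST, QRADAR_TOKEN and the Version header are
# assumptions; adjust them for your console.

# weekday_aql DAYS START STOP
#   DAYS is a comma-separated list of full weekday names, e.g. "Saturday,Sunday"
#   START/STOP use the AQL 'yyyy-MM-dd HH:mm' form
#   -> prints the AQL query on stdout
weekday_aql() {
  days=$1; start=$2; stop=$3
  list=$(printf '%s' "$days" | sed "s/,/','/g")   # Saturday,Sunday -> Saturday','Sunday
  printf "SELECT starttime, sourceip, destinationip, username, qid FROM events WHERE DATEFORMAT(starttime, 'EEEE') IN ('%s') START '%s' STOP '%s'" "$list" "$start" "$stop"
}

# submit_aql QUERY -> POST the query to /api/ariel/searches and print the
# JSON response (search_id and status). Uses an authorized service token in
# the SEC header; add --cacert <file> if the console uses a private CA.
submit_aql() {
  curl -sS -G -X POST \
    -H "SEC: $QRADAR_TOKEN" -H "Version: 9.0" -H "Accept: application/json" \
    --data-urlencode "query_expression=$1" \
    "https://$QRADAR_HOST/api/ariel/searches"
}

# Usage:
#   q=$(weekday_aql "Saturday,Sunday" "2018-07-01 00:00" "2018-08-01 00:00")
#   submit_aql "$q"
```

The search window still has to span every weekend of the month (here the whole of July 2018); the WHERE clause only decides which days inside that window are kept. Whether the same query is then used as the report's saved search or run ad hoc, the weekday selection no longer depends on the Targeted Data Selection container setting.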
APP FRAMEWORK IJ08034 USING THE STIG SCRIPTS ON A QRADAR CONSOLE CAN CAUSE THE APP FRAMEWORK TO FAIL OPEN Contact Support for a possible workaround 20 August 2018
VULNERABILITY SCAN IJ08038 OUTPOST24 VULNERABILITY SCAN STARTS AND THEN FAILS WITH NULLPOINTEREXCEPTION IN QRADAR.LOG OPEN No workaround available. 14 August 2018
APP FRAMEWORK IJ08092 ZOOKEEPER CAN FAIL TO START WHEN ZERO-LENGTH FILES ARE PRESENT IN LOGS DIRECTORY CAUSING MICROSERVICES INSTALLATION TO FAIL CLOSED Resolved in:
QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)
QRadar 7.3.0 Patch 6 (7.3.0.20171107151332)

It has been identified in QRadar 7.3.0 versions that zookeeper can fail to start due to an exception that occurs while starting a new session if zero-length log files exist in the /var/lib/zookeeper/version-2 directory. When this exception occurs, the microservices installation fails. Messages similar to the following might be visible when checking the marathon logs with journalctl:
marathon[17960]: [2017-07-20 15:19:10,929] WARN Session 0x0 for server /:2181, unexpected error, closing socket connection and example.net:2181
marathon[17960]: java.net.ConnectException: Connection refused
marathon[17960]: at sun.nio.ch.SocketChannelImpl.checkConnect(Native Method)
marathon[17960]: at sun.nio.ch.SocketChannelImpl.finishConnect(SocketChannelImpl.java:731)
marathon[17960]: at org.apache.zookeeper.ClientCnxnSocketNIO.doTransport(ClientCnxnSocketNIO.java:356)
marathon[17960]: at org.apache.zookeeper.ClientCnxn$SendThread.run(ClientCnxn.java:1192)

The following exception might also be visible in the output of journalctl -u zookeeper:
zookeeper[27112]: 2017-07-20 15:21:58,580 [myid:] - ERROR [main:ZooKeeperServerMain@64] - Unexpected exception, exiting abnormally
zookeeper[27112]: java.io.EOFException
zookeeper[27112]: at java.io.DataInputStream.readFully(DataInputStream.java:208)
zookeeper[27112]: at java.io.DataInputStream.readInt(DataInputStream.java:398)
27 February 2019
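The following script is an added example and not part of this page or of IBM's tooling. It confirms the IJ08092 condition by listing zero-length files in the ZooKeeper data directory named in the APAR text, so the EOFException above can be tied to a concrete file before a case is opened. The directory path comes from the APAR; the script only reports and deletes nothing, because the page gives no supported workaround.

```shell
# Added example (not IBM code): list zero-length files in the ZooKeeper
# data directory from IJ08092. Reports only; removal of files under
# /var/lib/zookeeper is not something this page supports doing yourself.
ZK_DIR=${ZK_DIR:-/var/lib/zookeeper/version-2}

# zero_length_files DIR -> paths of zero-length regular files directly in DIR, sorted
zero_length_files() {
  find "${1:-$ZK_DIR}" -maxdepth 1 -type f -size 0 2>/dev/null | sort
}

# check_zookeeper_dir DIR -> exit 0 if no zero-length files are present,
# exit 1 with a listing on stderr otherwise
check_zookeeper_dir() {
  dir=${1:-$ZK_DIR}
  empties=$(zero_length_files "$dir")
  if [ -n "$empties" ]; then
    echo "zero-length files in $dir (IJ08092 condition):" >&2
    printf '%s\n' "$empties" >&2
    return 1
  fi
  echo "OK: no zero-length files in $dir"
  return 0
}

# Usage on the Console after a failed microservices install:
#   check_zookeeper_dir /var/lib/zookeeper/version-2
```

Run it alongside `journalctl -u zookeeper`: a non-zero exit here together with the EOFException in readInt is the pattern the APAR describes.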
ASSETS IV89674 ASSET RECONCILIATION BLACKLIST REFERENCE SETS CAN BECOME BLOATED DUE TO NO EXPIRY DATE BEING SET CLOSED Install Baseline Maintenance Content Extension v1.0.5 or later 8 August 2018
REPORTS IJ06051 'WEEKLY SUCCESSFUL LOGIN EVENTS' REPORT CONTAINS QRADAR APP LOGINS CLOSED Install Baseline Maintenance Content Extension v1.0.5 or later 8 August 2018
REPORTS IJ02578 ASSET DEVIATION REPORT LINK CONTAINED WITHIN A SYSTEM NOTIFICATION DOES NOT WORK CLOSED Install Baseline Maintenance Content Extension v1.0.5 or later 28 August 2018
PERFORMANCE IV87193 QRADAR SYSTEM DEGRADATION AND/OR DROPPED EVENTS CAN BE CAUSED BY SOME VULNERABILITY CRE TESTS CLOSED Resolved in 7.2.8 Patch 11 24 August 2018
SEARCH IJ00698 LOG ACTIVITY SEARCH SHOWS TWO OR MORE ROWS WITH SAME EVENT NAME CLOSED Resolved in 7.3.1 Patch 5 31 July 2018
FLOWS IJ06593 QRADAR PACKET CAPTURE CAN SOMETIMES NOT INGEST/PROCESS PCAP FILES UNTIL A DEPLOY FULL CONFIGURATION IS PERFORMED CLOSED as unreproducible Complete a 'Deploy Full Configuration'. If you continue to experience this issue, contact QRadar Support. 30 July 2018
INSTALL/UPGRADE IJ01523 QRADAR UPGRADE TO 7.3.0.X ON SOFTWARE APPLIANCES CAN FAIL WITH ERROR 'STORAGE CONFIGURATION FAILED' CLOSED as Permanent restriction. No workaround available. 30 July 2018
SEARCH IJ05806 SOME LOG ACTIVITY SEARCHES STOP RETURNING RESULTS FROM LOG SOURCE GROUPS AFTER PATCH/UPGRADE TO QRADAR 7.3.1 CLOSED Resolved in 7.3.1 Patch 5 29 July 2018
RULE RESPONSE IJ04903 'THIS INFORMATION SHOULD SET OR REPLACE THE NAME OF THE ASSOCIATED OFFENSE' NOT ALWAYS WORKING AS EXPECTED CLOSED Resolved in 7.3.1 Patch 5 29 July 2018
REPORTS IJ05109 USING A FILTER CONTAINING A COMMA OPERATOR IN THE REGEX DOES NOT WORK WITH 'WHEN THE EVENT MATCHES THIS SEARCH FILTER' RULE CLOSED Resolved in 7.3.1 Patch 5 29 July 2018
REPORTS IJ04906 USING THE RIGHT-CLICK FILTER 'SOURCE OR DESTINATION IP IS...' IN A LOG ACTIVITY SEARCH DOES NOT WORK AS EXPECTED CLOSED Resolved in 7.3.1 Patch 5 29 July 2018
INSTALL/UPGRADE IJ05110 A FAILED AND ROLLED BACK PATCH ATTEMPT FROM 7.3.0.X TO 7.3.1.X CAN CAUSE ISSUES WHEN ATTEMPTING TO PATCH AGAIN CLOSED Resolved in 7.3.1 Patch 4 IF01 and ported to 7.3.1 Patch 5 29 July 2018
USER INTERFACE IJ05185 UNABLE TO EDIT QRADAR LDAP CONFIGURATION AFTER A PREVIOUSLY MAPPED USER ROLE OR SECURITY PROFILE IS DELETED CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
USER INTERFACE IV97787 THE QRADAR ASSET TAB CAN BE SLOW TO LOAD WHEN THERE ARE A LARGE NUMBER OF ASSET VULNERABILITY INSTANCES CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
SEARCHES IJ06611 POP UP WINDOW WITH NO SEARCH RESULTS WHEN DRILLING DOWN INTO SEARCH RESULTS CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
SEARCHES IJ05806 SOME LOG ACTIVITY SEARCHES STOP RETURNING RESULTS FROM LOG SOURCE GROUPS AFTER PATCH/UPGRADE TO QRADAR 7.3.1 CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
REPORTS IJ06278 RUNNING A LOG SOURCE REPORT AGAINST AN EMPTY LOG SOURCE GROUP RETURNS ALL LOG SOURCES CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
REPORTS IJ05341 'EXPORT TO XML' OR 'EXPORT TO CSV' FROM THE QRADAR ASSETS TAB CAN SOMETIMES UNEXPECTEDLY STOP/FAIL CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
SEARCHES IJ04906 USING THE RIGHT-CLICK FILTER 'SOURCE OR DESTINATION IP IS...' IN A LOG ACTIVITY SEARCH DOES NOT WORK AS EXPECTED CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
SEARCHES IJ03405 AQL SEARCHES THAT COMPLETE FROM THE LOG ACTIVITY PAGE CAN DISPLAY UNEXPECTED HTML CHARACTERS CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
SEARCHES IJ00489 COMMAS ARE SWITCHED TO 'OR' WHEN MULTIPLE CUSTOM EVENT PROPERTIES ARE CONTAINED IN A SEARCH CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
OFFENSES IV99417 OFFENSE START TIMES CAN JUMP BACK IN TIME IF CUSTOMER HAS LONG RUNNING OFFENSES AND LONG DELAY BETWEEN START AND STORAGE TIME. CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
OFFENSES IV92376 OFFENSES CAN SOMETIMES NOT GENERATE WHEN A RULE RESPONSE TO CREATE A NEW OFFENSE INDEXED BY HOSTNAME (CUSTOM) IS CONFIGURED CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
SEARCHES IV85637 TOP SOURCES AND TOP DESTINATION DASHBOARD SEARCHES REPORT DATA FROM ALL DOMAINS NOT JUST THE CONFIGURED ONES CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
FLOWS IV84601 CATEGORIZATION OF OFF-SITE SOURCE AND TARGET FOR FLOWS DISPLAYS AS 'UNKNOWN' AND APPLICATION DISPLAYS AS 'OTHER' CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
EVENTS IJ06381 EVENTS FORWARDED VIA AN OFFENSE RULE DO NOT HAVE A VALID SYSLOG HEADER APPENDED CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
EVENTS IJ05338 EVENT COLLECTION CAN STOP DUE TO A BUFFER UNDERFLOW EXCEPTION IN ECS-EC REQUIRING AN ECS-EC-INGRESS SERVICE RESTART CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
LOG SOURCES IJ04654 LOGFILE PROTOCOL LOG SOURCES CAN STOP WORKING, FAIL TO CONNECT WITH ERROR 'ALGORITHM NEGOTIATION FAIL' IN CONFIG WINDOW CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
OFFENSES IJ04225 USING THE QRADAR API "GET /SIEM/OFFENSE" TO RETRIEVE A LIST OF OFFENSES CAN TAKE LONGER THAN EXPECTED TO COMPLETE CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
OFFENSES IJ00971 AN APPLICATION ERROR MAY OCCUR IN THE OFFENSE TAB WHEN THE END TIME FOR AN OFFENSE IS IN THE FUTURE CLOSED This issue resolved in QRadar 7.3.1 Patch 5, QRadar 7.3.1 Patch 4, and QRadar 7.2.8 Patch 12 2 August 2018
CUSTOM EVENTS IJ00878 CUSTOM EVENT PROPERTY WITH SPACE IN ITS NAME IS NOT FORWARDED TO THE DESTINATION CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
SEARCHES IJ05096 QUICK SEARCHES CONTAINING AN 'AND' OPERATOR CAN SOMETIMES FAIL TO PROGRESS TO COMPLETION CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
LICENSES IJ03439 CLICKING THE 'SUSPECT CONTENT' ICON DISPLAYS A BLANK PAGE WHEN NO APPROPRIATE LICENSE IS INSTALLED/CONFIGURED CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
TRAFFIC IJ01001 QNI CLASSIFIES LDAP TRAFFIC AS FTP TRAFFIC CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
FLOWS IJ02836 NO FLOWS BEING RECEIVED FROM A QFLOW APPLIANCE CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
DATABASE IJ04314 QRADAR DATABASE REPLICATION TO MANAGED HOSTS CAN FAIL WHEN THE CONSOLE /STORETMP HAS INSUFFICIENT FREE SPACE AVAILABLE CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
DATA IJ03316 DATA BACKUPS FAIL WHEN EVENT/FLOW LOG HASHING IS ENABLED CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
LOG SOURCES IJ02749 'TARGET EXTERNAL DESTINATIONS' BECOMES UNSELECTED AFTER PERFORMING A 'BULK EDIT' OF LOG SOURCES CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
RULES IJ02262 RULES IMPORTED FROM A SYSTEM WITH CONFIGURED DOMAINS TO A SYSTEM WITHOUT DOMAINS CAN SEE REFERENCE SET DATA ISSUES CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
UPGRADE IJ06277 UPGRADE TO 7.3.X FAILS AND PROMPTS FOR REDHAT ISO WHEN /VAR/LOG/INSTALL.LOG IS MISSING CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
UPGRADES IJ05311 GARP REQUEST DURING HA_SETUP.SH CAN SOMETIMES BE BLOCKED BY A NETWORK SWITCH PREVENTING ARP TABLES FROM BEING UPDATED CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
UPGRADES IJ05110 A FAILED AND ROLLED BACK PATCH ATTEMPT FROM 7.3.0.X TO 7.3.1.X CAN CAUSE ISSUES WHEN ATTEMPTING TO PATCH AGAIN CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
UPGRADES IJ04472 RECOVERY REINSTALL ON A HIGH AVAILABILITY PRIMARY CAN FAIL DISPLAYING AS 'UNKNOWN' STATE IN SYSTEM AND LICENSE WINDOW CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
UPGRADES IJ03981 QRADAR UPGRADE AND/OR PATCH FAILS WITH 'ERROR EXECUTING 34-POSTGRESQL-UPGRADE.SH' WHEN UNEXPECTED DATABASE EXIST CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
UPGRADES IJ00104 QRADAR UPGRADE TO 7.3.0.X CAN FAIL "...GENERATE_ENVIRONMENT.SH: OPTION REQUIRES AN ARGUMENT -- N" CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
APPLIANCES IJ05193 SOME QRADAR SOFTWARE APPLIANCES ARE NOT ABLE TO ADD A QVM SCANNER IN THE QRADAR USER INTERFACE CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
SECURITY IJ01123 Q1X509TRUSTMANAGER LEAKS FILE HANDLES IF THERE IS A TRUST STORE IN /OPT/QRADAR/CONF/TRUSTED_CERTIFICATES CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
DEVICES IJ02635 'APPLICATION ERROR' WHEN PERFORMING A NORMALIZED DEVICE COMPARISON FOR A PALO ALTO DEVICE CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
QVM SCANS IJ06302 SCAN EXPORT DOES NOT HONOR SPECIFIED VULNERABILITIES THAT ARE CONFIGURED IN THE SCAN POLICY CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
QVM DOMAINS IJ01180 INTERACTION WITH IBM BIGFIX AND QVM CAN FAIL WHEN DOMAIN AUTHENTICATION IS USED CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
ASSETS IJ00941 EXCEPTIONED VULNERABILITIES ARE STILL APPEARING IN MANAGE VULNERABILITY VIEW FOR SOME ASSETS CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
EVENTS IJ02457 UNPARSED CRE EVENTS CONTAINING 'WHERE CATEGORY BETWEEN..." OBSERVED WHEN USER BEHAVIOR ANALYTICS (UBA) APP INSTALLED CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
REPORTS IJ04421 REPORTS CAN FAIL TO RUN WHEN EVENT AND/OR FLOW HASHING WITH HMAC IS ENABLED IN ARIEL DATABASE SETTINGS CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
LOGS IV98932 /VAR/LOG/ PARTITION CAN BECOME FILLED DUE TO REPEATED TEST EXCEPTION MESSAGES BEING LOGGED CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
SCANS IV97516 'WHEN THE DESTINATION IS VULNERABLE TO CURRENT EXPLOIT ON ANY PORT' RULE TEST STOPS WORKING AFTER VULNERABILITY SCAN CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
USER INTERFACE IJ06084 SETTING A DELEGATED ADMINISTRATION PERMISSION FOR 'MANAGE REFERENCE DATA' ONLY DOES NOT ALLOW ACCESS TO ADMIN TAB CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
API IJ06032 CHANGES MADE WITHIN THE INCLUDED QRADAR API CHANGED HOW SOME QRADAR APPS FETCH DATA (EG. USER BEHAVIOR ANALYTICS - UBA) CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
SEARCHES IJ05712 QRADAR REFERENCE SET DATA FILTER SEARCHES (MANUAL AND WITHIN SOME APPS) CAN TAKE LONGER THAN EXPECTED TO COMPLETE CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
SEARCHES IJ05109 USING A FILTER CONTAINING A COMMA OPERATOR IN THE REGEX DOES NOT WORK WITH 'WHEN THE EVENT MATCHES THIS SEARCH FILTER' RULE CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
EVENTS IJ04903 'THIS INFORMATION SHOULD SET OR REPLACE THE NAME OF THE ASSOCIATED OFFENSE' NOT ALWAYS WORKING AS EXPECTED CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
SEARCHES IJ03209 'ADD' BUTTON DOES NOT WORK WHEN AN 'EQUALS ANY OF' CONDITION IS PRESENT WITHIN THE RULE WIZARD WITH MORE THAN ONE PROPERTY CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
RULES IJ02670 RULE TEST 'AND WHEN THE URL (CUSTOM) IS CATEGORIZED BY X-FORCE AS ONE OF THE FOLLOWING CATEGORIES' CAN SOMETIMES FAIL TO FIRE CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
REFERENCE SETS IJ02533 ERROR 'JAVA.LANG.NUMBERFORMATEXCEPTION:EMPTY STRING' IS GENERATED WHEN ATTEMPTING TO ADD REFERENCE SET VALUES CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
RULES IJ02437 BUILDING BLOCKS CAN FAIL TO WORK AS EXPECTED WHILE RULES ARE BEING RELOADED CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
RULES IJ00772 REGULAR EXPRESSIONS IN THE RULE EDITOR DO NOT WORK WITH JAPANESE CHARACTERS CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
SERVICES IJ02782 REQUIRED SERVICES RESTART IS NOT PERFORMED AFTER SWITCH FROM DAYLIGHT SAVING TIME TO STANDARD TIME CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
USER INTERFACE IJ07150 REPORT GROUPS ARE SOMETIMES NOT SHAREABLE FROM AN ADMIN TO A NON-ADMIN USER CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
FORENSICS DECAPPER IJ07872 QRADAR NETWORK INSIGHTS STOPS PROCESSING FLOWS, PACKETS DROPPED BY THE DECAPPER CLOSED This issue resolved in QRadar 7.3.1 Patch 5 2 August 2018
EVENTS IJ02819 '...SENT A TOTAL OF XXXX EVENT(S) DIRECTLY STORAGE...QUEUE IS AT 0 PERCENT CAPACITY' DURING OVER LICENSE EPS SPIKES CLOSED Resolved in:
QRadar 7.3.1 Patch 5 (7.3.1.20180720020816)
QRadar 7.3.1 Patch 4 Interim Fix 1 (7.3.1.20180601192933)
27 July 2018
WINCOLLECT IJ05619 NETAPP DATA ONTAP EVENTS THAT ARE COLLECTED USING WINCOLLECT CAN BE MISSING EVENT PAYLOAD DATA FOLLOWING MESSAGE= CLOSED This issue is resolved in WinCollect 7.2.8 10 July 2018
WINCOLLECT IJ03314 WINCOLLECT AGENT STOPS SENDING EVENTS TO COLLECTOR 'COULD NOT RESTART AGENT PROCESS AFTER UNEXPECTED EXIT' IN LOGS CLOSED This issue is resolved in WinCollect 7.2.8 10 July 2018
WINCOLLECT IJ02840 UNABLE TO UPGRADE/INSTALL WINCOLLECT 7.2.7 ON WINDOWS SERVER CORE 2016 USING THE PATCH/CONFIGURATION CONSOLE INSTALLER CLOSED This issue is resolved in WinCollect 7.2.8 10 July 2018
WINCOLLECT IJ02744 WINCOLLECT CAN SOMETIMES STOP COLLECTING SECURITY EVENTS DUE TO AN ISSUE WITH SID TRANSLATION CLOSED This issue is resolved in WinCollect 7.2.8 10 July 2018
WINCOLLECT IJ01529 WINCOLLECT 7.2.7 LOG SOURCES CONFIGURED TO USE MSEVEN6 AND POLLING INTERVAL OF 1500 OR LOWER CAN STOP RECEIVING LOGS CLOSED This issue is resolved in WinCollect 7.2.8 10 July 2018
WINCOLLECT IJ01089 HIGH CPU LOAD OBSERVED AFTER UPGRADING WINCOLLECT TO VERSION 7.2.7 AND USING MSEVEN6 CLOSED This issue is resolved in WinCollect 7.2.8 10 July 2018
WINCOLLECT IJ01531 WINCOLLECT CAN SOMETIMES STOP GATHERING WINDOWS IIS LOGS UNTIL A RESTART OF THE AGENT OCCURS CLOSED This issue is resolved in WinCollect 7.2.8 10 July 2018
WINCOLLECT IJ01528 DUPLICATE WINCOLLECT HOSTNAMES CAN BE CREATED DURING A WINCOLLECT UPGRADE CLOSED This issue is resolved in WinCollect 7.2.8 10 July 2018
WINCOLLECT IV96284 UPGRADING THE WINCOLLECT .SFS CAN REQUIRE AN ADDITIONAL 'DEPLOY FULL CONFIGURATION' TO COMPLETE SOME AGENT INSTALLATIONS CLOSED This issue is resolved in WinCollect 7.2.8 and later. See WinCollect 101 for the latest software release. 10 July 2018
WINCOLLECT IJ06382 INSTALLING WINCOLLECT 7.2.7 ON QRADAR 7.3.1.X REQUIRES THE ECS-EC-INGRESS PROCESS TO BE RESTARTED CLOSED This issue is resolved in WinCollect 7.2.8 10 July 2018
WINCOLLECT IJ01186 WINCOLLECT AGENT STATUS DISPLAYED IN THE QRADAR USER INTERFACE CAN BE INACCURATE CLOSED This issue is resolved in WinCollect 7.2.8 10 July 2018
WINCOLLECT IJ01921 WINCOLLECT VERSION 7.2.6 AND HIGHER LOG SOURCES CONFIGURED WITH MSEVEN6 PROTOCOL USE A DYNAMIC PORT RANGE 49152 TO 65535 CLOSED This issue is resolved in WinCollect 7.2.8 10 July 2018
CONFIGURATION SERVER PROTOCOL (WINCOLLECT) IV99280 CHANGES MADE TO THE WINCOLLECT SERVER CONFIGURATION ARE NOT PUSHED OUT TO WINCOLLECT AGENTS CLOSED This issue is resolved in QRadar 7.2.8 Patch 14 24 October 2018
WINCOLLECT IV96608 WINCOLLECT 7.2.6 STOPS COLLECTING EVENTS ON WINDOWS COMPUTERS AFTER THEY REBOOT/RESTART CLOSED This issue is resolved in WinCollect 7.2.7 8 September 2017
WINCOLLECT IV98218 WINCOLLECT PULLS INCOMPLETE PAYLOADS FROM 32 BIT VERSIONS OF MICROSOFT WINDOWS SERVER OS DNS EVENT LOGS CLOSED This issue is resolved in WinCollect 7.2.7 8 September 2017
WINCOLLECT IV91737 KOREAN LANGUAGE CHARACTERS DO NOT DISPLAY CORRECTLY IN EVENTS THAT ARE GATHERED USING WINCOLLECT FILE FORWARDING CLOSED Resolved in WinCollect 7.2.6 29 May 2017
WINCOLLECT IV92211 EVENT PAYLOAD IS TRUNCATED AFTER 'MESSAGE=' FOR WINDOWS EVENT ID 4688 WHEN USING AN XPATH QUERY IN A WINCOLLECT LOG SOURCE CLOSED This issue is resolved in WinCollect 7.2.6 29 May 2017
WINCOLLECT IV96364 THE WINCOLLECT 7.2.6 .SFS FOR QRADAR 7.3 NEEDS TO BE APPLIED AFTER UPGRADING QRADAR FROM 7.2.8.X TO 7.3.0.X CLOSED This issue is resolved in WinCollect 7.2.6 29 May 2017
SEARCH IJ10953 'ADD +' BUTTON CAN STOP RESPONDING WHEN USING THE 'SEARCH FILTER' RULE TEST WITH 'EQUALS ANY OF' OPTION OPEN: FOUND IN QRADAR 7.2.8 Use/create a Building Block to match multiple entries to apply as a single test condition to the rule. 28 November 2018
LOG SOURCE GROUPS IJ10154 AN 'ERROR OCCURRED WHILE SEARCHING FOR DEPENDENTS' MESSAGE WHEN DELETING AN EMPTY LOG SOURCE GROUP OPEN: REPORTED IN QRADAR 7.2.7 Contact QRadar Support for a possible workaround that might address this issue in some instances. 28 November 2018
DISK SPACE / HA SECONDARY IJ10640 /VAR/LOG/ PARTITION CAN FILL ON HIGH AVAILABILITY SECONDARIES DUE TO /VAR/LOG/SYSTEMSTABMON NOT BEING ROTATED CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

Users who see HA secondary appliances unexpectedly in an Unknown state should consider upgrading to resolve this log rotation issue.
28 November 2018
GEOGRAPHIC DATA IJ11032 HOVER OVER OF AN IP ADDRESS'S GEOGRAPHIC FLAG CAN SOMETIMES SHOW INCORRECT INFORMATION CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852) 28 November 2018
COMMAND LINE IJ11110 BENIGN ERROR IN QRADAR LOGGING 'RUNTIME EXCEPTION PROCESSING REQUEST GET QUERY STATUS - QUERYSTATUSWAIT...' CLOSED Resolved in QRadar 7.3.2 (7.3.2.20190201201121). 14 May 2019
OFFENSES IJ10956 'OFFENSES' COUNT NUMBER DISPLAYED ON THE OFFENSE SUMMARY SCREEN CAN BE INCORRECT IN MULTI-DOMAIN ENVIRONMENTS OPEN: REPORTED IN QRADAR 7.2.8 No workaround available. 28 November 2018
APP FRAMEWORK IJ10675 QRADAR APPS FAIL TO INSTALL WHEN THE EXTENSION VALIDATION KEYSTORE PASSWORD CANNOT BE DECRYPTED OPEN: REPORTED IN QRADAR 7.3.1 No workaround available. 28 November 2018
APP FRAMEWORK IJ10949 QRADAR APPS CAN SOMETIMES FAIL TO LOAD DUE TO A RACE CONDITION AFTER THE TOMCAT SERVICE HAS BEEN RESTARTED OPEN: REPORTED IN QRADAR 7.3.1 PATCH 5 IF01 A manual restart of select services from the command line of the QRadar Console can sometimes correct the issue. To restart services, log in as root and type: 1. systemctl stop hostcontext, 2: systemctl restart tomcat, 3: systemctl start hostcontext. The QRadar user interface will be inaccessible until all required services are successfully restarted. If you are unsure of this procedure, Contact QRadar Support. 28 November 2018
SEARCH IJ10924 SEARCH DATA CONFIGURED TO BE ACCUMULATED (TIME SERIES) CAN FAIL TO DISPLAY DUE TO INVALID REGEX OPEN: REPORTED IN QRADAR 7.3.0 AND 7.3.1 VERSIONS No workaround available. 28 November 2018
MSRPC PROTOCOL IJ11495 DISABLED MSRPC CONNECTIONS DO NOT ALWAYS CLOSE THE CONNECTION BETWEEN THE QRADAR HOST AND THE WINDOWS SYSTEM OPEN: REPORTED IN PROTOCOL-WINDOWSEVENTRPC-7.3-20170818183912 No workaround available. 23 November 2018
API IJ11393 USING THE API TO UPDATE LOG SOURCES CAN RETURN: 'COULD NOT UPDATE LOGSOURCE {NUMBER}. THE TOTAL MAXIMUM...' OPEN: REPORTED IN QRADAR 7.3.1 PATCH 3 No workaround available. 21 November 2018
DASHBOARD IJ11170 DASHBOARD SEARCHES CONTAINING SEARCHES WITH UNIQUE COUNTS ENABLED CAN DISPLAY INCONSISTENT RESULTS OPEN: REPORTED IN QRADAR 7.2.8 No workaround available.

It has been identified that Dashboards and Reports created with searches using unique counts can display results that differ from what is displayed for the same search run in Log Activity. When this issue occurs, Dashboard results over longer periods also show significantly lower values than a more recent time period.
05 March 2019
OFFENSES IJ10557 OFFENSE PAGE CAN BE SLOW TO LOAD WHEN TOO MANY INACTIVE OFFENSES REMAIN AFTER THE RETENTION PERIOD HAS ELAPSED OPEN: REPORTED IN QRADAR 7.2.8 For more details on Offense retention, see the QRadar Knowledge Center 21 November 2018
ADVANCED SEARCH (AQL) IJ11113 AQL SEARCH CAN GENERATE A "FAILED TO INSTANTIATE FUNCTION 'INOFFENSE'" ERROR MESSAGE CANCELLED Unable to reproduce the problem on the reported release. It has been determined that this AQL query issue is not reproducible or falls outside the intended functionality of QRadar. 16 November 2018
SEARCH IJ10582 SEARCH WITH FILTER 'USERNAME IS NOT N/A' IN REPORTS AND DASHBOARDS CAN CAUSE 'ACCUMULATOR FALLING BEHIND' SYSTEM NOTIFICATIONS OPEN: REPORTED IN QRADAR 7.3.1 PATCH 6 IF 1 Where possible, do not use the search filter "Username is not N/A" until the fix pack is released that addresses this issue. 16 November 2018
SYSTEM DATE / TIME IJ10892 MANUALLY SETTING APPLIANCE SYSTEM DATE IN THE QRADAR USER INTERFACE CAN CHANGE THE DATE TO -1 DAY AFTER SERVICES ARE RESTARTED OPEN: REPORTED IN QRADAR 7.3.1 PATCH 5 Contact QRadar Support for a possible workaround that might address this issue in some instances. 7 November 2018
USER INTERFACE IJ10395 HOVER-TEXT DISPLAYS 'NO EXTRA DATA FOR COULD BE LOCATED FOR THIS ITEM' INSTEAD OF LDAP USERNAME IN DOMAIN ENVIRONMENT CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852) 1 November 2018
NETWORK HIERARCHY / SECURITY PROFILE IJ10376 NAME CHANGE MADE TO A NETWORK HIERARCHY OBJECT IS NOT REFLECTED IN THE QRADAR ADMIN - SECURITY PROFILES OPEN: REPORTED IN QRADAR 7.2.8 No workaround available. 1 November 2018
APP FRAMEWORK IJ10112 QRADAR APPS FAIL TO LOAD WITH 'UNAUTHORIZED: AUTHENTICATION REQUIRED' IN QRADAR LOGS OPEN: REPORTED IN QRADAR 7.3.0 AND QRADAR 7.3.1 VERSIONS Contact QRadar Support for a possible workaround that might address this issue in some instances. 1 November 2018
FLOWS IJ10404 FLOWS EXCEEDING 4GB IN SIZE DISPLAY INCORRECT PACKET AND BYTE NUMBERS OPEN: REPORTED IN QRADAR 7.3.0 AND QRADAR 7.3.1 VERSIONS Contact QRadar Support for a possible workaround that might address this issue in some instances. 1 November 2018
EVENT RETENTION IJ07162 CONFIGURED DATA RETENTION DELETE SETTINGS ARE NOT HONORED FOR MULTI-TENANCY CLOSED Resolved in:
QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)
QRadar 7.3.1 Patch 6 (7.3.1.20180912181210)
31 OCTOBER 2018
SEARCH IJ10743 SEARCH WITH 'CONTAINS ANY OF' CAN BE SLOWER TO COMPLETE WHEN USING SOME NON-ENGLISH LOCALES FOR QRADAR CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

The search can be run using either ILIKE in AQL or 'matches any' for faster results when using a non-English locale for the QRadar User Interface.
31 OCTOBER 2018
OFFENSES IJ09472 OFFENSES CAN FAIL TO GENERATE AFTER CHANGES ARE MADE TO THE NETWORK HIERARCHY CLOSED Resolved in:
QRadar 7.3.2 (7.3.2.20190201201121)
QRadar 7.3.1 Patch 5 (7.3.1.20180720020816)

Workaround: Restart the Console's ecs-ep process from an SSH session, or perform a Deploy Full Configuration from the user interface; either action should correct this issue.

Command line: systemctl restart ecs-ep
QRadar User Interface: Admin -> Advanced drop down -> Deploy Full Configuration

NOTE: Proper QRadar functionality requires all necessary QRadar services to be in a running state. Restarting services or performing a Deploy Full Configuration can cause an interruption of collection, processing and/or storage of events/flows until all required services are functioning as required.
31 OCTOBER 2018
REPORTS IJ09185 REPORTS CREATED FROM AN AQL QUERY ON ACCUMULATED OR RAW DATA THAT CONTAIN A SUB-SELECT QUERY FAIL TO GENERATE OPEN: REPORTED IN QRADAR 7.3.1 PATCH 1 No workaround available. 31 OCTOBER 2018
USER INTERFACE ACCESS IJ09375 TOMCAT OUT OF MEMORY CAN OCCUR WHEN API GET REQUEST PULLS A VERY LARGE /LOCAL_DESTINATION_ADDRESSES OPEN: REPORTED IN QRADAR 7.3.1 PATCH 1 No workaround available. 1 NOVEMBER 2018
COMMAND LINE IJ10111 FALSE POSITIVE (BENIGN) QRADAR LOG MESSAGES THAT APPEAR TO INDICATE A PROBLEM WITH QRADAR MAGISTRATE (MPC) AFTER DEPLOY OPEN: REPORTED IN QRADAR 7.3.1 PATCH 4 Administrators who see the transaction exception error messages defined in the APAR can ignore these benign log messages. No workaround available. 31 OCTOBER 2018
RULES IJ10827 DISABLED CUSTOM EVENT PROPERTIES (CEP) IN RULES OR CALCULATED CEP'S CAN CAUSE RULES NOT TO FIRE AS EXPECTED CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

From an SSH session to the QRadar Console appliance, administrators can locate the affected properties with the following command, then enable them in the user interface:
grep -r "UnknownPropertyException" /var/log/ | grep -o -E "No property '[a-zA-Z0-9 ]+' exists" | sort | uniq
1 NOVEMBER 2018
MANAGED HOSTS IJ10406 ATTEMPTING TO RE-ADD A MANAGED HOST (MH) THAT ORIGINALLY FAILED TO ADD DUE TO TIMEOUT CAN LEAVE THE MH IN A STUCK STATE OPEN: REPORTED IN QRADAR 7.3.1 VERSIONS Contact QRadar Support for a possible workaround that might address this issue in some instances. 30 OCTOBER 2018
MICROSOFT OFFICE 365 IJ08977 MICROSOFT OFFICE 365 LOG SOURCE CAN STOP COLLECTING WITH 'ERROR -AN ERROR OCCURRED INDICATING THAT THE REQUIRED CERTIFICATE..' CLOSED This issue has been resolved in the following protocol updates delivered via QRadar weekly auto updates:
  • PROTOCOL-Office365RESTAPI-7.3-20190527145902.noarch.rpm or later
  • PROTOCOL-Office365RESTAPI-7.2-20190527145902.noarch.rpm or later

This update resolves multiple issues:
1. Resolves an issue where the protocol could retrieve duplicate events when polling for data.
2. Resolves an issue where the protocol could ask for a range of data larger than what the Office 365 API would allow. This issue was caused by a change made by Microsoft to Office 365.
3. Resolves an issue where Office 365 could incorrectly change how other protocols validate certificates.
4. Resolves an issue where the Log Source API could treat the client secret as a text field instead of a password field in QRadar 7.3.x versions.
5. If you are manually updating protocol RPMs, this update requires the latest version of the Protocol Common framework to be installed on the QRadar Console first.

09 January 2019
SEARCH IJ10377 FILTERING BY MULTIPLE REFERENCE SETS USING 'DOES NOT EXIST IN ANY OF' DOES NOT WORK AS EXPECTED CLOSED Closed as suggestion for future release. It has been identified that using a reference set search filter that uses "Does not exist in any of" with multiple reference sets does not filter the results as expected. It has been noted in the APAR comments that users can use the search value "Does not exist in all of" to work around the issue.

A suggestion APAR identifies a function/operation that is not within the product specifications, for which a fix is not planned. Implementation of this modification would be a product enhancement. This APAR is considered for any future products/releases. For more information on feature requests and QRadar, see the QRadar Support Request for Enhancement (RFE) FAQ page.
11 June 2019
AUTO UPDATE IJ10791 'MANIFEST REQUIRES VERSION 8.9 BUT THE SCRIPTS ONLY CONTAIN 8.8. CANNOT CONTINUE' AFTER AUTOUPDATE IS RUN OPEN: REPORTED IN QRADAR 7.3.1 VERSIONS Download the file autoupdate-8.9-2.noarch.rpm from IBM Fix Central and copy it to the QRadar Console. After the file is copied onto the QRadar console, install it via an SSH session to the QRadar console using the following command: yum -y install autoupdate-8.9-2.noarch.rpm 27 OCTOBER 2018
WINCOLLECT IJ10748 THE WINCOLLECT FILE FORWARDER CAN SOMETIMES STOP FORWARDING LESS ACTIVELY UPDATED FILES/DIRECTORIES CLOSED Resolved in WinCollect 7.2.8 Patch 1. See WinCollect 7.2.8 Patch 2 release notes to update as Fix Central no longer lists WinCollect 7.2.8 Patch 1 for download. 7 DECEMBER 2018
WINCOLLECT IJ12128 WINCOLLECT BUILD NUMBER IS NOT DISPLAYED IN THE WINCOLLECT AGENT VERSION FIELD CLOSED Resolved in WinCollect 7.2.8 Patch 2 19 December 2018
WINCOLLECT IJ10390 WINCOLLECT AGENTS DO NOT COMPLETE INSTALLATION DUE TO UNSUCCESSFUL PULL OF THE REQUIRED .PEM FILE CLOSED Resolved in WinCollect 7.2.8 Patch 1. See WinCollect 7.2.8 Patch 2 release notes to update. IBM Fix Central no longer lists WinCollect 7.2.8 Patch 1 for download. 25 OCTOBER 2018
REPORTS IJ06125 A REPORT RUNNER OUT OF MEMORY CAN SOMETIMES OCCUR WHILE CREATING A REPORT WITH PDF FORMAT WITH VERY HIGH LIMITS (65K) RECORDS CLOSED Duplicate of IJ06862 and resolved in QRadar 7.3.1 Patch 6 25 OCTOBER 2018
HIGH AVAILABILITY (HA) IJ10367 HIGH AVAILABILITY (HA) FAILOVER CAN OCCUR WHEN A PING TEST FAILS FROM THE ACTIVE NODE AND SUCCEEDS FROM THE STANDBY OPEN: REPORTED IN MULTIPLE QRADAR 7.2.8 VERSIONS Contact QRadar Support for a possible workaround that might address this issue in some instances. 20 OCTOBER 2018
NETWORK HIERARCHY IJ09228 'AN ERROR OCCURRED STRING INDEX OUT OF RANGE' WHEN EXPANDING OR COLLAPSING NETWORK HIERARCHY OPEN Rename the network to ensure the name does not conflict. 16 OCTOBER 2018
DOMAINS & TENANTS IJ09193 NON-ADMIN TENANT USER CANNOT SEE FLOW OFFENSES IN THE DOMAIN THEY HAVE PERMISSIONS FOR OPEN No workaround available. 16 OCTOBER 2018
REPORTS IJ08958 REPORT FAILS WITH RESULTSET OBJECT DOES NOT CONTAIN COLUMN "SINGLEARGSCALARFUNCTIONADAPTER(SUM(EVENTCOUNT))" OPEN: REPORTED IN QRADAR 7.3.1 PATCH 4 No workaround available. 16 OCTOBER 2018
SEARCH - AQL CUSTOM PROPERTIES IJ08858 'APPLICATION ERROR' WHEN VIEWING EVENTS AFTER A QRADAR USER HAS BEEN REMOVED THAT CREATED AQL CUSTOM PROPERTIES CLOSED Resolved in:
QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)
QRadar 7.3.2 (7.3.2.20190201201121)
16 OCTOBER 2018
DATA NODE IJ09057 'TUNNEL HAS FAILED TO START' MESSAGES AFTER REASSIGNING AN ENCRYPTED DATA NODE TO A DIFFERENT EVENT PROCESSOR OPEN Contact QRadar Support for a possible workaround that might address this issue in some instances.

It has been identified that residual tunnel configuration data exists on an Event Processor (EP) after reassigning an encrypted Data Node from that EP to a different EP. Messages similar to the following might be visible in /var/log/qradar.log when this occurs:
[hostcontext.hostcontext] [ProcessMonitor] com.q1labs.hostcontext.processmonitor.ProcessManager: [ERROR] [127.0.0.1/- -] Process tunnel.tunnel7 has failed to start for 1884 intervals. Continuing to try to start...
[hostcontext.hostcontext] [ProcessMonitor] com.q1labs.hostcontext.processmonitor.ProcessManager: [ERROR] [127.0.0.1/- -] Process tunnel.tunnel6 has failed to start for 1884 intervals. Continuing to try to start...
16 OCTOBER 2018
RIGHT-CLICK IJ08964 RIGHT CLICK FOR "X-FORCE EXCHANGE LOOKUP" IS NOT DISPLAYED ON URL ITEM FROM AN AQL QUERY SEARCH IN LOG ACTIVITY OPEN: REPORTED IN QRADAR 7.2.8 PATCH 12 No workaround available. 16 OCTOBER 2018
HIGH AVAILABILITY (HA) IJ08975 /STORE ON ISCSI MOUNT CAN EXPERIENCE CORRUPTION DURING A HIGH AVAILABILITY (HA) FAILOVER OPEN: REPORTED IN QRADAR 7.3.0 AND 7.3.1 VERSIONS No workaround available. 16 OCTOBER 2018
REPORTS IJ09156 SOME OUT OF THE BOX QRADAR REPORTS COMPLETE SUCCESSFULLY WHILE GENERATING A RUNTIMEEXCEPTION IN QRADAR LOGS CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

It has been identified that some out of the box QRadar reports complete successfully, but generate a "RuntimeException" in the QRadar logs. List of affected reports:

Daily reports
  • Daily Top Applications (Internet)
  • Daily Geographic Traffic Distribution
  • Daily User Authentication Activity
  • Top_IDSIPS_Alerts_Daily
Weekly reports
  • Top Applications (Internet) Weekly
  • Top IDS/IPS Alerts (Weekly)
  • Top IDS/IPS Alerts by Geography (Weekly)
Messages similar to the following might be visible in /var/log/qradar.log when this issue is occurring for reports:
[report_runner] [main] com.q1labs.reporting.ReportServices: [WARN] [NOT:0000004000127.0.0.1/- -] [-/- -]Error occurred creating Accumulated Result Set. Trying to fall back to raw query if possible.
16 OCTOBER 2018
OFFENSES - HISTORICAL CORRELATION IJ08422 OFFENSE NAMES CREATED FROM HISTORICAL CORRELATION USE EVENT/FLOW LOW LEVEL CATEGORY INSTEAD OF EVENT NAME CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852) 16 OCTOBER 2018
USER BEHAVIOR ANALYTICS APPLICATION IJ08911 MACHINE LEARNING FAILS DURING USER BEHAVIOR ANALYTICS (UBA) INSTALLATION ON QRADAR 7.3.1 PATCH 5 OPEN: REPORTED IN QRADAR 7.2.8 PATCH 5 See the following technical note: User Behavior Analytics: Troubleshooting Machine Learning after message 'Installation has failed' in QRadar 7.3.1 Patch 5 16 OCTOBER 2018
BACKUP / RECOVERY IJ08864 CONFIG RESTORE WITH ONLY THE 'INSTALLED APPLICATIONS CONFIGURATION' CHECK BOX SELECTED CLOSES ALL OFFENSES OPEN: Reported in QRadar 7.3.1 Patch 4 No workaround available.

It has been identified that when a config restore is performed with only the 'Installed Applications Configuration' check box selected, all Offenses are set to closed status. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[hostcontext.hostcontext] [BackupServices_restore] com.q1labs.hostcontext.backup.BackupRecoveryEngine: [INFO][127.0.0.1/- -]Current task: reset sim
16 October 2018
WINCOLLECT IJ10392 WINCOLLECT 7.2.8 NOT RECEIVING WINDOWS IAS LOGS WHEN CONFIGURED USING "IAS LEGACY" FORMAT. OPEN: REPORTED IN WINCOLLECT 7.2.8 No workaround available. 15 OCTOBER 2018
JDBC PROTOCOL IJ10114 'TABLE NOT FOUND' MESSAGE WHEN USING UPPER CASE TABLE NAMES TO JOIN WITH POSTGRES (LOWER CASE) OPEN: REPORTED IN QRADAR 7.2.8 AND QRADAR 7.3.1 VERSIONS Administrators can verify with the database administrator if the tables are case sensitive before they connect using the JDBC protocol. 12 OCTOBER 2018
OFFENSE MANAGER IJ09316 SOURCE IPS AND DESTINATION IPS DISPLAY 'UNAUTHORIZED' IN OFFENSES TAB FOR USERS WITH APPROPRIATE RIGHTS OPEN: REPORTED IN QRADAR 7.3.1 PATCH 6 Avoid duplicate names within the Network Hierarchy and Network Group names. 9 OCTOBER 2018
LOG SOURCE GROUPS IJ08218 A NON-ADMIN USER WITH NON-ADMIN USER ROLE AND WITH ADMIN ROLE PERMISSIONS CAN SOMETIMES NOT CHANGE A LOG SOURCE GROUP CLOSED Resolved in QRadar 7.3.2 (7.3.2.20190201201121)

Where possible, use the admin user role instead of a non-admin user role with admin permissions until a software update is released.
9 OCTOBER 2018
LOG SOURCE GROUPS IJ07879 QRADAR APP GRAPHING STOPS, DISPLAYS A BLANK SCREEN CLOSED Resolved in:
QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)
QRadar 7.3.2 (7.3.2.20190201201121)
QRadar 7.3.1 Patch 8 IF01 (7.3.1.20181217203039)
19 OCTOBER 2018
FLOWS - FLOW PROCESSORS IJ09226 [EC] FLOW PROCESSORS WITH MANY CONNECTED FLOW COLLECTORS CAN RUN OUT OF FILE HANDLES FOR THE ECS-EC PROCESS OPEN: REPORTED IN QRADAR 7.3.0 VERSIONS No workaround available. 3 OCTOBER 2018
GEOGRAPHIC DATA IJ08974 QRADAR GEOGRAPHIC FILTERS DO NOT WORK FOR COUNTRY NAMES THAT DO NOT MATCH THE MAXMIND DATABASE CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)
26 SEPTEMBER 2018
OFFENSE MANAGER IJ08399 OFFENSE SUMMARY PAGE CAN SOMETIMES TAKE LONGER THAN EXPECTED TO LOAD OPEN: REPORTED IN QRADAR 7.3.1 PATCH 3 No workaround available. 26 SEPTEMBER 2018
AUDIT EVENTS IJ09486 SIM AUDIT BACKEND SECURITY EVENTS DO NOT EASILY ALLOW FOR SYSTEM IDENTIFICATION CLOSED This issue has been resolved in the following Device Support Module (DSM) updates:

  • DSM-SIMAudit-7.2-20190307101941.noarch.rpm or later
  • DSM-SIMAudit-7.3-20190307131138.noarch.rpm or later

Details: It has been identified that the SIM Audit Backend events do not easily allow for identification of which QRadar appliance the commands were run on. The events carry no identifying information (such as the system IP address) indicating on which system in the QRadar environment the commands were run. For example:
Aug 21 11:27:45 127.0.0.1 127.0.0.1 root@127.0.0.1 38666 22 | [Backend] [Command] [CommandExecuted] : ls -ltr /store/
Aug 21 11:28:21 127.0.0.1 127.0.0.1 root@127.0.0.1 59414 22 | [Backend] [Command] [CommandExecuted] : rm -fv /tmp/activationkey.*

Administrators will receive updates for this issue from QRadar weekly auto updates. QRadar Console appliances without access to the Internet can download the files from the AutoUpdate bundle posted to IBM Fix Central and manually install the weekly update on their QRadar Console appliance.

26 SEPTEMBER 2018
SERVICES / DATA PIPELINE IJ05649 'DEPLOY CHANGES' CAN SOMETIMES CAUSE A DROP IN CONNECTION BETWEEN ECS-EC AND ECS-EP LEADING TO EVENTS BEING DROPPED CLOSED Resolved in QRadar 7.3.1 patch 6. 27 SEPTEMBER 2018
SEARCH / HISTORICAL CORRELATION IJ08851 NULLPOINTER EXCEPTION IN LOGS WHEN LOADING A SAVED SEARCH THAT CONTAINS SEARCH CRITERIA THAT INCLUDES A PURGED OFFENSE CLOSED Resolved in:
QRadar 7.3.2 (7.3.2.20190201201121)
QRadar 7.3.1 Patch 8 (7.3.1.20190228154648)

It has been reported by QRadar 7.3.0 users that a NullPointerException can occur when a Saved Search is loaded that contains search criteria that include a previously purged offense. This can result in incorrect results from the affected search when loaded, and can also cause historical correlation to fail to run.

Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs. View the APAR for full error logs:
[tomcat.tomcat] [ArielQueryManager] com.q1labs.ariel.ui.bean.EventSearchDelegate: [ERROR][-/- -]Error processing offenseId parameter for offense EQ 4391
[tomcat.tomcat] [ArielQueryManager] java.lang.NullPointerException
[tomcat.tomcat] [ArielQueryManager]  at com.q1labs.ariel.ui.bean.IUIArielSearchDelegate$OffenseProcessor.addOffenseSearchCriteria(IUIArielSearchDelegate.java:106)
[tomcat.tomcat] [ArielQueryManager]  at com.q1labs.ariel.ui.bean.QueryHandleSerializer.deserialize(QueryHandleSerializer.java:34)
[tomcat.tomcat] [ArielQueryManager]  at com.google.gson.TreeTypeAdapter.read(TreeTypeAdapter.java:58)
07 March 2019
SERVICES - ARIEL PROXY IJ08848 ARIEL_PROXY_SERVER CAN GO OUT OF MEMORY DURING SEARCHES ON LARGE MULTI-CPU APPLIANCES DUE TO DEFAULT TUNING PARAMETER CLOSED This issue was resolved in QRadar 7.3.1 patch 6. 18 SEPTEMBER 2018
LOG SOURCES - WINDOWS IJ07877 DELETING A BULK ADDED WINDOWS LOG SOURCE CAN CAUSE THE ASSOCIATED ACTIVE DIRECTORY ACCOUNT TO BECOME LOCKED OUT CLOSED Resolved in:
QRadar 7.3.2 (7.3.2.20190201201121)
QRadar 7.3.1 Patch 6 (7.3.1.20180912181210)
QRadar 7.2.8 Patch 14 (7.2.8.20181017162208)

It has been identified that the Active Directory (AD) accounts used in bulk-added MSRPC log sources can become locked out after one of the associated log sources is deleted. When deleting a bulk-added MSRPC log source, hash values are returned to the User Interface (UI) for the Active Directory password field, surpassing the 100 character limit. After you click Save with the hash value displayed in the password field of the Log Source edit screen, the database entry for the AD password is changed. QRadar then attempts to log in to the remote Windows computers with that incorrect password, which causes the account to be locked out.

Workaround: Manually enter the correct AD password into the password field prior to clicking Save while deleting the MSRPC bulk added Log Source. The following article describes the issue and how to resolve it manually: https://www.ibm.com/support/docview.wss?uid=ibm10743761.
11 June 2019
SERVICES - APP FRAMEWORK IJ08847 QRADAR APP TABS CAN BE BLANK AFTER A 'RESTART WEB SERVER' IS PERFORMED FROM THE ADMIN TAB CLOSED Resolved in QRadar 7.3.1 patch 6.

It has been identified in QRadar 7.3.0 Patch 5 that after a Tomcat / Restart Web Server is completed from the Admin tab, apps can display blank tabs when the user logs back in to QRadar. The following error message might be displayed in /var/log/qradar.error:
[tomcat.tomcat] [gui_app_startup_thread] com.q1labs.uiframeworks.util.ApplicationStartupThread:[ERROR][127.0.0.1/- -] Error occurred processing [QRadar_App_Name] 1652
[tomcat.tomcat] [gui_app_startup_thread]com.q1labs.restapi_annotations.content.exceptions.endpointExceptions.InvalidParameterException: Application requested 4096(mb) of memory, but only 628(mb) is available.
[tomcat.tomcat] [gui_app_startup_thread] at com.q1labs.uiframeworks.application.api.validation.handlers.AppResourceHandler.validateMemory(AppResourceHandler.java:70)
18 SEPTEMBER 2018

IBM prides itself on delivering world class software support with highly skilled, customer-focused people. QRadar Support is available 24×7 for all high severity issues. For QRadar resources, technical help, guidance, and information see our QRadar Support 101 pages.