
QRADAR APARS 101

QRadar information related to known issues, important alerts and problem resolutions.

What are APARs?

QRadar uses Authorized Program Analysis Reports (APARs) to track issues reported by users. Each problem report shows the status of the issue for the end user, either ONGOING or CLOSED. This page is intended to help users who have not yet subscribed to IBM My Notifications locate known issues, and to highlight APARs that QRadar Support considers important.

Searching the APAR table

The QRadar Support team created this QRadar APARs 101 page to make APARs easier to search for users and administrators. The Search field in the table below filters the entries by version or keyword. Administrators who want to narrow the list to a specific version can combine keywords, or use the version buttons and then refine the result with the Search bar.
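Each bulletin in the table gives its fix as a QRadar build string of the form MAJOR.MINOR.PATCH.BUILDTIMESTAMP (for example 7.4.2.20210120225428). The script below is an added example, not IBM code: it parses "Resolved in" lines pasted from the table and reports whether an installed build predates the fix for its release train. The sample text is the three fix builds from the 26 January 2021 bulletins; the rule for choosing which fix applies to a given train (the lowest listed fix in the same MAJOR.MINOR line at or above the installed patch level, so 7.4.0 is measured against 7.4.1 Fix Pack 2 and every 7.3.x against 7.3.3 Fix Pack 7) is an assumption derived from the "Affected versions" ranges, not an IBM rule.

```python
import re
from typing import List, NamedTuple, Optional


class Build(NamedTuple):
    """A QRadar build string split into comparable parts."""
    major: int
    minor: int
    patch: int
    stamp: int  # 14-digit build timestamp, e.g. 20210120225428


_BUILD_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d{14})$")
_RESOLVED_RE = re.compile(r"QRadar \d+\.\d+\.\d+ Fix Pack \d+ \((\d+\.\d+\.\d+\.\d{14})\)")

# Constructed sample input: the "Resolved in" lines of the 26 January 2021
# bulletins in the table, pasted as plain text.
RESOLVED_IN_TEXT = """
QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)
"""


def parse_build(text: str) -> Build:
    """Parse 'MAJOR.MINOR.PATCH.BUILDTIMESTAMP' into a Build."""
    m = _BUILD_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a QRadar build string: {text!r}")
    return Build(*(int(g) for g in m.groups()))


def parse_resolved_in(text: str) -> List[Build]:
    """Extract every '(x.y.z.<stamp>)' build from pasted 'Resolved in' lines."""
    return [parse_build(b) for b in _RESOLVED_RE.findall(text)]


def fix_for(installed: Build, fixes: List[Build]) -> Optional[Build]:
    """Pick the fix build an installed build must be compared against.

    Assumption (derived from the affected-version ranges, not an IBM rule):
    the lowest listed fix in the same MAJOR.MINOR train whose patch level is
    at or above the installed one, so 7.4.0 -> 7.4.1 FP2, 7.3.1 -> 7.3.3 FP7.
    """
    candidates = [f for f in fixes
                  if (f.major, f.minor) == (installed.major, installed.minor)
                  and f.patch >= installed.patch]
    return min(candidates) if candidates else None


def is_affected(installed: str, resolved_in_text: str = RESOLVED_IN_TEXT) -> bool:
    """True when the installed build predates the bulletin's fix for its train."""
    build = parse_build(installed)
    fix = fix_for(build, parse_resolved_in(resolved_in_text))
    if fix is None:
        raise ValueError(f"no fix listed for release train {build.major}.{build.minor}")
    # NamedTuple comparison is lexicographic: major, minor, patch, then stamp.
    return build < fix


if __name__ == "__main__":
    # Constructed build strings; only the first is a real one from the table.
    for v in ("7.4.2.20210120225428", "7.4.2.20201001000000", "7.3.2.20200301000000"):
        print(v, "AFFECTED" if is_affected(v) else "fixed")
```

A build on a train the pasted text does not cover (a later 7.4.x or 7.5 line, for instance) raises instead of silently reporting "fixed"; treat that as "check the bulletin", not as "not affected".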


Last update: 27 January 2021 – Updated page to list 15 items resolved with the release of 7.4.2 Fix Pack 2 and added 8 security bulletins.
Each entry below lists: Component, Number, Description, Status, More information (resolved-in builds, affected versions, and issue details), and Date.
SECURITY BULLETIN
Number: CVE-2019-19126, CVE-2020-10754, CVE-2019-19956, CVE-2019-20388, CVE-2020-7595, CVE-2019-5482, CVE-2018-20843, CVE-2019-15903, CVE-2019-20386, CVE-2019-16935, CVE-2020-8492, CVE-2019-17498, CVE-2019-2974, CVE-2020-2574, CVE-2020-2752, CVE-2020-2780, CVE-2020-2812, CVE-2019-14907, CVE-2019-14866
Description: IBM QRADAR SIEM IS VULNERABLE TO USING COMPONENTS WITH KNOWN VULNERABILITIES
Status: CLOSED
Resolved in
  • QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
  • QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
  • QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)

Affected versions
  • IBM QRadar SIEM 7.4.2 GA to 7.4.2 Patch 1
  • IBM QRadar SIEM 7.4.0 to 7.4.1 Patch 1
  • IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 6
Issue
  • CVE-2019-19126: GNU C Library could allow a local attacker to bypass security restrictions, caused by failing to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution. An attacker could exploit this vulnerability to bypass ASLR for a setuid program. CVSS Base score: 4
  • CVE-2020-10754: NetworkManager could allow a remote authenticated attacker to bypass security restrictions, caused by improper configuration in the nmcli. By connecting to a network, an attacker could exploit this vulnerability to bypass authentication. CVSS Base score: 4.3
  • CVE-2019-19956: libxml2 is vulnerable to a denial of service, caused by a memory leak in xmlParseBalancedChunkMemoryRecover in parser.c. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to cause the application to crash. CVSS Base score: 3.3
  • CVE-2019-20388: GNOME libxml2 could allow a remote attacker to obtain sensitive information, caused by a xmlSchemaValidateStream memory leak in xmlSchemaPreRun in xmlschemas.c. By persuading a victim to open a specially crafted file, an attacker could exploit this vulnerability to obtain sensitive information.
  • CVE-2020-7595: The Gnome Project Libxml2 is vulnerable to a denial of service, caused by an error in xmlStringLenDecodeEntities in parser.c. An attacker could exploit this vulnerability to cause the application to enter into an infinite loop. CVSS Base score: 7.5
  • CVE-2019-5482: cURL libcurl is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the tftp_receive_packet function. By sending specially-crafted request containing an OACK without the BLKSIZE option, a remote attacker could overflow a buffer and execute arbitrary code on the system. CVSS Base score: 6.3
  • CVE-2018-20843: libexpat is vulnerable to a denial of service, caused by an error in the XML parser. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to consume all available CPU resources. CVSS Base score: 3.3
  • CVE-2019-15903: libexpat is vulnerable to a denial of service, caused by a heap-based buffer over-read in XML_GetCurrentLineNumber. By using a specially-crafted XML input, a remote attacker could exploit this vulnerability to cause the application to crash. CVSS Base score: 5.3
  • CVE-2019-20386: systemd is vulnerable to a denial of service, caused by a memory leak in the button_open function in login/logind-button.c. By executing the udevadm trigger command, a local attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 6.2
  • CVE-2019-16935: Python is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the python/Lib/DocXMLRPCServer.py. A remote attacker could exploit this vulnerability using the server_title field to inject malicious script into a Web page which would be executed in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials. CVSS Base score: 6.1
  • CVE-2020-8492: Python is vulnerable to a denial of service, caused by a flaw in the urllib.request.AbstractBasicAuthHandler. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a Regular Expression Denial of Service (ReDoS). CVSS Base score: 5.3
  • CVE-2019-17498: libssh2 is vulnerable to a denial of service, caused by an out-of-bounds read when connecting to a malicious SSH server that sends a disconnect message. A remote attacker could exploit this vulnerability to cause a denial of service or obtain sensitive information. CVSS Base score: 6.5
  • CVE-2019-2974: An unspecified vulnerability in Oracle MySQL related to the Server: Optimizer component could allow an authenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors. CVSS Base score: 6.5
  • CVE-2020-2574: An unspecified vulnerability in Oracle MySQL related to the Client C API component could allow an unauthenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors. CVSS Base score: 5.9
  • CVE-2020-2752: An unspecified vulnerability in Oracle MySQL related to the Client C API component could allow an authenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors. CVSS Base score: 5.3
  • CVE-2020-2780: An unspecified vulnerability in Oracle MySQL related to the Server: DML component could allow an authenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors. CVSS Base score: 6.5
  • CVE-2020-2812: An unspecified vulnerability in Oracle MySQL related to the Server: Stored Procedure component could allow an authenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors. CVSS Base score: 4.9
  • CVE-2019-14907: Samba is vulnerable to a denial of service, caused by an error after a failed character conversion at log level 3 or above. By sending a specially crafted string during the NTLMSSP authentication exchange, an attacker could exploit this vulnerability to cause a long-lived process to terminate. CVSS Base score: 6.5
  • CVE-2019-14866: GNU cpio could allow a local authenticated attacker to gain elevated privileges on the system, caused by the failure to properly validate input files when generating TAR archives. An attacker could exploit this vulnerability to inject any tar content and compromise the system. CVSS Base score: 6.7
Date: 26 January 2021
SECURITY BULLETIN
Number: CVE-2018-18074, CVE-2018-20060, CVE-2019-11236, CVE-2019-11324, CVE-2019-5094, CVE-2019-5188, CVE-2020-11008, CVE-2019-12450, CVE-2019-14822, CVE-2019-14973, CVE-2019-17546, CVE-2017-15715, CVE-2018-1283, CVE-2018-1303, CVE-2019-10098, CVE-2020-1927, CVE-2020-1934, CVE-2017-18551, CVE-2018-20836, CVE-2019-15217, CVE-2019-15807, CVE-2019-15917, CVE-2019-16231, CVE-2019-16233, CVE-2019-16994, CVE-2019-17053, CVE-2019-17055, CVE-2019-19046, CVE-2019-19062, CVE-2019-19063, CVE-2019-19332, CVE-2019-19447, CVE-2019-19524, CVE-2019-19530, CVE-2019-19534, CVE-2019-19537, CVE-2019-19767, CVE-2019-19807, CVE-2019-20054, CVE-2019-20636, CVE-2019-9454, CVE-2019-9458, CVE-2020-10690, CVE-2020-10732, CVE-2020-10742, CVE-2020-10751, CVE-2020-10942
Description: IBM QRADAR SIEM IS VULNERABLE TO USING COMPONENTS WITH KNOWN VULNERABILITIES
Status: CLOSED
Resolved in
  • QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
  • QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
  • QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)

Affected versions
  • IBM QRadar SIEM 7.4.2 GA to 7.4.2 Patch 1
  • IBM QRadar SIEM 7.4.0 to 7.4.1 Patch 1
  • IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 6
Issue
  • CVE-2018-18074: The Requests package for Python could allow a remote attacker to obtain sensitive information, caused by sending information in an insecure manner. By sniffing the network, a remote attacker could exploit this vulnerability to obtain sensitive information. CVSS Base score: 5.3
  • CVE-2018-20060: urllib3 could allow a remote attacker to obtain sensitive information, caused by the failure to remove the Authorization HTTP header when following a cross-origin redirect. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to obtain credentials in the Authorization header. CVSS Base score: 7.5
  • CVE-2019-11236: Python urllib3 is vulnerable to CRLF injection, caused by improper validation of user-supplied input by the request parameter. By sending a specially-crafted HTTP response containing CRLF character sequences, a remote attacker could exploit this vulnerability to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. CVSS Base score: 5.3
  • CVE-2019-11324: urllib3 could allow a remote attacker to bypass security restrictions, caused by mishandling of certificates. By sending a specially-crafted certificate, an attacker could exploit this vulnerability to allow SSL connections. CVSS Base score: 5.3
  • CVE-2019-5094: E2fsprogs could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an out-of-bounds write in the quota file functionality. By persuading a victim to open a specially-crafted file, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 7.5
  • CVE-2019-5188: E2fsprogs could allow a local authenticated attacker to execute arbitrary code on the system, caused by an out-of-bounds write in the directory rehashing function. By using a specially-crafted ext4 directory, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 7.5
  • CVE-2020-11008: Git could allow a remote attacker to obtain sensitive information, caused by a flaw in the external “credential helper” programs. By feeding a specially-crafted URL to git clone, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system. CVSS Base score: 7.5
  • CVE-2019-12450: GNOME GLib could allow a remote attacker to bypass security restrictions, caused by improper permission control in the file_copy_fallback in gio/gfile.c. An attacker could exploit this vulnerability to bypass access restrictions. CVSS Base score: 5.3
  • CVE-2019-14822: IBus could allow a local authenticated attacker to bypass security restrictions, caused by improper authorization validation. By sending a specially-crafted request, an attacker could exploit this vulnerability to monitor and send method calls to the ibus bus of another user. CVSS Base score: 5.5
  • CVE-2019-14973: LibTIFF is vulnerable to a denial of service, caused by an integer overflow in _TIFFCheckMalloc and _TIFFCheckRealloc in tif_aux.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 3.3
  • CVE-2019-17546: libtiff is vulnerable to a heap-based buffer overflow, caused by an integer overflow in the tif_getimage.c. By persuading a victim to open a specially-crafted file, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash. CVSS Base score: 7.8
  • CVE-2017-15715: Apache HTTPD could allow a remote attacker to bypass security restrictions, caused by the FilesMatch expression matching ‘$’ to a newline character in a malicious filename instead of the end of the filename. By matching the trailing portion of the filename, an attacker could exploit to bypass security controls that use the FilesMatch directive. CVSS Base score: 3.7
  • CVE-2018-1283: Apache HTTPD could allow a remote attacker to bypass security restrictions, caused by an error when mod_session is configured with SessionEnv on to forward session data to CGI applications. By using a specially crafted “Session” header, an attacker could exploit this vulnerability to modify mod_session data on the system. CVSS Base score: 5.3
  • CVE-2018-1303: Apache HTTPD is vulnerable to a denial of service, caused by an out-of-bounds memory read error in mod_cache_socache. By sending a specially crafted HTTP request header, an attacker could exploit this vulnerability to cause the service to crash. CVSS Base score: 5.3
  • CVE-2019-10098: Apache HTTP Server could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability in the mod_rewrite module. An attacker could exploit this vulnerability using a specially-crafted URL to redirect a victim to arbitrary Web sites. CVSS Base score: 3.7
  • CVE-2020-1927: Apache HTTP Server could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability in the mod_rewrite module. An attacker could exploit this vulnerability using a specially-crafted URL to redirect a victim to arbitrary Web sites. CVSS Base score: 7.4
  • CVE-2020-1934: Apache HTTP Server could allow a remote attacker to execute arbitrary code on the system, caused by the use of uninitialized value in mod_proxy_ftp. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system. CVSS Base score: 8.1
  • CVE-2017-18551: Linux kernel is vulnerable to a buffer overflow, caused by a missing bounds check in drivers/i2c/i2c-core-smbus.c. An attacker could overflow an array and perform unspecified actions. CVSS Base score: 7.8
  • CVE-2018-20836: Linux Kernel is vulnerable to a denial of service, caused by a race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c. A local attacker could exploit this vulnerability to cause the system to crash. CVSS Base score: 4
  • CVE-2019-15217: Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference in the yurex.c driver. By using a specially-crafted USB device, a physical attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 4.6
  • CVE-2019-15807: Linux Kernel is vulnerable to a denial of service, caused by a memory leak in sas_expander.c when SAS expander discovery fails. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 7.5
  • CVE-2019-15917: Linux Kernel could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free when hci_uart_register_dev() fails in hci_uart_set_proto() in drivers/bluetooth/hci_ldisc.c. A remote attacker could exploit this vulnerability to execute arbitrary code on the system or cause a denial of service. CVSS Base score: 7.3
  • CVE-2019-16231: Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference in drivers/net/fjes/fjes_main.c. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 7.5
  • CVE-2019-16233: Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference in drivers/scsi/qla2xxx/qla_os.c. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 7.5
  • CVE-2019-16994: Linux Kernel is vulnerable to a denial of service, caused by a memory leak in the sit_init_net function in net/ipv6/sit.c. By sending a specially-crafted request, a local attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 6.2
  • CVE-2019-17053: Linux Kernel could allow a local authenticated attacker to bypass security restrictions, caused by not enforcing CAP_NET_RAW in the ieee802154_create function in net/ieee802154/socket.c in the AF_IEEE802154 network module. By sending a specially-crafted request, an attacker could exploit this vulnerability to create a raw socket. CVSS Base score: 5.5
  • CVE-2019-17055: Linux Kernel could allow a local authenticated attacker to bypass security restrictions, caused by not enforcing CAP_NET_RAW in the base_sock_create function in drivers/isdn/mISDN/socket.c in the AF_ISDN network module. By sending a specially-crafted request, an attacker could exploit this vulnerability to create a raw socket. CVSS Base score: 5.5
  • CVE-2019-19046: Linux Kernel is vulnerable to a denial of service, caused by a memory leak in the __ipmi_bmc_register() function in drivers/char/ipmi/ipmi_msghandler.c. A remote attacker could exploit this vulnerability to consume all available memory resources. CVSS Base score: 7.5
  • CVE-2019-19062: Linux Kernel is vulnerable to a denial of service, caused by a memory leak in the crypto_report() function in crypto/crypto_user_base.c. A remote attacker could exploit this vulnerability to consume all available memory resources. CVSS Base score: 7.5
  • CVE-2019-19063: Linux Kernel is vulnerable to a denial of service, caused by multiple memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c. A remote attacker could exploit this vulnerability to consume all available memory resources. CVSS Base score: 7.5
  • CVE-2019-19332: Linux Kernel is vulnerable to a denial of service, caused by an out-of-bounds memory write in KVM hypervisor. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause the application to crash. CVSS Base score: 5.5
  • CVE-2019-19447: Linux Kernel could allow a local attacker to execute arbitrary code on the system, caused by a use-after-free flaw in the ext4_put_super function in fs/ext4/super.c. By using a specially-crafted image file, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system. CVSS Base score: 8.4
  • CVE-2019-19524: Linux Kernel is vulnerable to a denial of service, caused by a use-after-free condition in drivers/input/ff-memless.c. By connecting a specially-crafted USB device, an attacker could exploit this vulnerability to cause a kernel panic. CVSS Base score: 4.2
  • CVE-2019-19530: Linux Kernel is vulnerable to a denial of service, caused by a use-after-free condition in drivers/usb/class/cdc-acm.c. By connecting a specially-crafted USB device, an attacker could exploit this vulnerability to cause a kernel panic. CVSS Base score: 4.2
  • CVE-2019-19534: Linux Kernel could allow a local attacker to obtain sensitive information, caused by missing memory initialization in drivers/net/can/usb/peak_usb/pcan_usb_core.c. By connecting a specially-crafted USB device, an attacker could exploit this vulnerability to obtain sensitive information. CVSS Base score: 2.4
  • CVE-2019-19537: Linux Kernel is vulnerable to a denial of service, caused by a race condition in drivers/usb/core/file.c. By connecting a specially-crafted USB device, an attacker could exploit this vulnerability to cause the system to stop responding. CVSS Base score: 4.2
  • CVE-2019-19767: Linux Kernel is vulnerable to a denial of service, caused by a use-after-free in the __ext4_expand_extra_isize and ext4_xattr_set_entry functions in fs/ext4/inode.c and fs/ext4/super.c. By sending a specially-crafted request, a local attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 6.2
  • CVE-2019-19807: Linux Kernel is vulnerable to a denial of service, caused by a use-after-free in sound/core/timer.c. By sending a specially crafted request, a local attacker could exploit this vulnerability to cause the application to crash. CVSS Base score: 4
  • CVE-2019-20054: Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c. By sending a specially crafted request, a local attacker could exploit this vulnerability to cause the application to crash. CVSS Base score: 4
  • CVE-2019-20636: Linux Kernel could allow a local attacker to execute arbitrary code on the system, caused by an out-of-bounds write flaw in the input_set_keycode function. By using a specially-crafted keycode table, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system. CVSS Base score: 8.4
  • CVE-2019-9454: Google Android could allow a local authenticated attacker to gain elevated privileges on the system, caused by a memory corruption in the i2c driver. An attacker could exploit this vulnerability to escalate privileges. CVSS Base score: 7.8
  • CVE-2019-9458: Google Android could allow a local attacker to gain elevated privileges on the system, caused by a race condition in the video driver. An attacker could exploit this vulnerability to escalate privileges. CVSS Base score: 8.4
  • CVE-2020-10690: Linux Kernel is vulnerable to a denial of service, caused by a use-after-free in the cdev_put function in the Precision Time Protocol (PTP). By removing a PTP device while chardev is open, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 4.4
  • CVE-2020-10732: Linux Kernel could allow a local authenticated attacker to obtain sensitive information, caused by a flaw in the implementation of Userspace core dumps. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information or cause a program to crash. CVSS Base score: 3.3
  • CVE-2020-10742: Linux Kernel is vulnerable to a denial of service, caused by a stack-based buffer overflow during Direct IO write. By triggering an out-of-bounds index access on a buffer allocated with kmalloc, a local authenticated attacker could exploit this vulnerability to cause the NFS client to crash. CVSS Base score: 6
  • CVE-2020-10751: Linux Kernel could allow a local authenticated attacker to bypass security restrictions, caused by a flaw with improper validation of first netlink message by the SELinux LSM hook implementation. By sending a specially-crafted request, an attacker could exploit this vulnerability to allow or deny the rest of the netlink messages within the skb with the granted permission without further processing. CVSS Base score: 6.1
  • CVE-2020-10942: Linux Kernel is vulnerable to a denial of service, caused by improper validation of an sk_family field by the get_raw_socket function in drivers/vhost/net.c. By sending specially-crafted system calls, a local attacker could exploit this vulnerability to cause a kernel stack corruption resulting in a denial of service condition. CVSS Base score: 6.2
Date: 26 January 2021
SECURITY BULLETIN
Number: CVE-2019-2974, CVE-2020-2574, CVE-2020-2752, CVE-2020-2780, CVE-2020-2812, CVE-2019-14973, CVE-2019-17546, CVE-2019-17498, CVE-2017-15715, CVE-2018-1283, CVE-2018-1303, CVE-2019-10098, CVE-2020-1927, CVE-2020-1934, CVE-2017-18551, CVE-2019-5094, CVE-2019-5188, CVE-2020-0034
Description: IBM QRADAR SIEM IS VULNERABLE TO USING COMPONENTS WITH KNOWN VULNERABILITIES
Status: CLOSED
Resolved in
  • QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
  • QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
  • QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)

Affected versions
  • IBM QRadar SIEM 7.4.2 GA to 7.4.2 Patch 1
  • IBM QRadar SIEM 7.4.0 to 7.4.1 Patch 1
  • IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 6
Issue
  • CVE-2019-2974: An unspecified vulnerability in Oracle MySQL related to the Server: Optimizer component could allow an authenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors. CVSS Base score: 6.5
  • CVE-2020-2574: An unspecified vulnerability in Oracle MySQL related to the Client C API component could allow an unauthenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors. CVSS Base score: 5.9
  • CVE-2020-2752: An unspecified vulnerability in Oracle MySQL related to the Client C API component could allow an authenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors. CVSS Base score: 5.3
  • CVE-2020-2780: An unspecified vulnerability in Oracle MySQL related to the Server: DML component could allow an authenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors. CVSS Base score: 6.5
  • CVE-2020-2812: An unspecified vulnerability in Oracle MySQL related to the Server: Stored Procedure component could allow an authenticated attacker to cause a denial of service resulting in a high availability impact using unknown attack vectors. CVSS Base score: 4.9
  • CVE-2019-14973: LibTIFF is vulnerable to a denial of service, caused by an integer overflow in _TIFFCheckMalloc and _TIFFCheckRealloc in tif_aux.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 3.3
  • CVE-2019-17546: libtiff is vulnerable to a heap-based buffer overflow, caused by an integer overflow in the tif_getimage.c. By persuading a victim to open a specially-crafted file, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash. CVSS Base score: 7.8
  • CVE-2019-17498: libssh2 is vulnerable to a denial of service, caused by an out-of-bounds read when connecting to a malicious SSH server that sends a disconnect message. A remote attacker could exploit this vulnerability to cause a denial of service or obtain sensitive information. CVSS Base score: 6.5
  • CVE-2017-15715: Apache HTTPD could allow a remote attacker to bypass security restrictions, caused by the FilesMatch expression matching ‘$’ to a newline character in a malicious filename instead of the end of the filename. By matching the trailing portion of the filename, an attacker could exploit to bypass security controls that use the FilesMatch directive. CVSS Base score: 3.7
  • CVE-2018-1283: Apache HTTPD could allow a remote attacker to bypass security restrictions, caused by an error when mod_session is configured with SessionEnv on to forward session data to CGI applications. By using a specially crafted “Session” header, an attacker could exploit this vulnerability to modify mod_session data on the system. CVSS Base score: 5.3
  • CVE-2018-1303: Apache HTTPD is vulnerable to a denial of service, caused by an out-of-bounds memory read error in mod_cache_socache. By sending a specially crafted HTTP request header, an attacker could exploit this vulnerability to cause the service to crash. CVSS Base score: 5.3
  • CVE-2019-10098: Apache HTTP Server could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability in the mod_rewrite module. An attacker could exploit this vulnerability using a specially-crafted URL to redirect a victim to arbitrary Web sites. CVSS Base score: 3.7
  • CVE-2020-1927: Apache HTTP Server could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability in the mod_rewrite module. An attacker could exploit this vulnerability using a specially-crafted URL to redirect a victim to arbitrary Web sites. CVSS Base score: 7.4
  • CVE-2020-1934: Apache HTTP Server could allow a remote attacker to execute arbitrary code on the system, caused by the use of uninitialized value in mod_proxy_ftp. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system. CVSS Base score: 8.1
  • CVE-2019-5094: E2fsprogs could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an out-of-bounds write in the quota file functionality. By persuading a victim to open a specially-crafted file, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 7.5
  • CVE-2019-5188: E2fsprogs could allow a local authenticated attacker to execute arbitrary code on the system, caused by an out-of-bounds write in the directory rehashing function. By using a specially-crafted ext4 directory, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 7.5
  • CVE-2020-0034: Google Android could allow a remote attacker to obtain sensitive information, caused by an out-of-bounds read in the vp8_decode_frame of decodeframe.c. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information. CVSS Base score: 7.5
Date: 26 January 2021
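The CVE-2017-15715 entries in the two bulletins above describe a regex-anchoring pitfall that is easy to reproduce outside Apache. In PCRE, which FilesMatch uses, and in Python's re module alike, `$` matches at the end of the string or just before a final newline, so a rule like FilesMatch "\.php$" also matches a filename ending in ".php\n" while an application-level check such as endswith(".php") does not. The script below is an added example, not Apache or QRadar code; it shows the two layers disagreeing on the same name and the strict anchor that removes the disagreement (Python's `\Z` corresponds to PCRE's `\z`, the absolute end of the subject).

```python
import re


def apache_style_match(name: str) -> bool:
    """Equivalent of <FilesMatch "\\.php$">: `$` also matches before a trailing "\\n"."""
    return re.search(r"\.php$", name) is not None


def strict_match(name: str) -> bool:
    """Same rule anchored with \\Z (PCRE \\z): matches only at the true end of the string."""
    return re.search(r"\.php\Z", name) is not None


def app_filter_blocks(name: str) -> bool:
    """A typical upload filter: rejects names that literally end in '.php'.
    It does not consider 'shell.php\\n' a PHP file, so it lets it through."""
    return name.lower().endswith(".php")


def disagreement(name: str) -> bool:
    """True when the upload filter lets the name through while the `$`-anchored
    handler rule would still treat it as PHP: the gap an attacker exploits."""
    return (not app_filter_blocks(name)) and apache_style_match(name)


if __name__ == "__main__":
    # Constructed filenames; the second carries a trailing newline.
    for n in ("shell.php", "shell.php\n", "image.png\n"):
        print(repr(n), "dollar:", apache_style_match(n), "strict:", strict_match(n),
              "filter blocks:", app_filter_blocks(n), "gap:", disagreement(n))
```

The fix is to anchor file-matching rules with the absolute end-of-string anchor (or, in Apache, to let the server treat `$` as end-only), and to make any application-side filename check use the same definition of "end of name" as the web server's rule.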
SECURITY BULLETIN
Number: CVE-2020-11979
Description: APACHE ANT AS USED BY IBM QRADAR SIEM IS VULNERABLE TO INSECURE TEMPORARY FILES
Status: CLOSED
Resolved in
  • QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
  • QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
  • QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)

Affected versions
  • IBM QRadar SIEM 7.4.2 GA to 7.4.2 Patch 1
  • IBM QRadar SIEM 7.4.0 to 7.4.1 Patch 1
  • IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 6
Issue
CVE-2020-11979: Apache Ant could allow a remote authenticated attacker to bypass security restrictions, caused by an insecure temporary file flaw. By sending a specially-crafted request, an attacker could exploit this vulnerability to inject modified source files into the build process. CVSS Base score: 6.5
Date: 26 January 2021
SECURITY BULLETIN
Number: CVE-2020-4789
Description: IBM QRADAR SIEM IS VULNERABLE TO ARBITRARY FILE READ
Status: CLOSED
Resolved in
  • QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
  • QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
  • QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)

Affected versions
  • IBM QRadar SIEM 7.4.2 GA to 7.4.2 Patch 1
  • IBM QRadar SIEM 7.4.0 to 7.4.1 Patch 1
  • IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 6
Issue
CVE-2020-4789: IBM QRadar could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing “dot dot” sequences (/../) to view arbitrary files on the system. CVSS Base score: 6.5
Date: 26 January 2021
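The entry above describes the directory-traversal class: a URL path containing "/../" sequences is joined to a base directory without checking that the result stays inside it. The script below is an added example, not QRadar code, and says nothing about how CVE-2020-4789 works internally; it puts the naive lookup beside a hardened one. The base directory /opt/example/www is a constructed name that need not exist (Path.resolve() normalizes non-existent paths), and the function names are this example's own.

```python
import os
from pathlib import Path
from urllib.parse import unquote

# Constructed base directory for the example; it does not need to exist.
WEB_ROOT = "/opt/example/www"


def resolve_naive(base: str, user_path: str) -> Path:
    """VULNERABLE: join and normalize, but never check the result stays in base.
    '../../etc/passwd' walks straight out of the directory."""
    return Path(os.path.normpath(os.path.join(base, user_path)))


def resolve_safe(base: str, user_path: str) -> Path:
    """Resolve user_path under base and refuse anything that escapes it.

    resolve() collapses '..' and follows symlinks, so the containment check is
    made on the real location. A plain str.startswith(base) test is not enough:
    '/opt/example/www2/x' starts with '/opt/example/www' but is outside it.
    An absolute user_path replaces base in the join and then fails the check."""
    base_real = Path(base).resolve()
    candidate = (base_real / user_path).resolve()
    if candidate != base_real and base_real not in candidate.parents:
        raise PermissionError(f"path escapes base directory: {user_path!r}")
    return candidate


def resolve_url_path(base: str, url_path: str) -> Path:
    """Map a URL path (e.g. '/%2e%2e/etc/passwd') to a file under base.
    Decode exactly once, drop the leading '/' so the path is relative to the
    web root, then apply the containment check. Decoding twice would reopen
    the hole for doubly-encoded dots."""
    relative = unquote(url_path).lstrip("/")
    return resolve_safe(base, relative)


def is_contained(base: str, user_path: str) -> bool:
    """True if resolve_safe accepts user_path."""
    try:
        resolve_safe(base, user_path)
        return True
    except PermissionError:
        return False


def is_url_path_contained(base: str, url_path: str) -> bool:
    """True if resolve_url_path accepts url_path."""
    try:
        resolve_url_path(base, url_path)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    # Constructed request paths, benign and malicious.
    for p in ("index.html", "assets/../index.html", "../../etc/passwd", "/etc/passwd"):
        print(f"{p!r:22} naive -> {resolve_naive(WEB_ROOT, p)}   safe accepts -> {is_contained(WEB_ROOT, p)}")
```

The check is made after resolve() so that a symlink inside the base directory pointing outside it is also rejected; if symlinks are meant to be followed, decide that explicitly rather than by accident.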
SECURITY BULLETIN
Number: CVE-2020-4787
Description: IBM QRADAR SIEM IS VULNERABLE TO SERVER SIDE REQUEST FORGERY (SSRF)
Status: CLOSED
Resolved in
  • QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
  • QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
  • QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)

Affected versions
  • IBM QRadar SIEM 7.4.2 GA to 7.4.2 Patch 1
  • IBM QRadar SIEM 7.4.0 to 7.4.1 Patch 1
  • IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 6
Issue
CVE-2020-4787: IBM QRadar is vulnerable to server side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. CVSS Base score: 4.2
Date: 26 January 2021
SECURITY BULLETIN
Number: CVE-2020-4786
Description: IBM QRADAR SIEM IS VULNERABLE TO SERVER SIDE REQUEST FORGERY (SSRF)
Status: CLOSED
Resolved in
  • QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
  • QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
  • QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)

Affected versions
  • IBM QRadar SIEM 7.4.2 GA to 7.4.2 Patch 1
  • IBM QRadar SIEM 7.4.0 to 7.4.1 Patch 1
  • IBM QRadar SIEM 7.3.0 to 7.3.0 Patch 5
Issue
CVE-2020-4786: IBM QRadar SIEM is vulnerable to server side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. CVSS Base score: 5.4
26 January 2021
SECURITY BULLETIN CVE-2020-5421
SPRING FRAMEWORK AS USED BY IBM QRADAR SIEM IS VULNERABLE TO IMPROPER INPUT VALIDATION CLOSED Resolved in
QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)

Affected versions
  • IBM QRadar SIEM 7.4.2 GA to 7.4.2 Patch 1
  • IBM QRadar SIEM 7.4.0 to 7.4.1 Patch 1
  • IBM QRadar SIEM 7.3.0 to 7.3.0 Patch 5
Issue
CVE-2020-5421: VMware Tanzu Spring Framework could allow a remote attacker to bypass security restrictions, caused by improper input validation. By using a specially-crafted jsessionid path parameter, an attacker could exploit this vulnerability to bypass the framework's Reflected File Download (RFD) protection. CVSS Base score: 5.3
26 January 2021
SERVICES IJ30161 A QRADAR “DEPLOY CHANGES” PERFORMED ON DECEMBER 31 2020 CAN CAUSE QRADAR FUNCTIONALITY ISSUES CLOSED Resolved in
QRadar 7.4.2 Fix Pack 1 (7.4.2.20210105144619)
QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)

Workaround
For more detailed information, please see the following Flash Notification: https://ibm.biz/BdfDdV

An issue report and FAQ is available for IJ30161 from QRadar Support. For more information, see: https://www.ibm.com/support/pages/node/6398674

Issue
Performing a “Deploy Changes” function on December 31 2020 can cause a QRadar deployment to stop functioning as expected. This issue is related to the function that validates a license key.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[ecs-ec-ingress.ecs-ec-ingress] [main] com.eventgnosis.ecs: [INFO] [NOT:6000][X.X.X.X/- -] [-/- -]Waiting for valid license...
[ecs-ep.ecs-ep] [main] com.eventgnosis.ecs: [INFO] [NOT:6000][X.X.X.X/- -] [-/- -]Waiting for valid license...
[ecs-ec.ecs-ec] [main] com.eventgnosis.ecs: [INFO] [NOT:6000][X.X.X.X/- -] [-/- -]Waiting for valid license...

Note: This affects a manual “Deploy Changes” as well as any deploy that is performed automatically (for example, by Auto Update).
11 January 2021
RULES IJ29115 PERFORMING AN EXTENSION MANAGEMENT UNINSTALL CAN SOMETIMES CORRUPT RULES WITHIN QRADAR CLOSED Resolved in
QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)

Workaround
Upgrade to a QRadar version that resolves this issue, or contact QRadar Support for a possible workaround that might address this issue in some instances.

Issue
Performing an Uninstall with the Extension Manager can corrupt rules if QRadar’s change-tracker has incorrectly recorded the “new_value” field in content_field_info within the QRadar database.

When this occurs, attempting to modify a rule response or edit or delete a rule can generate an error pop-up similar to:
A server exception occurred: PersistenceException: ERROR: could not parse XML document
Detail: line 1: Start tag expected, '<' not found
and messages in /var/log/qradar.log similar to:
[tomcat.tomcat] [pool-1-thread-3] org.apache.openjpa.lib.jdbc.ReportingSQLException: ERROR: could not parse XML document
  Detail: line 1: Start tag expected, '<' not found
16 November 2020
FORWARDING DESTINATIONS IJ27364 THE OPTION TO USE IPV6 SOURCE AND DESTINATION FROM AN EVENT WHEN CONFIGURING JSON FORWARDING DESTINATION IS NOT AVAILABLE CLOSED Resolved in
QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)

Workaround
A custom event property can be created to parse the IPv6 address out of the event payload and then referenced in the JSON format. For more information, see: How to create custom properties in QRadar.

Issue
When configuring a Forwarding Destination that uses the JSON format to forward data to another system over IPv6, the source or destination IP from an event is not available as a selectable option.
02 September 2020
FLOW FORWARDING IJ26689 FORWARDING NORMALIZED FLOWS THAT ARE ASSOCIATED TO A DOMAIN FAILS WITH A BUFFERUNDERFLOWEXCEPTION WRITTEN TO QRADAR LOGGING CLOSED Resolved in
QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)

Workaround
Potential workaround for this issue. Note: This affects all forwarding of normalized events and flows from the sending host; forwarded data is assigned to the default domain.

  1. On the QRadar Console that is sending, edit nva.conf:
    vi /store/configservices/staging/globalconfig/nva.conf
    Add and save the following line:
    IS_DOMAIN_FORWARDING=0
  2. Log in to QRadar as an administrator.
  3. Click the Admin tab > Deploy Changes.
  4. On the Managed Host that is sending events or flows, type the following command to restart the ecs-ec service:
    systemctl restart ecs-ec
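The steps above edit nva.conf by hand. The following is an added example, not IBM's code, that applies the same IS_DOMAIN_FORWARDING change idempotently with a backup, so repeating the procedure never leaves two copies of the key behind. The nva.conf path is the one given in step 1; the function names, the backup suffix and the temporary file used by the demo are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not IBM's code): apply the IS_DOMAIN_FORWARDING workaround
# from step 1 above without hand-editing nva.conf, so the key is never
# duplicated and a backup always exists. The nva.conf path is the one given
# in the APAR; the function names, backup suffix and the temp file used by
# the demo are this example's own assumptions.

set -eu

# set_conf_key FILE KEY VALUE
# Backs FILE up, then replaces an existing KEY=... line in place or appends
# one. Prints the resulting KEY=VALUE line. Returns 1 if FILE does not exist.
set_conf_key() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || { echo "set_conf_key: no such file: $file" >&2; return 1; }
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
    if grep -q "^${key}=" "$file"; then
        # rewrite through a temp file and copy back, so the original inode,
        # owner and mode survive (no dependency on GNU sed -i)
        tmp=$(mktemp)
        sed "s|^${key}=.*|${key}=${value}|" "$file" > "$tmp"
        cat "$tmp" > "$file"
        rm -f "$tmp"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
    grep "^${key}=" "$file"
}

# get_conf_key FILE KEY -> current value (empty when unset)
get_conf_key() {
    sed -n "s|^$2=||p" "$1" | tail -n 1
}

# count_conf_key FILE KEY -> number of KEY= lines; exactly 1 after set_conf_key
count_conf_key() {
    grep -c "^$2=" "$1" || true
}

# Demo on a constructed copy (assumed content, not a real nva.conf).
# On the sending Console the call would be:
#   set_conf_key /store/configservices/staging/globalconfig/nva.conf IS_DOMAIN_FORWARDING 0
# followed by Admin > Deploy Changes and 'systemctl restart ecs-ec' on the
# sending host; restoring the .bak copy reverts the workaround.
demo=$(mktemp)
printf 'CONSOLE_IP=X.X.X.X\nIS_DOMAIN_FORWARDING=1\n' > "$demo"
set_conf_key "$demo" IS_DOMAIN_FORWARDING 0
set_conf_key "$demo" IS_DOMAIN_FORWARDING 0     # second run changes nothing
echo "IS_DOMAIN_FORWARDING lines: $(count_conf_key "$demo" IS_DOMAIN_FORWARDING)"
rm -f "$demo" "$demo".bak.*
```

The rewrite goes through a temporary file and `cat` back into the original so the file keeps its owner, mode and inode, which matters for a file that the deploy process reads by path.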


Issue
Forwarding normalized flows that are associated to a domain on the sending side to another deployment fails and a BufferUnderflowException is generated in QRadar logging. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] com.q1labs.sem.nio.network.ReceiverServerWithChannelActivity 0.0.0.0:32005: [WARN] [NOT:0000004000][X.X.X.X/- -] [-/- -]Error: /127.0.0.1:41902 : RuntimeException : 0 records read, type: 68, expected buffer size after decompression: 0, expected record size: 195, java.nio.DirectByteBuffer[pos=182 lim=209 cap=13312000], Serializer: com.q1labs.core.types.networkevent.mapping.NetworkEventMappings$ECSMappingAll@1
[ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] java.lang.RuntimeException: 0 records read, type: 68, expected buffer size after decompression: 0, expected record size: 195, java.nio.DirectByteBuffer[pos=182 lim=209 cap=13312000], Serializer: com.q1labs.core.types.networkevent.mapping.NetworkEventMappings$ECSMappingAll@1
[ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.frameworks.nio.network.protocol.ProtocolProcessor.decode(ProtocolProcessor.java:281)
[ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.frameworks.nio.network.protocol.ProtocolProcessor.decodeCompressedObjectsSync(ProtocolProcessor.java:302)
[ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.frameworks.nio.network.protocol.Protocol.pollMessage(Protocol.java:1185)
[ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.frameworks.nio.network.protocol.Protocol$2.readFromChannel(Protocol.java:126)
[ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.frameworks.nio.network.protocol.Protocol.read(Protocol.java:396)
[ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.frameworks.nio.network.ReceiverServerProtocol.readAll(ReceiverServerProtocol.java:85)
[ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.frameworks.nio.network.ReceiverServer.read(ReceiverServer.java:229)
[ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.sem.nio.network.ReceiverServerWithChannelActivity.run(ReceiverServerWithChannelActivity.java:140)
[ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at java.lang.Thread.run(Thread.java:818)
[ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] Caused by: java.nio.BufferUnderflowException
[ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at java.nio.DirectByteBuffer.get(DirectByteBuffer.java:271)
[ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at java.nio.ByteBuffer.get(ByteBuffer.java:715)
[ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.core.types.networkevent.CustomPropertyRecord.fromByteBufferForMPC(CustomPropertyRecord.java:164)
[ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.core.types.networkevent.mapping.NetworkEventMappingUtils.readCustomPropertiesWithMPCAttributes(NetworkEventMappingUtils.java:435)
[ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.core.types.flow.mapping.FlowRecordMappingECS.readCustomProperties(FlowRecordMappingECS.java:139)
[ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.core.types.flow.mapping.FlowRecordMapping.getData(FlowRecordMapping.java:393)
[ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.core.types.flow.mapping.FlowRecordMapping.get(FlowRecordMapping.java:226)
[ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.core.types.flow.mapping.FlowRecordMappingECS.get(FlowRecordMappingECS.java:65)
[ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.core.types.flow.mapping.FlowRecordMappingECSAll.get(FlowRecordMappingECSAll.java:30)
[ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.core.types.networkevent.mapping.NetworkEventMappings$ECSMappingAll.getFlow(NetworkEventMappings.java:71)
[ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.core.types.networkevent.mapping.NetworkEventMappingEx.get(NetworkEventMappingEx.java:86)
[ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.core.types.networkevent.mapping.NetworkEventMappingEx.get(NetworkEventMappingEx.java:25)
[ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.frameworks.nio.network.protocol.ProtocolProcessor.decode(ProtocolProcessor.java:272)
[ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   ... 8 more
[ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] com.q1labs.sem.nio.network.ReceiverServerWithChannelActivity 0.0.0.0:32005: [WARN] [NOT:0000004000][X.X.X.X/- -] [-/- -]Error: /127.0.0.1:41930 : RuntimeException : 2 records read, type: 68, expected buffer size after decompression: 0, expected record size: 540, java.nio.DirectByteBuffer[pos=1130 lim=1411 cap=65536], Serializer: com.q1labs.core.types.networkevent.mapping.NetworkEventMappings$ECSMappingAll@1
[ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] java.lang.RuntimeException: 2 records read, type: 68, expected buffer size after decompression: 0, expected record size: 540, java.nio.DirectByteBuffer[pos=1130 lim=1411 cap=65536], Serializer: com.q1labs.core.types.networkevent.mapping.NetworkEventMappings$ECSMappingAll@1
[ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.frameworks.nio.network.protocol.ProtocolProcessor.decode(ProtocolProcessor.java:281)
[ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.frameworks.nio.network.protocol.ProtocolProcessor.decodeCompressedObjectsSync(ProtocolProcessor.java:302)
[ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.frameworks.nio.network.protocol.Protocol.pollMessage(Protocol.java:1185)
[ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.frameworks.nio.network.protocol.Protocol$2.readFromChannel(Protocol.java:126)
[ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.frameworks.nio.network.protocol.Protocol.read(Protocol.java:396)
[ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.frameworks.nio.network.ReceiverServerProtocol.readAll(ReceiverServerProtocol.java:85)
[ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.frameworks.nio.network.ReceiverServer.read(ReceiverServer.java:229)
[ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.sem.nio.network.ReceiverServerWithChannelActivity.run(ReceiverServerWithChannelActivity.java:140)
[ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at java.lang.Thread.run(Thread.java:818)
[ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] Caused by: java.nio.BufferUnderflowException
[ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at java.nio.DirectByteBuffer.get(DirectByteBuffer.java:271)
[ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at java.nio.ByteBuffer.get(ByteBuffer.java:715)
[ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.core.types.networkevent.CustomPropertyRecord.fromByteBufferForMPC(CustomPropertyRecord.java:164)
[ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.core.types.networkevent.mapping.NetworkEventMappingUtils.readCustomPropertiesWithMPCAttributes(NetworkEventMappingUtils.java:435)
[ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.core.types.flow.mapping.FlowRecordMappingECS.readCustomProperties(FlowRecordMappingECS.java:139)
[ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.core.types.flow.mapping.FlowRecordMapping.getData(FlowRecordMapping.java:393)
[ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.core.types.flow.mapping.FlowRecordMapping.get(FlowRecordMapping.java:226)
[ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.core.types.flow.mapping.FlowRecordMappingECS.get(FlowRecordMappingECS.java:65)
[ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.core.types.flow.mapping.FlowRecordMappingECSAll.get(FlowRecordMappingECSAll.java:30)
[ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.core.types.networkevent.mapping.NetworkEventMappings$ECSMappingAll.getFlow(NetworkEventMappings.java:71)
[ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.core.types.networkevent.mapping.NetworkEventMappingEx.get(NetworkEventMappingEx.java:86)
[ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.core.types.networkevent.mapping.NetworkEventMappingEx.get(NetworkEventMappingEx.java:25)
[ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   at com.q1labs.frameworks.nio.network.protocol.ProtocolProcessor.decode(ProtocolProcessor.java:272)
[ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP]   ... 8 more
31 July 2020
RULE RESPONSE IJ28818 ARIEL DATA FILE CORRUPTION CAN OCCUR CAUSING "I/O ERROR" DURING SEARCHES WHEN EMAIL RESPONSE TO A SPECIFIC RULE IS CONFIGURED CLOSED Resolved in
QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)

Workaround
Where possible, do not use the email response option when using the rule "log source stopped sending events".

Issue
Ariel data corruption can occur when the rule "log source stopped sending events" is used with a large number of Custom Event Properties (CEP) and/or a large number of log sources in a log source group, and an email response is configured on the rule.

When this data corruption is experienced, ariel searches can generate an "I/O error" in the QRadar User Interface if the corrupted files are accessed.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
java.lang.IndexOutOfBoundsException
        at java.nio.Buffer.checkBounds(Buffer.java:578)
        at java.nio.ByteBuffer.get(ByteBuffer.java:686)
        at java.nio.DirectByteBuffer.get(DirectByteBuffer.java:285)
        at com.q1labs.core.types.BitMask.getBitMask(BitMask.java:107)
        at com.q1labs.core.types.event.mapping.NormalizedEventMappingV2.get(NormalizedEventMappingV2.java:61)
        at com.q1labs.core.types.event.mapping.NormalizedEventMappingV2.get(NormalizedEventMappingV2.java:31)
        at com.q1labs.ariel.FileReader.doRead(FileReader.java:192)
        at com.q1labs.ariel.FileReader.read(FileReader.java:184)
        at com.q1labs.ariel.RecordDumper.dumpRecords(RecordDumper.java:66)
        at com.q1labs.cve.utils.CommandLineClient.doDump(CommandLineClient.java:153)
        at com.q1labs.cve.utils.CommandLineClient.run(CommandLineClient.java:188)
        at com.q1labs.cve.utils.CommandLineClient.main(CommandLineClient.java:173)

------- or --------
java.lang.IllegalStateException: Potential mapping error. Array size: -1792 Max is 32767
 at com.q1labs.frameworks.nio.MappingBase.getSizeShort(MappingBase.java:86)
 at com.q1labs.frameworks.nio.MappingBase.getSizeShort(MappingBase.java:80)
 at com.q1labs.core.types.networkevent.mapping.NetworkEventMappingUtils.readCustomRuleResultMap(NetworkEventMappingUtils.java:238)
 at com.q1labs.core.types.event.mapping.NormalizedEventMappingV2.readCustomRules(NormalizedEventMappingV2.java:715)
 at com.q1labs.core.types.event.mapping.NormalizedEventMappingV2.get(NormalizedEventMappingV2.java:147)
 at com.q1labs.core.types.event.mapping.NormalizedEventMappingV2.get(NormalizedEventMappingV2.java:35)
 at com.q1labs.ariel.FileReader.doRead(FileReader.java:192)
 at com.q1labs.ariel.FileReader.read(FileReader.java:184)
 at com.q1labs.ariel.searches.service.ids.ArielFile$Crawler.nextRecord(ArielFile.java:31)
 at com.q1labs.ariel.searches.service.ids.ArielFile.next(ArielFile.java:206)
 at com.q1labs.ariel.searches.service.ids.FilteredSource.next(FilteredSource.java:39)
 at com.q1labs.ariel.searches.tasks.QueryWorker.execute(QueryWorker.java:53)
 at com.q1labs.ariel.searches.tasks.ServiceTaskBase.runTask(ServiceTaskBase.java:89)
 at com.q1labs.ariel.searches.tasks.ServiceTask.runTask(ServiceTask.java:69)
 at com.q1labs.ariel.searches.tasks.ServiceTaskBase$Runner.run(ServiceTaskBase.java:32)
 at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
 at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
 at java.lang.Thread.run(Thread.java:818)

-------or-------
[ecs-ep.ecs-ep] Ariel Writer#events com.q1labs.frameworks.core.ThreadExceptionHandler: [ERROR] [NOT:0000003000][ IP_ADDRESS/- -] [-/- -]Exception was uncaught in thread: Ariel Writer#events
[ecs-ep.ecs-ep] Ariel Writer#events java.lang.NullPointerException
[ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.core.types.networkevent.CustomPropertyRecord.toByteBuffer(CustomPropertyRecord.java:188)
[ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.core.types.networkevent.mapping.NetworkEventMappingUtils.writeCustomProperties(NetworkEventMappingUtils.java:326)
[ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.core.types.event.mapping.NormalizedEventMappingV2.putCustomProperties(NormalizedEventMappingV2.java:701)
[ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.core.types.event.mapping.NormalizedEventMappingV2.putEvent(NormalizedEventMappingV2.java:541)
[ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.core.types.event.mapping.NormalizedEventMappings$ExludeCachedResults.putData(NormalizedEventMappings.java:68)
[ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.core.types.event.mapping.NormalizedEventMappingV2.put(NormalizedEventMappingV2.java:281)
[ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.core.types.event.mapping.NormalizedEventMappingV2.put(NormalizedEventMappingV2.java:35)
[ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.ariel.io.NIOFileWriter.write(NIOFileWriter.java:110)
[ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.ariel.io.SimpleWriter.writeRecord(SimpleWriter.java:47)
[ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.ariel.io.BucketWriter.writeRecord(BucketWriter.java:62)
[ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.ariel.io.AbstractDatabaseWriter.put(AbstractDatabaseWriter.java:114)
[ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.ariel.DatabaseWriterAsync.processRecord(DatabaseWriterAsync.java:131)
[ecs-ep.ecs-ep] Ariel Writer#events at com.q1labs.ariel.ScatteringDatabaseWriter.access$401(ScatteringDatabaseWriter.java:30
10 November 2020
PROTOCOLS IJ29518 SMBTAILPROTOCOL LOG SOURCES CAN FUNCTION NORMALLY BUT DISPLAY IN 'ERROR' STATE WHEN A JNQEXCEPTION OCCURS OPEN Workaround
No workaround available.

APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the Subscribe button on the right side of this page or ask a question about this APAR in our Support Forums.

Issue
Log Sources using the SMBTail Protocol display in an error state when a jNQ exception is thrown, but the Log Source continues to function as expected. The status value in the messages below, 0xC0000043, is the Windows NTSTATUS code STATUS_SHARING_VIOLATION: the file is currently open by another process with a share mode that does not permit the open. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[ecs-ec-ingress.ecs-ec-ingress] [Folder Monitor [127.0.0.1][smb://127.0.0.1/dhcplog/]] com.q1labs.semsources.sources.smbtail.io.jnq.JNQException: Unable to create/open - j50.log status = -1073741757 (0xc0000043) (0xC0000043)
[ecs-ec-ingress.ecs-ec-ingress] [Folder Monitor [127.0.0.1][smb://127.0.0.1/dhcplog/]] com.q1labs.semsources.sources.windowsdhcp.WindowsDHCPTailProvider: [ERROR] [NOT:0000003000][10.42.165.13/- -] [-/- -]TailingException: Unable to create/open - j50.log status = -1073741757 (0xc0000043) (0xC0000043)
02 December 2020
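Several of the entries above (IJ30161, IJ29115, IJ26689, IJ28818 and IJ29518) are identified by a distinctive string in /var/log/qradar.log. The following is an added example, not IBM's code, that maps those strings back to their APAR numbers so a log extract can be triaged in one pass. The fixed strings are taken from the entries on this page; the APAR-to-string table, the function names and the constructed sample log are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not IBM's code): triage a qradar.log against the log
# signatures quoted in the APAR entries on this page. The fixed strings are
# lifted from those entries; the APAR-to-string table, the helper names and
# the constructed sample log are this example's own assumptions.

set -eu

# apar_signatures: one "APAR<TAB>fixed-string" pair per line. Fixed strings
# (grep -F) avoid regex surprises from the '$', '[' and '.' in the messages.
apar_signatures() {
    printf '%s\t%s\n' \
        IJ30161 'Waiting for valid license' \
        IJ29115 'ERROR: could not parse XML document' \
        IJ26689 'Caused by: java.nio.BufferUnderflowException' \
        IJ28818 'Potential mapping error. Array size' \
        IJ28818 'CustomPropertyRecord.toByteBuffer' \
        IJ29518 'JNQException: Unable to create/open'
}

# match_apars LOGFILE -> "APAR hits" for each APAR with at least one hit,
# hits summed across that APAR's strings, sorted by APAR number.
match_apars() {
    log=$1
    tab=$(printf '\t')
    apar_signatures | while IFS="$tab" read -r apar pat; do
        n=$(grep -F -c -- "$pat" "$log" || true)
        if [ "$n" -gt 0 ]; then
            printf '%s %s\n' "$apar" "$n"
        fi
    done | awk '{ hits[$1] += $2 } END { for (a in hits) print a, hits[a] }' | sort
}

# apar_hits LOGFILE APAR -> hit count for one APAR (0 when absent)
apar_hits() {
    match_apars "$1" | awk -v want="$2" '$1 == want { print $2; found = 1 } END { if (!found) print 0 }'
}

# write_sample_log FILE: a constructed extract in the qradar.log layout seen
# above (not a real capture): two IJ30161 lines, one IJ29115 line, one
# IJ26689 line and one unrelated line.
write_sample_log() {
    cat > "$1" <<'EOF'
[ecs-ec-ingress.ecs-ec-ingress] [main] com.eventgnosis.ecs: [INFO] [NOT:6000][X.X.X.X/- -] [-/- -]Waiting for valid license...
[ecs-ep.ecs-ep] [main] com.eventgnosis.ecs: [INFO] [NOT:6000][X.X.X.X/- -] [-/- -]Waiting for valid license...
[tomcat.tomcat] [pool-1-thread-3] org.apache.openjpa.lib.jdbc.ReportingSQLException: ERROR: could not parse XML document
[ecs-ep.ecs-ep] [ReceiverServer:ecs-ep/EP/Q1From_EC_via_TCPIP] Caused by: java.nio.BufferUnderflowException
[hostcontext.hostcontext] [main] com.q1labs.hostcontext.HostContext: [INFO] [NOT:0000006000][X.X.X.X/- -] [-/- -]Startup complete
EOF
}

# Demo on the constructed sample; on an appliance run: match_apars /var/log/qradar.log
sample=$(mktemp)
write_sample_log "$sample"
match_apars "$sample"
rm -f "$sample"
```

A hit only says the signature is present; confirm the version in the entry's "Affected versions" or "Resolved in" column before attributing the symptom to the APAR, since the same message text can appear for other reasons.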
PROTOCOLS IJ29923 THE QRADAR MSRPC PROTOCOL CAN INCREASE CPU UTILIZATION ON MICROSOFT WINDOWS SERVERS OPEN Workaround
A flash notice is available for administrators that describes how to downgrade the Microsoft Windows Security Event Log over MSRPC version. For more information, see: https://www.ibm.com/support/pages/node/6382106.

Issue
Administrators who installed the latest version of the MSRPC protocol from the 9 December 2020 weekly auto update can experience increased CPU utilization for the EventLog service (running under svchost.exe) on their Windows Servers. Over time, this issue can lead to instability on the remote server. Administrators can downgrade their Microsoft Security Event Log over MSRPC protocol (PROTOCOL-WindowsEventRPC) version to avoid this reported issue.

The following RPM versions are affected by this issue:
  • PROTOCOL-WindowsEventRPC-7.3-20201110190432.noarch.rpm
  • PROTOCOL-WindowsEventRPC-7.4-20201110190414.noarch.rpm
14 December 2020
UPGRADE IJ28593 QRADAR PATCHING PROCESS CAN BE SLOWER THAN EXPECTED WHEN MILLIONS OF RECORDS EXIST IN DATABASE TARGET TABLES OPEN Workaround
Contact support for a possible workaround that might address this issue in some instances.

Issue
The QRadar patching process can run slower than expected in instances where there are millions of records in the database target tables.

To identify whether the patching process is affected, review the patches.log file for the database clean-up messages. If /var/log/setup-#####/patches.log is writing "Removing id" messages for the target database tables at a rate of fewer than 50 lines per second, this can indicate that you need to contact support. For example:
Removing id = XXXXX from public.target table.
08 December 2020
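The 50 lines per second figure above is easiest to judge by sampling. The following is an added example, not IBM's code, that counts the "Removing id" lines in patches.log at the start and end of a window and compares the resulting rate with that threshold. The message text is the one shown in the entry; the threshold variable, the window length, the function names and the constructed sample file are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not IBM's code): sample the "Removing id = ..." clean-up
# rate in patches.log over a window and compare it with the 50 lines/second
# figure quoted in the APAR. The message text is the one shown above; the
# threshold variable, window length, function names and the constructed
# sample file are this example's own assumptions.

set -eu

THRESHOLD=50   # lines per second; below this the APAR suggests contacting support

# count_removals LOGFILE -> number of "Removing id = ..." lines written so far
count_removals() {
    grep -c 'Removing id = ' "$1" || true
}

# removal_rate LOGFILE SECONDS -> integer lines/second over a SECONDS-long window
removal_rate() {
    before=$(count_removals "$1")
    sleep "$2"
    after=$(count_removals "$1")
    echo $(( (after - before) / $2 ))
}

# judge_rate RATE -> "slow" when under THRESHOLD, else "ok"
judge_rate() {
    if [ "$1" -lt "$THRESHOLD" ]; then echo slow; else echo ok; fi
}

# newest_patches_log -> most recently modified /var/log/setup-*/patches.log
newest_patches_log() {
    ls -t /var/log/setup-*/patches.log 2>/dev/null | head -n 1
}

# Demo on a constructed, static file: nothing is appended during the window,
# so the rate is 0 and the verdict is "slow". During a real patch:
#   rate=$(removal_rate "$(newest_patches_log)" 10); judge_rate "$rate"
demo=$(mktemp)
i=1
while [ "$i" -le 30 ]; do
    echo "Removing id = $i from public.target table." >> "$demo"
    i=$((i + 1))
done
echo "removals so far: $(count_removals "$demo")"
rate=$(removal_rate "$demo" 1)
echo "rate over 1s: ${rate}/s -> $(judge_rate "$rate")"
rm -f "$demo"
```

Use a window of at least ten seconds on a live patch; a one-second sample straddling a table boundary or a checkpoint can read low without the patch actually being stalled.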
SECURITY BULLETIN CVE-2020-2590
CVE-2020-2601
CVE-2020-14621
CVE-2020-14577
CVE-2020-14578
CVE-2020-14579
CVE-2020-2781
CVE-2020-2583
MULTIPLE VULNERABILITIES IN IBM JAVA SDK AND IBM JAVA RUNTIME AFFECT IBM QRADAR SIEM CLOSED Resolved in
QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722)

Affected versions
  • IBM QRadar SIEM 7.3.0 to 7.3.0 Patch 5
  • IBM QRadar SIEM 7.4.0 to 7.4.1 Patch 1
Issue
  • CVE-2020-2590: An unspecified vulnerability in Java SE related to the Java SE Security component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. CVSS Base score: 3.7
  • CVE-2020-2601: An unspecified vulnerability in Oracle Java SE related to the Java SE, Java SE Embedded Security component could allow an unauthenticated attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors. CVSS Base score: 6.8
  • CVE-2020-14621: An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact. CVSS Base score: 5.3
  • CVE-2020-14577: An unspecified vulnerability in Java SE related to the JSSE component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors. CVSS Base score: 3.7
  • CVE-2020-14578: An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVSS Base score: 3.7
  • CVE-2020-14579: An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVSS Base score: 3.7
  • CVE-2020-2781: An unspecified vulnerability in Java SE related to the Java SE JSSE component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVSS Base score: 5.3
  • CVE-2020-2583: An unspecified vulnerability in Java SE related to the Java SE Serialization component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVSS Base score: 3.7
15 December 2020
SECURITY BULLETIN CVE-2019-12400 APACHE SANTUARIO AS USED IN IBM QRADAR SIEM IS VULNERABLE TO IMPROPER INPUT VALIDATION CLOSED Resolved in
QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722)

Affected versions
  • IBM QRadar SIEM 7.3.0 to 7.3.0 Patch 5
  • IBM QRadar SIEM 7.4.0 to 7.4.1 Patch 1
Issue
Apache Santuario XML Security for Java could allow a remote attacker to bypass security restrictions, caused by the loading of XML parsing code from an untrusted source. An attacker could exploit this vulnerability to launch further attacks on the system when validating signed documents. CVSS Base score: 5.3
15 December 2020
SECURITY BULLETIN CVE-2020-13692 POSTGRESQL JDBC DRIVER AS USED IN IBM QRADAR SIEM IS VULNERABLE TO INFORMATION DISCLOSURE CLOSED Resolved in
QRadar 7.4.2 (7.4.2.20201113144954)
QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722)

Affected versions
  • IBM QRadar SIEM 7.3.0 to 7.3.0 Patch 5
  • IBM QRadar SIEM 7.4.0 to 7.4.1 Patch 1
Issue
PostgreSQL JDBC Driver could allow a remote authenticated attacker to obtain sensitive information, caused by an XML external entity (XXE) error when processing XML data. By sending specially crafted XML data, a remote attacker could exploit this vulnerability to obtain sensitive information. CVSS Base score: 6.5
15 December 2020
SECURITY BULLETIN CVE-2014-3607 LDAPTIVE AS USED IN IBM QRADAR SIEM IS VULNERABLE TO SPOOFING CLOSED Resolved in
QRadar 7.4.2 (7.4.2.20201113144954)
QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722)

Affected versions
  • IBM QRadar SIEM 7.3.0 to 7.3.0 Patch 5
  • IBM QRadar SIEM 7.4.0 to 7.4.1 Patch 1
Issue
Ldaptive could allow a remote attacker to conduct a spoofing attack via DefaultHostnameVerifier, caused by the failure to properly verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the X.509 certificate. By persuading a victim to visit a specially crafted Web site, an attacker could exploit this vulnerability to spoof an SSL server. CVSS Base score: 5.3
15 December 2020
LOG SOURCE MANAGEMENT APP IJ29323 EXPORTING LOG SOURCES TO CSV THAT USE AN XPATH WITH LINE BREAKS CAUSES EXTRA LINES TO BE GENERATED WITHIN THE EXPORTED CSV FILE OPEN Workaround
When exporting Log Sources from the Log Source Management (LSM) app, users can remove the line breaks when entering the data into the LSM app or edit the CSV file to remove them after it is generated by the export.

Issue
When exporting Log Sources from the Log Source Management app, if any Windows Log Sources use an XPath query that contains line breaks, those line breaks are written into the exported CSV file as additional lines, so the CSV displays incorrectly.
19 November 2020
UBA IJ29455 USER BEHAVIOR ANALYTICS (UBA) APP VERSIONS PRIOR TO VERSION 3.8 FAIL TO START AFTER AN UPGRADE TO QRADAR 7.4.2 GA OPEN Workaround
Administrators can upgrade their UBA app to version 3.8 or later after they complete their QRadar 7.4.2 upgrade.

Issue
The User Behavior Analytics for QRadar App (UBA) versions prior to 3.8 fail to load or start after an upgrade to QRadar version 7.4.2 GA.
26 November 2020
AUTO UPDATE IJ29298 AUTOUPDATE ERROR IN THE QRADAR USER INTERFACE AFTER CHANGING TO THE NEW CLOUD BASED ADDRESS OPEN Workaround
This error described is benign and does not cause any problems with the autoupdate download or expected functionality.

Issue
After changing the Autoupdate server to the new Cloud based address, the user interface can display a benign error message as described in this technical note.

Error message:
Autoupdate settings are updated. However, the system cannot
connect to the specified web server address, directory. This
will cause updates to fail. Verify that web server address,
directory, credentials and the proxy settings are configured
correctly and the web server is running properly.
16 November 2020
ASSETS IJ26166 VULN COUNT IN ASSET LIST VIEW CAN FAIL TO MATCH VULN COUNT IN ASSET DETAILS OR QVM MANAGE VULNS BY ASSET VIEW OPEN Workaround
No workaround available.

APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the Subscribe button on the right side of this page or ask a question about this APAR in our Support Forums.

Issue
The vulnerability count in Asset list view can fail to match the vulnerability count in asset details or in the QVM manage vulnerabilities by asset view. This vulnerability count mismatch can be observed when using the api endpoint /qvm/vuln also. The mismatch occurs when vulnerabilities are no longer present on a second scan after being fixed or a service being disabled. The mismatch can also occur if vulnerability exceptions are configured.
14 July 2020
SCAN RESULTS IJ29292 WHEN THE QVM PROCESSOR IS NOT RUNNING ON THE CONSOLE, SCAN START AND STOP EMAILS CONTAIN INCORRECT DATA IN SUBJECT AND BODY OPEN Workaround
No workaround available.

APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the Subscribe button on the right side of this page or ask a question about this APAR in our Support Forums.

Issue
When the QVM processor is not running on the console, scan start and scan stop emails contain: '$body.scanProfile.name' instead of the name of the scan profile.
24 November 2020
USER INTERFACE IJ28347 THE TOMCAT SERVICE CAN HANG ON STARTUP WHEN CUSTOM AQL PROPERTIES EXIST CLOSED Resolved in
QRadar 7.4.2 (7.4.2.20201113144954)
QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)

Workaround
Administrators can install the software version that resolves this software issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances.

Issue
In some instances the QRadar Tomcat service (required for the User Interface) can hang during service startup due to the occurrence of deadlocks when custom AQL properties are configured in QRadar.
26 November 2020
SYSTEM NOTIFICATIONS IJ26223 QRADAR DEPLOY OVERWRITES INDIVIDUALLY CONFIGURED SAR SENTINEL NOTIFICATION TUNING FOR EACH MANAGED HOST WITH CONSOLE'S CLOSED Resolved in
QRadar 7.4.2 (7.4.2.20201113144954)
QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)

Workaround
Administrators can install the software version that resolves this software issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances.

Issue
The QRadar Deploy function overwrites the SAR Sentinel notification configuration tunings for each Managed Host in the deployment with that of the Console. This can cause erroneous SAR Sentinel "system load" notification messages to be generated for some QRadar Managed Hosts.
26 November 2020
DSM EDITOR IJ26131 'FAILED TO LOAD DATA' ERROR DISPLAYED IN THE QRADAR DSM EDITOR WINDOW CLOSED Resolved in
QRadar 7.4.2 (7.4.2.20201113144954)

Workaround
Administrators can install a software version that resolves this software issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances.

Issue
A 'failed to load data' message can be displayed in the QRadar DSM Editor while performing Event mapping.

Example steps that can generate this error:
  1. Open the Event mapping tab in the DSM Editor for the log source type Windows Security Event Log.
  2. Filter for the event with ID=1 and category="Microsoft-Windows-Sysmon/Operational".
  3. Override that event with any other event (it does not matter which one) and save the changes.
  4. Reload the DSM Editor; the error "failed to load data" is displayed.
Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[tomcat.tomcat] [/console/restapi/api/application/data_ingestion/mappings/12] com.q1labs.frameworks.session.SessionContext: [ERROR] 1 leak(s) detected in session context: xxxx-xxxx-xxxx-xxxx-xxxx
[tomcat.tomcat] [/console/restapi/api/application/data_ingestion/mappings/12] com.q1labs.frameworks.session.SessionContext: [ERROR] java.sql.PreparedStatement leak detected. Object created in following code path
[tomcat.tomcat] [/console/restapi/api/application/data_ingestion/mappings/12] java.lang.Exception
[tomcat.tomcat] [/console/restapi/api/application/data_ingestion/mappings/12] at com.q1labs.frameworks.session.BaseWrapper.<init>(BaseWrapper.java)
[tomcat.tomcat] [/console/restapi/api/application/data_ingestion/mappings/12] at com.q1labs.frameworks.session.PreparedStatementWrapper.<init>(PreparedStatementWrapper.java:35)
[tomcat.tomcat] [/console/restapi/api/application/data_ingestion/mappings/12] at com.q1labs.frameworks.session.ConnectionWrapper.prepareStatement(ConnectionWrapper.java:262)
[tomcat.tomcat] [/console/restapi/api/application/data_ingestion/mappings/12] at com.ibm.si.data_ingestion.api.impl.application.ApplicationAPIImpl.getMappings(ApplicationAPIImpl.java:262)
[tomcat.tomcat] [/console/restapi/api/application/data_ingestion/mappings/12] at com.ibm.si.data_ingestion.api.v7_0.application.ApplicationAPI.getEventMappings(ApplicationAPI.java:175)
[tomcat.tomcat] [/console/restapi/api/application/data_ingestion/mappings/12] org.postgresql.util.PSQLException: The column name lc_name was not found in this ResultSet.
[tomcat.tomcat] [/console/restapi/api/application/data_ingestion/mappings/12] at org.postgresql.jdbc.PgResultSet.findColumn(PgResultSet.java)
[tomcat.tomcat] [/console/restapi/api/application/data_ingestion/mappings/12] at org.postgresql.jdbc.PgResultSet.getString(PgResultSet.java:2467)
[tomcat.tomcat] [/console/restapi/api/application/data_ingestion/mappings/12] at com.mchange.v2.c3p0.impl.NewProxyResultSet.getString(NewProxyResultSet.java:3342)
[tomcat.tomcat] [/console/restapi/api/application/data_ingestion/mappings/12] at org.apache.openjpa.lib.jdbc.DelegatingResultSet.getString(DelegatingResultSet.java:187)
[tomcat.tomcat] [/console/restapi/api/application/data_ingestion/mappings/12] at com.ibm.si.data_ingestion.api.impl.application.ApplicationAPIImpl.getMappings(ApplicationAPIImpl.java:284)
26 November 2020
QRADAR NETWORK INSIGHTS IJ26096 WHEN RUNNING QNI IN ADVANCED MODE MESSAGES '...[ERRNO 24] TOO MANY OPEN FILES' ARE WRITTEN TO QRADAR LOGGING CLOSED Resolved in
QRadar 7.4.2 (7.4.2.20201113144954)
QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)

Workaround
Administrators can install the software version that resolves this software issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances.

Issue
When running QRadar Network Insights in Advanced Mode, repeated messages similar to the following can sometimes be observed being written to /var/log/qradar.log:
TikaServer (6690) - ERROR - Error starting subprocess: [Errno 24] Too many open files
TikaServer (6690) - ERROR - Error starting subprocess: [Errno 24] Too many open files
26 November 2020
SEARCH IJ26095 QUICK SEARCH 'TOP IDS/IPS ALERT BY COUNTRY/REGION' GROUPS BY THE NON-EXISTENT COLUMN 'GEOGRAPHIC COUNTRY/REGION' CLOSED Resolved in
QRadar 7.4.2 (7.4.2.20201113144954)

Workaround
Administrators can install the software version that resolves this software issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances.

Issue
The quick search 'Top IDS/IPS Alert by Country/Region' groups by a non-existent column 'Geographic Country/Region'.

For example:
  1. Navigate to the Log Activity tab and select Quick Searches.
  2. Load the search "Top IDS/IPS Alert by Country/Region". Note that it is grouping by the column "Geographic Country/Region".
  3. Go to Edit Search. Notice that the Group By column is empty.
  4. Search for the column under "Available Columns".

Results
Expected: Column "Geographic Country/Region" is displayed.
Actual: Column "Geographic Country/Region" is not displayed; instead, the columns "Source Geographic Country/Region" and "Destination Geographic Country/Region" are displayed.
26 November 2020
QRADAR VULNERABILITY MANAGER IJ26089 QVM SCHEDULED SCANS CAN FAIL TO DISPLAY WHEN THERE ARE A LARGE NUMBER OF SCAN PROFILE CRON SCHEDULES CLOSED Resolved in
QRadar 7.4.2 (7.4.2.20201113144954)

Workaround
No workaround available. Administrators must upgrade to resolve this software issue.

Issue
QRadar Vulnerability Manager scheduled scan entries can fail to be displayed in the User Interface calendar view when there are a large number (hundreds) of scan profile cron schedules. When this issue occurs, clicking in the scheduled scans view in the User Interface can generate an error in the QRadar Console's /var/log/qradar.error log if the qvmprocessor is deployed on a separate QRadar managed host. Note: This issue is less likely to occur on systems with only a small number of scan profiles. Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs:
[tomcat.tomcat] [admin@127.0.0.1(8387) /console/JSON-RPC/QVM.getCronScanProfiles QVM.getCronScanProfiles] com.q1labs.core.ui.servlet.RemoteJavaScript: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]An exception occurred while executing the remote method 'getCronScanProfiles'
{hostname} tomcat[13976]: org.apache.cxf.interceptor.Fault: Could not receive Message.
[tomcat.tomcat] [admin@127.0.0.1(8387) /console/JSON-RPC/QVM.getCronScanProfiles QVM.getCronScanProfiles] javax.xml.ws.WebServiceException: Could not receive Message.
[tomcat.tomcat] [admin@127.0.0.1(8387) /console/JSON-RPC/QVM.getCronScanProfiles QVM.getCronScanProfiles]    at org.apache.cxf.jaxws.JaxWsClientProxy.mapException(JaxWsClientProxy.java:183)
[tomcat.tomcat] [admin@127.0.0.1(8387) /console/JSON-RPC/QVM.getCronScanProfiles QVM.getCronScanProfiles]    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:145)
[tomcat.tomcat] [admin@127.0.0.1(8387) /console/JSON-RPC/QVM.getCronScanProfiles QVM.getCronScanProfiles]    at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
[tomcat.tomcat] [admin@127.0.0.1(8387) /console/JSON-RPC/QVM.getCronScanProfiles QVM.getCronScanProfiles]    at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java)
[tomcat.tomcat] [admin@127.0.0.1(8387) /console/JSON-RPC/QVM.getCronScanProfiles QVM.getCronScanProfiles]    at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java)
{hostname} tomcat[13976]: at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:355)
[tomcat.tomcat] [admin@127.0.0.1(8387) /console/JSON-RPC/QVM.getCronScanProfiles QVM.getCronScanProfiles]    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
[tomcat.tomcat] [admin@127.0.0.1(8387) /console/JSON-RPC/QVM.getCronScanProfiles QVM.getCronScanProfiles]    at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:531)
[tomcat.tomcat] [admin@127.0.0.1(8387) /console/JSON-RPC/QVM.getCronScanProfiles QVM.getCronScanProfiles]    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:440)
[tomcat.tomcat] [admin@127.0.0.1(8387) /console/JSON-RPC/QVM.getCronScanProfiles QVM.getCronScanProfiles]    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:355)
[tomcat.tomcat] [admin@127.0.0.1(8387) /console/JSON-RPC/QVM.getCronScanProfiles QVM.getCronScanProfiles]    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:313)
[tomcat.tomcat] [admin@127.0.0.1(8387) /console/JSON-RPC/QVM.getCronScanProfiles QVM.getCronScanProfiles]    at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java)
[tomcat.tomcat] [admin@127.0.0.1(8387) /console/JSON-RPC/QVM.getCronScanProfiles QVM.getCronScanProfiles]    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:140)
[tomcat.tomcat] [admin@127.0.0.1(8387) /console/JSON-RPC/QVM.getCronScanProfiles QVM.getCronScanProfiles]    ... 67 more
[tomcat.tomcat] [admin@127.0.0.1(8387) /console/JSON-RPC/QVM.getCronScanProfiles QVM.getCronScanProfiles] Caused by:
[tomcat.tomcat] [admin@127.0.0.1(8387) /console/JSON-RPC/QVM.getCronScanProfiles QVM.getCronScanProfiles] java.net.SocketTimeoutException: Read timed out
[tomcat.tomcat] [admin@127.0.0.1(8387) /console/JSON-RPC/QVM.getCronScanProfiles QVM.getCronScanProfiles]    at java.net.SocketInputStream.socketRead0(Native Method)
[tomcat.tomcat] [admin@127.0.0.1(8387) /console/JSON-RPC/QVM.getCronScanProfiles QVM.getCronScanProfiles]    at java.net.SocketInputStream.socketRead(SocketInputStream.java)
[tomcat.tomcat] [admin@127.0.0.1(8387) /console/JSON-RPC/QVM.getCronScanProfiles QVM.getCronScanProfiles]    at java.net.SocketInputStream.read(SocketInputStream.java:182)
[tomcat.tomcat] [admin@127.0.0.1(8387) /console/JSON-RPC/QVM.getCronScanProfiles QVM.getCronScanProfiles]    at java.net.SocketInputStream.read(SocketInputStream.java:152)
[tomcat.tomcat] [admin@127.0.0.1(8387) /console/JSON-RPC/QVM.getCronScanProfiles QVM.getCronScanProfiles]    at com.ibm.jsse2.b.a(b.java:297)
[tomcat.tomcat] [admin@127.0.0.1(8387) /console/JSON-RPC/QVM.getCronScanProfiles QVM.getCronScanProfiles]    at com.ibm.jsse2.b.a(b.java:290)
[tomcat.tomcat] [admin@127.0.0.1(8387) /console/JSON-RPC/QVM.getCronScanProfiles QVM.getCronScanProfiles]    at com.ibm.jsse2.av.a(av.java:840)
{hostname} tomcat[13976]: at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
{hostname} tomcat[13976]: at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
{hostname} tomcat[13976]: at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
{hostname} tomcat[13976]: at java.lang.Thread.run(Thread.java:818)
{hostname} tomcat[13976]: Caused by:
{hostname} tomcat[13976]: java.net.SocketTimeoutException: SocketTimeoutException invoking https://XXXXXXXXXX:9999/scanProfileService: Read timed out
{hostname} tomcat[13976]: at sun.reflect.GeneratedConstructorAccessor697.newInstance(Unknown Source)
{hostname} tomcat[13976]: at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:57)
{hostname} tomcat[13976]: at java.lang.reflect.Constructor.newInstance(Constructor.java:437)
{hostname} tomcat[13976]: at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.mapException(HTTPConduit.java:1402)
{hostname} tomcat[13976]: at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1386)
{hostname} tomcat[13976]: at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
{hostname} tomcat[13976]: at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java)
{hostname} tomcat[13976]: at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java)
{hostname} tomcat[13976]: ... 74 more
{hostname} tomcat[13976]: Caused by:
{hostname} tomcat[13976]: java.net.SocketTimeoutException: Read timed out
{hostname} tomcat[13976]: at java.net.SocketInputStream.socketRead0(Native Method)
{hostname} tomcat[13976]: at java.net.SocketInputStream.socketRead(SocketInputStream.java:127)
{hostname} tomcat[13976]: at java.net.SocketInputStream.read(SocketInputStream.java:182)
26 November 2020
OFFENSES IJ25448 'APPLICATION ERROR' WHEN ATTEMPTING TO CLOSE AN OFFENSE ACCESSED FROM AN EMAIL LINK CLOSED Resolved in
QRadar 7.4.2 (7.4.2.20201113144954)
QRadar 7.4.1 (7.4.1.20200716115107)
QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505)
QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002)

Workaround
Navigate manually to the Offense using the QRadar user interface "Offenses" tab.

Issue
When attempting to close an Offense from within an email link, an "Application Error" is generated in the QRadar User Interface.

The Offense opens as expected from within the email link, but the "Application Error" occurs when attempting to close it. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties] com.q1labs.uiframeworks.action.ExceptionHandler: [ERROR] [NOT:0000003000][127.0.0.1 /- -] [-/- -]An exception occurred while processing the request:
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties] com.ibm.si.content_management.utils.ApplicationErrorStateException
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties]    at com.q1labs.sem.ui.action.MaintainProperties.findNextForward(MaintainProperties.java:230)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties]    at com.q1labs.sem.ui.action.MaintainProperties.updatePropertiesSecure(MaintainProperties.java:80)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties]    at com.q1labs.sem.ui.action.MaintainProperties.updateProperties(MaintainProperties.java:213)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties]    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties]    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties]    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties]    at java.lang.reflect.Method.invoke(Method.java:508)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties]    at org.apache.struts.actions.DispatchAction.dispatchMethod(DispatchAction.java:280)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties]    at org.apache.struts.actions.DispatchAction.execute(DispatchAction.java:216)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties]    at com.q1labs.uiframeworks.actions.DispatchAction.execute(DispatchAction.java:64)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties]    at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:484)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties]    at com.q1labs.uiframeworks.action.RequestProcessor.processActionPerform(RequestProcessor.java:101)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties]    at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:275)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties]    at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1482)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties]    at com.q1labs.uiframeworks.action.ActionServlet.process(ActionServlet.java:122)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties]    at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties]    at javax.servlet.http.HttpServlet.service(HttpServlet.java:661)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties]    at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties]    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties]    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties]    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties]    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties]    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties]    at com.q1labs.uiframeworks.servlet.AddUserHeaderFilter.doFilter(AddUserHeaderFilter.java:86)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties]    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties]    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties]    at com.q1labs.uiframeworks.servlet.ThreadNameFilter.doFilter(ThreadNameFilter.java:53)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties]    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties]    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties]    at com.q1labs.core.ui.filters.StrutsParamFilter.doFilter(StrutsParamFilter.java:41)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties]    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties]    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties]    at com.q1labs.uiframeworks.postauthredirect.PostLoginRedirectFilter.doFilter(PostLoginRedirectFilter.java:70)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties]    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties]    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
[tomcat.tomcat] [admin@127.0.0.1 (1312) /console/do/sem/properties]    at com.q1labs.uiframeworks.auth.AuthenticationVerificationFilter.doFilter(AuthenticationVerificationFilter.java:304)
15 September 2020
ASSETS IJ25823 NO ASSETS FOUND WHEN USING SCAN RESULTS -> OPEN SERVICES -> ASSETS CLOSED Resolved in
QRadar 7.4.2 (7.4.2.20201113144954)

Workaround
Perform an asset search on the Asset tab using the "Assets With Open Service" search parameter.

Issue
An asset can fail to be found when using Scan Results -> Open Services -> Assets on the Vulnerabilities tab. This occurs when the asset has the service, but has no vulnerabilities.
26 November 2020
SEARCH IJ25805 NULLPOINTEREXCEPTION CAN CAUSE ACCUMULATED VALUE TIMESERIES DATA DISCREPANCIES WHEN MANAGED HOSTS ARE ENCRYPTED CLOSED Resolved in
QRadar 7.4.2 (7.4.2.20201113144954)

Workaround
Where possible, disable encryption for Managed Hosts.

Issue
When encryption is enabled for Managed Hosts and a NullPointerException occurs, the accumulated value reported by some ADE rules can differ from the accumulated value shown in the time series graph.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[accumulator.accumulator] [SE client /127.0.0.1:59638] com.q1labs.frameworks.core.ThreadExceptionHandler: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Exception was uncaught in thread: SE client /127.0.0.1:59638
[accumulator.accumulator] [SE client /127.0.0.1:59638] java.lang.NullPointerException
[accumulator.accumulator] [SE client /127.0.0.1:59638]    at com.q1labs.frameworks.nio.network.protocol.Protocol.pollMessage(Protocol.java:1227)
[accumulator.accumulator] [SE client /127.0.0.1:59638]    at com.q1labs.frameworks.nio.network.Communicator.read(Communicator.java:108)
[accumulator.accumulator] [SE client /127.0.0.1:59638]    at com.q1labs.cve.sentryengine.SentryEngineCommunicator.run(SentryEngineCommunicator.java:50)
[accumulator.accumulator] [SE client /127.0.0.1:59638]    at java.lang.Thread.run(Thread.java:812)
And
[accumulator.accumulator] [SE client /127.0.0.1:33012] com.q1labs.frameworks.core.ThreadExceptionHandler: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Exception was uncaught in thread: SE client /127.0.0.1:33012
[accumulator.accumulator] [SE client /127.0.0.1:33012] java.lang.NullPointerException
[accumulator.accumulator] [SE client /127.0.0.1:33012]    at com.q1labs.frameworks.nio.network.protocol.Protocol.pollMessage(Protocol.java:1227)
[accumulator.accumulator] [SE client /127.0.0.1:33012]    at com.q1labs.frameworks.nio.network.protocol.Protocol.readFromSocket(Protocol.java:413)
[accumulator.accumulator] [SE client /127.0.0.1:33012]    at com.q1labs.frameworks.nio.network.Communicator.selectAndRead(Communicator.java:134)
[accumulator.accumulator] [SE client /127.0.0.1:33012]    at com.q1labs.frameworks.nio.network.Communicator.read(Communicator.java:110)
[accumulator.accumulator] [SE client /127.0.0.1:33012]    at com.q1labs.cve.sentryengine.SentryEngineCommunicator.run(SentryEngineCommunicator.java:50)
[accumulator.accumulator] [SE client /127.0.0.1:33012]    at java.lang.Thread.run(Thread.java:812)
And
[accumulator.accumulator] [SE client /127.0.0.1:53604] com.q1labs.frameworks.core.ThreadExceptionHandler: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Exception was uncaught in thread: SE client /127.0.0.1:53604
[accumulator.accumulator] [SE client /127.0.0.1:53604] java.lang.NullPointerException
[accumulator.accumulator] [SE client /127.0.0.1:53604]    at com.q1labs.frameworks.nio.network.protocol.Protocol.disposeBuffer(Protocol.java:1121)
[accumulator.accumulator] [SE client /127.0.0.1:53604]    at com.q1labs.frameworks.nio.network.protocol.Protocol.decodeObjectInternal(Protocol.java:291)
[accumulator.accumulator] [SE client /127.0.0.1:53604]    at com.q1labs.frameworks.nio.network.protocol.Protocol.processProtocolMessage(Protocol.java:1074)
[accumulator.accumulator] [SE client /127.0.0.1:53604]    at com.q1labs.frameworks.nio.network.protocol.Protocol.pollMessage(Protocol.java:1198)
[accumulator.accumulator] [SE client /127.0.0.1:53604]    at com.q1labs.frameworks.nio.network.protocol.Protocol.readFromSocket(Protocol.java:413)
[accumulator.accumulator] [SE client /127.0.0.1:53604]    at com.q1labs.frameworks.nio.network.Communicator.selectAndRead(Communicator.java:134)
[accumulator.accumulator] [SE client /127.0.0.1:53604]    at com.q1labs.frameworks.nio.network.Communicator.read(Communicator.java:110)
[accumulator.accumulator] [SE client /127.0.0.1:53604]    at com.q1labs.cve.sentryengine.SentryEngineCommunicator.run(SentryEngineCommunicator.java:50)
[accumulator.accumulator] [SE client /127.0.0.1:53604]    at java.lang.Thread.run(Thread.java:812)
26 November 2020
OFFENSES IJ25800 OFFENSES CAN BE CLOSED WITH NO APPROPRIATE REASON FOR CLOSE BEING SELECTED CLOSED Resolved in
QRadar 7.4.2 (7.4.2.20201113144954)

Workaround
Ensure that a proper reason is selected from the available drop-down list options before closing the offense.

Issue
The Offense Closed Reason can be blank for an offense if a previously used Reason for Close has been removed from the list and a QRadar user clicks OK without making another selection from the drop-down list.

When this occurs, the closing reason for the affected offense displays as NULL in Offense reports.
26 November 2020
WINCOLLECT IJ24355 WINCOLLECT 7.2.9 PATCH 3 INSTALLATION CAN FAIL UNEXPECTEDLY DUE TO THE MINIMUM UPGRADE VERSION CHECK CLOSED Resolved in
QRadar 7.4.2 (7.4.2.20201113144954)

Workaround
Temporarily rename the .minimum_upgrade_version hidden file that is causing the problem and rerun the WinCollect Installer. After the installation completes, rename the .minimum_upgrade_version hidden file back to the original filename.
  1. SSH to the QRadar Console.
  2. Type the following command:
     mv /etc/qradar/.minimum_upgrade_version /etc/qradar/.minimum_upgrade_version_old
  3. Run the WinCollect Installer.
  4. After the installation is complete, run the following command:
     mv /etc/qradar/.minimum_upgrade_version_old /etc/qradar/.minimum_upgrade_version

Issue
When attempting to install the SFS for WinCollect 7.2.9 P3 on QRadar 7.3.2, an error similar to the following might be observed during the installation process: "You are attempting to upgrade to 2019.14.0. The installed version only supports upgrades to 7.3.3.20191203144110".
26 November 2020
QRADAR VULNERABILITY MANAGER IJ22896 'FOUND BY SCAN PROFILE' SEARCH RETURNS NO RESULTS WHEN SCAN PROFILE NAME STARTS OR ENDS WITH SPACE (BLANK) CHARACTERS CLOSED Resolved in
QRadar 7.4.2 (7.4.2.20201113144954)

Workaround
None for existing scan profiles. Do not add leading or trailing spaces when creating a scan profile.

Issue
A "Found By Scan Profile" search returns no results when the name of the scan profile starts or ends with space (blank) characters.
26 November 2020
UPGRADE IJ26199 LACK OF ADEQUATE FREE SPACE ON /BOOT PARTITION CAN CAUSE QRADAR PATCH FAILURE DURING RPM INSTALL CLOSED Resolved in
QRadar 7.4.2 (7.4.2.20201113144954)

Workaround
Administrators can install the software version that resolves this software issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances.

Issue
Older QRadar appliance configurations allowed for smaller /boot partitions. As a result, when upgrading QRadar there can sometimes be inadequate free space available in the /boot partition, causing the upgrade to fail during rpm file installation.

This lack of adequate free space in the /boot partition is not currently identified by the pretests that QRadar runs in Test Mode before an upgrade. Messages similar to the following might be visible in the patches.log file for the QRadar installation version attempted (/var/log/setup-7.x.x.xxxxxx):
[6/9] Install & Upgrade Packages
Transaction check error:
  installing package kernel-3.XXXXXXXXXX.el7.x86_64 needs 812KB on the /boot filesystem
Error Summary
-------------
Disk Requirements:
At least 1MB more space needed on the /boot filesystem.
Please Check patches.log
[INFO](patchmode) error was during install and we can't rollback
[WARN](patchmode) =============================================
[WARN](patchmode) [6/9] Install & Upgrade Packages  PROBLEMS!
Can we roll back?? [6/9] Install & Upgrade Packages ? no
[WARN](patchmode)
26 November 2020
APPLICATION FRAMEWORK IJ23719 SI-QRADARCA CAN RETURN SUCCESSFUL STATUS EVEN WHEN A CERT IS FAILING WITH CERTIFICATE SIGNING FAILED CLOSED Resolved in
QRadar 7.4.2 (7.4.2.20201113144954)

Workaround
Administrators can install the software version that resolves this software issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances.

Issue
Running si-qradarca (/opt/qradar/ca/bin/si-qradarca) can return:
"Successfully setup server certificate for service"

This conflicts with errors displayed in /var/log/localca.log:
time="2020-01-23T15:25:16Z" level=error msg="Validating CSR /etc/docker/tls/si-docker.csr failed for host X.X.X.X with error Certificate signing failed for /opt/qradar/ca/certs/from-X.X.X.X/si-docker.csr as no hostname is found in deployment for ip address X.X.X.X"
26 November 2020
VULNERABILITY SCANNER IJ23838 CREATING A TENABLE SECURITY CENTER SCAN CAN SOMETIMES FAIL WITH 'FAILED TO LOGIN TO TENABLE SECURITY SCANNER' IN QRADAR LOGGING CLOSED Resolved in
QRadar 7.4.2 (7.4.2.20201113144954)

Workaround
No workaround available. Administrators must upgrade to resolve this software issue.

Issue
Creating a Tenable Security Center scan using correct credentials can sometimes fail. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[vis] [Scanner Manager] com.q1labs.vis.scanners.tenable.securitycenter.SecurityCenterRESTClient: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]IOException caught while executing API call; Error message [java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: IBMJSSE2, class: com.ibm.jsse2.aj)]
[vis] [Scanner Manager] com.q1labs.vis.ScannerManager: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Could not initialize scanner 'TenableSecurityCenter - Regression': Failed to initialize Tenable Security Center module; Error message [Failed to login to Tenable Security Center;]
[vis] [Scanner Manager] com.q1labs.vis.exceptions.ScannerInitException: Failed to initialize Tenable Security Center module; Error message [Failed to login to Tenable Security Center;]
[vis] [Scanner Manager]    at com.q1labs.vis.scanners.tenable.securitycenter.SecurityCenterModule.init(SecurityCenterModule.java:104)
[vis] [Scanner Manager]    at com.q1labs.vis.scanners.base.ScannerModule.init(ScannerModule.java:310)
[vis] [Scanner Manager]    at com.q1labs.vis.ScannerManager.initializeScanner(ScannerManager.java:482)
[vis] [Scanner Manager]    at com.q1labs.vis.ScannerManager.submitFailedStatusIfInitError(ScannerManager.java:298)
[vis] [Scanner Manager]    at com.q1labs.vis.ScannerManager.processScanRequest(ScannerManager.java:243)
[vis] [Scanner Manager]    at com.q1labs.vis.ScannerManager.processScanRequest(ScannerManager.java:208)
[vis] [Scanner Manager]    at com.q1labs.vis.messages.VisRequestMessageEnum$1.process(VisRequestMessageEnum.java:42)
[vis] [Scanner Manager]    at com.q1labs.vis.ScannerManager.run(ScannerManager.java:155)
[vis] [Scanner Manager]    at java.lang.Thread.run(Thread.java:818)
[vis] [Scanner Manager] Caused by:
[vis] [Scanner Manager] com.q1labs.vis.exceptions.ScannerInitException: Failed to login to Tenable Security Center;
[vis] [Scanner Manager]    at com.q1labs.vis.scanners.tenable.securitycenter.SecurityCenterModule.init(SecurityCenterModule.java:99)
[vis] [Scanner Manager]    ... 8 more
[vis] [Scanner Manager] com.q1labs.vis.ScannerManager: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Unable to initialize scanner module 61 for scan request 11.
[vis] [Scanner Manager] com.q1labs.vis.exceptions.ScannerInitException: Could not initialize scanner 'TenableSecurityCenter - Regression': Failed to initialize Tenable Security Center module; Error message [Failed to login to Tenable Security Center;]
[vis] [Scanner Manager]    at com.q1labs.vis.ScannerManager.initializeScanner(ScannerManager.java:491)
[vis] [Scanner Manager]    at com.q1labs.vis.ScannerManager.submitFailedStatusIfInitError(ScannerManager.java:298)
[vis] [Scanner Manager]    at com.q1labs.vis.ScannerManager.processScanRequest(ScannerManager.java:243)
[vis] [Scanner Manager]    at com.q1labs.vis.ScannerManager.processScanRequest(ScannerManager.java:208)
[vis] [Scanner Manager]    at com.q1labs.vis.messages.VisRequestMessageEnum$1.process(VisRequestMessageEnum.java:42)
[vis] [Scanner Manager]    at com.q1labs.vis.ScannerManager.run(ScannerManager.java:155)
[vis] [Scanner Manager]    at java.lang.Thread.run(Thread.java:818)
[vis] [Scanner Manager] Caused by:
[vis] [Scanner Manager] com.q1labs.vis.exceptions.ScannerInitException: Failed to initialize Tenable Security Center module; Error message [Failed to login to Tenable Security Center;]
[vis] [Scanner Manager]    at com.q1labs.vis.scanners.tenable.securitycenter.SecurityCenterModule.init(SecurityCenterModule.java:104)
[vis] [Scanner Manager]    at com.q1labs.vis.scanners.base.ScannerModule.init(ScannerModule.java:310)
[vis] [Scanner Manager]    at
com.q1labs.vis.ScannerManager.initializeScanner(ScannerManager.j
ava:482)
[vis] [Scanner Manager]    ... 6 more
[vis] [Scanner Manager] Caused by:
[vis] [Scanner Manager]
com.q1labs.vis.exceptions.ScannerInitException: Failed to login
to Tenable Security Center;
[vis] [Scanner Manager]    at
com.q1labs.vis.scanners.tenable.securitycenter.SecurityCenterMod
ule.init(SecurityCenterModule.java:99)
[vis] [Scanner Manager]    ... 8 more
26 November 2020
HIGH AVAILABILITY (HA) IJ21012 A HIGH AVAILABILITY FAILOVER CAN OCCUR AS MANAGED HOSTS REMOVED FROM DEPLOYMENT ARE NOT UPDATED IN THE PING TEST LIST CLOSED Resolved in
QRadar 7.4.2 (7.4.2.20201113144954)

Workaround
No workaround available. Administrators must upgrade to resolve this software issue.

Issue
It has been identified that in some instances a High Availability (HA) failover can occur because Managed Hosts that are removed from the QRadar Deployment are not also removed from the ping test list.
26 November 2020
PERFORMANCE IJ23649 SYSTEMSTABMON CAN RESULT IN LARGE NUMBERS OF STUCK 'DF' COMMANDS WHEN A HUNG NFS MOUNT OCCURS CLOSED Resolved in
QRadar 7.4.2 (7.4.2.20201113144954)
QRadar 7.4.1 (7.4.1.20200716115107)
QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613)

Workaround
Administrators can install the software version that resolves this software issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances.

Issue
It has been identified that in some instances systemStabMon can result in large numbers of stuck 'df' commands when a hung NFS mount occurs.
26 November 2020
APP HOST IJ21302 APPS CAN FAIL TO LOAD IN QRADAR DUE TO FAILED CERTIFICATE REPLICATION TO APP HOST CLOSED Resolved in
QRadar 7.4.2 (7.4.2.20201113144954)

Workaround
Administrators can install the software version that resolves this software issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances.

Issue
It has been identified that the QRadar update-remote-certs.sh script fails to list the proper IP address of an App Host when the QRadar Console is in a NATed environment and the App Host is not. When this issue is occurring, certificate generation fails to push out because the managed host IP lookup returns an empty result.
26 November 2020
DEPLOY CHANGES IJ21234 RHEL KERNEL CRASH CAN OCCUR WHEN IPTABLES RESTARTS DURING QRADAR DEPLOY FUNCTIONS WHERE NAT'D CONNECTIONS EXIST CLOSED Resolved in
QRadar 7.4.2 (7.4.2.20201113144954)
QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722)

Workaround
Administrators can install the software version that resolves this software issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances.

Issue
It has been identified that iptables restarts during QRadar Deploy functions, which can cause a RHEL kernel crash on systems that have NAT'd connections configured.
26 November 2020
CERTIFICATES IJ21198 DER ENCODED CERTIFICATE IS ACCEPTED BY QRADAR BUT THEN DOES NOT WORK AS EXPECTED CLOSED Resolved in
QRadar 7.4.2 (7.4.2.20201113144954)

Workaround
Convert the DER encoded certificate to PEM format and retry the installation of the certificate using /opt/qradar/bin/install-ssl-cert.sh.

Issue
It has been identified that the QRadar install-ssl-cert.sh script allows DER encoded certificate files to be copied to QRadar, but QRadar does not work as expected with certificates in this format.
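As an added example, not IBM's script and not part of the original page: a Python pre-check that detects whether a certificate file is DER or PEM and rewrites a DER file as PEM before it is handed to /opt/qradar/bin/install-ssl-cert.sh. The file and function names are assumptions, and the sample bytes are constructed, not a real certificate.

```python
"""Pre-check for install-ssl-cert.sh: detect a DER file and rewrite it as PEM.

Added example, not IBM's script and not part of the original page.
Assumes the input file holds one X.509 certificate; SAMPLE_DER and the
function names are illustrative choices. Only the standard library is
used: PEM is base64-armoured DER, so no crypto library is needed.
"""
import base64
import re
import sys
from pathlib import Path

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"
# Any PEM block (CERTIFICATE, TRUSTED CERTIFICATE, ...): armour lines around base64.
_PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

# Constructed sample: a minimal DER SEQUENCE { INTEGER 5 }. It is not a real
# certificate, only enough ASN.1 for format detection and the round trip.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"


def _looks_like_der(data: bytes) -> bool:
    """True if data is one complete DER SEQUENCE.

    An X.509 certificate is a SEQUENCE (tag 0x30). Checking the first byte
    alone is not enough, because an ASCII '0' is also 0x30, so the outer
    length is decoded and must cover exactly the rest of the file.
    """
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short form: length fits in one byte
        header_len, body_len = 2, first
    else:                                 # long form: 0x80 | n, then n length bytes
        n = first & 0x7F
        if n == 0 or len(data) < 2 + n:
            return False
        header_len = 2 + n
        body_len = int.from_bytes(data[2:header_len], "big")
    return header_len + body_len == len(data)


def detect_format(data: bytes) -> str:
    """Return 'pem', 'der' or 'unknown' for the raw bytes of a certificate file."""
    if _PEM_BLOCK.search(data):
        return "pem"
    if _looks_like_der(data):
        return "der"
    return "unknown"


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armour with the usual 64-character base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


def pem_to_der(pem: bytes) -> bytes:
    """Decode the first PEM block back to DER bytes (strict base64)."""
    match = _PEM_BLOCK.search(pem)
    if match is None:
        raise ValueError("no PEM block found")
    return base64.b64decode(b"".join(match.group(2).split()), validate=True)


def ensure_pem(data: bytes) -> str:
    """Return PEM text for a certificate file, converting DER when needed.

    A DER input is converted and decoded again so the text handed to
    install-ssl-cert.sh is verified to carry exactly the original bytes.
    """
    fmt = detect_format(data)
    if fmt == "pem":
        return data.decode("utf-8", errors="replace")
    if fmt == "der":
        pem = der_to_pem(data)
        if pem_to_der(pem.encode("ascii")) != data:
            raise ValueError("DER to PEM round trip did not match")
        return pem
    raise ValueError("file is neither PEM nor DER")


def main(argv: list) -> int:
    """Usage: cert_precheck.py CERT_FILE (writes CERT_FILE.pem when conversion was needed)."""
    if len(argv) != 2:
        print("usage: cert_precheck.py CERT_FILE", file=sys.stderr)
        return 2
    src = Path(argv[1])
    data = src.read_bytes()
    if detect_format(data) == "pem":
        print(f"{src}: already PEM, install it as is")
        return 0
    pem = ensure_pem(data)                # raises ValueError on unknown input
    out = src.with_suffix(src.suffix + ".pem")
    out.write_text(pem)
    print(f"{src}: DER converted to {out}; use that path with install-ssl-cert.sh")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```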
26 November 2020
APPLICATION FRAMEWORK IJ21178 QRADAR APPS CAN FAIL TO LOAD WITH 'ERROR INITIALIZING CORE: FAILED TO LOCK MEMORY: CANNOT ALLOCATE MEMORY' ERROR CLOSED Resolved in
QRadar 7.4.2 (7.4.2.20201113144954)

Workaround
No workaround available. Administrators can upgrade to the released software version that resolves this issue.

Issue
It has been identified that in some instances QRadar Apps can fail to load. Messages similar to the following might be visible when this issue is occurring after attempting to restart vault:
# systemctl restart vault-qrd
{hostname} ensure-vault-ready-for-unseal.sh[23036]: Ensuring vault
is ready to be unsealed...
{hostname} si-vault[23035]: Error initializing core: Failed to lock
memory: cannot allocate memory
{hostname} si-vault[23035]: This usually means that the mlock
syscall is not available.
{hostname} si-vault[23035]: Vault uses mlock to prevent memory from
being swapped to
{hostname} si-vault[23035]: disk. This requires root privileges as
well as a machine
{hostname} si-vault[23035]: that supports mlock. Please enable
mlock on your system or
{hostname} systemd[1]: vault-qrd.service: main process exited,
code=exited, status=1/FAILURE
{hostname} ensure-vault-ready-for-unseal.sh[23036]: % Total    %
Received % Xferd  Average Speed   Time    Time     Time  Current
{hostname} ensure-vault-ready-for-unseal.sh[23036]: Dload  Upload
Total   Spent    Left  Speed
{hostname} ensure-vault-ready-for-unseal.sh[23036]: 0     0    0
 0    0     0      0      0 --:--:-- --:--:-- --:--:--
0curl: (7) Failed to connect to {IP_ADDRESS}: Invalid argument
26 November 2020
QRADAR NETWORK INSIGHTS IJ20593 QNI LOG MESSAGES CAN DISPLAY INCORRECT STATISTICS WHEN LOW (BASIC) INSPECTION LEVEL IS SELECTED CLOSED Resolved in
QRadar 7.4.2 (7.4.2.20201113144954)

Workaround
No workaround available. Administrators can upgrade to the released software version that resolves this issue.

Issue
It has been identified that QRadar Network Inspection (QNI) can generate system log messages with incorrect statistics when Low (Basic) inspection level is selected.
26 November 2020
DISK SPACE IJ17854 /TMP CAN FILL UP WITH NUMEROUS /TMP/TMP.XXXXXXXXXX DIRECTORIES CLOSED Resolved in
QRadar 7.4.2 (7.4.2.20201113144954)

Workaround
No workaround available. Administrators can upgrade to the released software version that resolves this issue.

Issue
It has been identified that the /tmp partition can sometimes fill up with /tmp/tmp.xxxxxxxx directories due to a missing cleanup configuration within QRadar.
26 November 2020
OFFENSES IJ19855 OFFENSE WITH A LONG DESCRIPTION SPLITS AUDIT LOG INTO MULTIPLE ROWS CAUSING UNKNOWN SIM GENERIC EVENTS CLOSED Resolved in
QRadar 7.4.2 (7.4.2.20201113144954)

Workaround
No workaround available. Administrators can upgrade to the released software version that resolves this issue.

Issue
It has been identified that Offenses with a long offense description can split one audit log message into multiple rows, which causes Unknown SIM Generic events within QRadar.
26 November 2020
SERVICES IJ12278 CONSOLE APPLIANCE CAN EXPERIENCE A KERNEL PANIC CLOSED Resolved in
QRadar 7.4.2 (7.4.2.20201113144954)

Workaround
Administrators can install the software version that resolves this software issue. If you are unable to upgrade, you can contact support to diagnose any Console crash/failure to clearly identify the cause of the issue.

Support can implement a possible workaround that might address this issue in some instances.

Issue
It has been identified that a QRadar Console can experience a kernel panic and crash due to values in:
/usr/lib/systemd/system/iptables.service
26 November 2020
LICENSE IJ06169 FLOW PROCESSOR (1729) APPLIANCES ARE ASSIGNED AN INCORRECT AND EXPIRING LICENSE BY DEFAULT AFTER BEING ADDED INTO A QRADAR DEPLOYMENT CLOSED Resolved in
QRadar 7.4.2 (7.4.2.20201113144954)

Workaround
Email q1pd@us.ibm.com to receive a Flow Processor license update and apply a corrected license to the appropriate 1729 appliance in the System and License Management interface from the Admin tab.

Issue
It has been identified that a 1729 appliance added into a QRadar deployment receives an incorrect license. By default, this license expires in 33 days unless it is replaced.
26 November 2020
HIGH AVAILABILITY (HA) IJ04244 RE-ADDING A PREVIOUSLY REMOVED HIGH AVAILABILITY 15XX SECONDARY INTO AN HA PAIR CAN FAIL DURING THE GLUSTERFS CONFIGURATION CLOSED Resolved in
QRadar 7.4.2 (7.4.2.20201113144954)

Workaround
Administrators can install the software version that resolves this software issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances.

Issue
It has been identified that removing a High Availability (HA) Event Collector (15xx) Secondary appliance and then attempting to re-add it back into an HA pair can sometimes result in the glusterFS failing to be correctly configured. When this issue occurs, the HA join process fails.

Messages similar to the following might be visible in the qradar_hasync.log file when this issue occurs:
[INFO] [ha_sync_replication.py] Failed to run command 'start':
fuse directory "/store/persistent_queueha" is populated, but
"/store/persistent_queue" is not empty. Please manually migrate
data from "/store/persistent_queue to
"/store/persistent_queueha"
26 November 2020
MANAGED HOSTS IJ03437 QRADAR COMPONENTS CAN SOMETIMES BE REMOVED WHEN ADDING A NEW MANAGED HOST TO A QRADAR DEPLOYMENT CLOSED Resolved in
QRadar 7.4.2 (7.4.2.20201113144954)

Workaround
Administrators can install the software version that resolves this software issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances.

Issue
It has been identified that, during the process of adding a new Managed Host to a QRadar deployment, QRadar components can sometimes be removed from the deployment.

For example, Managed Hosts that are in the ADDING or ADD_FAILED_RETRY_CONNECTION state in the managedhost and serverhost tables can cause the qvmprocessor components to be removed during the rewrite of the deployment.xml file after the Admin tab, Actions drop-down, Deploy Full Configuration is performed.
26 November 2020
MANAGED HOSTS IJ02463 UNABLE TO ADD A MANAGED HOST TO A DEPLOYMENT IF THE APPLIANCE SERIAL NUMBER ALREADY EXISTS IN THE DEPLOYMENT CLOSED Resolved in
QRadar 7.4.2 (7.4.2.20201113144954)

Workaround
Administrators can install the software version that resolves this software issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances.

Issue
It has been identified that a Managed Host cannot be added into a QRadar Deployment if the appliance serial number already exists in the Deployment. Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs:
[tomcat.tomcat] [Thread-296]
com.ibm.si.configservices.api.v3_0.deployment.DeploymentAPI:
[ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]unable to add
managed host: The serial number is already found in the
deployment.
[tomcat.tomcat] [Thread-296]
com.q1labs.restapi_annotations.content.exceptions.endpointExcept
ions.ServerProcessingException: The serial number is already
found in the deployment.
[tomcat.tomcat] [Thread-296]    at
com.ibm.si.configservices.api.impl.DeploymentAPIImpl.addManagedH
ost(DeploymentAPIImpl.java:849)
[tomcat.tomcat] [Thread-296]    at
com.ibm.si.configservices.api.v3_0.deployment.DeploymentAPI$AddH
ostThread.run(DeploymentAPI.java:979)
[tomcat.tomcat] [Thread-296]    at
java.lang.Thread.run(Thread.java:785)
[tomcat.tomcat] [Thread-296] Caused by:
[tomcat.tomcat] [Thread-296]
com.q1labs.configservices.common.ConfigServicesException: The
serial number is already found in the deployment.
[tomcat.tomcat] [Thread-296]    at
com.q1labs.configservices.capabilities.CapabilitiesHandler.addMa
nagedHost(CapabilitiesHandler.java:1858)
[tomcat.tomcat] [Thread-296]    at
com.ibm.si.configservices.api.impl.DeploymentAPIImpl.addManagedH
ost(DeploymentAPIImpl.java:818
26 November 2020
UPGRADE IV90332 APPLYING A PATCH REVISION TO A QRADAR MANAGED HOST IN A DEPLOYMENT PRIOR TO THE CONSOLE IS ALLOWED TO OCCUR CLOSED Resolved in
QRadar 7.4.2 (7.4.2.20201113144954)

Workaround
Administrators can install the software version that resolves this software issue. If you are unable to upgrade, or experience this problem, contact support for a possible workaround that might address this issue in some instances.

Issue
QRadar's documented patching process states that the Console must be patched successfully before any attached Managed Host is patched.

The patch framework currently allows the install of a QRadar patch revision onto a QRadar Managed Host prior to the Console being patched.

When this situation occurs, the Managed Host can experience various states of instability, including required processes not starting.
26 November 2020
USER ROLES IJ23839 'USER ROLE' PAGE ON THE QRADAR USER INTERFACE CAN BEHAVE DIFFERENTLY DEPENDING ON USER ROLE SELECTED CLOSED Resolved in
QRadar 7.4.2 (7.4.2.20201113144954)

Workaround
Administrators can install the software version that resolves this software issue. If you are unable to upgrade or experience this issue, contact support for a possible workaround that might address this issue in some instances.

Issue
The QRadar User Roles Admin page can behave differently depending on the first role that is selected when opening the page.

For example:
  1. Create a user role called AAadmin with Delegated Administration.
  2. Save your changes.
  3. Close the user role interface and reopen it.
  4. Create a second user role called reporttest.
  5. Assign reporttest the Privilege - Distribute Reports via Email
    Note: Maintain Templates and Reports will be selected automatically.
  6. Save and close the screen.
  7. Update user role AAadmin to have Admin - System Administrator privilege.
  8. Save and close the screen.
  9. Navigate back into user roles screen again.
  10. Choose user reporttest.
  11. De-select Reports and all reporting options will be removed.
  12. When Distribute Reports via Email is selected, Maintain Templates and Reports is not.
26 November 2020
DATA SYNCHRONIZATION APP IJ29345 SCRIPT REQUIRED FOR A QRADAR DATA SYNCHRONIZATION APP NOTIFICATION MIGHT BE MISSING IN SOME QRADAR PATCH VERSIONS CLOSED Resolved in
QRadar 7.4.2 (7.4.2.20201113144954)

Workaround
No workaround available.

APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the Subscribe button on the right side of this page or ask a question about this APAR in our Support Forums.

Issue
It has been identified that an updated script (generate_environment.sh) for the QRadar Data Synchronization App can be missing from some QRadar patch versions.

The updated generate_environment.sh script alerts if the data sync is on the Destination Site and warns if the process is not started.
26 November 2020
REFERENCE DATA IJ28797 REFERENCE DATA API DATA 'ADDS OR UPDATES' INTO REFERENCE SETS CAN BE SLOW OR TIMEOUT CLOSED Resolved in
QRadar 7.4.2 (7.4.2.20201113144954)

Workaround
Administrators can install the software version that resolves this software issue. If you are unable to upgrade or experience this issue, contact support for a possible workaround that might address this issue in some instances.

Issue
The reference data API can be slow or time out when adding or updating data within QRadar reference sets. This behavior can be observed when using QRadar Apps that use the API for this functionality. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[tomcat.tomcat] [x.x.x.x (3730)
/console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}]
   at
org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(Nio
Endpoint.java:1623)
[tomcat.tomcat] [x.x.x.x (3730)
/console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}]
   at
org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcess
orBase.java:49)
[tomcat.tomcat] [x.x.x.x (3730)
/console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}]
   at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExec
utor.java:1160)
[tomcat.tomcat] [x.x.x.x (3730)
/console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}]
   at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExe
cutor.java:635)
[tomcat.tomcat] [x.x.x.x (3730)
/console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}]
   at
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(T
askThread.java:61)
[tomcat.tomcat] [x.x.x.x (3730)
/console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}]
   at java.lang.Thread.run(Thread.java:818)
[tomcat.tomcat] [x.x.x.x (3730)
/console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}]
Caused by:
[tomcat.tomcat] [x.x.x.x (3730)
/console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}]
com.q1labs.restapi_annotations.content.exceptions.endpointExcept
ions.ServerProcessingException: Adding/updating data to Set
{REFSET NAME} failed
[tomcat.tomcat] [x.x.x.x (3730)
/console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}]
   at
com.q1labs.core.api.v3_0.referencedata.ReferenceDataAPI_Sets.add
DataToSet(ReferenceDataAPI_Sets.java:550)
[tomcat.tomcat] [x.x.x.x (3730)
/console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}]
   at sun.reflect.GeneratedMethodAccessor1143.invoke(Unknown
Source)
[tomcat.tomcat] [x.x.x.x (3730)
/console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}]
   at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethod
AccessorImpl.java:55)
[tomcat.tomcat] [x.x.x.x (3730)
/console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}]
   at java.lang.reflect.Method.invoke(Method.java:508)
[tomcat.tomcat] [x.x.x.x (3730)
/console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}]
   at
com.q1labs.restapi.servlet.utilities.APIRequestHandler.invokeMet
hod(APIRequestHandler.java:1038)
[tomcat.tomcat] [x.x.x.x (3730)
/console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}]
   at
com.q1labs.restapi.servlet.utilities.APIRequestHandler.redirectR
equest(APIRequestHandler.java:406)
[tomcat.tomcat] [x.x.x.x (3730)
/console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}]
   ...
61 more
[tomcat.tomcat] [x.x.x.x (3730)
/console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}]
Caused by:
[tomcat.tomcat] [x.x.x.x (3730)
/console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}]
org.apache.catalina.connector.ClientAbortException:
java.io.EOFException
[tomcat.tomcat] [x.x.x.x (3730)
/console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}]
   at
org.apache.catalina.connector.InputBuffer.realReadBytes(InputBuf
fer.java:348)
[tomcat.tomcat] [x.x.x.x (3730)
/console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}]
   at
org.apache.catalina.connector.InputBuffer.checkByteBufferEof(Inp
utBuffer.java:663)
[tomcat.tomcat] [x.x.x.x (3730)
/console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}]
   at
org.apache.catalina.connector.InputBuffer.read(InputBuffer.java:
370)
[tomcat.tomcat] [x.x.x.x (3730)
/console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}]
   at
org.apache.catalina.connector.CoyoteInputStream.read(CoyoteInput
Stream.java:183)
[tomcat.tomcat] [x.x.x.x (3730)
/console/restapi/api/reference_data/sets/bulk_load/{REFSET NAME}]
26 November 2020
PROTOCOLS IJ26183 ECS-EC-INGRESS PROCESS CAN SOMETIMES GO OUT OF MEMORY WHEN LOG SOURCES ARE USING THE WINDOWS IIS PROTOCOL OPEN Workaround
Contact Support for a possible workaround that might address this issue in some instances.

Issue
In some instances, the ecs-ec-ingress process (required for event collection) can experience out-of-memory occurrences caused by Log Sources using the Windows IIS Protocol when an incorrect .jar file is referenced. Messages similar to the following, referencing a Log Source connecting to an SMB host, might be visible in /var/log/qradar.log when this issue occurs:
[ecs-ec-ingress.ecs-ec-ingress] [Folder Monitor
[x.x.x.x][smb://x.x.x.x/LogFiles/]]
com.q1labs.semsources.sources.smbtail.io.SmbFileWithRetries:
[ERROR] [NOT:0000003000][x.x.x.x/- -] [-/-
-][smb://x.x.x.x/LogFiles/W3SVC13] exists(): Failed: Access
error for file W3SVC13 status = -1073741790 (0xc0000022)
(0xC0000022)
15 July 2020
PROTOCOLS IJ26863 THE USE OF MSRPC AND IIS SIMULTANEOUSLY MIGHT CAUSE POTENTIAL DEADLOCK THREADS CLOSED Resolved in
PROTOCOL-WindowsEventRPC-7.3-20201028123850.noarch.rpm
PROTOCOL-WindowsEventRPC-7.4-20201028123859.noarch.rpm

Workaround
A weekly auto update containing the resolved RPM files is pending. If you need assistance to apply a workaround, contact QRadar Support for a possible workaround that might address this issue.

Issue
It has been observed that MSRPC and IIS Log Sources cannot be used simultaneously due to a potential thread deadlock.

Administrators might be required to disable a protocol until a Microsoft Windows Security Event Log over MSRPC protocol update can be delivered. This might be the result of a jar file.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
"RPCEventLogHandler thread" Id=3378 in BLOCKED on
lock=com.example.common.NamedRepository@abc
 owned by RPCEventLogHandler thread Id=7388
 at
com.example.client.Server.dispose(Server.java:350)
 at
com.example.client.Server.disconnect(Server.java:750)
 at
com.example.client.Server.disconnect(Server.java:702)
 at
com.example.client.Mount.doMount(Mount.java:521)
 at
com.example.client.Mount.doMount(Mount.java:483)
 at
com.example.client.Mount.doMount(Mount.java:479)
 at
com.example.client.Mount.{init}(Mount.java:280)
 at com.example.
client.rpc.SmbTransport.{init}(SmbTransport.java:29)
 at
com.example.client.rpc.Dcerpc.connect(Dcerpc.java:818)
 at
com.example.client.rpc.Dcerpc.{init}(Dcerpc.java:445)
 at
com.example.client.rpc.Winreg.{init}(Winreg.java:130)
 at com.q1
labs.semsources.sources.windowseventrpc.eventsource.common.Event
LogWinRegistry.connectRemoteRegistry(EventLogWinRegistry.java:58)
 at com.q1labs.semsources.sources.windowseventrpc.eventsource.
RPCSession.queryRemoteHostInfo(RPCSession.java:80)
 at com.q1lab
s.semsources.sources.windowseventrpc.eventsource.RPCSession.{ini
t}(RPCSession.java:53)
 at com.q1labs.semsources.sources.windows
eventrpc.eventsource.RPCEventLogHandler.connect(RPCEventLogHandl
er.java:129)
 at com.q1labs.semsources.sources.windowseventrpc.e
ventsource.RPCEventLogHandler.run(RPCEventLogHandler.java:372)
at java.lang.Thread.run(Thread.java:818)
"RPCEventLogHandler thread" Id=7388 in TIMED_WAITING on
lock=java.util.concurrent.locks.ReentrantLock$NonfairSync@bxyz
(running in native)
 owned by RPCEventLogHandler thread Id=3378
 at sun.misc.Unsafe.park(Native Method)
 at java.util.concurrent.locks.LockSupport.parkNanos(LockSupport.java)
 at java.util.concurrent.locks.AbstractQueuedSynchronizer.doAcquireNa
nos(AbstractQueuedSynchronizer.java)
 at java.util.concurren
t.locks.AbstractQueuedSynchronizer.tryAcquireNanos(AbstractQueue
dSynchronizer.java:1258)
 at java.util.concurrent.locks.Reentran
tLock.tryLock(ReentrantLock.java:453)
 at
com.example.client.Server.tryLock(Server.java:1528)
 at
com.example.client.Server.waitTryLock(Server.java:1542)
 at
com.example.client.Server.disconnect(Server.java:739)
 at
com.example.client.Server.disconnect(Server.java:714)
 at
com.example.client.Server.checkTimeouts(Server.java:665)
 at
com.example.client.Server.findOrCreate(Server.java:965)
 -
locked com.example.common.NamedRepository@a2d539c5
 at
com.example.client.Mount.doMount(Mount.java:498)
 at
com.example.client.Mount.doMount(Mount.java:483)
 at
com.example.client.Mount.doMount(Mount.java:479)
 at
com.example.client.Mount.{init}(Mount.java:280)
 at com.example.
client.rpc.SmbTransport.{init}(SmbTransport.java:29)
 at
com.example.client.rpc.Dcerpc.connect(Dcerpc.java:818)
 at
com.example.client.rpc.Dcerpc.{init}(Dcerpc.java:445)
 at
com.example.client.rpc.Lsar.{init}(Lsar.java:118)
 at com.q1labs
.semsources.sources.windowseventrpc.util.SIDCache.{init}(SIDCach
e.java:40)
 at com.q1labs.semsources.sources.windowseventrpc.eve
ntsource.RPCEventLogHandler.connect(RPCEventLogHandler.java:127)
 at com.q1labs.semsources.sources.windowseventrpc.eventsource.R
PCEventLogHandler.run(RPCEventLogHandler.java:372)
 at
java.lang.Thread.run(Thread.java:818)
13 August 2020
UPGRADE IJ29294 PATCHING A DETACHED 1599 APPLIANCE CAN COMPLETE BUT WITH AN ERROR THAT IS BENIGN OPEN Workaround
This error message is caused by /opt/qradar/bin/generate_cert_from_csr.sh attempting to access files that exist only when the appliance is part of a QRadar deployment rather than detached. The error is therefore benign and can be safely ignored.

Issue
Patching a detached 1599 appliance type to QRadar 7.4.1 FP2 can complete with an error similar to the following:
Patch Report for xxx.xxx.xxx.xxx, appliance type: 1599
hostname :  patch test succeeded.
Error running 209: /media/updates/scripts/QRADAR-2072.install
--mode mainpatch
hostname :  patch successful with errors.

Messages similar to the following might be visible in the /var/log/setup-7.4.1.xxxxxx/patches.log file when this issue occurs:
Nov 10 14:48:29 2020: Nov 10 14:48:29
2020:[DEBUG](-i-patchmode) Running script
/media/updates/scripts/QRADAR-2072
.install --mode mainpatch
Nov 10 14:48:30 2020: [QRADAR-2072] [mainpatch:Run]
/opt/qradar/bin/generate_cert_from_csr.sh
cat: /opt/qradar/conf/host.token: No such file or directory
Exception in thread "main"
java.lang.ArrayIndexOutOfBoundsException: Array index out of
range: 1
        at com.ibm.si.mks.Util.main(Util.java:352)
grep:
/store/configservices/deployed/globalconfig/deployment.xml: No
such file or directory
Nov 10 14:48:30 2020: Nov 10 14:48:30
2020:[DEBUG](-i-patchmode) Error running 209:
/media/updates/scripts/QRADAR-
2072.install --mode mainpatch; Got error code of 1.
Nov 10 14:48:30 2020: Nov 10 14:48:30
2020:[ERROR](-i-patchmode) Error running 209:
/media/updates/scripts/QRADAR-
2072.install --mode mainpatch
16 November 2020
API / RULES IJ25486 INCORRECT SYSTEM RULE NAME CAN BE RETURNED FROM AN API QUERY AFTER THE RULE HAS BEEN RENAMED AND TOMCAT HAS BEEN RESTARTED CLOSED Resolved in
QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)
QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722)

Workaround
Use the QRadar user interface to perform the required search. This issue appears to only affect API searches.

Issue
An Ariel query run via the API that uses the rulename function returns an incorrect name for system rules whose name has been changed AND where tomcat has been restarted since. For example:
  1. User modifies the name of a system rule.
  2. Via the QRadar API, execute an AQL query that returns rulename(creeventlist) as a column.
  3. The data returned shows the updated rule name.

    Results
    After a restart of the tomcat service and the above steps are repeated, the data returned from the API call shows the original name of the system rule, despite the fact that this was modified to a new name.
16 November 2020
CONTENT MANAGEMENT TOOL IJ27031 CONTENT MANAGEMENT TOOL IMPORT DEOPTIMIZES CUSTOM PROPERTIES REFERENCED IN A SEARCH FILTER TEST, REDUCING RULE PERFORMANCE CLOSED Resolved in
QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)

Workaround
No workaround available. Administrators can complete a software upgrade to QRadar 7.4.1 Fix Pack 2 to resolve this issue.

Issue
When using the Content Management Tool (CMT) to import a deoptimized property where the property already exists and is optimized, QRadar checks to see if there is anything on the system which needs it to be optimized, and if so, does not update it as it would negatively impact rule processing performance.

This check works for some rule tests, but does not work if the custom property is referenced in a search filter test or AQL test. The CMT allows the property to be deoptimized despite there being an active rule using it.

This can introduce performance issues for affected rules when this issue occurs.
16 November 2020
RULES IJ27238 OFFENSE RULE SNMP TRAP RESPONSE FOR 'TOP 5 TARGETS' ONLY DISPLAYS 1 IP ADDRESS (THE TOP TARGET) INSTEAD OF TOP 5 CLOSED Resolved in
QRadar 7.4.2 (7.4.2.20201113144954)
QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)

Workaround
No workaround available. Administrators can complete a software upgrade to QRadar 7.4.1 Fix Pack 2 to resolve this issue.

Issue
It has been identified that the SNMP trap response of an offense rule configured for 'Top 5 Targets' only displays one IP address (the top target) instead of the top 5 targets.
16 November 2020
INSTALLATION IJ27831 'FAILED TO MODIFY RX AND TX VALUE FOR ETH0' WHEN INSTALLING QRADAR ON A KVM THAT IS USING VIRTIO_NET DRIVER CLOSED Resolved in
QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)
QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722)

Workaround
  1. Using the vi command, edit the /sbin/ifup-local file.
  2. Change the value of ETHTOOL_ENABLED=1 to ETHTOOL_ENABLED=0.

Your file should match the code snippet provided in this ifup-local example:
if [[ "${DEVICE}" =~ ^bond.* ]]; then
       ETHTOOL_ENABLED=0
else
       ethtool -g "${DEVICE}" 2&>1 > /dev/null
       if [ "$?" -ne 1 ] ; then
               ETHTOOL_ENABLED=0
       else
                ETHTOOL_ENABLED=1
       fi
fi
Change to:
if [[ "${DEVICE}" =~ ^bond.* ]]; then
       ETHTOOL_ENABLED=0
else
       ethtool -g "${DEVICE}" 2&>1 > /dev/null
       if [ "$?" -ne 1 ] ; then
               ETHTOOL_ENABLED=0
       else
                ETHTOOL_ENABLED=0
       fi
fi


Issue
During the Network Information setup page of a QRadar installation, a message similar to "failed to modify rx and tx value for eth0" can sometimes be observed. This occurs when QRadar is installed on a KVM guest that uses the virtio_net driver: the install attempts to apply ring buffer settings to the interface, and the attempt fails.

Attempting to manually configure the ring buffer settings with the ifup-local command fails with a similar error message. On this type of KVM installation, the QRadar installation should not attempt to apply ring buffer settings for network interfaces.

To verify whether the virtio_net driver is in use, run the following from a command line:
ethtool -i eth0 | grep -i driver
Output similar to the following indicates that the virtio_net driver is in use:
driver: virtio_net
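As an added check (example code, not part of this page or of QRadar), the following Python wraps the same ethtool -i test and applies the bond exclusion that /sbin/ifup-local already makes, so an install or post-install script can tell whether ring buffer tuning should be attempted on an interface at all. The function names are this example's own, and the parser is exercised on constructed ethtool output rather than a live appliance.

```python
import subprocess
from typing import Optional

# Added example: decide whether ring-buffer tuning (ethtool -G) should be
# attempted on an interface, using the page's own check (`ethtool -i DEVICE`)
# plus the bond* exclusion already present in /sbin/ifup-local.


def parse_ethtool_driver(output: str) -> Optional[str]:
    """Return the driver name from `ethtool -i` output, or None if absent.

    Accepts both 'driver: virtio_net' and 'driver:virtio_net'; an error
    message such as 'Cannot get driver information: ...' yields None."""
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "driver":
            return value.strip() or None
    return None


def ring_tuning_applies(device: str, driver: Optional[str]) -> bool:
    """True when ring settings should be attempted on `device`.

    Bonded interfaces are skipped (ifup-local already does so) and, per the
    page, virtio_net guests are skipped because the change fails there.
    An unknown driver is treated as 'do not touch'."""
    if device.startswith("bond"):
        return False
    return driver not in (None, "virtio_net")


def nic_driver(device: str) -> Optional[str]:
    """Query the live system; None when ethtool is missing or reports nothing."""
    try:
        proc = subprocess.run(["ethtool", "-i", device],
                              capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return parse_ethtool_driver(proc.stdout)


if __name__ == "__main__":
    import sys
    dev = sys.argv[1] if len(sys.argv) > 1 else "eth0"
    drv = nic_driver(dev)
    print(f"{dev}: driver={drv} ring_tuning_applies={ring_tuning_applies(dev, drv)}")
    # constructed sample output, as seen on a KVM guest:
    sample = "driver: virtio_net\nversion: 1.0.0\nfirmware-version:\nbus-info: 0000:00:03.0\n"
    print("sample ->", parse_ethtool_driver(sample), ring_tuning_applies("eth0", parse_ethtool_driver(sample)))
```

Run it as root on the appliance with the interface name as the argument; a False result means the installer's ring buffer step is expected to fail on that interface and the ifup-local workaround above applies.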
16 November 2020
RULE RESPONSE IJ27086 'THIS INFORMATION SHOULD CONTRIBUTE TO THE NAME OF THE ASSOCIATED OFFENSE' RULE RESPONSE NOT WORKING AS EXPECTED CLOSED Resolved in
QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)
QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722)

Workaround
Where possible, change option 5 in the example to "This information should set or replace the name of the associated offense(s)" within the Rule Response.

Issue
When 'This information should contribute to the name of the associated offense(s)' is selected in a Rule Response for an offense generated by a rule that tests the building block 'when the event(s) have not been detected by one or more of these log sources for this many seconds', the description of the offense is not set to the event description.

For example:
  1. Create a new rule that tests this building block: "when the event(s) have not been detected by one or more of these log sources for this many seconds".
  2. In the rule response, check the "Dispatch New Event" box.
  3. Give the event a descriptive name.
  4. In the section that appears after checking this box, check "Ensure the dispatched event is part of an offense" under "Event Details".
  5. Under "Offense Naming", check "This information should contribute to the name of the associated offense(s)".
  6. Wait for the rule to be triggered and observe that the Description field of the offense generated is not set to the name of the event that was specified, but is instead "Log source 'xxxx' has stopped emitting events".
16 November 2020
ASSETS IJ24031 QRADAR ASSET CLEANUP PROCESS CAN FAIL AND GENERATE A PSQLEXCEPTION WHEN ATTEMPTING TO RUN CLOSED Resolved in
QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)

Workaround
No workaround available. Administrators can complete a software upgrade to QRadar 7.4.1 Fix Pack 2 to resolve this issue.

Issue
When the QRadar asset cleanup attempts to run, it can sometimes fail with a PSQLException written to QRadar logging. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[assetprofiler.assetprofiler] [AssetCleanupThread]
com.q1labs.assetprofile.cleanup.AssetCleanupWorker: [INFO]
[NOT:0000006000][127.0.0.1/- -] [-/- -]Following message
suppressed 633 times in 300000 milliseconds
[assetprofiler.assetprofiler] [AssetCleanupThread]
com.q1labs.assetprofile.cleanup.AssetCleanupWorker: [ERROR]
[NOT:0000003000][127.0.0.1/- -] [-/-
-]AssetCleanupWorker.run(): Unable to cleanup asset. Skipping
to next...
[assetprofiler.assetprofiler] [AssetCleanupThread]
com.q1labs.assetprofile.cleanup.AssetCleanupException:
org.postgresql.util.PSQLException: This statement has been
closed.
[assetprofiler.assetprofiler] [AssetCleanupThread]    at
com.q1labs.assetprofile.cleanup.AssetCleanupWorker.createCleanup
Updates(AssetCleanupWorker.java:614)
[assetprofiler.assetprofiler] [AssetCleanupThread]    at
com.q1labs.assetprofile.cleanup.AssetCleanupWorker.cleanupAssetC
omponents(AssetCleanupWorker.java:172)
[assetprofiler.assetprofiler] [AssetCleanupThread]    at
com.q1labs.assetprofile.cleanup.AssetCleanupWorker.cleanAsset(As
setCleanupWorker.java:405)
[assetprofiler.assetprofiler] [AssetCleanupThread]    at
com.q1labs.assetprofile.cleanup.AssetCleanupWorker.walkAssetMode
lAndClean(AssetCleanupWorker.java:260)
[assetprofiler.assetprofiler] [AssetCleanupThread]    at
com.q1labs.assetprofile.cleanup.AssetCleanupWorker.run(AssetClea
nupWorker.java:99)
[assetprofiler.assetprofiler] [AssetCleanupThread] Caused by:
[assetprofiler.assetprofiler] [AssetCleanupThread]
org.postgresql.util.PSQLException: This statement has been
closed.
[assetprofiler.assetprofiler] [AssetCleanupThread]    at
org.postgresql.jdbc2.AbstractJdbc2Statement.checkClosed(Abstract
Jdbc2Statement.java:2637)
[assetprofiler.assetprofiler] [AssetCleanupThread]    at
org.postgresql.jdbc2.AbstractJdbc2Statement.getResultSet(Abstrac
tJdbc2Statement.java:830)
[assetprofiler.assetprofiler] [AssetCleanupThread]    at
com.mchange.v2.c3p0.impl.NewProxyPreparedStatement.getResultSet(
NewProxyPreparedStatement.java:1408)
[assetprofiler.assetprofiler] [AssetCleanupThread]    at
org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.getResul
tSet(DelegatingPreparedStatement.java:202)
[assetprofiler.assetprofiler] [AssetCleanupThread]    at
org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.getResul
tSet(DelegatingPreparedStatement.java:200)
[assetprofiler.assetprofiler] [AssetCleanupThread]    at
org.apache.openjpa.jdbc.sql.PostgresDictionary$PostgresPreparedS
tatement.executeQuery(PostgresDictionary.java:1026)
[assetprofiler.assetprofiler] [AssetCleanupThread]    at
org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeQ
uery(DelegatingPreparedStatement.java:265)
[assetprofiler.assetprofiler] [AssetCleanupThread]    at
org.apache.openjpa.jdbc.kernel.JDBCStoreManager$CancelPreparedSt
atement.executeQuery(JDBCStoreManager.java:1774)
[assetprofiler.assetprofiler] [AssetCleanupThread]    at
org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeQ
uery(DelegatingPreparedStatement.java:265)
[assetprofiler.assetprofiler] [AssetCleanupThread]    at
org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeQ
uery(DelegatingPreparedStatement.java:255)
[assetprofiler.assetprofiler] [AssetCleanupThread]    at
com.q1labs.assetprofile.cleanup.AssetCleanupWorker.createCleanup
Updates(AssetCleanupWorker.java:568)
[assetprofiler.assetprofiler] [AssetCleanupThread]    ... 4 more
16 November 2020
REPORTS IJ25351 ATTACHMENTS IN REPORT MAIL CAN BE CORRUPTED AFTER A QRADAR PATCH HAS BEEN APPLIED CLOSED Resolved in
QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)
QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722)

Workaround
Use a short report name. For example, in the Japanese locale, a report name of fewer than 10 characters avoided the issue. The issue can also occur with other languages that use multibyte UTF-8 characters.

Issue
Mail attachments from QRadar Reports can be corrupted after the SMTP jar files have been upgraded by a QRadar patch (7.3.3 Fix Pack 2 or later).

For example, the attachment filename is split into filename*0= and filename*1= parameters.
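The filename*0= / filename*1= split is RFC 2231 parameter continuation: a mail library that emits it cuts a long attachment parameter into numbered segments, and a mail client that does not implement continuations shows the pieces instead of the name. This is why the length of the report name matters, and why multibyte locales hit it sooner: each UTF-8 byte becomes a three-character %XX escape, so one Japanese character costs nine characters of header. The following Python is an added example, not QRadar code and not the library the page refers to. It uses a constructed Japanese report name, an assumed segment limit of 40 characters chosen to force a split, and the charset-tagged form (trailing asterisk, filename*0*=) for the non-ASCII name; it then shows that an RFC 2231-aware parser (Python's email package) reassembles the original name.

```python
import email
from email.utils import encode_rfc2231
from typing import List

# Added example: RFC 2231 parameter continuations, the mechanism behind the
# "filename*0=" / "filename*1=" split in the report mail headers.


def rfc2231_segments(name: str, value: str, max_len: int = 40) -> List[str]:
    """Encode `value` as an RFC 2231 extended parameter named `name`.

    The value is percent-encoded as UTF-8 ("utf-8''%E9%80%B1...") and, when
    longer than `max_len`, cut into numbered continuation segments
    (name*0*=, name*1*=, ...).  Cuts never fall inside a %XX escape.
    A value that fits in one piece comes back as a single name*= parameter.
    max_len is an assumed limit chosen for the demonstration."""
    encoded = encode_rfc2231(value, "utf-8")
    tokens, i = [], 0
    while i < len(encoded):                      # keep each %XX escape whole
        width = 3 if encoded[i] == "%" else 1
        tokens.append(encoded[i:i + width])
        i += width
    chunks, current = [], ""
    for tok in tokens:
        if current and len(current) + len(tok) > max_len:
            chunks.append(current)
            current = ""
        current += tok
    chunks.append(current)
    if len(chunks) == 1:
        return [f"{name}*={chunks[0]}"]
    return [f"{name}*{n}*={chunk}" for n, chunk in enumerate(chunks)]


def content_disposition(filename: str, max_len: int = 40) -> str:
    """Folded Content-Disposition value for an attachment, one parameter per line."""
    return "attachment;\n " + ";\n ".join(rfc2231_segments("filename", filename, max_len))


def parse_filename(header_value: str) -> str:
    """Reassemble the filename as an RFC 2231-aware client does.

    Python's email package implements the continuation rules; a client that
    does not shows the raw filename*0*= / filename*1*= pieces instead."""
    msg = email.message_from_string(f"Content-Disposition: {header_value}\n\nbody\n")
    return msg.get_filename()


if __name__ == "__main__":
    # constructed sample: a Japanese-locale report name (10 multibyte characters)
    name = "週次セキュリティ報告.pdf"
    print(content_disposition(name))              # three filename*N*= segments
    print(parse_filename(content_disposition(name)))
    print(content_disposition("report.pdf"))      # short ASCII name: no split
```

The short ASCII name stays in one parameter, which is the workaround above expressed in header terms; the long multibyte name needs three segments even though it is only 14 characters long.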
16 November 2020
QRADAR NETWORK INSIGHTS IJ22720 QRADAR NETWORK INSIGHTS (QNI) PERFORMANCE DEGRADATION CAUSED BY YAHOO MAIL INSPECTOR COMPONENT CLOSED Resolved in
QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)
QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722)

Workaround
If experiencing QNI performance degradation, contact Support for assistance with a system thread dump examination to determine if this issue is the cause.

Issue
When the Yahoo Mail inspector component (libymailinsp.so) is in use, QNI decapper processes can work as expected and then begin to drop packets, leading to flows stopping.

QNI cannot process flow traffic as expected while the decapper service is in this thread-bound condition.
16 November 2020
OFFENSE MANAGER IJ24634 QRADAR VERSIONS 7.3.2 OR LATER DO NOT INCLUDE THE "REPLY-TO:" FIELD WITHIN GENERATED NOTIFICATION EMAILS CLOSED Resolved in
QRadar 7.4.2 (7.4.2.20201113144954)
QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722)

Workaround
No workaround available. Administrators can complete a software upgrade to QRadar 7.4.1 Fix Pack 2 to resolve this issue.

Issue
Notification emails no longer include the "Reply-To:" header. QRadar versions before 7.3.2 are not affected. Example headers from a pre-7.3.2 QRadar:
From: "QRADAR@localhost.localdomain" <QRADAR@localhost.localdomain>
Reply-To: "root@localhost" <root@localhost.test.com>
To: "root@localhost" <root@localhost.test.com>
Subject: Offense #1
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
16 November 2020
ROUTING RULES IJ27022 LARGE AMOUNTS OF REVERSE DNS LOOKUPS CAN BE GENERATED WHEN OFFLINE ROUTING RULES ARE CONFIGURED IN QRADAR CLOSED Resolved in
QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)
QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722)

Workaround
No workaround available. Administrators can complete a software upgrade to QRadar 7.4.1 Fix Pack 2 or 7.3.3 Fix Pack 6 to resolve this issue.

Issue
When offline routing rules are configured in QRadar (Admin > System Configuration > Routing Rules), a large number of reverse DNS lookups can be generated. In some customer environments this adds significant load on the DNS servers.

The issue only occurs when forwarding "normalized" data, not raw payloads.
16 November 2020
FLOWS IJ28601 DEFAULT NETFLOW FLOW SOURCE DOES NOT WORK ON NEWLY ADDED FLOW PROC AND GENERATES 'NO FLOW SOURCE DEFINED' ERROR IN LOGGING CLOSED Resolved in
QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)

Workaround
Removing and re-adding the flow processor appliance in the QRadar Deployment corrects this issue. For more information, see steps 3 and 5 of the documentation.

Issue
The default NetFlow flow source does not work as expected on a newly added Flow Processor. During the initial add process, FLOWSOURCE_LIST in nva.qflow.qflow*.conf is not populated, so qflow does not start collecting and no flows are received. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[hostcontext.hostcontext] [Thread-1803]
com.q1labs.hostcontext.processmonitor.ProcessManager: [INFO]
[NOT:0000006000][172.18.142.131/- -] [-/- -]Starting process
qflow.qflow102
[QRADAR] [23524] qflow: [INFO] Reading in application
signatures from file: /opt/qradar/conf/signatures.xml
[QRADAR] [23524] qflow: [INFO] Application Signatures
successfully read in from file: /opt/qradar/conf/signatures.xml
[QRADAR] [23524] qflow: [INFO] Application mapper loading
/opt/qradar/conf/user_application_mapping.conf
[QRADAR] [23524] qflow: [INFO] Flow Buffer Size = 100000
[QRADAR] [23524] qflow: [INFO] Connecting to
172.18.142.131:32010
[QRADAR] [23524] qflow: [INFO] Initializing qflow: 23524
[QRADAR] [23524] qflow: [INFO] Packet Source Multi threading:
disabled
[QRADAR] [23524] qflow: [INFO] The Flow Governor flow limit is
set to: 176508 based on DEPLOYMENT_FLOW_LIMIT: 1500000,
HARDWARE_FLOW_LIMIT: 176508 and QF_GOVERNOR (user flow limit): 0
[QRADAR] [23524] qflow: [INFO] Flow De-Duplication: enabled
[QRADAR] [23524] qflow: [INFO] TLVFlowFields: parse and
processing of /opt/qradar/conf/flowFieldsDataType-conf.xml
completed successfully
[QRADAR] [23524] qflow: [INFO] Initializing Flow Aggregator
[QRADAR] [23524] qflow: [INFO] The host.token file is encrypted
on disk, decrypting for use.
[QRADAR] [23524] qflow: [INFO] Initializing Packet Aggregator
[QRADAR] [23524] qflow: [INFO] Flow debug log level set to 0
[QRADAR] [23524] qflow: [ERROR] No flow sources defined -
sleeping until signal
16 November 2020
LOG SOURCES IJ29030 LOG SOURCES DELETED FROM WITHIN LOG SOURCE GROUPS CAN STILL APPEAR IN THE QRADAR USER INTERFACE OPEN Workaround
Contact Support for a possible workaround that might address this issue in some instances.

Issue
When a Log Source that is assigned to a Log Source Group is deleted, that Log Source can sometimes continue to be displayed in the group. For example:
  1. Under Admin > Log Source Groups, have a Log Source Group (Test LSG).
  2. Create a Log Source (Test1) using the Log Source Management app and assign it to Test LSG.
  3. Create a Log Source (Test2) using the QRadar legacy User Interface and assign it to Test LSG.
  4. Deploy Changes.
  5. Delete the Log Sources (Test1 and Test2) from the Log Source Management app.
  6. Open Log Source Groups and check Test LSG. Result: Test1 and Test2 are still displayed in the group.
03 November 2020
MANAGED HOST IJ29041 REMAP (COMPONENT ID) OPTION CAN FAIL TO BE DISPLAYED DURING ADD HOST FUNCTION OPEN Workaround
Contact Support for a possible workaround that might address this issue in some instances.

Issue
When adding a Managed Host to a QRadar deployment, if the deployment model contains a connection whose target or source ID is invalid (no component with that ID exists in deployment.xml), the remap host dialog is not displayed in the User Interface.

When this issue occurs, the component IDs on the Managed Host being added cannot be remapped. The Managed Host add function completes, but an error stating 'unable to add managed host' is written to /var/log/qradar.error, similar to the following:
[tomcat.tomcat] [Thread-140205]
com.ibm.si.configservices.api.v3_0.deployment.DeploymentAPI:
[ERROR] [NOT:0000003000][x.x.x.x/- -] [-/- -] unable to add
managed host: Unable to marshal deployment to staging while
adding conection: Connection source contains an invalid
component id 102
03 November 2020
JDBC PROTOCOL IJ29049 LOG SOURCES CONFIGURED TO USE JDBC CAN FAIL TO COLLECT LOGS AFTER AN ECS-EC-INGRESS SERVICE RESTART HAS OCCURRED OPEN Workaround
Contact Support for a possible workaround that might address this issue in some instances.

Issue
JDBC Log Sources can fail to collect events after an ecs-ec-ingress service restart has occurred. In these instances, the Log Sources continue to display "Success" state with a last status update of days or weeks prior to the ecs-ec-ingress restart date.
03 November 2020
CUSTOM EVENT PROPERTIES IJ29043 LARGE AMOUNT OF COLON " : " SYMBOLS GENERATED DURING JSON PARSING FOR WINDOWS EVENT LOG IN CUSTOM EVENT PROPERTIES OPEN Workaround
No workaround available.

APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR to get updates by clicking on the Subscribe button on the right side of this page or ask a question about this APAR in our Support Forums: https://ibm.biz/qradarforums

Issue
When the JSON parser in Custom Event Properties is used to parse Windows Event Logs, a large number of colon ( : ) symbols are generated and incorrect parser results are output. For example:
  1. Click the Admin tab, then open Custom Event Properties.
  2. Click Add in the title bar.
  3. Paste a test payload into the Test field.
  4. In the Property Expression Definition section, select Extraction using JSON keypath.
  5. In the JSON keypath field, enter /"event_data"
  6. In the Test field, a large number of colon ( : ) symbols are generated and highlighted, and not all event_data elements are parsed.
  7. Update the JSON keypath field to /"event_data"/"CommandLine"
  8. The CommandLine value cannot be obtained.
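As an added reference (example code, not QRadar's parser), the following Python implements the quoted-key keypath form shown above, /"event_data"/"CommandLine", over a constructed Windows process-creation (Event ID 4688) style payload, so the value each keypath should yield can be compared with what the Custom Event Properties test field displays. Only the /"key"/"subkey" syntax seen on this page is supported, and anything else is rejected; SAMPLE_EVENT and its field values are constructed for the example.

```python
import json
import re
from typing import Any, List, Optional

# Added example: evaluator for the /"key"/"subkey" JSON keypath form on this page.

# one quoted key per path step; backslash escapes inside the quotes are honoured
_STEP = re.compile(r'/"((?:[^"\\]|\\.)*)"')

# constructed Windows 4688-style event as a log source might forward it
SAMPLE_EVENT = json.dumps({
    "event_id": 4688,
    "computer_name": "WS01.corp.example",
    "event_data": {
        "SubjectUserName": "alice",
        "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "CommandLine": "powershell.exe -NoProfile -File C:\\Temp\\inventory.ps1",
        "ParentProcessName": "C:\\Windows\\System32\\cmd.exe",
    },
})


def parse_keypath(path: str) -> List[str]:
    """Split /"event_data"/"CommandLine" into ["event_data", "CommandLine"].

    Raises ValueError for any syntax other than a sequence of quoted steps."""
    keys, pos = [], 0
    while pos < len(path):
        m = _STEP.match(path, pos)
        if not m:
            raise ValueError(f"unsupported keypath syntax at offset {pos}: {path[pos:]!r}")
        keys.append(m.group(1).replace('\\"', '"').replace("\\\\", "\\"))
        pos = m.end()
    if not keys:
        raise ValueError("empty keypath")
    return keys


def extract(payload: str, path: str) -> Optional[str]:
    """Return the value addressed by `path` in the JSON `payload`.

    None when any key is missing.  Strings come back as-is; numbers, booleans,
    objects and arrays are re-serialised as compact JSON, which is the text a
    property test would match against."""
    node: Any = json.loads(payload)
    for key in parse_keypath(path):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node if isinstance(node, str) else json.dumps(node, separators=(",", ":"))


if __name__ == "__main__":
    for keypath in ('/"event_data"', '/"event_data"/"CommandLine"', '/"event_data"/"Missing"'):
        print(keypath, "->", extract(SAMPLE_EVENT, keypath))
```

The first keypath should return the whole event_data object as JSON text and the second the command line alone; a run of colons or an empty result for either indicates the parsing fault described in this APAR rather than a malformed payload.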
03 November 2020
SECURITY PROFILES IJ29042 USERS CREATED USING LDAP USER ATTRIBUTES CAN HAVE NO ADMIN ROLE SECURITY PROFILES FOR ADMIN ROLES OPEN Workaround
Configure the LDAP server so that users who have an Admin role are also given the Admin Security Profile.

Issue
Users created through LDAP User Attributes can be assigned a non-Admin security profile together with an Admin role.

When accounts are configured through the User Interface, a user with an Admin role must have the Admin Security Profile. For example:
  1. Have two Admin roles and two security profiles.
  2. Have an LDAP server and configure LDAP User Attributes so that the User Role Attribute returns Admin.
  3. Have the Security Profile Attribute return a security profile that is not Admin.
  4. Log in; a user is created with a User Role of Admin but a Security Profile that is not Admin.

    Result
    When attempting to edit that user in the QRadar User Interface, only Admin can be selected as the security profile, and a new user created with an Admin role can only be given the Admin Security Profile.
03 November 2020
SECURITY BULLETIN CVE-2019-13232 UNZIP AS USED BY IBM QRADAR SIEM IS VULNERABLE TO DENIAL OF SERVICE CLOSED Resolved in
QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)
QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613)

Affected versions
  • IBM QRadar SIEM 7.4.0 to 7.4.1 GA
  • IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 4

Issue
Info-ZIP UnZip is vulnerable to a denial of service, caused by mishandling the overlapping of files inside a ZIP container. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to cause resource consumption. CVSS Base score: 3.3
13 October 2020
SECURITY BULLETIN CVE-2018-1313 APACHE DERBY AS USED BY IBM QRADAR SIEM IS VULNERABLE TO IMPROPER INPUT VALIDATION CLOSED Resolved in
QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)
QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613)

Affected versions
  • IBM QRadar SIEM 7.4.0 to 7.4.1 GA
  • IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 4

Issue
Apache Derby could allow a remote attacker to bypass security restrictions, caused by improper validation of network packets received. By sending a specially-crafted network packet, an attacker could exploit this vulnerability to boot a database whose location and contents are under the user's control. CVSS Base score: 7.5
13 October 2020
RULES IJ28494 QRADAR USERS WITHOUT "VIEW CUSTOM RULES" AND "MAINTAIN CUSTOM RULES" ACCESS CAN STILL SEE FULL LIST OF CUSTOM RULES UNDER LOG ACTIVITY OPEN Workaround
No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release, and administrators can subscribe to the APAR to get updates or ask a question about this APAR in our Support Forum.

Issue
QRadar users can see custom rules in Log Activity searches even when they have not been granted 'View Custom Rules' and 'Maintain Custom Rules'.

To recreate this issue:
  1. Log in to QRadar as an administrator.
  2. Click the Admin tab.
  3. Click User Roles.
  4. Create a new user role without the View Custom Rules and Maintain Custom Rules permission.
  5. Click the Users icon.
  6. Assign the user role to the new user.
  7. Log in to QRadar as the new user.
  8. Click the Log Activity tab.
  9. Click Search > New Search.
  10. Click Search parameters > Parameter Custom rule [Indexed].

    Results
    Both the Rule Group and the Rules are visible to the user, who should not have access to them.
05 October 2020
RULES IJ28759 RULE RESPONSE EMAILS CONTAINING CUSTOM EVENT PROPERTIES DISPLAY THOSE PROPERTIES AS "N/A" IN THE RULE RESPONSE CLOSED Resolved in
QRadar 7.4.2 (7.4.2.20201113144954)
QRadar 7.4.1 Fix Pack 1 Interim Fix 1 (7.4.1.20201018191117)

Workaround
No workaround available. APARs identified with no workaround typically require a software update to resolve. Administrators with QRadar 7.4.1 Fix Pack 1 can install the associated interim fix as recommended by QRadar Support. The Interim Fix 1 can only install on QRadar 7.4.1 Fix Pack 1.

Issue
Rule responses that use email templates containing Custom Event Properties do not populate the properties correctly in the response.

When this issue occurs, those properties display as "N/A" in the response.
26 November 2020
SERVICES / ADD HOST IJ25854 "SOFTWARE INSTALL" QRADAR EVENT COLLECTOR OR DATANODE CAN FAIL TO START REQUIRED SERVICES AFTER ADDED TO DEPLOYMENT OPEN Workaround
Perform a full replication on the affected Managed Host from a command line prompt:
  1. Log in to the QRadar Console as the root user.
  2. Open an SSH session to the Event Collector or Data Node appliance.
  3. Type the following command to force a full replication:
    /opt/qradar/bin/replication.pl -full

    Results
    Wait for the replication to complete. If you experience errors when this command is run or want assistance verifying this issue, contact QRadar Support.

Issue
Required services on a "software install" Event Collector or DataNode fail to start after they are added to the QRadar deployment.
27 June 2020
OFFENSES IJ25797 NULLPOINTEREXCEPTION WRITTEN TO QRADAR LOGGING WHEN VIEWING EVENTS ASSOCIATED TO AN OFFENSE OPEN Workaround
No workaround available, this issue requires a software release to resolve.

Issue
A NullPointerException is written to QRadar logging when attempting to view events associated with an offense. To replicate this issue:
  1. Log in to QRadar.
  2. Click the Offenses tab.
  3. Select All Offenses.
  4. Double click on an offense to view the offense details.
  5. From the Last 10 offenses section, click the Events button.

    Results
    A NullPointerException error is written to the QRadar logs.

Messages similar to the following might then be visible in /var/log/qradar.log:
[tomcat.tomcat] [ArielQueryManager]
com.q1labs.ariel.ui.bean.EventSearchDelegate: [ERROR] [127.0.0.1/- -] 
[-/- -]Error processingoffenseId parameter for offense EQ 1
[tomcat.tomcat] [ArielQueryManager]
java.lang.NullPointerException
[tomcat.tomcat] [ArielQueryManager]    at
com.q1labs.ariel.ui.bean.IUIArielSearchDelegate$OffenseProcessor
.addOffenseSearchCriteria(IUIArielSearchDelegate.java:106)
[tomcat.tomcat] [ArielQueryManager]    at
com.q1labs.ariel.ui.bean.EventSearchDelegate.prepareQuery(EventS
earchDelegate.java:265)
[tomcat.tomcat] [ArielQueryManager]    at
com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSearchForm.
java:965)
[tomcat.tomcat] [ArielQueryManager]    at
com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSearchForm.
java:790)
[tomcat.tomcat] [ArielQueryManager]    at
com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSearchForm.
java:746)
[tomcat.tomcat] [ArielQueryManager]    at
com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSearchForm.
java:740)
[tomcat.tomcat] [ArielQueryManager]    at
com.q1labs.ariel.ui.bean.QueryHandleSerializer.deserialize(Query
HandleSerializer.java:191)
[tomcat.tomcat] [ArielQueryManager]    at
com.q1labs.ariel.ui.bean.QueryHandleSerializer.deserialize(Query
HandleSerializer.java:34)
[tomcat.tomcat] [ArielQueryManager]    at
com.google.gson.internal.bind.TreeTypeAdapter.read(TreeTypeAdapter.java:69)
[tomcat.tomcat] [ArielQueryManager]    at
com.google.gson.Gson.fromJson(Gson.java:887)
[tomcat.tomcat] [ArielQueryManager]    at
com.google.gson.Gson.fromJson(Gson.java:852)
[tomcat.tomcat] [ArielQueryManager]    at
com.google.gson.Gson.fromJson(Gson.java:801)
[tomcat.tomcat] [ArielQueryManager]    at
com.q1labs.ariel.ui.bean.EventSearchDelegate.deserialize(EventSe
archDelegate.java:433)
[tomcat.tomcat] [ArielQueryManager]    at
com.q1labs.core.dao.ariel.ArielQueryHandle.getQueryHandle(ArielQ
ueryHandle.java:158)
[tomcat.tomcat] [ArielQueryManager]    at
com.q1labs.ariel.ui.ArielQueryManager.run(ArielQueryManager.java:594)
27 June 2020
SECURITY BULLETIN CVE-2020-13934
CVE-2019-17566
CVE-2019-4378
CVE-2020-1945
CVE-2020-0543
CVE-2020-0548
CVE-2020-0549
CVE-2010-4710
CVE-2020-5408
CVE-2019-13990
CVE-2020-13935
CVE-2019-10241
CVE-2019-10247
CVE-2020-11022
CVE-2020-11023
CVE-2018-15494
CVE-2020-5398
180875
IBM QRADAR SIEM IS VULNERABLE TO USING COMPONENTS WITH KNOWN VULNERABILITIES CLOSED Resolved in
QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)
QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613)

Affected versions
  • IBM QRadar SIEM 7.4.0 to 7.4.1 GA
  • IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 4
Issue
The product includes vulnerable components (e.g., framework libraries) that may be identified and exploited with automated tools.
07 October 2020
SECURITY BULLETIN CVE-2020-4280 IBM QRADAR SIEM IS VULNERABLE TO DESERIALIZATION OF UNTRUSTED DATA CLOSED Resolved in
QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)
QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613)

Affected versions
  • IBM QRadar SIEM 7.4.0 to 7.4.1 GA
  • IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 4
Issue
IBM QRadar could allow a remote attacker to execute arbitrary commands on the system, caused by insecure deserialization of user-supplied content by the Java deserialization function. By sending a malicious serialized Java object, an attacker could exploit this vulnerability to execute arbitrary commands on the system. CVSS Base Score: 6.3
07 October 2020
SECURITY BULLETIN CVE-2018-12545
CVE-2017-9735
CVE-2017-7658
CVE-2017-7656
CVE-2017-7657
CVE-2019-10241
CVE-2019-10247
CVE-2018-12536
CVE-2019-0222
CVE-2020-1941
CVE-2018-8006
CVE-2018-11775
CVE-2017-15709
CVE-2015-7559
CVE-2019-12423
CVE-2019-17573
CVE-2019-12419
CVE-2020-1954
CVE-2019-12406
IBM QRADAR SIEM IS VULNERABLE TO USING COMPONENTS WITH KNOWN VULNERABILITIES CLOSED Resolved in
QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)
QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613)

Affected versions
  • IBM QRadar SIEM 7.4.0 to 7.4.1 GA
  • IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 4
Issue
The product includes vulnerable components (e.g., framework libraries) that may be identified and exploited with automated tools.
07 October 2020
SECURITY BULLETIN CVE-2019-4545 IBM QRADAR SIEM IS VULNERABLE TO KDC SPOOFING CLOSED Resolved in
QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)
QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613)

Affected versions
  • IBM QRadar SIEM 7.4.0 to 7.4.1 GA
  • IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 4
Issue
IBM QRadar SIEM when configured to use Active Directory Authentication may be susceptible to spoofing attacks. CVSS Base Score: 7.5
07 October 2020
SECURITY BULLETIN CVE-2018-8009
CVE-2018-15494
CVE-2020-9489
CVE-2020-11023
CVE-2020-11022
IBM QRADAR INCIDENT FORENSICS IS VULNERABLE TO USING COMPONENT WITH KNOWN VULNERABILITIES CLOSED Resolved in
QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)
QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613)

Affected versions
  • IBM QRadar Incident Forensics 7.4.0 to 7.4.1 GA
  • IBM QRadar Incident Forensics 7.3.0 to 7.3.3 Patch 4
Issue
The product includes vulnerable components (e.g., framework libraries) that may be identified and exploited with automated tools.
07 October 2020
DATA OBFUSCATION IJ26220 DATA DEOBFUSCATION KEYS CAN FAIL TO WORK AS EXPECTED IN SOME QRADAR DOMAIN ENVIRONMENTS CLOSED Resolved in
QRadar 7.4.1 (7.4.1.20200716115107)
QRadar 7.4.0 Fix Pack 4 (7.3.3.20200629201233)
QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613)

Workaround
No workaround available.

Issue
Data deobfuscation fails when using the correct deobfuscation key for events that are tagged to an Event Collector domain where the Event Collector is connected to an Event Processor. The data deobfuscation keys created can sometimes fail with a message similar to "Deobfuscation fail". Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[tomcat.tomcat] [admin@127.0.0.1 (2367)
/console/do/obfuscation/obfuscationdecryption]
com.q1labs.obfuscation.ui.action.ObfuscationDecryptionAction:
[ERROR] [NOT:0000003000][127.0.0.1/- -] [-/-
-]qradar.obfuscation.ui.obfuscationdecryption.error.CORRESPONDIN
G_DECRYPTION_KEY_FOUND_IN_SESSION_BUT_DECRYPTION_FAIL,
javax.crypto.BadPaddingException: decryption fail.
javax.crypto.BadPaddingException: Given final block not
properly padded
17 July 2020
SEARCH IJ25350 SAVED SEARCHES CAN GENERATE AN APPLICATION ERROR WHEN A CUSTOM EVENT PROPERTY USES A RESERVED AQL KEY NAME CLOSED Resolved in
QRadar 7.4.2 (7.4.2.20201113144954)
QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)
QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613)

Workaround
Delete the Custom Event Property as disabling the property does not resolve the search errors.

Issue
When a custom event property is named with a reserved AQL name, such as 'searchName', the user interface can display an Application Error when a saved search is run.

Note: This issue can be reproduced with the following steps, but doing so is not recommended, as creating the custom property as described can prevent searches from running, as shown in the error logs.
  1. Log in to the Console as an administrator.
  2. Click the Admin tab.
  3. Click the Custom Event Properties icon.
  4. Click Add.
  5. In the New Property field, type searchName
  6. Click the Log Activity tab.
  7. From the Quick Search menu, select any saved search.

    Results
    Expected result: Load saved search successfully.
    Actual result: "Application Error" is displayed.
Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[tomcat.tomcat] [admin@127.0.0.1(8847)
/console/do/ariel/arielSearch] Caused by:
[tomcat.tomcat] [admin@127.0.0.1(8847)
/console/do/ariel/arielSearch] java.lang.RuntimeException:
Error processing criteria searchName
[tomcat.tomcat] [admin@127.0.0.1(8847)
/console/do/ariel/arielSearch]    at
com.q1labs.cve.utils.CriteriaBuilder.getCriteria(CriteriaBuilder
.java:1517)
[tomcat.tomcat] [admin@127.0.0.1(8847)
/console/do/ariel/arielSearch]    at
com.q1labs.cve.utils.CriteriaBuilder.getQueryParams(CriteriaBuil
der.java:386)
[tomcat.tomcat] [admin@127.0.0.1(8847)
/console/do/ariel/arielSearch]    at
com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSearchForm.java:927)
[tomcat.tomcat] [admin@127.0.0.1(8847) /console/do/ariel/arielSearch]    ... 81 more
[tomcat.tomcat] [admin@127.0.0.1(8847) /console/do/ariel/arielSearch] Caused by:
[tomcat.tomcat] [admin@127.0.0.1(8847) /console/do/ariel/arielSearch] java.lang.IllegalArgumentException: Operation Event is not valid. Should be one of [EQ, LT, LE, GT, GE, NEQ]
[tomcat.tomcat] [admin@127.0.0.1(8847) /console/do/ariel/arielSearch]    at com.q1labs.cve.utils.CriteriaBuilder.updateCriteria_Expression(CriteriaBuilder.java:1047)
[tomcat.tomcat] [admin@127.0.0.1(8847) /console/do/ariel/arielSearch]    at com.q1labs.cve.utils.CriteriaBuilder.updateCriteria(CriteriaBuilder.java:1316)
[tomcat.tomcat] [admin@127.0.0.1(8847) /console/do/ariel/arielSearch]    at com.q1labs.cve.utils.CriteriaBuilder.getCriteria(CriteriaBuilder.java:1424)
[tomcat.tomcat] [admin@127.0.0.1(8847) /console/do/ariel/arielSearch]    ... 83 more
[tomcat.tomcat] [admin@127.0.0.1(8847) /console/do/ariel/arielSearch] org.apache.jsp.qradar.jsp.ArielSearch_jsp: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Could not forward to exception page, possibly an included JSP?
[tomcat.tomcat] [admin@127.0.0.1(8964) /console/JSON-RPC/QRadar.getGlobalViewDetails QRadar.getGlobalViewDetails] com.q1labs.core.ui.servlet.RemoteJavaScript: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]An exception occurred while executing the remote method 'getGlobalViewDetails'
[tomcat.tomcat] [admin@127.0.0.1(8964) /console/JSON-RPC/QRadar.getGlobalViewDetails QRadar.getGlobalViewDetails] java.lang.RuntimeException: java.lang.RuntimeException: Error processing criteria searchName
[tomcat.tomcat] [admin@127.0.0.1(8964) /console/JSON-RPC/QRadar.getGlobalViewDetails QRadar.getGlobalViewDetails]    at com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSearchForm.java:1007)
[tomcat.tomcat] [admin@127.0.0.1(8964) /console/JSON-RPC/QRadar.getGlobalViewDetails QRadar.getGlobalViewDetails]    at com.q1labs.ariel.ui.bean.ArielSearchForm.toQueryParams(ArielSearchForm.java:790)
[tomcat.tomcat] [admin@127.0.0.1(8964) /console/JSON-RPC/QRadar.getGlobalViewDetails QRadar.getGlobalViewDetails]    at com.q1labs.ariel.ui.UIArielServices.getGlobalViewID(UIArielServices.java:12530)
[tomcat.tomcat] [admin@127.0.0.1(8964) /console/JSON-RPC/QRadar.getGlobalViewDetails QRadar.getGlobalViewDetails]    at com.q1labs.ariel.ui.UIArielServices.getGlobalViewDetails(UIArielServices.java:12253)
[tomcat.tomcat] [admin@127.0.0.1(8964) /console/JSON-RPC/QRadar.getGlobalViewDetails QRadar.getGlobalViewDetails]    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[tomcat.tomcat] [admin@127.0.0.1(8964) /console/JSON-RPC/QRadar.getGlobalViewDetails QRadar.getGlobalViewDetails]    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)
[tomcat.tomcat] [admin@127.0.0.1(8964) /console/JSON-RPC/QRadar.getGlobalViewDetails QRadar.getGlobalViewDetails]    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
12 June 2020
UPGRADE IJ22566 QRADAR PATCHING CAN FAIL AND ROLLBACK ON BLANK TABLES IN A QVM FUSION DATABASE CLOSED Resolved in
QRadar 7.4.2 (7.4.2.20201113144954)
QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)
QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613)

Workaround
If you are unable to upgrade, contact Support for a possible workaround that might address this issue in some instances.

Issue
The QRadar patching process can fail and roll back when there are unexpected blank tables within the QRadar Vulnerability Manager (QVM) fusion database. Messages similar to the following might be visible during the patch process and also within the most recent /var/log/setup-7.3.3.xxxxxxxxx/patches.log file:
Dec 2 11:57:21 2019: Dec 2 11:57:21 2019:[DEBUG] ip={host_ipaddress}
Dec 2 11:57:21 2019: Dec 2 11:57:21 2019:[DEBUG] starting
Dec 2 11:57:21 2019: Dec 2 11:57:21 2019:[DEBUG] Found 0 patch report files.
Dec 2 11:57:21 2019: Dec 2 11:57:21 2019:[DEBUG]
Patch Report for 172.16.77.26, appliance type: 1202
{hostname}: patch test succeeded.
1 SQL script errors were detected; Error applying script [3/3] '/media/updates/opt/qvm/db/sql/functions/all_functions.sql' for Test_fusionvm database.; details:
WARNING: SET TRANSACTION can only be used in transaction blocks
ERROR: insert or update on table "toolsuitecomponents" violates foreign key constraint "fk_toolsuitecomponents_toolsuite_l7protocolcodes"
DETAIL: Key (l7protocolcode)=(18) is not present in table "toolsuite_l7protocolcodes".
CONTEXT: SQL statement "INSERT INTO ToolSuiteComponents VALUES (10001,5,'netbios - ports','/bin/netbios/netbios_ports.pl','1.0',TRUE,TRUE,18,'','',1,5,10000,2,10,2)"
PL/pgSQL function enable_netbios_ports() line 4 at SQL statement
{hostname} : patch rolled back.
Dec 2 11:57:21 2019: Dec 2 11:57:21 2019:[DEBUG] pr=
Patch Report for , appliance type: 1202
{hostname} : patch test succeeded.
1 SQL script errors were detected; Error applying script [3/3] '/media/updates/opt/qvm/db/sql/functions/all_functions.sql' for Test_fusionvm database.; details:
WARNING: SET TRANSACTION can only be used in transaction blocks
ERROR: insert or update on table "toolsuitecomponents" violates foreign key constraint "fk_toolsuitecomponents_toolsuite_l7protocolcodes"
DETAIL: Key (l7protocolcode)=(18) is not present in table "toolsuite_l7protocolcodes".
CONTEXT: SQL statement "INSERT INTO ToolSuiteComponents VALUES (10001,5,'netbios - ports','/bin/netbios/netbios_ports.pl','1.0',TRUE,TRUE,18,'','',1,5,10000,2,10,2)"
PL/pgSQL function enable_netbios_ports() line 4 at SQL statement
{hostname} : patch rolled back.
Dec 2 11:57:21 2019: Dec 2 11:57:21 2019:[DEBUG] non console; interactive end.
Dec 2 11:57:21 2019: Dec 2 11:57:21 2019:[DEBUG] complete
Dec 2 11:57:21 2019: Dec 2 11:57:21 2019:[DEBUG] finishing up and restarting services.
Mon Dec 2 11:57:21 AST 2019: ./patchInstaller.pl -patchfile /storetmp/2019140_QRadar_patchupdate-2019.14.0.20191031163225.sfs -p ./superpatches.manifest.xml completed with result 1
05 February 2020
SECURITY BULLETIN CVE-2019-0201 APACHE ZOOKEEPER AS USED BY IBM QRADAR SIEM IS VULNERABLE TO INFORMATION DISCLOSURE CLOSED Resolved in
QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)

Affected versions
  • IBM QRadar SIEM 7.4.1 General Availability (GA)
  • IBM QRadar Risk Manager 7.4.1 General Availability (GA)
  • IBM QRadar Vulnerability Manager 7.4.1 General Availability (GA)
  • IBM QRadar Incident Forensics 7.4.1 General Availability (GA)
  • IBM QRadar Network Insights 7.4.1 General Availability (GA)

Issue
Apache ZooKeeper could allow a remote attacker to obtain sensitive information, caused by the failure to check permissions by the getACL() command. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to obtain sensitive information. CVSS Base score: 7.5
21 September 2020
OFFENSES IJ27346 OFFENSE API CALLS CAN CAUSE A HOSTCONTEXT TXSENTRY TO OCCUR AS NO LIMIT IS APPLIED TO THE NUMBER OF FIELDS TO BE RETURNED CLOSED Resolved in
QRadar 7.4.2 (7.4.2.20201113144954)
QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)

Workaround
Administrators can install QRadar 7.4.1 Fix Pack 1 to resolve this issue. If you are unable to upgrade, you can contact Support for a possible workaround that might address this issue in some instances. This issue was reported by users with QRadar 7.4.1 (GA) General Availability installed.

Issue
The hostcontext process can experience a TxSentry (process is killed when taking too long to complete) that is caused by the Offense API not having limits set on the number of fields that it can return.

This behavior can be observed during the usage of some QRadar apps that use Offense API calls (for example, the Incident Overview app). Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[hostcontext.hostcontext] [baa9069a-d7b2-48bf-ab9b-32962f1f8055/SequentialEventDispatcher] com.q1labs.hostcontext.tx.TxSentry: [WARN] [NOT:0000004000][X.X.X.X/- -] [-/- -] Lock acquired on host X.X.X.X: rel=offense_device_link_pkey age=638 granted=t mode=AccessShareLock query='SELECT DISTINCT (CASE WHEN offense_properties.user'
[hostcontext.hostcontext] [baa9069a-d7b2-48bf-ab9b-32962f1f8055/SequentialEventDispatcher] com.q1labs.hostcontext.tx.TxSentry: [WARN] [NOT:0000004000][X.X.X.X/- -] [-/- -] Lock acquired on host X.X.X.X: rel=sensordevicetype age=638 granted=t mode=AccessShareLock query='SELECT DISTINCT (CASE WHEN offense_properties.user'
[hostcontext.hostcontext] [baa9069a-d7b2-48bf-ab9b-32962f1f8055/SequentialEventDispatcher] com.q1labs.hostcontext.tx.TxSentry: [WARN] [NOT:0000004000][X.X.X.X/- -] [-/- -] Lock acquired on host X.X.X.X: rel=sensordevice_eccomponentid_idx age=638 granted=t mode=AccessShareLock query='SELECT DISTINCT (CASE WHEN offense_properties.user'
31 August 2020
HIGH AVAILABILITY (HA) IJ18179 LOG COLLECTION ON A HIGH AVAILABILITY SECONDARY CAN FAIL TO OCCUR AFTER INITIAL FAILOVER DUE TO MISSING JAR FILES CLOSED Resolved in
QRadar 7.4.2 (7.4.2.20201113144954)
QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)
QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613)

Workaround
  1. Click the Admin tab.
  2. From the Advanced menu, select Deploy Full Configuration.
  3. Wait for the full deploy to complete.
  4. Select Advanced, and click Restart Event Collection Services.
Issue
It has been identified that some required jar files are not copied to opt/ibm/si/services/ecs-ec-ingress/eventgnosis/lib/q1labs on a High Availability (HA) secondary appliance until a Deploy Full Configuration is performed after the HA secondary becomes active.
18 October 2019
HISTORICAL CORRELATION IJ26306 EVENT/FLOW WINDOW IS BLANK FOR HISTORICAL CORRELATION OFFENSES AND VIEWING 'LAST 10 EVENTS/FLOWS' GENERATES ERROR CLOSED Resolved in
QRadar 7.4.2 (7.4.2.20201113144954)
QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)

Workaround
Administrators can install QRadar 7.4.1 Fix Pack 1 to resolve issues where the Offenses tab can display errors for related event and flow information. This issue was reported by users at QRadar 7.4.0 Fix Pack 2 and later.

Issue
While attempting to view Events or Flows associated with a Historical Correlation Offense, the Event/Flow List window displays a blank page.

When attempting to view the "Last 10 Events/Flows" for a Historical Correlation Offense, a message similar to the following is generated:
An error occurred while fetching the Events for this offense
or
An Error occurred while fetching the Flows for this offense
Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
tomcat[44128]: Caused by:
tomcat[44128]: java.lang.NoSuchMethodError: com/ibm/si/core/offensemapper/OffenseMapperFactory.getOffenseMapperType(ILjava/lang/String;Ljava/lang/String;)Lcom/ibm/si/core/offensemapper/OffenseMapperType; (loaded from file:/opt/qradar/webapps/console/WEB-INF/lib/q1labs_core.jar by PluginClassLoader
tomcat[44128]: context: console
tomcat[44128]: delegate: false
tomcat[44128]: ---------- Parent Classloader:
tomcat[44128]: java.net.URLClassLoader@17b2c16d
tomcat[44128]: ) called from class com.ibm.si.hc.HistoricalCorrelationProcessor (loaded from file:/opt/qradar/webapps/console/WEB-INF/lib/q1labs_hc.jar by PluginClassLoader
tomcat[44128]: context: console
tomcat[44128]: delegate: false
tomcat[44128]: ---------- Parent Classloader:
tomcat[44128]: java.net.URLClassLoader@17b2c16d
tomcat[44128]: ).
tomcat[44128]: at com.ibm.si.hc.HistoricalCorrelationProcessor.transformQueryParams(HistoricalCorrelationProcessor.java:2538)
17 July 2020
REPORTS IJ26071 CSV REPORTS CAN FAIL TO GENERATE WHEN THERE IS NO ACCUMULATED DATA CLOSED Resolved in
QRadar 7.4.2 (7.4.2.20201113144954)
QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)
QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613)

Workaround
Use the .pdf report output for reports. The PDF option allows the report to be created and no error to be generated in the QRadar logs. Administrators who require CSV reports can install QRadar 7.4.1 Fix Pack 1. This issue was reported by users at QRadar 7.3.2 Patch 6.

Issue
When a report is configured for .csv output and that report has no accumulated data, the report fails to generate and an error is logged to QRadar logging.

Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[report_runner] [main] com.q1labs.reporting.ReportRunner: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Error initializing ReportRunner
[report_runner] [main] java.lang.Throwable: java.lang.RuntimeException: REPORT [MONTHLY#^#e028752#$#c64ac148-b504-4918-9fe3-76a4fba6c7f6#^#1583161424583]: Failed to run using template [e028752#$#c64ac148-b504-4918-9fe3-76a4fba6c7f6.xml]
[report_runner] [main]    at com.q1labs.reporting.ReportRunner.main(ReportRunner.java:300)
[report_runner] [main] Caused by:
[report_runner] [main] java.lang.RuntimeException: REPORT [MONTHLY#^#e028752#$#c64ac148-b504-4918-9fe3-76a4fba6c7f6#^#1583161424583]: Failed to run using template [e028752#$#c64ac148-b504-4918-9fe3-76a4fba6c7f6.xml]
[report_runner] [main]    at com.q1labs.reporting.Report.process(Report.java:623)
[report_runner] [main]    at com.q1labs.reporting.ReportRunner.main(ReportRunner.java:246)
[report_runner] [main] Caused by:
[report_runner] [main] java.lang.RuntimeException: REPORTING CSV builder: More than on table header found. This is invalid for single table report
[report_runner] [main]    at com.q1labs.reporting.csv.ReportCSVBuilder.buildColumnRecord(ReportCSVBuilder.java:100)
[report_runner] [main]    at com.q1labs.reporting.csv.ReportCSVBuilder.buildCsvFile(ReportCSVBuilder.java:177)
[report_runner] [main]    at com.q1labs.reporting.Report.process(Report.java:520)
[report_runner] [main]    ... 1 more
14 July 2020
SYSTEM NOTIFICATIONS IJ22900 NOTIFICATION TABLE CONTAINS DUPLICATE ROWS FOR THE SAME EVENT CAUSING DISCREPANCY IN NOTIFICATION DATA DISPLAYED CLOSED Resolved in
QRadar 7.4.2 (7.4.2.20201113144954)
QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)
QRadar 7.4.1 (7.4.1.20200716115107)
QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613)

Workaround
Administrators can install QRadar 7.4.1 Fix Pack 1 to resolve this issue.

Issue
When opening the Notification “An invalid protocol source configuration may be stopping event collection.”, the number of events displayed does not match the number of notifications.

For example, the Notification displays (6 events), but when clicking on “view all” there are only 3 events.
09 October 2020
QRADAR VULNERABILITY MANAGER / EXPORT IJ25880 AN EXCEPTION IS THROWN WHEN ATTEMPTING AN EXPORT FROM THE SCAN RESULTS VULNERABILITIES LIST CLOSED Resolved in
QRadar 7.4.2 (7.4.2.20201113144954)
QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)

Workaround
Administrators can install QRadar 7.4.1 Fix Pack 1 to resolve issues when exporting scan results from the Vulnerabilities tab. This issue was reported by users at QRadar Vulnerability Manager 7.4.0 (GA) General Availability and later.

Issue
An Export error pop-up exception is generated when attempting to export the list of vulnerabilities from the Scan Results user interface. For example:
  1. Log in to the QRadar user interface.
  2. Click the Vulnerabilities tab.
  3. Select Scan Results and highlight the vulnerabilities to export.
  4. Select one of the following options:
    • Actions > Export to CSV
    • Actions > Export to XML

    Results
    The error exception popup is generated in the user interface:
    There was a problem completing your export. Please try again later.

    Optionally, administrators can review the logs to determine whether a NoSuchMethodException was generated:
    java.lang.NoSuchMethodException: com.sun.proxy.$Proxy182.getVulnerabilities(java.lang.String, java.lang.String, int, int, java.lang.String, java.lang.String, int, int, java.lang.String)
      at java.lang.Class.newNoSuchMethodException(Class.java:562)
      at java.lang.Class.throwExceptionOrReturnNull(Class.java:1195)
      at java.lang.Class.getMethodHelper(Class.java:1259)
      at java.lang.Class.getMethod(Class.java:1187)
      at com.q1labs.core.ui.coreservices.export.ExportJobProcessor.exportVulnerabilityTabJDBCSearchFusionVMQuery(ExportJobProcessor.java:703)
      at com.q1labs.core.ui.coreservices.export.ExportJobProcessor.run(ExportJobProcessor.java:196)
27 June 2020
LOG ACTIVITY IJ26129 EVENTS COPIED FROM ONE QRADAR DEPLOYMENT TO ANOTHER CANNOT BE OPENED IF THE COMPONENT ID DOES NOT EXIST IN THE NEW ONE CLOSED Resolved in
QRadar 7.4.2 (7.4.2.20201113144954)
QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)
QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613)

Workaround
Administrators can install QRadar 7.4.1 Fix Pack 1 to resolve issues when copying event data between appliances. This issue was reported by users at QRadar 7.4.0 Fix Pack 1 and later.

Issue
When events are copied from one QRadar deployment to another and the component id associated to those events does not exist within the data on the new QRadar deployment, those events cannot be opened.

An "Application Error" is generated in the QRadar user interface when a user attempts to open one of these affected events.

Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs:
{timestamp}18:14:55.738727 ::ffff:127.0.0.1 [tomcat.tomcat] [user@host (8302) /console/do/ariel/arielDetails] com.q1labs.uiframeworks.action.ExceptionHandler: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]An exception occurred while processing the request:
{timestamp}18:14:55.739787 ::ffff:127.0.0.1 [tomcat.tomcat] [user@host (8302) /console/do/ariel/arielDetails] java.lang.NullPointerException
{timestamp}18:14:55.739968 ::ffff:127.0.0.1 [tomcat.tomcat] [user@host (8302) /console/do/ariel/arielDetails]    at com.q1labs.events.ui.bean.EventForm.copyFromDAO(EventForm.java:919)
{timestamp}18:14:55.739968 ::ffff:127.0.0.1 [tomcat.tomcat] [user@host (8302) /console/do/ariel/arielDetails]    at com.q1labs.ariel.ui.UIArielServices.getRecordBean(UIArielServices.java:5873)
{timestamp}18:14:55.739968 ::ffff:127.0.0.1 [tomcat.tomcat] [user@host (8302) /console/do/ariel/arielDetails]    at com.q1labs.ariel.ui.action.ArielDetails.viewDetails(ArielDetails.java:36)
{timestamp}18:14:55.739968 ::ffff:127.0.0.1 [tomcat.tomcat] [user@host (8302) /console/do/ariel/arielDetails]    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
{timestamp}18:14:55.739968 ::ffff:127.0.0.1 [tomcat.tomcat] [user@host (8302) /console/do/ariel/arielDetails]    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)
{timestamp}18:14:55.740992 ::ffff:127.0.0.1 [tomcat.tomcat] [user@host (8302) /console/do/ariel/arielDetails]    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
{timestamp}18:14:55.740992 ::ffff:127.0.0.1 [tomcat.tomcat] [user@host (8302) /console/do/ariel/arielDetails]    at java.lang.reflect.Method.invoke(Method.java:508)
15 July 2020
QRADAR NETWORK INSIGHTS / UPGRADE IJ22448 PATCH OF A QNI APPLIANCE CAN FAIL WHEN THE NAPATECH SERVICE FAILS TO START CLOSED Resolved in
QRadar 7.4.2 (7.4.2.20201113144954)
QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)
QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613)

Workaround
Administrators can install QRadar 7.4.1 Fix Pack 1 to resolve Napatech service issues related to software upgrades. This issue might be experienced by users at QRadar Network Insights 7.3.2 (GA) General Availability or later.

Issue
QRadar patching fails on a QNI appliance that has a failed Napatech card, or on which the required napatech3 service cannot be started.
09 October 2020
QFLOW IJ25317 QFLOW MEMORY USAGE CAN CONTINUALLY GROW AS ADDITIONAL UNIQUE TEMPLATES ARE USED CLOSED Resolved in
QRadar 7.4.2 (7.4.2.20201113144954)
QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)

Workaround
Administrators can install QRadar 7.4.1 Fix Pack 1 to resolve this issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances. This issue might be experienced by users with memory issues related to QFlow with QRadar 7.3.2 Fix Pack 7 or later installed.

Issue
The QRadar qflow process currently does not flush any of its templates from memory when they have been inactive for a period of time.

As more unique templates are used by the qflow process (for example, QNI or third-party exporter restarts cause a "new" template to be stored in QFlow memory), the memory used by qflow continually grows.
12 June 2020
LICENSING IJ23772 AVERAGE EPS REPORTED FOR A MANAGED HOST CAN REPORT ZERO (0) DUE TO NULL VALUES LISTED IN A GLOBAL VIEW (GV) CLOSED Resolved in
QRadar 7.4.2 (7.4.2.20201113144954)
QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)

Workaround
Administrators can install QRadar 7.4.1 Fix Pack 1 to resolve this issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances. This issue might be experienced by users with memory issues related to QFlow with QRadar 7.3.2 Fix Pack 7 or later installed.

Issue
The Average EPS in the table License_pool_allocation for some Managed Hosts is not updated due to a NullPointerException that occurs in a Global View (GV).

When this occurs, the Average EPS for affected Managed Hosts can display as zero (0) EPS.
19 September 2020
REPORTS IJ10609 "NO DATA FOR CHART" IN TIMESERIES REPORT WHEN 'TIME' VARIABLE IS THE HORIZONTAL AXIS CLOSED Resolved in
QRadar 7.4.2 (7.4.2.20201113144954)
QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)
QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613)

Workaround
No workaround available.

Issue
It has been identified that timeseries reports with the Time variable configured for the X-Axis display "No data for Chart". For example, to replicate this issue:
  1. Click the Reports tab and create a weekly report.
  2. In the Chart Type, select Events/Logs.
  3. In the Container Details, select a pre-configured aggregated search (timeseries).
  4. Under Additional Details, select:
    • Graph Type: Bar
    • Limit Events/Logs to Top: 5
    • Horizontal (X) Axis: Time
    • Vertical (Y) Axis: Count
    • Timeline Interval: 1 day
  5. Save the report.
  6. Verify the data is being accumulated for the search.

    Results
    When the report runs as scheduled, it is generated with the "No Data for Chart" in the container message. The report is successfully generated when the user specifies any other variable in the Horizontal (X) axis instead of the "Time" variable.
09 October 2020
TELNET FLOW INSPECTOR IJ18004 QRADAR NETWORK INSIGHTS (QNI) TELNET INSPECTOR CAN INCORRECTLY CLASSIFY SOME LDAP FLOW TRAFFIC AS TELNET TRAFFIC CLOSED Resolved in
QRadar 7.4.2 (7.4.2.20201113144954)
QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)
QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613)

Workaround
Administrators can install QRadar 7.4.1 Fix Pack 1 to resolve this issue. If you are unable to upgrade, you can contact Support for a possible workaround that might address this issue in some instances. This issue was reported by users with QRadar 7.4.1 (GA) General Availability installed.

Issue
It has been identified that in some instances, the QRadar Network Insights (QNI) Telnet Inspector can incorrectly classify LDAP flow traffic as Telnet traffic. When this occurs, false positives can sometimes occur within rule functionality.
09 October 2020
DEPLOY CHANGES IJ25798 DEPLOY FUNCTION CAN FAIL DUE TO AN INCONSISTENT INDEX FROM THE CONSOLE VS MANAGED HOSTS CLOSED Resolved in
QRadar 7.4.2 (7.4.2.20201113144954)
QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)

Workaround
Administrators can install QRadar 7.4.1 Fix Pack 1 to resolve this issue. If you are unable to upgrade, you can contact Support for a possible workaround that might address this issue in some instances. This issue was reported by users with QRadar 7.4.1 (GA) General Availability installed.

Issue
A QRadar deploy function can fail when there is inconsistency in an index (reference_data_element_data1) from what is on the Console vs what is on a Managed Host.

Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs:
[hostcontext.hostcontext] [Thread-68701] ComponentOutput: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream replication: psql:/store/replication/tx0000000000000302764.sql:220939: ERROR:  index row size 2928 exceeds maximum 2712 for index "reference_data_element_data1"
[hostcontext.hostcontext] [Thread-68701] ComponentOutput: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream replication: HINT:  Values larger than 1/3 of a buffer page cannot be indexed.
[hostcontext.hostcontext] [Thread-68701] ComponentOutput: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream replication: Consider a function index of an MD5 hash of the value, or use full text indexing.
[hostcontext.hostcontext] [Thread-68701] ComponentOutput: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream replication: CONTEXT:  SQL statement "INSERT INTO public.reference_data_element SELECT * FROM rep.public_reference_data_element"
[hostcontext.hostcontext] [Thread-68701] ComponentOutput: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream replication: PL/pgSQL function replicate_restore_dump(text,text) line 24 at EXECUTE
{hostname}-primary replication[197954]: Could not apply /store/replication/tx0000000000000302764.sql.
27 June 2020
LICENSE IJ13317 LICENSE POOL MANAGEMENT CAN DISPLAY "N/A" FOR THE EPS RATE FOR SOME HOSTS WITH A NULL POINTER EXCEPTION IN THE LOGS CLOSED Resolved in
QRadar 7.4.2 (7.4.2.20201113144954)
QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)

Workaround
Administrators can install QRadar 7.4.1 Fix Pack 1 to resolve issues where the System and License Management user interface displays N/A.

Issue
It has been identified that in some instances the EPS rate for a host can display as "N/A" in the License Pool Management window. This has most often been observed with High Availability hosts. Messages similar to the following might be visible in /var/log/qradar.log when this issue is occurring.

Note: The GV number can vary in the log instances. For example, GV_{Number}_HOURLY:
{hostname}[hostcontext.hostcontext] [e42ecea2-e414-426d-b3c6-e397734e6a70/SequentialEventDispatcher] com.q1labs.hostcontext.licensing.LicenseMonitor: [INFO] [NOT:0000006000][Con.sol.eIP.20/- -] [-/- -]Following message suppressed 1 times in 300000 milliseconds
{hostname}[hostcontext.hostcontext] [e42ecea2-e414-426d-b3c6-e397734e6a70/SequentialEventDispatcher] com.q1labs.hostcontext.licensing.LicenseMonitor: [ERROR] [NOT:0000003000][Con.sol.eIP.20/- -] [-/- -]Cannot retrieve data for GV_{Number}_HOURLY
{hostname}[hostcontext.hostcontext] [e42ecea2-e414-426d-b3c6-e397734e6a70/SequentialEventDispatcher] java.lang.NullPointerException
{hostname}[hostcontext.hostcontext] [e42ecea2-e414-426d-b3c6-e397734e6a70/SequentialEventDispatcher]    at com.q1labs.hostcontext.licensing.Statistics.getIP(Statistics.java:243)
{hostname}[hostcontext.hostcontext] [e42ecea2-e414-426d-b3c6-e397734e6a70/SequentialEventDispatcher]    at com.q1labs.hostcontext.licensing.Statistics.updateEPSorFPS(Statistics.java:186)
{hostname}[hostcontext.hostcontext] [e42ecea2-e414-426d-b3c6-e397734e6a70/SequentialEventDispatcher]    at com.q1labs.hostcontext.licensing.Statistics.getEpsFps(Statistics.java:127)
{hostname}[hostcontext.hostcontext] [e42ecea2-e414-426d-b3c6-e397734e6a70/SequentialEventDispatcher]    at com.q1labs.hostcontext.licensing.Statistics.update(Statistics.java:49)
{hostname}[hostcontext.hostcontext] [e42ecea2-e414-426d-b3c6-e397734e6a70/SequentialEventDispatcher]    at com.q1labs.hostcontext.licensing.LicenseMonitor.timeExpired(LicenseMonitor.java:239)
{hostname}[hostcontext.hostcontext] [e42ecea2-e414-426d-b3c6-e397734e6a70/SequentialEventDispatcher]    at com.q1labs.frameworks.events.timer.TimerEventGenerator$TimerEventInfo.dispatchEvent(TimerEventGenerator.java:234)
{hostname}[hostcontext.hostcontext] [e42ecea2-e414-426d-b3c6-e397734e6a70/SequentialEventDispatcher]    at com.q1labs.frameworks.events.SequentialEventDispatcher$DispatchThread.run(SequentialEventDispatcher.java:129)
06 February 2019
DEPLOY CHANGES IJ15527 DEPLOY FUNCTION CAN TIMEOUT WHEN A REQUIRED PROCESS IS UNABLE TO CONNECT TO QRADAR APPS CLOSED Resolved in
QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)
QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002)
QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249)

Workaround
No workaround available.

Issue
It has been identified that when QRadar Apps do not respond to a required process during a Deploy function, the Deploy can timeout. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
[hostcontext.hostcontext] [b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] com.q1labs.hostcontext.configuration.ConfigSetUpdater: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Failed to execute db app sync post deploy action
[hostcontext.hostcontext] [b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] com.q1labs.configservices.process.ProcessException: Unable to execute platform app sync.
[hostcontext.hostcontext] [b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] at com.q1labs.hostcontext.action.DBAppSyncPostDeployAction.executeAction(DBAppSyncPostDeployAction.java)
[hostcontext.hostcontext] [b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] at com.q1labs.hostcontext.configuration.ConfigSetUpdater.postDownloadAndApply(ConfigSetUpdater.java)
[hostcontext.hostcontext] [b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] at com.q1labs.hostcontext.configuration.ConfigSetUpdater.downloadAndApplyConfiguration(ConfigSetUpdater.java)
[hostcontext.hostcontext] [b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] at com.q1labs.hostcontext.configuration.ConfigSetUpdater.startDownloadAndApplyConfiguration(ConfigSetUpdater.java)
[hostcontext.hostcontext] [b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] at com.q1labs.hostcontext.configuration.ConfigChangeObserver.updateConfiguration(ConfigChangeObserver.java)
[hostcontext.hostcontext] [b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] at com.q1labs.hostcontext.configuration.ConfigChangeObserver.update(ConfigChangeObserver.java)
[hostcontext.hostcontext] [b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] at com.q1labs.hostcontext.observer.Subject.updateNotify(Subject.java)
[hostcontext.hostcontext] [b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] at com.q1labs.hostcontext.observer.JMSMessageSubject.messageReceived(JMSMessageSubject.java)
[hostcontext.hostcontext] [b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] at com.q1labs.frameworks.events.jms.JMSMessageEvent.dispatchEvent(JMSMessageEvent.java)
[hostcontext.hostcontext] [b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] at com.q1labs.frameworks.events.SequentialEventDispatcher$DispatchThread.run(SequentialEventDispatcher.java)
[hostcontext.hostcontext] [b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] Caused by:
[hostcontext.hostcontext] [b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] com.ibm.si.application.conman.sync.ApplicationSyncException: An error occurred while attempting to sync apps on host [e7979a607d5e320f8c98.localdeployment]
[hostcontext.hostcontext] [b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] at com.ibm.si.application.conman.sync.DBConmanSyncService.syncAppsOnHost(DBConmanSyncService.java)
[hostcontext.hostcontext] [b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] at com.ibm.si.application.conman.sync.DBConmanSyncService.performManagedHostAppSync(DBConmanSyncService.java)
[hostcontext.hostcontext] [b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] at com.ibm.si.application.conman.sync.DBConmanSyncService.performSync(DBConmanSyncService.java)
[hostcontext.hostcontext] [b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] at com.q1labs.hostcontext.action.DBAppSyncPostDeployAction.executeAction(DBAppSyncPostDeployAction.java)
[hostcontext.hostcontext] [b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher]    ... 9 more
[hostcontext.hostcontext] [b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] Caused by:
[hostcontext.hostcontext] [b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] com.ibm.si.application.platform.exception.ApplicationPlatformServiceException: 20 attempts across 10 minutes failed to connect to these apps: 1004:[Reference Data Import - LDAP]
16 May 2019
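As an added triage helper (not code from the QRadar product or from IBM Support), the following Python script encodes the log signatures quoted above for IJ27346 (TxSentry lock warnings), IJ13317 (LicenseMonitor "Cannot retrieve data for GV_..._HOURLY"), IJ25798 (replication index row size error) and IJ15527 (ApplicationPlatformServiceException during deploy) as regular expressions, and groups matching lines from qradar.log or qradar.error by APAR number so a log bundle can be checked for these known issues before a case is opened. The sample log lines are constructed to mimic the excerpts on this page; the dispatcher UUIDs, IP addresses and GV number in them are placeholders, and the patterns match only the fields shown in those excerpts.

```python
"""Map known QRadar log signatures from this APAR list to their APAR numbers.

Added triage helper, not QRadar code or IBM-supplied tooling. The regexes
encode only the log excerpts quoted on this page; the sample lines below are
constructed to mimic those excerpts and were not captured from a live system.
"""
import re
from collections import defaultdict

# Signature patterns taken from the log excerpts quoted in the APAR entries.
SIGNATURES = {
    # IJ27346: hostcontext TxSentry lock warnings raised by unbounded Offense API queries.
    "IJ27346": re.compile(
        r"com\.q1labs\.hostcontext\.tx\.TxSentry: \[WARN\].*Lock acquired on host "
        r"\S+: rel=(?P<rel>\S+) age=(?P<age>\d+).*"
        r"query='SELECT DISTINCT \(CASE WHEN offense_properties"
    ),
    # IJ13317: LicenseMonitor cannot read a Global View, EPS shows as N/A.
    "IJ13317": re.compile(
        r"com\.q1labs\.hostcontext\.licensing\.LicenseMonitor: \[ERROR\].*"
        r"Cannot retrieve data for (?P<gv>GV_\d+_HOURLY)"
    ),
    # IJ25798: replication of reference_data_element fails on an oversized index row.
    "IJ25798": re.compile(
        r"ErrorStream replication:.*index row size (?P<size>\d+) exceeds maximum "
        r'(?P<max>\d+) for index "(?P<index>[^"]+)"'
    ),
    # IJ15527: deploy times out because apps did not answer the app sync.
    "IJ15527": re.compile(
        r"ApplicationPlatformServiceException: (?P<attempts>\d+) attempts across "
        r"(?P<minutes>\d+) minutes failed to connect to these apps: (?P<apps>.+)$"
    ),
}

# Constructed sample lines (placeholder UUIDs, IPs and GV number), one per signature
# plus one unrelated line to show that non-matching records are ignored.
SAMPLE_LOG = [
    "[hostcontext.hostcontext] [baa9069a-d7b2-48bf-ab9b-32962f1f8055/SequentialEventDispatcher] "
    "com.q1labs.hostcontext.tx.TxSentry: [WARN] [NOT:0000004000][10.0.0.5/- -] [-/- -] "
    "Lock acquired on host 10.0.0.5: rel=offense_device_link_pkey age=638 granted=t "
    "mode=AccessShareLock query='SELECT DISTINCT (CASE WHEN offense_properties.user'",
    "[hostcontext.hostcontext] [e42ecea2-e414-426d-b3c6-e397734e6a70/SequentialEventDispatcher] "
    "com.q1labs.hostcontext.licensing.LicenseMonitor: [ERROR] [NOT:0000003000][10.0.0.1/- -] "
    "[-/- -]Cannot retrieve data for GV_42_HOURLY",
    "[hostcontext.hostcontext] [Thread-68701] ComponentOutput: [ERROR] [NOT:0000003000]"
    "[127.0.0.1/- -] [-/- -]ErrorStream replication: psql:/store/replication/"
    "tx0000000000000302764.sql:220939: ERROR:  index row size 2928 exceeds maximum 2712 "
    'for index "reference_data_element_data1"',
    "[hostcontext.hostcontext] [b02e2506-44ef-4b31-8253-6914f3da479f/SequentialEventDispatcher] "
    "com.ibm.si.application.platform.exception.ApplicationPlatformServiceException: "
    "20 attempts across 10 minutes failed to connect to these apps: 1004:[Reference Data Import - LDAP]",
    "[hostcontext.hostcontext] [main] constructed unrelated INFO line, no known signature",
]


def match_line(line):
    """Return (apar, captured fields) for a line matching a known signature, else None."""
    for apar, pattern in SIGNATURES.items():
        m = pattern.search(line)
        if m:
            return apar, m.groupdict()
    return None


def triage(lines):
    """Group matching lines by APAR number; lines without a known signature are dropped."""
    hits = defaultdict(list)
    for line in lines:
        result = match_line(line)
        if result:
            apar, fields = result
            hits[apar].append(fields)
    return dict(hits)


if __name__ == "__main__":
    # Typical use: python triage.py < /var/log/qradar.log, or run as-is on the samples.
    import sys
    source = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin
    for apar, records in sorted(triage(source).items()):
        print(f"{apar}: {len(records)} matching line(s); first: {records[0]}")
```

Only lines that carry one of the four signatures are reported, so ordinary TxSentry or replication chatter that does not match the quoted excerpt is not attributed to an APAR; a hit is a reason to compare the installed build against the "Resolved in" column above, not proof of the defect on its own.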
MICROSOFT OFFICE 365 MESSAGE TRACE IJ26483 ECS-EC-INGRESS SERVICE CAN EXPERIENCE OUT OF MEMORY OCCURRENCES WHEN MICROSOFT OFFICE 365 MESSAGE TRACE LOG SOURCE IS ENABLED OPEN Workaround
Contact Support for a possible workaround that might address this issue in some instances.

Issue
The QRadar ecs-ec-ingress service (used to collect events) can experience Out Of Memory occurrences when Microsoft Office 365 Message Trace log sources are in use (enabled) and large volumes of events are being ingested by the log source at initial startup.
25 July 2020
WINCOLLECT IJ27064 WINCOLLECT CAN CAPTURE RANDOM IP ADDRESSES FOR POPULATING THE ‘ORIGINATING COMPUTER’ FIELD IN EVENTS OPEN Workaround
No workaround available. APARs identified with no workaround may require a software delivery to resolve. This reported issue will be considered for a future release and administrators can subscribe to the APAR for notices about software to resolve this issue.

Issue
WinCollect can capture random IP addresses to populate the ‘OriginatingComputer=ipaddress’ field in events being written.
25 August 2020
DEPLOY CHANGES IJ25798 DEPLOY FUNCTION CAN FAIL DUE TO AN INCONSISTENT INDEX FROM THE CONSOLE VS MANAGED HOSTS OPEN Workaround
Contact Support for a possible workaround that might address this issue in some instances.

Issue
A QRadar deploy function can fail when there is inconsistency in an index (reference_data_element_data1) from what is on the Console vs what is on a Managed Host.

Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs:
[hostcontext.hostcontext] [Thread-68701] ComponentOutput: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream replication: psql:/store/replication/tx0000000000000302764.sql:220939: ERROR:  index row size 2928 exceeds maximum 2712 for index "reference_data_element_data1"
[hostcontext.hostcontext] [Thread-68701] ComponentOutput: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream replication: HINT:  Values larger than 1/3 of a buffer page cannot be indexed.
[hostcontext.hostcontext] [Thread-68701] ComponentOutput: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream replication: Consider a function index of an MD5 hash of the value, or use full text indexing.
[hostcontext.hostcontext] [Thread-68701] ComponentOutput: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream replication: CONTEXT:  SQL statement "INSERT INTO public.reference_data_element SELECT * FROM rep.public_reference_data_element"
[hostcontext.hostcontext] [Thread-68701] ComponentOutput: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream replication: PL/pgSQL function replicate_restore_dump(text,text) line 24 at EXECUTE
{hostname}-primary replication[197954]: Could not apply /store/replication/tx0000000000000302764.sql.
27 June 2020
LOG SOURCE MANAGEMENT APP IJ27045 UNABLE TO ADD MULTIPLE LOG SOURCES AT A TIME TO A LOG SOURCE GROUP USING THE LOG SOURCE MANAGEMENT APP OPEN Workaround
Moving the Log Sources one at a time to Log Source groups works as expected.

Issue
Attempting to add multiple Log Sources at a time to a Log Source Management Group using the Log Source Management app does not work as expected.

When selecting multiple Log Sources and then selecting “add to group”, a loading bar is displayed indicating the move process is occurring and a completion/success message is generated. Despite the appearance of success of the Log Sources being moved, the selected Log Sources have not been added to the group.
24 August 2020
LOG ACTIVITY IJ27199 ‘DEVICE STOPPED EMITTING EVENTS’ EVENT CAN DISPLAY INCORRECT LOG SOURCE TIME OF EPOCH 0 CLOSED Resolved in
QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)

Workaround
No workaround available. Administrators can complete a software upgrade to QRadar 7.4.1 Fix Pack 2 to resolve this issue.

Issue
The event ‘Device Stopped Emitting events’ details page can display an incorrect Log Source Time of EPOCH 0 (i.e. Jan 1 1970) due to the device sending the event’s “time” value not being set correctly.

This can cause unexpected rule behavior due to the incorrect value for the Log Source Time.
16 November 2020
DSM EDITOR IJ26226 DSM EDITOR FAILS TO PREVIEW CUSTOM PROPERTY OVERRIDE OF ‘ANY’ ‘ANY’ FOR HIGH AND LOW LEVEL CATEGORY BUT PARSES IT CORRECTLY OPEN Workaround
No workaround available.

Issue
When adding selectivity to a custom property override in the DSM Editor page and using “any” for both High Level Category and Low Level Category, nothing is displayed in the DSM Editor preview, but the override parses as expected in the pipeline once it is applied.
22 July 2020
EXTENSION MANAGEMENT IJ26462 ‘FAILED EXTENSION INSTALLATION TASK FOR EXTENSION ID ‘ WHEN PERFORMING A DSM IMPORT CLOSED Workaround
No workaround available. This issue is closed as a permanent restriction.

This scenario will not be resolved through the legacy import process. The newer import process in development will support resolution (by the user) of these conflict cases during installation, so it should be able to fix this issue.

Issue
Performing a DSM Import from within the QRadar User Interface can fail with the error “Failed Extension installation task for extension id XX”.

For example:
  1. Log in to QRadar as an administrator.
  2. Click the Admin tab > Extension Management > Add.
  3. Browse to the location of the DSM zip file that had been previously exported.
  4. Select the Install immediately check box and click Add.
  5. Click OK.

    Result: an error pop-up is generated:
    "Failed Extension installation task for extension id XX"
24 July 2020
DASHBOARD IJ26192 RSS FEED DASHBOARDS DO NOT WORK WHEN QRADAR IS BEHIND A PROXY CLOSED Workaround
No workaround available. This issue is closed as a permanent restriction.

Issue
When QRadar is behind a proxy, RSS feed dashboard items cannot connect and report an error. Example error message in the Dashboard:
Unable to view rss feed of url http://feeds.feedburner.com/SecurityIntelligence.
14 July 2020
OFFENSES / REPORTS IJ25398 THERE ARE DISCREPANCIES IN THE COLUMNS INCLUDED WITHIN THE OFFENSE SEARCH AND OFFENSE DETAILS REPORT CLOSED Workaround
No workaround available.

Issue
There are discrepancies in the columns included within the Offense search and Offense details report.
For example:
  • In the QRadar User Interface, go to Offense tab.
  • Create an offense search with the filters contributing rule and offense type.
  • Save the search.
  • Go to the Report tab.
  • Create a new Offense Details report based on offense search.
  • Run the report.

    Result
    There is a discrepancy in the columns included in the Offense search and the Offense details report.

  • Comments
    Unfortunately, there will be no work done on the existing Offense Screen/Searches or Reporting that will allow the user to refine the offense details.

    The user may use the Offense API, which will have significant performance improvements in 7.4.1, to retrieve the information that they are looking for.
    14 July 2020
    REPORTS IJ26321 REPORTS CAN FAIL TO COMPLETE DUE TO A LOCK ON THE QRADAR DATABASE PREVENTING REPORT TEMPLATES FROM LOADING OPEN Workaround
    Administrators can restart the reporting executor service, which allows the report templates to reload and creates a new transaction session.
    1. Log in to the QRadar Console as the root user.
    2. To restart the reporting executor, type:
      systemctl restart reporting_executor
    3. To verify that the issue is resolved, manually start the report in the QRadar interface.

    Issue
    In some instances, QRadar report templates can fail to load because a lock on the QRadar database prevents the database transaction from retrieving the report templates. The database connection fails because the session connection is already considered dead, or was previously used and closed. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [reporting_executor.reporting_executor] [Report Queue] com.q1labs.reporting.ReportServices: [INFO] [NOT:0000006000][xx.xx.xx.xx/- -] [-/- -]Reporting Scheduler is enabled
    [reporting_executor.reporting_executor] [Report Queue] com.q1labs.reporting.ReportServices: [ERROR] [NOT:0000003000][xx.xx.xx.xx/- -] [-/- -]Lock to templates folder is acquired by another process, skipping templates reload.
    [reporting_executor.reporting_executor] [Report Queue] com.q1labs.core.shared.ariel.CustomKeyCreator: [ERROR] [NOT:0000003000][xx.xx.xx.xx/- -] [-/- -]Exception loading custom property ID ed1cbe38-1f8a-4621-a838-8a6400c61384
    [reporting_executor.reporting_executor] [Report Queue] {openjpa-2.4.3-r422266:1833086 fatal general error} org.apache.openjpa.persistence.PersistenceException: This connection has been closed. {SELECT t0.id, t0.autodiscovered, t0.creationdate, t0.database, t0.datepattern, t0.description, t0.description_id, t0.editdate, t0.forceparse, t0.languagetag, t0.propertyname, t0.sequenceid, t0.tenant_id, t0.propertytype, t0.username FROM ariel_regex_property t0 WHERE (t0.id = ?)} {code=0, state=08003}
    FailedObject: SELECT a FROM ArielRegexProperty a WHERE a.id = ?1 [java.lang.String]
    [reporting_executor.reporting_executor] [Report Queue]    at org.apache.openjpa.jdbc.sql.DBDictionary.narrow(DBDictionary.java:5003)
    ..
    [reporting_executor.reporting_executor] [Report Queue] Caused by:
    [reporting_executor.reporting_executor] [Report Queue] org.apache.openjpa.lib.jdbc.ReportingSQLException: This connection has been closed. {SELECT t0.id, t0.autodiscovered, t0.creationdate, t0.database, t0.datepattern, t0.description, t0.description_id, t0.editdate, t0.forceparse, t0.languagetag, t0.propertyname, t0.sequenceid, t0.tenant_id, t0.propertytype, t0.username FROM ariel_regex_property t0 WHERE (t0.id = ?)}
    
    25 July 2020
    UPGRADE / HIGH AVAILABILITY (HA) IJ12252 QRADAR PATCH FAILS WHEN MORE THAN ONE .SFS IS MOUNTED CLOSED Resolved in QRadar 7.4.1 (7.4.1.20200716115107)

    Workaround
    To resolve the issue, remove the deleted mounts by typing umount /media/updates as many times as needed, until all /media/updates mount references are removed.

    Type mount | grep media to verify that all volumes mounted on /media/updates are removed.

    Remount the .SFS file you need to patch or update your system. Check for deleted mounts on both the Primary and Secondary HA nodes. For more information, see the technical note linked below.

    Issue
    It has been identified that when two sfs files are mounted, the QRadar patch test is successful, but the patch fails with an error similar to “Original patch sfs file, ‘{patch_file_path}’ not found, please verify and restore the file.”

    Look for similar messages in /var/log/setup-/patches.log:
    Copying file /storetmp/732_QRadar_interimfix-7.3.2.20190522204210-IF02-20190710135412.sfs to host /storetmp:/storetmp/732_QRadar_interimfix-7.3.2.20190522204210-IF02-20190710135412.sfs
    cp: cannot create regular file 'root@/storetmp:/storetmp/732_QRadar_interimfix-7.3.2.20190522204210-IF02-20190710135412.sfs/732_QRadar_interimfix-7.3.2.20190522204210-IF02-20190710135412.sfs': No such file or directory
    [ERROR] Couldn't copy patch file FILE to host /storetmp.
    [ERROR] Copied patch file to standby host, but MD5 sums do not match.
    [ERROR](a-i-has-testmode) HOSTNAME-secondary : patch test failed.
    [ERROR](a-i-has-testmode) Patching can not continue
    Patch Report for IP-ADDRESS, appliance type: 1828
    HOSTNAME-primary : patch test succeeded.
    Copied patch file to standby host, but MD5 sums do not match.
    See the following Technote for additional information:
    https://www.ibm.com/support/pages/node/1072998
    22 November 2019
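The IJ12252 workaround above (repeat umount /media/updates until no reference remains, then confirm with mount | grep media) as an added shell example. This is not IBM's script and is not part of the original page. MAX_PASSES is an assumed safety bound, not a QRadar value; the fake_mount and fake_umount functions are a constructed simulation so the loop can be exercised without touching real mounts. With the defaults it drives the real mount and umount and must be run as root, on the primary and on the secondary HA node.

```shell
#!/bin/sh
# Added example for the IJ12252 workaround; not IBM's script. Counts mount-table
# references to /media/updates and unmounts until none remain, with a pass limit so
# a failing umount cannot loop forever. MAX_PASSES is an assumed bound, not a QRadar
# value. The fake_* functions are a constructed simulation for offline dry runs.

MAX_PASSES=20

# Count mount-table lines whose mount point is /media/updates (mount output on stdin).
count_updates_mounts() {
    grep -c '[[:space:]]/media/updates[[:space:]]' || true
}

# Unmount /media/updates repeatedly until the mount table no longer references it.
#   $1 = command that prints the mount table (default: mount)
#   $2 = command that unmounts a mount point (default: umount)
# Returns 0 when clean, 1 if umount fails or MAX_PASSES is exceeded.
clear_updates_mounts() {
    mount_cmd="${1:-mount}"
    umount_cmd="${2:-umount}"
    passes=0
    while [ "$("$mount_cmd" | count_updates_mounts)" -gt 0 ]; do
        passes=$((passes + 1))
        [ "$passes" -le "$MAX_PASSES" ] || return 1
        "$umount_cmd" /media/updates || return 1
    done
    return 0
}

# --- Constructed simulation: no real mounts are touched -------------------------
# A state file holds how many stale /media/updates entries the fake table shows;
# fake_umount removes one per call, mirroring the repeated real umount.
SIM_STATE="${TMPDIR:-/tmp}/updates_mount_sim.$$"

fake_mount() {
    n=$(cat "$SIM_STATE")
    printf '/dev/sda2 on / type ext4 (rw,relatime)\n'
    i=0
    while [ "$i" -lt "$n" ]; do
        printf '/storetmp/patch.sfs on /media/updates type squashfs (ro,relatime)\n'
        i=$((i + 1))
    done
}

fake_umount() {
    n=$(cat "$SIM_STATE")
    [ "$n" -gt 0 ] || return 1
    echo $((n - 1)) > "$SIM_STATE"
}

# Seed the simulation with $1 stale mounts, run the cleanup against it, print the
# number of /media/updates entries left (0 on success) and return the cleanup status.
simulate_cleanup() {
    echo "${1:-3}" > "$SIM_STATE"
    if clear_updates_mounts fake_mount fake_umount; then rc=0; else rc=1; fi
    fake_mount | count_updates_mounts
    rm -f "$SIM_STATE"
    return "$rc"
}

# Stand-alone use: --simulate exercises the fake table; --run cleans the real one
# and then repeats the page's check (mount | grep media should print nothing).
if [ "${1:-}" = "--simulate" ]; then
    simulate_cleanup 3
elif [ "${1:-}" = "--run" ]; then
    clear_updates_mounts && mount | grep media
fi
```

The pass limit is the one thing the manual procedure lacks: if umount keeps returning an error (for example, a process still holds the squashfs open), the loop stops and reports failure instead of spinning, and the .sfs should not be remounted until that is resolved.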
    LOG SOURCE MANAGEMENT APP IJ24187 TESTING A CONFIGURATION IN THE LOG SOURCE MANAGEMENT APP CAN FAIL FOR SOME PROTOCOLS WHILE THE CONFIGURED LOG SOURCE WORKS OPEN Workaround
    No workaround available.

    Issue
    Testing a configuration using the Log Source Management App can fail with an unknown error on some protocols. Regular operation of the configured Log Source to collect data can function properly in some instances where the testing function fails.
    08 April 2020
    DATA OBFUSCATION / DOMAINS IJ24467 DOMAIN OBFUSCATION PROFILE CAN FAIL TO BE COPIED CORRECTLY TO EVENT COLLECTOR CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)
    QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)

    Workaround
    Contact Support for a possible workaround that might address this issue in some instances.

    Issue
    A Domain Obfuscation profile can fail to be applied to the correct domain due to obfuscation_field_expression_domain and obfuscation_reg_expression_domain failing to be added to the Event Collector replication profile sent from the QRadar Console.
    24 April 2020
    EMAIL / SMTP IJ25315 EMAILS FROM RULE RESPONSES CAN FAIL AND NOT BE SENT PROPERLY CLOSED Resolved in QRadar 7.4.1 (7.4.1.20200716115107)

    Workaround
    As a temporary workaround, change the smtp_host_lookup value from “dns” to “dns,native” in /etc/postfix/main.cf by running the following commands from the CLI on the host(s) where the email server is configured:
    1. Use SSH to log in to the QRadar appliance and update the Postfix setting:
      sed -i "s/smtp_host_lookup = dns/smtp_host_lookup = dns,native/g" /etc/postfix/main.cf
    2. Also change the script /opt/ibm/si/si-postfix/bin/configure-postfix.sh so that the postfix service does not reset the configuration:
      sed -i "s/'tls|sasl|smtp' |/'tls|sasl|smtp' | grep -v smtp_host_lookup |/g" /opt/ibm/si/si-postfix/bin/configure-postfix.sh


    Issue
    Due to the SMTP changes in QRadar 7.4.0, where the relay host is changed to localhost, the SMTP lookup configuration is overwritten, causing emails not to be sent properly. This issue can prevent emails from features such as rule responses from being sent.

    The following errors can be seen in /var/log/maillog when this issue occurs:
    May 29 10:17:37 postfix/smtp[1446]: warning: relayhost configuration problem
    May 29 10:17:37 postfix/smtp[1448]: 31145B59: to=, relay=none, delay=435, delays=395/0.03/40/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=localhost type=AAAA: Host not found)

    To confirm the issue, use grep to check whether the error is present:
    grep -A1 "relayhost configuration problem" /var/log/maillog
    02 June 2020
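The IJ25315 workaround and its maillog check, as an added shell example. This is not IBM's script and is not part of the original page. It checks whether smtp_host_lookup already includes native before applying the page's sed (so it is safe to re-run, and it keeps a .bak copy), and counts the “relayhost configuration problem” warnings in a maillog. File paths are parameters so it can run against the constructed sample files it writes itself; on a QRadar host you would point it at /etc/postfix/main.cf and /var/log/maillog. Step 2 of the workaround (keeping configure-postfix.sh from resetting the value) is not automated here.

```shell
#!/bin/sh
# Added example for the IJ25315 workaround; not IBM's script. Checks and applies
# smtp_host_lookup = dns,native on a Postfix main.cf and counts the tell-tale
# maillog warning. The write_sample_* functions produce constructed files for an
# offline run; they are not real QRadar configuration or logs.

# Print the effective smtp_host_lookup value (last assignment wins, whitespace
# removed); prints nothing if the key is absent.
smtp_host_lookup_value() {
    sed -n 's/^smtp_host_lookup[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1 | tr -d ' \t'
}

# Return 0 if "native" is one of the comma-separated lookup methods.
has_native_lookup() {
    case ",$(smtp_host_lookup_value "$1")," in
        *,native,*) return 0 ;;
    esac
    return 1
}

# Switch "smtp_host_lookup = dns" to "dns,native" (the page's sed, guarded).
# Idempotent: does nothing if native is already present. Keeps FILE.bak.
# Returns 0 if the file ends up with native enabled.
apply_native_lookup() {
    if has_native_lookup "$1"; then
        return 0
    fi
    sed -i.bak 's/^\(smtp_host_lookup[[:space:]]*=[[:space:]]*\)dns[[:space:]]*$/\1dns,native/' "$1"
    has_native_lookup "$1"
}

# Count the warning that marks this failure mode in a maillog.
count_relayhost_failures() {
    grep -c 'relayhost configuration problem' "$1" || true
}

# --- Constructed samples (not real QRadar files) -----------------------------
write_sample_main_cf() {
    cat > "$1" <<'EOF'
# constructed sample of the relevant main.cf lines
relayhost = localhost
smtp_host_lookup = dns
EOF
}

write_sample_maillog() {
    cat > "$1" <<'EOF'
May 29 10:17:37 postfix/smtp[1446]: warning: relayhost configuration problem
May 29 10:17:37 postfix/smtp[1448]: 31145B59: to=<user@example.com>, relay=none, delay=435, delays=395/0.03/40/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=localhost type=AAAA: Host not found)
May 29 10:20:02 postfix/smtp[1450]: 31145B60: to=<user@example.com>, relay=127.0.0.1[127.0.0.1]:25, delay=0.2, status=sent (250 2.0.0 Ok)
EOF
}

# Stand-alone demo on temporary copies: prints the value before and after the fix
# and the number of relayhost warnings in the sample log.
demo() {
    dir=$(mktemp -d)
    write_sample_main_cf "$dir/main.cf"
    write_sample_maillog "$dir/maillog"
    echo "before: $(smtp_host_lookup_value "$dir/main.cf")"
    apply_native_lookup "$dir/main.cf"
    echo "after:  $(smtp_host_lookup_value "$dir/main.cf")"
    echo "relayhost warnings in maillog: $(count_relayhost_failures "$dir/maillog")"
    rm -rf "$dir"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Because rule-response email is how many deployments learn that an offense fired, a non-zero count from the maillog check is worth alerting on in its own right, independent of whether the main.cf change has been applied.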
    LOG SOURCE MANAGEMENT APP IJ25871 BULK EDIT > ADD TO GROUP FOR LOG SOURCES USING THE LOG SOURCE MANAGEMENT APP V6 DOES NOT WORK AS EXPECTED CLOSED Workaround
    No workaround available.

    Issue
    Performing a Bulk Edit > Add to Group function for log sources using the Log Source Management (LSM) app v6 displays as successful but does not add the log sources to the group. The LSM app v5 does not experience this issue.
    30 June 2020
    SEARCH / HIGH AVAILABILITY (HA) IJ07275 ARIEL CURSOR FILES (USED FOR SAVED SEARCHES) ARE LOST AFTER A HIGH AVAILABILITY CONSOLE FAILOVER OCCURS CLOSED Resolved in QRadar 7.3.2 Patch 2 (7.3.2.20190522204210)

    Workaround
    No workaround available.

    Issue
    It has been identified that the Ariel cursor files, which are created and used for saved searches, are not being copied to the Standby HA console appliance. When a High Availability (HA) console failover occurs, the Saved Searches no longer appear in the QRadar User Interface as the required cursor files are not present.
    07 March 2019
    AMAZON AWS REST API PROTOCOL IJ26748 AMAZON AWS S3 REST API PROTOCOL CAN POLL FOR PREVIOUSLY PROCESSED EVENTS DUE TO AN AWS API CHANGE OPEN Workaround
    No workaround available.

    Issue
    It has been identified that, when the Amazon AWS S3 REST API protocol is used, the QRadar appliance can poll for older events. This causes Amazon AWS S3 and Cisco Umbrella log sources to poll for events that were previously processed by QRadar. Previously, QRadar used a marker file to record the last polling position so that the AWS S3 buckets polled did not return older events in the API query. This functionality changed recently in the Amazon AWS REST API: the root cause of this issue is the transition of the Amazon AWS REST API to a new startAfter key value in API queries.

    This issue is reported in the following protocol versions:
    • AmazonAWSRESTAPI-7.3-20200618175646.noarch.rpm
    • AmazonAWSRESTAPI-7.4-20200619004601.noarch.rpm
    An update is in progress for the Amazon AWS S3 REST API protocol to include the new startAfter key in event queries. A protocol RPM update is required to resolve this issue. To determine your current Amazon AWS S3 REST API protocol version, use the Admin > Auto Update icon in the QRadar user interface or run yum info PROTOCOL-AmazonAWS from the command line. Administrators with impacted protocol versions can subscribe to this APAR or open a case with QRadar Support and reference the APAR number.
    02 August 2020
    SYSTEM NOTIFICATIONS IJ26134 SYSTEM NOTIFICATIONS FOR ‘PROCESS TUNNEL.TUNNEL{XXX} HAS FAILED TO START…” CAN BE CAUSED BY DUPLICATE OFFSITE TUNNEL CREATION CLOSED Resolved in QRadar 7.4.1 (7.4.1.20200716115107)

    Workaround
    Contact Support for a possible workaround that might address this issue in some instances.

    Issue
    QRadar System Notifications relating to tunnels not starting can be observed when duplicate tunnels for encrypted offsite targets are created by QRadar within the deployment.xml configuration file. Additional duplicate tunnels can be generated after each subsequent Deploy function when this issue occurs.

    Event name: “Error: Process monitor application has failed to startup multiple times”

    Payload:
    Apr 8 23:48:58 127.0.0.1 [ProcessMonitor] com.q1labs.hostcontext.processmonitor.ProcessManager: [ERROR] [NOT:0150114103][x.x.x.x/- -] [-/- -]Process tunnel.tunnel293 has failed to start for 6828 intervals. Continuing to try to start...
    15 July 2020
    SYSTEM NOTIFICATIONS IJ26118 QRADAR SYSTEM NOTIFICATIONS THAT CONTAIN QIDS WITH URL LINKS CAN DISPLAY INCORRECTLY AFTER PATCHING QRADAR CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505)
    QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002)

    Workaround
    No workaround available.

    Issue
    QRadar System Notifications that contain QIDs with URL links can fail to display correctly after patching. (e.g. assetprofiler QID – 38750073)
    14 July 2020
    DEPLOY CHANGES IJ25798 DEPLOY FUNCTION CAN FAIL DUE TO AN INCONSISTENT INDEX FROM THE CONSOLE VS MANAGED HOST(S) CLOSED Resolved in QRadar 7.4.1 (7.4.1.20200716115107)

    Workaround
    Contact Support for a possible workaround that might address this issue in some instances.

    Issue
    A QRadar deploy function can fail when there is inconsistency in an index (reference_data_element_data1) from what is on the Console vs what is on a Managed Host. Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs:
    [hostcontext.hostcontext] [Thread-68701] ComponentOutput: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream replication: psql:/store/replication/tx0000000000000302764.sql:220939: ERROR: index row size 2928 exceeds maximum 2712 for index "reference_data_element_data1"
    [hostcontext.hostcontext] [Thread-68701] ComponentOutput: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream replication: HINT: Values larger than 1/3 of a buffer page cannot be indexed.
    [hostcontext.hostcontext] [Thread-68701] ComponentOutput: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream replication: Consider a function index of an MD5 hash of the value, or use full text indexing.
    [hostcontext.hostcontext] [Thread-68701] ComponentOutput: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream replication: CONTEXT:  SQL statement "INSERT INTO public.reference_data_element SELECT * FROM rep.public_reference_data_element"
    [hostcontext.hostcontext] [Thread-68701] ComponentOutput: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream replication: PL/pgSQL function replicate_restore_dump(text,text) line 24 at EXECUTE
    hostname-primary replication[197954]: Could not apply /store/replication/tx0000000000000302764.sql.
    27 June 2020
    LICENSE / QRADAR NETWORK INSIGHTS IJ25793 LICENSE CANNOT BE APPLIED SUCCESSFULLY TO QNI APPLIANCE TYPES 6500 ON PATCHED DEPLOYMENTS OPEN Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505)

    Workaround
    Note: This command can take a couple of minutes to return to the shell prompt because the Tomcat restart can take a couple of minutes.

    Run the following command (a single line):
    sed -i.install 's/^forensicsRealtime=.*/forensicsRealtime=6200,6300,6400,6500,0,software/g' /opt/qradar/conf/templates/deployments/applianceTypes.properties ; systemctl restart tomcat

    Issue
    In some instances, licenses cannot be successfully applied to QRadar Network Insights (QNI) appliance type 6500. This behavior has been observed in QRadar deployments that have been patched (i.e., not fresh installs).
    29 July 2020
    CUSTOM PROPERTIES / DATA OBFUSCATION IJ19993 CUSTOM PROPERTY IS NOT PROPERLY PARSED FROM EVENT PAYLOAD WHEN EXPRESSION BASED DATA OBFUSCATION HAS BEEN IN USE CLOSED Resolved in QRadar 7.4.1 (7.4.1.20200716115107)

    Workaround
    No workaround available.

    Issue
    It has been identified that a correctly configured Custom Property does not properly parse event data when expression based Data Obfuscation has been configured and is in use. When this occurs, the expected event payload data is not parsed for use and display by QRadar.
    07 October 2019
    QRADAR VULNERABILITY MANAGER IJ22496 ‘{PROFILENAME} CANNOT BE RAN AS IT HAS ON DEMAND SCANNING ENABLED’ WHEN SCAN NAME CONTAINS ‘RC’ OR CRE’ CLOSED Resolved in QRadar 7.4.1 (7.4.1.20200716115107)

    Workaround
    No workaround available.

    Issue
    Scan profiles cannot be run from the Scan Results screen when a scan name contains ‘RC’ or ‘CRE’.

    A message similar to: “{ProfileName} cannot be ran as it has On Demand Scanning enabled” is generated in the QRadar User Interface when this issue is occurring.
    10 February 2020
    SEARCH / SHOW AQL IJ21226 ‘SHOW AQL’ BUTTON DISPLAYS “NULL” OUTPUT FOR A SAVED SEARCH USING ‘PAYLOAD MATCHES REGULAR EXPRESSION’ FILTER CLOSED Resolved in QRadar 7.4.1 (7.4.1.20200716115107)

    Workaround
    No workaround available.

    Issue
    It has been identified that using the “Show AQL” button for a saved search using the “Payload Matches Regular Expression” filter displays “null” in the text field where the AQL should display. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [tomcat.tomcat] [admin@127.0.0.1(6577) /console/restapi/api/ariel/saved_searches/2818] com.q1labs.cve.api.v10_0.ariel.ArielAPI_v10: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Error occurred while returning the saved search
    [tomcat.tomcat] [admin@127.0.0.1(6577) /console/restapi/api/ariel/saved_searches/2818] java.lang.RuntimeException: Predicate 'com.q1labs.core.types.event.NormalizedEventPredicate$PayloadMatches@34bf9463' [class: class com.q1labs.core.types.event.NormalizedEventPredicate$PayloadMatches] doesn't implement I2AQL
    [tomcat.tomcat] [admin@127.0.0.1(6577) /console/restapi/api/ariel/saved_searches/2818]    at com.q1labs.ariel.ql.I2AQL.aql(I2AQL.java:142)
    [tomcat.tomcat] [admin@127.0.0.1(6577) /console/restapi/api/ariel/saved_searches/2818]    at com.q1labs.ariel.ql.I2AQL.aql(I2AQL.java:147)
    [tomcat.tomcat] [admin@127.0.0.1(6577) /console/restapi/api/ariel/saved_searches/2818]    at com.q1labs.cve.utils.CriteriaBuilder.buildAql(CriteriaBuilder.java:512)
    [tomcat.tomcat] [admin@127.0.0.1(6577) /console/restapi/api/ariel/saved_searches/2818]    at com.q1labs.cve.utils.ArielSearchForm2AQL.convert(ArielSearchForm2AQL.java:143)
    [tomcat.tomcat] [admin@127.0.0.1(6577) /console/restapi/api/ariel/saved_searches/2818]    at com.q1labs.cve.utils.ArielSearchForm2AQL.convert(ArielSearchForm2AQL.java:105)
    [tomcat.tomcat] [admin@127.0.0.1(6577) /console/restapi/api/ariel/saved_searches/2818]    at com.q1labs.cve.api.impl.ariel.ArielAPIImpl.convertToAQL(ArielAPIImpl.java:1112)
    [tomcat.tomcat] [admin@127.0.0.1(6577) /console/restapi/api/ariel/saved_searches/2818]    at com.q1labs.cve.api.impl.ariel.ArielAPIImpl.buildArielSavedSearchDTO(ArielAPIImpl.java:1091)
    [tomcat.tomcat] [admin@127.0.0.1(6577) /console/restapi/api/ariel/saved_searches/2818]    at com.q1labs.cve.api.impl.ariel.ArielAPIImpl.getSavedSearch(ArielAPIImpl.java:1123)
    [tomcat.tomcat] [admin@127.0.0.1(6577) /console/restapi/api/ariel/saved_searches/2818]    at com.q1labs.cve.api.v10_0.ariel.ArielAPI_v10.getSavedSearch(ArielAPI_v10.java:199)
    [tomcat.tomcat] [admin@127.0.0.1(6577) /console/restapi/api/ariel/saved_searches/2818]    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    [tomcat.tomcat] [admin@127.0.0.1(6577) /console/restapi/api/ariel/saved_searches/2818]    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)
    [tomcat.tomcat] [admin@127.0.0.1(6577) /console/restapi/api/ariel/saved_searches/2818]    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
    [tomcat.tomcat] [admin@127.0.0.1(6577) /console/restapi/api/ariel/saved_searches/2818]    at java.lang.reflect.Method.invoke(Method.java:508)
    [tomcat.tomcat] [admin@127.0.0.1(6577) /console/restapi/api/ariel/saved_searches/2818]    at com.q1labs.restapi.servlet.utilities.APIRequestHandler.invokeMethod(APIRequestHandler.java:1031)
    [tomcat.tomcat] [admin@127.0.0.1(6577) /console/restapi/api/ariel/saved_searches/2818]    at com.q1labs.restapi.servlet.utilities.APIRequestHandler.redirectRequest(APIRequestHandler.java:399)
    [tomcat.tomcat] [admin@127.0.0.1(6577) /console/restapi/api/ariel/saved_searches/2818]    at com.q1labs.restapi.servlet.utilities.APIRequestHandler.handleRequest(APIRequestHandler.java:239)
    [tomcat.tomcat] [admin@127.0.0.1(6577) /console/restapi/api/ariel/saved_searches/2818]    at com.q1labs.restapi.servlet.apidelegate.APIDelegate.handleRequest(APIDelegate.java:303)
    [tomcat.tomcat] [admin@127.0.0.1(6577) /console/restapi/api/ariel/saved_searches/2818]    at com.q1labs.restapi.servlet.apidelegate.APIDelegate.service(APIDelegate.java:221)
    [tomcat.tomcat] [admin@127.0.0.1(6577) /console/restapi/api/ariel/saved_searches/2818]    at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
    [tomcat.tomcat] [admin@127.0.0.1(6577) /console/restapi/api/ariel/saved_searches/2818]    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
    [tomcat.tomcat] [admin@127.0.0.1(6577) /console/restapi/api/ariel/saved_searches/2818]    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    [tomcat.tomcat] [admin@127.0.0.1(6577) /console/restapi/api/ariel/saved_searches/2818]    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    [tomcat.tomcat] [admin@127.0.0.1(6577) /console/restapi/api/ariel/saved_searches/2818]    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    [tomcat.tomcat] [admin@127.0.0.1(6577) /console/restapi/api/ariel/saved_searches/2818]    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    [tomcat.tomcat] [admin@127.0.0.1(6577) /console/restapi/api/ariel/saved_searches/2818]    at com.q1labs.uiframeworks.auth.EulaFilter.doFilter(EulaFilter.java:141)
    [tomcat.tomcat] [admin@127.0.0.1(6577) /console/restapi/api/ariel/saved_searches/2818]    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    27 November 2019
    AUTO UPDATE IJ21293 AUTOUPDATE AND CRON NOT RUNNING ON 7.3.2 QRADAR IMAGES INSTALLED ON GOOGLE CLOUD PLATFORM AND AMAZON WEB SERVICES CLOSED Resolved in QRadar 7.4.1 (7.4.1.20200716115107)

    Workaround
    Running the following commands from a command line on the system after it is built corrects the issue outlined in the APAR.
    $ sudo su -
    $ pwck
    $ systemctl start crond.service

    Issue
    It has been identified that on 7.3.2 QRadar images installed on Google Cloud Platform and Amazon Web Services (AWS), Automatic Updates do not run and the cron service is not running.
    09 December 2019
    BACKUP AND RESTORE IJ21230 CONFIG BACKUP CAN TAKE LONGER THAN EXPECTED TO COMPLETE IF A MANAGED HOST TIMEOUT OCCURS CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)
    QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)

    Workaround
    Contact Support for a possible workaround that might address this issue in some instances.

    Issue
    It has been identified that the script update-remote-certs.sh does not have an SSH connection timeout configured for the rsync command.

    This can result in a longer than expected time to restore a config backup if Managed Host connections experience a timeout.
    29 July 2020
    REFERENCE DATA IJ21228 TOMCAT OUT OF MEMORY CAN OCCUR DURING AUTOMATED REFERENCE DATA CLEANUP BY QRADAR CLOSED Resolved in QRadar 7.4.1 (7.4.1.20200716115107)

    Workaround
    Contact Support for a possible workaround that might address this issue in some instances.

    Issue
    It has been identified that in some instances, the tomcat process can experience an Out of Memory occurrence during QRadar’s automated cleanup of reference data. The QRadar User Interface is unavailable during a tomcat Out Of Memory occurrence until the affected services recover.

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    com.q1labs.core.shared.referencedata.ReferenceDataManager: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ReferenceDataManager.deleteFromReferenceDataCollection() - SQLException caught while trying to delete from Reference Data Collection : UBA : User Accounts, Successful, Recent
    com.q1labs.core.shared.referencedata.ReferenceDataManager: [ERROR] Chained SQL Exception [1/2]: Batch entry 0 delete from reference_data_element rde where rde.rdk_id = (select id from reference_data_key where rd_id = 53 and domain_info = 2147483647) and data= ? was aborted: An I/O error occurred while sending to the backend. Call getNextException to see other errors in the batch.
    com.q1labs.core.shared.referencedata.ReferenceDataManager: [ERROR] Chained SQL Exception [2/2]: An I/O error occurred while sending to the backend.
    com.q1labs.core.shared.referencedata.ReferenceDataManager: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ReferenceDataManager.deleteFromReferenceDataCollection() getNextException():
    java.sql.BatchUpdateException: Batch entry 0 delete from reference_data_element rde where rde.rdk_id = (select id from reference_data_key where rd_id = 53 and domain_info = 2147483647) and data = ? was aborted: An I/O error occurred while sending to the backend. Call getNextException to see other errors in the batch.
    at org.postgresql.jdbc.BatchResultHandler.handleError(BatchResultHandler.java:148)
    at org.postgresql.jdbc.PgStatement.executeBatch(PgStatement.java)
    at org.postgresql.jdbc.PgPreparedStatement.executeBatch(PgPreparedStatement.java:1556)
    at com.mchange.v2.c3p0.impl.NewProxyPreparedStatement.executeBatch(NewProxyPreparedStatement.java:1723)
    at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeBatch(DelegatingPreparedStatement.java:250)
    at org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator$LoggingConnection$LoggingPreparedStatement.executeBatch(LoggingConnectionDecorator.java:1149)
    at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeBatch(DelegatingPreparedStatement.java:250)
    at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeBatch(DelegatingPreparedStatement.java:250)
    at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.executeBatch(DelegatingPreparedStatement.java:250)
    at org.apache.openjpa.jdbc.kernel.JDBCStoreManager$CancelPreparedStatement.executeBatch(JDBCStoreManager.java:1809)
    at com.q1labs.frameworks.session.PreparedStatementWrapper.executeBatch(PreparedStatementWrapper.java:265)
    at com.q1labs.core.dao.referencedata.light.ReferenceDataCacheSet.runSqlStatement(ReferenceDataCacheSet.java:494)
    at com.q1labs.core.dao.referencedata.light.ReferenceDataCacheSet.deleteData(ReferenceDataCacheSet.java:576)
    at com.q1labs.core.dao.referencedata.light.ReferenceDataCacheSet.access$800(ReferenceDataCacheSet.java:36)
    at com.q1labs.core.dao.referencedata.light.ReferenceDataCacheSet$5.call(ReferenceDataCacheSet.java:273)
    at com.q1labs.core.dao.referencedata.light.ReferenceDataCacheSet$5.call(ReferenceDataCacheSet.java:251)
    at com.q1labs.core.dao.referencedata.light.RefDataCacheLock.writeCacheAccess(RefDataCacheLock.java:125)
    at com.q1labs.core.dao.referencedata.light.ReferenceDataCacheSet.deleteElement(ReferenceDataCacheSet.java:250)
    at com.q1labs.core.dao.referencedata.light.RefDataDomainProtection.deleteElement(RefDataDomainProtection.java:83)
    at com.q1labs.core.shared.referencedata.ReferenceDataManager.delete
    FromReferenceDataCollection(ReferenceDataManager.java:885)
    at com.q1labs.core.shared.referencedata.ReferenceDataManager.delete
    FromReferenceDataCollection(ReferenceDataManager.java:946)
    at com.q1labs.core.shared.referencedata.ReferenceDataTimer.expireDa
    ta(ReferenceDataTimer.java:186)
    at com.q1labs.core.shared.referencedata.ReferenceDataTimer.timeExpi
    red(ReferenceDataTimer.java:68)
    at com.q1labs.frameworks.events.timer.TimerEventGenerator$TimerEven
    tInfo.dispatchEvent(TimerEventGenerator.java:234)
    at com.q1labs.frameworks.events.SequentialEventDispatcher$DispatchT
    hread.run(SequentialEventDispatcher.java:129)
    Caused by:
    org.postgresql.util.PSQLException: An I/O error occurred while
    sending to the backend.
    at org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorIm
    pl.java:333) 
    at org.postgresql.jdbc.PgStatement.executeBatch(PgStatement.java:81
    6)... 23 more
    Caused by:
    java.net.SocketException: Socket closed
    at java.net.SocketInputStream.socketRead0(Native Method)
    at java.net.SocketInputStream.socketRead(SocketInputStream.java:127)
    at java.net.SocketInputStream.read(SocketInputStream.java:182)
    at java.net.SocketInputStream.read(SocketInputStream.java:152)
    06 December 2019
    RULES IJ20895 PARSING RULE 'WHEN THE EVENT MATCHES THIS SEARCH FILTER' CAN GENERATE A NUMBERFORMATEXCEPTION CLOSED Resolved in QRadar 7.4.1 (7.4.1.20200716115107)

    Workaround
    Attempt to use different test condition(s) to achieve the same expected output as the failing rule set.

    Issue
    It has been identified that a "NumberFormatException" is generated when Rules using the following conditions are executed:
    • When the event matches this search filter
    • Custom rule equals any of 'Rule A', 'Rule B', 'Rule C'.
    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [ecs-ep.ecs-ep] [27592323-5063-4bc6-910b-205a351006fc/SequentialEventDispatcher] com.q1labs.semsources.cre.tests.ArielFilterTest: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Error parsing parameters
    [ecs-ep.ecs-ep] [27592323-5063-4bc6-910b-205a351006fc/SequentialEventDispatcher] java.lang.NumberFormatException: For input string: "100003 100033 100001"
    [ecs-ep.ecs-ep] [27592323-5063-4bc6-910b-205a351006fc/SequentialEventDispatcher] at java.lang.NumberFormatException.forInputString(NumberFormatException.java:76)
    [ecs-ep.ecs-ep] [27592323-5063-4bc6-910b-205a351006fc/SequentialEventDispatcher] at java.lang.Integer.parseInt(Integer.java:592)
    [ecs-ep.ecs-ep] [27592323-5063-4bc6-910b-205a351006fc/SequentialEventDispatcher] at java.lang.Integer.parseInt(Integer.java:627)
    [ecs-ep.ecs-ep] [27592323-5063-4bc6-910b-205a351006fc/SequentialEventDispatcher] at com.q1labs.semsources.cre.tests.ArielFilterTest.createArielTest(ArielFilterTest.java:49)
    [ecs-ep.ecs-ep] [27592323-5063-4bc6-910b-205a351006fc/SequentialEventDispatcher] at com.q1labs.semsources.cre.tests.ArielFilterTest.setParms(ArielFilterTest.java:90)
    [ecs-ep.ecs-ep] [27592323-5063-4bc6-910b-205a351006fc/SequentialEventDispatcher] at com.q1labs.semsources.cre.tests.CREEventTest.init(CREEventTest.java:121)
    [ecs-ep.ecs-ep] [27592323-5063-4bc6-910b-205a351006fc/SequentialEventDispatcher] at com.q1labs.semsources.cre.CustomRule.(CustomRule.java:178)
    [ecs-ep.ecs-ep] [27592323-5063-4bc6-910b-205a351006fc/SequentialEventDispatcher] at com.q1labs.semsources.cre.CustomRuleReader.preProcessNewRules(CustomRuleReader.java:742)
    [ecs-ep.ecs-ep] [27592323-5063-4bc6-910b-205a351006fc/SequentialEventDispatcher] at com.q1labs.semsources.cre.CustomRuleReader.readRules(CustomRuleReader.java:332)
    [ecs-ep.ecs-ep] [27592323-5063-4bc6-910b-205a351006fc/SequentialEventDispatcher] at com.q1labs.semsources.cre.CustomRuleReader.objectChanged(CustomRuleReader.java:1114)
    [ecs-ep.ecs-ep] [27592323-5063-4bc6-910b-205a351006fc/SequentialEventDispatcher] at com.q1labs.frameworks.events.config.ConfigurationChangeEvent.dispatchEvent(ConfigurationChangeEvent.java:125)
    [ecs-ep.ecs-ep] [27592323-5063-4bc6-910b-205a351006fc/SequentialEventDispatcher] at com.q1labs.frameworks.events.SequentialEventDispatcher$DispatchThread.run(SequentialEventDispatcher.java:129)
    13 November 2019
    RULES IJ20631 RULES WITH CONDITIONS THAT SPAN ACROSS MIDNIGHT DO NOT WORK AS EXPECTED CLOSED Resolved in QRadar 7.4.1 (7.4.1.20200716115107)

    Workaround
    Separate the conditions into two different rules, one for each part of the required time frame (example: 18:00 to midnight and midnight to 03:00). Create two building blocks and include them in a rule that uses the filter "and when the event matches any of the following {building blocks}".

    Issue
    It has been identified that rules created with conditions that span across midnight do not fire as expected. Example of rule conditions within a rule that does not fire:
    • and when event(s) occur after 18:00
    • and when event(s) occur before 03:00
    13 November 2019
    RULES IJ20762 RULES WITH CONDITIONS THAT SPAN ACROSS MIDNIGHT DO NOT WORK AS EXPECTED CLOSED Resolved in QRadar 7.4.1 (7.4.1.20200716115107)

    Workaround
    Separate the conditions into two different rules, one for each part of the required time frame (example: 18:00 to midnight and midnight to 03:00). Create two building blocks and include them in a rule that uses the filter "and when the event matches any of the following {building blocks}".

    Issue
    It has been identified that rules created with conditions that span across midnight do not fire as expected. Example of rule conditions within a rule that does not fire:
    • and when event(s) occur after 18:00
    • and when event(s) occur before 03:00
    13 November 2019
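    As an added illustration of the midnight-spanning condition in IJ20631 and IJ20762 above (written for this page; not QRadar's rule engine): the two time tests joined with AND can never both hold for one clock time, while the workaround's two building blocks joined with OR cover the intended window. The half-open boundaries and the function names are assumptions.

```python
from datetime import time

# Constructed illustration, not QRadar code: an "after 18:00" test and a
# "before 03:00" test are each a comparison against a time of day, so their
# conjunction is empty once the window wraps past midnight.

EVENING_START = time(18, 0)   # "and when event(s) occur after 18:00"
MORNING_END = time(3, 0)      # "and when event(s) occur before 03:00"


def naive_and(event_time: time,
              after: time = EVENING_START, before: time = MORNING_END) -> bool:
    """Both tests joined with AND, as the failing rule reads.

    With after > before there is no time of day that is both later than
    18:00 and earlier than 03:00, so the rule never fires.
    """
    return event_time > after and event_time < before


def in_window(event_time: time, start: time, end: time) -> bool:
    """Half-open window [start, end) that may wrap past midnight.

    A wrapping window (start > end) is the OR of two non-wrapping ones:
    [start, 24:00) and [00:00, end). Boundary handling is an assumption.
    """
    if start <= end:
        return start <= event_time < end
    return event_time >= start or event_time < end


def workaround_or(event_time: time,
                  after: time = EVENING_START, before: time = MORNING_END) -> bool:
    """The page's workaround: building block A covers 18:00 to midnight,
    building block B covers midnight to 03:00, and the rule fires when the
    event matches any of the two building blocks."""
    block_a = event_time >= after      # 18:00 up to the end of the day
    block_b = event_time < before      # start of the day up to 03:00
    return block_a or block_b


if __name__ == "__main__":
    for t in (time(23, 30), time(1, 0), time(12, 0)):
        print(t, "naive AND:", naive_and(t), "workaround OR:", workaround_or(t))
```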
    RULES IJ20328 'WHEN THE EVENT(S) HAVE NOT BEEN DETECTED BY ONE OR MORE OF THESE LOG SOURCE GROUPS' TEST ALLOWS RULE ACTIONS TO BE SET CLOSED Resolved in QRadar 7.4.1 (7.4.1.20200716115107)

    Workaround
    Do not set rule actions for these tests.

    Issue
    It has been identified that when setting a rule with "when the event(s) have not been detected by one or more of these log source groups for this many seconds", rule actions can be set. However, for the other rules of the type "have not been detected", rule actions are disabled with a statement:
    No action(s) available with the 'event(s) have not been detected' test
    A rule action should not be configurable on a non-existent event.
    16 October 2019
    SERVICES / BACKUP AND RESTORE IJ20760 HOSTCONTEXT FAILS TO START WHEN A CONFIG PRIOR TO 7.1MR2 IS RESTORED ON A NEW INSTALL OF 7.3.1 CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722)

    Workaround
    If you cannot upgrade to a version where this issue is resolved, contact Support for a possible workaround that might address this issue in some instances.

    Issue
    It has been identified that hostcontext fails to start after a config has been restored on a new install of 7.3.x with a backup taken from a system originally installed prior to version 7.1MR2.

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [hostcontext.hostcontext] [main] com.ibm.si.application.platform.AppPlatformManager: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]An error occurred while refreshing platform selection.
    [hostcontext.hostcontext] [main] java.lang.Exception: Failed to read workloads host from database using cached id [53].
    [hostcontext.hostcontext] [main]    at com.ibm.si.application.platform.AppPlatformManager.createConManClient(AppPlatformManager.java:330)
    [hostcontext.hostcontext] [main]    at com.ibm.si.application.platform.AppPlatformManager.initLocal(AppPlatformManager.java:209)
    [hostcontext.hostcontext] [main]    at com.ibm.si.application.platform.AppPlatformManager.refresh(AppPlatformManager.java:175)
    [hostcontext.hostcontext] [main]    at com.ibm.si.application.platform.AppPlatformManager.onInit(AppPlatformManager.java:94)
    [hostcontext.hostcontext] [main]    at com.q1labs.frameworks.naming.FrameworksNaming.initializeNewComponent(FrameworksNaming.java:916)
    [hostcontext.hostcontext] [main]    at com.q1labs.frameworks.naming.FrameworksNaming.getApplicationScopedComponent(FrameworksNaming.java:897)
    [hostcontext.hostcontext] [main]    at com.q1labs.frameworks.core.FrameworksContext.getSingletonInstance(FrameworksContext.java:1404)
    [hostcontext.hostcontext] [main]    at com.ibm.si.application.platform.AppPlatformManager.getInstance(AppPlatformManager.java:80)
    [hostcontext.hostcontext] [main]    at com.q1labs.hostcontext.app.LocalApplicationSentry.onInit(LocalApplicationSentry.java:156)
    [hostcontext.hostcontext] [main]    at com.q1labs.frameworks.naming.FrameworksNaming.initializeNewComponent(FrameworksNaming.java:916)
    [hostcontext.hostcontext] [main]    at com.q1labs.frameworks.naming.FrameworksNaming.getApplicationScopedComponent(FrameworksNaming.java:897)
    [hostcontext.hostcontext] [main]    at com.q1labs.frameworks.core.FrameworksContext.getSingletonInstance(FrameworksContext.java:1404)
    [hostcontext.hostcontext] [main]    at com.q1labs.hostcontext.app.LocalApplicationSentry.getInstance(LocalApplicationSentry.java:68)
    [hostcontext.hostcontext] [main]    at com.q1labs.hostcontext.HostContext.init(HostContext.java:336)
    [hostcontext.hostcontext] [main]    at com.q1labs.hostcontext.HostContext.main(HostContext.java:1300)
    [hostcontext.hostcontext] [main] com.ibm.si.application.platform.AppPlatformManager: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]An error occurred initializing app platform manager.
    [hostcontext.hostcontext] [main] com.q1labs.frameworks.exceptions.FrameworksNamingException: Failed to initialize component: AppPlatformManager
    [hostcontext.hostcontext] [main]    at com.q1labs.frameworks.naming.FrameworksNaming.initializeNewComponent(FrameworksNaming.java:920)
    [hostcontext.hostcontext] [main]    at com.q1labs.frameworks.naming.FrameworksNaming.getApplicationScopedComponent(FrameworksNaming.java:897)
    [hostcontext.hostcontext] [main]    at com.q1labs.frameworks.core.FrameworksContext.getSingletonInstance(FrameworksContext.java:1404)
    [hostcontext.hostcontext] [main]    at com.ibm.si.application.platform.AppPlatformManager.getInstance(AppPlatformManager.java:80)
    [hostcontext.hostcontext] [main]    at com.q1labs.hostcontext.app.LocalApplicationSentry.onInit(LocalApplicationSentry.java:156)
    [hostcontext.hostcontext] [main]    at com.q1labs.frameworks.naming.FrameworksNaming.initializeNewComponent(FrameworksNaming.java:916)
    [hostcontext.hostcontext] [main]    at com.q1labs.frameworks.naming.FrameworksNaming.getApplicationScopedComponent(FrameworksNaming.java:897)
    [hostcontext.hostcontext] [main]    at com.q1labs.frameworks.core.FrameworksContext.getSingletonInstance(FrameworksContext.java:1404)
    [hostcontext.hostcontext] [main]    at com.q1labs.hostcontext.app.LocalApplicationSentry.getInstance(LocalApplicationSentry.java:68)
    [hostcontext.hostcontext] [main]    at com.q1labs.hostcontext.HostContext.init(HostContext.java:336)
    [hostcontext.hostcontext] [main]    at com.q1labs.hostcontext.HostContext.main(HostContext.java:1300)
    [hostcontext.hostcontext] [main] Caused by:
    [hostcontext.hostcontext] [main] com.ibm.si.application.platform.exception.ApplicationPlatformServiceException: java.lang.Exception: Failed to read workloads host from database using cached id [53].
    [hostcontext.hostcontext] [main]    at com.ibm.si.application.platform.AppPlatformManager.refresh(AppPlatformManager.java:193)
    [hostcontext.hostcontext] [main]    at com.ibm.si.application.platform.AppPlatformManager.onInit(AppPlatformManager.java:94)
    [hostcontext.hostcontext] [main]    at com.q1labs.frameworks.naming.FrameworksNaming.initializeNewComponent(FrameworksNaming.java:916)
    [hostcontext.hostcontext] [main]    ... 10 more
    [hostcontext.hostcontext] [main] Caused by:
    [hostcontext.hostcontext] [main] java.lang.Exception: Failed to read workloads host from database using cached id [53].
    [hostcontext.hostcontext] [main]    at com.ibm.si.application.platform.AppPlatformManager.createConManClient(AppPlatformManager.java:330)
    [hostcontext.hostcontext] [main]    at com.ibm.si.application.platform.AppPlatformManager.initLocal(AppPlatformManager.java:209)
    [hostcontext.hostcontext] [main]    at com.ibm.si.application.platform.AppPlatformManager.refresh(AppPlatformManager.java:175)
    [hostcontext.hostcontext] [main]    ... 12 more
    [hostcontext.hostcontext] [main] com.q1labs.hostcontext.app.LocalApplicationSentry: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]An error occurred initializing application sentry.
    [hostcontext.hostcontext] [main] com.q1labs.frameworks.exceptions.FrameworksNamingException: Failed to initialize component: LocalApplicationSentry
    [hostcontext.hostcontext] [main]    at com.q1labs.frameworks.naming.FrameworksNaming.initializeNewComponent(FrameworksNaming.java:920)
    [hostcontext.hostcontext] [main]    at com.q1labs.frameworks.naming.FrameworksNaming.getApplicationScopedComponent(FrameworksNaming.java:897)
    [hostcontext.hostcontext] [main]    at com.q1labs.frameworks.core.FrameworksContext.getSingletonInstance(FrameworksContext.java:1404)
    [hostcontext.hostcontext] [main]    at com.q1labs.hostcontext.app.LocalApplicationSentry.getInstance(LocalApplicationSentry.java:68)
    [hostcontext.hostcontext] [main]    at com.q1labs.hostcontext.HostContext.init(HostContext.java:336)
    [hostcontext.hostcontext] [main]    at com.q1labs.hostcontext.HostContext.main(HostContext.java:1300)
    [hostcontext.hostcontext] [main] Caused by:
    [hostcontext.hostcontext] [main] java.lang.NullPointerException
    [hostcontext.hostcontext] [main]    at com.q1labs.hostcontext.app.LocalApplicationSentry.onInit(LocalApplicationSentry.java:157)
    [hostcontext.hostcontext] [main]    at com.q1labs.frameworks.naming.FrameworksNaming.initializeNewComponent(FrameworksNaming.java:916)
    [hostcontext.hostcontext] [main]    ... 5 more
    [hostcontext.hostcontext] [main] com.q1labs.hostcontext.HostContext: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]error occured while initializing hostcontext
    [hostcontext.hostcontext] [main] java.lang.NullPointerException
    [hostcontext.hostcontext] [main]    at com.q1labs.hostcontext.HostContext.init(HostContext.java:343)
    [hostcontext.hostcontext] [main]    at com.q1labs.hostcontext.HostContext.main(HostContext.java:1300)
    [hostcontext.hostcontext] [main] com.q1labs.frameworks.core.ThreadExceptionHandler: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Exception was uncaught in thread: main
    08 November 2019
    FLOWS IJ18233 A MANUALLY ADDED OR EDITED FLOW SOURCE ALIAS DOES NOT WORK AS EXPECTED CLOSED Resolved in QRadar 7.4.1 (7.4.1.20200716115107)

    Workaround
    Contact Support for a possible workaround that might address this issue in some instances.

    Issue
    It has been identified that a manually added or edited Flow Source alias does not work as expected.

    When a flow source alias is manually created or edited, the flow collector component is not being properly populated on the associated managed host and the edited alias is not listed in the search filter for the flow interface. Associated flows are not received when this issue occurs.
    19 August 2019
    FLOWS IJ20453 REFERENCE DATA CAN FAIL TO BE UPDATED WHEN REFERENCEDATA.TIMETOLIVE.PERIOD IS SET TO 0 CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613)

    Workaround
    Contact Support for a possible workaround that might address this issue in some instances.

    Issue
    It has been identified that in some instances referencedata.timetolive.period is set to 0 in /opt/qradar/conf/frameworks.properties. When this issue occurs, the reference data manager can fail to initialize, causing reference data not to be updated. This can also affect some application functionality (e.g., reference data not being updated by UBA as expected).

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [tomcat.tomcat] [ReferenceDataUpdateServiceThread_1] com.q1labs.core.shared.referencedata.ReferenceDataUpdateServiceThread: [ERROR] [NOT:0000003000][xxxxx/- -] [-/- -]ReferenceDataUpdateServiceThread An unexpected exception was encountered processing name=UBA : User Accounts, Successful, Recent size=6 {shared:[host/xxxxxxxxxxxxxx]}
    Jun 11 14:04:59 ::ffff: [tomcat.tomcat] [ReferenceDataUpdateServiceThread_1] java.lang.NullPointerException
    Jun 11 14:04:59 ::ffff:xxxxxxx [tomcat.tomcat] [ReferenceDataUpdateServiceThread_1] at com.q1labs.core.shared.referencedata.ReferenceDataUpdateServiceThread.run(ReferenceDataUpdateServiceThread.java:100)
    tomcat[5690]: 11-Jun-2019 14:09:13.428 WARNING [xxxxxx(7157925) /console/do/rulewizard] com.sun.messaging.jmq.jmsclient.ExceptionHandler.logCaughtException [I500]: Caught JVM Exception: com.sun.messaging.jms.JMSException: [ADD_PRODUCER_REPLY(19)] [C4036]: A broker error occurred. :[409] [B4183]: Producer can not be added to destination ReferenceDataUpdates [Topic], limit of 100 producers would be exceeded user=qradar, broker =127.0.0.1:7676(7677)
    Jun 11 14:09:13 ::ffff:xxxxxxx[tomcat.tomcat] [xxxx@xxxxx (7157925) /console/do/rulewizard] com.q1labs.core.shared.referencedata.ReferenceDataManager: [ERROR] [NOT:0000003000][xxxxxxx/- -] [-/- -]Unable to initialize Reference Data Manager
    [tomcat.tomcat] [Token: SIRT_Script_access@xxxxx(519) /console/restapi/api/reference_data/sets/ThreatIntel_False_Positives_IP] Caused by:
    Jun 28 08:59:34 ::ffff:xxxxxxx [tomcat.tomcat] [Token: SIRT_Script_access@xxxxx(519) /console/restapi/api/reference_data/sets/ThreatIntel_False_Positives_IP] java.lang.IllegalArgumentException: Non-positive period.
    [tomcat.tomcat] [Token: SIRT_Script_access@xxxx(519) /console/restapi/api/reference_data/sets/ThreatIntel_False_Positives_IP]    at java.util.Timer.schedule(Timer.java:297)
    [tomcat.tomcat] [Token: SIRT_Script_access@xxxx (519) /console/restapi/api/reference_data/sets/ThreatIntel_False_Positives_IP]    at com.q1labs.frameworks.events.timer.TimerEventGenerator.addListener(TimerEventGenerator.java:102)
    [tomcat.tomcat] [Token: SIRT_Script_access@xxxx(519) /console/restapi/api/reference_data/sets/ThreatIntel_False_Positives_IP]    at com.q1labs.frameworks.session.SessionContext.addTimerEventListener(SessionContext.java:778)
    [tomcat.tomcat] [Token: SIRT_Script_access@xxxx(519) /console/restapi/api/reference_data/sets/ThreatIntel_False_Positives_IP]    at com.q1labs.core.shared.referencedata.ReferenceDataManager.onInit(ReferenceDataManager.java:136)
    [tomcat.tomcat] [Token: SIRT_Script_access@xxxx(519) /console/restapi/api/reference_data/sets/ThreatIntel_False_Positives_IP]    at com.q1labs.frameworks.naming.FrameworksNaming.initializeNewComponent(FrameworksNaming.java:916)
    29 October 2019
    QRADAR RISK MANAGER IJ12227 RISK_MANAGER_BACKUP.SH CREATES TARBALL FILES IN /STORE/QRM_BACKUPS/ DIRECTORY ON QRADAR CONSOLE CLOSED Resolved in QRadar 7.4.1 (7.4.1.20200716115107)

    Workaround
    Contact Support for a possible workaround that might address this issue in some instances.

    Issue
    It has been identified that /opt/qradar/bin/dbmaint/risk_manager_backup.sh runs on the QRadar Console when it should only run on the QRadar Risk Manager (QRM) managed host.

    When the script runs (daily), it produces tarball files in /store/qrm_backups.

    Example output when running the following command on the QRadar Console:
    # ls -l /store/qrm_backups
    -rw-r--r-- 1 root root 245 Dec 12 04:01 backup-2018-11-25-04-00-58.tgz
    02 January 2019
    DEPLOY CHANGES IJ11784 DEPLOY FULL CONFIGURATION FUNCTION DOES NOT PROGRESS PAST "PREPARING FOR DEPLOYMENT" MESSAGE CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.3.3 Fix Pack 5 (7.3.3.20200929154613)

    Workaround
    Contact Support for a possible workaround that might address this issue in some instances.

    Issue
    It has been identified that a Deploy Full Configuration function (Admin > Advanced drop down) can sometimes stall at the message "Preparing for deployment".
    31 December 2018
    UPGRADE IJ11530 DRACUT ERROR 'WARNING:DRACUT-INITQUEUE TIMEOUT STARTING TIMEOUT SCRIPTS' DURING UPGRADE CLOSED Resolved in QRadar 7.4.1 (7.4.1.20200716115107)

    Workaround
    To work around this issue, add rd.bootif=0 to the kernel command line in /etc/default/grub. For example:
    # cat /etc/default/grub
    GRUB_CMDLINE_LINUX="biosdevname=0 ethdevice-timeout=60 nicdelay=30 linksleep=30 console=ttyS0,9600 console=tty1 rd.bootif=0 ip=dhcp BOOTIF=MAC_address"

    Issue
    It has been identified that in some instances, a dracut error similar to the following can be observed during a QRadar upgrade:

    "Warning : dracut-initqueue timeout starting timeout scripts"

    The upgrade then fails and drops to a dracut emergency shell.

    This has been observed on appliances that were initially built/configured using PXE boot with a DHCP server that is no longer reachable.
    31 December 2018
    QRADAR NETWORK INSIGHTS / DISK SPACE IJ10391 [QNI] THE /TMP PARTITION CAN RUN OUT OF FREE SPACE DUE TO THE IMGCTR.LOG FILE CLOSED Resolved in QRadar 7.4.1 (7.4.1.20200716115107)

    Workaround
    Moving the imgctr.log file out of /tmp to a directory with more free space addresses this issue until the fix for this APAR is applied.

    Issue
    It has been identified that the /tmp partition can run out of free disk space due to the imgctr.log file growing too large in size.
    31 October 2018
    FIREWALL / ADMINISTRATION IJ05865 FIREWALL RULE CHANGES PERFORMED IN THE UI WHEN IPV6 IS ENABLED GENERATE AN ERROR: 'UNEXPECTED SERVER ERROR OCCURS.' CLOSED Resolved in QRadar 7.4.1 (7.4.1.20200716115107)

    Workaround
    Contact Support for a possible workaround that might address this issue in some instances.

    Issue
    It has been identified that attempting to make Firewall changes using the QRadar User Interface (System and License Management), when IPv6 is enabled, can generate an error: "Unexpected server error occurs. Try at later time."

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    lsdep1 [IPTABLES] [17677] ERROR: Failed to apply ip6tables rules! The offending line is 34 or: -A QChain -m udp -p udp --dport 512:65535 --sport 3333 ! --syn -j ACCEPT
    [hostcontext.hostcontext] [pool-1-thread-4] com.ibm.si.hostcontext.task.SetAccessControlIptableRulesTask: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Failed to run /bin/bash -c echo "QRADAR=ANY : UDP : 3333" >/opt/qradar/conf/access.conf ; /opt/qradar/bin/iptables_update.pl
    [hostcontext.hostcontext] [pool-1-thread-4] com.ibm.si.hostcontext.task.SetAccessControlIptableRulesTask: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Failed to update access control iptable rules
    [hostcontext.hostcontext] [pool-1-thread-4] java.lang.Exception: Failed to run /bin/bash -c echo "QRADAR=ANY : UDP : 3333" >/opt/qradar/conf/access.conf ; /opt/qradar/bin/iptables_update.pl
    [hostcontext.hostcontext] [pool-1-thread-4] at com.ibm.si.hostcontext.task.SetAccessControlIptableRulesTask.runTask(SetAccessControlIptableRulesTask.java:154)
    [hostcontext.hostcontext] [pool-1-thread-4] at com.ibm.si.frameworks.taskmanagement.Task.run(Task.java:108)
    [hostcontext.hostcontext] [pool-1-thread-4] at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java)
    [hostcontext.hostcontext] [pool-1-thread-4] at java.util.concurrent.FutureTask.run(FutureTask.java:277)
    [hostcontext.hostcontext] [pool-1-thread-4] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
    [hostcontext.hostcontext] [pool-1-thread-4] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
    [hostcontext.hostcontext] [pool-1-thread-4] at java.lang.Thread.run(Thread.java:785)
    31 October 2018
    HISTORICAL CORRELATION RULES IJ05099 HISTORICAL CORRELATION CAN COMPLETE WITH ERRORS WHEN USING 'COMMON RULES' CLOSED Resolved in QRadar 7.4.1 (7.4.1.20200716115107)

    Workaround
    No workaround available.

    Issue
    It has been identified that Historical Correlation using 'Common Rules' can sometimes use tests that are not applicable to the database that the Historical Correlation is being run against. When this occurs, the Historical Correlation fails to complete successfully (completes with errors). Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs:
    [historical_correlation_server.historical_correlation_server] [Thread-169061] com.q1labs.semsources.cre.CustomRuleReader: [ERROR] [NOT:0040023100][127.0.0.1/- -] [-/- -]Unknown exception occurred while reading CRE rules. To see the exceptions which caused this, view the error log. If this problem persists, please contact customer support.
    [historical_correlation_server.historical_correlation_server] [Thread-169061] com.q1labs.semsources.cre.CustomRuleReader: [ERROR] [NOT:0000003000][9.180.225.71/- -] [-/- -]Historical::Real exception
    [historical_correlation_server.historical_correlation_server] [Thread-169061] java.util.ConcurrentModificationException
    [historical_correlation_server.historical_correlation_server] [Thread-169061]    at java.util.ArrayList$Itr.checkForComodification(ArrayList.java:91)
    [historical_correlation_server.historical_correlation_server] [Thread-169061]    at java.util.ArrayList$Itr.next(ArrayList.java:862)
    [historical_correlation_server.historical_correlation_server] [Thread-169061]    at com.q1labs.semsources.cre.CustomRuleReader.setListenerRules(CustomRuleReader.java:591)
    [historical_correlation_server.historical_correlation_server] [Thread-169061]    at com.q1labs.semsources.cre.CustomRuleReader.readRules(CustomRuleReader.java:353)
    [historical_correlation_server.historical_correlation_server] [Thread-169061]    at com.q1labs.semsources.cre.CustomRuleReader.readRules(CustomRuleReader.java:288)
    [historical_correlation_server.historical_correlation_server] [Thread-169061]    at com.q1labs.semsources.cre.CustomRuleReader.run(CustomRuleReader.java:213)
    23 March 2018
    FLOWS IJ25586 'QFLOW: [ERROR] NETFLOW V9 FLOW SET HAS A LENGTH OF STARTING AT OFFSET ' BUFFER ERRORS IN QRADAR LOGGING CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 Fix Pack 1 (7.4.1.20200915010309)

    Reported in
    QRadar 7.2.8 and later.

    Workaround
    No workaround available.

    Issue
    Changes have been made to the IPFIX code path to correctly handle padding at the end of flow sets. Netflow v9 records do not have these same changes, and therefore Netflow v9 errors similar to the following might be observed in /var/log/qradar.log:
    [QRADAR] [10831] qflow: [WARNING] default_Netflow: Missed 224 flows from 127.0.0.1:6 (794335908,794336132)
    [QRADAR] [10831] qflow: [ERROR] NetFlow v9 flow set 0 has a length of 256 starting at offset 249 which exceeds the length of the buffer 250. Skipping flow set.
    [QRADAR] [10831] qflow: [ERROR] NetFlow v9 flow set 53 has a length of 47620 starting at offset 139 which exceeds the length of the buffer 140. Skipping flow set.
    [QRADAR] [10831] qflow: [ERROR] NetFlow v9 flow set 160 has a length of 256 starting at offset 127 which exceeds the length of the buffer 128. Skipping flow set.
    [QRADAR] [10831] qflow: [ERROR] NetFlow v9 flow set 0 has a length of 4416 starting at offset 139 which exceeds the length of the buffer 140. Skipping flow set.
    26 November 2020
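    The flow set length check behind the qflow errors in IJ25586 above, as an added example that is not qflow or QRadar code: a bounds-checked walk over NetFlow v9 flow sets that treats the short trailing bytes an exporter uses to pad the datagram as padding rather than as a flow set header, and reports an over-long length in the same form as the messages above. The header layout constants, the constructed sample packets and the function names are assumptions made for this example.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed example, not qflow/QRadar code. NetFlow v9 (RFC 3954) packet:
# a 20-byte header followed by flow sets, each starting with a 4-byte
# header whose length field includes those 4 bytes.
NETFLOW_V9_HEADER_LEN = 20  # version, count, sys_uptime, unix_secs, seq, source_id
FLOWSET_HEADER_LEN = 4      # flowset_id (2 bytes) + length (2 bytes)


@dataclass
class ParseResult:
    flowsets: List[Tuple[int, int, int]] = field(default_factory=list)  # (id, offset, length)
    messages: List[str] = field(default_factory=list)                   # qflow-style diagnostics
    padding_bytes: int = 0                                              # trailing bytes ignored


def parse_netflow_v9(buf: bytes) -> ParseResult:
    """Return every flow set in buf, stopping at the first malformed one."""
    res = ParseResult()
    if len(buf) < NETFLOW_V9_HEADER_LEN:
        res.messages.append("packet shorter than the NetFlow v9 header; dropped")
        return res
    version, _count = struct.unpack_from("!HH", buf, 0)  # count is not validated here
    if version != 9:
        res.messages.append(f"unexpected NetFlow version {version}; dropped")
        return res

    off, end = NETFLOW_V9_HEADER_LEN, len(buf)
    while off < end:
        remaining = end - off
        if remaining < FLOWSET_HEADER_LEN:
            # Exporters pad the datagram to a 4-byte boundary. Reading a flow
            # set header here yields garbage (in C, bytes past the buffer);
            # this is the case the IPFIX path handled and the v9 path did not.
            res.padding_bytes = remaining
            break
        fs_id, fs_len = struct.unpack_from("!HH", buf, off)
        if fs_len < FLOWSET_HEADER_LEN:
            # A zero or short length would never advance (or re-read the header).
            res.messages.append(
                f"NetFlow v9 flow set {fs_id} has an invalid length of {fs_len} "
                f"starting at offset {off}. Skipping flow set.")
            break
        if off + fs_len > end:
            res.messages.append(
                f"NetFlow v9 flow set {fs_id} has a length of {fs_len} starting at "
                f"offset {off} which exceeds the length of the buffer {end}. "
                f"Skipping flow set.")
            break
        res.flowsets.append((fs_id, off, fs_len))
        off += fs_len
    return res


def build_packet(flowsets: List[Tuple[int, bytes]], padding: bytes = b"") -> bytes:
    """Assemble a NetFlow v9 packet from (flowset_id, payload) pairs (test helper)."""
    header = struct.pack("!HHIIII", 9, len(flowsets), 12345, 1606000000, 1, 0)
    body = b"".join(struct.pack("!HH", fid, FLOWSET_HEADER_LEN + len(payload)) + payload
                    for fid, payload in flowsets)
    return header + body + padding


# Constructed sample: a template flow set (id 0) describing template 256 with
# two 4-byte fields (IPV4_SRC_ADDR=8, IPV4_DST_ADDR=12), a data flow set
# (id 256) with two records, then 2 bytes of padding to a 4-byte boundary.
TEMPLATE = struct.pack("!HHHHHH", 256, 2, 8, 4, 12, 4)
RECORDS = bytes([10, 0, 0, 1, 10, 0, 0, 2]) + bytes([192, 168, 1, 5, 10, 0, 0, 3])
GOOD_PACKET = build_packet([(0, TEMPLATE), (256, RECORDS)], padding=b"\x00\x00")

# Constructed sample of the failure on the page: the length field claims 256
# bytes but the datagram ends after 40.
BAD_PACKET = (struct.pack("!HHIIII", 9, 1, 12345, 1606000000, 2, 0)
              + struct.pack("!HH", 0, 256) + b"\x00" * 16)


if __name__ == "__main__":
    for name, pkt in (("good", GOOD_PACKET), ("bad", BAD_PACKET)):
        r = parse_netflow_v9(pkt)
        print(name, r.flowsets, "padding:", r.padding_bytes, r.messages)
```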
    ADAPTER / QRADAR RISK MANAGER IJ24757 CISCO ASA ADAPTER BACKUP FAILS WITH 'CAN'T MIX 128 AND 32 BIT ADDRESSES' CLOSED Resolved in
    QRadar Risk Manager Adapter Bundle 13.1 (2019.06-20000000)

    Workaround
    No workaround available.

    Issue
    A Cisco ASA device backup can fail when a crypto map references an access control list rule that contains an IPv6 address. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    Caused by: javax.xml.ws.soap.SOAPFaultException: Can't mix 128 and 32 bit addresses at /usr/share/ziptie-server/adapters/ziptie.adapters.cisco.securityappliance_2019.06.17062537/scripts/ZipTie/Adapters/Cisco/SecurityAppliance/AclToRoute.pm line 47.
    at com.sun.xml.ws.fault.SOAP11Fault.getProtocolException(SOAP11Fault.java)
    at com.sun.xml.ws.fault.SOAPFaultBuilder.createException(SOAPFaultBuilder.java)
    at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java)
    at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java)
    at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java)
    at com.sun.proxy.$Proxy95.backup(Unknown Source)
    at org.ziptie.server.job.backup.BackupTask.performTask(BackupTask.java)
    at org.ziptie.server.job.AbstractAdapterTask.execute(AbstractAdapterTask.java)
    07 July 2020
    ADAPTER / QRADAR RISK MANAGER IJ23722 CISCO IOS RULES CONTAINING MULTIPLE PORTS OR SERVICES ARE NOT PROCESSED CORRECTLY CLOSED Resolved in
    QRadar Risk Manager Adapter Bundle 13.1 (2019.06-20000000)

    Workaround
    No workaround available.

    Issue
    A Cisco IOS rule that contains multiple ports or services is not processed correctly. The rule is incorrectly displayed on the Configuration Monitor > Device List > Rules screen. Path searches that involve the rule do not work as expected. The device backup log on the Recent Activity screen might contain entries similar to the following when this issue occurs:
    FAILED to process rule - skipping rule with error [ FAILED to
    parse host address - 443 ]
    07 July 2020
    ADAPTER / QRADAR RISK MANAGER IJ20463 IP ADDRESS CAN SOMETIMES NOT BE ASSIGNED TO A CHECK POINT HTTPS DEVICE CLOSED Resolved in
    QRadar Risk Manager Adapter Bundle 13.1 (2019.06-20000000)

    Workaround
    No workaround available.

    Issue
    In some instances, an IP address might not be assigned to an interface on a Check Point HTTPS device.

    This can result in the Topology screen displaying an unclassified device against other devices that have a route to the IP address, path searches through the Check Point device failing, and interfaces not being displayed when attempting to create a network link between the Check Point device and another device.

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    Jul 18 12:20:37 ::ffff:127.0.0.1 [tomcat-rm.tomcat-rm]
    [nobody@xx.xx.xx.xx (6683080)
    /console/JSON-RPC/SRM.getDeviceInterfacesByAdminIpSRM.getDeviceInterfacesminIp]
    com.q1labs.simulator.util.model.TopologyService: [ERROR]
    [NOT:0000003000][127.0.0.1/- -] [-/- -]Device [x.x.x.x] is an
    unclassified device - not fetching ifaces
    07 July 2020
    ADAPTER / QRADAR RISK MANAGER IJ18490 BACKUP OF CISCO NEXT-GENERATION INTRUSION PREVENTION SYSTEM DEVICE CAN FAIL DUE TO A COMMAND TIMEOUT CLOSED Resolved in
    QRadar Risk Manager Adapter Bundle 13.1 (2019.06-20000000)

    Workaround
    No workaround available.

    Issue
    A Cisco Next-Generation Intrusion Prevention System device backup can fail with the following error appearing on the Configuration Source Management User Interface window:
    IPC::Run: timeout on timer #1 at
    /usr/share/perl5/vendor_perl/IPC/Run.pm line 2956.
    at /usr/share/ziptie-server/core/org.ziptie.adapters.common_2019.06
    _04-17062537/scripts/ZipTie/SSH.pm line 473.
    at org.ziptie.server.job.PerlErrorParserElf.parse(PerlErrorParserElf.java)
    at org.ziptie.server.job.AbstractAdapterTask.execute(AbstractAdapterTask.java)
    at org.ziptie.server.dispatcher.Operation.execute(Operation.java)
    at org.ziptie.server.dispatcher.OperationExecutor$JobThread.runJob(
    OperationExecutor.java)
    at org.ziptie.server.dispatcher.OperationExecutor$JobThread.run(Ope
    rationExecutor.java)

    This occurs when the adapter receives a response that ends with the "--More--" prompt and it fails to recognize the format of the control characters that are embedded within the "--More--" prompt. This results in a command timing out, and the backup failing.
    07 July 2020
    SECURITY BULLETIN CVE-2020-4510 IBM QRADAR SIEM IS VULNERABLE TO AN XML EXTERNAL ENTITY INJECTION (XXE) ATTACK CLOSED Resolved in
    QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505)
    QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002)

    Affected versions
    • IBM QRadar SIEM 7.4.0 to 7.4.0 Patch 2
    • IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 3
    Issue
    IBM QRadar is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. CVSS Base score: 7.6
    13 July 2020
    SECURITY BULLETIN CVE-2020-4511 IBM QRADAR SIEM IS VULNERABLE TO DENIAL OF SERVICE CLOSED Resolved in
    QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505)
    QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002)

    Affected versions
    • IBM QRadar SIEM 7.4.0 to 7.4.0 Patch 2
    • IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 3
    Issue
    IBM QRadar could allow an authenticated user to cause a denial of service of the qflow process by sending a malformed sflow. CVSS Base score: 7.6
    13 July 2020
    SECURITY BULLETIN CVE-2020-4513 IBM QRADAR SIEM IS VULNERABLE TO CROSS-SITE SCRIPTING CLOSED Resolved in
    QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505)
    QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002)

    Affected versions
    • IBM QRadar SIEM 7.4.0 to 7.4.0 Patch 2
    • IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 3
    Issue
    IBM QRadar is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. CVSS Base score: 6.1
    13 July 2020
    SECURITY BULLETIN CVE-2020-4364 IBM QRADAR SIEM IS VULNERABLE TO CROSS-SITE SCRIPTING CLOSED Resolved in
    QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505)
    QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002)

    Affected versions
    • IBM QRadar SIEM 7.4.0 to 7.4.0 Patch 2
    • IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 3
    Issue
    IBM QRadar is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session. CVSS Base score: 5.4
    13 July 2020
    SECURITY BULLETIN CVE-2020-1951
    CVE-2020-1950
    APACHE TIKA AS USED BY IBM QRADAR SIEM IS VULNERABLE TO A DENIAL OF SERVICE CLOSED Resolved in
    QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505)
    QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002)

    Affected versions
    • IBM QRadar SIEM 7.4.0 to 7.4.0 Patch 2
    • IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 3
    Issue
    • CVE-2020-1951: Apache Tika is vulnerable to a denial of service, caused by an error in the PSDParser. By persuading a victim to open a specially-crafted PSD file, a remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop. CVSS Base score: 3.3
    • CVE-2020-1950: Apache Tika is vulnerable to a denial of service, caused by an excessive memory usage flaw in the PSDParser. By persuading a victim to open a specially-crafted PSD file, a remote attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 3.3
    13 July 2020
    SECURITY BULLETIN CVE-2019-15090
    CVE-2019-15098
    CVE-2019-15099
    CVE-2019-15117
    CVE-2019-15118
    IBM QRADAR SIEM IS VULNERABLE TO USING COMPONENTS WITH KNOWN VULNERABILITIES CLOSED Resolved in
    QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505)
    QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002)

    Affected versions
    • IBM QRadar SIEM 7.4.0 to 7.4.0 Patch 2
    • IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 3
    Issue
    • CVE-2019-15090: Linux Kernel could allow a local attacker to obtain sensitive information, caused by an out-of-bounds read in drivers/scsi/qedi/qedi_dbg.c. A local attacker could exploit this vulnerability to obtain sensitive information. CVSS Base score: 4
    • CVE-2019-15098: Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference in drivers/net/wireless/ath/ath6kl/usb.c. By using an incomplete address in an endpoint descriptor, a local attacker could exploit this vulnerability to cause the system/software/application to crash. CVSS Base score: 4
    • CVE-2019-15099: Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference in drivers/net/wireless/ath/ath10k/usb.c. By using an incomplete address in an endpoint descriptor, a local attacker could exploit this vulnerability to cause the system/software/application to crash. CVSS Base score: 4
    • CVE-2019-15117: Linux Kernel could allow a local attacker to obtain sensitive information, caused by an out-of-bounds memory access flaw in the parse_audio_mixer_unit function in mixer.c. By using a short descriptor, an attacker could exploit this vulnerability to obtain sensitive information or cause a denial of service condition. CVSS Base score: 7.7
    • CVE-2019-15118: Linux Kernel is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the check_input_term function in mixer.c. By sending a specially-crafted request, a local attacker could overflow a buffer and execute arbitrary code on the system. CVSS Base score: 8.4
    13 July 2020
    SECURITY BULLETIN CVE-2020-4512 IBM QRADAR SIEM IS VULNERABLE TO COMMAND INJECTION CLOSED Resolved in
    QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505)
    QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002)

    Affected versions
    • IBM QRadar SIEM 7.4.0 to 7.4.0 Patch 2
    • IBM QRadar SIEM 7.3.0 to 7.3.3 Patch 3
    Issue
    IBM QRadar SIEM could allow a remote privileged user to execute commands. CVSS Base score: 9.1
    13 July 2020
    UPGRADE / APPS IJ25734 QRADAR APP VERSIONS CAN DOWNGRADE DURING A QRADAR PATCH CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 (7.4.1.20200716115107)

    Workaround
    Verify you have the latest app versions installed after the patch is completed by navigating to Admin tab > Extensions Management.
    Issue
    After installing a QRadar patch, any QRadar Apps that were already installed and that are included by default within the QRadar patch (e.g. the Log Source Management App) should have their versions verified and be updated if needed, because the QRadar patch can downgrade installed Apps to the version contained within the patch.
    12 August 2020
    SYSTEM NOTIFICATIONS IJ25886 QRADAR SYSTEM NOTIFICATIONS THAT CONTAIN QIDS WITH URL LINKS CAN DISPLAY INCORRECTLY AFTER PATCHING QRADAR CANCELLED This QRadar System Notification APAR is replaced with IJ26118.
    27 June 2020
    PROTOCOL IJ22340 THE REST API WITHIN QRADAR-PROTOCOL-OKTARESTAPI CAN HANG CAUSING OKTA LOG SOURCES TO STOP RECEIVING EVENTS OPEN Workaround
    Disable and enable any Okta Identity Management log sources that stop receiving events.

    Issue
    Okta Log Sources can stop receiving events due to the Okta Rest API experiencing a hang condition when calling executeMethod for HTTPClient.
    18 March 2020
    AQL / REPORTS IJ25142 SOME REPORTS GENERATED FROM AN ADVANCED SEARCH (AQL) THAT USES A MATHEMATICAL EXPRESSION DISPLAY INCORRECT OUTPUT OPEN Technical write-up available
    A technical write-up is included for IJ25142 to assist administrators further.

    Workaround
    The issue described above is caused by a failure with aggregated data. Reports run manually, hourly, or on raw data should not be affected.

    Issue
    Daily, Weekly, or Monthly (aggregated data) reports generated from an Advanced Search (AQL) that uses mathematical expressions can ignore the calculations and instead display the data for each property in a separate column. The name of each column is the alias given to the calculated value. To replicate this issue:
    1. Create an AQL based search that uses mathematical functions, such as:
      SELECT sourceip, (AVG(magnitude) - MIN(magnitude)) AS MAGDIFF
      FROM events GROUP BY sourceip
    2. Use the search in a report and set the report to run either Daily, Weekly, or Monthly.
    3. Check the generated report.

      Results
      Report shows data for AVG(magnitude) and MIN(magnitude) and the column name will be MAGDIFF for both of them.
    24 June 2020
    UPGRADE / KERNEL BOOT IJ25612 KERNEL 3.10.0-1127.EL7.X86_64 CAN CAUSE FILESYSTEM MOUNT FAILURE AND THE QRADAR APPLIANCE WILL FAIL TO BOOT CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.0 Fix Pack 4 (7.4.0.20200629201233)
    QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002)

    Tools available
    A troubleshooting tool is available to help administrators identify IJ25612.

    Workaround
    At the grub prompt, choose the previous kernel version.

    For more information, see: https://www.ibm.com/support/pages/node/6235774

    Issue
    Upgrading or patching to QRadar 7.4.0 Fix Pack 3 can result in a failure to mount the filesystem and cause the QRadar appliance to fail to boot. This is due to the use of kernel 3.10.0-1127.el7.x86_64, as identified in the following note: https://access.redhat.com/solutions/5075561
    17 June 2020
    RULES / IBM X-FORCE IJ25352 QRADAR CUSTOM RULE ENGINE CAN EXPERIENCE PERFORMANCE DEGRADATION WHEN USING X-FORCE RULES CLOSED Resolved in
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)

    Workaround
    No workaround available.

    Issue
    The QRadar custom rule engine (CRE) can experience performance degradation when X-Force rules are in use. When this occurs, System Notification messages similar to 'Performance degradation has been detected in the event pipeline. Event(s) were routed directly to storage' can sometimes be observed if the CRE can no longer keep up with the processing of events. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [ecs-ep.ecs-ep] [CRE Processor [5]]
    java.nio.BufferUnderflowException
    [ecs-ep.ecs-ep] [CRE Processor [5]]    at
    java.nio.DirectByteBuffer.get(DirectByteBuffer.java:271)
    [ecs-ep.ecs-ep] [CRE Processor [5]]    at
    java.nio.ByteBuffer.get(ByteBuffer.java:715)
    [ecs-ep.ecs-ep] [CRE Processor [5]]    at
    com.q1labs.frameworks.cache.GenericSerializer.objectFromByteBuff
    er(GenericSerializer.java:33)
    [ecs-ep.ecs-ep] [CRE Processor [5]]    at
    com.q1labs.frameworks.cache.GenericSerializer.get(GenericSeriali
    zer.java:74)
    [ecs-ep.ecs-ep] [CRE Processor [5]]    at
    com.q1labs.frameworks.cache.GenericSerializer.get(GenericSeriali
    zer.java:17)
    [ecs-ep.ecs-ep] [CRE Processor [5]]    at
    com.q1labs.frameworks.cache.ChainAppendCache$InsertionChainEntry
    .deserialize(ChainAppendCache.java:320)
    [ecs-ep.ecs-ep] [CRE Processor [5]]    at
    com.q1labs.frameworks.cache.ChainAppendCache$ChainEntry.read(Cha
    inAppendCache.java:241)
    [ecs-ep.ecs-ep] [CRE Processor [5]]    at
    com.q1labs.frameworks.cache.ChainAppendCache.readChainEntry(Chai
    nAppendCache.java:1211)
    [ecs-ep.ecs-ep] [CRE Processor [5]]    at
    com.q1labs.frameworks.cache.ChainAppendCache.findOnDisk(ChainApp
    endCache.java:1162)
    [ecs-ep.ecs-ep] [CRE Processor [5]]    at
    com.q1labs.frameworks.cache.ChainAppendCache.findOnDisk(ChainApp
    endCache.java:1148)
    [ecs-ep.ecs-ep] [CRE Processor [5]]    at
    com.q1labs.frameworks.cache.ChainAppendCache.get(ChainAppendCach
    e.java:1000)
    [ecs-ep.ecs-ep] [CRE Processor [5]]    at
    com.q1labs.core.aql.XForceFunctions.getCategorization(XForceFunc
    tions.java:278)
    [ecs-ep.ecs-ep] [CRE Processor [5]]    at
    com.q1labs.core.aql.XForceManager.getCategorization(XForceManage
    r.java:268)
    AND
    [ecs-ep.ecs-ep] [CRE Processor [0]]
    java.lang.NegativeArraySizeException
    [ecs-ep.ecs-ep] [CRE Processor [0]]    at
    com.q1labs.frameworks.cache.GenericSerializer.objectFromByteBuff
    er(GenericSerializer.java:32)
    [ecs-ep.ecs-ep] [CRE Processor [0]]    at
    com.q1labs.frameworks.cache.GenericSerializer.get(GenericSeriali
    zer.java:74)
    [ecs-ep.ecs-ep] [CRE Processor [0]]    at
    com.q1labs.frameworks.cache.GenericSerializer.get(GenericSeriali
    zer.java:17)
    [ecs-ep.ecs-ep] [CRE Processor [0]]    at
    com.q1labs.frameworks.cache.ChainAppendCache$InsertionChainEntry
    .deserialize(ChainAppendCache.java:320)
    [ecs-ep.ecs-ep] [CRE Processor [0]]    at
    com.q1labs.frameworks.cache.ChainAppendCache$ChainEntry.read(Cha
    inAppendCache.java:241)
    [ecs-ep.ecs-ep] [CRE Processor [0]]    at
    com.q1labs.frameworks.cache.ChainAppendCache.readChainEntry(Chai
    nAppendCache.java:1211)
    [ecs-ep.ecs-ep] [CRE Processor [0]]    at
    com.q1labs.frameworks.cache.ChainAppendCache.findOnDisk(ChainApp
    endCache.java:1162)
    [ecs-ep.ecs-ep] [CRE Processor [0]]    at
    com.q1labs.frameworks.cache.ChainAppendCache.findOnDisk(ChainApp
    endCache.java:1148)
    [ecs-ep.ecs-ep] [CRE Processor [0]]    at
    com.q1labs.frameworks.cache.ChainAppendCache.get(ChainAppendCach
    e.java:1000)
    [ecs-ep.ecs-ep] [CRE Processor [0]]    at
    com.q1labs.core.aql.XForceFunctions.getCategorization(XForceFunc
    tions.java:278)
    [ecs-ep.ecs-ep] [CRE Processor [0]]    at
    com.q1labs.core.aql.XForceManager.getCategorization(XForceManage
    r.java:268)
    16 November 2020
    UPGRADE IJ25396 PATCHING CAN SUCCEED ON THE CONSOLE BUT FAIL AND ROLL BACK ON MANAGED HOSTS CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505)

    Workaround
    Contact Support for a possible workaround that might address this issue in some instances if you cannot upgrade to QRadar 7.4.0 Fix Pack 3.

    Issue
    Patching to QRadar 7.4 can succeed on the Console appliance but fail on Managed Hosts due to the patch not finding some database columns and also failing to remove duplicates. Messages similar to the following might be visible in the associated /var/log/setup-#####/patches.log when this issue occurs:
    4 SQL script errors were detected; Error applying script [38/53]
    '/media/updates/opt/qradar/conf/templates/db_update_offense.inet
    .1.sql' for Test_qradar database.; details:
    WARNING:  SET TRANSACTION can only be used in transaction blocks
    ERROR:  could not create unique index "attacker_ipaddress_key"
    16 June 2020
    DASHBOARD IJ24884 DASHBOARD DATA (INCLUDING TIME SERIES) CAN FAIL TO LOAD CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505)

    Workaround
    Contact Support for a possible workaround that might address this issue in some instances if you cannot upgrade to QRadar 7.4.0 Fix Pack 3.

    Issue
    Dashboard data (including time series) can fail to load after patching to QRadar 7.4.0 FP1 or higher. This behavior has been identified as being caused by incompatible changes within a jar file contained in the patching process.

    Messages similar to the following might be visible within /var/log/qradar.log when this issue occurs:
    [accumulator_rollup.accumulator_rollup] [main]
    com.q1labs.frameworks.core.JMSFactory: [WARN]
    [NOT:0000004000][x.x.x.x/- -] [-/- -]message.queue.serviceport
    property not found, defaulting to 7677
    [accumulator_rollup.accumulator_rollup] [main]
    com.q1labs.cve.accumulation.definition.GlobalViewConfiguration:
    [ERROR] [NOT:0000003000][x.x.x.x/- -] [-/- -]Unable to read
    Global View Definitions.
    [accumulator_rollup.accumulator_rollup] [main]
    com.thoughtworks.xstream.converters.ConversionException: 
    Failed calling method
    27 May 2020
    OFFENSES IJ24819 OFFENSE PURGING CAN FAIL IN QRADAR 7.4.0 FP1 IF01 OR 7.4.0 FP2 WHEN THE PATCHING PATH BEGAN AT QRADAR 7.3.3 FP3 CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505)
    QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002)

    Workaround
    No workaround available.

    Issue
    The purging (removal) of Offenses within QRadar fails when QRadar has been patched to version 7.4.0 FP1 IF01 or 7.4.0 FP2 from QRadar 7.3.3 FP3 specifically, due to an issue with database column ordering.

    Upgrade paths affected:
    1) QRadar 7.3.3 FP3 upgraded to 7.4.0 FP2
    2) QRadar 7.3.3 FP3 upgraded to 7.4.0 FP1 and applied IF01

    Note: Customers who patch from QRadar versions prior to 7.3.3 FP3 (e.g. 7.3.3 FP2) to 7.4.0 FP1 IF01 or 7.4.2 FP2 should not be affected by this Offense purging failure issue.

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]
    com.ibm.si.mpc.magi.contrib.commands.offense.OffensePurgeCommand: 
    [INFO] [NOT:0000006000][x/- -] [-/- -]Found 100 offense to
    purge in this transaction. The specified transaction size is
    100 and retention period is 2592000 seconds.
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]
    com.ibm.si.mpc.magi.contrib.commands.offense.OffensePurgeCommand: 
    [ERROR] Chained SQL Exception [1/2]: Batch entry 0 select *
    from purge_offense(10499) as result was aborted: ERROR: column
    "first_target_ipaddress" is of type inet but expression is of
    type bigint
      Hint: You will need to rewrite or cast the expression.
      Where: PL/pgSQL function purge_offense(bigint) line 6 at SQL
    statement  Call getNextException to see other errors in the
    batch.
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]
    com.ibm.si.mpc.magi.contrib.commands.offense.OffensePurgeCommand: 
    [ERROR] [NOT:03000][-/- -] [-/- -]database executing purge command failed.
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]
    java.sql.BatchUpdateException: Batch entry 0 select * from
    purge_offense(10499)  as result was aborted: ERROR: column
    "first_target_ipaddress" is of type inet but expression is of
    type bigint
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    Hint: You
    will need to rewrite or cast the expression.
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    Where:
    PL/pgSQL function purge_offense(bigint) line 6 at SQL statement
    Call getNextException to see other errors in the batch.
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    org.postgresql.jdbc.BatchResultHandler.handleError(BatchResultHa
    ndler.java:148)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExe
    cutorImpl.java:2184)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorIm
    pl.java:481)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    org.postgresql.jdbc.PgStatement.executeBatch(PgStatement.java:840)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    org.postgresql.jdbc.PgPreparedStatement.executeBatch(PgPreparedS
    tatement.java:1538)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    com.ibm.si.mpc.magi.contrib.commands.base.BasePurgeCommand.execu
    te(BasePurgeCommand.java:93)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    com.ibm.si.mpc.magi.contrib.ModelPersister.processCommands(Model
    Persister.java:2528)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    com.ibm.si.mpc.magi.contrib.ModelPersister.processCommands(Model
    Persister.java:2492)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    com.ibm.si.mpc.magi.contrib.ModelPersister.executePurgeCommands(
    ModelPersister.java:833)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    com.ibm.si.mpc.magi.contrib.ModelPersister.process(ModelPersiste
    r.java:1258)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    com.ibm.si.mpc.magi.contrib.ModelPersister.processCurrentTransac
    tion(ModelPersister.java:579)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    com.ibm.si.mpc.magi.contrib.ModelPersister.processCommands(Model
    Persister.java:453)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    com.ibm.si.mpc.magi.contrib.ModelPersister.process(ModelPersiste
    r.java:293)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    com.ibm.si.mpc.magi.contrib.TxStateManager.playCurrent(TxStateMa
    nager.java:259)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    com.ibm.si.mpc.magi.contrib.ModelPersister$Persister.playCurrent
    (ModelPersister.java:2918)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    com.ibm.si.mpc.magi.contrib.ModelPersister$Persister.run(ModelPe
    rsister.java:2874)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069] Caused by:
    org.postgresql.util.PSQLException: ERROR: column
    "first_target_ipaddress" is of type inet but expression is of
    type bigint
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    Hint: You
    will need to rewrite or cast the expression.
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    Where:
    PL/pgSQL function purge_offense(bigint) line 6 at SQL statement
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(Qu
    eryExecutorImpl.java:2440)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExe
    cutorImpl.java:2183)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    ... 14 more
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]
    com.ibm.si.mpc.magi.contrib.ModelPersister: [WARN]
    [NOT:0180002100][x/- -] [-/- -]Exception encounted when
    executing transaction 54069.
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]
    com.ibm.si.mpc.magi.contrib.PersistenceException: Failed to
    persist sem model
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    com.ibm.si.mpc.magi.contrib.ModelPersister.processCurrentTransac
    tion(ModelPersister.java:676)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    com.ibm.si.mpc.magi.contrib.ModelPersister.processCommands(Model
    Persister.java:453)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    com.ibm.si.mpc.magi.contrib.ModelPersister.process(ModelPersiste
    r.java:293)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    com.ibm.si.mpc.magi.contrib.TxStateManager.playCurrent(TxStateMa
    nager.java:259)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    com.ibm.si.mpc.magi.contrib.ModelPersister$Persister.playCurrent
    (ModelPersister.java:2918)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    com.ibm.si.mpc.magi.contrib.ModelPersister$Persister.run(ModelPe
    rsister.java:2874)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069] Caused by:
    java.sql.BatchUpdateException: Batch entry 0 select * from
    purge_offense(10499)  as result was aborted: ERROR: column
    "first_target_ipaddress" is of type inet but expression is of
    type bigint
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    Hint: You
    will need to rewrite or cast the expression.
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    Where:
    PL/pgSQL function purge_offense(bigint) line 6 at SQL statement
     Call getNextException to see other errors in the batch.
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    org.postgresql.jdbc.BatchResultHandler.handleError(BatchResultHa
    ndler.java:148)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExe
    cutorImpl.java:2184)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorIm
    pl.java:481)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    org.postgresql.jdbc.PgStatement.executeBatch(PgStatement.java:840)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    org.postgresql.jdbc.PgPreparedStatement.executeBatch(PgPreparedS
    tatement.java:1538)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    com.ibm.si.mpc.magi.contrib.commands.base.BasePurgeCommand.execu
    te(BasePurgeCommand.java:93)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    com.ibm.si.mpc.magi.contrib.ModelPersister.processCommands(Model
    Persister.java:2528)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    com.ibm.si.mpc.magi.contrib.ModelPersister.processCommands(Model
    Persister.java:2492)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    com.ibm.si.mpc.magi.contrib.ModelPersister.executePurgeCommands(
    ModelPersister.java:833)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    com.ibm.si.mpc.magi.contrib.ModelPersister.process(ModelPersiste
    r.java:1258)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    com.ibm.si.mpc.magi.contrib.ModelPersister.processCurrentTransac
    tion(ModelPersister.java:579)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    ... 5 more
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069] Caused by:
    org.postgresql.util.PSQLException: ERROR: column
    "first_target_ipaddress" is of type inet but expression is of
    type bigint
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    Hint: You
    will need to rewrite or cast the expression.
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    Where:
    PL/pgSQL function purge_offense(bigint) line 6 at SQL statement
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(Qu
    eryExecutorImpl.java:2440)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    at
    org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExe
    cutorImpl.java:2183)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000054069]    ... 14 more
    08 May 2020
    UPGRADE / APPLICATION FRAMEWORK IJ24903 QRADAR APPLICATIONS CAN BE MISSING AFTER PATCHING QRADAR TO 7.4.0 FP1 OR NEWER CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505)

    Workaround
    Contact Support for a possible workaround that might address this issue in some instances.

    Issue
    After patching QRadar to 7.4.0 FP1 or newer, some QRadar applications can be missing in the User Interface.
    27 May 2020
    APPLICATION FRAMEWORK / DISK SPACE IJ23680 QRADAR APP INSTALLATION OR REMOVAL CAN GENERATE REPEATED LOG WRITES 'USING GETRESPONSEBODYASSTREAM INSTEAD IS RECOMMENDED' CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505)
    QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002)

    Workaround
    No workaround available.

    Issue
    When QRadar Apps are installed or uninstalled, repeated messages similar to the following can sometimes be continually written to the QRadar log. This issue is benign and only writes data to the logs, but the repeated messages consume extra disk space. When this issue occurs, the following message is displayed in /var/log/qradar.log:
    tomcat[14713]: 2019-12-11 10:26:09,615 [QRADAR]
    [admin@127.0.0.1] org.apache.commons.httpclient.HttpMethodBase:
    [WARN] Going to buffer response body of large or unknown size.
    Using getResponseBodyAsStream instead is recommended.
    23 March 2020
    AQL / ADVANCED SEARCH IJ23387 AQL QUERIES WITH SUBQUERIES CAN CAUSE A FILE HANDLE LEAK THAT LEADS TO ARIEL SERVICE OUTAGES CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505)
    QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002)

    Workaround
    A restart of the ariel_proxy_server on the QRadar console can temporarily alleviate this issue, but the issue can re-occur.
    systemctl restart ariel_proxy_server


    Issue
    AQL queries with subqueries can result in a file handle leak, which can cause the ariel process to run out of file handles over time.

    When the handles exceed the maximum for that process and no more file handles are available, ariel outages can occur until the process is restarted.

    For example, the following sample AQL query can cause this file handle leak to occur in QRadar:
    select qid from events where username in (select username from
    events limit 3) limit 3
    18 March 2020
    OFFENSES / DASHBOARD IJ23415 'APPLICATION ERROR' WHEN ATTEMPTING TO CLOSE OPEN OFFENSES USING DASHBOARD WIDGET CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505)
    QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002)

    Workaround
    Close the Offense through the QRadar Offenses tab in the user interface.

    Issue
    An 'Application Error' can occur when attempting to close open offenses using a Dashboard widget.

    For Example:
    1. Navigate to Dashboard tab.
    2. In the Show dashboard menu, select Threat and Security Monitoring.
    3. Select any offense from a Dashboard widget, such as Most recent/Most severe offenses.
      The Offense details are displayed.
    4. Select Actions > Close.
    5. Provide an offense closing reason.
    6. Click OK.
    7. An application error is displayed to the user.

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]
    com.q1labs.uiframeworks.action.ExceptionHandler: [ERROR]
    [NOT:0000003000][127.0.0.1/- -] [-/- -]An exception occurred
    while processing the request:
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]
    com.ibm.si.content_management.utils.ApplicationErrorStateException
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    com.q1labs.sem.ui.action.MaintainProperties.findNextForward(Main
    tainProperties.java:230)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    com.q1labs.sem.ui.action.MaintainProperties.updatePropertiesSecu
    re(MaintainProperties.java:80)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    com.q1labs.sem.ui.action.MaintainProperties.updateProperties(Mai
    ntainProperties.java:213)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethod
    AccessorImpl.java:55)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    java.lang.reflect.Method.invoke(Method.java:508)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    org.apache.struts.actions.DispatchAction.dispatchMethod(Dispatch
    Action.java:280)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    org.apache.struts.actions.DispatchAction.execute(DispatchAction.java)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    com.q1labs.uiframeworks.actions.DispatchAction.execute(DispatchA
    ction.java:64)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    org.apache.struts.action.RequestProcessor.processActionPerform(R
    equestProcessor.java:484)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    com.q1labs.uiframeworks.action.RequestProcessor.processActionPer
    form(RequestProcessor.java:101)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    org.apache.struts.action.RequestProcessor.process(RequestProcess
    or.java:275)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    org.apache.struts.action.ActionServlet.process(ActionServlet.java)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    com.q1labs.uiframeworks.action.ActionServlet.process(ActionServl
    et.java:122)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    org.apache.struts.action.ActionServlet.doPost(ActionServlet.java)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    javax.servlet.http.HttpServlet.service(HttpServlet.java:661)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.internalDoFilter
    (ApplicationFilterChain.java:231)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.doFilter(Applica
    tionFilterChain.java:166)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.internalDoFilter
    (ApplicationFilterChain.java:193)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.doFilter(Applica
    tionFilterChain.java:166)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    com.q1labs.uiframeworks.servlet.AddUserHeaderFilter.doFilter(Add
    UserHeaderFilter.java:86)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.internalDoFilter
    (ApplicationFilterChain.java:193)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.doFilter(Applica
    tionFilterChain.java:166)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    com.q1labs.uiframeworks.servlet.ThreadNameFilter.doFilter(Thread
    NameFilter.java:53)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.internalDoFilter
    (ApplicationFilterChain.java:193)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.doFilter(Applica
    tionFilterChain.java:166)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    com.q1labs.core.ui.filters.StrutsParamFilter.doFilter(StrutsPara
    mFilter.java:41)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.internalDoFilter
    (ApplicationFilterChain.java:193)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.doFilter(Applica
    tionFilterChain.java:166)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    com.q1labs.uiframeworks.postauthredirect.PostLoginRedirectFilter
    .doFilter(PostLoginRedirectFilter.java:70)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.internalDoFilter
    (ApplicationFilterChain.java:193)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.doFilter(Applica
    tionFilterChain.java:166)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    com.q1labs.uiframeworks.auth.AuthenticationVerificationFilter.do
    Filter(AuthenticationVerificationFilter.java:304)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.internalDoFilter
    (ApplicationFilterChain.java:193)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.doFilter(Applica
    tionFilterChain.java:166)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    com.q1labs.uiframeworks.auth.PersistentSessionFilter.doFilter(Pe
    rsistentSessionFilter.java:89)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.internalDoFilter
    (ApplicationFilterChain.java:193)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.doFilter(Applica
    tionFilterChain.java:166)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    com.q1labs.uiframeworks.auth.SecAuthenticationFilter.doFilter(Se
    cAuthenticationFilter.java:132)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.internalDoFilter
    (ApplicationFilterChain.java:193)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    com.ibm.si.console.cors.ProcessCorsFilter.doFilter(ProcessCorsFi
    lter.java:159)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.doFilter(Applica
    tionFilterChain.java:166)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.internalDoFilter
    (ApplicationFilterChain.java:193)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.doFilter(Applica
    tionFilterChain.java:166)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    com.q1labs.uiframeworks.encoding.AddEncodingToRequestFilter.doFi
    lter(AddEncodingToRequestFilter.java:56)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.internalDoFilter
    (ApplicationFilterChain.java:193)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.doFilter(Applica
    tionFilterChain.java:166)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    com.q1labs.uiframeworks.servlet.DestroySessionFilter.doFilter(De
    stroySessionFilter.java:26)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.internalDoFilter
    (ApplicationFilterChain.java:193)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    org.apache.catalina.core.ApplicationFilterChain.doFilter(Applica
    tionFilterChain.java:166)
    [tomcat.tomcat] [user@127.0.0.1 (8795)
    /console/do/sem/properties]    at
    com.q1labs.uiframeworks.servlet.AddHSTSHeaderFilter.doFilter(Add
    HSTSHeaderFilter.java:22)
    11 March 2020
    DSM EDITOR IJ25156 'NO EVENTS WERE PARSED' MESSAGE AND BLANK LOG ACTIVITY PREVIEW WHEN USING THE DSM EDITOR TO CONFIGURE EVENT PARSING CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505)
    QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002)

    Workaround
    No workaround available.

    Issue
    When using the DSM Editor to configure event parsing, a message similar to "No events were parsed" can be generated and the Log Activity Preview window remains blank. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [tomcat.tomcat] [/console/restapi/api/application/data_ingestion/simulate] 
    com.q1labs.restapi.servlet.apidelegate.APIDelegate:  
    [ERROR] Request Exception [tomcat.tomcat] [/console/restapi/api/application/ 
    data_ingestion/simulate] com.q1labs.restapi_annotations.content.exceptions. 
    APIMappedException: Unable to complete parsing simulation
    [tomcat.tomcat] [/console/restapi/api/application/data_ingestion/simulate] 
     at com.q1labs.restapi_annotations.content.exceptions.APIMappedExcep
    tion.{init}(APIMappedException.java:131)
    [tomcat.tomcat] [/console/restapi/api/application/data_ingestion/simulate] 
    Caused by:
    [tomcat.tomcat] [/console/restapi/api/application/data_ingestion/simulate] 
    java.lang.IllegalArgumentException: Comparison method violates
    its general contract!
    [tomcat.tomcat] [/console/restapi/api/application/data_ingestion/simulate] 
    at java.util.TimSort.mergeLo(TimSort.java:788)
    [tomcat.tomcat] [/console/restapi/api/application/data_ingestion/simulate] 
    at java.util.TimSort.mergeAt(TimSort.java:525)
    [tomcat.tomcat] [/console/restapi/api/application/data_ingestion/simulate] 
    at java.util.TimSort.mergeCollapse(TimSort.java:452)
    [tomcat.tomcat] [/console/restapi/api/application/data_ingestion/simulate] 
    at java.util.TimSort.sort(TimSort.java:256)
    [tomcat.tomcat] [/console/restapi/api/application/data_ingestion/simulate] 
    at java.util.Arrays.sort(Arrays.java:1856)
    [tomcat.tomcat] [/console/restapi/api/application/data_ingestion/simulate] 
    at java.util.ArrayList.sort(ArrayList.java:1473)
    [tomcat.tomcat] [/console/restapi/api/application/data_ingestion/simulate] 
    at com.ibm.si.data_ingestion.dsm_simulator.ParserSimulator.setPrope
    rtyParsers(ParserSimulator.java:112)
    [tomcat.tomcat] [/console/restapi/api/application/data_ingestion/simulate] 
    at com.ibm.si.data_ingestion.api.impl.application.ApplicationAPIImp
    l.simulateParse(ApplicationAPIImpl.java:1060)
    27 May 2020
    OFFENSES IJ24334 OFFENSE PURGING CAN SOMETIMES FAIL WITH A BATCHUPDATEEXCEPTION CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505)
    QRadar 7.4.0 Fix Pack 2 (7.4.0.20200426161706)
    QRadar 7.4.0 Fix Pack 1 Interim Fix 01 (7.4.0.20200424160445)
    QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002)
    QRadar 7.3.3 Fix Pack 3 Interim Fix 01 (7.3.3.20200427135149)

    Workaround
    No workaround available.

    Issue
    In some instances, Offense purging (removal) can fail with a BatchUpdateException being written to QRadar logging. Because the affected offenses cannot be removed from the system, the Offense model within QRadar can grow unnecessarily. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127]
    com.ibm.si.mpc.magi.contrib.commands.offense.OffensePurgeCommand: 
    [ERROR] Chained SQL Exception [1/2]: Batch entry 0 select *
    from purge_offense(1338)  as result was aborted: ERROR: INSERT
    has more expressions than target columns
    Where: PL/pgSQL function purge_offense(bigint) line 6 at SQL
    statement  Call getNextException to see other errors in the batch.
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127]
    com.ibm.si.mpc.magi.contrib.commands.offense.OffensePurgeCommand: 
    [ERROR] Chained SQL Exception [2/2]: ERROR: INSERT has more
    expressions than target columns
    Where: PL/pgSQL function purge_offense(bigint) line 6 at SQL
    statement
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127]
    com.ibm.si.mpc.magi.contrib.commands.offense.OffensePurgeCommand: 
    [ERROR] [NOT:0000003000][X.X.X.X/- -] [-/- -]database
    executing purge command failed.
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127]
    java.sql.BatchUpdateException: Batch entry 0 select * from
    purge_offense(1338)  as result was aborted: ERROR: INSERT has
    more expressions than target columns
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] Where: 
    PL/pgSQL function purge_offense(bigint) line 6 at SQL statement
     Call getNextException to see other errors in the batch.
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at 
    org.postgresql.jdbc.BatchResultHandler.handleError
    (BatchResultHandler.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at 
    org.postgresql.core.v3.QueryExecutorImpl.processResults
    (QueryExecutorImpl.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at 
    org.postgresql.core.v3.QueryExecutorImpl.execute
    (QueryExecutorImpl.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at 
    org.postgresql.jdbc.PgStatement.executeBatch(PgStatement.
    java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at
    org.postgresql.jdbc.PgPreparedStatement.executeBatch(PgPrepared 
    Statement.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at
    com.ibm.si.mpc.magi.contrib.commands.base.BasePurgeCommand.
    execute(BasePurgeCommand.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at
    com.ibm.si.mpc.magi.contrib.ModelPersister.processCommands
    (ModelPersister.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at
    com.ibm.si.mpc.magi.contrib.ModelPersister.processCommands 
    (ModelPersister.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at
    com.ibm.si.mpc.magi.contrib.ModelPersister.executePurgeCommands 
    (ModelPersister.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at
    com.ibm.si.mpc.magi.contrib.ModelPersister.process(ModelPersister 
    .java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at
    com.ibm.si.mpc.magi.contrib.ModelPersister.processCurrent 
    Transaction(ModelPersister.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at
    com.ibm.si.mpc.magi.contrib.ModelPersister.processCommands
    (ModelPersister.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at
    com.ibm.si.mpc.magi.contrib.ModelPersister.process 
    (ModelPersister.java) 
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at
    com.ibm.si.mpc.magi.contrib.TxStateManager.playCurrent 
    (TxStateManager.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127]  at
    com.ibm.si.mpc.magi.contrib.ModelPersister$Persister.playCurrent 
    (ModelPersister.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127]    at
    com.ibm.si.mpc.magi.contrib.ModelPersister$Persister.run 
    (ModelPersister.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] Caused by:
    org.postgresql.util.PSQLException: ERROR: INSERT has more 
    expressions than target columns
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127]    Where:
    PL/pgSQL function purge_offense(bigint) line 6 at SQL statement 
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at
    org.postgresql.core.v3.QueryExecutorImpl.receiveError 
    Response(QueryExecutorImpl.java:2440)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at
    org.postgresql.core.v3.QueryExecutorImpl.processResults 
    (QueryExecutorImpl.java:2183)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127]... 14 more
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127]
    com.ibm.si.mpc.magi.contrib.ModelPersister: [WARN]
    [NOT:0180002100][X.X.X.X/- -] [-/- -]Exception encounted when
    executing transaction 753127.
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127]
    com.ibm.si.mpc.magi.contrib.PersistenceException: Failed to  
    persist sem model
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at
    com.ibm.si.mpc.magi.contrib.ModelPersister.processCurrent 
    Transaction(ModelPersister.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at
    com.ibm.si.mpc.magi.contrib.ModelPersister.processCommands(Model 
    Persister.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at
    com.ibm.si.mpc.magi.contrib.ModelPersister.process(ModelPersister.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at
    com.ibm.si.mpc.magi.contrib.TxStateManager.playCurrent
    (TxStateManager.java:259)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at
    com.ibm.si.mpc.magi.contrib.ModelPersister$Persister.play 
    Current(ModelPersister.java:2918)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at
    com.ibm.si.mpc.magi.contrib.ModelPersister$Persister.run 
    (ModelPersister.java:2874)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] Caused by:
    java.sql.BatchUpdateException: Batch entry 0 select * from
    purge_offense(1338)  as result was aborted: ERROR: INSERT has
    more expressions than target columns
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127]    Where:
    PL/pgSQL function purge_offense(bigint) line 6 at SQL statement 
    Call getNextException to see other errors in the batch.
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127]    at
    org.postgresql.jdbc.BatchResultHandler.handleError(BatchResult 
    Handler.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at
    org.postgresql.core.v3.QueryExecutorImpl.processResults(Query 
    ExecutorImpl.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at
    org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutor 
    Impl.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at
    org.postgresql.jdbc.PgStatement.executeBatch(PgStatement.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at
    org.postgresql.jdbc.PgPreparedStatement.executeBatch 
    (PgPreparedStatement.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at
    com.ibm.si.mpc.magi.contrib.commands.base.BasePurgeCommand. 
    execute(BasePurgeCommand.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at
    com.ibm.si.mpc.magi.contrib.ModelPersister.processCommands 
    (ModelPersister.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at
    com.ibm.si.mpc.magi.contrib.ModelPersister.processCommands 
    (ModelPersister.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at
    com.ibm.si.mpc.magi.contrib.ModelPersister.executePurgeCommands 
    (ModelPersister.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at
    com.ibm.si.mpc.magi.contrib.ModelPersister.process 
    (ModelPersister.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] at
    com.ibm.si.mpc.magi.contrib.ModelPersister.processCurrentTransac
    tion(ModelPersister.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127]    ... 5 more
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127] Caused by:
    org.postgresql.util.PSQLException: ERROR: INSERT has more
    expressions than target columns
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127]    Where:
    PL/pgSQL function purge_offense(bigint) line 6 at SQL statement
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127]    at
    org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(Qu
    eryExecutorImpl.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127]    at
    org.postgresql.core.v3.QueryExecutorImpl.processResults 
    (QueryExecutorImpl.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000753127]... 14 more
    23 May 2020
    UPGRADE IJ24630 PATCHING PROCESS TO QRADAR 7.4 CAN FAIL WHEN ATTACKER_HISTORY DATABASE TABLE CONTAINS DUPLICATE VALUES CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505)
    QRadar 7.4.0 Fix Pack 2 (7.4.0.20200426161706)

    Workaround
    No workaround available.

    Issue
    The QRadar patching process on Consoles and Managed Hosts can fail if the database attacker_history table contains duplicate values. Messages similar to the following might be visible during the patching process when this issue occurs:
    ERROR: could not create unique index
    "attacker_history_ipaddress_key"
    DETAIL: Key (ipaddress, domain_id)=(X.X.X.X, 0) is duplicated.
    CONTEXT: SQL statement "ALTER TABLE public.attacker_history ADD
    CONSTRAINT attacker_history_ipaddress_key UNIQUE(ipaddress,
    domain_id) WITH (fillfactor='50');"
    PL/pgSQL function create_inet_index(character varying,character
    varying,character varying,character varying,character varying)
    line 12 at EXECUTE
    SQL statement "SELECT create_inet_index(
    'attacker_history_ipaddress_key', 'attacker_history', 'public',
    'ipaddress', 'domain_id')"
    PL/pgSQL function create_offense_inet_indexes() line 6 at
    PERFORMError applying script [70/87]
    '/media/updates/opt/qradar/conf/templates/db_update_offense.inet
    .2.sql' for Test_qradar database.; details:
    02 May 2020
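    A read-only pre-upgrade check for the condition behind IJ24630, added here as an example; it is not part of the APAR text and not a QRadar-supplied tool. It uses only the table, columns and schema named in the error output above (public.attacker_history, ipaddress, domain_id) and assumes it is run with psql against the console database before patching. It reports which key pairs would make the UNIQUE(ipaddress, domain_id) constraint fail, and how many copies of each exist; it changes nothing.

```sql
-- Added example, not QRadar's own code.
-- Lists every (ipaddress, domain_id) pair that occurs more than once in
-- public.attacker_history. Each row returned is a key that the patch's
--   ALTER TABLE public.attacker_history
--     ADD CONSTRAINT attacker_history_ipaddress_key UNIQUE(ipaddress, domain_id)
-- would reject with "could not create unique index".
-- Assumption: run read-only via psql against the console database before patching.
SELECT ipaddress,
       domain_id,
       COUNT(*) AS copies          -- number of rows sharing this key
FROM   public.attacker_history
GROUP  BY ipaddress, domain_id
HAVING COUNT(*) > 1
ORDER  BY copies DESC, ipaddress;

-- One-line summary: zero rows means the unique index can be created.
SELECT COUNT(*) AS duplicate_keys
FROM (
    SELECT ipaddress, domain_id
    FROM   public.attacker_history
    GROUP  BY ipaddress, domain_id
    HAVING COUNT(*) > 1
) AS dup;
```

    If the summary query returns a non-zero count on a version in the affected range, the patch to 7.4 is expected to hit this APAR; the APAR itself lists no workaround, so the result is a reason to contact Support before starting the upgrade rather than a prompt to delete rows.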
    SCAN TOOLS / QRADAR VULNERABILITY MANAGER IJ24430 QRADAR VULNERABILITY MANAGER SCANNER REVERSE TUNNELS ARE NOT BEING CREATED WHEN THE QVM PROCESSOR IS LOCATED ON THE QRADAR CONSOLE CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 2 (7.4.0.20200426161706)

    Workaround
    Where possible, disable encryption to QVM hosts and perform a Deploy Full Configuration.

    Issue
    QRadar Vulnerability Manager reverse tunnels are not being created to QVM scanners when the QVM processor is located on the QRadar Console.

    No scan tools will run when this issue is occurring. Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs:
    [7171]: WARNING: Interceptor for
    {http://processor.workflow.qvm.q1labs.com/}IProcessorEndpointSer
    vice#{http://processor.workflow.qvm.q1labs.com/}getScans has
    thrown exception, unwinding now
    [7171]: org.apache.cxf.interceptor.Fault: Could not send Message.
    [7171]: at
    org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSende
    rEndingInterceptor.handleMessage(MessageSenderInterceptor.java)
    [7171]: at
    org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInte
    rceptorChain.java:308)
    [7171]: at
    org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:531)
    [7171]: at
    org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:440)
    [7171]: at
    org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:355)
    [7171]: at
    org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:313)
    [7171]: at
    org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java)
    [7171]: at
    org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java)
    [7171]: at com.sun.proxy.$Proxy59.getScans(Unknown Source)
    [7171]: at
    com.q1labs.qvm.workflow.scan.gateway.ws.ProcessorServiceGatewayW
    ebServiceImpl.getQueuedJobs(ProcessorServiceGatewayWebServiceImp
    l.java:53)
    [7171]: at
    com.q1labs.qvm.workflow.scan.ScanToolProcess.exec(ScanToolProcess.java)
    [7171]: at
    com.q1labs.qvm.workflow.AbstractWorkflowProcess.run(AbstractWork
    flowProcess.java:160)
    [7171]: at java.lang.Thread.run(Thread.java:818)
    [7171]: Caused by: java.net.ConnectException: ConnectException
    invoking https://127.0.0.1:9999/processor: Connection refused
    (Connection refused)
    [7171]: at
    sun.reflect.GeneratedConstructorAccessor59.newInstance(Unknown
    Source)
    [7171]: at
    sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Delega
    tingConstructorAccessorImpl.java:57)
    [7171]: at
    java.lang.reflect.Constructor.newInstance(Constructor.java:437)
    [7171]: at
    org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.ma
    pException(HTTPConduit.java:1402)
    [7171]: at
    org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.cl
    ose(HTTPConduit.java:1386)
    [7171]: at
    org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java)
    [7171]: at
    org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java)
    [7171]: at
    org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSende
    rEndingInterceptor.handleMessage(MessageSenderInterceptor.java)
    [7171]: ... 12 more
    [7171]: Caused by: java.net.ConnectException: Connection
    refused (Connection refused)
    [7171]: at
    java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java)
    [7171]: at
    java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainS
    ocketImpl.java:236)
    [7171]: at
    java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java)
    [7171]: at
    java.net.SocksSocketImpl.connect(SocksSocketImpl.java:374)
    [7171]: at java.net.Socket.connect(Socket.java:666)
    [7171]: at
    sun.net.NetworkClient.doConnect(NetworkClient.java:187)
    [7171]: at
    sun.net.www.http.HttpClient.openServer(HttpClient.java:494)
    [7171]: at
    sun.net.www.http.HttpClient.openServer(HttpClient.java:589)
    [7171]: at
    com.ibm.net.ssl.www2.protocol.https.c.(c.java:56)
    [7171]: at com.ibm.net.ssl.www2.protocol.https.c.a(c.java:222)
    [7171]: at
    com.ibm.net.ssl.www2.protocol.https.d.getNewHttpClient(d.java:25)
    [7171]: at
    sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpUR
    LConnection.java:1217)
    [7171]: at
    sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURL
    Connection.java:1068)
    [7171]: at
    com.ibm.net.ssl.www2.protocol.https.d.connect(d.java:78)
    [7171]: at
    sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(Htt
    pURLConnection.java:1352)
    [7171]: at
    sun.net.www.protocol.http.HttpURLConnection.getOutputStream(Http
    URLConnection.java:1327)
    [7171]: at
    com.ibm.net.ssl.www2.protocol.https.b.getOutputStream(b.java:87)
    [7171]: at
    org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnec
    tionWrappedOutputStream.setupWrappedStream(URLConnectionHTTPCond
    uit.java:275)
    [7171]: at
    org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.ha
    ndleHeadersTrustCaching(HTTPConduit.java:1345)
    [7171]: at
    org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.on
    FirstWrite(HTTPConduit.java:1306)
    [7171]: at
    org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnec
    tionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.ja
    va:307)
    [7171]: at
    org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrap
    pedOutputStream.java:47)
    [7171]: at
    org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractTh
    resholdOutputStream.java:69)
    [7171]: at
    org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.cl
    ose(HTTPConduit.java:1358)
    [7171]: ... 15 more
    02 May 2020
    OFFENSES IJ24275 EXPORTING OFFENSES CAN FAIL WITH AN ERROR 'THERE WAS A PROBLEM COMPLETING YOUR EXPORT. PLEASE TRY AGAIN LATER' CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505)
    QRadar 7.4.0 Fix Pack 2 (7.4.0.20200426161706)

    Workaround
    No workaround available.

    Issue
    Exporting offenses to .csv or XML can sometimes fail with error "There was a problem completing your export. Please try again later."

    Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs:
    [tomcat.tomcat] [ExportJob-admin-10b9e80c-2622-44ad-b156-7efbf677d2ae]
    com.q1labs.core.ui.coreservices.export.ExportJobProcessor:
    [ERROR] [NOT:0000003000][X.X.X.X/- -] [-/- -]Error invoking
    setFirstTargetIPAddress with data Z.Z.Z.Z
    [tomcat.tomcat]
    [ExportJob-admin-10b9e80c-2622-44ad-b156-7efbf677d2ae]
    com.q1labs.core.ui.coreservices.export.ExportJobProcessor:
    [ERROR] [NOT:0000003000][X.X.X.X/- -] [-/- -]Error exporting data
    [tomcat.tomcat]
    [ExportJob-admin-10b9e80c-2622-44ad-b156-7efbf677d2ae]
    java.lang.IllegalArgumentException:
    java.lang.ClassCastException@70f49eb7
    [tomcat.tomcat]
    [ExportJob-admin-10b9e80c-2622-44ad-b156-7efbf677d2ae]    at
    sun.reflect.GeneratedMethodAccessor827.invoke(Unknown Source)
    [tomcat.tomcat]
    [ExportJob-admin-10b9e80c-2622-44ad-b156-7efbf677d2ae]    at
    sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethod
    AccessorImpl.java:55)
    [tomcat.tomcat]
    [ExportJob-admin-10b9e80c-2622-44ad-b156-7efbf677d2ae]    at
    java.lang.reflect.Method.invoke(Method.java:508)
    [tomcat.tomcat]
    [ExportJob-admin-10b9e80c-2622-44ad-b156-7efbf677d2ae]    at
    com.q1labs.core.ui.coreservices.export.ExportJobProcessor.export
    JDBCSearch(ExportJobProcessor.java:1013)
    [tomcat.tomcat]
    [ExportJob-admin-10b9e80c-2622-44ad-b156-7efbf677d2ae]    at
    com.q1labs.core.ui.coreservices.export.ExportJobProcessor.run(Ex
    portJobProcessor.java:221)
    [tomcat.tomcat]
    [ExportJob-admin-10b9e80c-2622-44ad-b156-7efbf677d2ae]
    com.q1labs.core.ui.coreservices.export.ExportJobProcessor:
    [ERROR] [NOT:0090003100][X.X.X.X/- -] [-/- -]The following
    error was encountered while performing a data export:
    java.lang.IllegalArgumentException:
    java.lang.ClassCastException@70f49eb7
    at sun.reflect.GeneratedMethodAccessor827.invoke(Unknown Source) at
    sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethod
    AccessorImpl.java:55)
    at java.lang.reflect.Method.invoke(Method.java:508) at
    com.q1labs.core.ui.coreservices.export.ExportJobProcessor.export
    JDBCSearch(ExportJobProcessor.java:1013) at
    com.q1labs.core.ui.coreservices.export.ExportJobProcessor.run(Ex
    portJobProcessor.java:221)
    02 May 2020
    SECURITY BULLETIN CVE-2020-4294 IBM QRADAR SIEM IS VULNERABLE TO SERVER-SIDE REQUEST FORGERY (SSRF) CLOSED Resolved in
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)
    QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249)
    QRadar Incident Forensics 7.4.0 (SFS) (7.4.0.20200304205308)
    QRadar Incident Forensics 7.4.0 (ISO) (7.4.0.20200304205308)

    Affected versions
    IBM QRadar 7.3.0 to 7.3.3 Patch 2

    Issue
    IBM QRadar SIEM is vulnerable to Server Side Request Forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.
    14 April 2020
SECURITY BULLETIN CVE-2020-4274 IBM QRADAR SIEM IS VULNERABLE TO AUTHORIZATION BYPASS CLOSED Resolved in
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)
    QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249)
    QRadar Incident Forensics 7.4.0 (SFS) (7.4.0.20200304205308)
    QRadar Incident Forensics 7.4.0 (ISO) (7.4.0.20200304205308)

    Affected versions
    IBM QRadar 7.3.0 to 7.3.3 Patch 2

    Issue
    IBM QRadar SIEM could allow an authenticated user to access data and perform unauthorized actions due to inadequate permission checks.
    14 April 2020
    SECURITY BULLETIN CVE-2020-4272 IBM QRADAR SIEM IS VULNERABLE TO INSTANTIATION OF ARBITRARY OBJECTS CLOSED Resolved in
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)
    QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249)
    QRadar Incident Forensics 7.4.0 (SFS) (7.4.0.20200304205308)
    QRadar Incident Forensics 7.4.0 (ISO) (7.4.0.20200304205308)

    Affected versions
    IBM QRadar 7.3.0 to 7.3.3 Patch 2

    Issue
IBM QRadar could allow a remote attacker to include arbitrary files. A remote attacker could send a specially-crafted request specifying a malicious file from a remote system, which could allow the attacker to execute arbitrary code on the vulnerable server.
    14 April 2020
    SECURITY BULLETIN CVE-2020-4271 IBM QRADAR SIEM IS VULNERABLE TO PHP OBJECT INJECTION CLOSED Resolved in
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)
    QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249)
    QRadar Incident Forensics 7.4.0 (SFS) (7.4.0.20200304205308)
    QRadar Incident Forensics 7.4.0 (ISO) (7.4.0.20200304205308)

    Affected versions
    IBM QRadar 7.3.0 to 7.3.3 Patch 2

    Issue
    IBM QRadar could allow an authenticated user to send a specially crafted command which would be executed as a lower privileged user.
    14 April 2020
    SECURITY BULLETIN CVE-2020-4270 IBM QRADAR SIEM IS VULNERABLE TO PRIVILEGE ESCALATION CLOSED Resolved in
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)
    QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249)
    QRadar Incident Forensics 7.4.0 (SFS) (7.4.0.20200304205308)
    QRadar Incident Forensics 7.4.0 (ISO) (7.4.0.20200304205308)

    Affected versions
    IBM QRadar 7.3.0 to 7.3.3 Patch 2

    Issue
    IBM QRadar could allow a local user to gain escalated privileges due to weak file permissions.
    14 April 2020
    SECURITY BULLETIN CVE-2020-4269 IBM QRADAR SIEM CONTAINS HARD-CODED CREDENTIALS CLOSED Resolved in
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)
    QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249)
    QRadar Incident Forensics 7.4.0 (SFS) (7.4.0.20200304205308)
    QRadar Incident Forensics 7.4.0 (ISO) (7.4.0.20200304205308)

    Affected versions
    IBM QRadar 7.3.0 to 7.3.3 Patch 2

    Issue
    IBM QRadar contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.
    14 April 2020
    SECURITY BULLETIN CVE-2020-4151 IBM QRADAR SIEM IS VULNERABLE TO IMPROPER INPUT VALIDATION CLOSED Resolved in
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)
    QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249)
    QRadar Incident Forensics 7.4.0 (SFS) (7.4.0.20200304205308)
    QRadar Incident Forensics 7.4.0 (ISO) (7.4.0.20200304205308)

    Affected versions
    IBM QRadar 7.3.0 to 7.3.3 Patch 2

    Issue
    IBM QRadar SIEM is vulnerable to improper input validation, allowing an authenticated attacker to perform unauthorized actions.
    14 April 2020
    SECURITY BULLETIN CVE-2019-2989
    CVE-2019-2975
    CVE-2019-2981
    CVE-2019-2973
    CVE-2019-2964
    MULTIPLE VULNERABILITIES IN IBM JAVA SDK AND IBM JAVA RUNTIME AFFECT IBM QRADAR SIEM CLOSED Resolved in
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Fix Pack 2 (7.3.3.20200208135728)
    QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249)
    QRadar Incident Forensics 7.4.0 (SFS) (7.4.0.20200304205308)
    QRadar Incident Forensics 7.4.0 (ISO) (7.4.0.20200304205308)

    Affected versions
    IBM QRadar 7.3.0 to 7.3.3 Patch 1

    Issue
    There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 8 and IBM® Runtime Environment Java™ Version 8 used by IBM QRadar SIEM. IBM QRadar SIEM has addressed the applicable CVEs.
    14 April 2020
SECURITY BULLETIN CVE-2019-4654 IBM QRADAR SIEM IS VULNERABLE TO INVALID CERTIFICATE VALIDATION CLOSED Resolved in
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)
    QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249)
    QRadar Incident Forensics 7.4.0 (SFS) (7.4.0.20200304205308)
    QRadar Incident Forensics 7.4.0 (ISO) (7.4.0.20200304205308)

    Affected versions
    IBM QRadar 7.3.0 to 7.3.3 Patch 2

    Issue
    IBM QRadar does not validate, or incorrectly validates, a certificate which could allow an attacker to spoof a trusted entity by using a man-in-the-middle (MITM) attack.
    14 April 2020
    SECURITY BULLETIN CVE-2019-4593 IBM QRADAR SIEM IS VULNERABLE TO INFORMATION EXPOSURE CLOSED Resolved in
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Fix Pack 2 (7.3.3.20200208135728)
    QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249)
    QRadar Incident Forensics 7.4.0 (SFS) (7.4.0.20200304205308)
    QRadar Incident Forensics 7.4.0 (ISO) (7.4.0.20200304205308)

    Affected versions
    IBM QRadar 7.3.0 to 7.3.3 Patch 2

    Issue
    IBM QRadar generates an error message that includes sensitive information that could be used in further attacks against the system.
    14 April 2020
    SECURITY BULLETIN CVE-2019-4594 IBM QRADAR SIEM IS VULNERABLE TO INFORMATION EXPOSURE CLOSED Resolved in
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Fix Pack 2 (7.3.3.20200208135728)
    QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249)
    QRadar Incident Forensics 7.4.0 (SFS) (7.4.0.20200304205308)
    QRadar Incident Forensics 7.4.0 (ISO) (7.4.0.20200304205308)

    Affected versions
    IBM QRadar 7.3.0 to 7.3.3 Patch 1

    Issue
    IBM QRadar could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques.
    14 April 2020
    SECURITY BULLETIN CVE-2017-3164 IBM QRADAR SIEM IS VULNERABLE TO USING COMPONENTS WITH KNOWN VULNERABILITIES CLOSED Resolved in
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Fix Pack 2 (7.3.3.20200208135728)
    QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249)
    QRadar Incident Forensics 7.4.0 (SFS) (7.4.0.20200304205308)
    QRadar Incident Forensics 7.4.0 (ISO) (7.4.0.20200304205308)

    Affected versions
    IBM QRadar 7.3.0 to 7.3.3 Patch 1

    Issue
Apache Solr is vulnerable to server-side request forgery, caused by not having a corresponding whitelist mechanism for the shards parameter. By using a specially-crafted argument, an attacker could exploit this vulnerability to conduct an SSRF attack.
    14 April 2020
    RULES IJ20330 RULES THAT COMPARE FIELD 'SOURCE OR DESTINATION IP' AGAINST IP TYPE REFERENCE DATA FOR SUPERFLOWS FAIL CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)
    QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)

    Workaround
    Use a hard-coded IP in the rule test instead of using a reference set.

    Issue
It has been identified that a rule that tests the source/destination IP against an IP type reference set fails for superflows with the exception: Failed to parse IP address: Multiple (X)
    13 December 2019
    FLOWS / QRADAR NETWORK INSIGHTS (QNI) IJ20540 QRADAR NETWORK INSIGHTS (QNI) FLOWS INTO QRADAR ARE DECREASED AND/OR STOP SENDING ENTIRELY CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)
    QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)

    Workaround
    Temporarily change from Advanced (High) inspection to Enriched (Med) inspection.

    Issue
    It has been identified that in some instances QRadar Network Insights can decrease and/or stop sending flows into QRadar when associated decapper/tika threads are in a stuck state.
    27 March 2020
    BACKUP / RECOVERY IJ21252 BACKUP/RESTORE PAGE IN THE QRADAR USER INTERFACE CAN FAIL TO LOAD 'PLEASE WAIT WHILE THE REQUESTED INFORMATION IS GATHERED' CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)
    QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)

    Workaround
    Reduce the number of backups available to the QRadar system.

    Issue
It has been identified that the QRadar User Interface "Backup and Recovery" page in environments with a very large number of backups (multiple thousands) hangs while loading for an extended period of time. The page partially loads with a message similar to the following: "Please wait while the requested information is gathered...".
    09 December 2019
    INSTALL / UPGRADE IJ23224 IPV6 MANAGED HOSTS DO NOT AUTOMATICALLY PATCH WHEN USING THE "PATCH ALL" OPTION CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)
    QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)

    Workaround
After verifying the Console is successfully patched, copy the patch SFS to the Managed Host, and perform the patch process steps manually on affected Managed Hosts.

    Issue
Managed Hosts configured with IPv6 addresses fail to patch automatically when the "Patch All" option is selected for the patching process. Output similar to the following might be visible when this issue occurs:
    Status Summary of Hosts
    +---------+-------------------+
    |Hostname |Status             |
    |---------+-------------------|
    |{hostname}|No Action Performed|
    |{hostname}|Patch Successful   |
    +---------+-------------------+
    Sep 26 11:17:05 2018: Sep 26 11:17:05 2018:[DEBUG](posthost)
    ip=ipv6address
    Sep 26 11:17:05 2018: Sep 26 11:17:05 2018:[DEBUG](posthost)
    starting
    Sep 26 11:17:05 2018: Sep 26 11:17:05 2018:[DEBUG](posthost)
    Found 0 patch report files.
    Sep 26 11:17:05 2018: Sep 26 11:17:05 2018:[DEBUG](posthost)
    Patch Report for ipv6address, appliance type: 3199
    {hostname} :  patch test succeeded.
    {hostname}-secondary :  patch test succeeded.
    {hostname} :  patch succeeded.
    {hostname}-secondary :  patch succeeded.
    Tried 3 times to copy file but md5 sums never matched after
    copy operations.
    Sep 26 11:17:05 2018: Sep 26 11:17:05 2018:[DEBUG](posthost) pr=
    Patch Report for (ipv6_address),
    appliance type: 3199
    {hostname} :  patch test succeeded.
    {hostname}-secondary :  patch test succeeded.
    {hostname} :  patch succeeded.
    {hostname}-secondary :  patch succeeded.
    Tried 3 times to copy file but md5 sums never matched after
    copy operations.
    13 March 2020
    INSTALL / UPGRADE IJ23465 PATCH PRETEST VALIDATE_HOSTNAME.SH CAN FAIL ON A SECONDARY MANAGED HOST APPLIANCE CAUSING PATCH PROCESS TO FAIL CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)
    QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)

    Workaround
    Contact Support for a possible workaround that might address this issue in some instances.

    Issue
    During the QRadar patch pretest, the validate_hostname.sh script can fail when running on a Secondary Managed Host appliance in a High Availability pair causing the patch to fail. Messages similar to the following might be visible when this issue occurs:
    [INFO](testmode) Running pretest 7/8: Validate deployment
    hostnames
    ERROR: This patch requires SSH access to all Managed Hosts to
    validate hostnames.
    ERROR: The following Managed Hosts are not accessible via SSH:
    - {appliance}
    [ERROR](testmode) Patch pretest 'Validate deployment hostnames'
    failed. (validate_hostname.sh)
    [INFO](testmode) Running pretest 8/8: Check for QIF appliances
    in deployment
    [ERROR](testmode) Failed 1/8 pretests. Aborting the patch.
    [ERROR](testmode) Failed pretests
    [ERROR](testmode) Pre Patch Testing shows a configuration
    issue. Patching this host cannot continue.
    [INFO](testmode) Set ip-135-56 status to 'Patch Test Failed'
    [ERROR](testmode) Patching can not continue
    Status Summary of Hosts
    +----------+-------------------+
    |Hostname  |Status             |
    |----------+-------------------|
    |appliance |Patch Test Failed  |
    |appliance |No Action Performed|
    +----------+-------------------+
    Patch Report for {ipaddress}, appliance type: 500
    Patch pretest 'Validate deployment hostnames' failed.
    (validate_hostname.sh)
    {appliance}:  patch test failed.
    23 March 2020
    RULES IJ23642 PERFORMANCE IMPROVEMENTS WITH REFERENCE DATA AND CUSTOM RULE ENGINE PROCESSING CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)
    QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)

    Workaround
    No workaround available.

    Issue
    QRadar requires an improvement with the performance of Custom Rule Engine processing of Reference Data.
    17 March 2019
    INSTALL / UPGRADE IJ23684 QRADAR PATCHING PROCESS CAN FAIL ON DB_UPDATE.187085.HOSTNAMETYPE_UPDATE.SQL CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)
    QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)

    Workaround
    Contact Support for a possible workaround that might address this issue in some instances.

    Issue
    QRadar patching process can fail on db_update.187085.hostnametype_update.sql
    23 March 2020
    INSTALL / UPGRADE IJ23685 QRADAR PATCHING PROCESS CAN FAIL ON DB_UPDATE_740.ARIEL_GENERICLIST_PROPERTY_EXPRESSION.SQL CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)
    QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)

    Workaround
    Contact Support for a possible workaround that might address this issue in some instances.

    Issue
    QRadar patching process can fail on db_update_740.ariel_genericlist_property_expression.sql
    23 March 2020
    LICENSE IJ21568 NO WARNING OF UPCOMING EPS/FPS LICENSE EXPIRING CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)
    QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002)

    Workaround
    Contact Support for a possible workaround that might address this issue in some instances.

    Issue
No warning message is displayed for a QRadar license that is nearing expiration on an Event Processor when the EPS/FPM license expires. This causes the license pool to become over-allocated without appropriate notice.

    For example:
There is no warning message that the license is going to expire soon, only a message that the license has expired. Current behavior: License "{LicenseIdentity}" allocated to host {IP ADDRESS} has expired.
    20 December 2019
    AUTHENTICATION / LDAP IJ20982 QRADAR LDAP AUTHENTICATION CAN FAIL DUE TO SHA1 CERTIFICATES BEING BLOCKED CLOSED Resolved in
    QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)

    Workaround
    Contact Support for a possible workaround that might address this issue in some instances.

    Issue
    It has been identified that SHA1 certificates can be blocked due to invalid algorithms. QRadar LDAP authentication can fail when this issue occurs. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    tomcat[25530]: at
    org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
    tomcat[25530]: at
    org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java)
    tomcat[25530]: at
    org.apache.coyote.AbstractProcessorLight.process(AbstractProcess
    orLight.java:66)
    tomcat[25530]: at
    org.apache.coyote.AbstractProtocol$ConnectionHandler.process(Abs
    tractProtocol.java:806)
    tomcat[25530]: at
    org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(Nio
    Endpoint.java:1498)
    tomcat[25530]: at
    org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcess
    orBase.java:49)
    tomcat[25530]: at
    java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExec
    utor.java:1160)
    tomcat[25530]: at
    java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExe
    cutor.java:635)
    tomcat[25530]: at
    org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(T
    askThread.java:61)
    tomcat[25530]: at java.lang.Thread.run(Thread.java:812)
    tomcat[25530]: Caused by:
    tomcat[25530]: javax.net.ssl.SSLHandshakeException:
    java.security.cert.CertificateException: Certificates does not
    conform to algorithm constraints
    tomcat[25530]: at com.ibm.jsse2.k.a(k.java:42)
    tomcat[25530]: at com.ibm.jsse2.av.a(av.java:688)
    tomcat[25530]: at com.ibm.jsse2.D.a(D.java:495)
    tomcat[25530]: at com.ibm.jsse2.D.a(D.java:534)
    tomcat[25530]: at com.ibm.jsse2.E.a(E.java:151)
    tomcat[25530]: at com.ibm.jsse2.E.a(E.java:401)
    tomcat[25530]: at com.ibm.jsse2.D.r(D.java:444)
    tomcat[25530]: at com.ibm.jsse2.D.a(D.java:399)
    tomcat[25530]: at com.ibm.jsse2.av.a(av.java:1006)
    tomcat[25530]: at com.ibm.jsse2.av.i(av.java:574)
    tomcat[25530]: at com.ibm.jsse2.av.a(av.java:468)
    tomcat[25530]: at com.ibm.jsse2.i.write(i.java:17)
    tomcat[25530]: at
    java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java)
    tomcat[25530]: at
    java.io.BufferedOutputStream.flush(BufferedOutputStream.java)
    tomcat[25530]: at
    com.sun.jndi.ldap.Connection.writeRequest(Connection.java:455)
    tomcat[25530]: at
    com.sun.jndi.ldap.Connection.writeRequest(Connection.java:428)
    tomcat[25530]: at
    com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:371)
    tomcat[25530]: at
    com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:226)
    tomcat[25530]: ... 84 more
    tomcat[25530]: Caused by:
    tomcat[25530]: java.security.cert.CertificateException:
    Certificates does not conform to algorithm constraints
    tomcat[25530]: at com.ibm.jsse2.aB.a(aB.java:18)
    tomcat[25530]: at com.ibm.jsse2.aB.a(aB.java:82)
    tomcat[25530]: at
    com.ibm.jsse2.aB.checkServerTrusted(aB.java:45)
    tomcat[25530]: at com.ibm.jsse2.E.a(E.java:757)
    tomcat[25530]: ... 97 more
    13 November 2019
    ROUTING RULES / FORWARDED EVENTS IJ22899 OFFLINE FORWARDED NORMALIZED EVENTS DO NOT HAVE ASSOCIATED EVENT PROCESSOR ID IN LOG ACTIVITY OF DESTINATION HOST CLOSED Resolved in
    QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)
    QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)

    Workaround
    No workaround available.

    Issue
    Offline forwarded normalized events display unknown Event Processor (EP) in the Log Activity of the destination host. As there is no associated Event Processor ID, this can cause event investigation issues during drill down in Offenses, rule triggering correlation, etc.
    14 February 2020
QRADAR DEPLOYMENT INTELLIGENCE APP (QDI) IJ22709 QRADAR DEPLOYMENT INTELLIGENCE (QDI) APP ADVANCED HEALTH QUERY DISPLAYS BLANK GRAPHS FOR ENCRYPTED MANAGED HOSTS OPEN: Reported as an issue in QRadar 7.3.2 Patch 6 and later.

Workaround
    No workaround available.

    Issue
    The QRadar Deployment Intelligence (QDI) App displays blank graphs when attempting to perform an advanced health query on an encrypted Managed Host.

    This is caused by the advanced health querying using the Managed Host primary IP instead of the VIP (tunnel IP).
    14 February 2020
SYSTEM NOTIFICATIONS IJ22344 'NO SEARCH WAS FOUND WITH ID SYSTEM-LOGS. DROPPING BACK TO DEFAULT SEARCH' IN SYSTEM NOTIFICATIONS AND LOGGING OPEN: Reported as an issue in QRadar 7.3.2 Patch 5 and later.

Workaround
    No workaround available.

    Issue
    Messages similar to the following might be visible in QRadar System Notifications and in /var/log/qradar.error after applying a QRadar patch:
    [tomcat.tomcat] [admin@xx.xx.xx.xx(8380)
    /console/do/ariel/arielSearch]
    com.q1labs.ariel.ui.action.ArielSearch: [WARN]
    [NOT:0000004000][xx.xx.xx.xx/- -] [-/- -]No search was found
    with id SYSTEM-LOGS. Dropping back to default search.
    14 February 2020
RULES / PERFORMANCE VISUALIZATION IJ22339 RULE PERFORMANCE INFORMATION FOR MODIFIED DEFAULT/SYSTEM RULES IS STORED IN THE ORIGINAL RULE NOT IN THE UPDATED RULE OPEN: Reported as an issue in QRadar 7.3.2 and later.

Workaround
    No workaround available.

    Issue
    Rule performance data for modified System/Default Rules is stored in the original rule, not the modified rule. This can lead to incorrect Rule Performance visualization data.
    14 February 2020
    AUDIT LOG IJ22766 EVENT MAPPING ADDS OR EDITS PERFORMED USING THE 'MAP EVENT' BUTTON IN LOG ACTIVITY ARE NOT AUDITED CLOSED Resolved in QRadar 7.4.1 (7.4.1.20200716115107)

    Workaround
    No workaround available.

    Issue
    Event mapping adds or edits performed using Log Activity -> View Event Information -> Click on Map Event are not audited in /var/log/audit/audit.log
    14 February 2020
    JDBC PROTOCOL / LOG SOURCE MANAGEMENT APP IJ20450 LOG SOURCE MANAGEMENT APP IS NOT ABLE TO CREATE JDBC LOG SOURCE WHEN 'NONE' IS CHOSEN FROM THE 'QUERYLIST' CLOSED Resolved in
    PROTOCOL-JDBC-7.3-20200110201324.noarch.rpm or later. This protocol update is available through QRadar weekly auto updates.

    Workaround
    Use the legacy Log Source management user interface to create JDBC log sources where the Predefined Query field must be set to None.

    Issue
    It has been identified that creating a JDBC Log Source using the Log Source Management app fails when 'none' is chosen from the Predefined Query field. Using the legacy Log Source User Interface (UI) to create the same Log Source works as expected.
    23 October 2019
ORACLE DATABASE LISTENER PROTOCOL IJ22710 REPEATED 'CAUGHT SIGPIPE, RESET CONNECTION' EVENTS BEING GENERATED WHEN USING PROTOCOL ORACLE DATABASE LISTENER OPEN: Reported in QRadar 7.3.1 Patch 8 and later.

Workaround
    No workaround available.

    Issue
    When using Log Sources configured with the Oracle Database Listener Protocol, the oracle_osauditlog_fwdr.pl script is causing repeated "caught sigpipe, reset connection" events to be generated.
    19 February 2020
LOG ACTIVITY IJ22898 POPUP "ERROR! NO NODE SENT TO TREE METHOD 'EXPANDNODE()'" IN LOG ACTIVITY TAB WHEN USING DOUBLE BYTE CHARACTER SET LOCALE OPEN: Reported in QRadar 7.3.2 Patch 6 and later.

Workaround
    No workaround available.
    Note: This does not occur when using the English locale in QRadar.

    Issue
A Client Exception popup message can occur in the QRadar User Interface on the Log Activity tab when QRadar is configured to use a double byte character set locale and the following navigation path is attempted:
1. Click the Log Activity tab.
2. From the navigation menu, select Search > New Search.
3. In the Search Parameters field, select Source Network.
4. From the Operator drop-down, select Equals.
5. In the Value drop-down, attempt to select a value entry.
Results
  The following error popup is generated:
  Client Exception
  The following client exception occurred while handling the server response:
  {0} Error: ERROR! No node sent to Tree method "expandNode()"
    28 February 2020
APACHE KAFKA / LOG SOURCE MANAGEMENT APP IJ22711 MULTILINE LOG SOURCE IDENTIFIER PATTERN FOR APACHE KAFKA PROTOCOL NOT WORKING WITH LOG SOURCE MANAGEMENT APP OPEN: Reported in QRadar 7.3.2 Patch 4 and later.

Workaround
    Use the legacy Log Sources User Interface instead of the Log Source Management App.

    Issue
The Log Source Management App saves the Multiline Log Source Identifier Pattern without a valid line-break regex for the Apache Kafka Protocol.
    28 February 2020
    APPLICATION FRAMEWORK / CERTIFICATES IJ23059 APPS CAN FAIL TO LOAD DUE TO CERTIFICATES NOT BEING RENEWED AS EXPECTED WHEN THE QRADARCA-MONITOR SERVICE HANGS CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)
    QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)

    Workaround
    A restart of the qradarca-monitor service running on the QRadar Console can often correct the stuck service.
    # systemctl restart qradarca-monitor
    Issue
    QRadar Apps can fail to load due to expired certificates not being renewed if the qradarca-monitor service is in a stuck state. Messages similar to the following might be visible in /var/log/messages when this issue occurs:
    bash[119986]: net.runtime_pollWait(0x7f9c451ffe70, 0x72, 0x8)
    bash[119986]:
    /root/.gradle/go/binary/1.8.3/go/src/runtime/netpoll.go:164 +0x59
    bash[119986]: net.(*pollDesc).wait(0xc4202a81b8, 0x72, 0x8cdfc0, 
    0x8ca560)
    bash[119986]: /root/.gradle/go/binary/1.8.3/go/src/net/fd_poll_
    runtime.go:75+0x38
    bash[119986]: net.(*pollDesc).waitRead(0xc4202a81b8,0xc42028eab8,0x1)
    bash[119986]: /root/.gradle/go/binary/1.8.3/go/src/net/fd_poll_
    runtime.go:80+0x34
    bash[119986]: net.(*netFD).Read(0xc4202a8150, 0xc42028eab8,
    0x1, 0x1, 0x0, 0x8cdfc0, 0x8ca560)
    bash[119986]: /root/.gradle/go/binary/1.8.3/go/src/net/fd_unix.
    go:250 +0x1b7
    bash[119986]: net.(*conn).Read(0xc4202aa038, 0xc42028eab8,
    0x1, 0x1, 0x0, 0x0, 0x0)
    bash[119986]: /root/.gradle/go/binary/1.8.3/go/src/net/net.go:
    181 +0x70
    bash[119986]: io.ReadAtLeast(0x7f9c45200170, 0xc4202aa038,
    0xc42028eab8, 0x1, 0x1, 0x1, 0x6f3a40, 0x1, 0xc42028eab8)
    bash[119986]: /root/.gradle/go/binary/1.8.3/go/src/io/io.go:307 
    +0xa9
    bash[119986]: io.ReadFull(0x7f9c45200170, 0xc4202aa038,
    0xc42028eab8, 0x1, 0x1, 0x40, 0x53c8e0, 0x7f9c45200170)
    bash[119986]: /root/.gradle/go/binary/1.8.3/go/src/io/io.go:325 
    +0x58
    bash[119986]: q1git.canlab.ibm.com/pi/si-qradarca/vendor/golang.
    org/x/crypto/s
    sh.readVersion(0x7f9c45200170, 0xc4202aa038, 0xc4202aa038,
    0x7f9c45200170, 0xc4202aa038, 0x0, 0x0)
    bash[119986]: /builds/pi/si-qradarca/.gogradle/project_gopath/src/
    q1git.canlab.ibm.com/pi/si-qradarca/vendor/golang.org/x/crypto/ssh/
    transport.go:317 +0x101
    bash[119986]: q1git.canlab.ibm.com/pi/si-qradarca/vendor/golang.org
    /x/crypto/ssh.exchangeVersions(0x8ced40, 0xc4202aa038, 0xc42028ead0,
    0xa, 0x10, 0x10, 0x0, 0x8, 0x5, 0x8)
    bash[119986]: /builds/pi/si-qradarca/.gogradle/project_gopath/src/
    q1git.canlab.ibm.com/pi/si-qradarca/vendor/golang.org/x/crypto/
    ssh/transport.go:301 +0x111
    bash[119986]: q1git.canlab.ibm.com/pi/si-qradarca/vendor/golang.
    org/x/crypto/ssh.(*connection).clientHandshake(0xc4202a4a80, 
    0xc42028ea80, 0x10, 0xc420322a90, 0x0, 0x0)
    bash[119986]: /builds/pi/si-qradarca/.gogradle/project_gopath/src/
    q1git.canlab.ibm.com/pi/si-qradarca/vendor/golang.org/x/crypto/
    ssh/client.go:100 +0xf7
    bash[119986]: q1git.canlab.ibm.com/pi/si-qradarca/vendor/golang.org
    /x/crypto/ssh.NewClientConn(0x8d2ee0, 0xc4202aa038, 0xc42028ea80, 0x10,
    0xc42016c230, 0x8d2ee0, 0xc4202aa038, 0x0, 0x0, 0xc42028ea80,...)
    bash[119986]: /builds/pi/si-qradarca/.gogradle/project_gopath/src/
    q1git.canlab.ibm.com/pi/si-qradarca/vendor/golang.org/x/crypto/
    ssh/client.go:83 +0x103
    bash[119986] q1git.canlab.ibm.com/pi/si-qradarca/vendor/golang.org/
    x/crypto/ssh.Dial(0x764983, 0x3, 0xc42028ea80, 0x10, 0xc42016c230,
    0xc42028ea80, 0x10, 0xc42031e000)
    bash[119986]: /builds/pi/si-qradarca/.gogradle/project_gopath/src/
    q1git.canlab.ibm.com/pi/si-qradarca/vendor/golang.org/x/crypto/ssh/
    client.go:177 +0xb3
    bash[119986]: q1git.canlab.ibm.com/pi/si-qradarca/localca.connectToHost
    (0x764c0e, 0x4, 0xc42019ca86, 0xd, 0x1, 0xc420292840, 0x31, 0xdd)
    bash[119986]: /builds/pi/si-qradarca/.gogradle/project_gopath/src/
    q1git.canlab.ibm.com/pi/si-qradarca/localca/util.go:281 +0x260
    bash[119986]: q1git.canlab.ibm.com/pi/si-qradarca/localca.CheckRemote
    FileExisted(0x764c0e, 0x4, 0xc42019ae80, 0x20, 0xc42019ca86, 0xd,
    0xc42016c400, 0x0, 0x0)
    bash[119986]: /builds/pi/si-qradarca/.gogradle/project_gopath/src/
    q1git.canlab.ibm.com/pi/si-qradarca/localca/remote.go:62 +0x136
    bash[119986]: q1git.canlab.ibm.com/pi/si-qradarca/localca.checkCertifi
    cateOnRemote(0xc42019ca86, 0xd, 0xc4201937d0, 0x9, 0xc42019ae60, 0x12,
    0xc4201937e0, 0x9, 0x764b6a, 0x4, ...)
    bash[119986]: /builds/pi/si-qradarca/.gogradle/project_gopath/src/
    q1git.canlab.ibm.com/pi/si-qradarca/localca/check.go:94 +0x2a6
    bash[119986]: q1git.canlab.ibm.com/pi/si-qradarca/localca.regenerate
    CertFromCSR(0x3, 0xc4201506b8, 0x6, 0xc4201423c0, 0x29, 0xc4201426f0,
    0x21, 0x2, 0x9211a0, 0x0, ...)
    bash[119986]: /builds/pi/si-qradarca/.gogradle/project_gopath/src/
    q1git.canlab.ibm.com/pi/si-qradarca/localca/monitor.go:228 +0x421
    bash[119986]: q1git.canlab.ibm.com/pi/si-qradarca/localca.(*checkmap).
    monitorAndRegenerateCert(0xc42016d978, 0x3, 0xc4201506b8, 0x6,
    0xc4201423c0, 0x29, 0xc4201426f0, 0x21, 0x2, 0x9211a0, ...)
    bash[119986]: /builds/pi/si-qradarca/.gogradle/project_gopath/src/
    q1git.canlab.ibm.com/pi/si-qradarca/localca/monitor.go:177 +0x307
    bash[119986]: q1git.canlab.ibm.com/pi/si-qradarca/localca.monitorCert(0xc4201500a0, 0x0, 0x1, 0xc420164000)
    bash[119986]: /builds/pi/si-qradarca/.gogradle/project_gopath/src/q1git.canlab.ibm.com/pi/si-qradarca/localca/monitor.go:197 +0x49e
    bash[119986]: q1git.canlab.ibm.com/pi/si-qradarca/localca.(*monitor).MonitorCertificates(0x9211a0, 0xc4201500a0, 0x0, 0xc4201500b0, 0x0)
    bash[119986]: /builds/pi/si-qradarca/.gogradle/project_gopath/src/q1git.canlab.ibm.com/pi/si-qradarca/localca/monitor.go:46 +0x41
    bash[119986]: main.cmdExecutor(0x4062fc, 0xc4200b2058)
    bash[119986]: /builds/pi/si-qradarca/.gogradle/project_gopath/src/q1git.canlab.ibm.com/pi/si-qradarca/main.go:462 +0x3d79
    bash[119986]: main.main(
    bash[119986]: goroutine 9 [select, 46859 minutes]:
    bash[119986]: q1git.canlab.ibm.com/pi/si-qradarca/vendor/golang.org/x/crypto/ssh.(*handshakeTransport).kexLoop(0xc4200d09a0)
    bash[119986]: /builds/pi/si-qradarca/.gogradle/project_gopath/src/q1git.canlab.ibm.com/pi/si-qradarca/vendor/golang.org/x/crypto/ssh/handshake.go:268 +0x823
    bash[119986]: created by q1git.canlab.ibm.com/pi/si-qradarca/vendor/golang.org/x/crypto/ssh.newClientTransport
    bash[119986]: /builds/pi/si-qradarca/.gogradle/project_gopath/src/q1git.canlab.ibm.com/pi/si-qradarca/vendor/golang.org/x/crypto/ssh/handshake.go:135 +0x1c8
    bash[119986]: goroutine 25 [chan receive, 46859 minutes]:
    bash[119986]: q1git.canlab.ibm.com/pi/si-qradarca/vendor/golang.org/x/crypto/ssh.(*Client).handleChannelOpens(0xc4201c0580, 0xc4201e8300)
    bash[119986]: /builds/pi/si-qradarca/.gogradle/project_gopath/src/q1git.canlab.ibm.com/pi/si-qradarca/vendor/golang.org/x/crypto/ssh/client.go:147 +0x68
    28 February 2020
    EVENT PIPELINE / DISK SPACE IJ23194 EVENT COLLECTION ON APPLIANCES CAN STOP DUE TO AN INCORRECT PIPELINEDISKMONITOR FREE SPACE CALCULATION CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)
    QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)

    Workaround
    Run the following from the command line on all QRadar appliances:
    # sed -i.bak 's/du -sB/du -xsB/' /opt/qradar/bin/pipelineDiskMonitor.py

    Issue
    The event collection service ecs-ec-ingress on QRadar appliances can stop sending events because of an incorrect free-space calculation in the pipelineDiskMonitor.py script, which does not take into account that other filesystems can be mounted under /store. The script's du -sB call sums those mounts as well and compares the total with the size of the /store partition alone; the -x flag added by the workaround restricts du to the /store filesystem.

    Note: A "percents=" value greater than 100% in the warning below, for example "percents=148%", indicates that this miscalculation is the cause of event collection stopping.

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [ecs-ec-ingress.ecs-ec-ingress] [PipelineDiskMonitor]
    com.ibm.si.ecingress.destinations.SECStoreForwardDestination(ecs
    -ec-ingress/EC_Ingress/TCP_TO_ECParse): [WARN]
    [NOT:0060005100][10.1.17.76/- -] [-/- -]PipelineDiskMonitor has
    detected that spillover queue threshold is crossed
    (total=70252554 MB, used=103749251  MB, free=-33496697  MB,
    percents=148%, ingress=1%, ec=1%). The ecs-ec-ingress starts
    dropping events until disk issue resolved.
    13 March 2020
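    The checks below are an added example and not code from this page or from IBM: a parser that scans qradar.log lines for the PipelineDiskMonitor warning and separates genuine spillover threshold crossings from the physically impossible figures (used larger than total, negative free space, more than 100%) that identify IJ23194, plus a statvfs-based usage reading that, like du -x, is confined to the /store filesystem itself rather than summing every file beneath the mount point. The log lines are constructed from the message format quoted above.

```python
import os
import re

# Constructed sample records in the format of the IJ23194 warning quoted above
# (one log record per line, as written to /var/log/qradar.log).
SAMPLE_LOG = [
    "[ecs-ec-ingress.ecs-ec-ingress] [PipelineDiskMonitor] "
    "com.ibm.si.ecingress.destinations.SECStoreForwardDestination(ecs-ec-ingress/EC_Ingress/TCP_TO_ECParse): "
    "[WARN] [NOT:0060005100][10.1.17.76/- -] [-/- -]PipelineDiskMonitor has detected that spillover queue "
    "threshold is crossed (total=70252554 MB, used=103749251  MB, free=-33496697  MB, percents=148%, "
    "ingress=1%, ec=1%). The ecs-ec-ingress starts dropping events until disk issue resolved.",
    "[ecs-ec-ingress.ecs-ec-ingress] [PipelineDiskMonitor] "
    "com.ibm.si.ecingress.destinations.SECStoreForwardDestination(ecs-ec-ingress/EC_Ingress/TCP_TO_ECParse): "
    "[WARN] [NOT:0060005100][10.1.17.76/- -] [-/- -]PipelineDiskMonitor has detected that spillover queue "
    "threshold is crossed (total=70252554 MB, used=63227298 MB, free=7025256 MB, percents=90%, "
    "ingress=1%, ec=1%). The ecs-ec-ingress starts dropping events until disk issue resolved.",
    "[ecs-ec-ingress.ecs-ec-ingress] [EC_Ingress] [INFO] unrelated record",
]

_WARN_RE = re.compile(
    r"spillover queue threshold is crossed\s*\("
    r"total=(?P<total>-?\d+)\s*MB,\s*used=(?P<used>-?\d+)\s*MB,"
    r"\s*free=(?P<free>-?\d+)\s*MB,\s*percents=(?P<percents>-?\d+)%"
)


def parse_disk_monitor_warning(line):
    """Return the MB/percent figures of a PipelineDiskMonitor warning, or None."""
    m = _WARN_RE.search(line)
    return {k: int(v) for k, v in m.groupdict().items()} if m else None


def is_miscalculation(fields):
    """Impossible figures (used > total, negative free, above 100%) are the
    signature of IJ23194: du summed filesystems mounted under /store and the
    result was compared with the size of the /store partition alone."""
    return fields["used"] > fields["total"] or fields["free"] < 0 or fields["percents"] > 100


def classify_log(lines):
    """Split warnings into genuine threshold crossings and IJ23194 miscalculations.
    Returns (genuine, miscalculated), each a list of (line_number, fields)."""
    genuine, bogus = [], []
    for n, line in enumerate(lines, 1):
        fields = parse_disk_monitor_warning(line)
        if fields is None:
            continue
        (bogus if is_miscalculation(fields) else genuine).append((n, fields))
    return genuine, bogus


def partition_usage(path):
    """Usage of the filesystem holding `path`, from statvfs rather than a du
    walk, so filesystems mounted underneath (for example under /store) are
    not counted against the parent partition. Figures are MB, like the log."""
    st = os.statvfs(path)
    mb = st.f_frsize / (1024 * 1024)
    total = st.f_blocks * mb
    free = st.f_bavail * mb
    used = (st.f_blocks - st.f_bfree) * mb
    # Same convention as df(1): percentage of the space available to unprivileged users.
    percents = round(100 * used / (used + free)) if used + free else 0
    return {"total": int(total), "used": int(used), "free": int(free), "percents": percents}


if __name__ == "__main__":
    genuine, bogus = classify_log(SAMPLE_LOG)
    for n, f in bogus:
        print(f"line {n}: percents={f['percents']}% free={f['free']} MB -> IJ23194 miscalculation")
    for n, f in genuine:
        print(f"line {n}: percents={f['percents']}% -> real spillover threshold crossing")
    target = "/store" if os.path.isdir("/store") else "/"
    print(f"{target} as reported by statvfs:", partition_usage(target))
```

    After applying the sed workaround, confirming that the script now contains the string 'du -xsB' on every appliance, and that new PipelineDiskMonitor warnings no longer exceed 100%, is the practical check that the fix took effect.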
    OUTPOST24 VULNERABILITY SCANNER IJ23038 LAST SCAN DATE DISPLAYED FOR OUTPOST24 VULNERABILITY SCANNER WITHIN QRADAR CAN BE INCORRECT OPEN: Reported in QRadar 7.3.2 Patch 5 and later. Workaround
    No workaround available.

    Issue
    Incorrect Last Scan date value is displayed in QRadar for an Outpost24 vulnerability scan.

    To replicate this reported issue:
    1. Configure Outpost24 to run on date Jan 20, 2020 and get the scan results into QRadar.
    2. Run a new scan on Outpost24 on Feb 20, 2020 and get the scan results in QRadar.

      Results
      QRadar does not update the Last Scan date value to the appropriate date.
    06 March 2020
    OFFENSES / EMAIL ALERTS IV49730 IT IS NOT POSSIBLE TO CUSTOMIZE OFFENSE RULE EMAIL ALERTS CLOSED Resolved in
    QRadar 7.4.0 (7.4.0.20200304205308)

    Workaround
    Install QRadar 7.4 where features added in this version resolve this reported APAR.

    Issue
    Email alerts for event and flow rules can be customized by editing /store/configservices/staging/globalconfig/templates/custom_alerts/alert-config.xml, but it is not possible to customize the email alerts for offense-based rules.
    21 April 2015
    CONTENT MANAGEMENT TOOL (CMT) IV80631 CONTENT MANAGEMENT TOOL IMPORTS CAN SOMETIMES TAKE LONGER THAN EXPECTED AND/OR FAIL AFTER RUNNING FOR A LONG PERIOD OF TIME CLOSED Note: This issue is currently tagged closed as a suggestion for a future release.
    The legacy CMT is not being maintained in its current implementation. Performance is a primary concern in the CMT rewrite, so this type of issue should not recur once import support is written in the new implementation.

    Workaround
    If possible, do not have Reference Set elements in the Content Management Tool (CMT) export prior to attempting the bundled CMT import.

    Issue
    Content Management Tool imports that include Reference Set elements can sometimes run for an unexpectedly long period of time. In some instances, an import that kept running for multiple days has been known to end in an out-of-memory error.
    03 January 2020
    DEPLOY CHANGES IV87562 A QRADAR 'DEPLOY' FUNCTION CAN RESTART TUNNELS UNEXPECTEDLY CLOSED Resolved in
    QRadar 7.4.0 (7.4.0.20200304205308)

    Workaround
    No workaround available.

    Issue
    It has been observed that a QRadar 'Deploy Changes' can sometimes restart tunnels unnecessarily after changes are made in the User Interface that should not require a tunnel restart.

    For example, tunnels restart after a regular 'Deploy Changes' that follows these user actions:
    1. Adding a new user
    2. Updating the Network Hierarchy
    04 August 2016
    DASHBOARD IV94448 DASHBOARDS ELEMENTS/WIDGETS THAT HAVE BEEN SHARED CAN SOMETIMES FAIL TO LOAD IN THE QRADAR USER INTERFACE CLOSED Resolved in
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.2 (7.3.2.20190201201121).

    Issue
    After sharing Dashboards, it has been observed that some of the shared Dashboard elements/widgets can fail to load and exceptions in /var/log/qradar.error similar to the following might be visible upon user login:
    [tomcat] [admin@127.0.0.1 (3814)
    /console/JSON-RPC/QRadar.getDashboardSearch
    QRadar.getDashboardSearch]
    com.q1labs.qradar.ui.widget.graph.ArielSearchGraphWidget:
    [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -]Could not parse
    'items to graph' from user data:
    [tomcat] admin@127.0.0.1 (3814)
    /console/JSON-RPC/QRadar.getDashboardSearch
    QRadar.getDashboardSearch] java.lang.NumberFormatException: For
    input string: ""
    [tomcat] [admin@127.0.0.1 (3814)
    /console/JSON-RPC/QRadar.getDashboardSearch
    QRadar.getDashboardSearch]    at
    java.lang.NumberFormatException.forInputString(NumberFormatException.java)
    03 January 2020
    DASHBOARD IV96788 SETTING UP DISPLAYED DASHBOARD RESTRICTIONS BY USER ROLE IS NOT HONORED CLOSED Note: This issue is currently tagged closed as a suggestion for a future release.

    When a user is created or deployed, they inherit a copy of the out-of-the-box dashboard templates. These are modifiable because they are a user-owned copy of the template. The User Role dashboard sharing feature applies only to user-created dashboards. When shared using the 'Share' option, the dashboards are read-only (a user who is not the owner cannot delete them). In a future release, dashboards will be moved to the Pulse app.

    Issue
    It has been observed after configuring Dashboards for QRadar users, and attempting to restrict the Available Dashboards by User Role, that the Dashboard viewing restrictions are not honored.
    05 June 2018
    QRADAR VULNERABILITY MANAGER / SCAN REPORT IV98492 QRADAR VULNERABILITY MANAGER SCAN CAN SOMETIMES NOT DETECT MS17-010 VULNERABILITY CLOSED Resolved in
    QRadar 7.4.0 (7.4.0.20200304205308)

    Workaround
    Create a scan policy and include only the netbios tool group.

    Issue
    It has been identified that QVM vulnerability scans do not detect the "CVE-2017-0143 - MS17-010 - Microsoft - Windows - EternalBlue Issue" vulnerability when a scan policy contains only the "smb - EternalBlue - MS17-010" tool.
    31 July 2017
    MANAGED HOST / HOSTCONTEXT SERVICES IJ02072 QRADAR LOGGING REPORTS HOSTCONTEXT '...TOO MANY OPEN FILES' MESSAGES CLOSED Resolved in
    QRadar 7.4.0 (7.4.0.20200304205308)

    Workaround
    No workaround available.

    The file handle issue was partially addressed in APAR IV94782, but an outstanding issue causing the same behavior could still be present.

    Issue
    It has been observed in some customer environments that Hostcontext can run out of available file handles due to code relating to nva.conf.

    Repetitive messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [hostcontext.hostcontext] [ProcessMonitor] java.io.IOException:
    error=24, Too many open files
    13 December 2017
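    An added check, not part of this page or of QRadar, for the failure mode described in IJ02072: it compares the number of descriptors a process holds against its 'Max open files' soft limit from /proc, so an approaching exhaustion is visible before the JVM logs error=24. The limits text is constructed in the kernel's format; locating the Hostcontext JVM by the string 'hostcontext' in its command line is an assumption, and the check only works on a Linux host with /proc mounted.

```python
import os

# Constructed sample of /proc/<pid>/limits, in the format the kernel writes.
SAMPLE_LIMITS = """Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max file size             unlimited            unlimited            bytes
Max open files            1024                 4096                 files
Max processes             31396                31396                processes
"""


def parse_open_files_limit(limits_text):
    """Return (soft, hard) from the 'Max open files' row; None stands for 'unlimited'."""
    for line in limits_text.splitlines():
        if line.startswith("Max open files"):
            soft, hard = line[len("Max open files"):].split()[:2]
            conv = lambda v: None if v == "unlimited" else int(v)
            return conv(soft), conv(hard)
    raise ValueError("no 'Max open files' row in limits text")


def usage_state(open_fds, soft, warn_at=80):
    """'ok', 'warning' (at or above warn_at percent of the soft limit) or
    'exhausted', the state in which the JVM logs 'error=24, Too many open files'."""
    if soft is None:
        return "ok"
    if open_fds >= soft:
        return "exhausted"
    return "warning" if 100 * open_fds / soft >= warn_at else "ok"


def fd_usage(pid):
    """Open descriptors of `pid` against its limits, read from /proc.
    Returns None when /proc is not available (non-Linux host)."""
    fd_dir = f"/proc/{pid}/fd"
    if not os.path.isdir(fd_dir):
        return None
    open_fds = len(os.listdir(fd_dir))
    with open(f"/proc/{pid}/limits") as fh:
        soft, hard = parse_open_files_limit(fh.read())
    return {"pid": pid, "open": open_fds, "soft": soft, "hard": hard,
            "state": usage_state(open_fds, soft)}


def self_fd_usage():
    """Sanity run against the current process."""
    return fd_usage(os.getpid())


def find_pids(needle):
    """PIDs whose command line contains `needle`. Assumption: the Hostcontext
    JVM can be recognised by 'hostcontext' in its command line."""
    pids = []
    for entry in os.listdir("/proc") if os.path.isdir("/proc") else []:
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/cmdline", "rb") as fh:
                if needle.encode() in fh.read():
                    pids.append(int(entry))
        except OSError:
            continue  # process exited or is not readable
    return pids


if __name__ == "__main__":
    for pid in find_pids("hostcontext") or [os.getpid()]:
        u = fd_usage(pid)
        if u:
            print(f"pid {u['pid']}: {u['open']} open fds, soft limit {u['soft']}, state={u['state']}")
```

    Run on the Console as root, a 'warning' or 'exhausted' state for the hostcontext PID, together with the repetitive ProcessMonitor messages above, confirms the APAR rather than an unrelated descriptor leak.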
    DEPLOY CHANGES IJ02476 REMOVING ENCRYPTION FROM A MANAGED HOST CAUSES DEPLOY FUNCTION TO FAIL TO THAT MANAGED HOST CLOSED Resolved in
    QRadar 7.4.0 (7.4.0.20200304205308)

    Workaround
    From the System and License Management interface, encrypt the host connection on the Managed Host and Deploy changes.

    Issue
    It has been identified that the QRadar deploy function to a Managed Host fails (times out) after removing encryption from that Managed Host (Encrypt Host Connection option).

    To replicate this issue:
    1. Click the Admin tab.
    2. Click the System and License Management icon.
    3. Click on the Managed Host and then Deployment Actions.
    4. Click Edit Host.
    5. Un-check Encrypt Host Connection and save the changes.
    6. Click Deploy Changes.

      Results
      The Deploy Changes function for that Managed Host times out.


    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
      [hostcontext.hostcontext]
      [f83a84ed-53ae-4592-ade5-8fa6ee3f1620/SequentialEventDispatcher] at
      com.q1labs.frameworks.events.SequentialEventDispatcher$DispatchT
      hread.run(SequentialEventDispatcher.java)
      [hostcontext.hostcontext]
      [f83a84ed-53ae-4592-ade5-8fa6ee3f1620/SequentialEventDispatcher]
      Caused by:
      [hostcontext.hostcontext]
      [f83a84ed-53ae-4592-ade5-8fa6ee3f1620/SequentialEventDispatcher]
      com.q1labs.hostcontext.exception.HostContextConfigException:
      Failed to download new configuration set
      [hostcontext.hostcontext]
      [f83a84ed-53ae-4592-ade5-8fa6ee3f1620/SequentialEventDispatcher] at
      com.q1labs.hostcontext.configuration.ConfigSetUpdater.downloadAn
      dProcessGlobalSets(ConfigSetUpdater.java)
      [hostcontext.hostcontext]
      [f83a84ed-53ae-4592-ade5-8fa6ee3f1620/SequentialEventDispatcher] at
      com.q1labs.hostcontext.configuration.ConfigSetUpdater.prepareNon
      ConsoleGlobalSets(ConfigSetUpdater.java)
      [hostcontext.hostcontext]
      [f83a84ed-53ae-4592-ade5-8fa6ee3f1620/SequentialEventDispatcher] ... 10 more
      [hostcontext.hostcontext]
      [f83a84ed-53ae-4592-ade5-8fa6ee3f1620/SequentialEventDispatcher]
      Caused by:
      [hostcontext.hostcontext]
      [f83a84ed-53ae-4592-ade5-8fa6ee3f1620/SequentialEventDispatcher]
      com.q1labs.hostcontext.exception.HostContextConfigException:
      Timeout on deployment token synchronization
      [hostcontext.hostcontext]
      [f83a84ed-53ae-4592-ade5-8fa6ee3f1620/SequentialEventDispatcher] at
      com.q1labs.hostcontext.configuration.ConfigSetUpdater.downloadAn
      dProcessGlobalSets(ConfigSetUpdater.java)
      [hostcontext.hostcontext]
      [f83a84ed-53ae-4592-ade5-8fa6ee3f1620/SequentialEventDispatcher] ... 11 more
      [hostcontext.hostcontext]
      [f83a84ed-53ae-4592-ade5-8fa6ee3f1620/SequentialEventDispatcher]
      com.q1labs.hostcontext.util.HostContextUtilities: [INFO]
      [NOT:0000006000][127.0.0.1/- -] [-/- -]Removing file hostcontext.NODOWNLOAD
      [hostcontext.hostcontext]
      [f83a84ed-53ae-4592-ade5-8fa6ee3f1620/SequentialEventDispatcher]
      com.q1labs.hostcontext.configuration.ConfigChangeObserver:
      [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Following message
      suppressed 1 times in 300000 milliseconds
      [hostcontext.hostcontext]
      [f83a84ed-53ae-4592-ade5-8fa6ee3f1620/SequentialEventDispatcher]
      com.q1labs.hostcontext.configuration.ConfigChangeObserver:
      [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Failed to
      download and apply new configuration
      [hostcontext.hostcontext]
      [f83a84ed-53ae-4592-ade5-8fa6ee3f1620/SequentialEventDispatcher]
      com.q1labs.hostcontext.exception.HostContextConfigException:
      Unable to create flag file to denote a hostcontext restart to
      create tunneled frameworks connections
    12 December 2017
    OFFENSES IJ02571 OFFENSE RULE SNMP RESPONSES DO NOT REFLECT THE OFFENSE DATA CLOSED This issue has been closed as an expired issue and no fix is planned at this time.

    Workaround
    No workaround available.

    Issue
    It has been observed that, after an offense rule is created and an SNMP response is configured for that rule (with offenseCRE.snmp.xml modified to configure the OIDs, that is the properties, sent in the SNMP trap), the response code in QRadar uses the asset model to populate these values for the Offense.

    When this occurs, the SNMP trap does not always contain the expected data that is visible in the Offense.
    12 December 2017
    LOG ACTIVITY / SEARCH IJ05192 LOG ACTIVITY SEARCH ERRORS '...PROBLEM CONNECTING TO THE QUERY SERVER' AND '...INVALID WHITE SPACE CHARACTER...' IN THE LOGS CLOSED Resolved in
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)

    Workaround
    No workaround available.

    Issue
    It has been observed that Log Activity searches can sometimes fail with a message similar to: "There was a problem connecting to the query server. please try again later"

    This error message can coincide with error messages in /var/log/qradar.error:
    [ariel.ariel_proxy_server]
    [ariel_query_13:cf3b383b-17ba-4895-a0ef-ef31b99c12f7]
    com.thoughtworks.xstream.io.StreamException:
    [ariel.ariel_proxy_server]
    [ariel_query_13:cf3b383b-17ba-4895-a0ef-ef31b99c12f7] Caused by:
    [ariel.ariel_proxy_server]
    [ariel_query_13:cf3b383b-17ba-4895-a0ef-ef31b99c12f7]
    com.ctc.wstx.exc.WstxIOException: Invalid white space character
    (0x11) in text to output
    [ariel.ariel_proxy_server]
    [ariel_query_13:cf3b383b-17ba-4895-a0ef-ef31b99c12f7] at
    com.ctc.wstx.sw.BaseStreamWriter.writeCharacters(BaseStreamWriter.java)
    [ariel.ariel_proxy_server]
    [ariel_query_13:cf3b383b-17ba-4895-a0ef-ef31b99c12f7] at
    com.thoughtworks.xstream.io.xml.StaxWriter.setValue(StaxWriter.java)
    [ariel.ariel_proxy_server]
    [ariel_query_13:cf3b383b-17ba-4895-a0ef-ef31b99c12f7] ... 77 more
    10 February 2020
    OFFENSES / PERFORMANCE IJ09192 OFFENSE SUMMARY PAGE CAN SOMETIMES TAKE LONGER THAN EXPECTED TO LOAD FOR OFFENSES WITH A LARGE NUMBER OF ATTACKERS CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 (7.4.0.20200304205308)

    Workaround
    No workaround available.

    Issue
    It has been identified that loading the offense summary of a single offense can sometimes take longer than expected (multiple minutes) for Offenses with a large number of attackers.
    04 December 2018
    DEPLOYMENT / REMOVE HOST IJ12277 PROCESSOR MANAGED HOSTS INSTALLED AS TYPE "SOFTWARE" GENERATE ERROR WHEN ATTEMPTING TO BE REMOVED FROM DEPLOYMENT CLOSED Resolved in
    QRadar 7.4.0 (7.4.0.20200304205308)

    Workaround
    Install the latest software version or contact Support for a possible workaround that might address this issue if you cannot upgrade at this time.

    Issue
    It has been identified that attempting to remove a QRadar processor (Event or Flow) from a QRadar deployment can fail and generate an error similar to the following if the processor was built as type "Software" at version 7.2.x and then upgraded to 7.3.1.

    When this issue occurs, the following error messages can be displayed in the user interface:

    • There are not enough unallocated EPS in the pool to maintain the event rate limits that are assigned to managed hosts
      or
    • There are not enough unallocated FPM in the pool to maintain the flow rate limits that are assigned to managed hosts
    16 September 2019
    VULNERABILITY SCAN / QRADAR VULNERABILITY MANAGER IJ19254 TXSENTRY ERRORS CAN OCCUR DURING VULNERABILITY IMPORTS OF A LARGE NUMBER OF ASSETS WITH VULNERABILITY EXCEPTIONS CLOSED Resolved in
    QRadar 7.4.0 (7.4.0.20200304205308)

    Workaround
    Avoid importing thousands of assets that require the same vulnerability exception at once by staggering the vulnerability imports.

    Issue
    It has been identified that a TxSentry lock warning can occur during vulnerability imports of a large number of assets (multiple thousands) with vulnerability exceptions. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    com.q1labs.hostcontext.tx.TxSentry: [WARN]
    [NOT:0000004000][127.0.0.1/- -] [-/- -]  Lock acquired on host
    127.0.0.1: rel=vulninstance age=623 granted=t mode=RowShareLock
    query='SELECT exception_rule.config_update();
    16 September 2019
    RULES / RULES WIZARD IJ19268 LOADING RULES FROM EVENTS GENERATES '[UNKNOWN RULE NAME]' AND 'INVALID XML CONTENT' MESSAGES IN QRADAR LOGGING CLOSED Resolved in
    QRadar 7.4.0 (7.4.0.20200304205308)

    Workaround
    Upgrade to the latest software version or contact Support for a possible workaround that might address this issue in some instances if you are unable to upgrade at this time.

    Issue
    It has been identified that when loading Rules from within events, messages containing "UNKNOWN RULE NAME" might be displayed. These errors have been observed when control characters are present in data within the rule_data database table.

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069)
    /console/restapi/api/analytics/rules] Caused by:
    [tomcat.tomcat]
    [Token: UBA@127.0.0.1 (24205069)
    /console/restapi/api/analytics/rules] com.q1labs.restapi_annotat
    ions.content.exceptions.endpointExceptions.ServerProcessingExcep
    tion: An error occured while trying to retrieve the
    rule
    [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069)
    /console/restapi/api/analytics/rules] at com.q1labs.core.api.imp
    l.customrule.CustomRuleAPIImpl.getCustomRules(CustomRuleAPIImpl.java)
    [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069)
    /console/restapi/api/analytics/rules] at com.q1labs.core.api.R2_
    2016.customrule.CustomRuleAPI.getCustomRules(CustomRuleAPI.java)
    [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069)
    /console/restapi/api/analytics/rules] at
    sun.reflect.GeneratedMethodAccessor526.invoke(Unknown Source)
    [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069)
    /console/restapi/api/analytics/rules] at sun.reflect.DelegatingM
    ethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java)
    [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069)
    /console/restapi/api/analytics/rules] at
    java.lang.reflect.Method.invoke(Method.java:508)
    [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069)
    /console/restapi/api/analytics/rules] at com.q1labs.restapi.serv
    let.utilities.APIRequestHandler.invokeMethod(APIRequestHandler.java)
    [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069)
    /console/restapi/api/analytics/rules] at com.q1labs.restapi.serv
    let.utilities.APIRequestHandler.redirectRequest(APIRequestHandler.java)
    [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069)
    /console/restapi/api/analytics/rules] ... 46 more
    [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069)
    /console/restapi/api/analytics/rules] Caused by:
    [tomcat.tomcat] [Token: UBA@127.0.0.1 (24205069)
    /console/restapi/api/analytics/rules]
    [openjpa-2.2.2-r422266:1468616 fatal general error]
    org.apache.openjpa.persistence.PersistenceException: ERROR:
    invalid XML content
     Detail: line 1: xmlParseCharRef: invalid xmlChar value 6
    lt;a href='javascript:editParameter("12", "3")'
    class='dynamic'>metadata
     ^
    line 1: xmlParseCharRef:
    invalid xmlChar value 6
    ns multiselect="false" source="user"
    format="user"/][userSelection]metadata
     ^
    line 1: chunk is
    not well balanced {prepstmnt 1473478204 SELECT * FROM
    custom_rule WHERE (CAST( xpath( '/rule[@buildingBlock="false"]',
    CAST( (encode(rule_data, 'escape')) AS XML)) AS text ARRAY) !=
    '{}' AND rule_type NOT IN (6, 7, 8)) ORDER BY id ASC} 
    
    26 September 2019
    RULES / RULES WIZARD IJ20232 ' ? ' CHARACTERS DISPLAYED AT THE END OF EACH LINE OF "RULE NOTES" THAT CONTAIN LINE BREAKS CLOSED Resolved in
    QRadar 7.4.0 (7.4.0.20200304205308)

    Workaround
    No workaround available.

    Issue
    It has been identified that when configuring a rule that includes a line break in the "Rule Notes" section, question mark '?' characters are displayed at the end of each line.
    17 October 2019
    ROUTING RULES IJ20466 EVENTS CONFIGURED TO BE DROPPED BY ROUTING RULES ARE NOT BEING DROPPED DURING A HOSTCONTEXT RESTART OPEN: Reported in QRadar 7.3.2 versions Workaround
    Contact Support for a possible workaround that might address this issue in some instances.

    Issue
    It has been identified that Events which are configured to be dropped by routing rules are not being dropped during a hostcontext restart.
    08 November 2019
    RULES / RULES WIZARD IJ20767 'AN ERROR HAS OCCURRED SAVING YOUR RULE. PLEASE TRY AGAIN LATER' WHEN ATTEMPTING TO SAVE A RULE CLOSED Resolved in
    QRadar 7.4.0 (7.4.0.20200304205308)

    Workaround
    No workaround available.

    Issue
    It has been identified that when saving a Rule, the following message might be observed due to rule_data not being validated prior to persisting it to the database: "An error has occurred saving your rule. Please try again later."

    To replicate this issue:
    1. Use "sss" as a rule's Annotate event under Rule Action.
    2. Click Next until the Summary page, and click Finish.

      Results
      The save rule error is displayed in the user interface and messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
      [tomcat.tomcat] [admin@127.0.0.1 (9437) /console/do/rulewizard] com.q1labs.sem.ui.action.RuleWizard: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Unable to save rule. Reason: Invalid control character(s) found in the xml object representing the rule sss. This will prevent the rule from being loaded to CRE.
      [tomcat.tomcat] [admin@127.0.0.1 (9437) /console/do/rulewizard] com.q1labs.sem.ui.action.RuleWizard: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Failed to Save rule
      [tomcat.tomcat] [admin@127.0.0.1 (9437) /console/do/rulewizard] java.lang.RuntimeException: Invalid control character(s) found in the xml object representing the rule sss. This will prevent the rule from being loaded to CRE.
      [tomcat.tomcat] [admin@127.0.0.1 (9437) /console/do/rulewizard] at com.q1labs.core.shared.cre.CREServices.validateRuleData(CREServices.java)
      [tomcat.tomcat] [admin@127.0.0.1 (9437) /console/do/rulewizard] at com.q1labs.core.shared.cre.CREServices.updateRule(CREServices.java)
      [tomcat.tomcat] [admin@127.0.0.1 (9437) /console/do/rulewizard] at com.q1labs.core.shared.cre.CREServices.updateRule(CREServices.java)
      [tomcat.tomcat] [admin@127.0.0.1 (9437) /console/do/rulewizard] at com.q1labs.sem.ui.action.RuleWizard.saveWizard(RuleWizard.java)
      [tomcat.tomcat] [admin@127.0.0.1 (9437) /console/do/rulewizard] at com.q1labs.sem.ui.action.RuleWizard.executeAction(RuleWizard.java)
      [tomcat.tomcat] [admin@127.0.0.1 (9437) /console/do/rulewizard] at com.q1labs.uiframeworks.actions.WizardAction.execute(WizardAction.java)
      [tomcat.tomcat] [admin@127.0.0.1 (9437) /console/do/rulewizard] at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java)
    13 November 2019
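    IJ05192, IJ19268 and IJ20767 share one root cause: characters that XML 1.0 does not allow (0x11 and 0x06 in the messages above) reaching rule data that is later serialised or parsed as XML. The validator below is an added example, not QRadar's own validateRuleData: it flags both literal characters and numeric character references outside the XML 1.0 Char production, shows that a conforming parser rejects such data, and strips the offenders before the data would be persisted. The sample rule notes are constructed.

```python
import re
import xml.etree.ElementTree as ET

# XML 1.0 production [2] Char: #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD]
# | [#x10000-#x10FFFF]. Anything else (0x06 and 0x11 from the log messages on
# this page included) is invalid in element text, literal or as &#...; reference.
_INVALID_XML_CHAR = re.compile(
    "[^\u0009\u000A\u000D\u0020-\uD7FF\uE000-\uFFFD\U00010000-\U0010FFFF]"
)
_CHAR_REF = re.compile(r"&#(x[0-9A-Fa-f]+|[0-9]+);")


def is_xml_char(cp):
    return (cp in (0x9, 0xA, 0xD) or 0x20 <= cp <= 0xD7FF
            or 0xE000 <= cp <= 0xFFFD or 0x10000 <= cp <= 0x10FFFF)


def _ref_value(ref):
    """Code point of a numeric character reference body such as 'x11' or '6'."""
    return int(ref[1:], 16) if ref[0] in "xX" else int(ref)


def invalid_xml_chars(text):
    """[(offset, code_point)] for every literal character, and every numeric
    reference such as &#6; or &#x11;, that XML 1.0 does not allow."""
    found = [(m.start(), ord(m.group())) for m in _INVALID_XML_CHAR.finditer(text)]
    for m in _CHAR_REF.finditer(text):
        cp = _ref_value(m.group(1))
        if not is_xml_char(cp):
            found.append((m.start(), cp))
    return sorted(found)


def check_rule_data(rule_name, rule_xml):
    """None when the rule XML is clean, otherwise an error string in the spirit
    of the 'Invalid control character(s) found in the xml object representing
    the rule ...' message above, naming each offending character and offset."""
    bad = invalid_xml_chars(rule_xml)
    if not bad:
        return None
    where = ", ".join(f"U+{cp:04X} at offset {off}" for off, cp in bad)
    return (f"Invalid control character(s) found in the xml object representing "
            f"the rule {rule_name}: {where}")


def strip_invalid_xml_chars(text, replacement=""):
    """Repair step: drop invalid literal characters and invalid references
    before the data is persisted or serialised."""
    text = _INVALID_XML_CHAR.sub(replacement, text)
    return _CHAR_REF.sub(
        lambda m: m.group() if is_xml_char(_ref_value(m.group(1))) else replacement, text)


def parser_accepts(xml_text):
    """What a conforming parser (expat, here) does with the data: True only if it parses."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


if __name__ == "__main__":
    # Constructed rule notes: a literal 0x11 (the 'Invalid white space character
    # (0x11)' of IJ05192) and an escaped &#6; (the 'invalid xmlChar value 6' of IJ19268).
    sample = '<rule name="sss"><notes>first line\x11second line&#6;</notes></rule>'
    print(check_rule_data("sss", sample))
    print("parser accepts as-is:", parser_accepts(sample))
    print("parser accepts after repair:", parser_accepts(strip_invalid_xml_chars(sample)))
```

    The check belongs on the write path (before rule_data reaches the database), which is exactly the gap IJ20767 describes; running it over existing rule_data rows locates the rules that trigger the '[UNKNOWN RULE NAME]' and 'invalid XML content' errors of IJ19268.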
    API IJ20152 NETWORK ID FETCHED BY API '/ASSET_MODEL/ASSETS' AND '/CONFIG/NETWORK_HIERARCHY/NETWORKS' ARE DIFFERENT CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 (7.4.0.20200304205308)

    Workaround
    No workaround available.

    Issue
    It has been identified that the network id returned by the /asset_model/assets API differs from the one returned by the /config/network_hierarchy/networks API. This can produce unexpected or incorrect data for queries that use the API.
    17 October 2019
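    An added example, not code from this page or from IBM, of the cross-check a practitioner would run for IJ20152: for every asset IP from /asset_model/assets it computes the longest-prefix network from /config/network_hierarchy/networks and reports where the asset's stored network_id disagrees. The JSON field names (interfaces[].ip_addresses[].network_id and .value on assets, id and cidr on networks) and the SEC token header follow the author's understanding of the QRadar REST API and should be checked against the API documentation of your version; the sample responses are constructed, and paging through large asset sets is left out.

```python
import ipaddress
import json
import urllib.request

# Constructed sample responses (field names are an assumption, see the lead-in).
SAMPLE_NETWORKS = [
    {"id": 1, "name": "Net_10", "cidr": "10.0.0.0/8", "domain_id": 0},
    {"id": 3, "name": "Net_10_1_17", "cidr": "10.1.17.0/24", "domain_id": 0},
    {"id": 7, "name": "Net_192_168", "cidr": "192.168.0.0/16", "domain_id": 0},
]
SAMPLE_ASSETS = [
    {"id": 1001, "interfaces": [{"id": 1, "ip_addresses": [
        {"id": 11, "value": "10.1.17.76", "network_id": 1}]}]},   # hierarchy says 3 (longest prefix)
    {"id": 1002, "interfaces": [{"id": 2, "ip_addresses": [
        {"id": 12, "value": "192.168.5.9", "network_id": 7}]}]},  # consistent
    {"id": 1003, "interfaces": [{"id": 3, "ip_addresses": [
        {"id": 13, "value": "172.16.0.1", "network_id": 7}]}]},   # in no defined network
]


def expected_network_id(ip, networks):
    """id of the network whose CIDR is the longest prefix containing `ip`, or None."""
    addr = ipaddress.ip_address(ip)
    best, best_len = None, -1
    for net in networks:
        cidr = ipaddress.ip_network(net["cidr"], strict=False)
        if addr.version == cidr.version and addr in cidr and cidr.prefixlen > best_len:
            best, best_len = net["id"], cidr.prefixlen
    return best


def find_network_id_mismatches(assets, networks):
    """[(asset_id, ip, network_id_from_asset, network_id_from_hierarchy)] for
    every asset IP whose stored network_id disagrees with the hierarchy."""
    out = []
    for asset in assets:
        for iface in asset.get("interfaces", []):
            for ipobj in iface.get("ip_addresses", []):
                stored = ipobj.get("network_id")
                expected = expected_network_id(ipobj["value"], networks)
                if stored != expected:
                    out.append((asset["id"], ipobj["value"], stored, expected))
    return out


def fetch(console, token, path):
    """GET a QRadar REST endpoint with a SEC token (defined for a live run; not
    called in this example, which works on the constructed data above)."""
    req = urllib.request.Request(
        f"https://{console}/api{path}",
        headers={"SEC": token, "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for asset_id, ip, stored, expected in find_network_id_mismatches(SAMPLE_ASSETS, SAMPLE_NETWORKS):
        print(f"asset {asset_id} {ip}: asset_model says network {stored}, hierarchy says {expected}")
    # Against a live Console (add Range-header paging for large deployments):
    # mismatches = find_network_id_mismatches(
    #     fetch(console, token, "/asset_model/assets"),
    #     fetch(console, token, "/config/network_hierarchy/networks"))
```

    A non-empty result after upgrading to a release listed as resolving IJ20152 points at stale asset records rather than the API bug itself, since the two endpoints are then expected to agree.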
    DISK SPACE IJ20632 A QRADAR APP BACKUP SCRIPT CAN SOMETIMES FAIL CAUSING /STORE PARTITION FREE SPACE ISSUES CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)
    QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)
    QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249)

    Workaround
    No workaround available.

    Issue
    It has been identified that in some instances the app-volume-backup.py script does not clean up failed or incomplete backups. When this issue occurs, it is possible for the /store partition to fill.
    12 November 2019
    MANAGED HOST / ADD HOST IJ22140 ADD HOST CAN FAIL WITH PASSWORD DECODING ERROR CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Patch 2 (7.3.3.20200208135728)

    Workaround
    Contact Support for a possible workaround that might address this issue in some instances.

    Issue
    The QRadar Add Host process can fail due to a password decoding issue that occurs during the Add Host process. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [hostcontext.hostcontext]
    [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]
    java.lang.IllegalArgumentException: Last unit does not have
    enough valid bits
    [hostcontext.hostcontext]
    [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]
       at java.util.Base64$Decoder.decode0(Base64.java:745)
    [hostcontext.hostcontext]
    [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]
       at java.util.Base64$Decoder.decode(Base64.java:537)
    [hostcontext.hostcontext]
    [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]
       at java.util.Base64$Decoder.decode(Base64.java:560)
    [hostcontext.hostcontext]
    [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]
       at
    com.ibm.si.mks.KeyStoreCrypto.decrypt(KeyStoreCrypto.java:98)
    [hostcontext.hostcontext]
    [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]
       at com.ibm.si.mks.Crypto.decrypt(Crypto.java:55)
    [hostcontext.hostcontext]
    [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]
       at
    com.q1labs.frameworks.crypto.CryptoUtils.decrypt(CryptoUtils.jav
    a:46)
    [hostcontext.hostcontext]
    [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]
       at
    com.q1labs.frameworks.core.FrameworksContext.decrypt(FrameworksC
    ontext.java:1122)
    [hostcontext.hostcontext]
    [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]
       at
    com.q1labs.configservices.capabilities.AddHost.getPresenceComman
    d(AddHost.java:2143)
    [hostcontext.hostcontext]
    [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]
       at
    com.q1labs.configservices.capabilities.AddHost.executePresence(A
    ddHost.java:2103)
    [hostcontext.hostcontext]
    [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]
       at
    com.q1labs.configservices.capabilities.AddHost.add(AddHost.java:
    1530)
    [hostcontext.hostcontext]
    [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]
       at
    com.q1labs.configservices.capabilities.AddHost.addManagedHost(Ad
    dHost.java:324)
    [hostcontext.hostcontext]
    [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]
       at
    com.q1labs.hostcontext.core.executor.AddHostExecutor.addManagedH
    ost(AddHostExecutor.java:74)
    [hostcontext.hostcontext]
    [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]
       at
    com.q1labs.hostcontext.core.executor.AddHostExecutor.invoke(AddH
    ostExecutor.java:51)
    [hostcontext.hostcontext]
    [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]
       at
    com.q1labs.configservices.hostcontext.core.requests.BaseHostRequ
    est.invoke(BaseHostRequest.java:71)
    [hostcontext.hostcontext]
    [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]
       at
    com.q1labs.configservices.hostcontext.core.HostContextServices.m
    essageReceived(HostContextServices.java:489)
    [hostcontext.hostcontext]
    [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]
       at
    com.q1labs.frameworks.events.jms.JMSMessageEvent.dispatchEvent(J
    MSMessageEvent.java:107)
    [hostcontext.hostcontext]
    [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]
       at
    com.q1labs.frameworks.events.SequentialEventDispatcher$DispatchT
    hread.run(SequentialEventDispatcher.java:129)
    [hostcontext.hostcontext]
    [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]
    com.q1labs.configservices.capabilities.AddHost: [ERROR]
    [NOT:0000003000][x.x.x.x/- -] [-/- -]Unable to add managed
    host. The ip of the host is: x.x.x.x
    [hostcontext.hostcontext]
    [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]
    com.q1labs.configservices.hostcontext.core.HostContextServices:
    [ERROR] [NOT:0000003000][x.x.x.x/- -] [-/- -]Error retrieving
    message
    [hostcontext.hostcontext]
    [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]
    com.q1labs.configservices.hostcontext.exception.HostContextExcep
    tion: Could not get executor object
    com.q1labs.hostcontext.core.executor.AddHostExecutor
    [hostcontext.hostcontext]
    [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]
       at
    com.q1labs.configservices.hostcontext.core.requests.BaseHostRequ
    est.invoke(BaseHostRequest.java:76)
    [hostcontext.hostcontext]
    [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]
       at
    com.q1labs.configservices.hostcontext.core.HostContextServices.m
    essageReceived(HostContextServices.java:489)
    [hostcontext.hostcontext]
    [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]
       at
    com.q1labs.frameworks.events.jms.JMSMessageEvent.dispatchEvent(J
    MSMessageEvent.java:107)
    [hostcontext.hostcontext]
    [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]
       at
    com.q1labs.frameworks.events.SequentialEventDispatcher$DispatchT
    hread.run(SequentialEventDispatcher.java:129)
    [hostcontext.hostcontext]
    [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]
    Caused by:
    [hostcontext.hostcontext]
    [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]
    com.q1labs.configservices.hostcontext.exception.HostContextExcep
    tion: Command exited with non-zero value (4): add_host
    [hostcontext.hostcontext]
    [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]
       at
    com.q1labs.hostcontext.core.executor.AddHostExecutor.addManagedH
    ost(AddHostExecutor.java:80)
    17 January 2020
    ACCESS / USER LOG IN IJ21731 QRADAR USERS CAN BE UNABLE TO LOGIN TO THE USER INTERFACE WHEN MULTIPLE HOST LOCKS OCCUR AT THE SAME TIME CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Patch 2 (7.3.3.20200208135728)
    QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249)

    Workaround
    When this issue occurs, restart the tomcat service on the QRadar console from an SSH session so that logins can succeed again:
    systemctl restart tomcat
    NOTE: The QRadar user interface becomes available again after all required processes are running as expected.

    Issue
    QRadar users can be prevented from logging in successfully when the QRadar authentication cleanup job fails to run as expected because multiple host locks occur at the same time.
    19 December 2019
    CUSTOM EVENT PROPERTIES IJ19261 JSON EXPRESSIONS CAN MATCH IN CUSTOM EVENT PROPERTY UI PAYLOAD TESTS BUT DO NOT MATCH ON RECEIVED EVENTS CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Patch 2 (7.3.3.20200208135728)

    Workaround
    Ensure that the correct expression is being used. Not all expressions that return a result when tested with the Test button in the QRadar user interface produce the expected result when events are processed.

    Issue
    It has been identified that placing a "/" before the index does not invalidate the match when testing JSON expressions in the Custom Event Property (CEP) user interface. This can result in false positives in the CEP user interface (Admin > Data Sources > Custom Event Properties).

    For example:
    • Correct:
      /"object"[0]/"desiredPropertyName"
    • Incorrect:
      /"object"/[0]/"desiredPropertyName"
    In this example, the second expression includes an extra forward slash "/". The Custom Event Property interface generates a false positive match for it, and the property shows "N/A" when an event is processed through the event pipeline.
    26 September 2019
    HTTP INSPECTOR / QRADAR NETWORK INSIGHTS IJ20823 QRADAR NETWORK INSIGHTS (QNI) COREDUMP CAN OCCUR DUE TO HTTP INSPECTOR CLOSED Resolved in
    QRadar Network Insights 7.4.0 (7.4.0.20200304205308)
    QRadar Network Insights 7.3.3 Patch 2 (7.3.3.20200208135728)

    Workaround: No workaround available.

    Issue: It has been identified that the QRadar Network Insights (QNI) HTTP inspector component can cause QNI core dump instances in /store/jheap on the QNI appliance. QNI cannot process flow traffic as expected while the decapper service is not running.
    13 November 2019
    UPGRADE / HIGH AVAILABILITY (HA) IJ21673 HIGH AVAILABILITY (HA) CROSSOVER NO LONGER ENABLED AFTER PATCHING OPEN: Reported in QRadar 7.3.2 Patch 4 Workaround: Re-enable the crossover after the patching process is completed using the following command from an SSH session:
    /opt/qradar/ha/bin/qradar_nettune.pl crossover enable
    How to verify crossover status on HA: https://ibm.biz/BdqBSg

    Issue:
    After patching to QRadar 7.3.3, High Availability (HA) pairs configured with a crossover cable connection can have the crossover no longer enabled after the appliance reboot processes are complete.
    22 January 2020
    FLOWS IJ21657 'LAST PROXY IPV4' AND 'LAST PROXY IPV6' FLOW DATA IS NOT PARSED CORRECTLY CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)
    QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)
    QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249)

    Workaround
    Contact Support for a possible workaround that might address this issue in some instances.

    Issue
    At QRadar version 7.3.2+, the "Last Proxy IPv4" and "Last Proxy IPv6" fields from flows are not properly parsed. When this occurs, new and previous searches configured to use that data no longer function as expected.
    19 December 2019
    DSM EDITOR IJ21643 DSM EDITOR PAGE 'EXPORT' BUTTON IS MISSING CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Patch 2 (7.3.3.20200208135728)

    Workaround
    Contact Support for a possible workaround that might address this issue in some instances.

    Issue
    The DSM Editor page 'Export' button is missing after upgrading to QRadar 7.3.3 from 7.3.2 Patch 4 or later.
    20 December 2019
    DSM EDITOR IJ21610 DSM EDITOR USER INTERFACE REGEX VALIDATION CAN DIFFER FROM THE QRADAR PIPELINE CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 (7.4.0.20200304205308)

    Workaround
    Contact Support for a possible workaround that might address this issue in some instances or upgrade to the latest software version.

    Issue
    The DSM Editor user interface and the event pipeline can sometimes disagree about what constitutes a valid regex. This has been observed when a character that has no special meaning in a regex is escaped unnecessarily. Example: username\=(\S+) <-- the = sign here does not need to be escaped; although most regex engines accept this expression, QRadar might consider it an invalid regex.
    18 December 2019
    INSTALL IJ21608 QRADAR SOFTWARE INSTALL CAN FAIL DUE TO PARTITION SIZE CHECK FAILURE CLOSED Resolved in QRadar 7.4.1 (7.4.1.20200716115107)

    Workaround
    Install QRadar at an earlier version (example 7.3.1 Patch 5) and then patch up.

    Issue
    A QRadar software installation on an sda boot disk smaller than a certain size fails with a message similar to:
    Initializing...
    Starting setup session in screen
    EULA accepted on Thu Jan  4 19:30:16 UTC 2018
    About to install QRadar version 7.3.0.20171205025101
    Install started on Thu Jan  4 19:30:17 UTC 2018 but was not
    completed.
    Attempting to continue...
    done.
    Checking that SELinux is disabled...
    OK: SELinux is disabled.
    Checking that system language is set to en_US.UTF-8...
    OK: System language is set to en_US.UTF-8
    Checking for minimum disk size...
    ERROR: Boot disk sda is only 32768 MiB but must be at least
    78125 MiB.
    ERROR: This version does not support small drives. You must
    replace the drive before trying again.
    Press enter to close screen
    20 December 2019
    QRADAR RISK MANAGER / ADAPTER BACKUP IJ21606 QRADAR RISK MANAGER (QRM) DEVICE ADAPTER BACKUPS CAN FAIL WHEN STRICT SSH KEY EXCHANGE ALGORITHMS ARE EMPLOYED TO RESTRICT COMM CLOSED Resolved in
    QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)
    QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)
    QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249)

    Workaround
    No workaround available.

    Issue
    QRadar Risk Manager (QRM) is unable to discover or back up devices when strict SSH key exchange algorithms are employed to restrict communication.

    "Couldn't agree a key exchange algorithm" is present on the Configuration Source Management's Backup Error Detail dialog, and if the backup was initiated on the Configuration Monitor screen, in the Recent Activity Adapter Backup log viewer.
    16 December 2019
    QRADAR VULNERABILITY INSIGHTS APP IJ21604 QRADAR VULNERABILITY INSIGHTS APP REPORT IN FAILED "ERROR" STATUS OPEN: Reported in QRadar Vulnerability Insights App v1.1.0 Workaround: Contact Support for a possible workaround that might address this issue in some instances.

    Issue:
    The QRadar Vulnerability Insights scan compare report can fail to generate, with only the text 'error' shown against the report in the user interface, when the vulnerability critical details contain "::" characters.
    20 December 2019
    USER INTERFACE IJ21588 "TYPEERROR: DOMAPI.GETELM IS NOT A FUNCTION" WHEN ON THE QRADAR ADMIN TAB AND USING FIREFOX WEB BROWSER OPEN: Reported in QRadar 7.3.3 Workaround: No workaround available.

    Issue:
    It is possible that clicking on the Admin tab when you are already on the Admin tab will throw a Client exception with the message similar to:
    The following client exception occurred while handling the
    server response:
    {0}
    TypeError: domapi.getElm is not a function

    This has been observed on Firefox version 68.0.1 as well as Firefox version 71.0 on Windows 10.
    20 December 2019
    AQL CUSTOM PROPERTY / USER INTERFACE IJ21571 APPLICATION ERROR IN THE UI CAN BE GENERATED WHEN OPENING AN EVENT RETURNED FROM A SEARCH WITH AQL CUSTOM PROPERTY OPEN: Reported in QRadar 7.3.1 and later Workaround: No workaround available.

    Issue:
    An Application Error can be generated in the QRadar user interface when opening an event returned from a search that contains an AQL Custom Property. This can occur when a backend exception is generated by an AQL Custom Property that results in a divide by zero. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [tomcat.tomcat] [admin@127.0.0.1(18133002)
    /console/do/ariel/arielDetails] Caused by:
    [tomcat.tomcat] [admin@127.0.0.1(18133002)
    /console/do/ariel/arielDetails] java.lang.ArithmeticException:
    divide by zero
    [tomcat.tomcat] [admin@127.0.0.1(18133002)
    /console/do/ariel/arielDetails]    at
    com.q1labs.ariel.ql.parser.ArithmeticFunctions$DivideLong.calcul
    ate(ArithmeticFunctions.java:352)
    [tomcat.tomcat] [admin@127.0.0.1(18133002)
    /console/do/ariel/arielDetails]    at
    com.q1labs.ariel.ql.parser.ArithmeticFunctions$ArithmeticFunctio
    nLong.calculate(ArithmeticFunctions.java:223)
    [tomcat.tomcat] [admin@127.0.0.1(18133002)
    /console/do/ariel/arielDetails]    at
    com.q1labs.ariel.ql.parser.ArithmeticFunctions$ArithmeticFunctio
    nLong.calculate(ArithmeticFunctions.java:205)
    [tomcat.tomcat] [admin@127.0.0.1(18133002)
    /console/do/ariel/arielDetails]    at
    com.q1labs.ariel.ql.parser.ArithmeticFunction.calculateValue(Ari
    thmeticFunctions.java:32)
    [tomcat.tomcat] [admin@127.0.0.1(18133002)
    /console/do/ariel/arielDetails]    at
    com.q1labs.ariel.ql.parser.ArithmeticFunction.calculate(Arithmet
    icFunctions.java:39)
    [tomcat.tomcat] [admin@127.0.0.1(18133002)
    /console/do/ariel/arielDetails]    at
    com.q1labs.ariel.ql.parser.ArithmeticFunction.calculate(Arithmet
    icFunctions.java:19)
    [tomcat.tomcat] [admin@127.0.0.1(18133002)
    /console/do/ariel/arielDetails]    at
    com.q1labs.ariel.metadata.Metadata$ScalarFunctionBase.call(Metad
    ata.java:71)
    [tomcat.tomcat] [admin@127.0.0.1(18133002)
    /console/do/ariel/arielDetails]    ... 65 more
    [tomcat.tomcat] [admin@127.0.0.1(18133002)
    /console/do/ariel/arielDetails]
    com.q1labs.uiframeworks.action.ExceptionHandler: [ERROR]
    [NOT:0000003000][127.0.0.1/- -] [-/- -]Root cause:
    [tomcat.tomcat] [admin@127.0.0.1(18133002)
    /console/do/ariel/arielDetails] java.lang.ArithmeticException:
    divide by zero
    20 December 2019
    APPLICATION FRAMEWORK IJ21569 QRADAR APP BACKUPS CAN BE LEFT IN AN UNUSABLE STATE CLOSED Resolved in
    QRadar 7.3.2 Patch 1 (7.3.2.20190410024210)

    Workaround
    No workaround available.

    Issue:
    Running QRadar apps can delete files from their /store/docker/volumes directory while the marathon backup script is running, which creates unusable backups. The app backup does not complete successfully and leaves an untarred directory for that day in the /store/backup/marathon directory. Messages similar to the following might be visible in QRadar logging when this issue occurs:
    Jul 13 02:31:23 **** marathon-volume-backup.py[26247]: File
    "/usr/local/bin/marathon-volume-backup.py", line 365, in
    Jul 13 02:31:23 **** marathon-volume-backup.py[26247]:
    args.function(args)
    Jul 13 02:31:23 **** marathon-volume-backup.py[26247]: File
    "/usr/local/bin/marathon-volume-backup.py", line 213, in
    backup_volumes
    Jul 13 02:31:23 **** marathon-volume-backup.py[26247]:
    tar_dir(archive_path, host_path)
    Jul 13 02:31:23 **** marathon-volume-backup.py[26247]: File
    "/usr/local/bin/marathon-volume-backup.py", line 315, in tar_dir
    Jul 13 02:31:23 **** marathon-volume-backup.py[26247]:
    tar.add(source_dir)
    Jul 13 02:31:23 **** marathon-volume-backup.py[26247]: File
    "/usr/lib64/python2.7/tarfile.py", line 1998, in add
    Jul 13 02:31:23 **** marathon-volume-backup.py[26247]:
    recursive, exclude, filter)
    Jul 13 02:31:23 **** marathon-volume-backup.py[26247]: File
    "/usr/lib64/python2.7/tarfile.py", line 1991, in add
    Jul 13 02:31:23 **** marathon-volume-backup.py[26247]:
    self.addfile(tarinfo, f)
    Jul 13 02:31:23 **** marathon-volume-backup.py[26247]: File
    "/usr/lib64/python2.7/tarfile.py", line 2020, in addfile
    Jul 13 02:31:23 **** marathon-volume-backup.py[26247]:
    copyfileobj(fileobj, self.fileobj, tarinfo.size)
    Jul 13 02:31:23 **** marathon-volume-backup.py[26247]: File
    "/usr/lib64/python2.7/tarfile.py", line 274, in copyfileobj
    Jul 13 02:31:23 **** marathon-volume-backup.py[26247]: raise
    IOError("end of file reached")
    Jul 13 02:31:23 **** marathon-volume-backup.py[26247]: IOError:
    end of file reached
    20 August 2020
    APPLICATION FRAMEWORK IJ21567 RESET OF QRADAR CERTIFICATES CAN FAIL WHEN QRADARCA-MONITOR SERVICE IS RUNNING AT THE SAME TIME CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)
    QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002)

    Workaround
    Contact Support for a possible workaround that might address this issue in some instances.

    Issue
    The reset-qradar-ca.sh script can fail to reset all certificates properly if it runs at the same time as the qradarca-monitor service.

    Messages similar to the following might be visible in /var/log/localca.log when this issue occurs:
    time="2019-10-03T12:36:57-04:00" level=debug msg="Start loading
    configurations from /opt/qradar/ca/conf.d/conman-server.json"
    time="2019-10-03T12:36:57-04:00" level=debug msg="Checking
    certificate /etc/conman/tls/conman_ca.crt expiration status for
    local host"
    time="2019-10-03T12:36:57-04:00" level=warning msg="Certificate
    /etc/conman/tls/conman_ca.crt was not found. Preparing to
    generate new certificate"
    time="2019-10-03T12:36:57-04:00" level=debug msg="Certificate
    /etc/conman/tls/conman_ca.crt is close to expire. Regenerate
    the certificate"
    time="2019-10-03T12:36:57-04:00" level=debug msg="Regenerating
    dependent certificate id=4, type=intermediate,
    file=/etc/conman/tls/conman_ca.crt,
    cfg=/opt/qradar/ca/conf.d/conman-server.json"
    time="2019-10-03T12:36:57-04:00" level=debug msg="Start loading
    configurations from /opt/qradar/ca/conf.d/conman-server.json"
    time="2019-10-03T12:36:57-04:00" level=info msg="Setup
    intermediate CA for service conman"
    time="2019-10-03T12:37:00-04:00" level=debug msg="127.0.0.1->
    {fqdn}" action=command
    time="2019-10-03T12:37:00-04:00" level=debug msg="Appliance
    Type: 4000\tProduct Version: 7.3.2.20190522204210"
    action=command
    time="2019-10-03T12:37:00-04:00" level=debug msg=" 12:36:56 up
    83 days,  1:43,  0 users,  load average: 2.33, 2.35, 2.19"
    action=command
    time="2019-10-03T12:37:00-04:00" level=debug
    msg=------------------------------------------------------------
    ------------ action=command
    time="2019-10-03T12:37:00-04:00" level=debug action=command
    time="2019-10-03T12:37:00-04:00" level=info msg="Setup CSR
    /etc/vault-qrd/tls/vault-qrd.csr for service vault-qrd under
    host IP ADDRESS"
    time="2019-10-03T12:37:01-04:00" level=debug msg="INFO:
    Retrieving /etc/vault-qrd/tls/vault-qrd.csr from each server,
    will be placed in separate from-x.x.x.x directories under
    /opt/qradar/ca/certs" action=pull
    time="2019-10-03T12:37:01-04:00" level=debug action=pull
    time="2019-10-03T12:37:01-04:00" level=debug msg="IP ADDRESS"
    -> xxxxxxx.xxxxxx.com" action=pull
    time="2019-10-03T12:37:01-04:00" level=debug msg="Appliance
    Type: 1400\tProduct Version: 7.3.2.20190522204210" action=pull
    time="2019-10-03T12:37:01-04:00" level=debug msg=" 12:37:00 up
    83 days, 14:38,  0 users,  load average: 2.45, 2.48, 2.57"
    action=pull
    time="2019-10-03T12:37:01-04:00" level=warning msg="CSR path
    /opt/qradar/ca/certs/from-IPADDRESS/vault-qrd.csr does not
    exist"
    time="2019-10-03T12:37:01-04:00" level=debug
    msg=------------------------------------------------------------
    ------------ action=pull
    time="2019-10-03T12:37:01-04:00" level=debug msg="rsync:
    change_dir \"/etc/vault-qrd/tls\" failed: No such file or
    directory (2)" action=pull
    time="2019-10-03T12:37:01-04:00" level=debug msg="rsync error:
    some files/attrs were not transferred (see previous errors)
    (code 23) at main.c(1650) [Receiver=3.1.2]" action=pull
    time="2019-10-03T12:37:01-04:00" level=debug msg="rsync:
    [Receiver] write error: Broken pipe (32)" action=pull
    time="2019-10-03T12:37:01-04:00" level=debug action=pull
    time="2019-10-03T12:37:01-04:00" level=info msg="Run command
    /opt/ibm/si/vault-qrd/bin/tls-certs-updated.sh"
    time="2019-10-03T12:37:04-04:00" level=error msg="Failed to
    generate intermediate CA for service conman" error="exit status
    1"
    time="2019-10-03T12:37:04-04:00" level=error msg="Failed to
    regenerate the intermediate certificate
    /etc/conman/tls/conman_ca.crt"
    And in the /var/log/setup-xxx/configure-qradar-ca.log:
    [configure-qradar-ca.sh] [RunAndLog] /opt/qradar/bin/si-vault
    write -format=json
    conman-int-pki/intermediate/generate/exported
    common_name="CONMAN-CA" ttl=26280h key_bits=4096
    exclude_cn_from_sans=true > /tmp/tmp.xxxxxxx
    [configure-qradar-ca.sh] Export intermediate CA key file to
    /var/tmp/qradar_int.key
    [configure-qradar-ca.sh] [RunAndLog] /opt/qradar/bin/si-vault
    write -format=json qradar-pki/root/sign-intermediate
    csr="@/var/tmp/qradar_int.csr" common_name="CONMAN-CA"
    ttl=26280h > /tmp/tmp.33wItN4riu
    Error writing data to qradar-pki/root/sign-intermediate: Error
    making API request.
    20 December 2019
    INSTALL / PRE-CHECK IJ21518 QRADAR NETWORK INSIGHTS (QNI) INSTALLATIONS CAN FAIL AT STORAGE PRE-CHECK CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
    QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)
    QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722)

    Workaround
    If you are unable to upgrade to QRadar 7.4.1 Fix Pack 2, you can contact QRadar Support for a possible workaround that might address this issue in some instances.

    Issue
    It has been identified that QRadar Network Insights (QNI) installations can fail at storage pre-check for one or more reasons.
    1. Large databases being replicated to the QNI managed host
    2. Coredumps
    3. QNI appliances having only 200 GB or 240 GB of storage
    4. 7.3.2 fresh install environments have 32 GB in the /recovery partition, which decreases the size of /store
    16 November 2020
    USERS / RULES IJ21487 RULE FIRING FALSE POSITIVE/NEGATIVE CAN OCCUR DUE TO A RULE WITH A USER THAT NO LONGER EXISTS IN THE DEPLOYMENT OPEN: Reported in QRadar 7.3.2 Patch 4 Workaround: Contact Support for a possible workaround that might address this issue in some instances.

    Issue:
    It has been identified that rules are not loaded properly when the origin user no longer exists in the QRadar deployment. This has been observed after Content Management Tool (CMT) imports have been performed, because the CMT allows the import of data even if the user does not exist.

    False positive/negative rule firing can be experienced when this issue occurs. Messages similar to the following might be visible in /var/log/qradar.log:
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:41338]
    com.ibm.si.ariel.aql.metadata.exceptions.InsufficientUserCapabil
    itiesException: User "xxxxx@domain.com" does not have required
    capabilities to access catalog "events"
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:41338]    at
    com.ibm.si.ariel.aql.metadata.MetadataFactory.createUserCatalog(
    MetadataFactory.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:41338]    at
    com.ibm.si.ariel.aql.metadata.MetadataFactory.getCatalogByName(M
    etadataFactory.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:41338]    at
    com.q1labs.ariel.ql.parser.Parser.getMetadata(Parser.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:41338]    at
    com.q1labs.ariel.ql.parser.Parser.getMetadata(Parser.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:41338]    at
    com.q1labs.ariel.protocol.ClientData.initColumns(ClientData.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:41338]    at
    com.q1labs.ariel.protocol.SearchAlias.clientData(SearchAlias.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:41338]    at
    com.q1labs.ariel.searches.tasks.Result.resultForAlias(Result.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:41338]    at
    com.q1labs.ariel.protocol.SearchAlias.result(SearchAlias.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:41338]    at
    com.q1labs.ariel.searches.AccessManager.updateResult(AccessManag
    er.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:41338]    at
    com.q1labs.ariel.searches.AccessManager.findQueryResult(AccessMa
    nager.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:41338]    at
    com.q1labs.ariel.ConnectedClient.findQueryResult(ConnectedClient
    .java)
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:41338]    at
    com.q1labs.ariel.ConnectedClient.findQueryResult(ConnectedClient
    .java)
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:41338]    at
    com.q1labs.ariel.ConnectedClient.processMessage(ConnectedClient.
    java)
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:41338]    at
    com.q1labs.ariel.ConnectedClient.run(ConnectedClient.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:41338]    at
    java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExec
    utor.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:41338]    at
    java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExe
    cutor.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:41338]    at java.lang.Thread.run(Thread.java)
    16 December 2019
    API / QRADAR VULNERABILITY MANAGER IJ21464 QRADAR VULNERABILITY MANAGER (QVM) API THROWS ILLEGAL ARGUMENT EXCEPTION WHEN REQUESTING VULNERABILITIES THAT HAVE A RISK OF 'CRITICAL' OPEN: Reported in QRadar 7.3.2 Patch 4 Workaround: Exception all Critical vulnerabilities in QVM or remove the critical vulnerabilities from the asset view.

    Issue:
    It has been identified that the QVM Vulninstance API throws an illegal argument exception when the requested vulnerability information includes vulnerabilities that have a Critical risk. The vulnerability content could have come from a third-party scanner, or from using the vulnerability triage feature in QVM to change the risk of some vulnerabilities to Critical. This affects apps such as QRadar Vulnerability Insights (QVI) that query vulnerabilities through the API, and any other integrations that use the QVM Vulninstance API. The QVI app data sync reports errors and shows zero counts on the dashboard.

    Messages similar to the following might be visible in /var/log/qradar.error when an API call is made:
    [tomcat.tomcat] [pool-1-thread-1]
    java.lang.IllegalArgumentException: Invalid RiskFactor name:
    Critical
    [tomcat.tomcat] [pool-1-thread-1]    at
    com.q1labs.assetprofile.api.r1_2017.pojo.RiskFactorDTO.forName(R
    iskFactorDTO.java)
    [tomcat.tomcat] [pool-1-thread-1]    at
    com.q1labs.assetprofile.api.r1_2017.R1_2017VulnInstanceDTOAdapte
    r.doConvert(R1_2017VulnInstanceDTOAdapter.java)
    [tomcat.tomcat] [pool-1-thread-1]    at
    com.q1labs.assetprofile.api.vulninstance.common.AbstractVulnInst
    anceDTOAdapter.dtoConvert(AbstractVulnInstanceDTOAdapter.java)
    [tomcat.tomcat] [pool-1-thread-1]    at
    com.q1labs.assetprofile.api.vulninstance.common.VulninstancesAPI
    Task.runTask(VulninstancesAPITask.java)
    [tomcat.tomcat] [pool-1-thread-1]    at
    com.ibm.si.frameworks.taskmanagement.Task.run(Task.java)
    [tomcat.tomcat] [pool-1-thread-1]    at
    java.util.concurrent.Executors$RunnableAdapter.call(Executors.ja
    va)
    [tomcat.tomcat] [pool-1-thread-1]    at
    java.util.concurrent.FutureTask.run(FutureTask.java)
    [tomcat.tomcat] [pool-1-thread-1]    at
    java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExec
    utor.java)
    [tomcat.tomcat] [pool-1-thread-1]    at
    java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExe
    cutor.java)
    [tomcat.tomcat] [pool-1-thread-1]    at
    java.lang.Thread.run(Thread.java)
    06 December 2019
    OFFENSES IJ21461 DUPLICATE OFFENSE RULE RESPONSE CAN OCCUR 30 MINUTES AFTER INITIAL OFFENSE TRIGGERING OPEN: Reported in QRadar 7.3.1 Patch 5 and later Workaround: No workaround available.

    Issue:
    It has been identified that a duplicate Offense Rule response can sometimes unexpectedly occur 30 minutes after the initial Offense Rule response occurs.

    For example, a duplicate (second) e-mail response is received for a single offense update 30 minutes after the first one, even though nothing in the offense was updated (no second event that causes offense generation). In this example, the second e-mail response is a false positive.
    11 December 2019
    ROUTING RULES / EVENT FORWARDING IJ21459 ONLINE AND OFFLINE TCP SELECTIVE FORWARDING CAN LOSE AN EVENT DURING A CONNECTION RESET CLOSED Resolved in QRadar 7.4.1 (7.4.1.20200716115107)

    Workaround: No workaround available.

    Issue:
    It has been identified that online and offline TCP selective forwarding can lose an event if the connection is reset at the remote end, because QRadar treats the event as already received.
    16 December 2019
    CONTENT MANAGEMENT TOOL (CMT) IJ21456 CONTENT MANAGEMENT TOOL IMPORT CONTAINING A DELETED/DISABLED BULK ADD LOG SOURCE CAN FAIL CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Patch 2 (7.3.3.20200208135728)

    Workaround
    No workaround available.

    Issue
    It has been identified that a Content Management Tool (CMT) import containing a deleted/disabled Bulk Add log source can fail with a null pointer exception. The following two conditions must both be met:
    1. A deleted log source is the first among the log sources that share the same bulk_added_id.
    2. The target system has at least one bulk group in the sensordevicebulkadd postgres table whose bulk_group_name matches the bulk group name of the imported log source.
    Messages such as the following might be visible in /var/log/qradar.log when this issue occurs:
    [tomcat.tomcat] [] com.ibm.si.content_management.ContentCustom:
    [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Failed to apply
    custom logic.
    [tomcat.tomcat] java.lang.NullPointerException
    [tomcat.tomcat]   at
    com.ibm.si.content_management.ContentCustom.importSensorDevice(C
    ontentCustom.java)
    [tomcat.tomcat]   at
    com.ibm.si.content_management.ContentCustom.importCustom(Content
    Custom.java)
    [tomcat.tomcat]   at
    com.ibm.si.content_management.Content.importCustomContent(Conten
    t.java)
    [tomcat.tomcat]   at
    com.ibm.si.content_management.ContentManager.importContent(Conte
    ntManager.java)
    [tomcat.tomcat]   at
    com.ibm.si.content_management.ContentManager.doImport(ContentMan
    ager.java)
    09 December 2019
    APPLICATION FRAMEWORK IJ21454 ERROR "SSL.CERTIFICATEERROR: HOSTNAME '{IPADDRESS}' DOESN'T MATCH '{FQDN}'" WHEN APP-VOLUME-BACKUP.PY SCRIPT RUNS OPEN: Reported in QRadar 7.3.2 Patch 2 versions Workaround: Contact Support for a possible workaround that might address this issue in some instances.

    Issue:
    It has been identified that the app-volume-backup.py backup script can fail with an error similar to:
    ssl.CertificateError: hostname '{IP Address}' doesn't match '{FQDN}'.

    When this issue occurs, QRadar App data backups do not complete successfully.

    This occurs when the script connects by IP address but that IP address is not included in the Subject Alternative Name (SAN) of the customer's certificate.
    16 December 2019
    REFERENCE SETS IJ21446 REFERENCE SETS INCORRECTLY DISPLAY " 0 " IN 'NUMBER OF ELEMENTS' AND 'ASSOCIATED RULES' OPEN: Reported in QRadar 7.3.2 versions Workaround: Add a value (then remove it, if desired) to the affected Reference Set(s). This should repair the reference set tables involved and display the correct number of elements or associated rules.

    Issue:
    It has been identified that the "Associated Rules" column and the "Number of Elements" column in the Reference Set Management user interface can sometimes display " 0 " when there are rules and/or elements associated with the Reference Set.
    13 December 2019
    REPORTS IJ21445 'APPLICATION ERROR' WHEN MODIFYING REPORTS CREATED BY A DIFFERENT USER OR ASSIGNING REPORT TO A NEW GROUP CLOSED Resolved in:
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Patch 2 (7.3.3.20200208135728)

    Workaround
    Either modify the report as the original user who created it without adding new groups, or, while modifying the report, unassign it from all existing groups.

    Issue
    It has been identified that an "Application Error" can be generated when clicking the "Finish" button while modifying a report in the following scenarios:
    1. The report was created by a different user, and the current user is modifying it for the first time
       OR
    2. The report is being assigned to a new group, AND
    3. The report has a VirtualViewReferenceID associated with it.

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [tomcat.tomcat] [ /console/do/reportwizard] com.q1labs.uiframeworks.action.ExceptionHandler: [ERROR] Chained SQL Exception [1/1]: You can't operate on a closed Statement!!!
    [tomcat.tomcat] [ /console/do/reportwizard] com.q1labs.uiframeworks.action.ExceptionHandler: [ERROR] [NOT:0000003000][-/- -]An exception occurred while processing the request:
    [tomcat.tomcat] [ /console/do/reportwizard] java.sql.SQLException: You can't operate on a closed Statement!!!
    [tomcat.tomcat] [ /console/do/reportwizard]    at com.mchange.v2.sql.SqlUtils.toSQLException(SqlUtils.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at com.mchange.v2.sql.SqlUtils.toSQLException(SqlUtils.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at com.mchange.v2.c3p0.impl.NewProxyPreparedStatement.setString(NewProxyPreparedStatement.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.setString(DelegatingPreparedStatement.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator$LoggingConnection$LoggingPreparedStatement.setString(LoggingConnectionDecorator.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.setString(DelegatingPreparedStatement.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.setString(DelegatingPreparedStatement.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.setString(DelegatingPreparedStatement.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at com.q1labs.frameworks.session.PreparedStatementWrapper.setString(PreparedStatementWrapper.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at com.q1labs.core.shared.group.FgroupTypeFactory.assignItemsToGroups(FgroupTypeFactory.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at com.q1labs.reports.ui.util.ReportGroupFactory.assignItemsToGroups(ReportGroupFactory.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at com.q1labs.reports.ui.action.ReportWizard.generateReport(ReportWizard.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at com.q1labs.reports.ui.action.ReportWizard.fetchPageToDisplay(ReportWizard.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at com.q1labs.reports.ui.action.ReportWizard.executeAction(ReportWizard.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at com.q1labs.uiframeworks.actions.WizardAction.execute(WizardAction.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at com.q1labs.uiframeworks.action.RequestProcessor.processActionPerform(RequestProcessor.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.struts.action.ActionServlet.process(ActionServlet.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at com.q1labs.uiframeworks.action.ActionServlet.process(ActionServlet.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at javax.servlet.http.HttpServlet.service(HttpServlet.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at javax.servlet.http.HttpServlet.service(HttpServlet.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    [tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at com.q1labs.uiframeworks.postauthredirect.PostLoginRedirectFilter.doFilter(PostLoginRedirectFilter.java:70)
    [tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at com.q1labs.uiframeworks.valve.ErrorReportValve.invoke(ErrorReportValve.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at java.lang.Thread.run(Thread.java)
    [tomcat.tomcat] [ /console/do/reportwizard] Caused by:
    [tomcat.tomcat] [ /console/do/reportwizard] java.lang.NullPointerException
    [tomcat.tomcat] [ /console/do/reportwizard]    at com.mchange.v2.c3p0.impl.NewProxyPreparedStatement.maybeDirtyTransaction(NewProxyPreparedStatement.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at com.mchange.v2.c3p0.impl.NewProxyPreparedStatement.setString(NewProxyPreparedStatement.java:961)
    [tomcat.tomcat] [ /console/do/reportwizard]    ... 74 more
    [tomcat.tomcat] [ /console/do/reportwizard] com.q1labs.uiframeworks.action.ExceptionHandler: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Root cause:
    [tomcat.tomcat] [ /console/do/reportwizard] java.lang.NullPointerException
    [tomcat.tomcat] [ /console/do/reportwizard]    at com.mchange.v2.c3p0.impl.NewProxyPreparedStatement.maybeDirtyTransaction(NewProxyPreparedStatement.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at com.mchange.v2.c3p0.impl.NewProxyPreparedStatement.setString(NewProxyPreparedStatement.java:961)
    [tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.setString(DelegatingPreparedStatement.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.openjpa.lib.jdbc.LoggingConnectionDecorator$LoggingConnection$LoggingPreparedStatement.setString(LoggingConnectionDecorator.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.setString(DelegatingPreparedStatement.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.setString(DelegatingPreparedStatement.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.openjpa.lib.jdbc.DelegatingPreparedStatement.setString(DelegatingPreparedStatement.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at com.q1labs.frameworks.session.PreparedStatementWrapper.setString(PreparedStatementWrapper.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at com.q1labs.core.shared.group.FgroupTypeFactory.assignItemsToGroups(FgroupTypeFactory.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at com.q1labs.reports.ui.util.ReportGroupFactory.assignItemsToGroups(ReportGroupFactory.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at com.q1labs.reports.ui.action.ReportWizard.generateReport(ReportWizard.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at com.q1labs.reports.ui.action.ReportWizard.fetchPageToDisplay(ReportWizard.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at com.q1labs.reports.ui.action.ReportWizard.executeAction(ReportWizard.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at com.q1labs.uiframeworks.actions.WizardAction.execute(WizardAction.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at com.q1labs.uiframeworks.action.RequestProcessor.processActionPerform(RequestProcessor.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java)
    [tomcat.tomcat] [ /console/do/reportwizard]    at org.apache.struts.action.ActionServlet.process(ActionServlet.java)
    06 December 2019
    RULES IJ21420 QRADAR DEPENDENCY CHECKER SOMETIMES DOES NOT FIND DEPENDENT RULES OR BUILDING BLOCKS OPEN: Reported in multiple QRadar versions Workaround: Create a new rule test that includes the building block not being picked up by the QRadar dependency checker.

    Issue:
    It has been identified that the QRadar dependency checker does not find rules or building blocks referenced by a system rule when a newly created building block is added to one of that rule's existing rule tests (instead of being added as a new rule test). For example:
    1. Create a building block.
    2. Take a system rule that has a rule test referencing other rules (e.g. Multiple Failed Logins to a Compliance Asset).
    3. In that rule, click the rule test that references other building blocks, add the building block created in step 1, and save it.
    4. Go to the building block, try to delete it, and view the rule dependents.

      Results
    • Actual: The dependency checker does not include the Multiple Failed Logins to a Compliance Asset rule.
    • Desired: The dependency checker also includes the Multiple Failed Logins to a Compliance Asset rule.
    16 December 2019
    RULES IJ21352 RULE NAMES IN 'LIST OF RULES CONTRIBUTING TO OFFENSE' CAN BE INCORRECT OPEN: Reported in multiple QRadar versions Workaround: Close the original offense after modifying the rule name. The next time the rule is triggered it creates a new offense that has the updated rule name in the list.

    Note: The offense name might be different based on what option for offense naming is chosen in the Rule Wizard.

    Issue:
    It has been identified that in some instances Rule Names in "List of Rules Contributing to Offense" are incorrect. For example:
    1. Have a rule that creates an offense.
    2. Trigger the rule for the first time to create an offense.
    3. Edit the rule name.
    4. When the rule is triggered again, the rule name in the "List of Rules Contributing to Offense" page displays the old rule name.
    13 December 2019
    ROUTING RULES IJ21347 ROUTING RULES CAN FAIL TO WORK AS EXPECTED WHEN A HUNG THREAD DOES NOT RESTART AS EXPECTED OPEN: Reported in QRadar 7.3.1 Patch 8 Workaround
    From an SSH command line session, restart the ecs-ec service manually with the following command:
    systemctl restart ecs-ec

    Issue
    It has been identified that in some instances an RPC call made by the event collection service (ecs-ec) can hang instead of timing out and restarting as expected. In the thread dump below, the SelectiveForwardingStatisticsReportingTimer thread is parked in a socket read during a TLS handshake inside a JSON-RPC call while holding a HashMap lock, and the SequentialEventDispatcher thread stays BLOCKED waiting for that same lock. While this condition persists, routing rules can fail to work as expected until the ecs-ec service is restarted successfully. Messages similar to the following might be visible in QRadar logging when this issue occurs:
    "87393acc-aa0a-4cd2-97da-6c6a8a65454f/SequentialEventDispatcher" Id=83 in BLOCKED on lock=java.util.HashMap@8607f58e
         owned by SelectiveForwardingStatisticsReportingTimer Id=89
        at com.q1labs.semsources.selectiveforwarding.SelectiveForwardingCommunicator.notifyStatisticsUpdated(SelectiveForwardingCommunicator.java:268)
        at com.q1labs.core.shared.selectiveforwardingset.SelectiveForwardingSetCache.notifyDestinationChangeListener(SelectiveForwardingSetCache.java:591)
        at com.q1labs.core.shared.selectiveforwardingset.SelectiveForwardingSetCache.messageReceived(SelectiveForwardingSetCache.java)
        at com.q1labs.frameworks.events.jms.JMSMessageEvent.dispatchEvent(JMSMessageEvent.java)
        at com.q1labs.frameworks.events.SequentialEventDispatcher$DispatchThread.run(SequentialEventDispatcher.java:129)
    "SelectiveForwardingStatisticsReportingTimer" Id=89 in RUNNABLE (running in native)
        at java.net.SocketInputStream.socketRead0(Native Method)
        at java.net.SocketInputStream.socketRead(SocketInputStream.java)
        at java.net.SocketInputStream.read(SocketInputStream.java)
        at java.net.SocketInputStream.read(SocketInputStream.java)
        at com.ibm.jsse2.b.a(b.java:262)
        at com.ibm.jsse2.b.a(b.java:33)
        at com.ibm.jsse2.av.a(av.java:579)
          - locked java.lang.Object@47749733
        at com.ibm.jsse2.av.i(av.java:574)
          - locked java.lang.Object@91bc8eee
        at com.ibm.jsse2.av.a(av.java:280)
        at com.ibm.jsse2.av.startHandshake(av.java:431)
        at com.ibm.net.ssl.www2.protocol.https.c.afterConnect(c.java)
        at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java)
        at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java)
          - locked com.ibm.net.ssl.www2.protocol.https.e@93c90c60
        at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java)
          - locked com.ibm.net.ssl.www2.protocol.https.e@93c90c60
        at com.ibm.net.ssl.www2.protocol.https.b.getOutputStream(b.java)
          - locked com.ibm.net.ssl.www2.protocol.https.b@2111733
        at com.q1labs.core.shared.jsonrpc.RPC.executeMethod(RPC.java)
        at com.q1labs.core.shared.jsonrpc.RPC.executeMethod(RPC.java)
        at com.q1labs.core.shared.jsonrpc.RPC.executeMethodWithTimeout(RPC.java)
        at com.q1labs.core.shared.jsonrpc.RPC.executeMethod(RPC.java)
        at com.q1labs.semsources.selectiveforwarding.SelectiveForwardingCommunicator.reportStats(SelectiveForwardingCommunicator.java)
          - locked java.util.HashMap@8607f58e
        at com.q1labs.semsources.selectiveforwarding.SelectiveForwardingCommunicator$1.run(SelectiveForwardingCommunicator.java)
        at java.util.TimerThread.mainLoop(Timer.java)
        at java.util.TimerThread.run(Timer.java)
    13 December 2019
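The IJ21347 entry above asks the administrator to recognise a hung-thread lock chain from a thread dump. The following script is an added example (not QRadar code) that parses the dump shape shown in that entry: a BLOCKED thread names the lock it waits on and the thread that owns it, and the owner's frames show where it is parked. It reports, for each BLOCKED thread, whether the named owner really holds that lock and whether the owner's top frame is a native socket read, which together are the signature that the ecs-ec restart workaround addresses. SAMPLE_DUMP is constructed from the entry's dump with the frames shortened; the third thread is invented to show a non-matching case.

```python
"""Find hung-thread lock chains in a Java thread dump (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

HEADER_RE = re.compile(r'^\s*"(?P<name>[^"]+)"\s+Id=(?P<id>\d+)\s+in\s+(?P<state>[A-Z_]+)'
                       r'(?:\s+on\s+lock=(?P<lock>\S+))?')
OWNER_RE = re.compile(r'^\s*owned by\s+(?P<owner>\S+)\s+Id=(?P<id>\d+)')
LOCKED_RE = re.compile(r'^\s*-\s+locked\s+(?P<lock>\S+)')
FRAME_RE = re.compile(r'^\s*at\s+(?P<frame>\S.*)$')

# A lock holder parked here is waiting on the network, not making progress.
NATIVE_WAIT_MARKERS = ("socketRead0", "Native Method")


@dataclass
class JThread:
    name: str
    tid: int
    state: str
    waiting_on: Optional[str] = None
    owner_id: Optional[int] = None
    frames: List[str] = field(default_factory=list)
    holds: List[str] = field(default_factory=list)


def parse_dump(text: str) -> Dict[int, JThread]:
    """Parse thread headers, 'owned by' lines, '- locked' lines and frames."""
    threads: Dict[int, JThread] = {}
    cur: Optional[JThread] = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = JThread(m["name"], int(m["id"]), m["state"], m["lock"])
            threads[cur.tid] = cur
            continue
        if cur is None:
            continue
        if (m := OWNER_RE.match(line)):
            cur.owner_id = int(m["id"])
        elif (m := LOCKED_RE.match(line)):
            cur.holds.append(m["lock"])
        elif (m := FRAME_RE.match(line)):
            cur.frames.append(m["frame"])
    return threads


def find_hung_chains(text: str) -> List[Dict[str, object]]:
    """For every BLOCKED thread, resolve the lock owner and report whether
    the owner really holds that lock and whether its top frame is a native
    socket read. Both true together is the IJ21347 signature."""
    threads = parse_dump(text)
    findings = []
    for t in threads.values():
        if t.state != "BLOCKED" or t.owner_id is None:
            continue
        owner = threads.get(t.owner_id)
        if owner is None:
            continue
        top = owner.frames[0] if owner.frames else ""
        findings.append({
            "blocked": t.name,
            "lock": t.waiting_on,
            "owner": owner.name,
            "owner_state": owner.state,
            "owner_top_frame": top,
            "owner_holds_lock": t.waiting_on in owner.holds,
            "owner_in_native_wait": any(k in top for k in NATIVE_WAIT_MARKERS),
        })
    return findings


# Constructed sample in the shape of the IJ21347 dump (frames abbreviated;
# the third thread is invented to show a thread that is not part of a chain).
SAMPLE_DUMP = '''\
"87393acc-aa0a-4cd2-97da-6c6a8a65454f/SequentialEventDispatcher" Id=83 in BLOCKED on lock=java.util.HashMap@8607f58e
     owned by SelectiveForwardingStatisticsReportingTimer Id=89
    at com.q1labs.semsources.selectiveforwarding.SelectiveForwardingCommunicator.notifyStatisticsUpdated(SelectiveForwardingCommunicator.java:268)
    at com.q1labs.frameworks.events.SequentialEventDispatcher$DispatchThread.run(SequentialEventDispatcher.java:129)
"SelectiveForwardingStatisticsReportingTimer" Id=89 in RUNNABLE
(running in native)
    at java.net.SocketInputStream.socketRead0(Native Method)
    at com.ibm.jsse2.av.startHandshake(av.java:431)
    at com.q1labs.core.shared.jsonrpc.RPC.executeMethod(RPC.java)
    at com.q1labs.semsources.selectiveforwarding.SelectiveForwardingCommunicator.reportStats(SelectiveForwardingCommunicator.java)
      - locked java.util.HashMap@8607f58e
    at java.util.TimerThread.run(Timer.java)
"ecs-ec-idle-worker" Id=12 in WAITING on lock=java.lang.Object@1
    at java.lang.Object.wait(Native Method)
'''

if __name__ == "__main__":
    for finding in find_hung_chains(SAMPLE_DUMP):
        print(finding)
```

Run it against a real dump (for example one taken with jstack or the output of kill -3 on the ecs-ec JVM) by passing the file contents to find_hung_chains; a finding with owner_holds_lock and owner_in_native_wait both true is the condition described in the entry, and restarting ecs-ec as the workaround says clears it.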
    LOG SOURCE GROUPS IJ21333 UNABLE TO DELETE LOG SOURCE GROUP DUE TO FAILED DEPENDENCY CHECK OPEN: Reported in QRadar 7.3.2 Patch 4 Workaround: Contact Support for a possible workaround that might address this issue in some instances.

    Issue:
    It has been identified that in some instances Log Source groups cannot be deleted because the dependency check fails on a customviewparams entry (SELECTIVE_FORWARDING-events-xxx) that uses the arielsearchlite class. This customviewparams entry does not have the proper database name structure, which is why the error below reports the ariel database as null.

    Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs:
    [tomcat.tomcat] [pool-1-thread-5] com.q1labs.core.shared.datadeletion.LogSourceGroupDeletion: [ERROR] [NOT:0000003000][xxx.xxx.xxx.xxx/- -] [-/- -]Error while getting Saved Search dependents for this Log Source Group: 104460
    [tomcat.tomcat] [pool-1-thread-5] java.lang.RuntimeException: java.lang.RuntimeException: Could not locate the configuration for ariel database null
    [tomcat.tomcat] [pool-1-thread-5]    at com.q1labs.core.shared.ariel.ArielSearchLite.toQueryParams(ArielSearchLite.java:682)
    [tomcat.tomcat] [pool-1-thread-5]    at com.q1labs.core.shared.ariel.ArielSearchLite.toQueryParams(ArielSearchLite.java:369)
    [tomcat.tomcat] [pool-1-thread-5]    at com.q1labs.core.shared.ariel.ArielSearchLite.toQueryParams(ArielSearchLite.java:363)
    [tomcat.tomcat] [pool-1-thread-5]    at com.q1labs.core.shared.ariel.ArielSearchLite.toQueryParams(ArielSearchLite.java:358)
    [tomcat.tomcat] [pool-1-thread-5]    at com.q1labs.core.shared.ariel.ArielSearchLite.toQueryParams(ArielSearchLite.java:353)
    [tomcat.tomcat] [pool-1-thread-5]    at com.q1labs.core.shared.datadeletion.LogSourceGroupDeletion.getArielSavedSearchDependentsByGroupId(LogSourceGroupDeletion.java)
    [tomcat.tomcat] [pool-1-thread-5]    at com.q1labs.core.shared.datadeletion.LogSourceGroupDeletion.getUsage(LogSourceGroupDeletion.java:58)
    [tomcat.tomcat] [pool-1-thread-5]    at com.q1labs.core.shared.datadeletion.task.FindDependentsTask.getActualUsage(FindDependentsTask.java:291)
    [tomcat.tomcat] [pool-1-thread-5]    at com.q1labs.core.shared.datadeletion.task.FindDependentsTask.getChildUsage(FindDependentsTask.java:212)
    [tomcat.tomcat] [pool-1-thread-5]    at com.q1labs.core.shared.datadeletion.task.FindDependentsTask.getDefaultUsage(FindDependentsTask.java:169)
    [tomcat.tomcat] [pool-1-thread-5]    at com.q1labs.core.shared.datadeletion.task.FindDependentsTask.runTask(FindDependentsTask.java:122)
    [tomcat.tomcat] [pool-1-thread-5]    at com.ibm.si.frameworks.taskmanagement.Task.run(Task.java:108)
    [tomcat.tomcat] [pool-1-thread-5]    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:522)
    [tomcat.tomcat] [pool-1-thread-5]    at java.util.concurrent.FutureTask.run(FutureTask.java:277)
    [tomcat.tomcat] [pool-1-thread-5]    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
    [tomcat.tomcat] [pool-1-thread-5]    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
    [tomcat.tomcat] [pool-1-thread-5]    at java.lang.Thread.run(Thread.java:812)
    [tomcat.tomcat] [pool-1-thread-5] Caused by:
    [tomcat.tomcat] [pool-1-thread-5] java.lang.RuntimeException: Could not locate the configuration for ariel database null
    [tomcat.tomcat] [pool-1-thread-5]    at com.q1labs.core.shared.ariel.ArielUtils.getProperties(ArielUtils.java:713)
    [tomcat.tomcat] [pool-1-thread-5]    at com.q1labs.core.shared.ariel.ArielSearchLite.loadProperties(ArielSearchLite.java:897)
    [tomcat.tomcat] [pool-1-thread-5]    at com.q1labs.core.shared.ariel.ArielSearchLite.toQueryParams(ArielSearchLite.java:385)
    [tomcat.tomcat] [pool-1-thread-5]    ... 16 more
    10 December 2019
    AQL IJ21332 AQL SEARCHES RETURNING INCORRECT RESULTS DUE TO CONVERT TO AQL NOT ADDING PERCENT ( % ) SYMBOL IN ILIKE STATEMENTS OPEN: Reported in QRadar 7.3.2 Patch 2 Workaround: No workaround available.

    Issue:
    It has been identified that Convert to AQL does not add the percent ( % ) wildcard to ILIKE statements. Without the wildcard, ILIKE matches only the whole field value, so an Advanced Search (AQL) built from the converted query returns incorrect or no results. The same search performed in the QRadar User Interface works as expected.
    09 December 2019
    DEPLOY CHANGES IJ21674 'DEPLOY' FUNCTION CAN FAIL AFTER A CONFIGURATION RESTORE IS PERFORMED OPEN: Reported in QRadar 7.3.2 Patch 4 Workaround: Contact Support for a possible workaround that might address this issue in some instances.

    Issue:
    The QRadar "deploy" function can fail after a configuration restore has been performed.

    These "deploy" failures occur because bandwidth_egress_filter database table entries are missing after the restore process.

    Messages similar to the following might be visible in QRadar logging when this issue occurs:
    com.q1labs.frameworks.exceptions.FrameworksException: Failed to get next filter ID for hostID=677 and wildcard device
      at com.q1labs.core.shared.bm.BandwidthConfigurationUtilities.updateBMForAQSDeployment(BandwidthConfigurationUtilities.java:155)
      at com.q1labs.configservices.config.globalset.ibm.BandwidthManagerTransformer.updateDeploymentAQSConfig(BandwidthManagerTransformer.java:110)
      ... 80 more
    Caused by: com.q1labs.frameworks.exceptions.FrameworksException: Failed to execute query for next valid class ID
      at com.q1labs.core.shared.bm.BandwidthConfigurationUtilities.getNextValidFilterID(BandwidthConfigurationUtilities.java:942)
      at com.q1labs.core.shared.bm.BandwidthConfigurationUtilities.updateBMForAQSDeployment(BandwidthConfigurationUtilities.java:151)
      ... 81 more
    Caused by: org.apache.openjpa.persistence.ArgumentException: Cannot load object with id "com.q1labs.core.dao.bm.BandwidthEgressFilter-com.q1labs.core.dao.bm.BandwidthEgressFilterCompKey@b055f". Instance "com.q1labs.core.dao.bm.BandwidthEgressFilter@31a91e2c" with the same id already exists in the L1 cache. This can occur when you assign an existing id to a new instance, and before flushing attempt to load the existing instance for that id.
    22 January 2020
    AQL IJ21676 QRADAR ERROR WHEN ATTEMPTING TO EXECUTE A LONG AQL QUERY OPEN: Reported in QRadar 7.3.2 Patch 4 Workaround: The problem can be avoided by reducing the length of the search criteria used (e.g. reduce the number of "or" clauses).

    Issue:
    An 'Application Error' can be generated in the QRadar User Interface when a long AQL query is executed, and the same query fails with an API error when it is run through the REST API.

    Messages similar to the following might be visible in /var/log/httpd/error.log when this issue occurs:
    [proxy_ajp:error] [pid 4251] ajp_msg_append_cvt_string(): BufferOverflowException 4 631
    22 January 2020
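Two of the AQL entries above describe query-text problems an administrator can check for before running a search: IJ21332 (a converted ILIKE pattern that lost its % wildcard) and IJ21676 (a query long enough, typically through many "or" clauses, to overflow the AJP buffer). The following linter is an added example, not QRadar code. It assumes AQL string literals are single-quoted with '' as the escape and that the deployment accepts the IN operator; the byte and OR limits are caller-supplied because the page does not publish the buffer size.

```python
"""Lint AQL text for the problems described in IJ21332 and IJ21676 (added example)."""
import re
from typing import Dict, List, Optional

STR = r"'(?:[^']|'')*'"                      # single-quoted literal, '' escapes a quote
STRING_RE = re.compile(STR)
LIKE_RE = re.compile(rf"\b(I?LIKE)\s+({STR})", re.IGNORECASE)
OR_RE = re.compile(r"\bOR\b", re.IGNORECASE)
EQ = rf"(\w+)\s*=\s*({STR})"                 # bare field = 'literal' (quoted names are left alone)
EQ_RE = re.compile(EQ, re.IGNORECASE)
EQ_RUN_RE = re.compile(rf"{EQ}(?:\s+OR\s+\1\s*=\s*{STR})+", re.IGNORECASE)


def like_patterns_without_wildcard(aql: str) -> List[str]:
    """Return each (I)LIKE pattern that carries no % or _ wildcard.

    Without a wildcard the pattern matches only the whole field value, so
    a 'contains' filter converted from the UI silently becomes an exact
    match and returns few or no rows (IJ21332)."""
    return [m.group(2)[1:-1] for m in LIKE_RE.finditer(aql)
            if not any(w in m.group(2) for w in "%_")]


def add_missing_wildcards(aql: str) -> str:
    """Rewrite wildcard-less (I)LIKE patterns as '%value%' (a contains match)."""
    def fix(m):
        lit = m.group(2)[1:-1]
        if "%" in lit or "_" in lit:
            return m.group(0)
        return f"{m.group(1)} '%{lit}%'"
    return LIKE_RE.sub(fix, aql)


def or_clause_count(aql: str) -> int:
    """Count OR operators, blanking string literals first so a value such as
    '%or%' is not counted."""
    return len(OR_RE.findall(STRING_RE.sub("''", aql)))


def collapse_equality_ors(aql: str) -> str:
    """field = 'a' OR field = 'b' OR ... -> field IN ('a', 'b', ...).

    Only runs of equalities on the same bare field name are touched; this
    shortens the query and removes OR clauses, which is the workaround
    given for IJ21676. Assumes the deployment accepts IN."""
    def fix(m):
        values = [e.group(2) for e in EQ_RE.finditer(m.group(0))]
        return f"{m.group(1)} IN ({', '.join(values)})"
    return EQ_RUN_RE.sub(fix, aql)


def lint(aql: str, max_bytes: Optional[int] = None,
         max_or: Optional[int] = None) -> Dict[str, object]:
    """Measure a query and list findings against caller-supplied limits."""
    findings = []
    bad = like_patterns_without_wildcard(aql)
    if bad:
        findings.append(f"(I)LIKE without wildcard: {bad}")
    ors = or_clause_count(aql)
    if max_or is not None and ors > max_or:
        findings.append(f"{ors} OR clauses exceeds {max_or}")
    size = len(aql.encode("utf-8"))
    if max_bytes is not None and size > max_bytes:
        findings.append(f"{size} bytes exceeds {max_bytes}")
    return {"bytes": size, "or_clauses": ors, "bad_like": bad,
            "findings": findings}


if __name__ == "__main__":
    # Constructed queries in the shape of a converted UI search.
    q = "SELECT sourceip FROM events WHERE \"Username\" ILIKE 'admin' LAST 1 HOURS"
    print(lint(q))
    print(add_missing_wildcards(q))
    q = ("SELECT * FROM events WHERE username = 'a' OR username = 'b' "
         "OR username = 'c' OR sourceip = '10.0.0.1'")
    print(collapse_equality_ors(q))
```

The IN rewrite is conservative on purpose: it only touches runs of plain equalities on one field and never reorders AND/OR, so the rewritten query keeps the original's meaning while being shorter.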
    RULES / APP CONTENT EXTENSIONS IJ21677 MODIFIED RULES FROM INSTALLED CONTENT PACK AND THEN UNINSTALLING CONTENT PACK CAUSES NULLPOINTEREXCEPTION OPEN: Reported in QRadar 7.3.2 Patch 3 and later Workaround: Contact Support for a possible workaround that might address this issue in some instances.

    Issue:
    Rules that were modified after the content pack containing them was installed can cause NullPointerException(s) once that content pack is uninstalled. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [ecs-ep.ecs-ep] [Thread-127] com.q1labs.core.dao.cre.CustomRule: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Error while unmarshalling rule id 500 from DB table custom_rule
    [ecs-ep.ecs-ep] [Thread-127] java.lang.NullPointerException
    [ecs-ep.ecs-ep] [Thread-127]    at com.q1labs.core.dao.cre.CustomRule.getRule(CustomRule.java:299)
    [ecs-ep.ecs-ep] [Thread-127]    at com.q1labs.core.shared.cre.CREServices.getCustomRules(CREServices.java:1955)
    [ecs-ep.ecs-ep] [Thread-127]    at com.q1labs.core.shared.cre.CREServices.getCustomRules(CREServices.java:1974)
    [ecs-ep.ecs-ep] [Thread-127]    at com.q1labs.core.shared.cre.CREServices.getAllFlowAndEventRules(CREServices.java:1801)
    [ecs-ep.ecs-ep] [Thread-127]    at com.q1labs.semsources.cre.CustomRuleReader.readRules(CustomRuleReader.java:332)
    [ecs-ep.ecs-ep] [Thread-127]    at com.q1labs.semsources.cre.CustomRuleReader.run(CustomRuleReader.java:225)
    02 January 2020
    SEARCH IJ21678 ARIEL SEARCHES IN QRADAR CAN TAKE LONGER THAN EXPECTED TO COMPLETE WHEN USING A LOG SOURCE TYPE FILTER OPEN: Reported in QRadar 7.3.2 Patch 4 Workaround: Contact Support for assistance in identifying if this issue is the cause of slow searches when using Log Source type filters.

    Issue:
    Searches can take longer than expected to complete when using a Log Source type filter in an Ariel search. This has been identified as being caused by ariel becoming single threaded in some instances.
    02 January 2020
    UPGRADE / APP FRAMEWORK IJ21697 DOCKER CAN FAIL TO START DURING QRADAR PATCHING PROCESSES CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
    QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722)

    Workaround
    Administrators can install the software version that resolves this software issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances.

    Issue:
    In some instances, Docker can fail to start during the QRadar upgrade processes. When this occurs, QRadar Apps cannot be used or installed until the issue with Docker is corrected.
    02 January 2020
    DECAPPER / SYSTEM IJ21698 QRADAR NETWORK INSIGHTS (QNI) DECAPPER CAN CRASH AND GENERATE A COREDUMP CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)
    QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)

    Workaround
    No workaround available.

    Issue
    The QRadar Network Insights (QNI) decapper can crash and generate a coredump. These particular decapper coredump instances are related to a DTLS error. Support can analyze the generated coredump to determine further whether this is the issue affecting the QNI decapper. Messages similar to the following might be visible in /var/log/messages and /var/log/qradar.log when this issue occurs:

    Example from messages log file where multiple core dump messages appear:
    [578]: Process 5298 (decapper) of user 99 killed by SIGABRT - dumping core
    [691]: Process 8687 (decapper) of user 99 killed by SIGABRT - dumping core
    [351]: Process 5846 (decapper) of user 99 killed by SIGABRT - dumping core
    [466]: Process 4250 (decapper) of user 99 killed by SIGABRT - dumping core
    [830]: Process 4891 (decapper) of user 99 killed by SIGABRT - dumping core
    [649]: Process 4823 (decapper) of user 99 killed by SIGABRT - dumping core
    [868]: Process 6960 (decapper) of user 99 killed by SIGABRT - dumping core
    [450]: Process 7803 (decapper) of user 99 killed by SIGABRT - dumping core
    [995]: Process 9482 (decapper) of user 99 killed by SIGABRT - dumping core

    Example from qradar.log:
    decapper - INFO - rtf for rtf0 died - return code: -6
    decapper - INFO - Started rtf process for case rtf0
    decapper: [main] decapper.keybag: [INFO] Reading keybag configuration......
    decapper: [main] decapper.APPID: [INFO] Reading signature file....
    decapper: [main] decapper.yara: [INFO] YaraRules: Reading rule file......
    decapper: [main] decapper.yara: [WARN] YaraRules: Config file is empty.
    decapper: [main] decapper: [INFO] rtf0: Processing napatech
    [hostcontext.hostcontext] [Server Host Status Processor] com.q1labs.configservices.controller.ServerHostStatusUpdater: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Sent update status of host 127.0.0.1 to ACTIVE
    decapper: [] decapper.capture: [INFO] rtf1: [1] Packet Capture Stats 60 sec: (Read: Packets(1938480, 32297/sec), Octets(909349284, 15150791/sec)) (Dropped: Packets(0, 0/sec), Octets(0, 0/sec))
    decapper: [] decapper.capture: [INFO] rtf1: [1] Content Scan Stats 60 sec: Requests(8873, 147/sec) Throttled(0, 0/sec) Filtered(2, 0/sec)
    decapper: [] decapper.capture: [INFO] rtf1: [1] Flow Report Stats 60 sec: Std(33000, 549/sec, 10406 unique) Content(32041, 533/sec) Dropped(0, 0/sec)
    02 January 2020
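The IJ21698 entry above gives two log signatures for the same event: /var/log/messages records "Process <pid> (decapper) of user 99 killed by SIGABRT - dumping core" and qradar.log records the supervisor's view as "rtf for rtf0 died - return code: -6". A negative return code of this form is the negated signal number, and SIGABRT is signal 6 on Linux, so the two lines can be tied together. The script below is an added example, not QRadar code; it ties the two logs together and decides whether the decapper is in a crash loop. The sample lines are constructed in the shape of the entry's excerpt (the tomcat line is invented as a non-matching case), and the crash-loop threshold is an assumption, not a value the page gives.

```python
"""Detect a decapper crash loop from the IJ21698 log signatures (added example)."""
import re
import signal
from collections import Counter
from typing import Dict, List, Optional, Tuple

CORE_RE = re.compile(
    r"Process (?P<pid>\d+) \((?P<proc>[^)]+)\) of user (?P<uid>\d+) "
    r"killed by (?P<sig>SIG[A-Z0-9]+) - dumping core")
DIED_RE = re.compile(r"rtf for (?P<case>rtf\d+) died - return code: (?P<rc>-?\d+)")


def signal_from_return_code(rc: int) -> Optional[str]:
    """Map a supervisor return code to a signal name: -6 -> SIGABRT.
    Non-negative codes are ordinary exit statuses, not signals."""
    if rc >= 0:
        return None
    try:
        return signal.Signals(-rc).name
    except ValueError:
        return f"SIG{-rc}"


def core_dumps(messages: str, proc: str = "decapper") -> List[Tuple[int, str]]:
    """(pid, signal) for every core dump of `proc` in /var/log/messages text."""
    return [(int(m["pid"]), m["sig"]) for m in CORE_RE.finditer(messages)
            if m["proc"] == proc]


def rtf_deaths(qradar_log: str) -> List[Tuple[str, str]]:
    """(case, signal name) for every 'rtf ... died' line in qradar.log text."""
    return [(m["case"], signal_from_return_code(int(m["rc"])) or m["rc"])
            for m in DIED_RE.finditer(qradar_log)]


def assess(messages: str, qradar_log: str, threshold: int = 3) -> Dict[str, object]:
    """Correlate both logs and decide whether the decapper is looping.

    crash_loop is True when at least `threshold` decapper cores were dumped
    and the dominant signal in messages is also what the supervisor saw,
    which separates this pattern from unrelated one-off aborts."""
    cores = core_dumps(messages)
    deaths = rtf_deaths(qradar_log)
    core_sigs = Counter(sig for _, sig in cores)
    death_sigs = Counter(sig for _, sig in deaths)
    dominant = core_sigs.most_common(1)[0][0] if core_sigs else None
    agree = dominant is not None and dominant in death_sigs
    return {
        "decapper_cores": len(cores),
        "core_signals": dict(core_sigs),
        "rtf_deaths": len(deaths),
        "death_signals": dict(death_sigs),
        "signals_agree": agree,
        "crash_loop": agree and len(cores) >= threshold,
    }


# Constructed sample lines in the shape of the IJ21698 excerpt; the tomcat
# line is invented so that the process filter has something to exclude.
SAMPLE_MESSAGES = """\
[578]: Process 5298 (decapper) of user 99 killed by SIGABRT - dumping core
[691]: Process 8687 (decapper) of user 99 killed by SIGABRT - dumping core
[351]: Process 5846 (decapper) of user 99 killed by SIGABRT - dumping core
[466]: Process 4250 (decapper) of user 99 killed by SIGABRT - dumping core
[470]: Process 4300 (tomcat) of user 1000 killed by SIGSEGV - dumping core
"""
SAMPLE_QRADAR_LOG = """\
decapper - INFO - rtf for rtf0 died - return code: -6
decapper - INFO - Started rtf process for case rtf0
decapper - INFO - rtf for rtf0 died - return code: -6
decapper - INFO - Started rtf process for case rtf0
"""

if __name__ == "__main__":
    print(assess(SAMPLE_MESSAGES, SAMPLE_QRADAR_LOG))
```

Feed it the real files (open("/var/log/messages").read() and the qradar.log text) on the QNI host; a crash_loop verdict is the point at which to collect the coredump for Support rather than wait for the next restart.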
    SEARCH IJ22582 CHANGING THE DISPLAY (GROUP BY) OF AN EXISTING SEARCH CAN RETURN INACCURATE RESULTS UNTIL 'UPDATE' BUTTON SELECTED OPEN Workaround: Click the Update button to see the correct search results after grouping by a specific category.

    Issue: After executing a Search using filters and a "Results Limit", if the "Display" field is changed to a "group by" ("Low Level Category" for example), some search results are not returned until the Update button is selected/clicked.
    06 February 2020
    API IJ22370 TRAFFICANALYSIS API IN QRADAR CAN GENERATE ERROR 'CODE: 500 MESSAGE: UNEXPECTED INTERNAL SERVER ERROR' CLOSED Resolved in QRadar 7.4.0 (7.4.0.20200304205308)

    Workaround: No workaround available.

    Issue: The QRadar TrafficAnalysis API can fail with an error similar to {"http_response": {"code": 500, "message": "Unexpected internal server error"}, "code": 1020, "description": "An error occurred during the attempt to update the Autodetection Config Record.", "details": {}, "message": "An error occured while trying to update the Autodetection Config Record with id: 513"}

    Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs:
    [tomcat.tomcat] [127.0.0.1(4690) /console/restapi/api/config/event_sources/log_source_management/autodetection/config_records/43] Caused by:
    [tomcat.tomcat] [127.0.0.1(4690) /console/restapi/api/config/event_sources/log_source_management/autodetection/config_records/43] java.lang.IllegalArgumentException: Parameter position 1 is not declared in query "select MIN(a.taOrder) from TrafficAnalysisConfigRecord a where a.taOrder > 10000 and 0 = (select COUNT(b) from TrafficAnalysisConfigRecord b where b.taOrder = a.taOrder + 1)". Declared parameter keys are "[]".
    [tomcat.tomcat] [127.0.0.1(4690) /console/restapi/api/config/event_sources/log_source_management/autodetection/config_records/43]    at org.apache.openjpa.persistence.AbstractQuery.getParameter(AbstractQuery.java)
    [tomcat.tomcat] [127.0.0.1(4690) /console/restapi/api/config/event_sources/log_source_management/autodetection/config_records/43]    at org.apache.openjpa.persistence.AbstractQuery.setParameter(AbstractQuery.java)
    [tomcat.tomcat] [127.0.0.1(4690) /console/restapi/api/config/event_sources/log_source_management/autodetection/config_records/43]    at org.apache.openjpa.persistence.AbstractQuery.setParameter(AbstractQuery.java)
    [tomcat.tomcat] [127.0.0.1(4690) /console/restapi/api/config/event_sources/log_source_management/autodetection/config_records/43]    at com.q1labs.frameworks.session.JPASessionDelegate.namedQueryForSingleResult(JPASessionDelegate.java)
    [tomcat.tomcat] [127.0.0.1(4690) /console/restapi/api/config/event_sources/log_source_management/autodetection/config_records/43]    at com.q1labs.core.dao.qidmap.TrafficAnalysisConfigRecord.getTAConfigRecordForTAConfigRecordPrecedence(TrafficAnalysisConfigRecord.java)
    [tomcat.tomcat] [127.0.0.1(4690) /console/restapi/api/config/event_sources/log_source_management/autodetection/config_records/43]    at com.ibm.si.data_ingestion.api.impl.trafficanalysis.validation.TrafficAnalysisConfigRecordValidator.validatePrecedence(TrafficAnalysisConfigRecordValidator.java)
    [tomcat.tomcat] [127.0.0.1(4690) /console/restapi/api/config/event_sources/log_source_management/autodetection/config_records/43]    at com.ibm.si.data_ingestion.api.v10_0.trafficanalysis.impl.TrafficAnalysisAPIImpl.updatePrecedence(TrafficAnalysisAPIImpl.java)
    [tomcat.tomcat] [127.0.0.1(4690) /console/restapi/api/config/event_sources/log_source_management/autodetection/config_records/43]    at com.ibm.si.data_ingestion.api.v10_0.trafficanalysis.impl.TrafficAnalysisAPIImpl.updateTAConfigRecordWithoutNotificationMask(TrafficAnalysisAPIImpl.java)
    [tomcat.tomcat] [127.0.0.1(4690) /console/restapi/api/config/event_sources/log_source_management/autodetection/config_records/43]    at com.ibm.si.data_ingestion.api.v10_0.trafficanalysis.impl.TrafficAnalysisAPIImpl.updateTAConfigRecord(TrafficAnalysisAPIImpl.java)
    [tomcat.tomcat] [127.0.0.1(4690) /console/restapi/api/config/event_sources/log_source_management/autodetection/config_records/43]    ... 68 more
    05 February 2020
    RULES / PERFORMANCE IJ22342 QRADAR USER INTERFACE RULES PAGE CAN TAKE LONGER THAN EXPECTED TO LOAD OPEN: Reported in QRadar 7.3.2 Patch 4 Workaround: No workaround available.

    Issue: The QRadar User Interface "Rules" page can take over 20 seconds to populate due to multiple inefficiencies in how the data needed for the Rules page is gathered/loaded.
    28 January 2020
    SEARCH IJ22156 'RUNTIME EXCEPTION PROCESSING REQUEST GET QUERY STATUS - QUERYSTATUSWAIT' DURING ARIEL SEARCHES IN QRADAR LOGGING OPEN: Reported in QRadar 7.3.2 Patch 4 Workaround: No workaround available. Instances of these specific NullPointerException errors generated during Ariel searches have been investigated and found to be benign.

    Issue: A 'Runtime exception processing request Get query status - QueryStatusWait' error can be generated while Ariel searches are running.

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:49444] com.q1labs.ariel.ConnectedClient: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Runtime exception processing request Get query status - QueryStatusWait [Id=e253ffee-2feb-4b96-89f5-825e4fa86ca3, waitMillis=0]: u=admin
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:49444] java.lang.NullPointerException
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:49444] at com.ibm.si.ariel.aql.metadata.CatalogDatabase.userHasAccess(MetadataFactory.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:49444] at com.ibm.si.ariel.aql.metadata.MetadataFactory.getCatalogByName(MetadataFactory.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:49444] at com.ibm.si.ariel.aql.metadata.MetadataFactory.createUserCatalog(MetadataFactory.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:49444] at com.q1labs.ariel.ql.parser.Parser.getMetadata(Parser.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:49444] at com.q1labs.ariel.ql.parser.Parser.getMetadata(Parser.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:49444] at com.q1labs.ariel.protocol.ClientData.initColumns(ClientData.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:49444] at com.q1labs.ariel.protocol.SearchAlias.clientData(SearchAlias.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:49444] at com.q1labs.ariel.searches.tasks.Result.resultForAlias(Result.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:49444] at com.q1labs.ariel.protocol.SearchAlias.result(SearchAlias.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:49444] at com.q1labs.ariel.searches.AccessManager.updateResult(AccessManager.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:49444] at com.q1labs.ariel.searches.AccessManager.findQueryResult(AccessManager.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:49444] at com.q1labs.ariel.ConnectedClient.findQueryResult(ConnectedClient.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:49444] at com.q1labs.ariel.ConnectedClient.findQueryResult(ConnectedClient.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:49444] at com.q1labs.ariel.ConnectedClient.processMessage(ConnectedClient.java:278)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:49444] at com.q1labs.ariel.ConnectedClient.run(ConnectedClient.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:49444] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:49444] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:49444] at java.lang.Thread.run(Thread.java)
    17 January 2020
    OPERATING SYSTEM IJ22145 NEWLY CREATED QRADAR OUT OF MEMORY JAVA HEAP DUMPS DO NOT OVERWRITE PREVIOUSLY EXISTING ONES IN /STORE/JHEAP OPEN: Reported in QRadar 7.3.1 Patch 3 and later Workaround: No workaround available.

    Issue: Newly created QRadar "out of memory" Java heap dumps do not overwrite older, existing heap dumps found in /store/jheap. This causes unneeded files to accumulate and consume space in /store/jheap on QRadar appliances.
    31 January 2020
    MANAGED HOSTS / ADD HOST IJ22140 ADD HOST CAN FAIL WITH PASSWORD DECODING ERROR OPEN: Reported in QRadar 7.3.3 initial release (GA) and later Workaround: Contact Support for a possible workaround that might address this issue in some instances.

    Issue: The QRadar Add Host process can fail due to a password decoding error that occurs during the Add Host process. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:

    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher] java.lang.IllegalArgumentException: Last unit does not have enough valid bits
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at java.util.Base64$Decoder.decode0(Base64.java)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at java.util.Base64$Decoder.decode(Base64.java)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at java.util.Base64$Decoder.decode(Base64.java)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.ibm.si.mks.KeyStoreCrypto.decrypt(KeyStoreCrypto.java)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.ibm.si.mks.Crypto.decrypt(Crypto.java)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.frameworks.crypto.CryptoUtils.decrypt(CryptoUtils.java)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.frameworks.core.FrameworksContext.decrypt(FrameworksContext.java)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.configservices.capabilities.AddHost.getPresenceCommand(AddHost.java)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.configservices.capabilities.AddHost.executePresence(AddHost.java)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.configservices.capabilities.AddHost.add(AddHost.java)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.configservices.capabilities.AddHost.addManagedHost(AddHost.java:324)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.hostcontext.core.executor.AddHostExecutor.addManagedHost(AddHostExecutor.java)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.hostcontext.core.executor.AddHostExecutor.invoke(AddHostExecutor.java)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.configservices.hostcontext.core.requests.BaseHostRequest.invoke(BaseHostRequest.java)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.configservices.hostcontext.core.HostContextServices.messageReceived(HostContextServices.java)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.frameworks.events.jms.JMSMessageEvent.dispatchEvent(JMSMessageEvent.java)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.frameworks.events.SequentialEventDispatcher$DispatchThread.run(SequentialEventDispatcher.java)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher] com.q1labs.configservices.capabilities.AddHost: [ERROR] [NOT:0000003000][x.x.x.x/- -] [-/- -]Unable to add managed host. The ip of the host is: xxx.xxx.xxx.xxx
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher] com.q1labs.configservices.hostcontext.core.HostContextServices: [ERROR] [NOT:0000003000][x.x.x.x/- -] [-/- -]Error retrieving message
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher] com.q1labs.configservices.hostcontext.exception.HostContextException: Could not get executor object com.q1labs.hostcontext.core.executor.AddHostExecutor
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.configservices.hostcontext.core.requests.BaseHostRequest.invoke(BaseHostRequest.java)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.configservices.hostcontext.core.HostContextServices.messageReceived(HostContextServices.java)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.frameworks.events.jms.JMSMessageEvent.dispatchEvent(JMSMessageEvent.java)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.frameworks.events.SequentialEventDispatcher$DispatchThread.run(SequentialEventDispatcher.java)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher] Caused by:
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher] com.q1labs.configservices.hostcontext.exception.HostContextException: Command exited with non-zero value (4): add_host
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.hostcontext.core.executor.AddHostExecutor.addManagedHost(AddHostExecutor.java)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.hostcontext.core.executor.AddHostExecutor.invoke(AddHostExecutor.java)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    at com.q1labs.configservices.hostcontext.core.requests.BaseHostRequest.invoke(BaseHostRequest.java)
    [hostcontext.hostcontext] [6b644ace-0cc4-4b2e-858b-7b2da2206a2a/SequentialEventDispatcher]    ... 3 more
    17 January 2020
    PROTOCOL INSPECTOR / QRADAR NETWORK INSIGHTS (QNI) IJ22087 SOME SMTP AND FTP FLOWS RECEIVED BY QRADAR NETWORK INSIGHTS (QNI) MISCLASSIFIED AS IRC TRAFFIC CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)
    QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)

    Workaround
    Contact Support for a possible workaround that might address this issue in some instances.

    Issue: Some SMTP and FTP flows received by QRadar Network Insights (QNI) are being misclassified as IRC traffic. The application "determination algorithm" for these flows displays as "QNI Inspectors".
    17 January 2020
    DEPLOY CHANGES IJ22083 'DEPLOY' BUTTON DOES NOT FUNCTION FROM THE 'ADMIN TAB > DATA SOURCES > EVENTS' WINDOW CLOSED Resolved in QRadar 7.4.1 (7.4.1.20200716115107)

    Workaround
    Navigate to another User Interface window that prompts for Deploy Changes, and perform the deploy from there.

    Issue
    When in the Admin > Data Sources > Events view, the Deploy changes button does not function.
    17 January 2020
    AQL IJ22082 'APPLICATION ERROR' WHEN RUNNING SOME LONG AQL QUERIES USING CHROME, FIREFOX, AND SAFARI WEB BROWSERS OPEN: Reported in QRadar 7.3.1 Patch 7 and later Workaround: Shorten the AQL to see if it completes when using Chrome, Firefox, Safari or attempt the query using Internet Explorer or Edge web browser.

    Issue: Some longer AQL queries that work in the Internet Explorer and Edge web browsers can fail in the Chrome, Firefox, and Safari web browsers with an 'Application Error' in the QRadar User Interface.
    31 January 2020
    SEARCH IJ22001 SEARCHES CAN CAUSE A RUNTIME EXCEPTION WITH A NULLPOINTEREXCEPTION GENERATED IN QRADAR LOGGING OPEN: Reported in QRadar 7.3.2 Patch 3 Workaround: No workaround available.

    Issue: In some instances, searches performed within QRadar can generate a NullPointerException in QRadar logging similar to:
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:35464] com.q1labs.ariel.ConnectedClient: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Runtime exception processing request Get query status - QueryStatusWait [Id=7b08480a-770f-4a0d-942f-f214e5f88660, waitMillis=0]: u=admin
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:35464] java.lang.NullPointerException
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:35464]    at com.ibm.si.ariel.aql.metadata.CatalogDatabase.userHasAccess(MetadataFactory.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:35464]    at com.ibm.si.ariel.aql.metadata.MetadataFactory.createUserCatalog(MetadataFactory.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:35464]    at com.ibm.si.ariel.aql.metadata.MetadataFactory.getCatalogByName(MetadataFactory.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:35464]    at com.q1labs.ariel.ql.parser.Parser.getMetadata(Parser.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:35464]    at com.q1labs.ariel.ql.parser.Parser.getMetadata(Parser.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:35464]    at com.q1labs.ariel.protocol.ClientData.initColumns(ClientData.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:35464]    at com.q1labs.ariel.protocol.SearchAlias.clientData(SearchAlias.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:35464]    at com.q1labs.ariel.searches.tasks.Result.resultForAlias(Result.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:35464]    at com.q1labs.ariel.protocol.SearchAlias.result(SearchAlias.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:35464]    at com.q1labs.ariel.searches.AccessManager.updateResult(AccessManager.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:35464]    at com.q1labs.ariel.searches.AccessManager.findQueryResult(AccessManager.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:35464]    at com.q1labs.ariel.ConnectedClient.findQueryResult(ConnectedClient.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:35464]    at com.q1labs.ariel.ConnectedClient.findQueryResult(ConnectedClient.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:35464]    at com.q1labs.ariel.ConnectedClient.processMessage(ConnectedClient.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:35464]    at com.q1labs.ariel.ConnectedClient.run(ConnectedClient.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:35464]    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:35464]    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:35464]    at java.lang.Thread.run(Thread.java)
    31 January 2020
    FLOWS IJ21982 FLOWS CAN CONTAIN INCORRECT VALUES FOR PACKET TIMES, IP ADDRESSES, PROTOCOLS, SIZE, SOURCE OR DESTINATION PORT CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)
    QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)
    QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249)

    Workaround
    Restarting the qflow process on the affected QRadar Console, Flow Processor or Flow Collector rectifies this behavior temporarily, but the behavior can recur:
    systemctl restart qflow
    Note: Restarting the qflow service interrupts flow collection.

    Issue: Flows can show an incorrect first packet time, or unusual IP addresses, protocol values and byte counts. The source bytes or destination bytes display as either 4G in size or 0, and the source and destination ports display as 0.

    This behavior has predominantly been observed in flows received from QRadar Network Insights appliances.
    14 January 2020
    GEOGRAPHIC DATA IJ21884 GEODATA UPDATES NO LONGER OCCURRING WITH '401 UNAUTHORIZED AT /OPT/QRADAR/BIN/GEOIPUPDATE-PUREPERL.PL' IN QRADAR LOGGING OPEN: Reported in QRadar 7.3.2 Patch 3 Workaround: Sign up for a MaxMind account and configure the QRadar system settings. For more information, see: Configuring a MaxMind account for geographic data updates (APAR IJ21884)

    Issue: QRadar geographic updates for GeoLite2-City.mmdb can fail to be obtained and installed from maxmind.com due to a login failure with the default userid and license key used within QRadar.

    To verify if this issue occurs, on the QRadar Console command line, run the geodata update command:
    /opt/qradar/bin/geodata_update.sh

    Messages similar to the following are displayed:
    401 Unauthorized at /opt/qradar/bin/geoipupdate-pureperl.pl line 222, <$fh> line 37
    06 January 2020
    SEARCH IJ21739 'PAYLOAD CONTAINS' AQL FILTER FROM A BASIC SEARCH CAN GENERATE AN ILLEGAL ARGUMENT EXCEPTION AND INCORRECT RESULTS OPEN: Reported in QRadar 7.3.2 Patch 2 Workaround: Enable store payload in the Log Sources.

    Issue: Using the 'Payload Contains' AQL filter generated from a basic search produces an IllegalArgumentException and returns incorrect results when compared with the results of the basic search. For example:
    1. Create a basic search
    2. Add the filter "Payload Contains" Admin
    3. Add the payload column
    4. Save the search and run it
    5. Notice the expected output of the payload column
    6. Convert the search to AQL from Log Activity > Edit Search > Show AQL
    7. Use the SHOW AQL and leverage the output in a new search:
      select "payload" as 'Payload',QIDNAME(qid) as 'Event Name',logsourcename(logSourceId) as 'Log Source',"eventCount" as 'Event Count',"startTime" as 'Start Time',categoryname(category) as 'Low Level Category',"sourceIP" as 'Source IP',"sourcePort" as 'Source Port',"destinationIP" as 'Destination IP',"destinationPort" as 'Destination Port',"userName" as 'Username',"magnitude" as 'Magnitude' from events where icu4jsearch('Admin', payload) != -1 order by "startTime" desc LIMIT 1000 last 5 minutes
    8. Run the AQL search.

      Results
      An illegal argument exception is generated and the payload is incorrect.

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:

    com.q1labs.frameworks.nio.exceptions.ExtendedRuntimeException: Error calling function com.q1labs.ariel.ql.parser.ICU4jSearch([B@e6bc0507): java.lang.IllegalArgumentException
    at com.q1labs.frameworks.util.Utils.icu4jSearch(Utils.java)
    at com.q1labs.frameworks.util.Utils.icu4jSearch(Utils.java)
    at com.q1labs.ariel.ql.parser.ICU4jSearch.calculate(Functions.java)
    at com.q1labs.ariel.ql.parser.ICU4jSearch.calculate(Functions.java)
    31 December 2019
    OFFENSES IJ21725 QRADAR USER INTERFACE INTERRUPTION CAN OCCUR WHEN PERFORMING SEARCHES ON THE OFFENSE TAB BY 'DESTINATION IP' OPEN: Reported in QRadar 7.3.2 Patch 4 Workaround: Contact Support for a possible workaround that might address this issue in some instances.

    Issue: The QRadar User Interface can experience an interruption caused by a tomcat TxSentry occurrence after performing searches by 'Destination IP' on the Offense tab.

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [hostcontext.hostcontext]
    [78695a45-e04b-4ee0-8189-4a2b7eeb1490/SequentialEventDispatcher]
    com.q1labs.hostcontext.tx.TxSentry: [WARN]
    [NOT:0000004000][xx.xx.xx.xx/- -] [-/- -]  TX on host
    xx,xx,xx,xx: pid=25311 age=928 IP=127.0.0.1 port=48623 locks=31
    query='SELECT op.id FROM offense_properties op JOIN
    offense_target_link otl ON otl.offense_id=op.id JOIN
    target_view t ON t.id=otl.target_id JOIN offense o ON
    op.id=o.id WHERE (INET(ip2address(network)) <<=
    INET('xx.xx.xx.xx/32')) OR (INET(ip2address(network)) <<=
    INET('x..x.xx.xx/27')) OR (INET(ip2address(network)) <<=
    INET('xx.xx.xx.xx/32')) OR (INET(ip2address(network)) <<=
    INET('xx.xx.xx.xx/32')) OR (INET(ip2address(network)) <<=
    INET('xx.xx.xx.xx/27')) OR (INET(ip2address(network)) <<=
    INET('xx.xx.xxxx/32')) OR (INET(ip2address(network)) <<=
    INET('xx.xx.xx.xx/32')) OR (INET(ip2address(network)) <<=
    INET('xx.xx.xx.xx/32')) OR (INET(ip2address(network)) <<=
    INET('xx.xx.xx.xx/32')) OR (INET(ip2address(network)) <<=
    INET('xx.xx.xx.xx/32')) OR (INET(ip2address(network)) <<=
    INET('xx.xx.xx.xx/27')) OR (INET(ip2address(network)) <<=
    INET('xx.xx.xx.xx/32')) OR (INET(ip2address(network)) <<=
    INET('xx.xx.xx.xx/32')) OR (INET(ip2address(network)) <<=
    INET('xx.xx.xx.xx/27')) OR (INET(ip2address'
    [hostcontext.hostcontext]
    [78695a45-e04b-4ee0-8189-4a2b7eeb1490/SequentialEventDispatcher]
    com.q1labs.hostcontext.tx.TxSentry: [WARN]
    [NOT:0000004000][xx.xx.xx.xx/- -] [-/- -]  Lock acquired on
    host xx.xx.xx.xx: rel=domains_pkey age=928 granted=t
    mode=AccessShareLock query='SELECT op.id FROM
    offense_properties op JOIN offen'
    [hostcontext.hostcontext]
    [78695a45-e04b-4ee0-8189-4a2b7eeb1490/SequentialEventDispatcher]
    com.q1labs.hostcontext.tx.TxSentry: [WARN]
    02 January 2020
    RULES IJ21724 'WHEN THE SOURCE IP IS PART OF ANY OF THE FOLLOWING REMOTE NETWORKS / SERVICES' CAN WORK INCORRECTLY WITH DOMAINS OPEN: Reported in QRadar 7.3.2 Patch 4 Workaround: No workaround available.

    Issue: The following issue manifests when an event originates from any domain other than the default domain.
    Rule condition (used in a Building Block):
    'When the source IP is part of any of the following remote networks / remote services' matches events that should be excluded.
    When this Building Block is used in a rule with other conditions:

    The IP in question is added to the remote network as a /32 CIDR, and the condition matches the event that should be excluded based on the source IP. However, when the destination IP is that same address (source IP and destination IP are the same), the events are matched regardless.
    19 December 2019
    AQL CUSTOM PROPERTIES IJ21723 AQL PROPERTY WITH FUNCTION CONTAINING MULTIPLE ARGUMENTS CANNOT BE USED AS AN AGGREGATED PROPERTY IN THRESHOLD RULE CREATION OPEN: Reported in QRadar 7.3.2 Patch 2 Workaround: No workaround available.

    Issue: An AQL property that has a function with multiple arguments cannot be selected as an aggregated property in a Threshold Rule in the Rule Wizard page.

    For example, the following AQL is stored as a saved search and a threshold monitoring rule is created on it.
    SELECT sourceip, SUM(LONG("eventcount") + LONG("sourceport"))
    AS total FROM events GROUP BY sourceip LAST 5 MINUTES

    When the aggregation has two components that are summarized in one value (as above), the Rule Wizard is unable to select it and fails to save the rule configuration. The rule can be saved and works successfully when there is only a single aggregated parameter, such as SUM(LONG("eventcount")).
    02 January 2020
    LOG SOURCES IJ21722 AUTO DISCOVERED LOG SOURCES ARE NOT AUTO DISCOVERED AGAIN IF DELETED USING THE LOG SOURCE MANAGEMENT APP CLOSED Resolved in:
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Fix Pack 2 (7.3.3.20200208135728)
    QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249)

    Workaround
    1. Use the legacy Log Source User Interface (UI) to delete log source(s).
      OR
    2. If the auto discovered log source has already been deleted using Log Source Management App, a tomcat restart is required to clear cached data:
      Admin tab > select Advanced > Restart Web Server

    Note: The QRadar UI only becomes available again after all required processes are running as expected following a "Restart Web Server".

    Issue
    Using the Log Source Management App to delete a Log Source causes it to not be auto discovered again.
    19 December 2019
    SYSTEM NOTIFICATIONS IJ21721 REPEATED SYSTEM NOTIFICATION MESSAGES FROM MANAGED HOST(S) INDICATING SYNCHRONIZATION TO CONSOLE 'TLSDATE TIMED OUT' OPEN: Reported in multiple QRadar versions Workaround: Contact Support for a possible workaround that might address this issue in some instances.

    Repeated System Notifications can be generated from Managed Hosts regarding time synchronization to the QRadar console. time_sync.sh reports 'tlsdate timed out' when httpd does not respond within 5 seconds.

    This issue can generate a large number of events if communication to the QRadar console is unavailable for a period of time.

    Notification is similar to:
    [hostcontext.hostcontext]: [ERROR] [NOT:0150003100] Time Synchronization to Console has failed - tlsdate timed out
    19 December 2019
    APP HOST IJ21720 QRADAR APP HOST CANNOT BE REMOVED FROM THE DEPLOYMENT IF ALL APPS HAVE BEEN UNINSTALLED CLOSED Closed as permanent restriction. Administrators can install at least one app and migrate it to the console, so the App Host appliance can be removed. Workaround
    1. Install a QRadar App.
    2. Migrate the App to the Console.
    3. Perform App Host removal.
    4. Remove the QRadar App now installed on Console, if not needed.

    Issue
    A QRadar App Host cannot be removed from the Deployment if all Apps have been uninstalled. The option Admin > System and License Management > highlight app host > Deployment Actions > 'Remove Host' is grayed out.
    29 July 2020
    RULES / QRADAR ON CLOUD IJ21717 QRADAR ON CLOUD USERS ARE UNABLE TO DELETE ANOMALY DETECTION ENGINE RULES OPEN: Reported in QRadar 7.3.1 and later Workaround: Contact Support and request them to delete the appropriate ADE rule.

    QRadar on Cloud users with the appropriate rights assigned are not able to delete Anomaly Detection Engine (ADE) rules. Users are able to delete other rule types, but no pop-up window is displayed when attempting to delete an ADE rule.
    02 January 2020
    TOPOLOGY / QRADAR RISK MANAGER (QRM) IJ21704 SUBNETS CAN INTERMITTENTLY APPEAR AND DISAPPEAR ON THE QRADAR RISK MANAGER TOPOLOGY SCREEN CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)
    QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)
    QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249)

    Workaround
    Contact Support for a possible workaround that might address this issue if you are unable to upgrade to resolve this issue through a fix pack update.

    Issue
    Subnets can appear and disappear intermittently on the QRadar Risk Manager Topology screen.
    19 December 2019
    HIGH AVAILABILITY (HA) IJ21703 ADDED OR EDITED NTP SERVER SETTINGS ARE NOT IMPLEMENTED ON HIGH AVAILABILITY (HA) STANDBY APPLIANCE CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)

    Workaround
    Restart the chrony service manually from the command line over SSH on the affected HA standby appliances:
    systemctl restart chronyd


    Issue
    After adding or updating an NTP server in QRadar for a High Availability (HA) appliance (using the steps in System and License Management on the Active HA appliance), the chrony service on the High Availability Standby appliance needs to be restarted for the chrony configuration change to take effect.
    26 November 2020
    DATA OBFUSCATION IJ21702 UNABLE TO ADD NEW DATA OBFUSCATION EXPRESSION TO AN EXISTING DATA OBFUSCATION PROFILE OPEN: Reported in QRadar 7.3.2 Patch 4 Workaround:
    1. Open the Obfuscation Management Administration page.
    2. Unlock.
    3. Click add.
    4. In Firefox, press F12 and open the Inspector; in Chrome, open the Elements panel.
    5. With the element selector, find the required field that is blank and fill in the proper value in the HTML (e.g. manually add -1 for {Any}).
    6. Click send.

      Results
      The new obfuscation expression should be added.

    Issue:
    Users might be unable to add a new Data Obfuscation expression to an existing obfuscation profile in QRadar environments with a very large number of Log Sources. The error message generated in the QRadar User Interface is similar to: java.lang.NumberFormatException: empty String
    Example of steps that lead to this issue:
    1. Admin > Data Obfuscation
    2. Unlock the Data Obfuscation profile
    3. Click Add to add a new expression
    4. Select regex.
      Note that the Log Source type does not fully load and Log Source field is empty.
    5. Fill out all required settings, click Save.
    6. Error message is generated: java.lang.NumberFormatException: empty String
    02 January 2020
    LOG ACTIVITY / NETWORK ACTIVITY IJ21700 REGEX ' + ' (PLUS) SYMBOL TO MATCH ONE OR MORE OF ANYTHING IS HIDDEN AFTER FILTER IS APPLIED OPEN: Reported in QRadar 7.3.2 Workaround: No workaround available.

    Issue: The regex expression \w+ is being displayed in 'add filter' as \w and not \w+. For example:
    1. Click the Log Activity tab.
    2. Click Add filter.
    3. Select "Process File URL (custom)" with the operator "Matches any of expressions" and the value \w+\.exe

      Result
      Displayed in the filter area of the user interface is \w \.exe rather than the expected \w+\.exe.

      NOTE: This only occurs on the QRadar Log/Network Activity User Interface windows. The filter is applied correctly otherwise. On the DSM Editor screen, the plus sign is displayed correctly.
    19 December 2019
    SECURITY BULLETIN CVE-2018-0734 OpenSSL as used in IBM QRadar SIEM is vulnerable to a timing side channel attack CLOSED Resolved in:
    QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)
    QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

    The OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack. An attacker could use variations in the signing algorithm to recover the private key. Fixed in OpenSSL 1.1.1a (Affected 1.1.1). Fixed in OpenSSL 1.1.0j (Affected 1.1.0-1.1.0i). Fixed in OpenSSL 1.0.2q (Affected 1.0.2-1.0.2p).
    09 January 2020
    SECURITY BULLETIN CVE-2019-1559 OpenSSL as used by IBM QRadar SIEM is Missing a Required Cryptographic Step CLOSED Resolved in:
    QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)
    QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

    If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable "non-stitched" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).
    09 January 2020
    SECURITY BULLETIN CVE-2019-4508 IBM QRadar SIEM uses weak credential storage in some instances CLOSED Resolved in:
    QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)
    QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

    09 January 2020
    SECURITY BULLETIN CVE-2019-2816
    CVE-2019-2762
    CVE-2019-2769
    Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM QRadar SIEM CLOSED Resolved in:
    QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)
    QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

    09 January 2020
    SECURITY BULLETIN CVE-2019-4559 IBM QRadar SIEM is vulnerable to information disclosure CLOSED Resolved in:
    QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)
    QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

    09 January 2020
    SECURITY BULLETIN CVE-2018-15473 OpenSSH as used by IBM QRadar SIEM is vulnerable to information exposure CLOSED Resolved in:
    QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)
    QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

    09 January 2020
    USERS IJ20771 UNABLE TO REASSIGN CUSTOM EVENT PROPERTY TO ANOTHER USER WHEN DELETING A USER CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
    QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722)

    Workaround
    No workaround available. If the user must be deleted, delete the Custom Event Property rather than reassigning it.

    Issue
    It has been identified that when deleting a user (admin or non-admin) who owns a Custom Event Property, that Custom Event Property cannot be reassigned to another user. The page hangs at the dependency reassignment step and the Custom Event Property is not reassigned.
    16 November 2020
    SYSLOG REDIRECT IJ03249 AUTODISCOVERED LOG SOURCES CREATED BY SYSLOG REDIRECT CAN HAVE INCORRECT LOG SOURCE IDENTIFIERS Closed as program error. It has been identified that autodiscovered Log Sources created using the Syslog Redirect Protocol can have incorrect Log Source Identifiers listed, due to a regex issue within the Protocol. The issue is resolved with the following version of the Syslog Redirect RPM: 13 November 2019
    UPGRADE IJ00366 APPLYING A QRADAR .SFS PATCH CAN FAIL WHEN WGET HAS A PROXY SERVER CONFIGURED OPEN: Reported in QRadar 7.3.2 Patch 4 Workaround: Via an SSH session to the QRadar console, temporarily disable the wget proxy settings in /etc/wgetrc

    It has been identified that the check_undeployed script used within the QRadar patch framework can fail when there is a proxy server configured for wget to use. The check_undeployed script attempts to use that proxy to reach localhost and fails.

    Messages similar to the following might be visible in the /var/log/setup-7.x.x.../patches.log when this issue occurs:
    Verifying if there are any un-deployed changes...
    ERROR: Could not determine undeployed changes, response was invalid.
    --2018-03-28 12:11:34--  https://127.0.0.1/console/services/configservices?method=hasUndeployedChanges
    Connecting to {proxyIP:port}... connected.
    Proxy tunneling failed: Service Unavailable
    Unable to establish SSL connection.
    An error was encountered attempting to process patches.
    Please contact customer support for further assistance.
    29 March 2018
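Two ways to apply the IJ00366 workaround to the text of /etc/wgetrc, as an added example that is not part of IBM's patch framework or this APAR: commenting out every proxy directive (what the workaround describes; restore the file after patching), and the narrower alternative of leaving the proxy on but exempting the console's own address. The sample wgetrc content is constructed. Assumptions: the proxy is set through the wgetrc keys use_proxy, http_proxy, https_proxy and ftp_proxy rather than through environment variables (which wget also honours), and that the check_undeployed script does not override no_proxy on its wget command line.

```python
"""Added example (not IBM code): disable or scope the wget proxy in /etc/wgetrc
so the patch framework's localhost check is not sent through the proxy."""
import re

PROXY_KEYS = re.compile(r"^\s*(use_proxy|https?_proxy|ftp_proxy)\s*=", re.IGNORECASE)

# Constructed sample of a wgetrc with a proxy configured
SAMPLE_WGETRC = """# constructed sample
use_proxy = on
https_proxy = http://proxy.example.internal:3128/
http_proxy = http://proxy.example.internal:3128/
timeout = 30
"""


def disable_proxy(wgetrc: str) -> str:
    """The APAR workaround: comment out every proxy directive (restore afterwards)."""
    return "\n".join(("#" + line if PROXY_KEYS.match(line) else line)
                     for line in wgetrc.splitlines()) + "\n"


def exempt_localhost(wgetrc: str) -> str:
    """Narrower alternative: keep the proxy, exempt 127.0.0.1 and localhost via no_proxy."""
    lines = wgetrc.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^\s*no_proxy\s*=\s*(.*)$", line, re.IGNORECASE)
        if m:
            hosts = {h.strip() for h in m.group(1).split(",") if h.strip()}
            hosts.update({"127.0.0.1", "localhost"})
            lines[i] = "no_proxy = " + ",".join(sorted(hosts))
            return "\n".join(lines) + "\n"
    lines.append("no_proxy = 127.0.0.1,localhost")
    return "\n".join(lines) + "\n"


def proxy_active(wgetrc: str) -> bool:
    """True if any uncommented proxy directive remains."""
    return any(PROXY_KEYS.match(line) for line in wgetrc.splitlines())
```

Usage: read /etc/wgetrc, keep a copy, write the output of one of the two functions back, run the patch, and restore the copy. Verify before patching with `wget --no-verbose -O /dev/null https://127.0.0.1/console/` from the console: it should no longer print "Connecting to {proxyIP:port}".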
    UPGRADE / SCANNER IJ10746 QRADAR UPGRADE CAN HANG IF IT'S UNABLE TO REACH A CONFIGURED SCANNER OVER THE INTERNET CLOSED Closed as Permanent restriction. Contact Support for a possible workaround that might address this issue in some instances.

    It has been identified that a QRadar upgrade can hang at the message 'System upgrade is in progress - DO NOT REBOOT or shutdown now!' if the upgrade process cannot reach a scanner that is configured over the internet. QRadar attempts to retrieve a certificate from the scanner during the upgrade; if outbound internet connectivity is not allowed, the upgrade cannot reach the external scanner and does not complete.
    09 December 2019
    API / OFFENSES IJ05914 OFFENSE API DOES NOT RETURN EXPECTED OFFENSES WHEN USING "ID" AND "INACTIVE" FIELD IF OFFENSE ACTIVE_CODE IS 'DORMANT' CLOSED Resolved in:
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)
    QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

    Workaround
    1. Do not use the inactive attribute
    2. Use the status attribute to filter closed or non-closed offenses.
    Issue
    It has been identified that the Offense API does not return all expected offenses when the "id" and "inactive" fields are used and the offense's active_code is set to "dormant" in the database. To illustrate the reported issue, users can compare API results to the QRadar database:
    qradar=# select count(*) from offense;
    count
    -------
      1515
    (1 row)
    
    qradar=# select count(*) from offense where active_code=1;
    count
    -------
         0
    (1 row)
    
    qradar=# select count(*) from offense where active_code=2;
    count
    -------
       148
    (1 row)
    
    qradar=# select count(*) from offense where active_code=3;
    count
    -------
      1367
    (1 row)


    API results display:
    • status = open returns 149
    • status = closed returns 1366
    • status="OPEN" and inactive=true returns 1
    • status="OPEN" and inactive=false returns 0

    Using inactive = false gives incorrect results. The active code value in the User Interface can be:
    • 1 (active /status open)
    • 2 (dormant, status open but inactive)
    • 3 (inactive / status closed).
    In the API you have status = OPEN, CLOSED, HIDDEN etc. and inactive = true / false
    09 December 2019
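The entry above maps the database active_code to the two API attributes and then recommends filtering on status alone. The following added example (not IBM code) encodes that mapping, builds a status-only filter string for GET /api/siem/offenses as the workaround describes, and reconciles psql counts against what the API returns so the dormant-offense gap shows up as a number. The sample distribution is constructed to match the psql output quoted above; the assumption is that active_code takes only the three values the entry lists.

```python
"""Added example (not IBM code): active_code -> API attributes, a status-only
offense filter, and a DB-vs-API reconciliation for the IJ05914 symptom."""
from urllib.parse import urlencode

# active_code as described in the APAR: 1 active, 2 dormant, 3 inactive/closed
STATUS_BY_CODE = {1: "OPEN", 2: "OPEN", 3: "CLOSED"}
INACTIVE_BY_CODE = {1: False, 2: True, 3: True}

# Constructed sample matching the psql output above: 0 active, 148 dormant, 1367 closed
SAMPLE_CODES = [2] * 148 + [3] * 1367

# The counts the APAR reports the API returned for that database
API_RESULTS = {("OPEN", None): 149, ("CLOSED", None): 1366,
               ("OPEN", True): 1, ("OPEN", False): 0}


def offense_filter(status: str) -> str:
    """Query string for GET /api/siem/offenses filtering by status only (the workaround)."""
    if status not in ("OPEN", "CLOSED", "HIDDEN"):
        raise ValueError(f"unsupported status {status!r}")
    return urlencode({"filter": f'status="{status}"'})


def expected(active_codes, status: str, inactive=None) -> int:
    """Number of offenses a correct API query should return for these filter values."""
    return sum(1 for c in active_codes
               if STATUS_BY_CODE[c] == status
               and (inactive is None or INACTIVE_BY_CODE[c] == inactive))


def reconcile(active_codes, api_results: dict) -> dict:
    """Compare API counts keyed by (status, inactive) with what the DB implies.
    Returns only the mismatching keys as (expected, actual)."""
    mismatches = {}
    for (status, inactive), actual in api_results.items():
        exp = expected(active_codes, status, inactive)
        if exp != actual:
            mismatches[(status, inactive)] = (exp, actual)
    return mismatches
```

Run against the quoted numbers, reconcile() flags the inactive=true query (148 dormant offenses expected, 1 returned) while the status-only queries are off by at most one, which is the behaviour the workaround relies on.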
    SYSTEM NOTIFICATIONS IJ20362 'SAR SENTINEL: THRESHOLD CROSSED FOR DRBD0' SYSTEM NOTIFICATIONS CLOSED Resolved in:
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)
    QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

    It has been identified that QRadar can report "SAR Sentinel: Threshold crossed for drbd0" system notifications for managed hosts in a High Availability (HA) pair.

    Investigation has determined that these messages can be excessively and erroneously generated due to a change made within the fix for APAR IJ06526.
    09 December 2019
    SEARCH / SERVICES IJ21718 ARIEL SEARCHES FAIL AND EVENTS ARE NOT PROCESSED/WRITTEN TO DISK WHEN A CONCURRENT MODIFICATION EXCEPTION OCCURS CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Patch 2 (7.3.3.20200208135728)
    QRadar 7.3.3 Patch 1 Interim Fix 01 (7.3.3.20191220154048)
    QRadar 7.3.2 Patch 5 Interim Fix 01 (7.3.2.20191220232616)

    Workaround
    A flash notice has been issued for APAR IJ21718. For more information, see: QRadar: Custom property concurrency can cause search and ariel data loss (APAR IJ21718). Administrators can complete a Deploy Full Configuration to ensure a service restart until an interim fix is available on IBM Fix Central.

    Issue
    An uncaught ConcurrentModificationException can occur within the QRadar Ariel Writer thread. When this occurs, events received into QRadar fail to be processed and written to disk, and failure exceptions occur during ariel/event searches within QRadar.

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [ecs-ep.ecs-ep] [Ariel Writer#events] com.q1labs.frameworks.core.ThreadExceptionHandler: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Exception was uncaught in thread: Ariel Writer#events
    [ecs-ep.ecs-ep] [Ariel Writer#events] java.util.ConcurrentModificationException
    [ecs-ep.ecs-ep] [Ariel Writer#events] at gnu.trove.TPrimitiveIterator.nextIndex(TPrimitiveIterator.java)
    [ecs-ep.ecs-ep] [Ariel Writer#events] at gnu.trove.TIterator.hasNext(TIterator.java)
    [ecs-ep.ecs-ep] [Ariel Writer#events] at com.q1labs.core.types.networkevent.mapping.NetworkEventMappingUtils.writeCustomProperties(NetworkEventMappingUtils.java)
    [ecs-ep.ecs-ep] [Ariel Writer#events] at com.q1labs.core.types.event.mapping.NormalizedEventMappingV2.putCustomProperties(NormalizedEventMappingV2.java)
    [ecs-ep.ecs-ep] [Ariel Writer#events] at com.q1labs.core.types.event.mapping.NormalizedEventMappingV2.putEvent(NormalizedEventMappingV2.java)
    [ecs-ep.ecs-ep] [Ariel Writer#events] at com.q1labs.core.types.event.mapping.NormalizedEventMappings$ExludeCachedResults.putData(NormalizedEventMappings.java)
    [ecs-ep.ecs-ep] [Ariel Writer#events] at com.q1labs.core.types.event.mapping.NormalizedEventMappingV2.put(NormalizedEventMappingV2.java)
    [ecs-ep.ecs-ep] [Ariel Writer#events] at com.q1labs.core.types.event.mapping.NormalizedEventMappingV2.put(NormalizedEventMappingV2.java)
    [ecs-ep.ecs-ep] [Ariel Writer#events] at com.q1labs.ariel.io.NIOFileWriter.write(NIOFileWriter.java:110)
    [ecs-ep.ecs-ep] [Ariel Writer#events] at com.q1labs.ariel.io.SimpleWriter.writeRecord(SimpleWriter.java)
    [ecs-ep.ecs-ep] [Ariel Writer#events] at com.q1labs.ariel.io.BucketWriter.writeRecord(BucketWriter.java)
    [ecs-ep.ecs-ep] [Ariel Writer#events] at com.q1labs.ariel.io.AbstractDatabaseWriter.put(AbstractDatabaseWriter.java)
    [ecs-ep.ecs-ep] [Ariel Writer#events] at com.q1labs.ariel.DatabaseWriterAsync.processRecord(DatabaseWriterAsync.java)
    [ecs-ep.ecs-ep] [Ariel Writer#events] at com.q1labs.ariel.ScatteringDatabaseWriter.access$401(ScatteringDatabaseWriter.java)
    [ecs-ep.ecs-ep] [Ariel Writer#events] at com.q1labs.ariel.ScatteringDatabaseWriter$Node.writeRecord(ScatteringDatabaseWriter.java)
    [ecs-ep.ecs-ep] [Ariel Writer#events] at com.q1labs.ariel.ScatteringDatabaseWriter$Node.processRecord(ScatteringDatabaseWriter.java)
    [ecs-ep.ecs-ep] [Ariel Writer#events] at com.q1labs.ariel.ScatteringDatabaseWriter$Node.access$1100(ScatteringDatabaseWriter.java)
    [ecs-ep.ecs-ep] [Ariel Writer#events] at com.q1labs.ariel.ScatteringDatabaseWriter$DataNodes.processRecord(ScatteringDatabaseWriter.java)
    [ecs-ep.ecs-ep] [Ariel Writer#events] at com.q1labs.ariel.ScatteringDatabaseWriter.processRecord(ScatteringDatabaseWriter.java)
    [ecs-ep.ecs-ep] [Ariel Writer#events] at com.q1labs.ariel.DatabaseWriterAsync.run(DatabaseWriterAsync.java)
    [ecs-ep.ecs-ep] [Ariel Writer#events] java.lang.Thread.run(Thread.java)
    19 December 2019
    APPLICATION SIGNATURES / QRADAR NETWORK INSIGHTS IJ20455 FALSE POSITIVE MATCHES FOR SIGNATURES CAN OCCUR AS QRADAR NETWORK INSIGHTS (QNI) CAN SKIP SRC/DST PORT SPECIFIERS IN SIGNATURES.XML CLOSED Resolved in:
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)
    QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

    It has been identified that the QRadar Network Insights processing of signatures.xml skips srcPort / dstPort specifiers. This can cause false positive matches for some signatures.
    09 December 2019
    ASSETS / UPGRADE IJ20458 QRADAR PATCH AND OR REPLICATION PROCESS CAN FAIL WHEN MULTIPLE DUPLICATED ASSET.ASSETVIEW DATA EXISTS CLOSED Resolved in:
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)
    QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

    It has been identified that a QRadar patch and/or replication process can fail when the console holds more than one duplicate asset.assetview database entry with the same (domain_id, network_addr, ipv6) values.
    09 December 2019
    VULNERABILITY SCANS IJ21607 VULNERABILITY MANAGER (QVM) SCANS CAN STAY AT 100% AND NEVER COMPLETE CLOSED Resolved in:
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)
    QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

    Vulnerability Manager scans can stay in the running state at 100% and never go to a Stopped state. Due to a timing issue, two threads try to determine if they are the last tool to run within a job and the jobtracking endtime never gets set, and the scan never finishes.
    When this occurs, the vulnerability data does not get sent to the asset DB, vulnerability counts remain at zero on screen, and the scan duration keeps increasing even though the scan has finished.
    19 December 2019
    WINCOLLECT IV99859 WINCOLLECT AGENTS ARE DOWNGRADED TO VERSION 7.2.3 AFTER A CONFIGURATION RESTORE ON THE QRADAR CONSOLE CLOSED Resolved in:
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Fix Pack 1 (7.3.3.20191203144110)
    QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249)

    Issue
    It has been identified that WinCollect agents that have been upgraded above version 7.2.3 are downgraded to version 7.2.3 after performing a Configuration Restore of QRadar 7.2.8.

    This is caused by the older WinCollect 7.2.3 agent core files being installed when the Config Restore is performed.
    09 December 2019
    SYSTEM NOTIFICATIONS / LICENSE IJ07448 'THE APPLIANCE EXCEEDED THE EPS OR FPM ALLOCATION WITHIN THE LAST HOUR' MESSAGES CAN BE CAUSED BY HEALTH METRICS EVENTS CLOSED Resolved in:
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)

    Issue
    It has been identified that System Notifications similar to 'The appliance exceeded the EPS or FPM allocation within the last hour' can sometimes be caused by Health Metrics events generated and processed by QRadar. System Notifications triggered by the increased number of Health Metric events in QRadar 7.3.1 are false positives: QRadar does not correctly calculate the license giveback for Health Metric events when evaluating the EPS/FPM license warning System Notifications.
    09 December 2019
    BACKUP / RESTORE IJ14189 DATA BACKUPS CAN FAIL (TIME OUT) WHEN A BACKEND "PS" COMMAND HANGS CLOSED Resolved in QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)

    It has been identified that data backups can fail when a backend ps command hangs.

    QRadar system notifications similar to "Backup: last backup exceeded execution threshold error." and messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:

    [hostcontext.hostcontext] [Backup] com.q1labs.hostcontext.backup.core.BackupUtils: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Cannot execute 'ps -e -o pid -o ppid -o cmd'
    [hostcontext.hostcontext] [Backup] java.lang.InterruptedException
    [hostcontext.hostcontext] [Backup] at java.lang.Object.wait(Native Method)
    [hostcontext.hostcontext] [Backup] at java.lang.Object.wait(Object.java)
    [hostcontext.hostcontext] [Backup] at java.lang.UNIXProcess.waitFor(UNIXProcess.java)
    [hostcontext.hostcontext] [Backup] at com.q1labs.hostcontext.backup.core.BackupUtils.getPsProcesses(BackupUtils.java)
    [hostcontext.hostcontext] [Backup] at com.q1labs.hostcontext.backup.BackupRecoveryEngine.cleanup(BackupRecoveryEngine.java)
    [hostcontext.hostcontext] [Backup] at com.q1labs.hostcontext.backup.BackupRecoveryEngine$BackupThread.run(BackupRecoveryEngine.java)
    [hostcontext.hostcontext] [Backup] com.q1labs.hostcontext.backup.BackupRecoveryEngine: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Cancel process '/bin/bash /opt/qradar/bin/run_command.sh /opt/qradar/bin/determine_partition.sh /store/backup/store/tmp/backup/determine_partition' if exists
    09 December 2019
    BURST DATA / EVENT COLLECTORS IJ12229 EVENT COLLECTORS CAN EXPERIENCE PIPELINE PERFORMANCE ISSUES DUE TO NOT HAVING AN APPLIANCE CAPABILITY CONFIGURED CLOSED Resolved in QRadar 7.4.0 (7.4.0.20200304205308)

    Issue
    It has been identified that Event Collectors (EC) do not have an appliance level capability set. Because of this, QRadar pipeline processes are not protected from bursts in the incoming event rate (EPS).

    Event Collectors inherit their licensing limits from the connected Event Processor (EP), and EPs frequently have a much higher capability and license than an EC can handle. Without appliance capability limits configured for ECs, they are exposed to pipeline performance issues.
    09 December 2019
    FORWARDED EVENTS / NETWORK IJ18585 SOME FORWARDED EVENTS CAN FAIL TO FORWARD SUCCESSFULLY WHEN A CONNECTION DROP OCCURS TO THE EVENT FORWARDING RECEIVER CLOSED Resolved in:
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)
    QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

    It has been identified that a network device can sometimes break the long-lived connection between QRadar and a configured event forwarding target. Some events are not forwarded before the connection is recovered.

    Warning messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [ecs-ep.ecs-ep] com.q1labs.sem.selectiveforwarding.SelectiveForwardingCommunicatorThread: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -]2019-07-15 15:50:20.0368 [:127.0.0.1:514] Exceeded maximum number of retries, dropping event[1].
    [ecs-ep.ecs-ep] com.q1labs.sem.selectiveforwarding.SelectiveForwardingCommunicatorThread: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Following message suppressed 1 times in 300000 milliseconds
    [ecs-ep.ecs-ep] com.q1labs.sem.selectiveforwarding.SelectiveForwardingCommunicatorThread: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -][:127.0.0.1:514] Exceeded Timeouts number[5], resetting connection.
    [ecs-ep.ecs-ep] com.q1labs.sem.selectiveforwarding.SelectiveForwardingCommunicatorThread: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -][:127.0.0.1:514] Established connection
    [ecs-ep.ecs-ep] com.q1labs.sem.selectiveforwarding.SelectiveForwardingCommunicatorThread: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -]2019-07-15 20:56:24.0403 [:127.0.0.1:514] Exceeded maximum number of retries, dropping event[1].
    [ecs-ep.ecs-ep] com.q1labs.sem.selectiveforwarding.SelectiveForwardingCommunicatorThread: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Following message suppressed 1 times in 300000 milliseconds
    [ecs-ep.ecs-ep] com.q1labs.sem.selectiveforwarding.SelectiveForwardingCommunicatorThread: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -][:127.0.0.1:514] Exceeded Timeouts number[5], resetting connection.
    [ecs-ep.ecs-ep] com.q1labs.sem.selectiveforwarding.SelectiveForwardingCommunicatorThread: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -][:127.0.0.1:514] Established connection
    [ecs-ep.ecs-ep] com.q1labs.sem.selectiveforwarding.SelectiveForwardingCommunicatorThread: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -]2019-07-16 00:21:29.0281 [:127.0.0.1:514] Exceeded maximum number of retries, dropping event[1].
    [ecs-ep.ecs-ep] com.q1labs.sem.selectiveforwarding.SelectiveForwardingCommunicatorThread: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Following message suppressed 1 times in 300000 milliseconds
    [ecs-ep.ecs-ep] com.q1labs.sem.selectiveforwarding.SelectiveForwardingCommunicatorThread: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -][:127.0.0.1:514] Exceeded Timeouts number[5], resetting connection.
    [ecs-ep.ecs-ep] com.q1labs.sem.selectiveforwarding.SelectiveForwardingCommunicatorThread: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -][:127.0.0.1:514] Established connection
    09 December 2019
    DSM EDITOR IJ19112 DIFFERENCES IN HOW DSM EDITOR PARSES VERSUS HOW THE PIPELINE PARSES CAN PREVENT PROPER DSM EDITOR REGEX WRITING/TESTING CLOSED Resolved in:
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)
    QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

    It has been identified that the DSM Editor parses payloads differently from the event pipeline when a payload contains a trailing LF (line feed) or a trailing space.

    These differences in parsing behavior can inhibit the proper writing and testing of regex when using the DSM Editor.
    09 December 2019
    AUTHENTICATION (LDAP) / ACCESS IJ13595 LDAP LOGINS CAN FAIL IF PAGINATION IS DISABLED FOR BIND USERS CLOSED Resolved in:
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)
    QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

    Workaround
    Enable paging for the bind user, or change the bind user to one that has paging allowed.

    Issue
    It has been identified that QRadar LDAP logins can fail if pagination is disabled for the bind user. In the LDAP authentication setup, the test connection to the backend server succeeds; if group authentication is used, the group load fails.
    09 December 2019
    LOG SOURCES / LOG SOURCE MANAGEMENT APP IJ15429 TOMCAT OUT OF MEMORY CAN OCCUR WHEN PERFORMING AN ENABLE OR DISABLE OF A LOG SOURCE CLOSED Resolved in:
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)
    QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

    It has been identified that enabling or disabling a Log Source, using either the API (Log Source Management App) or the legacy Log Source management page, can sometimes cause a Tomcat out-of-memory condition in QRadar environments with a very large number of Log Sources.
    09 December 2019
    OFFENSES IJ16002 THE OFFENSE PAGE IN THE QRADAR USER INTERFACE CAN BE SLOW TO OPEN AFTER PATCHING TO QRADAR 7.3.2 CLOSED Resolved in:
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)
    QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

    Issue
    It has been identified that after patching to QRadar 7.3.2, opening the Offense page in the QRadar User Interface can take longer than expected.
    09 December 2019
    EVENT LOGS / TRAFFIC ANALYSIS IJ21155 EXCESSIVE LOGGING OF MESSAGE 'TRAFFIC ANALYSIS WILL CREATE NEW DEVICES WITH EVENT COALESCING TURNED ON' CLOSED Resolved in:
    QRadar 7.3.3 (7.3.3.20191031163225)
    QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

    Workaround: You can turn off logging for the TrafficAnalysisFilter class from the command line of the QRadar Console to prevent it from filling the logs.
    1. To open the log4j configuration tool, type: /opt/qradar/support/mod_log4j.pl
    2. Type your name for audit purposes
    3. Select option 3 - Advanced Menu.
    4. Select option 2 - Add a new Logger.
    5. Type the classpath com.ibm.si.ec.filters.trafficanalysis.TrafficAnalysisFilter
    6. Select option 4 - Off
    7. Select * - All of the above

    Issue: It has been identified that excessive logs similar to the following might be visible in /var/log/qradar.log:
    [ecs-ec.ecs-ec] [[type=com.eventgnosis.system.ThreadedEventProcessor][parent=l3rtc.canlab.ibm.com:ecs-ec/EC/TrafficAnalysis1/TrafficAnalysis]] com.ibm.si.ec.filters.trafficanalysis.TrafficAnalysisFilter: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Traffic analysis will create new devices with event payload storage turned on
    [ecs-ec.ecs-ec] [[type=com.eventgnosis.system.ThreadedEventProcessor][parent=l3rtc.canlab.ibm.com:ecs-ec/EC/TrafficAnalysis1/TrafficAnalysis]] com.ibm.si.ec.filters.trafficanalysis.TrafficAnalysisFilter: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Traffic analysis will create new devices with event coalescing turned on
    28 November 2019
    CUSTOM PROPERTIES / SYSTEM NOTIFICATIONS IJ15775 REGEXMONITOR FEATURE CAN SOMETIMES DISABLE CUSTOM PROPERTIES WITHOUT ANY SYSTEM NOTIFICATION CLOSED Resolved in:
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)
    QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

    It has been identified that the RegexMonitor feature, which is designed to automatically disable expensive custom properties to prevent performance issues, can sometimes disable inexpensive custom properties, and can do so without generating a System Notification.
    09 December 2019
    DASHBOARD / USER INTERFACE IJ18066 QRADAR USER INTERFACE CAN BECOME INACCESSIBLE DUE TO TOMCAT TXSENTRY WHEN USING 'TOP CATEGORY TYPES' DASHBOARD ITEM CLOSED Resolved in:
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)
    QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

    It has been identified that in some instances the "Top Category Types" Dashboard item can lead to a TXSentry killing the tomcat process. When this occurs, the QRadar User Interface can become inaccessible.

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    TX on host 1console_ip: pid=5919 age=616 IP=127.0.0.1
    port=40362 locks=42 query='SELECT id, parent_id, category_name,
    chain_name, offense_count, attacker_count, target_count,
    event_count, start_time, end_time FROM
    category_type_summary_proc(323, true, '1,2') WHERE parent_id
    NOT IN(10000,11000,14000) AND id NOT IN(10000,11000,14000) AND
    MOD(id, 1000)<>0 ORDER BY offense_count desc LIMIT 5 '
    09 December 2019
    RULES / USER INTERFACE IJ17357 HTTP 504 ERROR IN QRADAR USER INTERFACE WHEN SELECTING CUSTOM RULES OR WHEN OPENING RULES IN THE RULE WIZARD CLOSED Resolved in:
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)

    It has been identified that in some instances selecting or opening a custom rule from the Rule Wizard can fail with a 504 error being generated in the QRadar User Interface window. This can occur if you have a large number of reference data elements.
    09 December 2019
    APPLICATION FRAMEWORK IJ21495 QRADAR APPS CAN GO OUT OF MEMORY DUE TO A RHEL KERNEL BUG WITH DENTRY SLAB CACHE CLOSED Resolved in:
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)

    It has been identified that in some instances QRadar Apps can experience out-of-memory occurrences due to a Red Hat Enterprise Linux (RHEL) kernel bug with the dentry slab cache, where kernel memory is not freed as expected.

    For more information, see: https://access.redhat.com/solutions/55818
    09 December 2019
    ROUTING RULES / OFFLINE FORWARDER IJ18101 CUSTOM AQL EVENT/FLOW PROPERTIES WHILE USING OFFLINE FORWARDER WITH JSON FORWARDED DESTINATIONS CAN CAUSE PERFORMANCE ISSUES CLOSED Resolved in:
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)
    QRadar 7.3.2 Patch 2 (7.3.2.20190522204210)

    It has been identified that QRadar environments with custom AQL Event/Flow properties can experience system performance issues with the offline forwarder when using JSON forwarding destinations after upgrading to 7.3.2 Patch 2.
    09 December 2019
    UPGRADE / SNMP IJ17204 ECS-EP PROCESS FAILS TO START AFTER PATCHING TO QRADAR 7.3.2 (OR LATER) WHEN CUSTOM SNMP TRAP EVENTS WERE CONFIGURED CLOSED Resolved in:
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)
    QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

    It has been identified that the ecs-ep service can fail to start after patching to QRadar 7.3.2 when custom snmp trap events were configured.

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [ecs-ep.ecs-ep] [ECS Runtime Thread] Caused by: java.io.FileNotFoundException: /opt/ibm/si/services/ecs-ep/current/frameworks_conf/customCRE.snmp.xml (No such file or directory)
    [ecs-ep.ecs-ep] [ECS Runtime Thread] at java.io.FileInputStream.open(FileInputStream.java:212)
    [ecs-ep.ecs-ep] [ECS Runtime Thread] at java.io.FileInputStream.<init>(FileInputStream.java:152)
    [ecs-ep.ecs-ep] [ECS Runtime Thread] at java.io.FileInputStream.<init>(FileInputStream.java:104)
    [ecs-ep.ecs-ep] [ECS Runtime Thread] at sun.net.www.protocol.file.FileURLConnection.connect(FileURLConnection.java:103)
    [ecs-ep.ecs-ep] [ECS Runtime Thread] at sun.net.www.protocol.file.FileURLConnection.getInputStream(FileURLConnection.java:201)
    [ecs-ep.ecs-ep] [ECS Runtime Thread] at org.apache.xerces.impl.XMLEntityManager.setupCurrentEntity(Unknown Source)
    [ecs-ep.ecs-ep] [ECS Runtime Thread] at org.apache.xerces.impl.XMLVersionDetector.determineDocVersion(Unknown Source)
    [ecs-ep.ecs-ep] [ECS Runtime Thread] at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
    [ecs-ep.ecs-ep] [ECS Runtime Thread] at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
    [ecs-ep.ecs-ep] [ECS Runtime Thread] at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
    [ecs-ep.ecs-ep] [ECS Runtime Thread] at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
    [ecs-ep.ecs-ep] [ECS Runtime Thread] at org.apache.xerces.jaxp.SAXParserImpl$JAXPSAXParser.parse(Unknown Source)
    [ecs-ep.ecs-ep] [ECS Runtime Thread] at com.sun.xml.bind.v2.runtime.unmarshaller.UnmarshallerImpl.unmarshal0(UnmarshallerImpl.java:211)
    [ecs-ep.ecs-ep] [ECS Runtime Thread] ... 17 more
    09 December 2019
    OFFENSES IJ16819 OFFENSES CAN FAIL TO GENERATE AND OR UPDATE WHEN USERNAME OR HOSTNAME IN ASSET EXCEEDS 255 CHARACTERS CLOSED Resolved in:
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)

    It has been identified that Offenses can fail to generate and or Offense data can fail to update when a username or hostname in an asset exceeds 255 characters.
    When this issue occurs, the magistrate (MPC) continuously attempts to recover and repeatedly experiences a TX Sentry reported in /var/log/qradar.log with entries similar to:
    'Multiple (101) TX's found, attempting recovery'


    Messages similar to the following might be visible in qradar-sql.log when this issue occurs:
    postgres[49684]: [3-1] ERROR: value too long for type character varying(255)
    postgres[49684]: [3-2] CONTEXT:  SQL statement "INSERT into offense_target_link (offense_id, target_id, add_time, macaddress, hostname, username)
    postgres[49684]: [3-3] values (p_offense, v_target, extract (epoch from now())::int8, substring (v_identity.macaddress from 1 for 17), v_identity.hostname, v_identity.username)"
    postgres[49684]: [3-4] PL/pgSQL function link_offense_targets(bigint,character varying,integer) line 34 at SQL statement
    postgres[49684]: [3-5] STATEMENT:  select * from link_offense_targets($1,$2, $3, $4)  as result
    09 December 2019
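Several entries above (IJ21718, IJ14189, IJ18585, IJ21155, IJ17204, IJ16819, IJ15630) are identified by a distinctive line in /var/log/qradar.log or qradar-sql.log. The following is an added example, not IBM code, that scans log lines for those quoted signatures and tallies which APAR each hit points at, also summing the forwarded events reported dropped for IJ18585. The regexes are derived from the messages quoted in the entries; the sample lines are constructed, shortened versions of them.

```python
"""Added example (not IBM code): match qradar.log lines against the message
signatures quoted in the APAR entries on this page."""
import re
from collections import Counter

# APAR -> pattern taken from the message quoted in its entry
SIGNATURES = {
    "IJ21718": re.compile(r"\[Ariel Writer#events\].*(ConcurrentModificationException|Exception was uncaught)"),
    "IJ14189": re.compile(r"BackupUtils: \[ERROR\].*Cannot execute 'ps "),
    "IJ18585": re.compile(r"SelectiveForwardingCommunicatorThread: \[WARN\].*dropping event\[(\d+)\]"),
    "IJ21155": re.compile(r"TrafficAnalysisFilter: \[INFO\].*Traffic analysis will create new devices"),
    "IJ17204": re.compile(r"FileNotFoundException: .*customCRE\.snmp\.xml"),
    "IJ16819": re.compile(r"value too long for type character varying\(255\)"),
    "IJ15630": re.compile(r"QniDtlsHelper\.getQflowDtlsConnectionsList"),
}


def scan(lines):
    """Return (hits per APAR, number of forwarded events reported dropped)."""
    hits, dropped = Counter(), 0
    for line in lines:
        for apar, rx in SIGNATURES.items():
            m = rx.search(line)
            if m:
                hits[apar] += 1
                if apar == "IJ18585":
                    dropped += int(m.group(1))  # the count inside 'dropping event[N]'
    return hits, dropped


# Constructed sample lines modelled on the messages quoted above; the last one is a
# harmless deployment line that must not match anything.
SAMPLE_LOG = [
    "[ecs-ep.ecs-ep] [Ariel Writer#events] com.q1labs.frameworks.core.ThreadExceptionHandler: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Exception was uncaught in thread: Ariel Writer#events",
    "[ecs-ep.ecs-ep] [Ariel Writer#events] java.util.ConcurrentModificationException",
    "[hostcontext.hostcontext] [Backup] com.q1labs.hostcontext.backup.core.BackupUtils: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Cannot execute 'ps -e -o pid -o ppid -o cmd'",
    "[ecs-ep.ecs-ep] com.q1labs.sem.selectiveforwarding.SelectiveForwardingCommunicatorThread: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -]2019-07-15 15:50:20.0368 [:127.0.0.1:514] Exceeded maximum number of retries, dropping event[1].",
    "[ecs-ep.ecs-ep] com.q1labs.sem.selectiveforwarding.SelectiveForwardingCommunicatorThread: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -]2019-07-15 20:56:24.0403 [:127.0.0.1:514] Exceeded maximum number of retries, dropping event[1].",
    "[ecs-ep.ecs-ep] [ECS Runtime Thread] Caused by: java.io.FileNotFoundException: /opt/ibm/si/services/ecs-ep/current/frameworks_conf/customCRE.snmp.xml (No such file or directory)",
    "postgres[49684]: [3-1] ERROR: value too long for type character varying(255)",
    "[tomcat.tomcat] [user@127.0.0.1 (9488) /console/JSON-RPC/QRadar.scheduleDeployment QRadar.scheduleDeployment] deployment scheduled",
]
```

Usage on a console: `hits, dropped = scan(open("/var/log/qradar.log", errors="replace"))`, then compare each APAR with a hit against the "Resolved in" build for your version. A hit is a prompt to check the build number, not proof of the APAR: several of these messages can also appear for unrelated reasons (a missing customCRE.snmp.xml, for instance, only matters when ecs-ep fails to start).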
    DEPLOY CHANGES / QFLOW IJ15630 DEPLOY FUNCTION TIMEOUT CAUSED BY INCORRECT DEPLOYMENT.XML COMPONENT DATA AFTER A QFLOW SOURCE IS REMOVED CLOSED Resolved in:
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)

    It has been identified that QRadar 'Deploy' function can fail (timeout) after removing a QFlow source that has connections to QRadar Network Insights (QNI) in Deployment.xml. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [tomcat.tomcat] [user@127.0.0.1 (9488) /console/JSON-RPC/QRadar.scheduleDeployment QRadar.scheduleDeployment] at java.lang.Thread.run(Thread.java:812)
    [tomcat.tomcat] [user@127.0.0.1 (9488) /console/JSON-RPC/QRadar.scheduleDeployment QRadar.scheduleDeployment] Caused by:
    [tomcat.tomcat] [user@127.0.0.1 (9488) /console/JSON-RPC/QRadar.scheduleDeployment QRadar.scheduleDeployment] java.lang.NullPointerException
    [tomcat.tomcat] [user@127.0.0.1 (9488) /console/JSON-RPC/QRadar.scheduleDeployment QRadar.scheduleDeployment] at com.q1labs.configservices.util.forensics.QniDtlsHelper.getQflowDtlsConnectionsList(QniDtlsHelper.java)
    [tomcat.tomcat] [user@127.0.0.1 (9488) /console/JSON-RPC/QRadar.scheduleDeployment QRadar.scheduleDeployment] at com.q1labs.configservices.config.globalset.forensics.QniDtlsConfigurationTransformer.configureDtlsConnections(QniDtlsConfigurationTransformer.java)
    09 December 2019
    LOG SOURCES / USER INTERFACE IJ16162 QRADAR USER INTERFACE BECOMES UNRESPONSIVE DURING BULK CHANGES MADE TO A LARGE NUMBER OF LOG SOURCES USING THE API CLOSED Resolved in:
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)

    It has been identified that the QRadar User Interface can sometimes become unresponsive due to a session leak caused by a large number of bulk changes made to Log Sources using the QRadar Log Source Management App (API) in QRadar environments with hundreds of thousands of Log Sources. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [tomcat.tomcat] [LogSourceServices_PersisterTimer] com.q1labs.rpcservices.LogSourceServices: [ERROR] [NOT:0000003000][IP ADDRESS/- -] [-/- -]Unable to get session context to update device last seen times
    [tomcat.tomcat] [LogSourceServices_PersisterTimer] java.util.ConcurrentModificationException
    [tomcat.tomcat] [LogSourceServices_PersisterTimer] at gnu.trove.impl.hash.THashIterator.nextIndex(THashIterator.java)
    [tomcat.tomcat] [LogSourceServices_PersisterTimer] at gnu.trove.impl.hash.THashIterator.hasNext(THashIterator.java)
    [tomcat.tomcat] [LogSourceServices_PersisterTimer] at java.lang.Iterable.forEach(Iterable.java:85)
    [tomcat.tomcat] [LogSourceServices_PersisterTimer] at com.q1labs.rpcservices.LogSourceUpdate.closePreparedStatements(LogSourceUpdate.java)
    [tomcat.tomcat] [LogSourceServices_PersisterTimer] at com.q1labs.rpcservices.LogSourceServices$PersistLogSourceUpdateTask.persistLogSourceUpdates(LogSourceServices.java)
    [tomcat.tomcat] [LogSourceServices_PersisterTimer] at com.q1labs.rpcservices.LogSourceServices$PersistLogSourceUpdateTask.run(LogSourceServices.java)
    [tomcat.tomcat] [LogSourceServices_PersisterTimer] at java.util.TimerThread.mainLoop(Timer.java:566)
    [tomcat.tomcat] [LogSourceServices_PersisterTimer] at java.util.TimerThread.run(Timer.java)
    [tomcat.tomcat] [LogSourceServices_PersisterTimer] com.q1labs.frameworks.session.SessionContext: [ERROR] [NOT:0000003000][x.x.x.x/- -] [-/- -]28012 leak(s) detected in session context: 640axxxx-xxxx-xxxx-xxxx-e33fc1xxxx
    [tomcat.tomcat] [LogSourceServices_PersisterTimer] com.q1labs.frameworks.session.SessionContext: [ERROR] [NOT:0000003000][x.x.x.x/- -] [-/- -]java.sql.PreparedStatement leak detected. Object created in following code path
    [tomcat.tomcat] [LogSourceServices_PersisterTimer] java.lang.Exception
    [tomcat.tomcat] [LogSourceServices_PersisterTimer] at com.q1labs.frameworks.session.BaseWrapper.(BaseWrapper.java)
    [tomcat.tomcat] [LogSourceServices_PersisterTimer] at com.q1labs.frameworks.session.PreparedStatementWrapper.(PreparedStatementWrapper.java)
    [tomcat.tomcat] [LogSourceServices_PersisterTimer] at com.q1labs.frameworks.session.ConnectionWrapper.prepareStatement(ConnectionWrapper.java)
    [tomcat.tomcat] [LogSourceServices_PersisterTimer] at com.q1labs.rpcservices.LogSourceUpdate.getPreparedStatement(LogSourceUpdate.java)
    [tomcat.tomcat] [LogSourceServices_PersisterTimer] at com.q1labs.rpcservices.LogSourceServices$PersistLogSourceUpdateTask.persistLogSourceUpdates(LogSourceServices.java)
    [tomcat.tomcat] [LogSourceServices_PersisterTimer] at com.q1labs.rpcservices.LogSourceServices$PersistLogSourceUpdateTask.run(LogSourceServices.java)
    [tomcat.tomcat] [LogSourceServices_PersisterTimer] at java.util.TimerThread.mainLoop(Timer.java)
    [tomcat.tomcat] [LogSourceServices_PersisterTimer] at java.util.TimerThread.run(Timer.java:516)
    09 December 2019
    FLOWS / USER INTERFACE IJ21572 NO FLOW SOURCE ALIAS ARE DISPLAYED IN THE QRADAR USER INTERFACE CLOSED Resolved in:
    QRadar 7.3.3 (7.3.3.20191031163225)
    QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

    A fresh install of, or patch to, QRadar version 7.3.2 can experience an issue where no Flow Source Aliases are displayed on the Admin -> Flow Source Alias page of the QRadar User Interface.
    19 December 2019
    ROUTING RULES IJ21049 ROUTING RULES FOR ASSET HOSTNAME FILTERING ON SPECIFIC EVENT COLLECTOR APPLIANCES DOES NOT WORK AS EXPECTED CLOSED Resolved in:
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 (7.3.3.20191031163225)

    Workaround
    Contact Support for a possible workaround that might address this issue in some instances.

    Issue
    It has been identified that routing rules for asset hostname filtering do not work because the asset.hostname table is not replicated to all hosts (Event Collectors). When a routing rule is created on an Event Collector (EC) with a filter of destination asset hostname or source asset hostname equals a given hostname and the Drop action selected, the drop does not happen because the asset.hostname table is empty on the EC.
    06 December 2019
    CUSTOM PROPERTIES IJ21052 REPLICATION FOR ARIEL_PROPERTY_LEEF_EXPRESSION AND ARIEL_PROPERTY_CEP_EXPRESSION NOT WORKING AS EXPECTED CLOSED Resolved in:
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 (7.3.3.20191031163225)

    It has been identified that replication for ariel_property_leef_expression and ariel_property_cep_expression is not working as expected on Event Collector appliances because the tables are not replicated to all hosts (Event Collectors). This can cause routing rule drops to not work as expected, as events on those hosts do not parse the affected fields properly.
    06 December 2019
    REFERENCE DATA IJ20134 REFERENCE SET DATA CAN BE MISSING FROM EVENT COLLECTORS DUE TO MISSING DATABASE TABLE FIELDS WITHIN REPLICATION CLOSED Resolved in:
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 (7.3.3.20191031163225)
    QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

    It has been identified that some database table fields containing Reference Set data are omitted from the data being replicated to QRadar collector managed hosts. When this issue occurs, Reference Set data is missing on Event Collector appliances, which can cause QRadar rule functionality to not work as expected.
    06 December 2019
    EVENT COLLECTOR / ROUTING RULES IJ21053 EVENT COLLECTOR IS NOT AWARE OF NETWORK NAME/RANGE AS THE TABLE IS NOT REPLICATED TO THE EVENT COLLECTOR(S) CLOSED Resolved in:
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 (7.3.3.20191031163225)
    QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

    It has been identified that Event Collector(s) are not aware of network name/range as the network database table is not replicated on the Event Collector(s). This can cause routing rules to not work as expected as Event Collector(s) do not have the appropriate database table information.
    06 December 2019
    QRADAR DEPLOYMENT INTELLIGENCE IJ20138 HEALTH METRIC DATA CAN BE MISSING FROM EVENT COLLECTORS DUE TO MISSING DATABASE TABLE FIELDS WITHIN REPLICATION CLOSED Resolved in:
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 (7.3.3.20191031163225)
    QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

    It has been identified that some database table fields containing Health Metric data are omitted from the data being replicated to QRadar collector managed hosts. When this issue occurs, Health Metric data is missing on Event Collector appliances, causing QRadar Deployment Intelligence (QDI) to not report any information from Event Collectors.
    06 December 2019
    DOMAINS / TENANTS IJ18325 QRADAR LOG MANAGER DOMAIN MANAGEMENT 'ADD' BUTTON DOES NOT WORK AS EXPECTED CLOSED Resolved in:
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 (7.3.3.20191031163225)
    QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

    It has been identified that within a QRadar Log Manager, the Admin -> Domain Management -> Add button does not work as expected. When the 'Add' button is selected, the next pop up window does not appear.
    06 December 2019
    TOPOLOGY / QRADAR RISK MANAGER IJ17290 'VIEW TOPOLOGY' WHEN SELECTED FROM ASSET DETAILS DIALOG NEVER COMPLETES CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225).

    Workaround: Perform a host search for the asset on the Topology screen.

    It has been identified that when "View Topology" is selected in the Asset Details dialog, no results are returned. The Network Topology dialog that is launched displays either "Wait for data to be retrieved" or "[key not defined: srm.modelDefinition.pleaseWaitForModel]" and never completes.
    06 December 2019
    FLOWS IJ15964 QFLOW CAN SOMETIMES PARSE NETFLOW/JFLOW INCORRECTLY CLOSED Resolved in:
    QRadar 7.3.3 (7.3.3.20191031163225)
    QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

    It has been identified that in some instances invalid IP data or other incorrect data can be observed for flows that are received/parsed in the Network Activity tab. When this issue occurs, the following might be displayed in the user interface when viewing NETFLOW or JFLOW records:

    • IP addresses for flows might be displayed as 0.x.x.x addresses
    • Source bytes for the flow are only 10 bytes, but there are over 4 million packets.
    06 December 2019
    DOMAINS / TENANTS IJ17186 EVENTS CAN SOMETIMES BE DROPPED WHEN AN EVENT COLLECTOR IS USED FOR MULTIPLE TENANTS CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225).

    It has been identified that events can be dropped when an Event Collector is configured for use by Log Sources for multiple tenants. Messages similar to the following might be visible in /var/log/qradar.log when this issue is occurring:
    [ecs-ec.ecs-ec] com.q1labs.semsources.filters.TenantQueuedEventThrottleFilter: [WARN] [Tenant:1:] Event dropped while attempting to add to Tenant Event Throttle queue. The Tenant Event Throttle queue is full.
    06 December 2019
    USER INTERFACE / PERFORMANCE IJ17018 QRADAR USER INTERFACE CAN BECOME INACCESSIBLE DUE TO AN OUT OF MEMORY OCCURING WHEN USING THE ASSET API CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225).

    It has been identified that in some instances the Asset API can cause Tomcat to experience an Out of Memory issue. When this occurs, the QRadar User Interface is inaccessible until the required services are working as expected. For example, this issue has been reported in cases where asset integration was completed through the Watson Advisor for QRadar application.
    06 December 2019
    MANAGE VULNERABILITIES / QRADAR VULNERABILITY MANAGER IJ16602 EXCEPTIONED VULNERABILITIES REAPPEAR IN MANAGE VULNERABILITIES TAB AFTER RESCANNING CLOSED Resolved in:
    QRadar 7.3.3 (7.3.3.20191031163225)
    QRadar 7.3.2 Patch 4 (7.3.2.20190803012943)

    It has been identified that vulnerabilities that have been exceptioned reappear in the Manage Vulnerabilities tabs after rescanning.
    06 December 2019
    DATA NODE IJ16438 DATA NODES ADDED TO AN EVENT PROCESSOR IN PROCESSING ONLY MODE SHOW AS REBALANCING COMPLETED WITHOUT REBALANCE OCCURRING SUGGESTION Note: This issue is currently tagged closed as a suggestion for a future release.

    Issue: It has been identified that after adding a Data Node to an Event Processor that is in Processing Only mode, rebalancing appears to complete quickly, but rebalancing of data to the new Data Node did not actually happen.

    Comment: The goal of rebalancing is not to make free space % exactly equal across the cluster. The behavior mentioned works as designed.
    06 December 2019
    DEPLOY CHANGES IJ16640 QRADAR DEPLOY FUNCTIONS CAN TIMEOUT WHEN THE CERTIFICATE VALIDATOR FAILS DUE TO EMPTY CERTIFICATES BEING PRESENT CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225).

    Workaround: Remove the empty certificates from /opt/qradar/trusted_certificates and retry the deploy function. Contact Support if assistance is required with this task.

    It has been identified that test_tomcat_connection.sh can take longer than expected to complete when empty certificates are present in /opt/qradar/trusted_certificates/. The Certificate Validator does not work and can lead to QRadar deploy functions timing out. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [tomcat.tomcat] [localhost-startStop-1] java.security.cert.CertificateException: Unable to initialize, java.io.IOException: Short read of DER length
    [tomcat.tomcat] [localhost-startStop-1] at com.ibm.security.x509.X509CertImpl.(X509CertImpl.java:268)
    [tomcat.tomcat] [localhost-startStop-1] at com.ibm.crypto.provider.X509Factory.engineGenerateCertificate(Unknown Source)

    06 December 2019
    ADVANCED SEARCH (AQL) IJ16172 ADVANCED SEARCH (AQL) FAILS WHEN USING THE LABELS OF A CUSTOM EVENT PROPERTY FIELDS IN A GROUP BY CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225).

    It has been identified that an Advanced Search (AQL) fails when using the labels (alias) of Custom Event Properties in a 'group by'.
    06 December 2019
    LOG SOURCE MANAGEMENT APP / USER INTERFACE IJ16160 TOMCAT OUT OF MEMORY CAN OCCUR WHEN ASSIGNING LOG SOURCES TO GROUPS IN SYSTEMS WITH VERY LARGE NUMBER OF LOG SOURCES CLOSED Resolved in:
    QRadar 7.3.3 (7.3.3.20191031163225)
    QRadar 7.3.2 Patch 5 (7.3.2.20191022133252)

    It has been identified that a Tomcat process out of memory can sometimes occur in QRadar environments with hundreds of thousands of Log Sources when assigning Log Sources to Log Source Groups using the Log Source Management App. When a Tomcat out of memory occurs, the QRadar User Interface becomes unavailable until all related services are running as expected.
    06 December 2019
    LICENSE IJ15970 QRADAR VULNERABILITY MANAGER (QVM) LICENSE WARNING BANNER CAN DISPLAY WHEN IT SHOULD NOT CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225).

    It has been identified that a QRadar Vulnerability Manager (QVM) license warning banner can be displayed when interfaces have been added to assets that have not been scanned by QVM. The asset count incorrectly includes the assets. The message appears similar to the following: WARNING: You have scanned {number} assets but are only licensed to scan {number} assets. License Update Required!
    06 December 2019
    API IJ16954 THE REST API FOR 'USERS' INCORRECTLY CHECKS USER NAMES FOR VALIDATION WHEN UPDATING FIELDS CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225).

    It has been identified that the REST API for 'users' in QRadar incorrectly checks user names for validation when updating fields. API response messages similar to the following can be observed when usernames with invalid characters (created using LDAP) exist:
    {"http_response":{"code":500,"message":"Unexpected internal server error"},"code":12,"description":"","details":{},"message":"Endpoint invocation returned an unexpected error"}

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [tomcat.tomcat] [admin@127.0.0.1 (942) /console/restapi/api/staged_config/access/users/3] com.q1labs.restapi.servlet.apidelegate.APIDelegate: [ERROR] [-/- -]Request Exception
    [tomcat.tomcat] [admin@127.0.0.1 (942) /console/restapi/api/staged_config/access/users/3] com.q1labs.restapi_annotations.content.exceptions.APIMappedException: Endpoint invocation returned an unexpected error
    [tomcat.tomcat] [admin@127.0.0.1 (942) /console/restapi/api/staged_config/access/users/3]    at com.q1labs.restapi.exceptionmapper.ExceptionMapper.mapException(ExceptionMapper.java)
    [tomcat.tomcat] [admin@127.0.0.1 (942) /console/restapi/api/staged_config/access/users/3]    at com.q1labs.restapi.servlet.utilities.APIRequestHandler.processEndpointException(APIRequestHandler.java)
    06 December 2019
    USER INTERFACE / LOGIN IJ16944 QRADAR USER INTERFACE LOGIN MESSAGE LINE FORMATTING IS NOT WORKING AS EXPECTED CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225).

    It has been identified that when a line break is entered into a QRadar User Interface 'Login Message', it is converted into the line feed symbol (\n). When the request is made to generate the Console login page, the line feed remains in the HTML as is and no new lines are created. For example:
    1. Navigate to the Admin tab.
    2. Go to System Settings.
    3. Scroll to Login Message, and click Edit.
    4. Enter a new Login Message which contains line breaks.
    5. Save and deploy the changes.
    6. Log out of QRadar.

      Result
      The line breaks are not being detected.
    06 December 2019
    RULES / PERMISSIONS IJ16943 QRADAR USER CAN ACCESS CUSTOM RULE INFORMATION WHEN NOT GIVEN ACCESS TO 'VIEW CUSTOM RULES' AND 'MAINTAIN CUSTOM RULES' CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225).

    It has been identified that QRadar users can access custom rules even when their access has not been granted to View Custom Rules and Maintain Custom Rules.

    To replicate or validate this reported issue:
    1. Log in to the QRadar Console.
    2. Click the User Roles icon.
    3. Create a user with following user role permissions disabled:
      • View Custom Rules
      • Maintain Custom Rules
    4. Save the changes.
    5. Click Deploy Changes from the Admin tab.
    6. Login with that user.
    7. Navigate to the Offense tab.
    8. Click Offense search.

      Results
      The user cannot open the rule definitions or view the rule summary page, but the user can view all the rule Groups and list all available rules on the system. The names of the rules can be quite informative and specific to a particular domain and tenancy and should not be exposed to a user with these specific role settings.
    06 December 2019
    BACKUP / RESTORE IJ17940 PERFORMING A RESTORE AND SELECTING 'CUSTOM RULE CONFIGURATION' ONLY DOES NOT INCLUDE REFERENCE DATA DEPENDENCIES CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225).

    It has been identified that performing a restore from a configuration backup with only the Custom Rule Configuration selected does not include the reference data structures and reference_data_rules that the custom rules depend on, and the restore fails. Messages similar to the following might be visible in /var/log/qradar.log when this issue is occurring:
    [hostcontext.hostcontext] [BackupServices_restore] com.q1labs.hostcontext.backup.BackupRecoveryEngine: [ERROR][127.0.0.1/- -] [-/- -]Unable to execute restore request
    [hostcontext.hostcontext] [BackupServices_restore] com.q1labs.configservices.hostcontext.exception.RestoreException: Unable to restore backup archive
    [hostcontext.hostcontext] [BackupServices_restore] at com.q1labs.hostcontext.backup.BackupRecoveryEngine.restore(BackupRecoveryEngine.java:4423)
    [hostcontext.hostcontext] [BackupServices_restore] at com.q1labs.hostcontext.backup.BackupRecoveryEngine.doRestore(BackupRecoveryEngine.java:5872)
    [hostcontext.hostcontext] [BackupServices_restore] at com.q1labs.hostcontext.core.executor.RestoreExecutor$1.run(RestoreExecutor.java:70)
    [hostcontext.hostcontext] [BackupServices_restore] Caused by:
    [hostcontext.hostcontext] [BackupServices_restore] com.q1labs.configservices.hostcontext.exception.RestoreException: Test database restore failed... aborting restore process
    [hostcontext.hostcontext] [BackupServices_restore] at com.q1labs.hostcontext.backup.BackupRecoveryEngine.restore(BackupRecoveryEngine.java:4307)
    [hostcontext.hostcontext] [BackupServices_restore] ... 2 more
    [hostcontext.hostcontext] [BackupServices_restore] Caused by:
    [hostcontext.hostcontext] [BackupServices_restore] com.q1labs.configservices.hostcontext.exception.RestoreException: Test backup failed
    [hostcontext.hostcontext] [BackupServices_restore] at com.q1labs.hostcontext.backup.BackupRecoveryEngine.restoreOnTopOfTestDb(BackupRecoveryEngine.java:2881)
    [hostcontext.hostcontext] [BackupServices_restore] at com.q1labs.hostcontext.backup.BackupRecoveryEngine.doTestRestore(BackupRecoveryEngine.java:2647)
    [hostcontext.hostcontext] [BackupServices_restore] at com.q1labs.hostcontext.backup.BackupRecoveryEngine.restore(BackupRecoveryEngine.java:4303)
    [hostcontext.hostcontext] [BackupServices_restore] ... 2 more
    [hostcontext.hostcontext] [BackupServices_restore] Caused by:
    [hostcontext.hostcontext] [BackupServices_restore] com.q1labs.configservices.hostcontext.exception.RestoreException: Unable to restore database
    [hostcontext.hostcontext] [BackupServices_restore] at com.q1labs.hostcontext.backup.BackupRecoveryEngine.doDbRestore(BackupRecoveryEngine.java:3007)
    [hostcontext.hostcontext] [BackupServices_restore] at com.q1labs.hostcontext.backup.BackupRecoveryEngine.restoreOnTopOfTestDb(BackupRecoveryEngine.java:2868)
    [hostcontext.hostcontext] [BackupServices_restore] ... 4 more
    [hostcontext.hostcontext] [BackupServices_restore] Caused by:
    [hostcontext.hostcontext] [BackupServices_restore] com.q1labs.configservices.hostcontext.exception.RestoreException: Unable to restore database
    [hostcontext.hostcontext] [BackupServices_restore] at com.q1labs.hostcontext.backup.BackupRecoveryEngine.doDbRestore(BackupRecoveryEngine.java:2996)
    [hostcontext.hostcontext] [BackupServices_restore] ... 5 more
    [hostcontext.hostcontext] [BackupServices_restore] Caused by:
    [hostcontext.hostcontext] [BackupServices_restore] java.lang.Exception: unable to execute sql statement: ALTER TABLE public.reference_data_rules ADD CONSTRAINT reference_data_rules_rule_id_fkey FOREIGN KEY (rule_id) REFERENCES public.custom_rule(id) ON DELETE CASCADE;
    [hostcontext.hostcontext] [BackupServices_restore] at com.q1labs.hostcontext.capabilities.PostgresAction.executeSql(PostgresAction.java:668)
    [hostcontext.hostcontext] [BackupServices_restore] at com.q1labs.hostcontext.capabilities.PostgresAction.applyConstraints(PostgresAction.java:287)
    [hostcontext.hostcontext] [BackupServices_restore] at com.q1labs.hostcontext.backup.BackupRecoveryEngine.doDbRestore(BackupRecoveryEngine.java:2974)
    [hostcontext.hostcontext] [BackupServices_restore] ... 5 more
    [hostcontext.hostcontext] [BackupServices_restore] Caused by:
    [hostcontext.hostcontext] [BackupServices_restore] org.postgresql.util.PSQLException: ERROR: insert or update on table "reference_data_rules" violates foreign key constraint "reference_data_rules_rule_id_fkey"
      Detail: Key (rule_id)=(126720) is not present in table "custom_rule".
    [hostcontext.hostcontext] [BackupServices_restore] at org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(QueryExecutorImpl.java:2440)
    [hostcontext.hostcontext] [BackupServices_restore] at org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java:2183)
    [hostcontext.hostcontext] [BackupServices_restore] at org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java:308)
    [hostcontext.hostcontext] [BackupServices_restore] at org.postgresql.jdbc.PgStatement.executeInternal(PgStatement.java:441)
    [hostcontext.hostcontext] [BackupServices_restore] at org.postgresql.jdbc.PgStatement.execute(PgStatement.java:365)
    [hostcontext.hostcontext] [BackupServices_restore] at org.postgresql.jdbc.PgStatement.executeWithFlags(PgStatement.java)
    [hostcontext.hostcontext] [BackupServices_restore] at org.postgresql.jdbc.PgStatement.executeCachedSql(PgStatement.java)
    [hostcontext.hostcontext] [BackupServices_restore] at org.postgresql.jdbc.PgStatement.executeWithFlags(PgStatement.java)
    [hostcontext.hostcontext] [BackupServices_restore] at org.postgresql.jdbc.PgStatement.execute(PgStatement.java)
    [hostcontext.hostcontext] [BackupServices_restore] at com.q1labs.hostcontext.capabilities.PostgresAction.executeSql(PostgresAction.java)
    [hostcontext.hostcontext] [BackupServices_restore] ... 7 more
    06 December 2019
    USER MANAGEMENT IJ16672 UNABLE TO CREATE USERNAMES CONTAINING WHITESPACE CHARACTERS AND AN INCORRECT WARNING MESSAGE IS DISPLAYED WHEN ATTEMPTED CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225).

    It has been identified that attempting to create usernames containing whitespace characters no longer works as expected, and the error message displayed when this is attempted does not clearly identify whitespace as the reason the creation fails. The message generated is similar to:
    "Username must not contain any of the following non-whitespace characters:
    / ' \ "
    06 December 2019
    LOGS / DISK SPACE IJ14984 LOGROTATE CONFIGURATION NEEDS TO BE UPDATED TO BETTER HANDLE /VAR/LOG/CRON.LOG CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225).

    It has been identified that QRadar's logrotate configuration needs to be updated to better handle rotation of the /var/log/cron.log file to prevent it from growing too large.
    06 December 2019
    REPORTS IJ15667 REPORTS WITH ONLY ONE OUTPUT COLUMN FAIL TO GENERATE IN XLS FORMAT CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225).

    Workaround: Do not use the defaults. Attempt to run the report with lower configured limits (use less than 1000).

    It has been identified that reports created with only one column fail to generate in XLS format. CSV and PDF reports with one column are created without issue. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [report_runner] [main] com.q1labs.reporting.ReportServices: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]REPORT [MANUAL#^#admin#$#79d06981-1cca-4954-a46b-18694b6afc1c#^#1553011304019]: An error was encountered rendering the XLS version of the report [MANUAL#^#admin#$#79d06981-1cca-4954-a46b-18694b6afc1c#^#1553011304019].java.lang.IllegalArgumentException: Merged region A1 must contain 2 or more cells
    [report_runner] [main] com.q1labs.reporting.ReportServices: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]REPORT [MANUAL#^#admin#$#79d06981-1cca-4954-a46b-18694b6afc1c#^#1553011304019]: Report Exception: admin#$#79d06981-1cca-4954-a46b-18694b6afc1c.xml
    [report_runner] [main] java.lang.RuntimeException: REPORT [MANUAL#^#admin#$#79d06981-1cca-4954-a46b-18694b6afc1c#^#1553011304019]: Failed to generate report version.
    [report_runner] [main] at com.q1labs.reporting.Report.process(Report.java:668)
    [report_runner] [main] at com.q1labs.reporting.ReportRunner.main(ReportRunner.java:246)
    [report_runner] [main] com.q1labs.reporting.ReportRunner: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Run report "admin#$#79d06981-1cca-4954-a46b-18694b6afc1c" Error
    [report_runner] [main] java.lang.RuntimeException: REPORT [MANUAL#^#admin#$#79d06981-1cca-4954-a46b-18694b6afc1c#^#1553011304019]: Failed to run using template [admin#$#79d06981-1cca-4954-a46b-18694b6afc1c.xml]
    [report_runner] [main] at com.q1labs.reporting.Report.process(Report.java:675)
    [report_runner] [main] at com.q1labs.reporting.ReportRunner.main(ReportRunner.java:246)
    [report_runner] [main] Caused by:
    [report_runner] [main] java.lang.RuntimeException: REPORT [MANUAL#^#admin#$#79d06981-1cca-4954-a46b-18694b6afc1c#^#1553011304019]: Failed to generate report version.
    [report_runner] [main] at com.q1labs.reporting.Report.process(Report.java:668)
    [report_runner] [main] ... 1 more
    [report_runner] [main] com.q1labs.reporting.ReportRunner: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Error initializing ReportRunner
    [report_runner] [main] java.lang.Throwable: java.lang.RuntimeException: REPORT [MANUAL#^#admin#$#79d06981-1cca-4954-a46b-18694b6afc1c#^#1553011304019]: Failed to run using template [admin#$#79d06981-1cca-4954-a46b-18694b6afc1c.xml]
    [report_runner] [main] at com.q1labs.reporting.ReportRunner.main(ReportRunner.java:300)
    [report_runner] [main] Caused by:
    [report_runner] [main] java.lang.RuntimeException: REPORT [MANUAL#^#admin#$#79d06981-1cca-4954-a46b-18694b6afc1c#^#1553011304019]: Failed to run using template [admin#$#79d06981-1cca-4954-a46b-18694b6afc1c.xml]
    [report_runner] [main] at com.q1labs.reporting.Report.process(Report.java:675)
    [report_runner] [main] at com.q1labs.reporting.ReportRunner.main(ReportRunner.java:246)
    [report_runner] [main] Caused by:
    [report_runner] [main] java.lang.RuntimeException: REPORT [MANUAL#^#admin#$#79d06981-1cca-4954-a46b-18694b6afc1c#^#1553011304019]: Failed to generate report version.
    [report_runner] [main] at com.q1labs.reporting.Report.process(Report.java:668)
    [report_runner] [main] ... 1 more
    06 December 2019
    SYSTEM NOTIFICATIONS / MANAGED HOSTS IV94033 MANAGED HOSTS CONFIGURED USING IPV6 CANNOT PROPERLY TIME SYNC TO THE QRADAR CONSOLE CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225).

    It has been observed that Managed Hosts that are added to a QRadar deployment and configured using IPv6 networking cannot properly time sync with their QRadar Console.

    System Notification messages similar to the following might be visible when this issue occurs:
    Low Level Category: Alert
    Payload: Aug 29 14:40:04 127.0.0.1  [ERROR] [NOT:0150003100]
    Time Synchronization to Console has failed - rdate: timeout
    08 December 2019
    UPGRADE / OFFENSES IJ14779 REQUIRED APPLIANCE REBOOT DURING QRADAR PATCHING CAN SOMETIMES CAUSE DATA LOSS, A SOFT CLEAN SIM, OR FILE CORRUPTION CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225).

    It has been identified that when a required appliance reboot occurs during QRadar patches (kernel update) there is the possibility of data loss, a corrupted offense model (forcing a Soft Clean SIM), or other file corruption. This issue can occur when QRadar processes are not allowed to shut down successfully prior to the appliance reboot.
    06 December 2019
    UPGRADE / LOG MANAGER IJ15560 UNABLE TO CONFIGURE BONDED MANAGEMENT INTERFACE USING QCHANGE AFTER MOVING FROM A 8028 TO 3128 APPLIANCE TYPE CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225).

    It has been identified that a bonded management interface cannot be configured using qchange_netsetup after moving from a QRadar Log Manager 8028 appliance type to a QRadar 3128 appliance type.

    When following the wizard and reaching the "assign by functionality" window, selecting the All-in-one option presents the following error: "Cannot switch an appliance id from 8028 to 3128". Selecting Log Manager Console 8028 instead displays the error message:
    Template change from Enterprise to Logger is not supported
    06 December 2019
    ADVANCED SEARCH (AQL) IJ15467 AQL OUTPUT IS INCORRECT WHEN USING SOURCEASSETNAME FILTER BASED ON PAYLOAD CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225).

    It has been identified that performing an AQL search that contains the 'sourceassetname' filter based on payload generates incorrect AQL output when the Show AQL button output is pasted into Advanced Search.
    06 December 2019
    RULES / USER INTERFACE IJ15514 QRADAR RULES PAGE CAN TAKE LONGER THAN EXPECTED TO LOAD CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225).

    It has been identified that the QRadar Rules page in the User Interface can take longer than expected to load in instances where thousands of rules exist. Timeouts can sometimes occur while the Rules are being gathered by QRadar backend processes.

    NOTE: A duplicate APAR IJ15515 was also created and sent via IBM My Notifications. Users who received this notice should refer to IJ15514 for the resolution to this issue.
    06 December 2019
    API / LOG SOURCE IJ15494 BULK EDITING/ADDING/DELETING A LARGE NUMBER OF LOG SOURCES CAN GENERATE A JVM EXCEPTION IN QRADAR LOGGING CLOSED Resolved in:
    QRadar 7.3.3 (7.3.3.20191031163225).
    QRadar 7.3.2 Patch 4 (7.3.2.20190803012943).


    It has been identified that when performing a bulk edit (including an add or delete) on a large number of Log Sources using the API or the Log Source Management app, a message similar to the following can sometimes be generated in /var/log/qradar.log:
    tomcat[20763]: 05-Feb-2019 19:58:57.275 WARNING [ServerHostServices_PersisterTimer] com.sun.messaging.jmq.jmsclient.ExceptionHandler.logCaughtException [I500]: Caught JVM Exception: com.sun.messaging.jms.JMSException: [ADD_PRODUCER_REPLY(19)] [C4036]: A broker error occurred. :[409] [B4183]: Producer can not be added to destination objectChangeNotifications2 [Topic], limit of 100 producers would be exceeded user=qradar, broker=127.0.0.1:7676(7677)
    08 December 2019
    SEARCH / REFERENCE DATA IJ14001 IDENTITY EXCLUSION RULES ARE NOT LOADED WHEN THE FILTER CONTAINS A REFERENCE DATA RELATED SEARCH CLOSED Resolved in:
    QRadar 7.3.3 (7.3.3.20191031163225)
    QRadar 7.3.2 Patch 4 (7.3.2.20190803012943)

    It has been identified that the identity exclusion rules are not loaded when the filter contains a reference data related search. For example:
    1. Run a real time search with a filter containing a reference map.
    2. Add that search to the identity exclusion from Admin > Asset Profile Configuration > Manage Identity Exclusion.
    3. Modify the search and add the hasIdentity=true filter then save it to another search.
    4. Add the saved search from step 3 to manage identity exclusion.

      Results
      Events matching the hasIdentity=true filter are not displayed as expected.
    06 December 2019
    GEOGRAPHIC DATA / RULES IJ13413 GEOGRAPHIC RULE TESTS USING 'AND NOT WHEN THE SOURCE IS LOCATED IN OTHER' ARE NOT WORKING AS EXPECTED CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225).

    Workaround: Users can leverage the geographic rule test "and when the source IP is a part of any of the following geographic network locations" as this function works as expected.

    Issue: It has been identified that Rule tests for "and NOT when the source is located in other" matches all events, regardless of whether the Network Hierarchy has the GEO defined for the IP range or not.
    06 December 2019
    VULNERABILITY DETAILS / QRADAR VULNERABILITY MANAGER IJ16571 VULNERABILITY HISTORY LIST DATE ORDERING IS INCORRECT CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225).

    It has been identified that when viewing vulnerability history lists, the ordering by date is incorrect.
    In QRadar 7.3.1 versions an error similar to the following is written to qradar logging when this occurs:
    [tomcat.tomcat] [admin@127.0.0.1 (9556) /console/JSON-RPC/QVM.getVulnerabilityHistoryList QVM.getVulnerabilityHistoryList] com.q1labs.assetprofile.service.ui.UIVulnerabilityService: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Unparseable date: "25 May 2019, 17:05:13"
    [tomcat.tomcat] [admin@127.0.0.1 (9556) /console/JSON-RPC/QVM.getVulnerabilityHistoryList QVM.getVulnerabilityHistoryList] com.q1labs.assetprofile.service.ui.UIVulnerabilityService: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Unparseable date: "25 May 2019, 13:09:37"


    NOTE: In QRadar 7.3.2 versions, the ordering by date is also incorrect, but the error is not present in the QRadar logs.
    06 December 2019
    QRADAR VULNERABILITY MANAGER / VULNERABILITY EXPORT IJ13700 VULNERABILITY SCAN RESULT CSV FILE CAN INCORRECTLY DISPLAY IP ADDRESSES ACROSS MULTIPLE COLUMNS CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225).

    It has been identified that when a scan result is exported from the Vulnerability tab in CSV format, the generated .csv file can sometimes contain IP addresses spread across multiple columns, and the results are incorrect.

    When this occurs, the scan result is not readable.
    06 December 2019
    REPORTS IJ11779 QRADAR VULNERABILITY MANAGER: REPORTRUNNER OUT OF MEMORY CAN OCCUR WHEN RUNNING THE DEFAULT SCAN SUMMARY REPORT CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225).

    It has been identified that a ReportRunner Out of Memory error can sometimes occur when the default Scan Summary Report is run with the default limits configured.
    06 December 2019
    REPORTS IJ12226 FAILED XLS TABLE REPORT WITH "MERGED REGION A1 MUST CONTAIN 2 OR MORE CELLS" MESSAGES IN QRADAR LOGGING CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225).

    It has been identified that when attempting to generate an XLS table report which has no data accumulated for the period it is being generated for (i.e. weekly or monthly), the report fails and generates exception messages in QRadar logging. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [report_runner] [main] com.q1labs.reporting.ReportServices: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]REPORT [WEEKLY#^#abc#$#09095b15-f5a3-486f-a7d7-15b57513fb3e#^#1543212114517]: An error was encountered rendering the XLS version of the report [WEEKLY#^#abc#$#09095b15-f5a3-486f-a7d7-15b57513fb3e#^#1543212114517].java.lang.IllegalArgumentException: Merged region A1 must contain 2 or more cells
    [report_runner] [main] com.q1labs.reporting.ReportServices: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Unable to send report "09095b15-f5a3-486f-a7d7-15b57513fb3e" to test@email.com
    [report_runner] [main] com.q1labs.frameworks.exceptions.FrameworksException: Unable to send mail message to: [test@email.com]
    [report_runner] [main] at com.q1labs.frameworks.util.SMTPMail.send(SMTPMail.java)
    [report_runner] [main] at com.q1labs.frameworks.util.SMTPMail.send(SMTPMail.java)
    [report_runner] [main] at com.q1labs.frameworks.util.SMTPMail.sendMessage(SMTPMail.java)
    [report_runner] [main] at com.q1labs.reporting.Report.sendMail(Report.java)
    [report_runner] [main] at com.q1labs.reporting.Report.process(Report.java)
    [report_runner] [main] at com.q1labs.reporting.ReportRunner.main(ReportRunner.java)
    [report_runner] [main] Caused by:
    [report_runner] [main] javax.mail.MessagingException: IOException while sending message;
      nested exception is:
        java.io.FileNotFoundException: /store/tmp/reporting/WEEKLY#^#abc#$#09095b15-f5a3-486f-a7d7-15b57513fb3e#^#1543212114517/XLS/09095b15-f5a3-486f-a7d7-15b57513fb3e.xls (No such file or directory)
    [report_runner] [main] at com.sun.mail.smtp.SMTPTransport.sendMessage(SMTPTransport.java)
    [report_runner] [main] at com.q1labs.frameworks.util.SMTPMail.send(SMTPMail.java)
    [report_runner] [main] ... 5 more
    [report_runner] [main] com.q1labs.reporting.ReportServices: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]REPORT [WEEKLY#^#abc#$#09095b15-f5a3-486f-a7d7-15b57513fb3e#^#1543212114517]: Report Exception: abc#$#09095b15-f5a3-486f-a7d7-15b57513fb3e.xml
    [report_runner] [main] java.lang.RuntimeException: REPORT [WEEKLY#^#abc#$#09095b15-f5a3-486f-a7d7-15b57513fb3e#^#1543212114517]: Failed to generate report version.
    [report_runner] [main] at com.q1labs.reporting.Report.process(Report.java)
    [report_runner] [main] at com.q1labs.reporting.ReportRunner.main(ReportRunner.java)
    [report_runner] [main] com.q1labs.reporting.ReportRunner: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Run report "abc#$#09095b15-f5a3-486f-a7d7-15b57513fb3e" Error
    [report_runner] [main] java.lang.RuntimeException: REPORT [WEEKLY#^#abc#$#09095b15-f5a3-486f-a7d7-15b57513fb3e#^#1543212114517]: Failed to run using template [abc#$#09095b15-f5a3-486f-a7d7-15b57513fb3e.xml]
    [report_runner] [main] at com.q1labs.reporting.Report.process(Report.java)
    [report_runner] [main] at com.q1labs.reporting.ReportRunner.main(ReportRunner.java)
    [report_runner] [main] Caused by:
    [report_runner] [main] java.lang.RuntimeException: REPORT [WEEKLY#^#abc#$#09095b15-f5a3-486f-a7d7-15b57513fb3e#^#1543212114517]: Failed to generate report version.
    [report_runner] [main] at com.q1labs.reporting.Report.process(Report.java)
    [report_runner] [main] ... 1 more
    [report_runner] [main] com.q1labs.reporting.ReportRunner: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Error initializing ReportRunner
    [report_runner] [main] java.lang.Throwable: java.lang.RuntimeException: REPORT [WEEKLY#^#abc#$#09095b15-f5a3-486f-a7d7-15b57513fb3e#^#1543212114517]: Failed to run using template [abc#$#09095b15-f5a3-486f-a7d7-15b57513fb3e.xml]
    [report_runner] [main] at com.q1labs.reporting.ReportRunner.main(ReportRunner.java)
    [report_runner] [main] Caused by:
    [report_runner] [main] java.lang.RuntimeException: REPORT [WEEKLY#^#abc#$#09095b15-f5a3-486f-a7d7-15b57513fb3e#^#1543212114517]: Failed to run using template [abc#$#09095b15-f5a3-486f-a7d7-15b57513fb3e.xml]
    [report_runner] [main] at com.q1labs.reporting.Report.process(Report.java)
    [report_runner] [main] at com.q1labs.reporting.ReportRunner.main(ReportRunner.java)
    [report_runner] [main] Caused by:
    [report_runner] [main] java.lang.RuntimeException: REPORT [WEEKLY#^#abc#$#09095b15-f5a3-486f-a7d7-15b57513fb3e#^#1543212114517]: Failed to generate report version.
    06 December 2019
    LOG ACTIVITY IJ15905 USING THE 'UPDATE' BUTTON ON A LOG ACTIVITY SEARCH PAGE THE DAY OF A DST (TIME) CHANGE MOVES THE START/END TIME ONE HOUR CLOSED Resolved in:
    QRadar 7.3.3 (7.3.3.20191031163225)
    QRadar 7.3.2 Patch 4 (7.3.2.20190803012943)
    QRadar 7.3.1 Patch 8 IF03 (7.3.1.20190612151858)


    Workaround: Edit the search Start/End times to adjust for the one hour change made by clicking the update button.

    Issue: It has been observed that when the 'Update' button is clicked on a Log Activity search on the day that a DST change has occurred, the 'Start Time' and 'End Time' can shift by one hour.
    06 December 2019
    PERFORMANCE / CUSTOM PROPERTIES IJ11734 SOME SPECIFIC ARIEL CUSTOM EVENT PROPERTIES INDEXING CAN CAUSE ARIEL INDEXING AND RULE EVALUATION DEGRADATION CLOSED Resolved in:
    QRadar 7.3.3 (7.3.3.20191031163225)
    QRadar 7.3.2 Patch 5 (7.3.2.20191022133252)

    It has been identified that some Custom Event Properties (CEPs) indexing functions within QRadar can cause extra CPU overhead during Ariel Indexing and rule evaluation. When this occurs, QRadar performance degradation can sometimes be observed causing events to be routed directly to storage.
    06 December 2019
    SYSTEM NOTIFICATIONS / QRADAR VULNERABILITY MANAGER IJ10950 SYSTEM NOTIFICATION 'UNABLE TO DETERMINE ASSOCIATED LOG SOURCE' CREATED FOR SOME INFORMATIONAL VULNERABILITY EVENTS CLOSED Resolved in:
    QRadar 7.3.3 (7.3.3.20191031163225)
    QRadar 7.3.2 Patch 4 (7.3.2.20190803012943)

    It has been identified that some Vulnerability Manager information events are not parsed correctly by QRadar. The information events are similar to the following:
    Message: Oct 10 10:09:28 127.0.0.1 [[type=com.eventgnosis.system.ThreadedEventProcessor][parent={hostname} : e cs-ec/EC/TrafficAnalysis1/TrafficAnalysis]] com.q1labs.semsources.filters.trafficanalysis.TrafficAnalysisFilter: [WARN][127.0.0.1/- -] [-/- -]Unable to determine associated log source for IP address {IP_ADDR}. Unable to automatically detect the associated log source for IP address.
    Messages similar to the following might be visible in /var/log/qradar.log when this issue is occurring:
    [qvmprocessor.qvmprocessor] [main] com.q1labs.qvm.workflow.util.DecryptPropertyConfigurer: [INFO] Loading properties file from URL [file:/opt/qradar/conf/frameworks.properties]
    [qvmprocessor.qvmprocessor] [main] com.q1labs.qvm.workflow.util.DecryptPropertyConfigurer: [INFO] Loading properties file from URL [file:/opt/qradar/conf/qvmprocessor.properties]
    [qvmprocessor.qvmprocessor] [main] com.q1labs.qvm.workflow.util.DecryptPropertyConfigurer: [INFO] Loading properties file from URL [file:/opt/qvm/console/conf/qvmkeystore.properties]
    [qvmprocessor.qvmprocessor] [main] com.q1labs.qvm.workflow.util.DecryptPropertyConfigurer: [INFO] Loading properties file from URL [file:/opt/qvm/db/conf/qvmdb.properties]
    [qvmprocessor.qvmprocessor] [main] com.q1labs.qvm.workflow.util.DecryptPropertyConfigurer: [INFO] Loading properties file from URL [file:/opt/qradar/conf/nva.conf]
    [qvmprocessor.qvmprocessor] [main] com.q1labs.qvm.workflow.util.DecryptPropertyConfigurer: [INFO] Loading properties file from URL [file:/opt/qradar/conf/nva.hostcontext.conf]
    [qvmprocessor.qvmprocessor] [main] com.q1labs.qvm.workflow.util.DecryptPropertyConfigurer: [INFO] Loading properties file from URL [file:/opt/qradar/conf/qvmhostedscanner.properties]
    [qvmprocessor.qvmprocessor] [main] com.q1labs.qvm.workflow.util.DecryptPropertyConfigurer: [INFO] Loading properties file from URL [file:/opt/qradar/conf/qvmscanner.properties]
    08 December 2019
    API IJ10417 QRADAR VULNERABILITY MANAGER: API DOES NOT FACTOR RISK SCORE FOR RETURNED RESULTS CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225)

    It has been identified that when executing saved_searches against the QVM vuln_instances API that contain the risk score search parameter, the results ignore what is set for this parameter. For example:

    If the risk score is set for greater than or equal to 7, results with risk scores less than 7 are returned when using the QVM API.
    06 December 2019
    CONNECTIONS IJ09314 QRADAR RISK MANAGER: '[REPORTING THREAD - SIMEVENT/SIMARC BUNDLE1]...PROFILER DROPPED XXXX EVENTS' MESSAGES IN QRADAR LOGGING CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225)

    It has been identified that in some instances the QRadar Risk Manager arc builder thread/queue that processes events does not remove events from the queue quickly enough to prevent the queue from filling up. Messages similar to the following are generated in /var/log/qradar.log when this issue occurs:
    [Reporting Thread - SimEvent bundle1] com.q1labs.semsources.filters.arc.NetworkModelsServices$SimEventsBundle: [INFO] [NOT:0000006000][Oth.erE.C&EP.29/- -] [-/- -]Profiler stats: timestamp=1527102000000, numRecordsCreated=1418, numFlowsProcessed=0, numNormalizedEventsProcessed=3249953, numNormalizedEventsSeen=3252830, numFlowsSeen=0, numEventsDropped=23376
    [Reporting Thread - SimEvent bundle1] com.q1labs.semsources.filters.arc.NetworkModelsServices$SimEventsBundle: [WARN] [NOT:0080004102][Oth.erE.C&EP.29/- -] [-/- -]profiler dropped 23376 events in the last profiling interval
    [Ariel Writer#simevent] com.q1labs.ariel.searches.service.io.buffers.SharedBuffers: [INFO] [NOT:0000006000][Oth.erE.C&EP.29/- -] [-/- -]LZ4 segment is set to 16 pages
    [Reporting Thread - SimArc bundle1] com.q1labs.semsources.filters.arc.NetworkModelsServices$ArcsBundle: [INFO] [NOT:0000006000][Oth.erE.C&EP.29/- -] [-/- -]Profiler stats: timestamp=1527102000000, numRecordsCreated=300000, numFlowsProcessed=0, numNormalizedEventsProcessed=981487, numNormalizedEventsSeen=9401352, numFlowsSeen=0, numEventsDropped=23376, numAllowArcsCreated=0, numDenyArcsCreated=300000
    May 23 19:53:57 ::ffff:Oth.erE.C&EP.29 [arc_builder.arc_builder] [Reporting Thread - SimArc bundle1] com.q1labs.semsources.filters.arc.NetworkModelsServices$ArcsBundle: [WARN][Oth.erE.C&EP.29/- -] [-/- -]profiler dropped 23376 events in the last profiling interval
    06 December 2019
    QRADAR OPERATIONS APP IJ17924 INACTIVE REPORT CAN CAUSE A 'NULLPOINTEREXCEPTION' IN QRADAR LOGGING AND QRADAR OPERATIONS APP FAILS TO DISPLAY EPS RATE CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225)

    Workaround: Enable the inactive report identified in the error logs. For example:
    Error calling function com.q1labs.cve.aql.GlobalViewFunction({REPORT_NAME}):
    java.lang.NullPointerException


    Issue: In some instances an inactive report can cause a NullPointerException to be generated in the QRadar logs. When this issue occurs, the IBM QRadar Operations app can fail to display Event Per Second (EPS) data. Messages similar to the following might be visible in /var/log/qradar.log:
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:50872] com.q1labs.frameworks.nio.exceptions.ExtendedRuntimeException: Error calling function com.q1labs.cve.aql.GlobalViewFunction(): java.lang.NullPointerException
    ......
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:50872] java.lang.NullPointerException
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:50872] at com.q1labs.cve.aql.GlobalViewFunction.calculate(GlobalViewFunction.java)
    or
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:50872] java.lang.NullPointerException
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:50872] at
    com.q1labs.cve.aql.GlobalViewFunction.calculate(GlobalViewFunction.java)
    06 December 2019
    ADVANCED SEARCH (AQL) IJ08965 AQL QUERIES CONTAINING ASSET FUNCTIONS CAN FAIL WHEN RUN AGAINST LARGE ASSET MODELS CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225)

    It has been identified that AQL queries containing ASSET functions can fail against large asset models.

    When this occurs, applications such as UBA might display 404 error messages instead of usage data. Queries made on the Log Activity page might show "An error occurred during the search." instead of the intended search results. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [ariel_proxy.ariel_proxy_server] [ariel_query_14:0ebaccb8-e31a-44c3-90f3-5aebffcb19f5] com.q1labs.frameworks.nio.exceptions.ExtendedRuntimeException: GenericAssetFunction function: Error during initialization com.q1labs.core.aql.AssetUserFunction
    [ariel_proxy.ariel_proxy_server] [ariel_query_14:0ebaccb8-e31a-44c3-90f3-5aebffcb19f5]    at com.q1labs.core.aql.GenericAssetFunction.initialize(GenericAssetFunction.java)
    06 December 2019
    DEPLOY CHANGES IJ15811 DEPLOY FULL CONFIGURATION DOES NOT COMPLETE (TIME OUT) WHEN THE FILE HOSTCONTEXT.NODOWNLOAD IS PRESENT CLOSED Resolved in:
    QRadar 7.3.2 Patch 5 (7.3.2.20191022133252).
    QRadar 7.3.3 (7.3.3.20191031163225).

    Workaround: Remove the file /opt/qradar/conf/hostcontext.NODOWNLOAD on any affected Managed Host (or Console) and attempt the Deploy Full Configuration again. For full details, review the support technical note.
    06 December 2019
    PERFORMANCE / NETWORK INTERFACE IJ14133 INCORRECT RX AND TX RING BUFFER SETTINGS CAN CAUSE PERFORMANCE ISSUES ON BOND0 OR BOND1 MANAGEMENT INTERFACES CLOSED Resolved in:
    QRadar 7.3.3 (7.3.3.20191031163225)
    QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

    It has been identified that when bond0 is used for a QRadar management interface or bond1 for a crossover interface, ethtool can incorrectly set the hardware parameters for the NIC driver tx and rx ring buffers on the bond interface instead of on the underlying slave interfaces.
    Because it is the actual slave interfaces that have the hardware parameters set, and because it is possible to bond different NICs (Broadcom, Intel 1 GB, Intel 10Gb, etc.), in some cases the hardware interfaces will fall back to the driver's boot-up default values. Intel NICs can sometimes default to a setting of 256 out of 4096 for both tx and rx ring buffer settings.
    When this situation occurs, SAR Sentinel threshold crossed messages referencing dropped packets, or other performance related issues, can sometimes be observed in QRadar.

    To read more, see this forum discussion.
    08 December 2019
    FLOWS / NETWORK ACTIVITY IJ15473 FLOW SOURCE COLUMN AND FLOW INTERFACE COLUMN CAN DISPLAY 'HOST_NAME' INSTEAD OF THE EXPECTED HOSTNAME CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225)

    It has been identified that Flow Source column and Flow Interface column in the Network Activity tab can display "HOST_NAME" instead of the expected hostname.
    08 December 2019
    UPGRADE IJ03411 POST_INSTALL.SH SCRIPT THAT RUNS DURING THE PATCH PROCESS CAN CAUSE MULTIPLE LOGROTATE FILES TO BE CREATED CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225)

    The post_install.sh script that runs during the QRadar patch updates can sometimes not complete cleanly. When this occurs, two logrotate files can be created (logrotate.orig and logrotate.rej) in the same directory.

    Having multiple logrotate files under /etc/cron.hourly can cause multiple conflicts and race conditions within QRadar.

    Messages similar to the following might be visible in the patches.log file when this issue occurs:

    Sat Dec  9 10:54:38 ADT 2017: [create_nobody_dirs] mkdir -p /store/sentry/db
    Sat Dec  9 10:54:38 ADT 2017: [create_nobody_dirs] chown nobody.nobody /store/sentry/db
    patching file /etc/cron.hourly/logrotate
    Hunk #1 succeeded at 3 with fuzz 1.
    Sat Dec  9 10:54:38 ADT 2017 [post_install.sh]: mkdir -p /tmp
    Sat Dec  9 10:54:38 ADT 2017 [post_install.sh]: mkdir -p /var/log/audit
    Sat Dec  9 10:54:38 ADT 2017 [post_install.sh]: mkdir -p /var/log/dca/old
    08 December 2019
    SCAN RESULTS / QRADAR VULNERABILITY MANAGER IJ02466 'AN ERROR OCCURRED EXECUTING THE QVM SCAN. PLEASE TRY AGAIN LATER' WHEN RUNNING ON DEMAND SCAN CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225)

    It has been identified that when the QVM processor is not running on the Console server, right-clicking an asset and choosing the Run Vulnerability Scan option runs the scan as expected, but an error message similar to the following might be generated in the user interface window: "An Error occurred executing the QVM Scan. Please try again. If this error persists please contact Customer Support."

    Messages similar to the following might also be visible in /var/log/qradar.log when this issue occurs:
    [tomcat] [admin@127.0.0.1 (323) /console/do/assetprofile/QVMScanForm] com.q1labs.assetprofile.bean.action.QVMScanAction: [ERROR][127.0.0.1/- -] [-/- -]An error occured executing QVM On-Demand Scan.
    [tomcat] [admin@127.0.0.1 (323) /console/do/assetprofile/QVMScanForm] com.q1labs.console.qvm.QVMClientException: An error occurred executing operation.
    [tomcat] [admin@127.0.0.1 (323) /console/do/assetprofile/QVMScanForm] at com.q1labs.console.qvm.QVMClientImpl.executeOperation(QVMClientImpl.java)
    [tomcat] [admin@127.0.0.1 (323) /console/do/assetprofile/QVMScanForm] at com.q1labs.sem.ui.semservices.QVMServicesImpl.runOnDemandScan(QVMServicesImpl.java)
    [tomcat] [admin@127.0.0.1 (323) /console/do/assetprofile/QVMScanForm] at com.q1labs.assetprofile.bean.action.QVMScanAction.runOnDemandScan(QVMScanAction.java)
    [tomcat] [admin@127.0.0.1 (323) /console/do/assetprofile/QVMScanForm] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    [tomcat] [admin@127.0.0.1 (323) /console/do/assetprofile/QVMScanForm] at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java)
    [tomcat] [admin@127.0.0.1 (323) /console/do/assetprofile/QVMScanForm] at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java)
    [tomcat] [admin@127.0.0.1 (323) /console/do/assetprofile/QVMScanForm] at java.lang.reflect.Method.invoke(Method.java)
    [tomcat] [admin@127.0.0.1 (323) /console/do/assetprofile/QVMScanForm] at org.apache.struts.actions.DispatchAction.dispatchMethod(DispatchAction.java)
    [tomcat] [admin@127.0.0.1 (323) /console/do/assetprofile/QVMScanForm] at org.apache.struts.actions.DispatchAction.execute(DispatchAction.java)
    [tomcat] [admin@127.0.0.1 (323) /console/do/assetprofile/QVMScanForm] at com.q1labs.uiframeworks.actions.DispatchAction.execute(DispatchAction.java)
    [tomcat] [admin@127.0.0.1 (323) /console/do/assetprofile/QVMScanForm] at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java)
    [tomcat] [admin@127.0.0.1 (323) /console/do/assetprofile/QVMScanForm] at com.q1labs.uiframeworks.action.RequestProcessor.processActionPerform(RequestProcessor.java)
    [tomcat] [admin@127.0.0.1 (323) /console/do/assetprofile/QVMScanForm] at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java)
    [tomcat] [admin@127.0.0.1 (323) /console/do/assetprofile/QVMScanForm] at org.apache.struts.action.ActionServlet.process(ActionServlet.java)
    [tomcat] [admin@127.0.0.1 (323) /console/do/assetprofile/QVMScanForm] at com.q1labs.uiframeworks.action.ActionServlet.process(ActionServlet.java)
    [tomcat] [admin@127.0.0.1 (323) /console/do/assetprofile/QVMScanForm] at org.apache.struts.action.ActionServlet.doPost(ActionServlet.java)
    [tomcat] [admin@127.0.0.1 (323) /console/do/assetprofile/QVMScanForm] at javax.servlet.http.HttpServlet.service(HttpServlet.java)
    [tomcat] [admin@127.0.0.1 (323) /console/do/assetprofile/QVMScanForm] at javax.servlet.http.HttpServlet.service(HttpServlet.java)
    08 December 2019
    BACKUP / RESTORE IJ12106 RESTORING A CONFIGURATION BACKUP DOES NOT RESTORE CUSTOM_FUNCTION TABLES CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225)

    It has been identified that the custom_functions tables are not restored correctly when using a configuration backup on the QRadar Console.
    08 December 2019
    SCAN RESULTS / QRADAR VULNERABILITY MANAGER IV96156 PATCH SCANNING RETURNS SUGGESTION FOR AN AIX PATCH THAT DOES NOT EXIST CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225)

    It has been observed in some instances that QRadar Vulnerability Manager patch scanning can suggest patches for AIX that are not currently available.
    08 December 2019
    SCAN EXCLUSIONS IV93272 QRADAR VULNERABILITY MANAGER: SCAN EXCLUSION PAGE CAN SOMETIMES HANG FOR AN EXTENDED PERIOD OF TIME WHEN ADDING MULTIPLE, LARGE IP RANGES CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225)

    Workaround: Adding one IP range per scan exclusion can help to alleviate the User Interface page unresponsiveness.

    Issue: It has been observed when adding multiple, large IP ranges (example: x.x.x.1-255) to a Scan Exclusion belonging to a Domain containing other scanners, that the Scan Exclusion page can hang (be unresponsive) for an extended period of time.
    08 December 2019
    FORWARDED EVENTS / MANAGED HOST IV84190 EVENT/FLOW FORWARDING USING ENCRYPTED OFFSITE SOURCE AND TARGET CAN NOT BE ACCOMPLISHED SUCCESSFULLY CLOSED Resolved in QRadar 7.3.3 (7.3.3.20191031163225)

    Workaround: Where possible: Do not use the encryption option for offsite source and target event/flow forwarding until this issue is resolved.

    Issue: Forwarding normalized Events and Flows using encrypted offsite source and targets cannot be configured successfully to an event collector on a managed host.

    The initial configuration process succeeds in the User Interface, but the authorized_keys file in /root/.ssh is overwritten without the offsite source keys during the required Deploy Changes function after configuration.
    08 December 2019
    SECURITY BULLETIN CVE-2019-4509 IBM QRadar SIEM is vulnerable to incorrect authorization in some components CLOSED Resolved in QRadar 7.3.2 Patch 5 (7.3.2.20191022133252). 06 November 2019
    SECURITY BULLETIN CVE-2019-9500
    CVE-2019-11810
    CVE-2019-11599
    CVE-2019-7222
    CVE-2019-5489
    CVE-2019-3900
    CVE-2019-3882
    CVE-2019-3460
    CVE-2019-3459
    CVE-2018-18281
    CVE-2018-16885
    CVE-2018-16658
    CVE-2018-15594
    CVE-2018-14734
    CVE-2018-14625
    CVE-2018-13095
    CVE-2018-13094
    CVE-2018-13093
    CVE-2018-13053
    CVE-2018-10853
    CVE-2018-9517
    CVE-2018-9516
    CVE-2018-9363
    CVE-2018-8087
    CVE-2018-7755
    CVE-2019-11811
    CVE-2019-11085
    CVE-2018-16884
    CVE-2018-16871
    CVE-2019-1125
    IBM QRadar SIEM is vulnerable to multiple Kernel vulnerabilities CLOSED Resolved in QRadar 7.3.2 Patch 5 (7.3.2.20191022133252). 06 November 2019
    SECURITY BULLETIN CVE-2017-7656
    CVE-2017-7657
    CVE-2017-7658
    CVE-2018-12536
    IBM QRadar SIEM is vulnerable to Jetty Vulnerabilities CLOSED Resolved in:
    QRadar 7.3.2 Patch 5 (7.3.2.20191022133252)
    QRadar 7.2.8 Patch 17 (7.2.8.20190910154321)
    06 November 2019
    SECURITY BULLETIN CVE-2019-4454 IBM QRadar SIEM is vulnerable to cross site scripting (XSS) CLOSED Resolved in QRadar 7.3.2 Patch 5 (7.3.2.20191022133252). 06 November 2019
    SECURITY BULLETIN CVE-2019-4470 IBM QRadar SIEM is vulnerable to cross site scripting (XSS) CLOSED Resolved in QRadar 7.3.2 Patch 5 (7.3.2.20191022133252). 06 November 2019
    SECURITY BULLETIN CVE-2019-4581 IBM QRadar SIEM is vulnerable to cross site scripting (XSS) CLOSED Resolved in QRadar 7.3.2 Patch 5 (7.3.2.20191022133252). 05 November 2019
    SECURITY BULLETIN CVE-2019-10088
    CVE-2019-10093
    CVE-2019-10094
    Apache Tika as used by IBM QRadar SIEM is vulnerable to denial of service CLOSED Resolved in QRadar 7.3.2 Patch 5 (7.3.2.20191022133252). 06 November 2019
    SECURITY BULLETIN CVE-2018-12126
    CVE-2018-12127
    CVE-2018-12130
    CVE-2019-11091
    IBM QRadar SIEM is vulnerable to Intel Microarchitectural Data Sampling (MDS) Vulnerabilities CLOSED Resolved in:
    QRadar 7.3.2 Patch 5 (7.3.2.20191022133252)
    QRadar 7.2.8 Patch 17 (7.2.8.20190910154321)
    06 November 2019
    SECURITY BULLETIN CVE-2019-10173 XStream as used by IBM QRadar SIEM is vulnerable to OS command injection CLOSED Resolved in QRadar 7.3.2 Patch 5 (7.3.2.20191022133252). 20 November 2019
    REPORTS IJ18488 REPORT DOES NOT CHART THE TOP 5 DESTINATION PORTS FOR TIME VS COUNT CLOSED Resolved in:
    QRadar 7.3.2 Patch 5 (7.3.2.20191022133252).
    QRadar 7.3.3 (7.3.3.20191031163225).

    It has been identified that Reports do not chart the top 5 destination ports for Time vs Count as expected. The chart is generated, but it charts 5 destination ports at random instead of the expected top 5 destination ports by Time vs Count.

    Note: Running the Saved Search on which the report is based returns the proper results, ordered by top 5 destination ports (by count).
    05 November 2019
    MANAGED HOSTS IJ10406 ATTEMPTING TO RE-ADD A MANAGED HOST (MH) THAT ORIGINALLY FAILED TO ADD DUE TO TIMEOUT CAN LEAVE THE MH IN A STUCK STATE CLOSED Resolved in:
    QRadar 7.3.2 Patch 5 (7.3.2.20191022133252).
    QRadar 7.3.3 (7.3.3.20191031163225).

    It has been identified that when a Managed Host fails to add due to timeout, re-attempting to add it again can fail and cause the Managed Host to be in a stuck state, unable to successfully add to the deployment. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [tomcat.tomcat] [IPADDRESS] com.q1labs.configservices.capabilities.CapabilitiesHandler:
    [ERROR][IPADDRESS/- -] [-/- -]Failed to inject deployment model for appliance type 1599
    [tomcat.tomcat] [127.0.0.1] com.q1labs.configservices.common.ConfigServicesException: Failed to inject deployment [default]. Managed host IPADDRESS already exists in deployment model[default].
    [tomcat.tomcat] [127.0.0.1] at com.q1labs.configservices.schemaext.DeploymentExtension.injectDeploymentModel(DeploymentExtension.java:1320)
    05 November 2019
    APPLICATION FRAMEWORK IJ20143 DOCKER IPTABLES CAN GROW UNEXPECTEDLY IN SIZE WHEN APPS ARE INSTALLED/MIGRATED/REMOVED CAUSING DEPLOYS TO FAIL CLOSED Resolved in:
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 (7.3.3.20191031163225)
    QRadar 7.3.2 Patch 5 (7.3.2.20191022133252)

    It has been identified that /etc/docker/docker_iptables.sh can grow in size unexpectedly when QRadar Apps are installed/migrated/removed. Performing QRadar Deploy functions can sometimes fail when this issue is occurring.
    05 November 2019
    UPGRADE / PRETEST IJ16960 THE QRADAR PATCH PRETEST FAILS WHEN A BACKUP IS IN 'MISSING' STATE IN THE DATABASE CLOSED Resolved in:
    QRadar 7.3.3 (7.3.3.20191031163225)
    QRadar 7.3.2 Patch 5 (7.3.2.20191022133252)

    It has been identified that the QRadar patch pretest fails when a backup is in 'MISSING' state in the database.
    05 November 2019
    UPGRADE / INSTALL IJ16041 QRADAR INSTALLATION HANGS WHEN USING COMPRESSED IPV6 ADDRESS CLOSED Resolved in:
    QRadar 7.3.3 (7.3.3.20191031163225)
    QRadar 7.3.2 Patch 5 (7.3.2.20191022133252)

    It has been identified that when using compressed IPv6 on a QRadar installation, the installation hangs during the local CA generation.
    05 November 2019
    GEOGRAPHIC DATA IJ11947 GEOGRAPHIC LOCATION IS USING IPV4 ADDRESS WHEN CONFIGURED IN RULES INSTEAD OF THE IPV6 ADDRESS CLOSED Resolved in:
    QRadar 7.3.3 (7.3.3.20191031163225)
    QRadar 7.3.2 Patch 5 (7.3.2.20191022133252)

    It has been identified that only IPv4 addresses are queried for source/destination geographic location in NormalizedEventProperties.java. This can cause QRadar to use the geographic location of an IPv4 address in rules instead of the expected location of the IPv6 source address.

    For example:
    1. Have events that are sending logs containing both a source IP and source IPv6 address, and the source IP having different country as the source IPv6.
    2. Create a search, adding source geographic location column.
    3. The source geographic location should be taking source IPv6 address's country by default, but it takes the source IP's country instead.
    05 November 2019
    HIGH AVAILABILITY (HA) / PORT SCAN IJ14440 'EXCEPTION NOT HANDLED. UNDEFINED BEHAVIOR' MESSAGE IN LOGGING ON QRADAR HIGH AVAILABILITY APPLIANCES CLOSED Resolved in:
    QRadar 7.3.2 Patch 5 (7.3.2.20191022133252).
    QRadar 7.3.3 (7.3.3.20191031163225).

    It has been identified that messages similar to the following might be visible in /var/log/qradar.log on High Availability (HA) appliances when a Qualys scanner is configured to target a wide range of ports, including port 10101:
    [ha_manager] [NIOServer:10101] com.q1labs.ha.manager.nio.NIOServer: [WARN][/- -] [-/- -]read socket Socket[addr=/QUALYS_SCANNER,port=57459,localport=10101] returns -1
    [ha_manager] [HeartbeatWorkerThread] com.q1labs.ha.manager.HAManager: [FATAL] [/- -] [-/- -]Exception not handled. Undefined behavior
    [ha_manager] [HeartbeatWorkerThread] com.q1labs.ha.manager.protocol.ProtocolException: Unknown protocol version -128.49
    05 November 2019
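The IJ14440 entry above describes a scanner connecting to the HA heartbeat listener on TCP/10101 and the ha_manager warnings that result. The following is an added example, not QRadar code or anything published with the APAR: it runs the same triage over qradar.log text, reporting which remote addresses hit the heartbeat port without being the configured HA peer and whether the HAManager FATAL marker appeared. The log layout is taken from the excerpt; the HA peer list, the sample lines and the 10.0.0.99 scanner address are constructed assumptions.

```python
import re
from collections import Counter

# Added example, not QRadar code. It scans qradar.log lines for the ha_manager
# NIOServer warning quoted in the IJ14440 entry and reports which remote addresses
# are connecting to the HA heartbeat listener on TCP/10101 without being the
# configured HA peer: a vulnerability scanner sweeping that port looks exactly
# like this. The log layout follows the APAR excerpt; the peer list is an
# assumption you supply from your own deployment.
_SOCK_RE = re.compile(
    r"\[ha_manager\] \[NIOServer:10101\] .*?read socket "
    r"Socket\[addr=/(?P<addr>[^,\]]+),port=(?P<port>\d+),localport=10101\] returns -1"
)
_FATAL_MARKER = "com.q1labs.ha.manager.HAManager: [FATAL]"
_PROTO_RE = re.compile(r"ProtocolException: Unknown protocol version (?P<ver>\S+)")


def unexpected_ha_clients(log_lines, ha_peers):
    """Return {remote_addr: hit_count} for every address that produced the
    'returns -1' warning on port 10101 and is not a known HA peer."""
    peers = set(ha_peers)
    counts = Counter()
    for line in log_lines:
        m = _SOCK_RE.search(line)
        if m and m.group("addr") not in peers:
            counts[m.group("addr")] += 1
    return dict(counts)


def unhandled_protocol_versions(log_lines):
    """Return the bogus protocol versions HAManager choked on, in order of appearance."""
    return [m.group("ver") for m in map(_PROTO_RE.search, log_lines) if m]


def has_unhandled_exception(log_lines):
    """True if the HAManager FATAL 'Exception not handled' record is present."""
    return any(_FATAL_MARKER in line and "Exception not handled" in line for line in log_lines)


def triage(log_lines, ha_peers):
    """One-shot summary a responder can act on."""
    return {
        "unexpected_clients": unexpected_ha_clients(log_lines, ha_peers),
        "ha_manager_fatal": has_unhandled_exception(log_lines),
        "bad_protocol_versions": unhandled_protocol_versions(log_lines),
    }


# Constructed sample lines (the APAR excerpt wraps one record across several
# lines; each record here is a single line, with 10.0.0.99 standing in for the
# scanner and 10.0.0.2 for the legitimate HA peer):
SAMPLE_LOG = [
    "[ha_manager] [NIOServer:10101] com.q1labs.ha.manager.nio.NIOServer: [WARN][/- -] [-/- -]read socket Socket[addr=/10.0.0.99,port=57459,localport=10101] returns -1",
    "[ha_manager] [NIOServer:10101] com.q1labs.ha.manager.nio.NIOServer: [WARN][/- -] [-/- -]read socket Socket[addr=/10.0.0.99,port=57460,localport=10101] returns -1",
    "[ha_manager] [NIOServer:10101] com.q1labs.ha.manager.nio.NIOServer: [WARN][/- -] [-/- -]read socket Socket[addr=/10.0.0.2,port=40001,localport=10101] returns -1",
    "[ha_manager] [HeartbeatWorkerThread] com.q1labs.ha.manager.HAManager: [FATAL] [/- -] [-/- -]Exception not handled. Undefined behavior",
    "[ha_manager] [HeartbeatWorkerThread] com.q1labs.ha.manager.protocol.ProtocolException: Unknown protocol version -128.49",
]

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, ha_peers=["10.0.0.2"]))
```

Feed it `open("/var/log/qradar.log")` and the IP of the HA secondary; any address in `unexpected_clients` is something other than your peer talking to the heartbeat port and belongs on the scanner's exclusion list until the fix is applied.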
    RULES / LOG SOURCE IJ15665 DEVICE (+TYPE +GROUP) STOPPED SENDING EVENTS RULE TEST IS NO LONGER FIRING THE PROPER 'DEVICE STOPPED SENDING EVENTS' EVENT CLOSED Resolved in:
    QRadar 7.3.3 (7.3.3.20191031163225)
    QRadar 7.3.2 Patch 5 (7.3.2.20191022133252)

    It has been identified that QRadar is sometimes not generating the proper 'device stopped sending events' event when the rule test fires (QID 38750074). A new event is generated if the "new event" response is selected, but it does not contain any identifiable information about the log source that stopped sending.
    05 November 2019
    OFFENSES / DOMAIN MANAGEMENT IJ16738 USERS ASSIGNED TO A DOMAIN DO NOT HAVE ACCESS TO OFFENSES WHERE THE TARGET IS FROM THE NETWORK "OTHER" CLOSED Resolved in:
    QRadar 7.3.3 (7.3.3.20191031163225)
    QRadar 7.3.2 Patch 5 (7.3.2.20191022133252)

    It has been identified that when a user is assigned to a Domain, that user cannot view an Offense where the target is from the Network "Other".
    05 November 2019
    SCAN PROFILE / QRADAR VULNERABILITY MANAGER IJ17416 SCAN PROFILES WHICH USE PUBLIC KEY AUTHENTICATION DO NOT WORK CORRECTLY AFTER UPGRADING TO QRADAR VULNERABILITY MANAGER (QVM) 7.3.2 CLOSED Resolved in:
    QRadar 7.3.3 (7.3.3.20191031163225)
    QRadar 7.3.2 Patch 5 (7.3.2.20191022133252)

    Workaround: Edit the Scan Profiles to remove the credentials, then add new credentials containing only a user name.

    Issue: It has been identified that Scan Profiles which use public key authentication do not work correctly after upgrading to QRadar 7.3.2. The upgrade results in an invalid password being added to the Scan Profiles, resulting in authentication failures during a scan.

    When this occurs, variances in scan results prior and post application of QRadar 7.3.2 can be observed.
    05 November 2019
    DEPLOY CHANGES IJ18582 'UNABLE TO DEPLOY CHANGES, COULD NOT RETRIEVE UNDEPLOYED CHANGE LIST -- THE REQUEST TIMED OUT.' CLOSED Resolved in:
    QRadar 7.3.3 (7.3.3.20191031163225)
    QRadar 7.3.2 Patch 5 (7.3.2.20191022133252)

    It has been identified that in some instances, QRadar Vulnerability Manager .rpm files contained within an AutoUpdate installation can take longer than expected to install and generate messages in the QRadar User Interface similar to:

    "Unable to deploy changes, Could not retrieve undeployed change list -- the request timed out."
    05 November 2019
    OFFENSES / USER AUTHENTICATION (LDAP) IJ17323 QRADAR USERS (LDAP) CREATED WITH INVALID CHARACTERS CANNOT ASSIGN OR CLOSE OFFENSES CLOSED Resolved in:
    QRadar 7.3.3 (7.3.3.20191031163225)
    QRadar 7.3.2 Patch 5 (7.3.2.20191022133252)

    It has been identified that QRadar users (LDAP) created with invalid characters cannot assign or close Offenses. Invalid characters are defined by the following regular expression (Java syntax; the trailing -[ ] subtracts the ASCII space from the class, so plain spaces are allowed while tab, newline, form feed, carriage return and the other Unicode separator characters are not):
    [\t\n\f\r\p{Z}-[ ]]

    A message similar to the following is generated in the QRadar User Interface:
    Application error
    An error has occurred. Return and attempt the action again. If the problem persists, please contact customer support for assistance.


    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs: [tomcat.tomcat] [admin@127.0.0.1 (1286) /console/do/sem/properties] java.lang.IllegalArgumentException: userName is not a valid user or authorized service: user@domain
    05 November 2019
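The IJ17323 entry above defines the offending characters with a Java character class. The following is an added example, not QRadar code: it implements that same class in Python so that LDAP user names can be audited before they are created in QRadar, or so the accounts that cannot assign or close offenses can be found. Python's re module has neither \p{Z} nor set subtraction, so the check is written against unicodedata categories; the sample user names are constructed.

```python
import unicodedata

# Added example, not QRadar code. It reproduces the character class quoted in the
# IJ17323 entry, [\t\n\f\r\p{Z}-[ ]] in Java regex syntax: tab, LF, FF, CR, or any
# character in the Unicode separator categories (Zs, Zl, Zp) other than the plain
# ASCII space, which the set subtraction "-[ ]" removes from the class.
_ASCII_CONTROLS = frozenset("\t\n\f\r")


def invalid_username_chars(username: str):
    """Return [(offset, 'U+XXXX', category), ...] for every character the APAR's
    expression would match, in order of appearance; an empty list means the name is fine."""
    hits = []
    for offset, ch in enumerate(username):
        category = unicodedata.category(ch)
        if ch in _ASCII_CONTROLS or (category.startswith("Z") and ch != " "):
            hits.append((offset, "U+%04X" % ord(ch), category))
    return hits


def is_valid_username(username: str) -> bool:
    return not invalid_username_chars(username)


def audit_usernames(usernames):
    """Map every offending name to its findings; names that pass are omitted."""
    return {name: invalid_username_chars(name)
            for name in usernames if not is_valid_username(name)}


if __name__ == "__main__":
    # Constructed sample of directory user names, not real data. The no-break space
    # (U+00A0) and line separator (U+2028) are the kind of characters that survive
    # copy/paste from a directory tool and are invisible in the QRadar user list.
    sample = ["user@domain", "first last", "jdoe\u00a0", "ops\tadmin", "line\u2028sep"]
    for name, findings in audit_usernames(sample).items():
        print(repr(name), findings)
```

Run it over an export of the LDAP accounts you intend to map into QRadar; a non-empty result for a name tells you both where the character sits and what it is, which a visual check of the user list will not.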
    REPORTS IJ17229 SHORT REPORTS CONFIGURED WITH LINE OR BAR CHARTS CAN FAIL TO GENERATE WITH AN SQL EXCEPTION WRITTEN TO QRADAR LOGGING CLOSED Resolved in:
    QRadar 7.3.3 (7.3.3.20191031163225)
    QRadar 7.3.2 Patch 5 (7.3.2.20191022133252)

    It has been identified that short reports (hourly or manual reports that are run on raw data) return errors when executing and fail to generate when configured to use line or bar graphs. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:

    [report_runner] [main] com.q1labs.reporting.ReportServices: [ERROR][-/- -]Error generating SQL chart
    [report_runner] [main] java.lang.RuntimeException: Error generating SQL chart
    [report_runner] [main] at com.q1labs.dal.charts.SQLChart.getChartData(SQLChart.java)
    [report_runner] [main] at com.q1labs.dal.charts.AbstractChart.createChart(AbstractChart.java)
    [report_runner] [main] at com.q1labs.dal.charts.SQLChart.<init>(SQLChart.java)
    [report_runner] [main] at com.q1labs.dal.charts.SQLChart.<init>(SQLChart.java)
    [report_runner] [main] at com.q1labs.reporting.charts.ArielChart.processResultSet(ArielChart.java)
    [report_runner] [main] at com.q1labs.reporting.charts.ArielChart.getData(ArielChart.java)
    [report_runner] [main] at com.q1labs.reporting.Chart.getXML(Chart.java)
    [report_runner] [main] at com.q1labs.reporting.Report.createData(Report.java)
    [report_runner] [main] at com.q1labs.reporting.Report.process(Report.java)
    [report_runner] [main] at com.q1labs.reporting.ReportRunner.main(ReportRunner.java)
    [report_runner] [main] Caused by:
    [report_runner] [main] java.sql.SQLException: Unable get Long value for [com.q1labs.core.dao.util.Host]
    [report_runner] [main] at com.q1labs.cve.resultset.CVEResultSet.getLong(CVEResultSet.java)
    [report_runner] [main] at com.q1labs.cve.resultset.CVEResultSet.getLong(CVEResultSet.java)
    [report_runner] [main] at com.q1labs.dal.charts.SQLChart.getChartDataForTimeSeries(SQLChart.java)
    [report_runner] [main] at com.q1labs.dal.charts.SQLChart.getChartData(SQLChart.java:293)
    [report_runner] [main] ... 9 more
    05 November 2019
    REPORTS IJ17199 REPORT Y-AXIS VALUE PLOTTED CAN BE PULLED FROM DIFFERENT COLUMN THAN WHAT WAS CONFIGURED FOR THE REPORT CLOSED Resolved in:
    QRadar 7.3.3 (7.3.3.20191031163225)
    QRadar 7.3.2 Patch 5 (7.3.2.20191022133252)

    It has been identified that QRadar plots the 2nd column of a saved search result as the Y-axis interval in the bar chart of a report regardless of the parameter selected. To confirm or replicate this issue:

    Create a search
    1. Create a search Group By: Username.
    2. Run the search for last hour and confirm barchart Y-Axis uses the Count value.
    3. Save the search as Test2.
    4. Create an hourly report with top and bottom sections.
    5. Create a report with two containers for graph data.

    For the top chart container:
    1. Chart Type: Event/Logs
    2. Use saved search Test2
    3. Graph Type: Bar
    4. Horizontal (X) Axis: Username
    5. Vertical (Y) Axis: Count

    For the bottom chart container:
    1. Use saved search Test2
    2. Graph Type: Table

    Results
    Expected: The Y-Axis uses the values 'Count'
    Actual: Y-Axis incorrectly uses the 'Event Name (Unique Count)'
    05 November 2019
    LOG MESSAGES IJ15784 'NO JSESSIONID PASSED WITH COOKIE' MESSAGES IN QRADAR LOGS CLOSED Resolved in:
    QRadar 7.3.3 (7.3.3.20191031163225)
    QRadar 7.3.2 Patch 5 (7.3.2.20191022133252)

    It has been identified that repeated messages similar to the following might be visible in /var/log/qradar.error and qradar.log:
    [hostcontext.hostcontext] [ConfigChangeObserver Timer[1]] com.q1labs.core.shared.jsonrpc.RPC: [WARN][127.0.0.1/- -] [-/- -]No JSESSIONID passed with cookie.
    [ecs-ec.ecs-ec] [LastEventSeenProcessor] com.q1labs.core.shared.jsonrpc.RPC: [WARN] [127.0.0.1/- -] [-/- -]No JSESSIONID passed with cookie.
    05 November 2019
    SYSLOG REDIRECT PROTOCOL IJ03249 AUTODISCOVERED LOG SOURCES CREATED BY SYSLOG REDIRECT CAN HAVE INCORRECT LOG SOURCE IDENTIFIERS OPEN: Reported in PROTOCOL-SyslogRedirect-7.2-20170426083458. No workaround available.

    It has been identified that autodiscovered Log Sources created using the Syslog Redirect Protocol, can have incorrect Log Source Identifiers listed due to a regex issue used within the Protocol.

    This issue is to be corrected in a future release of the SyslogRedirect Protocol.
    28 March 2018
    IPv6 / UNIVERSAL DSM / OFFENSES IJ11715 OFFENSES CAN STOP GENERATING WITH 'FAILED TO CREATE/READ OFFENSE DEVICE FOR ID : 0' EXCEPTION MESSAGE IN LOGS OPEN: Reported in QRadar 7.3.1 Patch 6. When offenses stop being generated because of this specific issue, performing a Soft Clean of the SIM model can correct the behavior. See the following for more information on performing a Soft Clean of the SIM model: https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.1/com.ibm.qradar.doc/t_tuning_guide_tuning_cleaning_sim_model.html

    It has been identified that offenses can stop being generated due to the QRadar GenericDSM parsing process not handling IPv6 addresses correctly when setting host source address. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000186609] com.q1labs.sem.magi.contrib.commands.offense.OffenseDeviceCreateCommand: [ERROR] [-/- -]Failed to create/read offense device for id: 0
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000186609] com.q1labs.sem.magi.contrib.ModelPersister: [WARN] [-/- -]Exception encounted when executing transaction 186609.
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000186609] java.lang.NullPointerException
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000186609]  at com.q1labs.sem.magi.contrib.ModelPersister.flushDirtyLightDAOBatchUpdate(ModelPersister.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000186609]  at com.q1labs.sem.magi.contrib.ModelPersister.flushDirtyOffenseKeys(ModelPersister.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000186609]  at com.q1labs.sem.magi.contrib.ModelPersister.persistDirtyModel(ModelPersister.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000186609]  at com.q1labs.sem.magi.contrib.ModelPersister.process(ModelPersister.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000186609]  at com.q1labs.sem.magi.contrib.ModelPersister.processCurrentTransaction(ModelPersister.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000186609]  at com.q1labs.sem.magi.contrib.ModelPersister.processCommands(ModelPersister.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000186609]  at com.q1labs.sem.magi.contrib.ModelPersister.process(ModelPersister.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000186609]  at com.q1labs.sem.magi.contrib.TxStateManager.playCurrent(TxStateManager.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000186609]  at com.q1labs.sem.magi.contrib.ModelPersister$Persister.playCurrent(ModelPersister.java)
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000186609]  at com.q1labs.sem.magi.contrib.ModelPersister$Persister.run(ModelPersister.java)
    03 December 2018
    DASHBOARD IJ12103 STAT FILTER INTERVAL PEAK VALUES CAN BE INCORRECT CAUSING INACCURATE EPS TO BE REPORTED CLOSED Resolved in QRadar Baseline Maintenance extension v1.0.5 or later.

    Administrators can review the official documentation for a change list of updates related to the Baseline Maintenance Content Extension.

    Issue: It has been identified that Stat Filter data values can sometimes be inaccurate on interval peak value. When this occurs, EPS values reported in QRadar can be incorrect or inconsistent with actual event counts.
    26 August 2019
    DASHBOARD IJ17440 STATFILTER EVENTS PER SECOND (EPS) REPORTING CAN VARY IN ACCURACY OPEN: Reported in QRadar 7.2.8. No workaround available.

    Issue: It has been identified that, due to the way StatFilter calculates Events Per Second (EPS), variances in the performance of the appliance it is running on can cause differences in the accuracy of the EPS metrics that are calculated and reported.
    05 July 2019
    MANAGED HOST IJ07896 CONFIGSERVICES PASSWORD CONTAINING MULTI-BYTE CHARACTERS CAUSES ‘ADD HOST’ PROCESS TO FAIL CLOSED Resolved in QRadar 7.3.2 (7.3.2.20190201201121)

    It has been identified that the Add Host process (Admin > System and License Management > Deployment Actions > Add Host) fails when the configservices password (used internally by QRadar) has been changed to include multi-byte characters. Messages similar to the following might be visible in /var/log/qradar.error when attempting to add a Managed Host to the QRadar deployment in this state:
    [hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] com.q1labs.configservices.capabilities.AddHost: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Add host failed trying to add
    [hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] java.lang.ArrayIndexOutOfBoundsException
    [hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at javax.xml.bind.DatatypeConverterImpl.guessLength(DatatypeConverterImpl.java)
    [hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at javax.xml.bind.DatatypeConverterImpl._parseBase64Binary(DatatypeConverterImpl.java)
    [hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at javax.xml.bind.DatatypeConverterImpl.parseBase64Binary(DatatypeConverterImpl.java)
    [hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at javax.xml.bind.DatatypeConverter.parseBase64Binary(DatatypeConverter.java)
    [hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at com.ibm.si.mks.KeyStoreCrypto.decrypt(KeyStoreCrypto.java)
    [hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at com.ibm.si.mks.Crypto.decrypt(Crypto.java)
    [hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at com.q1labs.frameworks.crypto.CryptoUtils.decrypt(CryptoUtils.java)
    [hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at com.q1labs.frameworks.core.FrameworksContext.decrypt(FrameworksContext.java)
    [hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at com.q1labs.configservices.capabilities.AddHost.getPresenceCommand(AddHost.java)
    [hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at com.q1labs.configservices.capabilities.AddHost.executePresence(AddHost.java)
    [hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at com.q1labs.configservices.capabilities.AddHost.add(AddHost.java)
    [hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at com.q1labs.configservices.capabilities.AddHost.addManagedHost(AddHost.java)
    [hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at com.q1labs.hostcontext.core.executor.AddHostExecutor.addManagedHost(AddHostExecutor.java)
    [hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at com.q1labs.hostcontext.core.executor.AddHostExecutor.invoke(AddHostExecutor.java)
    [hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at com.q1labs.configservices.hostcontext.core.requests.BaseHostRequest.invoke(BaseHostRequest.java)
    [hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at com.q1labs.configservices.hostcontext.core.HostContextServices.messageReceived(HostContextServices.java)
    [hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at com.q1labs.frameworks.events.jms.JMSMessageEvent.dispatchEvent(JMSMessageEvent.java)
    [hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at com.q1labs.frameworks.events.SequentialEventDispatcher$DispatchThread.run(SequentialEventDispatcher.java)
    [hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] com.q1labs.configservices.capabilities.AddHost: [ERROR] [-/- -]Unable to add managed host. The ip of the host is:a.b.a.c.dd
    [hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] com.q1labs.configservices.hostcontext.core.HostContextServices: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Error retrieving message
    [hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] com.q1labs.configservices.hostcontext.exception.HostContextException: Could not get executor object com.q1labs.hostcontext.core.executor.AddHostExecutor
    [hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at com.q1labs.configservices.hostcontext.core.requests.BaseHostRequest.invoke(BaseHostRequest.java)
    [hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at com.q1labs.configservices.hostcontext.core.HostContextServices.messageReceived(HostContextServices.java)
    [hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at com.q1labs.frameworks.events.jms.JMSMessageEvent.dispatchEvent(JMSMessageEvent.java)
    [hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at com.q1labs.frameworks.events.SequentialEventDispatcher$DispatchThread.run(SequentialEventDispatcher.java)
    [hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] Caused by:
    [hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] com.q1labs.configservices.hostcontext.exception.HostContextException: Command exited with non-zero value (4): add_host
    [hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at com.q1labs.hostcontext.core.executor.AddHostExecutor.addManagedHost(AddHostExecutor.java)
    [hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at com.q1labs.hostcontext.core.executor.AddHostExecutor.invoke(AddHostExecutor.java)
    [hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher] at com.q1labs.configservices.hostcontext.core.requests.BaseHostRequest.invoke(BaseHostRequest.java)
    [hostcontext.hostcontext] [d4552232-6490-4537-9cc2-d3cf3db1fb2f/SequentialEventDispatcher]    ... 3 more
    [tomcat.tomcat] [Thread-2051] com.ibm.si.configservices.api.v3_0.deployment.DeploymentAPI: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]unable to add managed host: null
    19 July 2018
    SECURITY BULLETIN CVE-2019-11477
    CVE-2019-11478
    CVE-2019-11479
    LINUX KERNEL AS USED IN IBM QRADAR NETWORK PACKET CAPTURE IS VULNERABLE TO DENIAL OF SERVICE CLOSED Resolved in:
    QRadar Network Packet Capture 7.3.2 Patch 2 (7.3.2.5019)
    QRadar Network Packet Capture 7.2.8 Patch 5 (7.2.8.60)
    19 September 2019
    SECURITY BULLETIN CVE-2018-12126
    CVE-2018-12127
    CVE-2018-12130
    CVE-2019-11091
    IBM QRADAR NETWORK PACKET CAPTURE IS VULNERABLE TO INTEL MICROARCHITECTURAL DATA SAMPLING (MDS) VULNERABILITES CLOSED Resolved in:
    QRadar Network Packet Capture 7.3.2 Patch 2 (7.3.2.5019)
    QRadar Network Packet Capture 7.2.8 Patch 5 (7.2.8.60)
    19 September 2019
    AMAZON AWS S3 REST API PROTOCOL IJ18861 LOGS STOP COLLECTING AND A 'REQUESTTIMETOOSKEWED' ERROR IN QRADAR LOGGING WHEN USING AMAZON AWS S3 REST API PROTOCOL OPEN: Reported in QRadar 7.3.1 Patch 3 and later. Workaround: If possible, implement an AWS V4 REST API connection to avoid the issue.

    Issue: It has been identified that logs can stop being collected when using the Amazon AWS S3 REST API Protocol. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:

    [ecs-ec-ingress.ecs-ec-ingress] [Amazon AWS S3 REST API Protocol Provider Thread: class com.q1labs.semsources.sources.amazonawsrest.AmazonAWSRESTProvider] com.q1labs.semsources.sources.amazonawsrest.utils.web.SimpleRestV2InputStream: [ERROR][-/--] <?xml version="1.0" encoding="UTF-8"?>
    <Error><Code>RequestTimeTooSkewed</Code>
    <Message>The difference between the request time and the current time is too large.</Message>
    <RequestTime> Fri, 10 Aug 2019 24:09:49 +0000</RequestTime>
    <ServerTime> 2019-08-10T00:09:51Z</ServerTime>
    17 September 2019
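The RequestTimeTooSkewed body in the IJ18861 entry above carries two timestamps, and two different problems produce that same error text: genuine clock drift on the Event Collector (S3 refuses a request whose timestamp is more than 15 minutes from its own clock), or a request timestamp that is not a valid RFC 1123 time at all, which is what the excerpt shows, where the hour field reads "24". The following is an added example, not IBM protocol code, that pulls both times out of a qradar.log excerpt and says which of the two you are looking at. The page does not state which cause the APAR is about; the classification is the check, not the diagnosis, and the sample excerpts are constructed from the one above.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Added example, not IBM protocol code. S3 rejects requests whose Date/x-amz-date
# is more than 15 minutes from the server clock; a collector with drifting NTP
# hits that limit. The APAR excerpt, however, shows a RequestTime with hour 24,
# which no RFC 1123 parser accepts, so the two cases are told apart here.
SKEW_LIMIT_SECONDS = 15 * 60
_REQ = re.compile(r"<RequestTime>\s*(.*?)\s*</RequestTime>", re.S)
_SRV = re.compile(r"<ServerTime>\s*(.*?)\s*</ServerTime>", re.S)


def _parse_request_time(text):
    """RFC 1123 as sent in the Date/x-amz-date header; None if unparseable or out of range."""
    try:
        dt = parsedate_to_datetime(text)
    except (ValueError, TypeError):      # hour 24, bad month, empty string ...
        return None
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def classify_skew_error(log_text):
    """Return a dict whose 'verdict' is one of: not-a-skew-error,
    malformed-request-time, clock-skew, within-window."""
    m_req, m_srv = _REQ.search(log_text), _SRV.search(log_text)
    if "RequestTimeTooSkewed" not in log_text or not (m_req and m_srv):
        return {"verdict": "not-a-skew-error"}
    server = datetime.strptime(m_srv.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    request = _parse_request_time(m_req.group(1))
    if request is None:
        return {"verdict": "malformed-request-time",
                "request_time": m_req.group(1), "server_time": server.isoformat()}
    skew = (request - server).total_seconds()
    return {"verdict": "clock-skew" if abs(skew) > SKEW_LIMIT_SECONDS else "within-window",
            "skew_seconds": skew, "server_time": server.isoformat()}


# Constructed excerpts: the first reproduces the body quoted in the APAR entry,
# the second swaps in a request time that is valid but 20 minutes ahead of S3.
EXCERPT_FROM_APAR = """[ecs-ec-ingress.ecs-ec-ingress] [Amazon AWS S3 REST API Protocol Provider Thread: class com.q1labs.semsources.sources.amazonawsrest.AmazonAWSRESTProvider] com.q1labs.semsources.sources.amazonawsrest.utils.web.SimpleRestV2InputStream: [ERROR][-/--] <?xml version="1.0" encoding="UTF-8"?>
<Error><Code>RequestTimeTooSkewed</Code>
<Message>The difference between the request time and the current time is too large.</Message>
<RequestTime> Fri, 10 Aug 2019 24:09:49 +0000</RequestTime>
<ServerTime> 2019-08-10T00:09:51Z</ServerTime>"""
EXCERPT_DRIFTED_CLOCK = EXCERPT_FROM_APAR.replace("Fri, 10 Aug 2019 24:09:49",
                                                  "Sat, 10 Aug 2019 00:29:49")

if __name__ == "__main__":
    for name, excerpt in (("apar", EXCERPT_FROM_APAR), ("drifted", EXCERPT_DRIFTED_CLOCK)):
        print(name, classify_skew_error(excerpt))
```

A "clock-skew" verdict points at NTP on the collector; "malformed-request-time" means the timestamp the protocol put on the wire could never have been accepted, whatever the clock says, which is the shape of the excerpt on this page.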
    LOG SOURCE MANAGEMENT APP (LSM) / OPSEC LEA PROTOCOL IJ19050 ‘INVALID CERTIFICATE FILENAME’ WHEN USING THE LOG SOURCE MANAGEMENT APP TO CONFIGURE A CHECK POINT LOG SOURCE CLOSED Resolved in
    QRadar Weekly Auto Update for 21 July 2020 as PROTOCOL-LEA-7.3-20200521125015 and PROTOCOL-LEA-7.4-20200521125017 or later. Administrators who manually install RPM files can confirm their installed RPM version or download and install the LEA protocol for their QRadar version.

    Workaround
    Use the legacy Log Source user interface to edit your Check Point log source, as this issue is only seen when using the Log Source Management App.

    Issue
    It has been identified that when using the Log Source Management App to configure a Check Point Log Source, messages similar to the following might be returned on POST:

    curl -s -X POST -u user -H 'Content-Type: application/json' -H 'Version: 9.1' -H 'Accept: application/json' --data-binary '{ "description": "New Description for CheckPoint Firewall" }' 'https://server.domain.com/api/config/event_sources/log_source_management/log_sources/8311'
    Response:
    {
      "http_response": {
        "code": 422,
        "message": "The request was well-formed but was unable to be followed due to semantic errors"
      },
      "code": 1021,
      "description": "The protocol parameter value does not match the allowed pattern.",
      "details": {
        "parameter_value": "opsec_cert_10.10.10.10.p12",
        "parameter_name": "certificateFilename",
        "parameter_id": 2080
      },
      "message": "Invalid certificate file name"
    }
    20 March 2020
    WINCOLLECT IJ18859 WINCOLLECT AGENT CAN STOP SENDING EVENTS UNEXPECTEDLY OPEN: Reported in WinCollect 7.2.9. Workaround: Restarting the WinCollect Agent resumes event sending from the affected Agent in these instances. Note: This is a temporary workaround. If Microsoft Windows "EvtSubscribe" fails again, the WinCollect Agent can stop sending events again.

    Issue: It has been identified that in some instances a WinCollect Agent can stop sending events unexpectedly when Microsoft Windows “EvtSubscribe” fails to send notifications that new events have arrived.
    09 September 2019
    UPGRADE IJ00884 WHEN PATCHING FROM 7.2.4 TO 7.2.8 OR GREATER THE PATCH MAY FAIL IF THE NON-ADMIN ROLE HAS API PERMISSIONS CLOSED This issue has been closed as a cancelled APAR.

    Workaround: Either uncheck the API permissions in all user roles that use it, or delete the roles themselves.

    When a QRadar 7.2.4 deployment is patched to 7.2.8 or later, the patch or upgrade may fail because a non-admin user role has API permissions. To determine whether a failed patch or upgrade is this issue, check /var/log/setup-7.x.x.x.x.x.x/qradar_setup.log for messages similar to the following:
    Running pretest 'QVM Flatten Check'
    removing /tmp/qvmsqlskip if it exists
    QVM Database schema is OK - no flatten will happen during patching
    Done running pretest 'QVM Flatten Check'
    Running precheck scripts: (1/14)
    Precheck failed:
    "/media/updates/scripts/725_patch_80235.install --mode precheck"
    [ERROR](testmode) The patch has been aborted at the user's request.
    [ERROR](testmode) Pre Patch Testing shows a configuration issue. Patching this host cannot continue.
    [INFO](testmode) Set qradarconsole status to 'Patch Test Failed'
    [ERROR] Failed to apply patch on localhost, not checking any managed hosts.
    10 April 2018
    CUSTOM ACTION SCRIPTS IJ15444 EDITING THE CUSTOM FIXED PARAMETERS IN A CUSTOM ACTION SCRIPT CHANGES THE ORDER OF DATA OUTPUT WHEN THE SCRIPT IS RUN CLOSED Resolved in QRadar 7.3.2 Patch 2 (7.3.2.20190522204210)

    Workaround: Remove all the parameters and add them in the desired (original) order. You can also change the script variables order to match the required parameters.

    It has been identified that after editing the custom Fixed Property parameters in a custom action script, the incorrect data order is output when the custom action script is run.
    16 May 2019
    INSTALLATION IJ18833 QRADAR INSTALLATION CAN FAIL DURING GET_MYVER CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

    It has been identified that a QRadar installation can fail with an error similar to the following being displayed on screen:
    Failed. Exit code:1. Message:
    ERROR: Failed to run '/opt/qradar/bin/qradar_setup' script: 1
    Traceback (most recent call last):
      File "/opt/qradar/bin/qradar_netsetup.py", line 3913, in <module>
        main ()
      File "/opt/qradar/bin/qradar_netsetup.py", line 3910, in main
        qradarNetsetup.finalBlock(exc=e)
      File "/opt/qradar/bin/qradar_netsetup.py", line 3753, in finalBlock
        myvermap = get_myver()
      File "/opt/qradar/bin/ibm_os_utils.py", line 272, in get_myver
        map = eval(buffer)
      File "<string>", line 1
        Device "ens192
                      ^
    SyntaxError: EOL while scanning string literal
    System setup failed. Please logout/login on the console terminal to reconfigure system.
    05 September 2019
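The traceback in the IJ18833 entry above ends in `map = eval(buffer)` failing with a SyntaxError once the collected text is `Device "ens192` rather than a literal; the same call would have executed the text had it been a valid expression. The following is an added example and is not the contents of /opt/qradar/bin/ibm_os_utils.py. It assumes the buffer is meant to hold a Python dict literal and that the stray text is a tool's error output that landed on the same stream, and puts the fragile pattern next to a parser that accepts only a dict literal, never executes its input, and fails closed with a message naming the offending text. The three buffers are constructed, not captured from a QRadar system.

```python
import ast

# Added example, not the contents of /opt/qradar/bin/ibm_os_utils.py. Assumptions:
# the buffer passed to eval() in the traceback is meant to be a Python dict
# literal, and 'Device "ens192' is foreign text (a tool error) on the same stream.


def get_myver_fragile(buffer: str) -> dict:
    # The pattern from the traceback. eval() executes whatever the buffer holds:
    # a SyntaxError on garbage is the benign outcome; an expression such as
    # __import__('os').system(...) would simply run.
    return eval(buffer)


class MyverParseError(ValueError):
    pass


def get_myver_safe(buffer: str) -> dict:
    """Parse buffer as a dict literal via ast.literal_eval (no code execution)
    and reject anything that is not a dict keyed by strings."""
    text = buffer.strip()
    try:
        value = ast.literal_eval(text)
    except (SyntaxError, ValueError) as exc:
        first_line = text.splitlines()[0] if text else ""
        raise MyverParseError(f"version map is not a literal: {first_line!r}") from exc
    if not isinstance(value, dict) or not all(isinstance(k, str) for k in value):
        raise MyverParseError(f"version map has unexpected shape: {type(value).__name__}")
    return value


def get_myver_or_default(buffer: str, default=None):
    """Return (map, None) on success, or (default or {}, error_text) on failure,
    so a setup script can log the reason and continue instead of dying mid-install."""
    try:
        return get_myver_safe(buffer), None
    except MyverParseError as exc:
        return ({} if default is None else default), str(exc)


# Constructed inputs (not captured from a QRadar system):
GOOD_BUFFER = "{'major': '7', 'minor': '3', 'patch': '2', 'build': '20190705120852'}"
BAD_BUFFER = 'Device "ens192'               # the unterminated text from the traceback
EVIL_BUFFER = "__import__('os').getpid()"   # harmless here, but eval() still executes it

if __name__ == "__main__":
    for label, buf in (("good", GOOD_BUFFER), ("bad", BAD_BUFFER), ("evil", EVIL_BUFFER)):
        print(label, get_myver_or_default(buf))
```

The safe variant turns the page's SyntaxError into a one-line error that names the text it choked on, which is what you want in qradar_setup.log; the fragile variant is kept only to show that `eval()` returns an integer for the "evil" buffer, i.e. it ran the expression.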
    SEARCH IJ05777 NEW ARIEL SEARCHES ARE UNABLE TO START DURING DELETE OF /TRANSIENT CURSOR FILES OPEN: Reported in QRadar 7.3.0, 7.3.1, and 7.3.2. No workaround available.

    It has been identified that new QRadar searches cannot start while cursor files in /transient are being deleted, because Ariel connection errors occur during the deletion. Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs:
    [tomcat.tomcat] [Token: Local Health Console@127.0.0.1 (60) /console/restapi/api/ariel/searches] com.q1labs.restapi_annotations.content.exceptions.APIMappedException: Failed to connect to ariel server. Please try again later

    During the same time stamps as the message above, messages similar to the following are generated in /var/log/qradar.log:
    [ariel_proxy.ariel_proxy_server] [main] com.q1labs.ariel.searches.Locations: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Data for xxxx-xxxx-xxxx-xxxxxx was deleted, 7 KB was freed on hard drive, reason: data is expired, exp.date: 18-02-19,15:49:14
    [ariel_proxy.ariel_proxy_server] [main] com.q1labs.ariel.searches.Locations: [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Data for xxxx-xxxx-xxxx-xxxxxx was deleted, 8 KB was freed on hard drive, reason: data is expired, exp.date: 18-02-19,15:49:15
    17 April 2018
    PROTOCOL / AMAZON AWS REST API IJ16603 AMAZON CLOUDTRAIL LOG SOURCE UNABLE TO PULL LOGS FROM AN S3 BUCKET WHEN A TILDE '~' EXISTS IN A FILENAME OR DIRECTORY OPEN: Reported in PROTOCOL-AmazonAWSRESTAPI-7.3-20180627173947. Workaround: Modify directories and filenames to avoid using tilde '~' characters.

    It has been identified that Amazon CloudTrail Log Source type is unable to pull logs from the S3 bucket when a tilde ‘~’ is used in filenames or directories. The Log Source message when this occurs is similar to the following:
    ERROR - Error authenticating with Amazon S3 Bucket - update configuration and save or disable/enable the log source to retry
    ERROR - SignatureDoesNotMatch - The request signature we calculated does not match the signature you provided. Check your key and signing method.
    28 August 2019
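The IJ16603 entry above only reports that a '~' in an S3 key or prefix ends in SignatureDoesNotMatch. The following is an added example, not QRadar or IBM protocol code, showing the AWS Signature Version 4 rule a client has to honour for such keys, which is the usual way that error arises and is offered here as an assumption about the cause rather than something the page states: the canonical URI percent-encodes every byte except the RFC 3986 unreserved set (A-Z, a-z, 0-9, '-', '_', '.', '~'), keeping '/' as the segment separator, and S3 keys are encoded once. A client that also escapes '~' as %7E signs a different canonical request from the one S3 rebuilds from the wire request, so the two signatures disagree. Bucket, key, credential and timestamp are constructed for the demonstration.

```python
import hashlib
import hmac
import string

# Added example, not QRadar or IBM protocol code. Shows the SigV4 canonical-URI
# encoding rule for S3 keys and how escaping '~' changes the resulting signature.
# The cause of the APAR is assumed, not stated on the page; all inputs are made up.
_ALNUM = frozenset((string.ascii_letters + string.digits).encode())


def _pct_encode(segment: str, extra_safe: bytes) -> str:
    safe = _ALNUM | frozenset(extra_safe)
    return "".join(chr(b) if b in safe else "%%%02X" % b for b in segment.encode("utf-8"))


def aws_uri_encode(key: str) -> str:
    """SigV4 canonical URI for an S3 key: each segment encoded once, '~' left alone."""
    return "/".join(_pct_encode(seg, b"-_.~") for seg in key.split("/"))


def form_style_encode(key: str) -> str:
    """The mismatching behaviour: form-style encoding that escapes '~' as %7E too."""
    return "/".join(_pct_encode(seg, b"-_.") for seg in key.split("/"))


def canonical_request(method, key, host, amz_date, payload_hash, encode=aws_uri_encode):
    headers = {"host": host, "x-amz-content-sha256": payload_hash, "x-amz-date": amz_date}
    canonical_headers = "".join(f"{k}:{v}\n" for k, v in sorted(headers.items()))
    signed_headers = ";".join(sorted(headers))
    # method, URI, query string (empty here), headers, signed-header list, payload hash
    return "\n".join([method, "/" + encode(key), "", canonical_headers, signed_headers, payload_hash])


def sigv4_signature(secret, amz_date, region, service, creq):
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(creq.encode()).hexdigest()])
    k = ("AWS4" + secret).encode()
    for piece in (date, region, service, "aws4_request"):   # kDate, kRegion, kService, kSigning
        k = hmac.new(k, piece.encode(), hashlib.sha256).digest()
    return hmac.new(k, string_to_sign.encode(), hashlib.sha256).hexdigest()


def signatures_for(key, secret="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"):
    """Sign the same GET for `key` with both encoders; returns {'aws': sig, 'form': sig}."""
    host, amz_date = "example-bucket.s3.amazonaws.com", "20190828T120000Z"
    empty_payload = hashlib.sha256(b"").hexdigest()
    return {name: sigv4_signature(secret, amz_date, "us-east-1", "s3",
                                  canonical_request("GET", key, host, amz_date, empty_payload, enc))
            for name, enc in (("aws", aws_uri_encode), ("form", form_style_encode))}


if __name__ == "__main__":
    for key in ("AWSLogs/~acct/CloudTrail/2019/08/28/trail.json.gz", "AWSLogs/acct/trail.json.gz"):
        s = signatures_for(key)
        print(key, "signatures agree" if s["aws"] == s["form"] else "signatures differ")
```

For a key without '~' both encoders produce the same canonical request and the same signature; add a '~' and only the form-style encoder changes the bytes being signed, which is the SignatureDoesNotMatch pattern the entry describes. The same check applies to any other unreserved character a client library might over-encode.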
    LOG SOURCE MANAGEMENT APP / PROTOCOL IJ15594 'SOURCE NAME REGEX' AND 'SOURCE NAME FORMATTING STRING' DISPLAYED WHEN SHOW ADVANCED OPTIONS IS SET TO 'NO' OPEN: Reported in PROTOCOL-UDPMultilineSyslog-7.3-20170321173400. Contact Support for a possible workaround that might address this issue in some instances.

    It has been identified that when using the Log Source Management App, the UDP Multiline Syslog protocol type has the Source Name Regex and Source Name Formatting String displayed in the user interface when Show Advanced Options is set to No. The advanced options should only be visible to users when Show Advanced Options is set to Yes.
    28 August 2019
    REPORTS / ADVANCED SEARCH (AQL) IJ17433 ADVANCED SEARCH (AQL) THAT INCLUDES ‘HAVING’ CLAUSE GENERATES AN APPLICATION ERROR WHEN USED IN SCHEDULED REPORTS OPEN: Reported in QRadar 7.3.2 Patch 1 Workaround: Reports generate as expected when using the manual report option instead of scheduled, or using AQL without the “HAVING” clause.

    It has been identified that an 'Application Error' dialog is generated in the Report Wizard when a scheduled report uses an AQL query that includes a "HAVING" clause.

    To recreate this issue:
    1. From the Log Activity tab, create a search using a HAVING clause in AQL. For example:
      select count(*) as '# event count', QIDNAME(qid) As 'event
      name',CATEGORYNAME(category) as
      'LLC',sourceip,destinationip,LOGSOURCENAME(logsourceid) as 'log source'
      from events where LOGSOURCENAME(logsourceid) ILIKE 'SIM Audit%'
      GROUP BY QIDNAME(qid)
      HAVING "LLC" = 'SIM User Action' and "# event count" < '10.0'
    2. From the Reports tab, click Actions -> Create -> Next, and select Weekly.
    3. Use the standard time parameters and click Next.
    4. Select a container type for the report.
    5. From the Chart Type list box, select Events/Logs, then click Define.
    6. Select the saved search that contains the AQL from Step 1, provide a name and save the container.
    7. At the end of the Report Wizard, click Finish.

      Results
      An 'Application Error' dialog pops up and the report is not generated.


    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [tomcat.tomcat] [Admin@127.0.0.1 (2727)
    /console/do/reportwizard]
    com.q1labs.reports.ui.action.ReportWizard: [ERROR]
    [NOT:0000003000][127.0.0.1/- -] [-/- -]Error setting chart data
    for chart Events/Logs
    [tomcat.tomcat] [Admin@127.0.0.1 (2727)
    /console/do/reportwizard] java.lang.IllegalArgumentException:
    key should not be null
    [tomcat.tomcat] [Admin@127.0.0.1 (2727)
    /console/do/reportwizard]    at
    com.q1labs.ariel.IndexTree.(IndexTree.java:166)
    [tomcat.tomcat] [Admin@127.0.0.1 (2727)
    /console/do/reportwizard]    at
    com.q1labs.ariel.IndexTree.(IndexTree.java:143)
    [tomcat.tomcat] [Admin@127.0.0.1 (2727)
    /console/do/reportwizard]    at
    com.q1labs.ariel.IndexTree.create(IndexTree.java:115)
    [tomcat.tomcat] [Admin@127.0.0.1 (2727)
    /console/do/reportwizard]    at
    com.q1labs.ariel.IndexTree.create(IndexTree.java:124)
    [tomcat.tomcat] [Admin@127.0.0.1 (2727)
    /console/do/reportwizard]    at
    com.q1labs.cve.aggregation.CVEAggregator$HavingProcessor$Criceri
    aProcessor.process(CVEAggregator.java:74)
    [tomcat.tomcat] [Admin@127.0.0.1 (2727)
    /console/do/reportwizard]    at
    com.q1labs.cve.aggregation.CVEAggregator$HavingProcessor$Criceri
    aProcessor.process(CVEAggregator.java:69)
    [tomcat.tomcat] [Admin@127.0.0.1 (2727)
    /console/do/reportwizard]    at
    com.q1labs.ariel.IndexTree.useTree(IndexTree.java:254)
    [tomcat.tomcat] [Admin@127.0.0.1 (2727)
    /console/do/reportwizard]    at
    com.q1labs.ariel.IndexTree.useTree(IndexTree.java:256)
    [tomcat.tomcat] [Admin@127.0.0.1 (2727)
    /console/do/reportwizard]    at
    com.q1labs.cve.aggregation.CVEAggregator$HavingProcessor.process
    Criceria(CVEAggregator.java:131)
    [tomcat.tomcat] [Admin@127.0.0.1 (2727)
    /console/do/reportwizard]    at
    com.q1labs.cve.accumulation.definition.VirtualViewDefinition.cre
    ateAggregator(VirtualViewDefinition.java:782)
    [tomcat.tomcat] [Admin@127.0.0.1 (2727)
    /console/do/reportwizard]    at
    com.q1labs.cve.accumulation.definition.GlobalViewConfiguration.a
    ttach2Config(GlobalViewConfiguration.java:384)
    [tomcat.tomcat] [Admin@127.0.0.1 (2727)
    /console/do/reportwizard]    at
    com.q1labs.cve.accumulation.definition.GlobalViewConfiguration.c
    reateVirtualView(GlobalViewConfiguration.java:361)
    [tomcat.tomcat] [Admin@127.0.0.1 (2727)
    /console/do/reportwizard]    at
    com.q1labs.cve.accumulation.definition.GlobalViewsManager.create
    View(GlobalViewsManager.java:312)
    [tomcat.tomcat] [Admin@127.0.0.1 (2727)
    /console/do/reportwizard]    at
    com.q1labs.cve.accumulation.definition.GlobalViewsManager.create
    ViewWithReference(GlobalViewsManager.java:392)
    [tomcat.tomcat] [Admin@127.0.0.1 (2727)
    /console/do/reportwizard]    at
    com.q1labs.reporting.charts.ArielChart.createVirtualView(ArielChart.java)
    [tomcat.tomcat] [Admin@127.0.0.1 (2727)
    /console/do/reportwizard]    at
    com.q1labs.reporting.charts.ArielChart.setData(ArielChart.java)
    [tomcat.tomcat] [Admin@127.0.0.1 (2727)
    /console/do/reportwizard]    at
    com.q1labs.reports.ui.action.ReportWizard.generateReport(ReportWizard.java)
    [tomcat.tomcat] [Admin@127.0.0.1 (2727)
    /console/do/reportwizard]    at
    com.q1labs.reports.ui.action.ReportWizard.fetchPageToDisplay(ReportWizard.java)
    [tomcat.tomcat] [Admin@127.0.0.1 (2727)
    /console/do/reportwizard]    at
    com.q1labs.reports.ui.action.ReportWizard.executeAction(ReportWizard.java:261)
    [tomcat.tomcat] [Admin@127.0.0.1 (2727)
    /console/do/reportwizard]    at
    com.q1labs.uiframeworks.actions.WizardAction.execute(WizardAction.
    java)
    08 July 2019
    EMAIL NOTIFICATIONS IJ16965 QRADAR CAN STOP SENDING EMAIL NOTIFICATIONS WHEN SMBTAIL HAS TOO MANY OPEN PORT CONNECTIONS Closed as unreproducible in next release Workaround
    Performing a restart of the ecs-ec service from an SSH connection to the QRadar Console can temporarily correct this condition.

    Issue
    It has been identified that in some instances, SMBTail-configured Log Sources in an Error state can use up too many port connections, causing QRadar to stop sending email notifications. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [ecs-ep]
    [[type=com.eventgnosis.system.ThreadedEventTerminator]
    [parent={host}:ecs-ep/EP/EmailDestination]]
    com.q1labs.sem.util.EmailSender: [ERROR]
    [NOT:0000003000][127.0.0.1/- -] [-/- -]Exception attempting to
    send email: Sending the email to the following server failed :
    localhost:25
    [ecs-ep]
    [[type=com.eventgnosis.system.ThreadedEventTerminator]
    [parent={host}:ecs-ep/EP/EmailDestination]]
    org.apache.commons.mail.EmailException: Sending the email to
    the following server failed : localhost:25
    [ecs-ep]
    [[type=com.eventgnosis.system.ThreadedEventTerminator]
    [parent={host}:ecs-ep/EP/EmailDestination]]   at
    org.apache.commons.mail.Email.sendMimeMessage(Email.java:1242)
    [ecs-ep]
    [[type=com.eventgnosis.system.ThreadedEventTerminator]
    [parent={host}:ecs-ep/EP/EmailDestination]]   at
    org.apache.commons.mail.Email.send(Email.java:1267)
    [ecs-ep]
    [[type=com.eventgnosis.system.ThreadedEventTerminator]
    [parent={host}:ecs-ep/EP/EmailDestination]]   at
    com.q1labs.sem.util.EmailSender.send(EmailSender.java:137)
    [ecs-ep]
    [[type=com.eventgnosis.system.ThreadedEventTerminator]
    [parent={host}:ecs-ep/EP/EmailDestination]]   at
    com.q1labs.semsources.destinations.EmailDestination.outputEvent(
    EmailDestination.java:42)
    [ecs-ep]
    [[type=com.eventgnosis.system.ThreadedEventTerminator]
    [parent={host}:ecs-ep/EP/EmailDestination]]   at
    com.eventgnosis.system.ThreadedEventTerminator.run(ThreadedEvent
    Terminator.java:51)
    [ecs-ep]
    [[type=com.eventgnosis.system.ThreadedEventTerminator]
    [parent={host}:ecs-ep/EP/EmailDestination]]   at
    java.lang.Thread.run(Thread.java:785)
    [ecs-ep]
    [[type=com.eventgnosis.system.ThreadedEventTerminator]
    [parent={host}:ecs-ep/EP/EmailDestination]] Caused by:
    [ecs-ep]
    [[type=com.eventgnosis.system.ThreadedEventTerminator]
    [parent={host}:ecs-ep/EP/EmailDestination]]
    javax.mail.MessagingException: Could not connect to SMTP host:
    localhost, port: 25;
    nested exception is:
       java.net.BindException: Address already in use (Bind failed)
    [ecs-ep]
    [[type=com.eventgnosis.system.ThreadedEventTerminator]
    [parent={host}:ecs-ep/EP/EmailDestination]]   at
    com.sun.mail.smtp.SMTPTransport.openServer(SMTPTransport.java)
    [ecs-ep]
    [[type=com.eventgnosis.system.ThreadedEventTerminator]
    [parent={host}:ecs-ep/EP/EmailDestination]]   at
    com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.ja
    va:311)
    [ecs-ep]
    [[type=com.eventgnosis.system.ThreadedEventTerminator]
    [parent={host}:ecs-ep/EP/EmailDestination]]   at
    javax.mail.Service.connect(Service.java:233)
    [ecs-ep]
    [[type=com.eventgnosis.system.ThreadedEventTerminator]
    [parent={host}:ecs-ep/EP/EmailDestination]]   at
    javax.mail.Service.connect(Service.java:134)
    [ecs-ep]
    [[type=com.eventgnosis.system.ThreadedEventTerminator]
    [parent={host}:ecs-ep/EP/EmailDestination]]   at
    javax.mail.Service.connect(Service.java:86)
    [ecs-ep]
    [[type=com.eventgnosis.system.ThreadedEventTerminator]
    [parent={host}:ecs-ep/EP/EmailDestination]]   at
    com.sun.mail.smtp.SMTPTransport.connect(SMTPTransport.java:144)
    [ecs-ep]
    [[type=com.eventgnosis.system.ThreadedEventTerminator]
    [parent={host}:ecs-ep/EP/EmailDestination]]   at
    javax.mail.Transport.send0(Transport.java:150)
    [ecs-ep]
    [[type=com.eventgnosis.system.ThreadedEventTerminator]
    [parent={host}:ecs-ep/EP/EmailDestination]]   at
    javax.mail.Transport.send(Transport.java:80)
    [ecs-ep]
    [[type=com.eventgnosis.system.ThreadedEventTerminator]
    [parent={host}:ecs-ep/EP/EmailDestination]]   at
    org.apache.commons.mail.Email.sendMimeMessage(Email.java:1232)
    [ecs-ep]
    [[type=com.eventgnosis.system.ThreadedEventTerminator]
    [parent={host}:ecs-ep/EP/EmailDestination]] ... 5 more
    28 August 2019
    REPORTS IJ18481 'DAILY "START TIME" MUST BE BEFORE "END TIME"' MESSAGE WHEN SELECTING PREVIOUS DAY START TIME BETWEEN 12AM AND 12:45AM CLOSED Resolved in QRadar 7.4.1 (7.4.1.20200716115107)

    Workaround
    No workaround available.

    Issue
    It has been identified that the Report container can fail to save and generates a pop-up message similar to 'Daily "Start Time" must be before "End Time"' when "Data of previous day" is used and any start time between 12:00 AM and 12:45 AM is selected in the daily scheduling of a report.
    26 August 2019
    DEVICE SUPPORT MODULE (DSM) IJ16412 MICROSOFT OFFICE 365 DSM IS POPULATING THE IPV4 LOG SOURCE ADDRESS AS SOURCE IP WHEN IT SHOULD BE USING IPV6 ADDRESS OPEN: Reported in DSM-MicrosoftOffice365-7.3-20190226183934 Workaround: From the Admin tab > DSM Editor user interface, create an override for the Source IP in QRadar to substitute 0.0.0.0 when an IPv6 address is present in the ClientIP of the event payload. This change prevents the packet IP address from being entered into the Source IP address field in IPv4 format when an IPv6 address is available.

    • Regex: ClientIP":"((?:[0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4})
    • Format string: 0.0.0.0
    For a screen capture of the override from this APAR, see this DSM Editor example.

    It has been identified that the QRadar Microsoft Office 365 DSM successfully parses the IPv6 address from an Office 365 event payload and adds it to the event properties as IPv6, but it places the Log Source (packet) IPv4 address in the Source IP field of the user interface.
    28 August 2019
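    Before applying the IJ16412 override in the DSM Editor, it is worth checking what the published regex actually captures. The following is an added Python example, not part of the APAR entry or IBM's code; the payload fragments are constructed samples rather than real Office 365 events, and the bracketed "[addr]:port" case is included only to show where the regex, as published, stops matching.

```python
import re

# Override regex and format string from the IJ16412 workaround
# (Admin tab > DSM Editor, Source IP property override).
CLIENTIP_V6_RE = re.compile(r'ClientIP":"((?:[0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4})')
OVERRIDE_SOURCE_IP = "0.0.0.0"  # the workaround's format string

# Constructed sample payload fragments (not real Office 365 events).
SAMPLE_PAYLOADS = {
    "ipv6_compressed": '{"Operation":"FileAccessed","ClientIP":"2001:db8::1","UserId":"u@example.com"}',
    "ipv6_full":       '{"Operation":"UserLoggedIn","ClientIP":"fe80:0000:0000:0000:0202:b3ff:fe1e:8329"}',
    "ipv4":            '{"Operation":"FileAccessed","ClientIP":"10.20.30.40","UserId":"u@example.com"}',
    "ipv4_with_port":  '{"Operation":"UserLoggedIn","ClientIP":"10.20.30.40:443"}',
    # Bracketed "[addr]:port" shape: the published regex needs a hex digit or a
    # colon immediately after the opening quote, so it does NOT match this one
    # and the override would leave Source IP untouched for such an event.
    "ipv6_bracketed":  '{"Operation":"UserLoggedIn","ClientIP":"[2001:db8::1]:443"}',
}


def extracted_ipv6(payload: str):
    """The capture group the override regex hands to the format string,
    or None when the regex does not match (override not applied)."""
    m = CLIENTIP_V6_RE.search(payload)
    return m.group(1) if m else None


def source_ip_override(payload: str):
    """Value written into Source IP under the IJ16412 override: 0.0.0.0 when
    ClientIP is an IPv6 address the regex recognises, None when the override
    leaves the field alone (IPv4 ClientIP or an unrecognised ClientIP shape)."""
    return OVERRIDE_SOURCE_IP if CLIENTIP_V6_RE.search(payload) else None


def classify_samples():
    """Run every constructed sample through the override and return
    {name: (captured_ipv6, source_ip_written)}."""
    return {name: (extracted_ipv6(p), source_ip_override(p))
            for name, p in SAMPLE_PAYLOADS.items()}


if __name__ == "__main__":
    for name, (captured, override) in classify_samples().items():
        print(f"{name:16} captured={captured!r:45} source_ip={override}")
```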
    SCHEDULED SCAN / QRADAR VULNERABILITY MANAGER (QVM) IJ17942 VULNERABILITY SCHEDULED SCANS CAN FAIL AND THE SCAN DATA APPEARS TO HANG CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)

    Workaround
    Administrators can install a software version that resolves this software issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances.

    Issue
    It has been identified that Vulnerability Manager scheduled scans can fail with the scan data hanging. When this occurs, affected scans have no results to process, the scan sits at 'stopped' and the duration keeps counting up. Cancelling an affected scan while it is running leaves it at 100% with the duration still counting up and, again, no results. Hovering over the Progress bar shows an "Estimated time to Process" value, but the time displayed keeps rising along with the duration. Manually run scans complete as expected while this behavior affects scheduled scans.

    Messages similar to the following might be visible in /var/log/qradar-sql.log when this issue occurs:
    postgres[23015]: [1161-1] ERROR:  out of shared memory
    postgres[23015]: [1161-2] HINT:  You might need to increase
    max_locks_per_transaction.
    postgres[23015]: [1161-3] CONTEXT:  SQL statement "SELECT (NOT
    EXISTS(SELECT jo.JobOrderID
    postgres[23015]: [1161-4] FROM JobOrders jo....
    postgres[4285]: [3478-1] ERROR: relation "tt_table9" does not
    exist
    postgres[4285]: [3478-2] CONTEXT:  SQL statement "truncate
    table tt_TABLE9"
    postgres[4285]: [3478-3]  PL/pgSQL function
    cwf_orgunit_getallcompanynodesabove_maint(integer) line 18 at
    SQL statement
    postgres[4285]: [3478-4]  SQL statement "INSERT INTO
    tt_new_rows_mapped_q1_exclusion_rules
    26 November 2020
    WINCOLLECT IJ17949 WINCOLLECT AGENT ONLY RUNS A DNS LOOKUP WHEN THE AGENT IS RESTARTED CLOSED Resolved in
    WinCollect 7.2.9 Patch 1

    Workaround
    No workaround available.

    Issue
    It has been identified that there are instances where a WinCollect Agent should run a refreshed DNS lookup. When Event Forwarding is used, the current WinCollect Agent behaves as follows:

    The WinCollect Agent performs a DNS lookup when it receives its first event from the Windows computer, resolves the proper IP address and caches it. This IP address is used in the originating computer field of the payload. If the Windows computer switches between a wired and a wireless connection, it effectively receives a new IP address. The WinCollect Agent continues to use the cached IP address and does not perform a DNS query for the new one. The Windows computer asset does not get the new IP address registered until the WinCollect Agent is restarted.
    18 November 2019
    GEOGRAPHIC DATA IJ17989 QRADAR CONTINUES TO USE THE GEO2LITE MAXMIND DATABASE FOR GEODATA INFORMATION WHEN MAXMIND SUBSCRIPTION CONFIGURED OPEN: Reported in QRadar 7.3.1 and 7.3.2 versions Contact Support for a possible workaround that might address this issue in some instances.

    It has been identified that QRadar continues to use the Geo2Lite MaxMind database even when a paid subscription to MaxMind is configured in the QRadar User Interface -> System Settings.
    07 August 2019
    REPORTS IJ18005 LEFT TAB REPORT FILTER OPTIONS IN THE REPORTING TAB ARE NOT WORKING AS EXPECTED USING A GROUP THAT HAS BEEN SHARED OPEN: Reported in QRadar 7.3.1 and 7.3.2 versions Workaround: Sort the reporting tab by "Schedule" to see relevant reports.

    It has been identified that the left tab filters in the Reporting tab (Manual, Hourly, Weekly, Monthly) are not filtering the report list as expected.

    For example:
    1. When selecting "Manual", reports that are Daily and Weekly are displayed.
    2. When selecting "Monthly", reports that are Weekly, Daily, and Hourly are displayed.
    These incorrect reports are displayed when using a Group that has been shared across users. (Reports > Manage Groups > select a group > Share > Share with "Users matching the following criteria")
    07 August 2019
    X-FORCE UPDATES / PROXY IJ18011 MANUAL SCASERVER PROXY CONFIG SETTINGS ARE OVERWRITTEN BY /OPT/QRADAR/SYSTEMD/BIN/SCASERVER_UPDATE_SETTINGS.SH OPEN: Reported in multiple QRadar versions Contact Support for a possible workaround that might address this issue in some instances.

    It has been identified that the scaserver fails to connect to *.xforce-security.com using an authenticated proxy when /opt/qradar/systemd/bin/scaserver_update_settings.sh runs and overwrites the required manual changes that were made in:
    • /opt/qradar/dca/dca/init/dca_license/dca_license_settings_user.txt
      and
    • /opt/qradar/dca/dca/init/dca_update/dca_update_settings_user.txt
    This issue can prevent proxy config settings in /opt/qradar/dca/server.ini from connecting to *.xforce-security.com. For the support article that describes how to configure an authenticated proxy for X-Force Updates, see: QRadar: X-Force Frequently Asked Questions (FAQ)
    07 August 2019
    PROTOCOL / TIVOLI ENDPOINT MANAGER SOAP IJ18014 BIGFIX LOG SOURCE RECEIVING LOGIN SUCCESS EVENTS AND NOT RECEIVING ACTION EVENTS OPEN: Reported in PROTOCOL-IBMBigFixSOAP-7.3-20180914130641 No workaround available.

    It has been identified that BigFix Log Sources are only receiving Login Success events and not receiving Action events.
    16 August 2019
    HIGH AVAILABILITY (HA) IJ18040 ADDING HIGH AVAILABILITY TO AN APPLIANCE CAN FAIL DURING THE REMOTE VERSION CHECK OPEN: Reported in QRadar 7.3.2 versions Contact Support for a possible workaround that might address this issue in some instances.

    It has been identified that adding High Availability (HA) to an appliance can fail because the remote version check incorrectly reports the QRadar version of the appliance that is to become the Secondary HA appliance.

    Messages similar to the following might be visible in the qradar_hasetup.log file on the "Primary" appliance when this issue occurs:
    [HA Setup (P-M----)] ESC[31m[ERROR] Remote system is version
    root@1.1.1
    7.3.2 but we are 7.3.2.
    You must re-install the standby system with the latest version.
    08 August 2019
    RESOURCE RESTRICTION / SEARCH IJ18069 CONFIGURED RESTRICTION DOES NOT CANCEL SEARCHES AS EXPECTED AND THE SEARCH RUNS UNTIL A TIMEOUT LIMIT IS REACHED OPEN: Reported in QRadar 7.3.2 versions Workaround: Modify the search using further filtering so as not to hit the Admin -> Resource Restriction "Record Limit" that is configured.

    It has been identified that the Record Limit configured under Admin -> Resource Restrictions in the QRadar User Interface is not working as expected. When a search hits the configured Resource Restriction, it is not cancelled immediately. The search still shows as in progress at 100% until it hits the default execution timeout limit. Messages similar to the following might be visible in QRadar logging when this issue occurs:
    ariel_client /127.0.0.1:41920 | [Action] [Search]
    [SearchExecuted] query starts,
    description="User:tkmau,Source:UI,Params:Id:xxxxx-xxxx-xxxx-
    xxxx-xxxxx,DB:, Time:<9:19 AM to 9:19 AM>,
    Columns:Associated With Offense, Event Name, Log Source, Event
    Count, Time, Category, Source IP, Source Port, Destination IP,
    Destination Port, Username, Magnitude"
    aqw_remote_27:xxxxx-xxxx-xxxx-xxxx-xxxxx | [Action]
    [Search] [SearchCanceled] query canceled,
    details="Id:xxxxx-xxxx-xxxx-xxxx-xxxxx,
    Reason:Maximum processed records number for query w
    as exceeded"
    ariel_query_22:xxxxx-xxxx-xxxx-xxxx-xxxxx | [Action]
    [Search] [SearchCanceled] query canceled,
    details="Id:xxxxx-xxxx-xxxx-xxxx-xxxxx, Reason:Query
    execution time limit was exceeded"


    The actual cancellation message appears only after the read timeout is logged:
    ariel_query_22:xxxxx-xxxx-xxxx-xxxx-xxxxx | [Action]
    [Search] [SearchCompleted] query finished, status=CANCELED,
    stat details="Id:xxxxx-xxxx-xxxx-xxxx-xxxxx,
    FileStats [dataFileCount=22, compressedDataFileCount=0,
    indexFileCount=11, dataTotalSize=130746346KB,
    compressedDataTotalSize=0KB, indexTotalSize=101139786KB,
    progress=100.0%, totalResult=27, totalResultDataSize=18KB,
    searchTime=45800ms]", concurrent queries="5"
    [ariel_proxy.ariel_proxy_server]
    [AsynchronousReceiver:localhost/127.0.0.1:32023]
    com.q1labs.frameworks.nio.network.Communicator: [ERROR]
    [NOT:0000003000][x.x.x.x/- -] [-/- -]Read timeout (45000 ms)
    expired, Port: 52760, localhost/127.0.0.1:32023
    [ariel_proxy.ariel_proxy_server]
    [AsynchronousReceiver:localhost/127.0.0.1:32023]
    java.net.SocketTimeoutException: Read timeout (45000 ms)
    expired, Port: 52760, localhost/127.0.0.1:32023
    [ariel_proxy.ariel_proxy_server]
    [AsynchronousReceiver:localhost/127.0.0.1:32023]    at
    com.q1labs.frameworks.nio.network.protocol.Protocol$Asynchronous
    Receiver.readBlockFromChannel(Protocol.java:1577)
    [ariel_proxy.ariel_proxy_server]
    [AsynchronousReceiver:localhost/127.0.0.1:32023]    at
    com.q1labs.frameworks.nio.network.protocol.Protocol$Asynchronous
    Receiver.read(Protocol.java:1597)
    [ariel_proxy.ariel_proxy_server]
    [AsynchronousReceiver:localhost/127.0.0.1:32023]    at
    com.q1labs.frameworks.nio.network.protocol.Protocol$Asynchronous
    Receiver.run(Protocol.java:1657)
    [ariel_proxy.ariel_proxy_server]
    [AsynchronousReceiver:localhost/127.0.0.1:32023]    at
    java.lang.Thread.run(Thread.java:812)
    [ariel_proxy.ariel_proxy_server]
    [aqw_remote_14:ff3ee225-1044-4c88-9523-55e902cce450]
    com.q1labs.ariel.searches.service.ids.Slave:
    [INFO] [-/- -]Error closing remote server [localhost:32023]
    [ariel_proxy.ariel_proxy_server]
    [aqw_remote_14:xxxxx-xxxx-xxxx-xxxx-xxxxx]
    java.util.concurrent.ExecutionException:
    java.net.SocketTimeoutException: Read timeout (45000 ms)
    expired, Port: 52760, localhost/127.0.0.1:32023
    [ariel_proxy.ariel_proxy_server]
    [aqw_remote_14:xxxxx-xxxx-xxxx-xxxx-xxxxx]    at
    com.q1labs.frameworks.nio.network.protocol.ProtocolProcessor.rep
    ortError(ProtocolProcessor.java:409)
    [ariel_proxy.ariel_proxy_server]
    [aqw_remote_14:xxxxx-xxxx-xxxx-xxxx-xxxxx]    at
    com.q1labs.frameworks.nio.network.protocol.Protocol$Asynchronous
    Receiver.run(Protocol.java:1664)
    [ariel_proxy.ariel_proxy_server]
    [aqw_remote_14:xxxxx-xxxx-xxxx-xxxx-xxxxx]    at
    java.lang.Thread.run(Thread.java:812)
    [ariel_proxy.ariel_proxy_server]
    [aqw_remote_14:xxxxx-xxxx-xxxx-xxxx-xxxxx] Caused by:
    [ariel_proxy.ariel_proxy_server]
    [aqw_remote_14:xxxxx-xxxx-xxxx-xxxx-xxxxx]
    java.net.SocketTimeoutException: Read timeout (45000 ms)
    expired, Port: 52760, localhost/127.0.0.1:32023
    [ariel_proxy.ariel_proxy_server]
    [aqw_remote_14:xxxxx-xxxx-xxxx-xxxx-xxxxx]    at
    com.q1labs.frameworks.nio.network.protocol.Protocol$Asynchronous
    Receiver.readBlockFromChannel(Protocol.java:1577)
    [ariel_proxy.ariel_proxy_server]
    [aqw_remote_14:xxxxx-xxxx-xxxx-xxxx-xxxxx]    at
    com.q1labs.frameworks.nio.network.protocol.Protocol$Asynchronous
    Receiver.read(Protocol.java:1597)
    [ariel_proxy.ariel_proxy_server]
    [aqw_remote_14:xxxxx-xxxx-xxxx-xxxx-xxxxx]    at
    com.q1labs.frameworks.nio.network.protocol.Protocol$Asynchronous
    Receiver.run(Protocol.java:1657)
    [ariel_proxy.ariel_proxy_server]
    [aqw_remote_14:xxxxx-xxxx-xxxx-xxxx-xxxxx]
    ... 1 more
    09 August 2019
    RULES / RULE WIZARD IJ18085 THE RULE EDITOR DOES NOT DISPLAY THE SPECIAL SYMBOL " + " WHEN DISPLAYING RULE CONDITIONS CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505)
    QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002)

    Workaround
    No workaround available.

    Issue
    It has been identified that the Rule editor does not display the regex special symbol " + " when displaying the rule conditions in the stack.

    To replicate this issue:
    1. Log in to QRadar.
    2. Select Offenses -> Actions -> New event Rule.
    3. In the filter box, type "event matches this search filter" and add "when the event matches this search filter".
    4. Click "this search filter", select Payload Matches Regular Expression, and enter "Test\s+Test2\s+"Test3\s+Test4"\s+Test5\s+(Test6|123)".
    5. Click "Add +".

      Result
      All of the " + " symbols in the regular expression are removed in the "Current filters" list.

      Note: The issue described above is visual in nature only; the regex provided in the rule works as expected.
    02 August 2019
    REPORTS / QRADAR VULNERABILITY MANAGER (QVM) IJ18087 'MISSING PATCHES' REPORT CAN FAIL TO GENERATE WHEN THERE IS A LARGE SET OF VULNERABILITY SCAN DATA OPEN: Reported in QRadar 7.3.2 Patch 2 Contact Support for a possible workaround that might address this issue in some instances.

    It has been identified that when there is a large set of vulnerability data from vulnerability scans and the default 'Missing Patches' report is run, the report shows as 'Generating' until it stops and never actually generates. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [hostcontext.hostcontext]
    [xxxxx-xxxx-xxxx-xxxx-xxxxx/SequentialEventDispatcher]
    com.q1labs.hostcontext.tx.TxSentry: [WARN]
    [NOT:0000004000][127.0.0.1/- -] [-/- -]Found a process on host
    127.0.0.1 report_runner, pid=65806, TX age=651 secs
    02 August 2019
    REPORTS IJ18097 REPORTS CAN FAIL TO GENERATE WHEN REQUIRED SPILLOVER FOLDER WITH PERMISSIONS FAILS TO BE CREATED CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
    QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722)

    Workaround
    If you are unable to upgrade to a software version that resolves this issue, but experience this error, contact QRadar Support for a possible workaround that might address this issue in some instances.

    Issue
    It has been identified that reports can fail to generate because a required spillover folder with the proper permissions is not created as expected. The folder is required for report_runner to function. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [report_runner] [main]
    com.q1labs.cve.accumulation.definition.GlobalViewConfiguration:
    [ERROR] [-/- -]Error reading custom properities.
    [report_runner] [main]
    com.q1labs.frameworks.cache.SpilloverCacheException:
    java.lang.Exception: Unable to create cache directory in
    /store/transient/report_runner/CustomPropertyCache.
    Possibly insufficient permissions?
    [report_runner] [main]    at
    com.q1labs.frameworks.cache.ChainAppendCache.commitCurrentBuffer
    ToDisk(ChainAppendCache.java)
    [report_runner] [main]    at
    com.q1labs.frameworks.cache.ChainAppendCache.addDiskEntry(ChainA
    ppendCache.java:1129)
    [report_runner] [main]    at
    com.q1labs.frameworks.cache.ChainAppendCache.access$100(ChainApp
    endCache.java)
    [report_runner] [main]    at
    com.q1labs.frameworks.cache.ChainAppendCache$1.removeEldestEntry
    (ChainAppendCache.java:465)
    [report_runner] [main]    at
    java.util.LinkedHashMap.afterNodeInsertion(LinkedHashMap.java)
    [report_runner] [main]    at
    java.util.HashMap.putVal(HashMap.java)
    [report_runner] [main]    at
    java.util.HashMap.put(HashMap.java)
    [report_runner] [main]    at
    com.q1labs.frameworks.cache.ChainAppendCache$1.put(ChainAppendCa
    che.java)
    [report_runner] [main]    at
    com.q1labs.frameworks.cache.ChainAppendCache$1.put(ChainAppendCa
    che.java:)
    [report_runner] [main]    at
    com.q1labs.frameworks.cache.ChainAppendCache.put(ChainAppendCach
    e.java)
    [report_runner] [main]    at
    com.q1labs.core.shared.ariel.CustomPropertyServices.constructAnd
    CacheProperty(CustomPropertyServices.java)
    [report_runner] [main]    at
    com.q1labs.core.shared.ariel.CustomPropertyServices.loadCustomPr
    operty(CustomPropertyServices.java)
    [report_runner] [main]    at
    com.q1labs.core.shared.ariel.CustomPropertyServices.getCustomPro
    pertyNoCache(CustomPropertyServices.java)
    [report_runner] [main]    at
    com.q1labs.cve.accumulation.definition.GlobalViewConfiguration.t
    estCustomEventProperties(GlobalViewConfiguration.java)
    [report_runner] [main]    at
    com.q1labs.cve.accumulation.definition.GlobalViewConfiguration.r
    ead(GlobalViewConfiguration.java)
    [report_runner] [main]    at
    com.q1labs.cve.accumulation.definition.GlobalViewConfiguration.l
    oad(GlobalViewConfiguration.java)
    [report_runner] [main]    at
    com.q1labs.cve.accumulation.definition.GlobalViewConfiguration.g
    etInstance(GlobalViewConfiguration.java)
    [report_runner] [main]    at
    com.q1labs.reporting.charts.ArielChart.setData(ArielChart.java)
    [report_runner] [main]    at
    com.q1labs.reporting.ReportTemplate.rebuildTemplate(ReportTempla
    te.java)
    [report_runner] [main]    at
    com.q1labs.reporting.ReportTemplate.read(ReportTemplate.java)
    [report_runner] [main]    at
    com.q1labs.reporting.ReportServices.reload(ReportServices.java)
    [report_runner] [main]    at
    com.q1labs.reporting.ReportRunner.main(ReportRunner.java)
    [report_runner] [main] Caused by:
    [report_runner] [main] java.lang.Exception: Unable to create
    cache directory in
    /store/transient/report_runner/CustomPropertyCache.
    Possibly insufficient permissions?
    [report_runner] [main]    at
    com.q1labs.frameworks.cache.ChainAppendCache.commitCurrentBuffer
    ToDisk(ChainAppendCache.java)
    [report_runner] [main]    ... 21 more
    16 November 2020
    WINCOLLECT IJ18099 WINCOLLECT LOG SOURCES CAN BE MISSING A DAILY LOG FILE OPEN: Reported in WinCollect 7.2.8.145 and later No workaround available.

    It has been identified that WinCollect Log Sources can sometimes be missing one day of data when the WinCollect Agent is pulling daily log files. The WinCollect plugin can incorrectly identify that there are two active daily log files and, when this occurs, it only processes the latest log file, thereby skipping a daily log file.
    12 August 2019
    OFFENSES / NETWORK HIERARCHY IJ18103 THE QRADAR OFFENSE MODEL CAN EXPERIENCE REDUCED RESPONSIVENESS AFTER AN UPDATE IS MADE TO A LARGE NETWORK HIERARCHY OPEN: Reported in QRadar 7.3.1 Patch 6 IF01 No workaround available.

    It has been identified that when changes or updates are made to a large Network Hierarchy, the QRadar Offense model can experience an unexpected reduction in responsiveness and, in some instances, a TxSentry warning can also occur.

    Messages similar to the following might be visible in /var/log/qradar.log when a related TxSentry occurs:
    com.q1labs.hostcontext.tx.TxSentry: [WARN]
    [NOT:0000004000][127.0.0.1/- -] [-/- -]Found a process on host
    console: ecs-ep.ecs-ep, pid=106257 children= immediately=false,
    TX age=600 secs
    com.q1labs.hostcontext.tx.TxSentry: [WARN]
    [NOT:0000004000][127.0.0.1/- -] [-/- -] TX on host console:
    pid=106257 age=600 IP=127.0.0.1 port=54026 locks=113
    query='SELECT id, network FROM
    clean_netid_network_details_proc()'
    com.q1labs.hostcontext.tx.TxSentry: [WARN]
    [NOT:0000004000][127.0.0.1/- -] [-/- -] Lock acquired on host
    console: rel=attacker_tplu_idx age=600 granted=t
    mode=RowExclusiveLock query='SELECT id, network FROM
    clean_netid_network_detail'
    14 August 2019
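    Several entries above (IJ17433, IJ16965, IJ17942, IJ18069, IJ18087, IJ18097 and IJ18103) identify their issue by a message quoted from /var/log/qradar.log or /var/log/qradar-sql.log. The following added Python example, which is not IBM's code, turns those quoted messages into a triage scanner; its sample lines are constructed from the excerpts above, collapsed to one line per message as they appear in the real files (the page wraps them for display), and a hit is a lead to confirm against the APAR text, not a diagnosis, because the same message can have other causes.

```python
import re
from collections import defaultdict

# Indicative signatures taken from the APAR entries above: (log file, regex).
# A hit means the quoted message pattern is present, not that the APAR is
# confirmed; the same message can have other causes, so treat hits as leads.
SIGNATURES = {
    "IJ17433": ("qradar.log",
                r"ReportWizard: \[ERROR\].*Error setting chart data for chart Events/Logs"
                r"|IllegalArgumentException: key should not be null"),
    "IJ16965": ("qradar.log",
                r"EmailSender: \[ERROR\].*Sending the email to the following server failed"
                r"|java\.net\.BindException: Address already in use"),
    "IJ17942": ("qradar-sql.log",
                r"ERROR:\s+out of shared memory"
                r"|HINT:\s+You might need to increase max_locks_per_transaction"),
    "IJ18069": ("qradar.log",
                r"\[SearchCanceled\].*Reason:Maximum processed records number for query was exceeded"),
    "IJ18087": ("qradar.log",
                r"TxSentry: \[WARN\].*Found a process on host .*report_runner, pid=\d+, TX age=\d+ secs"),
    "IJ18097": ("qradar.log",
                r"SpilloverCacheException"
                r"|Unable to create cache directory in /store/transient/report_runner/CustomPropertyCache"),
    "IJ18103": ("qradar.log",
                r"TxSentry: \[WARN\].*clean_netid_network_detail"),
}
COMPILED = {apar: (logfile, re.compile(pat)) for apar, (logfile, pat) in SIGNATURES.items()}


def match_apars(logfile, lines):
    """Return {apar: [1-based line numbers]} for every signature hit in `lines`.
    `logfile` ("qradar.log" or "qradar-sql.log") selects which signatures apply."""
    hits = defaultdict(list)
    for n, line in enumerate(lines, start=1):
        for apar, (expected_log, rx) in COMPILED.items():
            if expected_log == logfile and rx.search(line):
                hits[apar].append(n)
    return dict(hits)


# IJ18069 is better confirmed by correlation than by a single line: the search
# is first cancelled for the Record Limit, yet the same search Id is cancelled
# again later for the execution time limit, which is the "not cancelled
# immediately" behaviour the entry describes.
CANCEL_RE = re.compile(r'\[SearchCanceled\].*details="Id:([^,]+),\s*Reason:([^"]+)"')
RECORD_LIMIT = "Maximum processed records number for query was exceeded"
TIME_LIMIT = "Query execution time limit was exceeded"


def record_limit_not_cancelled(lines):
    """Search Ids that show both cancel reasons (sorted), i.e. the IJ18069 pattern."""
    reasons = defaultdict(set)
    for line in lines:
        m = CANCEL_RE.search(line)
        if m:
            reasons[m.group(1).strip()].add(m.group(2).strip())
    return sorted(sid for sid, rs in reasons.items() if {RECORD_LIMIT, TIME_LIMIT} <= rs)


# Constructed sample lines (one log record per line, as in the real files).
SAMPLE_QRADAR_LOG = [
    "[tomcat.tomcat] [Admin@127.0.0.1 (2727) /console/do/reportwizard] com.q1labs.reports.ui.action.ReportWizard: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Error setting chart data for chart Events/Logs",
    "[ecs-ep] [[type=com.eventgnosis.system.ThreadedEventTerminator] [parent=console:ecs-ep/EP/EmailDestination]] java.net.BindException: Address already in use (Bind failed)",
    "[hostcontext.hostcontext] [SequentialEventDispatcher] com.q1labs.hostcontext.tx.TxSentry: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -]Found a process on host 127.0.0.1 report_runner, pid=65806, TX age=651 secs",
    "[report_runner] [main] com.q1labs.frameworks.cache.SpilloverCacheException: java.lang.Exception: Unable to create cache directory in /store/transient/report_runner/CustomPropertyCache. Possibly insufficient permissions?",
    'aqw_remote_27:search-a | [Action] [Search] [SearchCanceled] query canceled, details="Id:search-a, Reason:Maximum processed records number for query was exceeded"',
    'ariel_query_22:search-a | [Action] [Search] [SearchCanceled] query canceled, details="Id:search-a, Reason:Query execution time limit was exceeded"',
    'ariel_query_23:search-b | [Action] [Search] [SearchCanceled] query canceled, details="Id:search-b, Reason:Query execution time limit was exceeded"',
    "[hostcontext.hostcontext] [SequentialEventDispatcher] com.q1labs.hostcontext.tx.TxSentry: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/- -] TX on host console: pid=106257 age=600 IP=127.0.0.1 port=54026 locks=113 query='SELECT id, network FROM clean_netid_network_details_proc()'",
    "[ecs-ep] [main] com.q1labs.sem.util.EmailSender: [INFO] [-/- -]Notification sent",  # benign, no hit
]
SAMPLE_SQL_LOG = [
    "postgres[23015]: [1161-1] ERROR:  out of shared memory",
    "postgres[23015]: [1161-2] HINT:  You might need to increase max_locks_per_transaction.",
]


if __name__ == "__main__":
    print("qradar.log hits:", match_apars("qradar.log", SAMPLE_QRADAR_LOG))
    print("qradar-sql.log hits:", match_apars("qradar-sql.log", SAMPLE_SQL_LOG))
    print("IJ18069 searches:", record_limit_not_cancelled(SAMPLE_QRADAR_LOG))
```

To run it against a real file, read /var/log/qradar.log into a list of lines and pass it to match_apars with the matching log file name; search-b above is deliberately a plain time-limit cancel and is not reported by record_limit_not_cancelled.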
    ADVANCED SEARCH (AQL) IJ18156 QRADAR ADVANCED SEARCH FAILS WHEN THERE IS MORE THAN ONE OPERATOR IN A CONDITION CLOSED: Duplicate of IJ16392. Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

    Issue
    It has been identified that the QRadar Advanced Search (AQL) fails with a NullPointerException when there is more than one operator in a condition. Example of an Advanced Search that results in a NullPointerException:
    SELECT LOGSOURCETYPENAME(devicetype) AS "LogSourceType",
    LOGSOURCENAME(logsourceid) AS "LogSourceName",
    SUM(IF "File Hash" IS NULL AND "PANW-file-hash" IS NULL AND
    "PANW-traps-file-hash" IS NULL THEN 1 ELSE 0 END) AS "HashCount"
    FROM events
    GROUP BY logsourceid LAST 1 HOURS

    Messages similar to the following might be visible in /var/log/qradar.log when this issue is occurring:
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:51760] com.q1labs.ariel.ql.parser.Parser: [ERROR]
    [NOT:0000003000][127.0.0.1/- -] [-/-
    -]java.lang.NullPointerException:null
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:51760] java.lang.NullPointerException
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:51760] at
    com.q1labs.ariel.IndexTree.useTree(IndexTree.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:51760] at
    com.q1labs.ariel.IndexTree.createPredicate(IndexTree.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:51760] at
    com.q1labs.ariel.IndexTree.createPredicate(IndexTree.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:51760] at
    com.q1labs.ariel.ql.parser.FieldInfoCondition.getKeyCreator(Fiel
    dInfoCondition.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:51760] at
    com.q1labs.ariel.ql.parser.FieldInfoBase.getObjectType(FieldInfo
    Base.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:51760] at
    com.q1labs.ariel.ql.parser.ParserBase.createAggregateFunctionInf
    o(ParserBase.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:51760] at
    com.q1labs.ariel.ql.parser.ParserBase.processScalarFunction(Pars
    erBase.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:51760] at
    com.q1labs.ariel.ql.parser.ParserBase.processExpression(ParserBa
    se.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:51760] at
    com.q1labs.ariel.ql.parser.ParserBase.processExpression(ParserBa
    se.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:51760] at
    com.q1labs.ariel.ql.parser.ParserBase.processColumnContext(Parse
    rBase.java:428)
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:51760] at
    com.q1labs.ariel.ql.parser.ParserBase.processQueryContext(Parser
    Base.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:51760] at
    com.q1labs.ariel.ql.parser.ParserBase.createQueryParams(ParserBa
    se.java:1409)
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:51760] at
    com.q1labs.ariel.ql.parser.ParserBase.parseBatch(ParserBase.java
    :1636)
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:51760] at
    com.q1labs.ariel.ql.parser.Parser.parseStatement(Parser.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:51760] at
    com.q1labs.ariel.ql.parser.Parser.executeStatement(Parser.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:51760] at
    com.q1labs.ariel.ConnectedClient.processStatement(ConnectedClien
    t.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:51760] at
    com.q1labs.ariel.ConnectedClient.processMessage(ConnectedClient.
    java)
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:51760] at
    com.q1labs.ariel.ConnectedClient.run(ConnectedClient.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:51760] at
    java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExec
    utor.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:51760] at
    java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExe
    cutor.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:51760] at java.lang.Thread.run(Thread.java)
    14 August 2019
    EARLY WARNINGS / QRADAR VULNERABILITY MANAGER (QVM) IJ18159 THE QRADAR VULNERABILITY MANAGER (QVM) EARLY WARNINGS PROCESS CAN CAUSE UNEXPECTED SLOWNESS IN LOADING VULNERABILITY USER INTERFACE PAGES CLOSED Resolved in QRadar 7.4.0 (7.4.0.20200304205308)

    Workaround
    Install the latest version or contact Support for a possible workaround that might address this issue if you are unable to upgrade.

    Issue
    It has been identified that the QRadar Vulnerability Manager (QVM) early warnings process can cause QVM performance issues that sometimes lead to User Interface pages not loading data. Examples of the performance degradation:

    • Unexpected slowness while loading the Scan Results screen
    • Unexpected slowness on screens under the Administrative menu on the Vulnerabilities tab
    • Nightly QVM backup taking longer than expected
    • Scans not starting as expected.
    07 August 2019
    RULES IJ18161 CUSTOM RULE FAILS TO LOAD DUE TO ORPHANED LINK_UUID IN THE CUSTOM_RULE DATABASE TABLE CLOSED: Duplicate of IJ15968 and resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

    Issue
    It has been identified that a QRadar custom rule fails to load when it is associated with an orphaned link_uuid within the custom_rule table of the database.

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [ecs-ep.ecs-ep]
    [xxxx-xxxx-xxxx-xxxx-xxxx/SequentialEventDispatcher]
    com.q1labs.core.dao.cre.CustomRule: [ERROR]
    [NOT:0000003000][127.0.0.1/- -] [-/- -]Error while
    unmarshalling rule id 108018 from DB table custom_rule
    [ecs-ep.ecs-ep]
    [xxxx-xxxx-xxxx-xxxx-xxxx//SequentialEventDispatcher]
    java.lang.NullPointerException
    [ecs-ep.ecs-ep]
    [xxxx-xxxx-xxxx-xxxx-xxxx//SequentialEventDispatcher]
       at
    com.q1labs.core.dao.cre.CustomRule.getRule(CustomRule.java)
    [ecs-ep.ecs-ep]
    [xxxx-xxxx-xxxx-xxxx-xxxx//SequentialEventDispatcher]
    at com.q1labs.core.shared.cre.CREServices.getCustomRules(CREServices.
    java)
    [ecs-ep.ecs-ep]
    [xxxx-xxxx-xxxx-xxxx-xxxx//SequentialEventDispatcher]
    at com.q1labs.core.shared.cre.CREServices.getCustomRules(CREServices
    .java)
    [ecs-ep.ecs-ep]
    [xxxx-xxxx-xxxx-xxxx-xxxx//SequentialEventDispatcher]
    at com.q1labs.core.shared.cre.CREServices.getAllFlowAndEventRules(C
    REServices.java)
    [ecs-ep.ecs-ep]
    [xxxx-xxxx-xxxx-xxxx-xxxx//SequentialEventDispatcher]
    at com.q1labs.semsources.cre.CustomRuleReader.readRules(CustomRuleR
    eader.java:)
    [ecs-ep.ecs-ep]
    [xxxx-xxxx-xxxx-xxxx-xxxx//SequentialEventDispatcher]
    at
    com.q1labs.semsources.cre.CustomRuleReader.objectChanged(CustomR
    uleReader.java)
    [ecs-ep.ecs-ep]
    [xxxx-xxxx-xxxx-xxxx-xxxx//SequentialEventDispatcher]
    at
    com.q1labs.frameworks.events.config.ConfigurationChangeEvent.dis
    patchEvent(ConfigurationChangeEvent.java)
    [ecs-ep.ecs-ep]
    [xxxx-xxxx-xxxx-xxxx-xxxx//SequentialEventDispatcher]
    at
    com.q1labs.frameworks.events.SequentialEventDispatcher$DispatchT
    hread.run(SequentialEventDispatcher.java)
    14 August 2019
    RULES / BUILDING BLOCKS IJ18167 'URL (CUSTOM) IS CATEGORIZED BY X-FORCE AS ONE OF THE FOLLOWING CATEGORIES' IS DEFAULTED IN BUILDING BLOCK WHEN CREATING A RULE OPEN: Reported in QRadar 7.3.1 Patch 8 No workaround available.

    It has been identified that the following rule test can sometimes be defaulted in the Building Block when creating a rule: "and when URL (custom) is categorized by X-Force as one of the following categories"

    After attempting to change the default Custom Event Property (URL) to another Custom Event Property, the URL (custom) remains in the database and is still used by the rule.
    30 August 2019
    RULES / AQL IJ18181 UNABLE TO EDIT AQL FILTER IN A RULE WHEN '%\U' OR '%\X%' PARAMETERS ARE USED IN THE LIKE CLAUSE CLOSED Resolved in QRadar 7.4.1 (7.4.1.20200716115107)

    Workaround
    No workaround available.

    Issue
    It has been identified that an AQL filter in a Rule cannot be edited when '%\u%' or '%\x%' parameters are used in the Like clause.

    For example:
    1. Create a Custom Event Property called New Process Name.
    2. Create a rule that has the following AQL filter test.
    3. "New Process Name" ILIKE '%\u%' and Submit it.
    4. Attempt to edit the AQL filter by clicking on the filter Query.

      Results
      A blank screen is displayed. Note: The same behavior is observed when the AQL filter "New Process Name" ILIKE '%\x%' is used.
    16 August 2019
    SCAN RESULTS / QRADAR VULNERABILITY MANAGER (QVM) IJ18208 SELECTING 'SCAN RESULTS' ON THE VULNERABILITIES TAB CAN GENERATE 'APPLICATION ERROR' OR 'HTTP ERROR 404' CLOSED Resolved in
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002)

    Workaround
    Select the Vulnerabilities tab to display the scan results.

    It has been identified that selecting Scan Results on the Vulnerabilities tab can result in either "Application Error" or "HTTP ERROR 404" being displayed. This occurs when the host name in the Web browser's URL starts with "console". For example: console-12345.qradar.test.com.
    07 August 2019
    MANAGE VULNERABILITIES / DATA EXPORT IJ18235 TIMEZONE VALUES IN THE EXPORTED VULNERABILITIES FILE FROM QRADAR VULNERABILITY MANAGER (QVM) ARE GMT TIMEZONE INSTEAD OF THE SYSTEM TIMEZONE CLOSED Resolved in QRadar Vulnerability Manager 7.4.0 (7.4.0.20200304205308)

    Workaround
    No workaround available.

    Issue
    It has been identified that when vulnerabilities are exported from the Manage Vulnerabilities -> By Asset -> By Vulnerability Instance window in the QRadar User Interface (UI), the "first seen date" and "last seen date" time stamp values in the export file are in the GMT timezone instead of the system timezone.

    Note: The timezones are displayed correctly in the QRadar user interface; this issue only affects the timezone values that are included within the vulnerability export file.
    12 August 2019
    REPORTS / DAILY IJ18239 THE LEGEND FOR DAILY STACKED BAR CHART REPORTS WITH X-AXIS AS 'TIME' DOES NOT SORT AS EXPECTED OPEN: Reported in QRadar 7.3.1 Patch 8 Workaround: Do not use the Time X-Axis for daily reports using stacked bar charts.

    It has been identified that the legend for daily stacked bar chart reports with the X-axis set to Time does not sort as expected. The legend does not always correlate with the table results displayed.
    19 August 2019
    UPGRADE / RULES IJ18241 AFTER UPGRADE TO 7.3.2 PATCH 2, QRADAR USER INTERFACE RULE PAGE CAN FAIL TO LOAD AFTER A MANAGED HOST HAS BEEN REPLACED OPEN: Reported in QRadar 7.3.2 Patch 2 Contact Support for a possible workaround that might address this issue in some instances.

    It has been identified that the Rule page can fail to load in the QRadar User Interface after upgrading to QRadar 7.3.2 Patch 2. This is due to the presence of an old hostid in the basehostid column of the custom rule table after a Managed Host has been replaced.

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [tomcat.tomcat [admin@127.0.0.1 (1593749)
    /console/do/rulewizard/maintainRules]
    com.q1labs.uiframeworks.action.ExceptionHandler: [ERROR]
    [NOT:0000003000][127.0.0.1/- -] [-/- -]An exception occurred
    while processing the request:
    [tomcat.tomcat] [admin@127.0.0.1 (1593749)
    /console/do/rulewizard/maintainRules]
    java.lang.NullPointerException
    [tomcat.tomcat] [admin@127.0.0.1 (1593749)
    /console/do/rulewizard/maintainRules] at
    com.q1labs.sem.ui.semservices.RuleWizardForm.getAnalysis(RuleWiz
    ardForm.java)
    [tomcat.tomcat] [admin@127.0.0.1 (1593749)
    /console/do/rulewizard/maintainRules] at
    com.q1labs.sem.ui.semservices.RuleWizardForm.copyInitialDataFrom
    DAO(RuleWizardForm.java:2139)
    [tomcat.tomcat] [admin@127.0.0.1 (1593749)
    /console/do/rulewizard/maintainRules] at
    com.q1labs.sem.ui.semservices.RuleWizardForm.summaryCopyFromDAO(
    RuleWizardForm.java)
    [tomcat.tomcat] [admin@127.0.0.1 (1593749)
    /console/do/rulewizard/maintainRules] at
    com.q1labs.sem.ui.action.MaintainRules.getAllRules(MaintainRules.java)
    [tomcat.tomcat] [admin@127.0.0.1 (1593749)
    /console/do/rulewizard/maintainRules] at
    sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    [tomcat.tomcat] [admin@127.0.0.1 (1593749)
    /console/do/rulewizard/maintainRules] at
    sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessor
    Impl.java)
    [tomcat.tomcat] [admin@127.0.0.1 (1593749)
    /console/do/rulewizard/maintainRules] at
    sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethod
    AccessorImpl.java)
    [tomcat.tomcat] [admin@127.0.0.1 (1593749)
    /console/do/rulewizard/maintainRules] at
    java.lang.reflect.Method.invoke(Method.java)
    19 August 2019
    ROUTING RULES / EVENT COLLECTORS (15xx) IJ18322 ONLINE SELECTIVE FORWARDING GENERATES NULLPOINTEREXCEPTION WHEN EVENTS ARE COLLECTED AND 'STORE EVENT PAYLOAD' IS NOT SELECTED CLOSED Resolved in QRadar 7.4.0 (7.4.0.20200304205308)

    Workaround
    Open the Log Source(s) collecting the event(s) and ensure that 'Store Event Payload' is selected.

    Issue
    It has been identified that Online Selective Forwarding reports dropped events and generates a NullPointerException in the /var/log/qradar.error log when an event is collected with the 'Store Event Payload' option unchecked for the Log Source.

    Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs:
    selectiveforwarding.SelectiveForwardingCommunicatorThread:
    [WARN] [-/--]Exceeded maximum number of retries, dropping event.
    and also:
    [ecs-ec.ecs-ec] [SelectiveForwardingCommunictorThread_60]
    .sem.selectiveforwarding.SelectiveForwardingCommunicatorThread:
    [ERROR] [-/--]SelectiveForwardingSender disconnected because of:
    [ecs-ec.ecs-ec] [SelectiveForwardingCommunictorThread_60]
    java.lang.NullPointerException
    [ecs-ec.ecs-ec] [SelectiveForwardingCommunictorThread_60] at
    java.util.regex.Matcher.getTextLength(Matcher.java)
    [ecs-ec.ecs-ec] [SelectiveForwardingCommunictorThread_60] at
    java.util.regex.Matcher.reset(Matcher.java)
    [ecs-ec.ecs-ec] [SelectiveForwardingCommunictorThread_60] at
    java.util.regex.Matcher.{init}(Matcher.java)
    [ecs-ec.ecs-ec] [SelectiveForwardingCommunictorThread_60] at
    java.util.regex.Pattern.matcher(Pattern.java)
    [ecs-ec.ecs-ec] [SelectiveForwardingCommunictorThread_60] at
    com.q1labs.core.dao.selectiveforwarding.light.SelectiveForwardin
    gDestination.isPayloadHeaderMissing(SelectiveForwardingDestinati
    on.java)
    [ecs-ec.ecs-ec] [SelectiveForwardingCommunictorThread_60] at
    com.q1labs.sem.forwarding.mapping.ForwardingPayloadMapping.put(F
    orwardingPayloadMapping.java)
    [ecs-ec.ecs-ec] [SelectiveForwardingCommunictorThread_60] at
    com.q1labs.sem.forwarding.network.ForwardingUDPConnector.send(Fo
    rwardingUDPConnector.java)
    [ecs-ec.ecs-ec] [SelectiveForwardingCommunictorThread_60] at
    com.q1labs.sem.selectiveforwarding.SelectiveForwardingCommunicat
    orThread.process(SelectiveForwardingCommunicatorThread.java)
    [ecs-ec.ecs-ec] [SelectiveForwardingCommunictorThread_60] at
    com.q1labs.sem.selectiveforwarding.SelectiveForwardingCommunicat
    orThread.run(SelectiveForwardingCommunicatorThread.java)
    [ecs-ec.ecs-ec] [SelectiveForwardingCommunictorThread_60]
    com.q1labs.sem.selectiveforwarding.SelectiveForwardingCommunicat
    orThread: [WARN] [NOT:0000004000][127.0.0.1/- -] [-/-
    -]Exceeded maximum number of retries, dropping event.
    19 August 2019
    DATA EXPORT / LOG ACTIVITY IJ18323 LOG ACTIVITY CSV DATA EXPORT DOES NOT CONTAIN THE COLUMN NAME FOR 'PAYLOAD' OPEN: Reported in QRadar 7.3.1 Patch 6 No workaround available.

    It has been identified that output from Log Activity -> Actions -> Export to CSV does not contain the header/column name for 'Payload'.
    19 August 2019
    AUTHENTICATION (LDAP) / ACCESS IJ18324 QRADAR USER FAILS TO LOGIN SUCCESSFULLY WHEN USERNAME DOES NOT MATCH CASE WHEN USING EXTERNAL AUTHENTICATION IN 7.3.2 PATCH 3 OPEN: Reported in QRadar 7.3.2 Patch 3 and later Workaround: Login with a username that exactly matches the case of the QRadar user delegate.

    It has been identified that when external authentication is active/enabled in QRadar 7.3.2 Patch 3 (e.g. LDAP Authentication), QRadar users attempting to log in with usernames that do not exactly match the case of their QRadar user delegate cause a NullPointerException to be generated and the user login attempt fails.

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [tomcat.tomcat] [TestTest@127.0.0.1  (2271)
    /console/login] java.lang.NullPointerException
    [tomcat.tomcat] [TestTest@127.0.0.1  (2271) /console/login]
    at com.q1labs.uiframeworks.auth.UserNamePasswordAuthentication.
    authenticate(UserNamePasswordAuthentication.java)
    [tomcat.tomcat] [TestTest@127.0.0.1  (2271) /console/login]
    at com.q1labs.uiframeworks.auth.LoginEndpoint.authenticate
    (LoginEndpoint.java)
    [tomcat.tomcat] [TestTest@127.0.0.1  (2271) /console/login]
    at com.q1labs.uiframeworks.auth.LoginEndpoint.login
    (LoginEndpoint.java)
    [tomcat.tomcat] [TestTest@127.0.0.1  (2271) /console/login]
    at com.q1labs.uiframeworks.auth.LoginEndpoint.doPost
    (LoginEndpoint.java)
    13 August 2019
    AUTO UPDATE / DISK SPACE IJ18327 WHEN AUTOUPDATE EXPERIENCES AN OUT OF MEMORY INSTANCE THE RESULTING DUMP FILE IS CREATED IN THE ROOT " / " PARTITION OPEN: Reported in QRadar 7.3.2 versions Contact Support for a possible workaround that might address this issue in some instances.

    It has been identified that in instances of AutoUpdate experiencing an Out Of Memory occurrence, the resulting dump file (e.g. core.20190109.005124.183434.0001.dmp) is written to the Root " / " partition.

    Note: Required services on a QRadar appliance are stopped when less than 5% free space is detected in a monitored partition until the free space issue is corrected.
    14 August 2019
    AUTO UPDATE / PROXY IJ18339 QRADAR AUTOUPDATE CAN FAIL TO RUN WHEN A PROXY SERVER IS CONFIGURED DUE TO MISSING LIBRARY OPEN: Reported in QRadar 7.3.2 versions Workaround: Contact Support for a possible workaround that might address this issue in some instances or see the following technical note for more information: Auto Update Proxy Issues "500 SSL NEGOTIATION FAILED" (Updated).

    It has been identified that in some instances, AutoUpdate can fail to run when configured to connect using a proxy server. The specific instances in this APAR of AutoUpdate failing to run when configured to use a proxy server are due to the missing library:
    LWP-Protocol-connect-6.09
    Messages similar to the following might be visible in the Autoupdate logs when this issue occurs:
    [DEVEL] Attempting to retrieve
    https://qmmunity.q1labs.com/autoupdates/manifest_list?version=7.
    3.2.20190522204210&customer=&lastau=1561730898&la
    stpatch=1561730898&vendor=Q1%20Labs
    [WARN] Could not retrieve "manifest_list": 500 Can't connect to
    {proxy_server}:3128 (Crypt-SSLeay can't verify hostnames)
    14 August 2019
    DATA EXPORT / QRADAR ON CLOUD IJ18449 UNABLE TO DOWNLOAD EXPORTS MESSAGE 'YOUR EXPORT JOB HAS COMPLETED. THE FILE SIZE EXCEEDS THE EMAIL ATTACHMENT LIMIT...' OPEN: Reported in QRadar 7.3.2 versions Contact Support for a possible workaround that might address this issue in some instances.

    It has been identified that exports that are too large to be sent by email cannot be downloaded within QRadar on Cloud environments. Messages similar to the following might be visible in the user interface when this issue occurs:
    'Your export job has completed. The file size
    exceeds the email attachment limit, you can download the
    results using the below link.
    
    Note that the link is valid for one download only.'
    https:///console/exportData?jobId=xxxxxx-xxxx-xxxx
    26 August 2019
    ADVANCED SEARCH (AQL) IJ18455 RUNTIMEEXCEPTION GENERATED IN QRADAR LOGGING WHEN AN INVALID AQL IS RUN RATHER THAN PROPER AQL PARSER REJECTION OPEN: Reported in QRadar 7.3.2 Patch 3 No workaround available.

    It has been identified that a runtime exception is generated when executing an invalid Advanced Search (AQL) that has aggregate functions in the WHERE clause, instead of the search being rejected by the AQL parser. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:59740] com.q1labs.ariel.ConnectedClient:
    [WARN] [-/- -]Ariel Server cannot decode command,
    cmd=Execute statement - AQLRequest ["select qid
    from events where max(qid)!=0", PARSE]
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:59740] java.lang.RuntimeException:
    Unable to write Serializable
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:59740] at
    com.q1labs.frameworks.nio.network.protocol.
    Mappings$SerializableMapping.put(Mappings.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:59740] at
    com.q1labs.frameworks.nio.network.protocol.Mappings$Serializable
    Mapping.put(Mappings.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:59740] at
    com.q1labs.frameworks.nio.network.
    protocol.Protocol.putMappable(Protocol.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:59740] at
    com.q1labs.frameworks.nio.network.protocol.Protocol.
    write(Protocol.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:59740] at
    com.q1labs.frameworks.nio.network.protocol.
    Protocol.writeAndFlush(Protocol.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:59740] at
    com.q1labs.frameworks.nio.network.
    CommunicatorBase.writeAndFlush(CommunicatorBase.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:59740] at
    com.q1labs.frameworks.nio.network.Communicator.
    writeAndFlush(Communicator.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:59740] at
    com.q1labs.ariel.ConnectedClient.processMessage
    (ConnectedClient.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:59740] at
    com.q1labs.ariel.ConnectedClient.run(ConnectedClient.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:59740] at
    java.util.concurrent.ThreadPoolExecutor.runWorker
    (ThreadPoolExecutor.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:59740] at
    java.util.concurrent.ThreadPoolExecutor$Worker.run
    (ThreadPoolExecutor.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:59740] at java.lang.Thread.run(Thread.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:59740] Caused by:
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:59740] java.io.NotSerializableException:
    com.q1labs.ariel.ql.parser.AggregateFunctionInfo
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:59740] at
    java.io.ObjectOutputStream.writeObject0
    (ObjectOutputStream.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:59740] at
    java.io.ObjectOutputStream.defaultWriteFields
    (ObjectOutputStream.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:59740] at
    java.io.ObjectOutputStream.writeSerialData
    (ObjectOutputStream.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:59740] at
    java.io.ObjectOutputStream.writeOrdinary
    Object(ObjectOutputStream.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:59740] at
    java.io.ObjectOutputStream.writeObject0
    (ObjectOutputStream.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:59740] at
    java.io.ObjectOutputStream.defaultWriteFields
    (ObjectOutputStream.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:59740] at
    java.io.ObjectOutputStream.writeSerialData
    (ObjectOutputStream.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:59740 at
    java.io.ObjectOutputStream.writeOrdinaryObject
    (ObjectOutputStream.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:59740] at
    java.io.ObjectOutputStream.writeOrdinaryObject
    (ObjectOutputStream.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:59740] at
    java.io.ObjectOutputStream.writeObject0
    (ObjectOutputStream.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:59740] at
    java.io.ObjectOutputStream.writeObject
    (ObjectOutputStream.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:59740] at
    com.q1labs.frameworks.nio.network.protocol.
    Mappings$SerializableMapping.put(Mappings.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client
    /127.0.0.1:59740] 
    26 August 2019
    QRADAR ADVISOR WITH WATSON IJ18462 QRADAR ADVISOR WITH WATSON APP TAB IS BLANK WITH 'FAILED TO LOAD INVESTIGATIONS' MESSAGE OPEN: Reported in QRadar 7.3.1 Patch 6 Interim Fix 02 Contact Support for a possible workaround that might address this issue in some instances.

    It has been identified that in instances where the QRadar Offense API is attempting to handle very large queries, the QRadar Advisor With Watson App tab can sometimes be blank with only the message 'Failed to load investigations' being displayed.
    26 August 2019
    SCAN RESULTS / QRADAR VULNERABILITY MANAGER (QVM) IJ18486 RED TRIANGLE 'ASSET MODEL HAS NOT BEEN UPDATED' CAN BE INCORRECTLY DISPLAYED FOR SCAN RESULTS FROM QRADAR VULNERABILITY MANAGER (QVM) OPEN: Reported in QRadar 7.3.1 and later Contact Support for a possible workaround that might address this issue in some instances.

    It has been identified that in some instances where the asset model has been updated, the "Asset Model has not been updated" red warning triangle is incorrectly displayed on the QRadar Vulnerability Manager Scan Results.
    30 August 2019
    RULE TEST / DISK SPACE IJ18492 /VAR/LOG PARTITION CAN FILL WITH EXCEPTION THROWN WHEN USING 'CHAINED EXPLOIT FOLLOWED BY SUSPICIOUS EVENTS' RULE TEST OPEN: Reported in QRadar 7.3.2 Patch 2 No workaround available.

    It has been identified that an exception is thrown during the test of the Custom Rule Engine rule "Chained Exploit Followed by Suspicious Events". As events are tested against rules, the following exception is thrown for every test and can quickly fill up the /var/log partition. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [ecs-ep.ecs-ep] [CRE Processor [4]]
    com.q1labs.semsources.cre.CustomRule:
    [ERROR] [-/- -]Exception in rule 100106
    - Chained Exploit Followed by Suspicious Events:
    Entry.next=null, data[removeIndex]={ipaddress}=package
    com.q1labs.semsources.cre.tests.gen.RuleSequence_SourceIP_In@a57
    ddb4a previous={ipaddress}=package
    com.q1labs.semsources.cre.tests.gen.RuleSequence_SourceIP_In@a57
    ddb4a key={ipaddress}value=package
    com.q1labs.semsources.cre.tests.gen.RuleSequence_SourceIP_In@af1
    35446 size=25000 maxSize=25000 Please check that your keys are
    immutable, and that you have used synchronization properly. If
    so, then please report this to commons-dev@jakarta.apache.org
    as a bug.
    [ecs-ep.ecs-ep] [CRE Processor [4]]
    java.lang.IllegalStateException: Entry.next=null,
    data[removeIndex]={ipaddress}=package
    com.q1labs.semsources.cre.tests.gen.RuleSequence_SourceIP_In@a57
    ddb4a previous={ipaddress}=package
    com.q1labs.semsources.cre.tests.gen.RuleSequence_SourceIP_In@a57
    ddb4a key={ipaddress} value=package
    com.q1labs.semsources.cre.tests.gen.RuleSequence_SourceIP_In@af1
    35446 size=25000 maxSize=25000 Please check that your keys are
    immutable, and that you have used synchronization properly. If
    so, then please report this to commons-dev@jakarta.apache.org
    as a bug.
    [ecs-ep.ecs-ep] [CRE Processor [4]] at
    org.apache.commons.collections.map.LRUMap.reuseMapping
    (LRUMap.java)
    [ecs-ep.ecs-ep] [CRE Processor [4]] at
    com.q1labs.frameworks.cache.LFUMap.reuseMapping(LFUMap.java)
    [ecs-ep.ecs-ep] [CRE Processor [4]] at
    org.apache.commons.collections.map.LRUMap.addMapping
    (LRUMap.java)
    [ecs-ep.ecs-ep] [CRE Processor [4]] at
    org.apache.commons.collections.map.AbstractHashedMap.
    put(AbstractHashedMap.java)
    [ecs-ep.ecs-ep] [CRE Processor [4]] at
    com.q1labs.frameworks.cache.LFUMap.put(LFUMap.java)
    [ecs-ep.ecs-ep] [CRE Processor [4]] at
    com.q1labs.semsources.cre.tests.DoubleSequenceFunction_Test.test
    (DoubleSequenceFunction_Test.java)
    [ecs-ep.ecs-ep] [CRE Processor [4]]    at
    com.q1labs.semsources.cre.tests.CREStatefulEventTest.test(CRESta
    tefulEventTest.java)
    [ecs-ep.ecs-ep] [CRE Processor [4]]    at
    com.q1labs.semsources.cre.gen.TestExecutor_1_0.test(TestExecutor
    _1_0.java)
    [ecs-ep.ecs-ep] [CRE Processor [4]]    at
    com.q1labs.semsources.cre.CustomRule.test(CustomRule.java:519)
    [ecs-ep.ecs-ep] [CRE Processor [4]]    at
    com.q1labs.semsources.cre.CustomRule.test(CustomRule.java:476)
    [ecs-ep.ecs-ep] [CRE Processor [4]]    at
    com.q1labs.semsources.cre.CustomRuleSetExecutor.testRule(CustomR
    uleSetExecutor.java:342)
    [ecs-ep.ecs-ep] [CRE Processor [4]]    at
    com.q1labs.semsources.cre.CustomRuleSetExecutor.test(CustomRuleS
    etExecutor.java:210)
    [ecs-ep.ecs-ep] [CRE Processor [4]]    at
    com.q1labs.semsources.cre.LocalRuleExecutor.processEventInProper
    tyMode(LocalRuleExecutor.java:229)
    [ecs-ep.ecs-ep] [CRE Processor [4]]    at
    com.q1labs.semsources.cre.LocalRuleExecutor.processEvent(LocalRu
    leExecutor.java:158)
    [ecs-ep.ecs-ep] [CRE Processor [4]]    at
    com.q1labs.semsources.cre.CREEventProcessor.processEvent(CustomR
    uleEngine.java:521)
    [ecs-ep.ecs-ep] [CRE Processor [4]]    at
    com.q1labs.semsources.cre.CREEventProcessor.run(CustomRuleEngine
    .java:464)
    26 August 2019
    QRADAR APPS / HIGH AVAILABILITY (HA) IJ18520 QRADAR APPS CAN FAIL TO LOAD AFTER A FAILOVER IS PERFORMED TO A REBUILT PRIMARY HIGH AVAILABILITY APPLIANCE OPEN: Reported in QRadar 7.3.2 Patch 2 Contact Support for a possible workaround that might address this issue in some instances.

    It has been identified that when a High Availability Primary appliance is rebuilt, QRadar Apps can fail to load after the first failover back to that Primary appliance is performed. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [hostcontext.hostcontext] [pool-1-thread-2]
    com.ibm.si.api.workload.v1.ApiException:
    java.net.UnknownHostException: [xxxxxxxxx].localdeployment:
    .localdeployment: unknown error
    26 August 2019
    ADVANCED SEARCH (AQL) IJ18551 ADVANCED SEARCH (AQL) THAT USES A REFERENCE SET ASSIGNED TO A TENANT FAILS TO RETURN RESULTS AND GENERATES ERROR OPEN: Reported in QRadar 7.3.2 Patch 2 Workaround: Advanced Search (AQL) which uses a filter based on Reference Set assigned to Shared and Domain works as expected.

    It has been identified that running an Advanced Search (AQL) that uses a Reference Set assigned to a Tenant fails with an error similar to:
    "ReferenceSetfunction : Unknown reference data collection '{reference_set}'
    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:40510] com.q1labs.ariel.ql.parser.Parser: [ERROR][-/- -]ReferenceSet function: Unknown reference data collection '{reference_set}'
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:40510] com.q1labs.frameworks.nio.exceptions.ExtendedRuntimeException: ReferenceSet function: Unknown reference data collection {reference_set}
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:40510] at com.q1labs.core.aql.AbstractRefDataCollectionFunction.load(AbstractRefDataCollectionFunction.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:40510] at com.q1labs.core.aql.ReferenceSet$1.call(ReferenceSet.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:40510] at com.q1labs.core.aql.ReferenceSet$1.call(ReferenceSet.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:40510] at com.q1labs.core.aql.AbstractRefDataCollectionFunction.exceptionWrapper(AbstractRefDataCollectionFunction.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:40510] at com.q1labs.core.aql.ReferenceSet.getArgumentTypes(ReferenceSet.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:40510] at com.q1labs.ariel.ql.parser.ScalarFunctionInfo.create(ScalarFunctionInfo.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:40510] at com.q1labs.ariel.ql.parser.ParserBase.processScalarFunction(ParserBase.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:40510] at com.q1labs.ariel.ql.parser.ParserBase.processBooleanExpression(ParserBase.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:40510] at com.q1labs.ariel.ql.parser.ParserBase.processBooleanExpression(ParserBase.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:40510] at com.q1labs.ariel.ql.parser.ParserBase.processBooleanExpression(ParserBase.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:40510] at com.q1labs.ariel.ql.parser.ParserBase.processBooleanExpression(ParserBase.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:40510] at com.q1labs.ariel.ql.parser.ParserBase.processBooleanExpression(ParserBase.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:40510] at com.q1labs.ariel.ql.parser.ParserBase.createQueryParams(ParserBase.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:40510] at com.q1labs.ariel.ql.parser.ParserBase.parseBatch(ParserBase.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:40510] at com.q1labs.ariel.ql.parser.Parser.parseStatement(Parser.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:40510] at com.q1labs.ariel.ql.parser.Parser.executeStatement(Parser.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:40510] at com.q1labs.ariel.ConnectedClient.processStatement(ConnectedClient.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:40510] at com.q1labs.ariel.ConnectedClient.processMessage(ConnectedClient.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:40510] at com.q1labs.ariel.ConnectedClient.run(ConnectedClient.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:40510] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:40510] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java)
    [ariel_proxy.ariel_proxy_server] [ariel_client /127.0.0.1:40510] at java.lang.Thread.run(Thread.java)
    26 August 2019
    REFERENCE SETS IJ18553 INSTANCES OF NO SEARCH RESULTS RETURNED CAN OCCUR FOR USER ROLES WITH 'READ ONLY' PERMISSIONS ON REFERENCE SETS CLOSED Resolved in QRadar 7.4.1 (7.4.1.20200716115107)

    Workaround
    Contact Support for a possible workaround that might address this issue in some instances.

    Issue
    It has been identified that users of a particular user role with read only access can experience issues when searching through reference sets. When opening the "View Reference Sets" window through Log Activity -> Add Filter -> Reference Set -> View Reference Set, they can enter a name to search on the reference set names, but after pressing Enter the window does not update to reflect the search that was performed. When a field to sort on (Name, Type, ...) is selected, the window updates to reflect the search.
    26 August 2019
    APPLICATION FRAMEWORK / APP INSTALL IJ18610 APPS CONTAINING A NULL PAYLOAD IN ARIEL_PROPERTY_EXPRESSION DATABASE TABLE FAIL TO INSTALL AT QRADAR 7.3.2 PATCH 3 CLOSED Resolved in QRadar 7.3.2 Patch 4 (7.3.2.20190803012943)

    It has been identified that after patching to QRadar 7.3.2 Patch 3, QRadar Apps that have a null payload in the database table ariel_property_expression (e.g. Cb Defense App for IBM QRadar) fail to install. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [tomcat.tomcat] [admin@127.0.0.1] com.ibm.si.content_management.Content: [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]Failed to import [device_ext]
    [tomcat.tomcat] [admin@127.0.0.1] java.lang.NullPointerException
    [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.content_management.utils.ContentMgmtChangeTracker.buildChanges(ContentMgmtChangeTracker.java)
    [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.content_management.utils.ContentMgmtChangeTracker.buildUpdateChanges(ContentMgmtChangeTracker.java)
    [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.content_management.Content.updateContent(Content.java)
    [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.content_management.Content.importContent(Content.java)
    [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.content_management.Content.importCustomContent(Content.java)
    [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.content_management.ContentManager.importContent(ContentManager.java)
    [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.content_management.ContentManager.doImport(ContentManager.java)
    [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.data_ingestion.api.impl.cmt.install.ExtensionInstaller.doImport(ExtensionInstaller.java)
    [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.data_ingestion.api.impl.cmt.install.ExtensionInstaller.installExtension(ExtensionInstaller.java)
    [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.data_ingestion.api.impl.cmt.tasks.InstallExtensionTask.runTask(InstallExtensionTask.java)
    [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.frameworks.taskmanagement.Task.run(Task.java)
    [tomcat.tomcat] [admin@127.0.0.1] at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java)
    [tomcat.tomcat] [admin@127.0.0.1] at java.util.concurrent.FutureTask.run(FutureTask.java)
    [tomcat.tomcat] [admin@127.0.0.1] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java)
    [tomcat.tomcat] [admin@127.0.0.1] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java)
    [tomcat.tomcat] [admin@127.0.0.1] at java.lang.Thread.run(Thread.java)
    [tomcat.tomcat] [admin@127.0.0.1] com.q1labs.frameworks.session.SessionContext: [WARN] [-/- -]Attempt made to begin nested read-write transaction
    [tomcat.tomcat] [admin@127.0.0.1] java.lang.Exception
    [tomcat.tomcat] [admin@127.0.0.1] at com.q1labs.frameworks.session.SessionContext.beginTransaction(SessionContext.java)
    [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.content_management.utils.ContentMgmtChangeTracker.buildChanges(ContentMgmtChangeTracker.java)
    [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.content_management.utils.ContentMgmtChangeTracker.buildUpdateChanges(ContentMgmtChangeTracker.java)
    [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.content_management.Content.updateContent(Content.java)
    [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.content_management.Content.importContent(Content.java)
    [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.content_management.Content.importCustomContent(Content.java)
    [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.content_management.ContentManager.importContent(ContentManager.java)
    [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.content_management.ContentManager.doImport(ContentManager.java)
    [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.data_ingestion.api.impl.cmt.install.ExtensionInstaller.doImport(ExtensionInstaller.java)
    [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.data_ingestion.api.impl.cmt.install.ExtensionInstaller.installExtension(ExtensionInstaller.java)
    [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.data_ingestion.api.impl.cmt.tasks.InstallExtensionTask.runTask(InstallExtensionTask.java)
    [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.frameworks.taskmanagement.Task.run(Task.java)
    [tomcat.tomcat] [admin@127.0.0.1] at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java)
    [tomcat.tomcat] [admin@127.0.0.1] at java.util.concurrent.FutureTask.run(FutureTask.java:277)
    [tomcat.tomcat] [admin@127.0.0.1] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java)
    [tomcat.tomcat] [admin@127.0.0.1] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java)
    [tomcat.tomcat] [admin@127.0.0.1] at java.lang.Thread.run(Thread.java)
    30 August 2019
    HIGH AVAILABILITY (HA) IJ18607 ADDING AN APPLIANCE INTO HIGH AVAILABILITY FAILS WHEN HOSTNAME ENDS WITH [.LOCALDOMAIN] CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)

    Workaround
    Do not use appliance hostnames ending in .localdomain. The following technical note explains how to use qchange_netsetup:
    QRadar: Changing the network settings of managed hosts.

    Issue
    It has been identified that adding an appliance into High Availability (HA) fails when the appliance hostname ends in .localdomain. Messages similar to the following might be visible in the ha_setup.log file when this issue occurs:
    [HA Setup (S-M----)] [ERROR] Unexpected error.
    Failed to calculate maximum secondary size
    26 November 2020
    AUTHENTICATION / HIGH AVAILABILITY (HA) IJ18609 ACTIVE DIRECTORY AUTHENTICATION LOGIN FAILS AFTER A FAILOVER TO HIGH AVAILABILITY SECONDARY CONSOLE OPEN: Reported in QRadar 7.3.1 versions. Contact Support for a possible workaround that might address this issue in some instances.

    It has been identified that in some instances QRadar Active Directory authentication can fail after a failover to a High Availability secondary console has occurred. In these specific instances of Active Directory login failure, the /etc/krb5.conf file has been emptied out and is a 0 byte file.
    30 August 2019
    SCHEDULED SCANS IJ18337 QRADAR VULNERABILITY MANAGER (QVM) SCAN JOBS THAT USE ADVANCED RUN SCHEDULE OPTION FAIL TO RUN OPEN: Reported in QRadar 7.3.2 versions. Workaround: Edit the scan profile to use a daily, weekly, or monthly schedule.

    It has been identified that QRadar Vulnerability Manager scan jobs that use the advanced run schedule option fail to run. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [qvmprocessor.qvmprocessor] [qvmScheduler_Worker-1] org.quartz.core.JobRunShell: [ERROR] Job qvmScheduling.113 threw an unhandled Exception:
    [qvmprocessor.qvmprocessor] [qvmScheduler_Worker-1] java.lang.NoSuchMethodError: com/q1labs/core/shared/permissions/UserManager.getDeployedUserById(J)Lcom/q1labs/core/dao/permissions/light/User; (loaded from file:/opt/qradar/jars/q1labs_core.jar by sun.misc.Launcher$AppClassLoader@ccd55a90) called from class com.q1labs.qvm.workflow.processor.security.user.UserManagerUserLocator (loaded from file:/opt/qradar/jars/q1labs_qvmworkflow.jar by sun.misc.Launcher$AppClassLoader@ccd55a90).
    [qvmprocessor.qvmprocessor] [qvmScheduler_Worker-1] at com.q1labs.qvm.workflow.processor.security.user.UserManagerUserLocator.getUserByUserId(UserManagerUserLocator.java:44)
    [qvmprocessor.qvmprocessor] [qvmScheduler_Worker-1] at com.q1labs.qvm.workflow.processor.ws.scanprofile.ScanProfileServiceImpl.setLastUserName(ScanProfileServiceImpl.java)
    [qvmprocessor.qvmprocessor] [qvmScheduler_Worker-1] at com.q1labs.qvm.workflow.scheduler.ScheduleScan.executeInternal(ScheduleScan.java:50)
    [qvmprocessor.qvmprocessor] [qvmScheduler_Worker-1] at org.springframework.scheduling.quartz.QuartzJobBean.execute(QuartzJobBean.java:114)
    [qvmprocessor.qvmprocessor] [qvmScheduler_Worker-1] at org.quartz.core.JobRunShell.run(JobRunShell.java:206)
    [qvmprocessor.qvmprocessor] [qvmScheduler_Worker-1] at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java
    19 August 2019
    BACKUP & RECOVERY IJ14189 DATA BACKUPS CAN FAIL (TIME OUT) WHEN A BACKEND "PS" COMMAND HANGS CLOSED Resolved in:
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Patch 1 (7.3.3.20191203144110)
    QRadar 7.3.2 Patch 6 (7.3.3.20191224145010)

    It has been identified that data backups can fail when a backend ps command hangs. A QRadar notification similar to "Backup: last backup exceeded execution threshold error." might be displayed, and messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [hostcontext.hostcontext] [Backup] com.q1labs.hostcontext.backup.core.BackupUtils: [ERROR] [-/- -]Cannot execute 'ps -e -o pid -o ppid -o cmd'
    [hostcontext.hostcontext] [Backup] java.lang.InterruptedException
    [hostcontext.hostcontext] [Backup]    at java.lang.Object.wait(Native Method)
    [hostcontext.hostcontext] [Backup]    at java.lang.Object.wait(Object.java:189)
    [hostcontext.hostcontext] [Backup]    at java.lang.UNIXProcess.waitFor(UNIXProcess.java)
    [hostcontext.hostcontext] [Backup]    at com.q1labs.hostcontext.backup.core.BackupUtils.getPsProcesses(BackupUtils.java)
    [hostcontext.hostcontext] [Backup]    at com.q1labs.hostcontext.backup.BackupRecoveryEngine.cleanup(BackupRecoveryEngine.java)
    [hostcontext.hostcontext] [Backup]    at com.q1labs.hostcontext.backup.BackupRecoveryEngine$BackupThread.run(BackupRecoveryEngine.java)
    [hostcontext.hostcontext] [Backup] com.q1labs.hostcontext.backup.BackupRecoveryEngine: [INFO] [-/- -]Cancel process '/bin/bash /opt/qradar/bin/run_command.sh /opt/qradar/bin/determine_partition.sh /store/backup/store/tmp/backup/determine_partition' if exists
    09 December 2019
    DEPLOY CHANGES / LOG SOURCES IJ17858 AUTOUPDATE FAILS TO DEPLOY INSTALLED UPDATES ON QRADAR ENVIRONMENTS THAT HAVE A PROXY SERVER CONFIGURED OPEN: Reported in QRadar 7.3.2 versions. Contact Support for a possible workaround that might address this issue in some instances.

    It has been identified that QRadar deploys can fail or hang after the autoupdate-deploy-1607112703-00 script contained within AutoUpdate is received and run.
    06 August 2019
    AUTO UPDATE / PROXY IJ17855 AUTOUPDATE FAILS TO DEPLOY INSTALLED UPDATES ON QRADAR ENVIRONMENTS THAT HAVE A PROXY SERVER CONFIGURED OPEN: Reported in QRadar 7.3.2 versions. Workaround: Perform a manual "Deploy Changes" from the Admin tab after the weekly auto update has downloaded and installed.

    It has been identified that in QRadar environments where a proxy server is configured, AutoUpdates that have been downloaded and installed are not deployed out to the Managed Hosts automatically. User interface messages similar to "There are undeployed changes. Click 'Deploy Changes' to deploy them" are displayed.
    26 July 2019
    FLOWS / SERVICE IJ17432 HOSTCONTEXT CAN EXPERIENCE AN OUT OF MEMORY OCCURRENCE WHEN A VERY LARGE NUMBER OF FLOW SOURCES EXIST OPEN: Reported in QRadar 7.3.1 Patch 8 Interim Fix 01. Contact Support for a possible workaround that might address this issue in some instances.

    It has been identified that the hostcontext process can experience an out of memory occurrence in QRadar environments that have a very large number of flow sources (hundreds of thousands).

    NOTE: A Support ticket needs to be logged to confirm that the number of flow sources is the reason for hostcontext out of memory occurrences.
    08 July 2019
    BACKUP & RECOVERY / MIGRATION IJ17414 PERFORMING A CONFIGURATION RESTORE ON A CONSOLE THAT HAS A NEW IP ADDRESS CAN MODIFY SIMILAR IP ADDRESSES IN QRADAR CONFIG FILE OPEN: Reported in QRadar 7.3.1 Patch 8. Contact Support for a possible workaround that might address this issue in some instances.

    It has been identified that when a config restore is performed on a QRadar Console that has had the IP address changed, similar IP addresses can sometimes be incorrectly modified in the configuration file "deployment.xml".

    Example scenario deployment:
    • Console: 127.0.0.1
    • New Console IP: 127.0.0.24
    • 1899 Appliance 1: 127.0.0.40
    • 1899 Appliance 2: 127.0.0.129

    Reported issues
    1. During the config restore using the backup file from the original console (127.0.0.1) on the new console (127.0.0.24), Deploy Changes fail to complete.
    2. The IP address for Appliance 2 is incorrectly updated in the deployment.xml configuration file: the configuration restore can change the IP address from 127.0.0.129 to 127.0.0.2429, because the old console address 127.0.0.1 is matched as a prefix of 127.0.0.129 and replaced with 127.0.0.24.
    08 July 2019
    QRADAR VULNERABILITY INSIGHTS APP IJ17410 X-FORCE USER LIMITS EXCEEDED WHEN USING QRADAR VULNERABILITY INSIGHTS (QVI) APP OPEN: Reported in QRadar 7.3.1 Patch 8. No workaround available.

    It has been identified that when using the QRadar Vulnerability Insights application, the records limit of 5000 for the X-Force user can be exceeded. When this occurs, any new requests to X-Force fail.
    08 July 2019
    HIGH AVAILABILITY (HA) IJ17408 ENABLING CROSSOVER ON HIGH AVAILABILITY PAIR CAN CAUSE NETWORK COMMUNICATION FAILURE ON THE PRIMARY NODE OPEN: Reported in QRadar 7.3.1 Patch 8. Contact Support for a possible workaround that might address this issue in some instances.

    It has been identified that in some instances enabling High Availability (HA) crossover caused network communication to fail on the primary HA node. This occurs if the HA crossover becomes set as the default route, disrupting expected network communications.
    08 July 2019
    OFFENSES / PERFORMANCE IJ17380 ATTEMPTING TO OPEN AN OFFENSE CAN FAIL WHEN THERE ARE A LARGE NUMBER OF NETWORKS ASSOCIATED TO IT CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 3 (7.4.0.20200606144505)
    QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002)

    Workaround
    Where possible, modify the user needing access to the Offense to include administrator (Admin) permissions.

    It has been identified that attempting to load an Offense can fail when an offense has a large number of networks associated with it. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [tomcat.tomcat] [user@127.0.0.1 (2281) /console/do/sem/offensesummary] Caused by:
    [tomcat.tomcat] [user@127.0.0.1 (2281) /console/do/sem/offensesummary] java.lang.StackOverflowError
    [tomcat.tomcat] [user@127.0.0.1 (2281) /console/do/sem/offensesummary] at org.apache.openjpa.lib.util.J2DoPrivHelper$59.run(J2DoPrivHelper.java)
    [tomcat.tomcat] [user@127.0.0.1 (2281) /console/do/sem/offensesummary] at org.apache.openjpa.lib.util.J2DoPrivHelper$59.run(J2DoPrivHelper.java)
    [tomcat.tomcat] [user@127.0.0.1 (2281) /console/do/sem/offensesummary] at java.security.AccessController.doPrivileged(AccessController.java)
    [tomcat.tomcat] [user@127.0.0.1 (2281) /console/do/sem/offensesummary] at org.apache.openjpa.persistence.AnnotationPersistenceXMLMetaDataParser.parseXMLClassAnnotations(AnnotationPersistenceXMLMetaDataParser.java)
    [tomcat.tomcat] [user@127.0.0.1 (2281) /console/do/sem/offensesummary] at org.apache.openjpa.persistence.AnnotationPersistenceXMLMetaDataParser.parse(AnnotationPersistenceXMLMetaDataParser.java)
    [tomcat.tomcat] [user@127.0.0.1 (2281) /console/do/sem/offensesummary] at org.apache.openjpa.persistence.PersistenceMetaDataFactory.loadXMLMetaData(PersistenceMetaDataFactory.java)
    [tomcat.tomcat] [user@127.0.0.1 (2281) /console/do/sem/offensesummary] at org.apache.openjpa.meta.MetaDataRepository.getXMLMetaDataInternal(MetaDataRepository.java)
    [tomcat.tomcat] [user@127.0.0.1 (2281) /console/do/sem/offensesummary] at org.apache.openjpa.meta.MetaDataRepository.getXMLMetaData(MetaDataRepository.java)
    [tomcat.tomcat] [user@127.0.0.1 (2281) /console/do/sem/offensesummary] at org.apache.openjpa.kernel.exps.AbstractExpressionBuilder.traversePath(AbstractExpressionBuilder.java)
    [tomcat.tomcat] [user@127.0.0.1 (2281) /console/do/sem/offensesummary] at org.apache.openjpa.kernel.jpql.JPQLExpressionBuilder.getPath(JPQLExpressionBuilder.java:2000)
    [tomcat.tomcat] [user@127.0.0.1 (2281) /console/do/sem/offensesummary] at org.apache.openjpa.kernel.jpql.JPQLExpressionBuilder.getPathOrConstant(JPQLExpressionBuilder.java)
    [tomcat.tomcat] [user@127.0.0.1 (2281) /console/do/sem/offensesummary] at org.apache.openjpa.kernel.jpql.JPQLExpressionBuilder.eval(JPQLExpressionBuilder.java)
    [tomcat.tomcat] [user@127.0.0.1
    08 July 2019
    LICENSE / EVENT COLLECTOR IJ17363 QRADAR EVENT COLLECTOR APPLIANCE DOES NOT INHERIT THE LICENCE LIMITS FROM THE EVENT PROCESSOR AFTER THE IP ADDRESS HAS BEEN CHANGED OPEN: Reported in QRadar 7.3.2 versions. Workaround:
    1. Connect the EC to the console. Deploy the changes.
    2. Reconnect the EC to the EP and Deploy the changes.

    It has been identified that after an Event Processor (EP) has had the IP address changed, when an Event Collector (EC) is added to it, that EC does not inherit the license limits from the EP.
    08 July 2019
    CUSTOM ACTION SCRIPTS IJ17358 CUSTOM ACTION SCRIPTS REFERENCING THE QRADAR CONSOLE HOSTNAME FAIL IN QRADAR 7.3.2 OPEN: Reported in QRadar 7.3.2 versions. Contact Support for a possible workaround that might address this issue in some instances.

    It has been identified that Custom Action Scripts referencing the hostname of the QRadar Console, which worked as expected in 7.3.1, fail to work in QRadar 7.3.2 versions.
    08 July 2019
    OFFENSES IJ17332 OFFENSES FOR NON-ADMIN USER FAIL TO LOAD WHEN A SECURITY PROFILE HAS 'NO RESTRICTIONS' CONFIGURED CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)

    Workaround
    In instances where possible, modify the user to be an admin user.

    Issue
    It has been identified that Offenses for non-admin users fail to load when the user's security profile has No Restrictions configured. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [tomcat.tomcat] [user@127.0.0.1 (2281) /console/do/sem/offensesummary] Caused by:
    [tomcat.tomcat] [user@127.0.0.1 (2281) /console/do/sem/offensesummary] java.lang.StackOverflowError
    [tomcat.tomcat] [user@127.0.0.1 (2281) /console/do/sem/offensesummary] at org.apache.openjpa.lib.util.J2DoPrivHelper$59.run(J2DoPrivHelper)
    [tomcat.tomcat] [user@127.0.0.1 (2281) /console/do/sem/offensesummary] at org.apache.openjpa.lib.util.J2DoPrivHelper$59.run(J2DoPrivHelper.java)
    [tomcat.tomcat] [user@127.0.0.1 (2281) /console/do/sem/offensesummary] at java.security.AccessController.doPrivileged(AccessController.java)
    [tomcat.tomcat] [user@127.0.0.1 (2281) /console/do/sem/offensesummary] at org.apache.openjpa.persistence.AnnotationPersistenceXMLMetaDataParser.parseXMLClassAnnotations(AnnotationPersistenceXMLMetaDataParser.java)
    [tomcat.tomcat] [user@127.0.0.1 (2281) /console/do/sem/offensesummary] at org.apache.openjpa.persistence.AnnotationPersistenceXMLMetaDataParser.parse(AnnotationPersistenceXMLMetaDataParser.java)
    [tomcat.tomcat] [user@127.0.0.1 (2281) /console/do/sem/offensesummary] at org.apache.openjpa.persistence.PersistenceMetaDataFactory.loadXMLMetaData(PersistenceMetaDataFactory.java)
    [tomcat.tomcat] [user@127.0.0.1 (2281) /console/do/sem/offensesummary] at org.apache.openjpa.meta.MetaDataRepository.getXMLMetaDataInternal(MetaDataRepository.java)
    [tomcat.tomcat] [user@127.0.0.1 (2281) /console/do/sem/offensesummary] at org.apache.openjpa.meta.MetaDataRepository.getXMLMetaData(MetaDataRepository.java)
    [tomcat.tomcat] [user@127.0.0.1 (2281) /console/do/sem/offensesummary] at org.apache.openjpa.kernel.exps.AbstractExpressionBuilder.traversePath(AbstractExpressionBuilder.java)
    [tomcat.tomcat] [user@127.0.0.1 (2281) /console/do/sem/offensesummary] at org.apache.openjpa.kernel.jpql.JPQLExpressionBuilder.getPath(JPQLExpressionBuilder.java)
    [tomcat.tomcat] [user@127.0.0.1 (2281) /console/do/sem/offensesummary] at org.apache.openjpa.kernel.jpql.JPQLExpressionBuilder.getPathOrConstant(JPQLExpressionBuilder.java)
    [tomcat.tomcat] [user@127.0.0.1 (2281) /console/do/sem/offensesummary] at org.apache.openjpa.kernel.jpql.JPQLExpressionBuilder.eval(JPQLExpressionBuilder.java)
    [tomcat.tomcat] [user@127.0.0.1 (2281) /console/do/sem/offensesummary] at org.apache.openjpa.kernel.jpql.JPQLExpressionBuilder.getValue(JPQLExpressionBuilder.java)
    08 July 2019
    DISK UTILITIES IJ17331 DISKMAINTENANCE.PL SCRIPT DOES NOT HONOR FILES IN THE PATH_TO_KEEP DEFINED IN /OPT/QRADAR/CONF/DISKMAINTD.CONF CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)

    Workaround
    Administrators can install a software version that resolves this software issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances.

    Issue
    It has been identified that diskmaintd.pl deletes files that are older than 6 hours in paths identified in path_to_keep as defined in /opt/qradar/conf/diskmaintd.conf.
    08 July 2019
    SERVER DISCOVERY IJ17324 DUPLICATE 'SERVER TYPE' CAN SOMETIMES BE DISPLAYED IN SERVER DISCOVERY DROP DOWN OPEN: Reported in QRadar 7.3.2 versions. Contact Support for a possible workaround that might address this issue in some instances.

    It has been identified that duplicate entries in the 'Server Type' drop down in Asset -> Server Discovery can sometimes be observed.
    08 July 2019
    RULES / COMMON IJ17309 SOURCE IP OR DESTINATION IP FILTER IS NOT AN AVAILABLE TEST OPTION FOR 'COMMON' RULES OPEN: Reported in multiple QRadar versions. No workaround available.

    It has been identified that Source IP and Destination IP filters are not available for Common Rules in the "when the event matches this search filter" rule test, but are available as an option in Event Rules and Flow Rules.
    05 July 2019
    PROTOCOL / DISCONNECTED LOG COLLECTOR (DLC) IJ17308 AUTOUPDATE DEPLOY SCRIPT PERFORMS A RESTART OF THE ECS-EC PROCESS WHEN IT IS SOMETIMES NOT REQUIRED OPEN: Reported in QRadar 7.3.2 versions using PROTOCOL-IBMQRadarDLC.7.3-2018121713325. No workaround available.

    It has been identified that when the PROTOCOL-IBM-QRadarDLC is installed in a QRadar environment, a new autoupdate-deploy script is employed. That script, when run, has been found to perform ecs-ec process restarts in instances where the process restart is not required.
    04 July 2019
    APP FRAMEWORK / APP INSTALL IJ17231 LARGER QRADAR APPS CAN FAIL TO INSTALL DUE TO A TIMEOUT VALUE BEING REACHED DURING THE INSTALLATION CLOSED Resolved in QRadar 7.4.0 (7.4.0.20200304205308)

    Workaround
    Install the latest software version or contact Support for a possible workaround that might address this issue in some instances if you cannot upgrade at this time.

    Issue
    It has been identified that in some instances, large QRadar Apps (e.g. Pulse, UBA) can fail to install due to a timeout value being reached during the installation process. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:

    Pulse App Error
    [tomcat.tomcat] [pool-1-thread-4] com.q1labs.uiframeworks.application.api.service.builders.shared.AsyncBuildStageTask: [ERROR] [-/- -]An exception occurred while building app asynchronously. Triggering rollback.
    [tomcat.tomcat] [admin@127.0.0.1] com.ibm.si.content_management.utils.AppFrameworkAPIClient: [ERROR] [-/- -]Install of app 1354 did not complete
    [tomcat.tomcat] [pool-1-thread-4] com.q1labs.uiframeworks.application.api.exception.AppDockerImageBuildException: An error occurred while building docker image. Task state is PROCESSING
    [tomcat.tomcat] [pool-1-thread-4] at com.q1labs.uiframeworks.application.api.service.builders.shared.DockerBuildProcessor.process(DockerBuildProcessor.java)
    [tomcat.tomcat] [pool-1-thread-4] at com.q1labs.uiframeworks.application.api.service.builders.shared.AsyncBuildStageTask.runTask(AsyncBuildStageTask.java)
    [tomcat.tomcat] [pool-1-thread-4] at com.ibm.si.frameworks.taskmanagement.Task.run(Task.java)
    [tomcat.tomcat] [pool-1-thread-4] at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java)
    [tomcat.tomcat] [pool-1-thread-4] at java.util.concurrent.FutureTask.run(FutureTask.java)
    [tomcat.tomcat] [pool-1-thread-4] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java)
    [tomcat.tomcat] [pool-1-thread-4] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java)
    [tomcat.tomcat] [pool-1-thread-4] at java.lang.Thread.run(Thread.java:812)
    [tomcat.tomcat] [admin@127.0.0.1] com.ibm.si.content_management.ContentManager: [ERROR][-/- -]Failed to import content file [/store/tmp/cmt/out/Pulse_2/extension_zip.xml]
    [tomcat.tomcat] [admin@127.0.0.1] com.ibm.si.data_ingestion.api.impl.cmt.tasks.InstallExtensionTask: [ERROR][-/- -]installing extension with id = 301 failed: An error occurred installing application. Please see error logs for details.
    [tomcat.tomcat] [admin@127.0.0.1] java.lang.Exception: An error occurred installing application. Please see error logs for details.
    [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.data_ingestion.api.impl.cmt.tasks.InstallExtensionTask.runTask(InstallExtensionTask.java)
    [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.frameworks.taskmanagement.Task.run(Task.java)
    [tomcat.tomcat] [admin@127.0.0.1] at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java)
    [tomcat.tomcat] [admin@127.0.0.1] at java.util.concurrent.FutureTask.run(FutureTask.java)
    [tomcat.tomcat] [admin@127.0.0.1] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java)

    UBA App Error
    [tomcat.tomcat] [pool-1-thread-9] com.q1labs.uiframeworks.application.api.exception.AppDockerImageBuildException: An error occurred while building docker image. Task state is PROCESSING
    [tomcat.tomcat] [pool-1-thread-9] at com.q1labs.uiframeworks.application.api.service.builders.shared.DockerBuildProcessor.process(DockerBuildProcessor.java)
    [tomcat.tomcat] [pool-1-thread-9] at com.ibm.si.frameworks.taskmanagement.Task.run(Task.java)
    [tomcat.tomcat] [pool-1-thread-9] at com.q1labs.uiframeworks.application.api.service.builders.shared.AsyncBuildStageTask.runTask(AsyncBuildStageTask.java)
    [tomcat.tomcat] [pool-1-thread-9] at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java)
    [tomcat.tomcat] [pool-1-thread-9] at java.util.concurrent.FutureTask.run(FutureTask.java)
    [tomcat.tomcat] [pool-1-thread-9] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java)
    [tomcat.tomcat] [pool-1-thread-9] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java)
    [tomcat.tomcat] [pool-1-thread-9] at java.lang.Thread.run(Thread.java)
    [tomcat.tomcat] [admin@127.0.0.1] com.ibm.si.content_management.utils.AppFrameworkAPIClient: [ERROR][-/- -]Install of app 1602 did not complete
    [tomcat.tomcat] [admin@127.0.0.1] com.ibm.si.content_management.ContentManager: [ERROR][-/- -]Failed to import content file [/store/tmp/cmt/out/User_Behavior_Analytics/ubaApp-3143-release-3.2.0-201903211320.xml]
    [tomcat.tomcat] [admin@127.0.0.1] com.ibm.si.data_ingestion.api.impl.cmt.tasks.InstallExtensionTask: [ERROR][-/--]installing extension with id = 551 failed: An error occurred installing application. Please see error logs for details.
    [tomcat.tomcat] [admin@127.0.0.1] java.lang.Exception: An error occurred installing application. Please see error logs for details.
    [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.data_ingestion.api.impl.cmt.tasks.InstallExtensionTask.runTask(InstallExtensionTask.java)
    [tomcat.tomcat] [admin@127.0.0.1] at com.ibm.si.frameworks.taskmanagement.Task.run(Task.java:108)
    [tomcat.tomcat] [admin@127.0.0.1] at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java)
    [tomcat.tomcat] [admin@127.0.0.1] at java.util.concurrent.FutureTask.run(FutureTask.java:277)
    [tomcat.tomcat] [admin@127.0.0.1] at java.util.concurrent.ThreadPoolExecutor.runWorker
    (ThreadPoolExecutor.java)
    
    26 June 2019
    DISK SPACE / EVENT QUEUE IJ17202 /STORE/PERSISTENT_QUEUE CAN RUN OUT OF DISK SPACE DUE TO ECS AND EC-INGRESS SPILLOVER QUEUE CONFIGURATION CLOSED Resolved in QRadar 7.4.0 (7.4.0.20200304205308)

    Install the latest software version or contact Support for a possible workaround that might address this issue if you are unable to upgrade at this time.

    It has been identified that /store/persistent_queue/ can run out of free space due to the configuration of the following tuning parameters for the event queues:
    • applyECSpilloverQueueChanges
    • applyECIngressSpilloverQueueChanges
    25 June 2019
    ADVANCED SEARCH (AQL) IJ17196 ADVANCED SEARCH (AQL) RETURNS ERROR 'REQUEST-URL TOO LARGE' OPEN: Reported in multiple QRadar versions No workaround available.

    It has been identified that an Advanced Search (AQL) in the Log Activity or Network Activity tab can return an error message that is similar to: "Request-URI Too Large".

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [ariel.ariel_proxy_server] [ariel_client /127.0.0.1:47856]
    org.antlr.v4.runtime.Parser:
    [ERROR] [-/- -]Parse error:  and
    (INCIDR('127.0.0.1/23', KL_source_...
    [ariel.ariel_proxy_server] [ariel_client /127.0.0.1:47856]
    com.q1labs.ariel.ql.parser.AQLParserException: Unrecognized
    context (Line: 1, Position: 130): " and (INCIDR('127.0.0.1/23',
    My_source_..."
    [ariel.ariel_proxy_server] [ariel_client /127.0.0.1:47856]
    at com.q1labs.ariel.ql.parser.ParserBase.parseStatement
    (ParserBase.java)
    [ariel.ariel_proxy_server] [ariel_client /127.0.0.1:47856]
    at com.q1labs.ariel.ql.parser.Parser.processRequest(Parser.java)
    [ariel.ariel_proxy_server] [ariel_client /127.0.0.1:47856]
    at com.q1labs.ariel.ql.parser.Parser.executeStatement(Parser.java)
    [ariel.ariel_proxy_server] [ariel_client /127.0.0.1:47856]
    at com.q1labs.ariel.ConnectedClient.processStatement(ConnectedClien
    t.java)
    [ariel.ariel_proxy_server] [ariel_client /127.0.0.1:47856]
    at com.q1labs.ariel.ConnectedClient.processMessage(ConnectedClient.
    java)
    [ariel.ariel_proxy_server] [ariel_client /127.0.0.1:47856]
    at com.q1labs.ariel.ConnectedClient.run(ConnectedClient.java)
    [ariel.ariel_proxy_server] [ariel_client /127.0.0.1:47856]
    at java.util.concurrent.ThreadPoolExecutor.runWorker
    (ThreadPoolExecutor.java)
    [ariel.ariel_proxy_server] [ariel_client /127.0.0.1:47856]
    at java.util.concurrent.ThreadPoolExecutor$Worker.
    run(ThreadPoolExecutor.java)
    [ariel.ariel_proxy_server] [ariel_client /127.0.0.1:47856]
    at java.lang.Thread.run(Thread.java)
    26 June 2019
    PROTOCOL / UDP MULTILINE SYSLOG IJ17839 'LISTEN PORT MUST BE AN INTEGER BETWEEN 1 AND 65535' MESSAGE WHEN CONFIGURING PORT 514 FOR UDP MULTILINE PROTOCOL LOG SOURCES CLOSED An updated version of UDP Multiline Syslog protocol has been published to IBM Fix Central to resolve this issue:
    PROTOCOL-UDPMultilineSyslog-7.3-20190412134523

    Administrators who have QRadar weekly auto updates enabled will receive this RPM file during the next weekly update. However, users experiencing this issue can download and manually install the RPM on the QRadar Console appliance using: yum -y install {rpmname}.

    Issue: It has been identified that when editing a Log Source that uses the UDP Multiline Syslog protocol, QRadar can generate an error when the user attempts to assign a listen port value of 514. QRadar generates an error similar to the following:
    Listen port must be an integer between 1 and 65535.

    Port 514 is the default Syslog listener port in QRadar, and the error presented when trying to assign port 514 should be more clearly defined. This is a benign error message; users need to select a different port for the UDP Multiline Syslog protocol. The protocol requires an update to provide a better error message for a port that is already in use, such as: There is already a listener using that port.
    26 July 2019
    API / PERFORMANCE IJ17016 QRADAR INCIDENT FORENSICS RECOVERY HANGS WITH 'RUNNING' STATUS OPEN: Reported in QRadar Packet Capture 7.3.2 versions No workaround available.

    It has been identified that in some instances, a timeout occurs with Incident Forensics in the backend while attempting to retrieve required PCAP data. When this issue occurs a Forensics Recovery can hang in 'Running' status.
    05 July 2019
    RULES / FLOWS IJ16995 REFERENCE SET RULE TEST DOES NOT WORK AS EXPECTED WITH SUPERFLOWS CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)

    Workaround
    No workaround available.

    Issue
    It has been identified that Reference Set rule tests only use the first IP reflected in a Superflow.

    Example with two rules:
    1. The first rule evaluates the source IP of flow against a reference set to determine that the data is contained in the reference set. For example, and when any source IP is contained in {myreferenceset}.
    2. The second rule test evaluates if source IP is a specific value from the flow. The specific value is contained in the reference set. For example, and when the source IP is one of the following {x.x.x.x in the myreferenceset}.

      Results
      When the source IP is that specific value, the expected result is that both rule 1 and rule 2 would match and return results, but the actual result is that the less restrictive "any source IP" test from rule 1 does not match the superflow.
    26 November 2020
    SCANNER / VIS IJ16994 VA SCANNER STAYS AT 'PENDING' STATE WHEN ATTEMPTING TO START IT FROM A FLOW COLLECTOR APPLIANCE OPEN: Reported in QRadar 7.3.1 Patch 7 No workaround available.

    It has been identified that flow collectors are listed in the QRadar User Interface options for configuring a VA scanner, but attempting to start a scanner from a flow collector does not work as expected, and stays at 'Pending' state.

    When attempting to start the vis service on a flow collector, a command line error similar to the following is returned:
    "Job for vis.service failed because the control process exited
    with error code. See "systemctl status vis.service" and
    "journalctl -xe" for details."
    Flow collectors do not have VIS components enabled, and should not have been available to select when configuring a scanner.
    03 July 2019
    DNS SETTINGS IJ16968 DNS SETTINGS MODIFIED ON AN EVENT COLLECTOR APPLIANCE (15XX) DO NOT PERSIST AFTER THE APPLIANCE REBOOTS CLOSED Closed as an invalid issue. Administrators must unmanage the appliance and use qchange_netsetup to update their DNS settings.

    It has been identified that DNS settings modified on Event Collector appliances (15xx) do not persist after an appliance reboot. Changes to resolv.conf are not supported and do not persist on Event Collector appliances after a reboot. Invalid issues are not publicly visible, so the link to the APAR has been removed and the entry is left in the table for reference purposes.
    05 July 2019
    AQL / X-FORCE IJ16967 ADVANCED SEARCH (AQL) USING XFORCE_IP_CONFIDENCE FUNCTION DOES NOT WORK AS EXPECTED WHEN RUN USING LOCALES OTHER THAN ENGLISH (UNITED STATES) OPEN: Reported in QRadar 7.3.2 versions Workaround
    Click the user icon in the top right hand corner of the UI, then go to User preferences -> locale. Change this to English (United States). Refresh your browser and confirm the functions work as expected.

    Issue
    It has been identified that using the XFORCE_IP_CONFIDENCE function does not work as expected in an Advanced Search (AQL) when QRadar is configured to use a locale other than English (United States).
    05 July 2019
    INSTALL / QRADAR PACKET CAPTURE IJ16966 QRADAR PACKET CAPTURE: /ROOT/RESET_INTERFACES.SH SCRIPT ON PCAP APPLIANCES DOES NOT WORK AS EXPECTED OPEN: Reported in QRadar Network Packet Capture 7.3.2 Patch 1 Contact Support for a possible workaround that might address this issue in some instances.

    The /root/Reset_Interfaces.sh script on PCAP appliances was introduced to correct issues that incorrect udev naming can sometimes cause. It has been observed that the script does not perform all expected tasks but does complete, then prompts for a reboot.
    05 July 2019
    DASHBOARDS IJ16962 UNABLE TO ADD THE 'EVENTS BY SEVERITY' DASHBOARD INTO THE QRADAR USER INTERFACE OPEN: Reported in QRadar 7.3.2 versions No workaround available.

    It has been identified that attempting to add the 'Events by Severity' dashboard into the QRadar User Interface (UI) fails and does not provide any error or feedback in the UI.
    26 June 2019
    SIMULATION / QRADAR RISK MANAGER (QRM) IJ16947 WHEN 'USE CONNECTION DATA' IS CONFIGURED THE SIMULATION DOES NOT COMPLETE AND GENERATES AN ILLEGALARGUMENTEXCEPTION OPEN: Reported in QRadar 7.3.2 versions Workaround: Do not use the selection 'Use Connection Data' in the simulation.

    It has been identified that a Risk Manager simulation can fail to complete when 'Use Connection Data' is selected. The Configuration Monitor screen displays "No Results" in the Results column. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [tomcat-rm.tomcat-rm] [SimulationRunner-10001-Test]
    com.q1labs.simulator.simulation.SimulationRunner:
    [ERROR] [-/- -]Error executing simulation 10001:Points below
    the dimension's min value are not allowed
    (using + PortRangeEnumerator enumerator)
    [tomcat-rm.tomcat-rm] [SimulationRunner-10001-Test]
    java.lang.IllegalArgumentException: Points below the
    dimension's min value are not allowed (using +
    PortRangeEnumerator enumerator)
    [tomcat-rm.tomcat-rm] [SimulationRunner-10001-Test]    at
    com.q1labs.simulator.topology.MultiRange.__createFromPoints(Mult
    iRange.java:723)
    [tomcat-rm.tomcat-rm] [SimulationRunner-10001-Test]    at
    com.q1labs.simulator.topology.MultiRange.createFromPoints(MultiR
    ange.java:682)
    [tomcat-rm.tomcat-rm] [SimulationRunner-10001-Test]    at
    com.q1labs.simulator.iag.impl.InferredAccessGraph$ArcProcessor.g
    etPortResults(InferredAccessGraph.java:1151)
    [tomcat-rm.tomcat-rm] [SimulationRunner-10001-Test]    at
    com.q1labs.simulator.iag.impl.InferredAccessGraph.findReachable(
    InferredAccessGraph.java:1231)
    17 June 2019
    INSTALL / QRADAR NETWORK INSIGHTS IJ18213 QRADAR NETWORK INSIGHTS 1920 INSTALL MENU DOES NOT DISPLAY THE OPTION FOR A QNI 6200 APPLIANCE CLOSED Resolved in
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Fix Pack 4 (7.4.0.20200704141002)

    Workaround
    Review IBM QRadar Network Insights: Install Menu does not Display a Select Option for QNI 6200 Appliances (APAR IJ18213) for additional installation instructions.

    Issue
    It has been identified that the QRadar Network Insights (QNI) install menu on a fresh install of QRadar 7.3.2 Patch 2 displays the options for a 6000 and 6100 appliance type, but not a QNI 6200 appliance. If you continue to experience issues, contact Support for additional assistance.
    16 August 2019
    SCANNER / TENABLE IJ17829 TENABLE SECURITY SCANNER IMPORT FAILS DUE TO CHANGES IN THE ALLOWED CIPHER SUITES ON THE TENABLE SERVER CLOSED The fix for this issue is released in the following RPM package update: VIS-TenableSecurityCenter-7.3-20190725180412.noarch.rpm.

    This update will be delivered in the next QRadar weekly auto update, but is available on IBM Fix Central now. Administrators who require an immediate resolution to this issue should ensure they have installed the latest version of the VIS-TenableSecurityCenter rpm file on their Console from IBM Fix Central using the command:
    yum -y install 7.3.0-QRADAR-VIS-TenableSecurityCenter-7.3-20190725180412.noarch.rpm


    Issue: It has been identified that Tenable Security scan imports can fail. This is caused by changes in the list of allowed Cipher Suites on the Tenable Server.
    22 August 2019
    AUTHENTICATION / USER ROLES IJ16851 USER LOGIN FAILURE AFTER DELETING A QRADAR USER ROLE OR SECURITY PROFILE WHEN LDAP GROUP AUTH IS ACTIVE OPEN: Reported in QRadar 7.3.2 versions Workaround: From the Admin tab > Authentication window, open each affected LDAP Repository for editing, and immediately save. A deploy changes is required for the changes to take effect.

    It has been identified that user login failure can occur after deleting a QRadar user role or security profile when LDAP group authorization is active.
    14 June 2019
    SYSTEM SETTINGS / DEPLOY CHANGES IJ18436 UNABLE TO SAVE CHANGES MADE TO QRADAR SYSTEM SETTINGS AND 'INTERNAL ERROR: SAVE FAILED' MESSAGE IS DISPLAYED CLOSED This auto update script issue was addressed in the following RPM release on IBM Fix Central:
    DSM-ArborNetworksPravail-7.3-20190822144538

    Administrators who have QRadar weekly auto updates enabled will receive this RPM file during the next weekly update. However, users experiencing this issue can download and manually install the RPM on the QRadar Console appliance using: yum -y install {rpmname}.

    Issue: It has been identified that an Auto Update action script can change the ownership of nva.conf in the staging directory to root during a Deploy function. When ownership of nva.conf is changed, administrators can experience a user interface issue when they attempt to save changes made to some parameters in System Settings. The QRadar User Interface can fail to save System Settings with the error message: 'Internal Error: save failed'

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    Unable to write system settings:
    java.io.IOException: Failed to write
    nva.conf/store/configservices/staging/globalconfig/nva.conf
    (Permission denied)
    26 August 2019
    FLOWS / DEPLOY CHANGES IJ16823 UNABLE TO CONFIGURE DTLS FOR QRADAR NETWORK INSIGHTS (QNI) FLOW CONFIGURATION WHEN FLOW SOURCE IS FROM THE CONSOLE CLOSED Resolved in:
    QRadar 7.4.0 (7.4.0.20200304205308)
    QRadar 7.3.3 Patch 2 (7.3.3.20200208135728)
    QRadar 7.3.2 Fix Pack 7 (7.3.2.20200406171249)

    Workaround
    From a command line interface (SSH), connect to the QRadar Console appliance as the root user and type the following command:
    chown -R nobody:nobody /opt/qradar/conf/dtls
    After you have set the ownership, you can successfully complete a Deploy Changes from the Admin tab.

    Issue
    It has been identified that attempting to enable DTLS on the QRadar Network Insights (QNI) flow configuration can cause the required Deploy Changes to fail when the flow source is the Console appliance. Administrators can attempt to verify this issue by changing the Console's default netflow to use a Linking Protocol = DTLS. For example:
    1. Click the Admin tab.
    2. Click the Flow Sources icon.
    3. Update the QNI connection to use the Console and default netflow as the flow source.
    4. Save the changes.
    5. From the Admin tab, click Deploy Changes.

      Results
      The deploy function fails and the QNI appliance is unable to send the flows to the Console. See the workaround above to assist with this issue.
    08 July 2019
    UPGRADE IJ16821 QRADAR PATCH FAILS TO COMPLETE SUCCESSFULLY WHEN A HTTP_PROXY ENVIRONMENT VARIABLE IS CONFIGURED CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
    QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722)

    Workaround
    Prior to attempting the QRadar patching process, unset the environment variable http_proxy before running the patch. Ensure that it is not being set in the root user's profile when logging in. If a QRadar patch has already failed, roll back the patch to the prior 7.3.x version, unset http_proxy, and re-run the patch.

    Issue
    It has been identified that QRadar patching can fail to complete successfully when an http_proxy is configured in /etc/environment. Messages similar to the following might be visible when this issue occurs:
    [WARN](patchmode) time="2019-03-07T22:20:47+04:00" level=fatal
    msg="Error checking for blob
    sha256:fbbe1dc3535f2e4cfd3606016df4b075ae74e3bf39f8490cdbc073d93
    at destination: pinging docker registry returned: Get
    https://xxxxxxxxxxx.localdeployment:5000/v2/:Forbidden"
    [DEBUG](patchmode) WARN: Failed to deliver images to the registry
    [DEBUG](patchmode) ERROR: Failed to push images to the registry.
    26 November 2020
    RULES / RULE TEST IJ16820 RULE CONDITION 'WHEN THE EVENT MATCHES DESTINATION GEOGRAPHIC COUNTRY/REGION' IS NOT WORKING CORRECTLY FOR TURKEY OPEN: Reported in QRadar 7.3.2 Patch 1 No workaround available.

    It has been identified that the Rule Condition when the event matches Destination Geographic Country/Region is not working correctly for the country of Turkey. This can cause unexpected rule responses and or Offense behavior.

    For example: when events have a Destination IP address within Turkey, the events match rules that include the rule condition: when the event matches Destination Geographic Country/Region is not Turkey.
    14 June 2019
    LOG SOURCE MANAGEMENT APP IJ17859 USING THE 'DON'T SHOW ME AGAIN' BUTTON ON THE LOG SOURCE MANAGEMENT APP BANNER DOES NOT WORK AS EXPECTED CLOSED Closed as a suggestion for future release.

    It has been identified that the "Don't Show Me Again" button that can be displayed on a Log Source Management (LSM) app banner message does not work as expected. The banner message that was selected for 'Don't Show Me Again' is displayed when the web browser used for the QRadar user interface is restarted.
    16 August 2019
    HIGH AVAILABILITY (HA) / EVENT COLLECTOR IJ16785 POSTGRESQL DATABASE ON QRADAR COLLECTOR APPLIANCE (15XX) CAN BE OUT OF SYNC ON STANDBY APPLIANCE CAUSING ISSUES AFTER FAILOVER CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)

    Workaround
    Administrators can install a software version that resolves this software issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances.

    Issue
    It has been identified that after a failover occurs from an active to a standby Event Collector appliance (15XX), the QRadar postgresql database can be out of sync in some instances and requests a FULL replication transaction. This can lead to various issues within QRadar occurring after an appliance failover, such as an incorrect EPS license setting for ecs-ec-ingress, incorrect Log Source configurations, or missing routing rules.
    14 June 2019
    API IJ16784 RESTAPI WITH BASIC AUTHENTICATION CAN FAIL TO GET USER CAPABILITIES WHEN USING LDAP AUTH 'LOCAL AUTHORIZATION' OPEN: Reported in QRadar 7.3.1 Patch 3 No workaround available.

    It has been identified that using RESTAPI to get endpoint resources with basic authentication fails to get user capabilities when using LDAP authentication with local authorization. A message similar to the following is returned:
    {"http_response":{"code":403,"message":"Your account is not
    authorized to access the requested resource"},"code":26,
    "description":"","details":{},"message":
    "User has insufficient capabilities to access this endpoint resource"}


    Messages similar to the following might also be visible in /var/log/qradar.log when this issue occurs:
    [tomcat.tomcat] [ou=People,dc=my-domain,dc=com\ldapuser1@127.0.0.1 (189)
    /console/restapi/api/reference_data/tables]
    com.q1labs.core.shared.capabilities.CapabilityConfiguration:
    [INFO] [-/- -]user ou=People,dc=my-domain,dc=com\ldapuser1
    does not exist. Returning false
    [tomcat.tomcat]
    [ou=People,dc=my-domain,dc=com\ldapuser1@127.0.0.1 (189)
    /console/restapi/api/reference_data/tables]
    com.q1labs.core.shared.capabilities.CapabilityConfiguration:
    [INFO] [-/- -]user ou=People,dc=my-domain,dc=com\ldapuser1
    does not exist. Returning false
    14 June 2019
    OFFENSES IJ16742 OFFENSES CAN FAIL TO BE UPDATED AFTER A CONSOLE APPLIANCE REBOOT CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.4.0 Fix Pack 1 (7.4.0.20200409095210)
    QRadar 7.3.3 Fix Pack 3 (7.3.3.20200409085709)

    Workaround
    Perform a Soft Clean SIM. See the following documentation for steps and results of performing a Soft Clean SIM, Cleaning the SIM data model.

    Issue
    It has been identified that in some instances, Offenses can fail to update after a Console appliance reboot has occurred (controlled or uncontrolled) due to a required file becoming corrupted and deleted. Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs:
    [ecs-ep.ecs-ep] [ECS Runtime Thread]
    com.q1labs.core.shared.storage.BaseStorageContext:
    [ERROR] [-/- -] Error reading file /store/mpc/core/
    CounterProcessor/dormant-handles-index.ser, deleting it...
    [ecs-ep.ecs-ep] [ECS Runtime Thread] java.io.EOFException
    [ecs-ep.ecs-ep] [ECS Runtime Thread] at java.io.ObjectInputStream
    $PeekInputStream.readFully(ObjectInputStream.java)
    [ecs-ep.ecs-ep] [ECS Runtime Thread] at
    java.io.ObjectInputStream$BlockDataInputStream
    .readShort(ObjectInputStream.java)
    [ecs-ep.ecs-ep] [ECS Runtime Thread] at
    java.io.ObjectInputStream.readStreamHeader(ObjectInputStream.java)
    [ecs-ep.ecs-ep] [ECS Runtime Thread] at
    java.lang.Thread.run(Thread.java:812)
    [ecs-ep.ecs-ep] [ECS Runtime Thread]
    com.q1labs.core.shared.storage.BaseStorageContext:
    [ERROR][-/- -]Error reading file /store/mpc/core/
    CounterProcessor/active-handles-index.ser, deleting it...
    [ecs-ep.ecs-ep] [ECS Runtime Thread] java.io.EOFException
    [ecs-ep.ecs-ep] [ECS Runtime Thread] at
    java.io.ObjectInputStream$PeekInputStream.readFully
    (ObjectInputStream.java)
    [ecs-ep.ecs-ep] [ECS Runtime Thread] at
    java.io.ObjectInputStream$BlockDataInputStream.
    readShort(ObjectInputStream.java)
    14 June 2019
    RULES / FLOW DIRECTION IJ16741 RULES DEPENDENT UPON FLOW DIRECTION CAN FIRE UNEXPECTEDLY DUE TO QRADAR NETWORK INSIGHTS (QNI) LOGGING REVERSED FLOW DIRECTION OPEN: Reported in QRadar 7.3.2 versions No workaround available.

    It has been identified that in instances of Content Flow generated by QRadar Network Insights, a reversed flow direction with 0 byte payload lengths is observed. That is, the flow direction is from server to client: the server should be the destination, but is shown as the source. When this occurs, rules dependent on flow direction can fire in instances where they should not.
    08 July 2019
    AUTHENTICATION / ACTIVE DIRECTORY (AD) IJ16739 ACTIVE DIRECTORY REPOSITORY SETUP PAGE FIELD NAME 'LOGIN DN' CAN CAUSE CONFUSION AS TO ITS PROPER USE OPEN: Reported in QRadar 7.3.2 versions Workaround: Use a Windows account name (also known as sAMAccountName) in the 'Login DN' field.

    It has been identified that on the Admin > Authentication > Active Directory setup page, the purpose of the field 'Login DN' (connection testing) can be misunderstood. When setting up an Active Directory repository, entering a full Distinguished Name (DN) in the 'Login DN' field causes the test connection to fail. Both the 'Login DN' field and its associated password field are tied directly to the "Test connection" button and are not used at any other time.
    14 June 2019
    USER INTERFACE / QRADAR VULNERABILITY MANAGER IJ16670 'CRITICAL' IS NOT AN OPTION IN RISK LIST OF VULNERABILITY MANAGER'S 'REMEDIATION TIMES' WINDOW OPEN: Reported in QRadar 7.3.1 Patch 6 No workaround available.

    It has been identified that the use of 'Critical' is inconsistent across the QRadar Vulnerability Manager user interface windows and options. For example, 'Critical' is not listed on the 'Remediation Times' window in Vulnerability Manager.
    17 June 2019
    POLICY MONITOR / QRADAR RISK MANAGER IJ16610 QRADAR RISK MANAGER (QRM) POLICY QUESTION DOES NOT RETURN ALL MATCHING RULES FOR CONDITION SPECIFIED OPEN: Reported in QRadar 7.3.1 Patch 6 No workaround available.

    It has been identified that a Risk Manager Policy Monitor question with a return type of Device/Rules and a condition "allow connections to the following IP addresses" does not find a rule that should match this condition if the rule uses an object group to reference the IP addresses.
    18 June 2019
    RISK FACTOR / QRADAR VULNERABILITY MANAGER IJ16594 ASSET PROFILER EXCEPTION CAUSED BY NEW 'CRITICAL RISK FACTOR' CLASSIFICATION IN QRADAR VULNERABILITY MANAGER (QVM) CLOSED Resolved in QRadar 7.4.1 (7.4.1.20200716115107)

    Workaround
    Contact Support for a possible workaround that might address this issue in some instances.

    Issue
    It has been identified that the new PCI Severity and Risk Factor classification 'Critical' causes the asset profiler to throw an Invalid RiskFactor Exception in QRadar logging when a vulnerability is assigned a Critical Risk Factor. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [tomcat.tomcat] [pool-1-thread-6] com.q1labs.assetprofile.
    api.vulninstance.common.VulninstancesAPITask:
    [ERROR][-/- -]An unhandled exception was thrown during the
    execution of task: 258
    [tomcat.tomcat] [pool-1-thread-6]
    java.lang.IllegalArgumentException:
    Invalid RiskFactor name: Critical
    [tomcat.tomcat] [pool-1-thread-6] at
    com.q1labs.assetprofile.api.r1_2017.pojo.RiskFactorDTO.forName
    (RiskFactorDTO.java)
    [tomcat.tomcat] [pool-1-thread-6] at
    com.q1labs.assetprofile.api.r1_2017.R1_2017VulnInstanceDTOAdapte
    r.doConvert(R1_2017VulnInstanceDTOAdapter.java)
    07 June 2019
    FLOWS / FLOW SOURCE ALIAS IJ18233 A MANUALLY ADDED OR EDITED FLOW SOURCE ALIAS DOES NOT WORK AS EXPECTED OPEN: Reported in QRadar 7.3.0 and 7.3.1 versions Contact Support for a possible workaround that might address this issue in some instances.

    It has been identified that a manually added or edited Flow Source alias does not work as expected. When a flow source alias is manually created or edited, the flow collector component is not being properly populated on the associated managed host and the edited alias is not listed in the search filter for the flow interface. Associated flows are not received when this issue is occurring.
    19 August 2019
    DOMAIN MANAGEMENT IJ18345 LOG SOURCES WITHIN A LOG SOURCE GROUP DO NOT INHERIT DOMAIN MEMBERSHIP WHEN THE LOG SOURCE GROUP IS ADDED TO A DOMAIN CLOSED Resolved in:
    QRadar 7.3.1 Patch 7 (7.3.1.20181123182336)
    QRadar 7.3.2 (7.3.2.20190201201121)

    Workaround: From the Admin tab, open the Domain Management interface, select the Log Sources you would like to add, then add the log sources manually.

    It has been identified that adding Log Source Groups to a Domain does not cause the log sources contained inside the Log Source Group or its subgroups to inherit that Domain membership, even if the Log Source is not within another Domain.
    15 August 2019
    SECURITY BULLETIN CVE-2019-10072 APACHE TOMCAT AS USED IN IBM QRADAR SIEM IS VULNERABLE TO A DENIAL OF SERVICE CLOSED Resolved in QRadar 7.3.2 Patch 4 (7.3.2.20190803012943) 15 August 2019
    BACKUP / RECOVERY IJ18357 CHANGE TO FILE PERMISSION ON GEOLITE2-CITY.MMDB CAN OCCUR AFTER A CONFIG RESTORE AND DEPLOY IS SUCCESSFULLY PERFORMED OPEN: Reported in QRadar 7.3.2 Patch 4 Contact Support for a possible workaround that might address this issue in some instances.

    It has been identified that in some instances, the file permissions for /store/configservices/deployed/globalconfig/GeoLite2-City.mmdb can be changed from "nobody nobody" to "root root" after a successful Configuration Restore and a Deploy Changes has been performed. When this issue occurs, permission errors can be observed in the logs when users attempt to save changes from the Admin > System Settings window in QRadar. Messages similar to the following might be visible in /var/log/qradar.log:
    [tomcat.tomcat][LocationUtils_Timer]
    com.q1labs.core.shared.location.LocationUtils:
    [ERROR][-/- -]Error occurred while reloading the LocationUtils database
    [tomcat.tomcat] [LocationUtils_Timer] java.io.IOException: Destination
    '/store/configservices/deployed/globalconfig/GeoLite2-City.mmdb' exists
    but is read-only
    [tomcat.tomcat] [LocationUtils_Timer] at org.apache.commons.io.
       FileUtils.copyFile(FileUtils.java)
    [tomcat.tomcat] [LocationUtils_Timer] at org.apache.commons.io.
       FileUtils.copyFile(FileUtils.java)
    [tomcat.tomcat] [LocationUtils_Timer] at com.q1labs.core.shared.
       location.LocationUtils.getCorrectCurrentGeoLiteFile(LocationUtils.java)
    [tomcat.tomcat] [LocationUtils_Timer] at com.q1labs.core.shared.location.
       LocationUtils.reload(LocationUtils.java)
    [tomcat.tomcat] [LocationUtils_Timer] at com.q1labs.core.shared.location.
       LocationUtils$LocationUtilsReloadTask.run(LocationUtils.java)
    [tomcat.tomcat] [LocationUtils_Timer] at
       java.util.TimerThread.mainLoop(Timer.java)
    [tomcat.tomcat] [LocationUtils_Timer] at
       java.util.TimerThread.run(Timer.java)
    15 August 2019
    SCAN RESULTS IJ16518 QRADAR VULNERABILITY MANAGER (QVM) SCAN RESULT RECORDS LISTED IN THE USER INTERFACE ARE NEVER PURGED CLOSED Resolved in QRadar 7.4.1 (7.4.1.20200716115107)

    Workaround
    No workaround available.

    Issue
    It has been identified that vulnerability scan result records that are listed in the User Interface continue to be displayed after the 'Purge Scan Results After Period' setting has purged the backend data.
    31 May 2019
    OFFENSES IJ16941 OFFENSES CAN FAIL TO GENERATE WHEN EXPECTED, WHEN SPILLOVER FROM MEMORY TO DISK DURING CACHING OCCURS CLOSED Resolved in QRadar 7.3.2 Patch 4 (7.3.2.20190803012943)

    It has been identified that Offenses can be slow to generate, or fail to generate when expected, when QRadar experiences a cache spillover from memory to disk. Messages similar to the following might be visible in /var/log/qradar.log when this specific issue occurs:
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000050540]
    com.q1labs.frameworks.cache.ChainAppendCache:
    [WARN][-/- -]TargetIPtoID is experiencing heavy COLLISIONS
    exceeding configured threshold (this may have negative
    performance impact) threshold = 5.0
    average collisions = 7.0
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000050540]
    com.q1labs.frameworks.cache.ChainAppendCache:
    [WARN][-/- -]LightTarget is experiencing heavy COLLISIONS
    exceeding configured threshold (this may have negative
    performance impact) threshold = 5.0
    average collisions = 6.0
    19 June 2019
    TUNNELS / DEPLOY CHANGES IJ00025 DEPLOY FUNCTION CAN SOMETIMES FAIL DUE TO TUNNELS NOT STARTING CORRECTLY WHEN ENCRYPTION IS ENABLED CLOSED Resolved in QRadar 7.3.2 Patch 4 (7.3.2.20190803012943)

    It has been identified that on encrypted managed hosts running QRadar 7.3.0.x versions, the generate_tunnel_environment.sh script can sometimes fail to start tunnels correctly. When this occurs, there is no connectivity between QRadar Managed Hosts and the Console, causing deploys and all traffic between the Console and the encrypted Managed Hosts to fail.
    02 April 2018
    CUSTOM PROPERTIES / PARSE IN ADVANCE IJ16411 QRADAR DEPENDENCY CHECKER CAN FAIL WHEN USERS WITH NO LOCALE CONFIGURED ATTEMPTS TO MODIFY A CUSTOM EVENT PROPERTY CLOSED Resolved in QRadar 7.3.2 Patch 4 (7.3.2.20190803012943)

    Workaround: Have the user configure a user locale and retry the "un-select" for the Custom Event Property.

    It has been identified that the QRadar dependency checker can launch when the "Parse in advance for rules, reports and searches" check box is cleared from the Property Definition section in the user interface, and can generate an error message "1.Found Custom Rules: 0" or "2. Error occured while finding Ariel Indexing". This issue can occur in cases where the QRadar user who created the custom property has no locale configured. Messages similar to the following might be visible in /var/log/qradar.error when this issue occurs:
    [tomcat.tomcat] [pool-1-thread-10]
    com.q1labs.core.shared.datadeletion.task.FindDependentsTask:
    [ERROR][-/- -]Error trying to find Dependents
    for id: [347902bb-f6c0-4b07-9791-f3a8b0a94f17],
    and type: EVENT_REGEX_PROPERTY_DEPENDENCY
    [tomcat.tomcat] [pool-1-thread-10]
    java.lang.NullPointerException
    [tomcat.tomcat] [pool-1-thread-10] at
    java.util.Locale.(Locale.java)
    [tomcat.tomcat] [pool-1-thread-10] at
    java.util.Locale.(Locale.java)
    [tomcat.tomcat] [pool-1-thread-10] at com.q1labs.core.shared.datadependency.CustomPropertyDependency.getArielIndexingByPropertyId(CustomPropertyDependency.java)
    [tomcat.tomcat] [pool-1-thread-10] at com.q1labs.core.shared.datadependency.CustomPropertyDependency.getUsage(CustomPropertyDependency.java)
    28 May 2019
    FLOWS / SIGNATURES IJ17359 MANUAL CHANGES MADE TO SIGNATURES.XML ARE OVERWRITTEN DURING AN AUTOUPDATE FUNCTION CLOSED Closed as a documentation issue.

    Users who include custom signature values for source and destination ports to identify flow traffic should ensure that they have a signature ID (sigid) defined in their signatures.xml file to prevent the auto update from discarding the change. Customers can use a sigid value of 3000 or above to denote custom changes to the signatures.xml file. Including the sigid value prevents xmldiff from merging signatures.xml changes with the autoupdate version of the signatures.xml file when updates occur. For an example of including new source and destination ports for signature detection, see this technical note: QRadar: Detecting SMB1 & SMBv2 Traffic with QFlow (Updated)

    Issue: It has been identified that when manual changes are made to signatures.xml using the Technote documented methods to preserve the changes, an AutoUpdate function overwrites the manual changes anyway.
    09 August 2019
    REPORTS IJ16290 A REPORT RUN ON RAW DATA CAN FAIL WITH 'STRING INCOMPATIBLE WITH COM.Q1LABS.FRAMEWORKS.NIO.COMPOSITEKEY' IN LOGGING OPEN: Reported in multiple QRadar versions No workaround available.

    It has been identified that performing a "Run Report on RAW data" can fail and output an error to /var/log/qradar.log similar to the following:
    [report_runner] [main] com.q1labs.cve.aggregation.props.AggregatedRecordKeyProperty:
    [ERROR][-/- -]About to cast key = IPADDRESS.hostname.lab:ecs-ec/EC/Processor2 to CompositeKey
    [report_runner] [main] com.q1labs.reporting.ReportServices:
    [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]java.lang.String incompatible with com.q1labs.frameworks.nio.CompositeKey
    [report_runner] [main] java.lang.ClassCastException: java.lang.String incompatible with com.q1labs.frameworks.nio.CompositeKey
    [report_runner] [main] at com.q1labs.cve.aggregation.props.AggregatedRecordKeyProperty.createKey(AggregatedRecordKeyProperty.java)
    [report_runner] [main] at com.q1labs.cve.aggregation.props.AggregatedRecordKeyProperty.createKey(AggregatedRecordKeyProperty.java)
    [report_runner] [main] at com.q1labs.cve.resultset.CVEResultSet.getObject(CVEResultSet.java)
    [report_runner] [main] at com.q1labs.cve.resultset.CVEResultSet.getLong(CVEResultSet.java)
    [report_runner] [main] at com.q1labs.cve.resultset.CVEResultSet.getLong(CVEResultSet.java)
    [report_runner] [main] at com.q1labs.dal.charts.SQLChart.getChartDataForTimeSeries(SQLChart.java)
    [report_runner] [main] at com.q1labs.dal.charts.SQLChart.getChartData(SQLChart.java)
    [report_runner] [main] at com.q1labs.dal.charts.AbstractChart.createChart(AbstractChart.java)
    [report_runner] [main] at com.q1labs.dal.charts.SQLChart(SQLChart.java)
    [report_runner] [main] at com.q1labs.dal.charts.SQLChart(SQLChart.java)
    [report_runner] [main] at com.q1labs.reporting.charts.ArielChart.processResultSet(ArielChart.java)
    [report_runner] [main] at com.q1labs.reporting.charts.ArielChart.getData(ArielChart.java)
    [report_runner] [main] at com.q1labs.reporting.Chart.getXML(Chart.java)
    [report_runner] [main] at com.q1labs.reporting.Report.createData(Report.java)
    [report_runner] [main] at com.q1labs.reporting.Report.process(Report.java)
    [report_runner] [main] at com.q1labs.reporting.ReportRunner.main(ReportRunner.java)
    15 May 2019
    RULES / NETWORK HIERARCHY IJ16173 IPV6 NETWORK HIERARCHY GENERATES A NULLPOINTEREXCEPTION WHEN A RULE IS BASED OFF A NETWORK DEFINED IN REMOTENET.CONF OPEN: Reported in QRadar 7.3.2 No workaround available.

    It has been identified that an IPv6 Network Hierarchy can sometimes throw NullPointerException errors in QRadar logging when a rule is based off a network defined in remotenet.conf. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [ecs-ep.ecs-ep] [CRE Processor [0]] com.q1labs.semsources.cre.CustomRule:
    [ERROR][-/- -]Exception in rule 1496 - Connection to a Remote Proxy or Anonymization Service (Outbound): null
    [ecs-ep.ecs-ep] [CRE Processor [0]] java.lang.NullPointerException
    [ecs-ep.ecs-ep] [CRE Processor [0]] at com.q1labs.semsources.cre.tests.NetworkViewAny.match(NetworkViewAny.java)
    [ecs-ep.ecs-ep] [CRE Processor [0]] at com.q1labs.semsources.cre.tests.NetworkView.testAny(NetworkView.java)
    [ecs-ep.ecs-ep] [CRE Processor [0]] at com.q1labs.semsources.cre.tests.gen.NetworkView_AnyAny.test(NetworkView_AnyAny.java)
    [ecs-ep.ecs-ep] [CRE Processor [0]] at com.q1labs.semsources.cre.tests.NetworkView_Test.test(NetworkView_Test.java:56)
    [ecs-ep.ecs-ep] [CRE Processor [0]] at com.q1labs.semsources.cre.gen.TestExecutor_0_4.test(TestExecutor_0_4.java)
    [ecs-ep.ecs-ep] [CRE Processor [0]] at com.q1labs.semsources.cre.CustomRule.test(CustomRule.java)
    [ecs-ep.ecs-ep] [CRE Processor [0]] at com.q1labs.semsources.cre.CustomRule.test(CustomRule.java)
    [ecs-ep.ecs-ep] [CRE Processor [0]] at com.q1labs.semsources.cre.CustomRuleSetExecutor.testRule(CustomRuleSetExecutor.java)
    [ecs-ep.ecs-ep] [CRE Processor [0]] at com.q1labs.semsources.cre.CustomRuleSetExecutor.test(CustomRuleSetExecutor.java)
    [ecs-ep.ecs-ep] [CRE Processor [0]] at com.q1labs.semsources.cre.LocalRuleExecutor.processEventInPropertyMode(LocalRuleExecutor.java)
    [ecs-ep.ecs-ep] [CRE Processor [0]] at com.q1labs.semsources.cre.LocalRuleExecutor.processEvent(LocalRuleExecutor.java)
    [ecs-ep.ecs-ep] [CRE Processor [0]] at com.q1labs.semsources.cre.CREEventProcessor.processEvent(CustomRuleEngine.java)
    [ecs-ep.ecs-ep] [CRE Processor [0]] at com.q1labs.semsources.cre.CREEventProcessor.run(CustomRuleEngine.java)
    15 May 2019
    UPGRADE IJ16080 PATCHING QRADAR PACKET CAPTURE TO 7.3.1B322 CAN FAIL TO MOUNT /DEV/SDB1 PARTITION AFTER REBOOT OPEN: Reported in QRadar Packet Capture 7.3.1b322 Contact Support for a possible workaround that might address this issue in some instances.

    It has been identified that after patching QRadar Packet Capture appliance to 7.3.1b322, the /dev/sdb1 partition does not mount after reboot.
    16 May 2019
    DATABASE / DATA IJ16063 QRADAR PACKET CAPTURE APPLIANCE NOT STORING NETWORK DATA AS EXPECTED DUE TO MONGODB PROCESS FAILURE OPEN: Reported in QRadar Packet Capture 7.3.1b322 No workaround available.

    It has been identified that in some instances a PCAP appliance appears to be storing network data, but any attempt to do a PCAP search (natively or as a Forensics Recovery) shows 0 results.

    The required mongod process can coredump and sometimes fails to restart due to a pid/lock file issue. Messages similar to the following might be visible in /var/log/messages when this particular issue occurs:
    abrt[5377]: Saved core dump of pid 5277
    (/usr/local/mongodb-linux-x86_64-3.4.1/bin/mongod) to
    /var/spool/abrt/ccpp-2019-02-28-16:28:41-5277 (215597056 bytes)
    abrtd: Directory 'ccpp-2019-02-28-16:28:41-5277' creation detected
    abrtd: Executable '/usr/local/mongodb-linux-x86_64-3.4.1/bin/mongod'
    doesn't belong to any package and ProcessUnpackaged is set to 'no'
    abrtd: 'post-create' on'/var/spool/abrt/ccpp-2019-02-28-16:28:41-5277' exited with 1
    abrtd: Deleting problem directory '/var/spool/abrt/ccpp-2019-02-28-16:28:41-5277'
    16 May 2019
    LICENSE IJ16043 PCAP LICENSE REPORTS AS "EVALUATION" ON INSTALLATIONS OF VERSION 730B307+ THAT ARE PATCHED UP TO 731B322 OPEN: Reported in QRadar Packet Capture 7.3.1b322 No workaround available.

    It has been identified that when a valid PCAP license is applied to PCAP version 730b307+ that has been patched up to 731b322, the license that was displaying as "permanent" at the earlier version changes to displaying as "evaluation".
    16 May 2019
    PCAP EXPORT / PERMISSIONS IJ16042 QRADAR INCIDENT FORENSICS USER WITH SYSTEM ADMIN ROLE THAT IS NOT THE 'ADMIN' USER CANNOT PERFORM DOWNLOAD OF A PCAP FROM THE USER INTERFACE CLOSED Resolved in QRadar 7.3.2 Patch 4 (7.3.2.20190803012943)

    Workaround: Create another user without the "System Admin" role. Log in with the newly created user to complete the recovery and download the pcap file.

    It has been identified that a QRadar user that has the "System Admin" role but is not the user "admin" cannot successfully perform a PCAP download. A message similar to the following is displayed when the download is attempted:
    Error "Failed to load resource; the server responded with a
    status of 400 (Bad Request)" or "...404 (Not Found)".
    24 May 2019
    DOMAINS / MULTITENANCY IJ16001 INCONSISTENT BEHAVIOR IN DOMAIN ENVIRONMENTS WITH HOW DISPATCHED EVENTS AND OFFENSES ARE OCCURRING CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

    It has been identified that in a domain environment, there is an inconsistency in how dispatched events and offenses are tagged and handled. For example, either of the following can occur:
    • The dispatched events, networks, and offenses are generated in the Default Domain.
    • The dispatched events, networks, and offenses are in the same domain as the original domain events.
    19 August 2019
    TOPOLOGY / RISK MANAGER IJ15529 DISPLAY OF THE TOPOLOGY SCREEN IS ALWAYS BASED ON ADMIN USER SET OPEN: Reported in QRadar Risk Manager (QRM) 7.3.1 versions No workaround available.

    It has been identified that when the Topology screen is selected, the displayed topology is based on the topology properties that are set by the admin user. Another user can edit and save the properties, but the displayed topology continues to use the admin user properties.
    18 April 2019
    VULNERABILITY SCAN IMPORT / SERVICE IJ15513 IMQ PROCESS CAN GO OUT OF MEMORY WHEN IMPORTING A LARGE AMOUNT OF SCAN RESULTS OPEN: Reported in multiple QRadar versions No workaround available.

    It has been identified that importing a large amount of scan results can sometimes cause the imq process on a QRadar Console to experience an Out of Memory occurrence. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    tomcat[31977]: 05-Feb-2019 10:58:40.758 WARNING
    [configservices@127.0.0.1 (2778) /console/JSON-RPC
    System.postScanResponse]
    com.sun.messaging.jmq.jmsclient.ExceptionHandler.logCaughtException [I500]: Caught JVM Exception:
    com.sun.messaging.jms.JMSException: [ADD_PRODUCER_REPLY(19)]
    [C4036]: A broker error occurred. :[500] Low memory
    user=qradar, broker=127.0.0.1:7676(7677)
    [tomcat.tomcat] [configservices@127.0.0.1 (2778)
    /console/JSON-RPC System.postScanResponse]
    com.q1labs.rpcservices.VisServices:
    [ERROR][-/- -]Failed to post jms message
    [tomcat.tomcat] [configservices@127.0.0.1 (2778)
    /console/JSON-RPC System.postScanResponse]
    com.sun.messaging.jms.JMSException: [ADD_PRODUCER_REPLY(19)]
    [C4036]: A broker error occurred. :[500] Low memory
    user=qradar, broker=127.0.0.1:7676(7677)
    [tomcat.tomcat] [configservices@127.0.0.1 (2778)
    /console/JSON-RPC System.postScanResponse]    at
    com.sun.messaging.jmq.jmsclient.ProtocolHandler.throwServerErrorException(ProtocolHandler.java:4093)
    [tomcat.tomcat] [configservices@127.0.0.1 (2778)
    /console/JSON-RPC System.postScanResponse]    at
    com.sun.messaging.jmq.jmsclient.ProtocolHandler.createMessageProducer(ProtocolHandler.java:1353)
    [tomcat.tomcat] [configservices@127.0.0.1 (2778)
    /console/JSON-RPC System.postScanResponse]    at
    com.sun.messaging.jmq.jmsclient.ProtocolHandler.createMessageProducer(ProtocolHandler.java:1247)
    [tomcat.tomcat] [configservices@127.0.0.1 (2778)
    /console/JSON-RPC System.postScanResponse]    at
    com.sun.messaging.jmq.jmsclient.ProtocolHandler.createMessageProducer(ProtocolHandler.java:1241)
    23 April 2019
    REPORTS / AQL IJ15497 FLOW SOURCE COLUMN AND FLOW INTERFACE COLUMN CAN DISPLAY 'HOST_NAME" INSTEAD OF THE EXPECTED HOSTNAME OPEN: Reported in QRadar 7.3.1 versions No workaround available.

    It has been identified that the output in a report graph is ordered by event count instead of date as in the AQL that is used in the report. For example:
    1. Create a saved search using the following AQL query and provide a name to the search:
      Select DATEFORMAT(starttime, 'MM/dd/yyyy (E)') as "Date",
      SUM(eventcount) as "Event Count" from events WHERE qid =
      1003000005 Group by "Date" ORDER BY "Date" ASC last 7 DAYS
    2. Create a report with the following settings:
      • Chart type: Events/Log
      • Saved search: Type the query name created in step #1
      • Graph type: Bar
      • limit event/log to top: 50
      • Horizontal axis: Date
      • Vertical axis: Event Count
    3. Run the report.

      Results
      The report output is ordered by event count, instead of the ORDER BY "date" as defined in the advanced query (AQL).
    26 April 2019
    OFFENSES / COUNTS IJ15472 EVENT COUNT NUMBERS DOESN'T MATCH IN THE OFFENSE DETAILS SCREEN ON CLICKING THE EVENT/FLOW COUNT OPEN: Reported in QRadar 7.3.1 Patch 4 No workaround available.

    It has been identified that the Event count in the Offense details screen does not match with the event count displayed when clicking the event/flow count. Rules using "when at least this many events are seen with the same event properties in this many minutes condition" are not matching the Event/Flow count in an Offense versus the Ariel search list of Events/Flows.
    23 April 2019
    DEVICE SUPPORT MODULE (DSM) IJ15445 CISCO ASA EVENTS CAN BE MISIDENTIFIED AS A POSSIBLE SECURITY INCEDENT DUE TO FLIPPED SOURCE AND DESTINATION IP OPEN: Reported in DSM-CiscoFirewallDevices-7.3-20181220154136.noarch No workaround available.

    It has been identified that Cisco ASA 'Teardown TCP Connection' events are being misinterpreted as a potential security incident because the source and destination IP address are being flipped by QRadar. This issue can cause Rules/Offenses to be incorrectly fired/generated.
    31 July 2019
    DATA NODE IJ15414 OUT OF MEMORY OCCURRENCES ON DATANODE APPLIANCES CAN BE EXPERIENCED DUE TO DEFAULT JVM SETTINGS BEING USED CLOSED Resolved in QRadar 7.3.2 Patch 4 (7.3.2.20190803012943)

    It has been identified that Data Node appliances can be using default JVM memory settings instead of the QRadar tuned settings. When this issue occurs, "Out of Memory" errors can sometimes be experienced on affected Data Node appliances.
    13 May 2019
    QRADAR VULNERABILITY MANAGER / ASSETS IJ15360 ASSET VIEW DISPLAYS DIFFERENT VULNERABILITY COUNT VS THE ASSET SUMMARY VIEW WHEN QVM EXCEPTION VULNERABILITIES IS USED OPEN: Reported in QRadar 7.3.1 Patch 7 and 7.3.2 Patch 1 No workaround available.

    It has been identified that the Asset View screen displays a different Vulnerability count compared to the Asset Summary view screen when QVM exception vulnerabilities are used. Details:
    1. The vulnerabilities count on the asset list page and the asset summary page do not match.
    2. The Vulnerabilities Count on the asset view page includes excluded/exceptioned vulnerabilities, whereas the exceptioned vulnerabilities are not included in the asset summary page.
    3. Users expect to view x number of VULNs as displayed in the asset list page, but the number appears to be lower (x minus vuln exclusions) inside the asset summary screen.
    11 April 2019
    REPORTS IJ15337 'APPLICATION ERROR: AN ERROR HAS OCCURED' WHEN OPENING AN EMAIL LINK TO DOWNLOAD AN EXPORTED REPORT CLOSED Resolved in QRadar 7.3.2 Patch 3 (7.3.2.20190705120852)

    Workaround: When you receive the email, navigate to /store/exports on the QRadar Console and copy the file directly from the directory.

    It has been identified that a message similar to "Application Error: an error has occurred." can be generated when clicking on an email link to an exported report. For example:
    1. Export a QRadar search and select Notify me when complete.
    2. Users receive the following notification email:
      Your export job has completed. The file size exceeds the email attachment limit, you can download the results using the link below.
      *Note that the link is valid for one download only. https://{ipaddress}/console/exportData?jobId=xxxx-xxxx-xxxx-xxx-xxxx
    3. When the user attempts to download the export with the provided link, an error message is generated: Application Error: an error has occurred.
    26 April 2019
    API / OFFENSES IJ15331 QRADAR OFFENSE API INEFFICIENCIES CAN CAUSE HIGHER THAN EXPECTED APPLIANCE SYSTEM LOAD CLOSED Resolved in
    QRadar 7.4.1 (7.4.1.20200716115107)
    QRadar 7.3.1 Patch 8 (7.3.1.20190228154648)

    Workaround
    No workaround available.

    Issue
    It has been identified that inefficiencies in the QRadar Offense API (/api/siem/offenses) endpoint around processing security permissions can cause a higher than expected CPU usage and processing time.
    26 April 2019
    HIGH AVAILABILITY (HA) IJ15328 HIGH AVAILABILITY APPLIANCE SHOWS AS FAILED STATE WHEN /TMP PARTITION AT 100% USAGE CAUSES CONF FILE TRUNCATION CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)
    QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722)

    Workaround
    Administrators can install a software version that resolves this software issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances.

    Issue
    It has been identified that a High Availability (HA) appliance can display in failed state due to the /tmp partition filling to 100% usage. When this 100% /tmp usage situation occurs, the drbd.conf and ha.conf files, needed for proper HA functionality, can become truncated.
    26 November 2020
    OFFENSES / ANOMALY RULE IJ15298 ANOMALLY DETECTION ENGINE (ADE) RULES FIRE 2 OFFENSES INSTEAD OF 1 WHEN DEFAULT RULE RESPONSES ARE CONFIGURED OPEN: Reported in QRadar 7.3.2 No workaround available.

    It has been identified that enabled Anomaly Detection Engine (ADE) rules that are configured with the default Rule Response settings can see two offenses generated instead of one from a rule being fired. For example, when this issue occurs users might see the following:
    1. The offense that is expected to be seen.
    2. A second offense that is based off the Offense Source: Anomaly - Event CRE.
    11 April 2019
    WINCOLLECT IJ15297 MANAGED WINCOLLECT AGENTS DO NOT RECEIVE CONFIG UPDATES WHEN USING 'ENCRYPT HOST CONNECTIONS' IN CONSOLE SETTINGS OPEN: Reported in WinCollect 7.2.8 Patch 2 (7.2.8-145) No workaround available.

    It has been identified that Managed WinCollect agents do not receive Config Updates if "Encrypt Host Connections" is selected under the "Console" appliance settings (System and License Management).

    NOTE: "Encrypt Host Connections" has no benefit when this check box is selected on the QRadar Console appliance. This setting is specific to non-Console / managed host appliances and enables SSH tunnels for communication to managed hosts for data requested by the Console.
    10 May 2019
    RULES / RULE WIZARD IJ15295 CUSTOM/AQL ARITHMATIC PROPERTY IS NOT AVAILABLE TO SELECT IN THE RULE STACK TEST PAGE WHEN CREATING AN ANOMALY RULE IN THE RULE WIZARD OPEN: Reported in QRadar 7.3.1 Patch 7 No workaround available.

    It has been identified that the sum of two fields is not getting populated for the "Accumulated property" at the Anomaly Rule Wizard > Rule Test Stack Editor page and a message "There are parameters in the test stack which have not been specified" is displayed. To reproduce or verify this issue, see the procedure below.
    1. In the Network Activity tab, run the following advanced search:
      SELECT sourceip, SUM(sourcebytes+destinationbytes) AS TotalBytes FROM flows WHERE sourceip='IP_Address_Console' GROUP BY sourceip ORDER BY TotalBytes
    2. Save the criteria.
    3. Click Rule > Add Anomaly Rule.
    4. At the Rule Test Stack Editor, add the rule:
      Apply The_rule_Name when time series data is being aggregated by sourceip, TotalBytes and when the average value (per interval) of this accumulated property over the last 1 min
      Is at least 40% different from the average value (per interval) of the same property over the last 24 hours.
    5. Click on this accumulated property.
    6. Select the Accumulated Property for the anomaly:
      Test:SUM(AddDouble(DestinationBytes, SourceBytes))
    7. Click Submit, then Next.

      Results
      The error message: There are parameters in the test stack which have not been specified is generated in the User Interface.

    Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [tomcat.tomcat] [admin@127.0.0.1 (5048)
    /console/do/rulewizard/saveCustomizeConditionParameter]
    com.q1labs.sem.ui.util.RuleConditionUtils: [WARN]
    [-/- -]No lookup results found for user selection(s)
    SUM(SubtractDouble(SourceBytes, SourcePackets)) for method
    com.q1labs.ariel.ui.RuleWizardUtils.getAggregatedSearchFields
    09 April 2019
    WINCOLLECT IJ15236 CYRILLIC TEXT IS DECODED INCORRECTLY WHEN WINCOLLECT FILE FORWARDING FILE CONTENT USES WINDOWS-1251 FORMATTING CLOSED Closed as unreproducible in next release. Upon further investigation for this issue as reported in WinCollect 7.2.2-2, this issue is working in newer versions of WinCollect. WinCollect 7.2.9 was used to verify that the reported Cyrillic text issue could not be reproduced.

    When configuring the File Forwarder plugin on WinCollect, switch the File Reader Encoding setting to use UTF8 (no conversion). With this setting, the Cyrillic characters are displayed correctly in the payload on QRadar.
    26 July 2019
    ASSETS IJ15215 ASSET SAVED SEARCH CRITERIA THAT IS CONFIGURED AS DEFAULT CHANGES ON SUBSEQUENT RESULT PAGES OPEN: Reported in QRadar 7.3.1 Patch 6 No workaround available.

    It has been identified that asset saved search criteria that was set as the default reverts to the original default values when viewing subsequent pages of returned results (e.g. page 2).
    11 April 2019
    HIGH AVAILABILITY (HA) IJ15214 HIGH AVAILABILITY FAILOVER CAN DISPLAY A GENERIC MESSAGE 'ERROR: COULDN'T UPDATE ROUTING TABLE' CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)

    Workaround
    No workaround available. Administrators must upgrade to resolve this software issue.

    Issue
    It has been identified that a required script fails at start_routing during a High Availability failover due to missing or incorrect network configuration file content. A default message similar to the following is displayed:
    ERROR: Couldn't update routing table.
    26 November 2020
    PROTOCOLS IJ15213 AUTOMATIC CERTIFICATE DOWNLOADER USES TLS 1.0 BY DEFAULT AND FAILS WHEN VENDOR HAS DISABLED TLS 1.0 OPEN: Reported as a Protocol Common RPM issue Contact Support for a possible workaround that might address this issue in some instances.

    It has been identified that the automatic certificate downloader attempts to communicate using TLS 1.0 by default. This fails when TLS 1.0 is disabled at the receiving end from which the certificate is obtained. Using Netskope as an example, the failure is displayed in /var/log/qradar.log as follows:
    [ecs-ec-ingress.ecs-ec-ingress] [Thread-34177]
    com.q1labs.semsources.sources.netskopeactiverestapi.NetskopeActiveRESTAPIProvider: [ERROR][-/--]Unable to download certificate chain from [example.goskope.com:443]
    [ecs-ec-ingress.ecs-ec-ingress] [Thread-34177]
    com.q1labs.semsources.sources.netskopeactiverestapi.NetskopeActiveRESTAPIProvider: [ERROR][-/--]An error occured when trying to configure a source connection for provider class com.q1labs.semsources.sources.netskopeactiverestapi.NetskopeActiveRESTAPIProvider254
    [ecs-ec-ingress.ecs-ec-ingress] [Thread-34177] java.lang.Exception: Server [[example.goskope.com:443] presented no certificate chain!
    [ecs-ec-ingress.ecs-ec-ingress] [Thread-34177] at com.q1labs.semsources.sources.utils.certificate.CertificateDownloader.getCertificate(CertificateDownloader.java)
    [ecs-ec-ingress.ecs-ec-ingress] [Thread-34177] at com.q1labs.semsources.sources.utils.certificate.CertificateDownloader.downloadCertificates(CertificateDownloader.java)
    [ecs-ec-ingress.ecs-ec-ingress] [Thread-34177] at com.q1labs.semsources.sources.utils.certificate.CertificateDownloader.downloadCertificates(CertificateDownloader.java)
    [ecs-ec-ingress.ecs-ec-ingress] [Thread-34177] at com.q1labs.semsources.sources.netskopeactiverestapi.NetskopeActiveRESTAPIProvider.checkCerts(NetskopeActiveRESTAPIProvider.java)
    [ecs-ec-ingress.ecs-ec-ingress] [Thread-34177] at com.q1labs.semsources.sources.netskopeactiverestapi.NetskopeActiveRESTAPIProvider.preExecuteConfigure(NetskopeActiveRESTAPIProvider.java:53)
    [ecs-ec-ingress.ecs-ec-ingress] [Thread-34177] at com.q1labs.semsources.sources.base.SourceProvider.run(SourceProvider.java:179)
    [ecs-ec-ingress.ecs-ec-ingress] [Thread-34177]
    com.q1labs.semsources.sources.netskopeactiverestapi.NetskopeActiveRESTAPISource: [ERROR][-/--] There appears to be a configuration issue with the provider connection 'class com.q1labs.semsources.sources.netskopeactiverestapi.NetskopeActiveRESTAPIProvider254'.
    27 May 2019
    AUTO UPDATE / PROXY IJ14781 AUTOUPDATE PROXY SETTING PASSWORD CONTAINING A ' # ' (POUND) OR ' ? ' (QUESTION MARK) SYMBOL BREAKS THE PROXY CALL OPEN: Reported in multiple QRadar versions No workaround available.

    It has been identified that when the AutoUpdate proxy password contains either a # (pound) or ? (question mark) symbol, it breaks the proxy call and can result in the password being displayed in autoupdate logs.
    24 May 2019
    UPGRADE / PRETEST IJ14475 QRADAR PATCH HANGS WHEN ONE OR MORE HOSTS IN THE DEPLOYMENT ARE UNREACHABLE CLOSED Resolved in QRadar 7.3.2 Patch 4 (7.3.2.20190803012943)

    It has been identified that during a QRadar patch, the patch can hang for a longer than expected period of time when one or more Managed Hosts in the Deployment are not reachable via SSH (network issue, powered off, etc.). When this issue occurs, the following error message can be displayed:
    Patch Report for {ApplianceIP}, appliance type: 3199
    Patch pretest 'Validate deployment hostnames' failed. (validate_hostname.sh)
    {Hostname} :  patch test failed.

    Press enter to continue...
    28 May 2019
    SEARCH / SERVICES IJ14442 ARIEL PROXY OUT OF MEMORY OCCURRENCES CAN BE OBSERVED WHEN LARGE SEARCHES WITH AGGREGATIONS ARE PERFORMED OPEN: Reported in QRadar 7.3.1 Patch 8 No workaround available.

    It has been identified that the ariel proxy service can experience Out of Memory occurrences when large searches are performed that include data aggregations (many columns, custom properties, etc.).

    When 'Out of Memory' occurrences are experienced with the ariel proxy service, java heap dumps (/store/jheap) can be examined by QRadar Support to identify whether these types of searches are the cause.
    01 May 2019
    LICENSE IJ14252 LARGE FLOW LICENSE CAN BE APPLIED TO QRADAR BUT ANY LICENSE AMOUNT OVER 1.2 MILLION FPM IS NOT HONORED BY QRADAR OPEN: Reported in QRadar 7.3.2 Patch 1 No workaround available.

    It has been identified that applying flow licensing of larger than 1.2 million flows per minute (FPM) is not honored by QRadar. The system is capped at the 1.2 million FPM amount.
    15 May 2019
    DISK SPACE IJ14139 LOGROTATE CAN FAIL TO RUN WHEN PARTITION IS FULL AND "ALERT EXITED ABNORMALLY WITH [1]" IN /VAR/LOG/MESSAGES CLOSED Resolved in QRadar 7.3.2 Patch 4 (7.3.2.20190803012943)

    It has been identified that logrotate can create a zero byte file in instances when the partition has filled and then subsequent logrotates fail. When this occurs, monitored partitions containing logs are more vulnerable to being filled.

    IMPORTANT: When disk usage of a monitored partition reaches 95%, QRadar data collection and search processes are shut down to protect the file system from reaching 100%. Messages similar to the following might be visible in /var/log/messages when this issue occurs:
    Feb 22 14:06:48 ip-191-172 logrotate: ALERT exited abnormally with [1]
    16 May 2019
    VULNERABILITY SCAN / SCAN TOOLS IJ14136 VULNERABILITY MANAGER SCANS DO NOT RESPECT CONFIGURED OPERATIONAL WINDOWS CLOSED Resolved in QRadar 7.4.1 (7.4.1.20200716115107)

    Workaround
    No workaround available.

    Issue
    It has been identified that QRadar Vulnerability Manager (QVM) scan tools that are launched within an operational window can continue to run beyond the end of the operational window.
    27 February 2019
    DEVICE SUPPORT MODULE (DSM) IJ13746 INCONSISTENT USER INTERFACE STATUS MESSAGES AND ISSUE WITH AUTO ACQUIRE CERTIFICATE USING THE OKTA RESTAPI PROTOCOL OPEN: Reported in QRadar 7.3.1 versions It has been identified that inconsistent and confusing status messages can sometimes be generated when using the Okta RESTAPI Protocol, along with functionality issues with the Auto Acquire Certificate option in the user interface.
    1. In some instances a Log Source which should throw an error stays as success. The error message for an Okta Log Source is recorded in qradar.error but nothing is shown in the User Interface (UI). When an error does appear for some Log Sources in the UI, it can change from Error -> Success within a few seconds (even when nothing is changed/refreshed for the Log Source).
    2. User interface status messages can be vague. For example: "Error communicating with remote Okta API resource". This general message can appear when there is a connection Drop/Rejected, when there is a wrong proxyIP, or when there is a wrong ProxyHost.
    3. When an error appears for any Log Source in qradar.error log, the debug log for that log source displays the message "status changed from HEARTBEAT to HEARTBEAT" repeatedly. Also observed can be message "Polling time has arrived. Will now try to execute quer(y|ies)" when the Log Source shouldn't be in HEARTBEAT once it throws the error.
    4. When setting incorrect Okta IP or Hostname while configuring an Okta Log source, an error message is generated in the qradar.error log (error displayed depends on whether you are using proxy or not).
      - When using proxy: nullpointerexception
      - When not using proxy the expected error message appears in the logs: "The Okta Remote IP or Hostname provided could not be reached."
    5. Proxy. Creating a Log Source with correct proxy information, then updating it with an incorrect proxy password: No error is thrown and events are received without issue.
    6. API. There is UI validation for proxyServer, proxyUsername, and proxyPassword which restricts entering more than 255 characters. There is no restricton in API for proxyServer, proxyUsername, and proxyPassword that restricts entering more than 255 characters. Based on the sensorprotocolparameter proxyPort is required but proxy username is not required. Also proxyPassword is required, but proxy username is not required. If proxy port is required it becomes necessary to havve proxy IP as required and likewise if proxy password is required the proxy username should also be required.
    26 February 2019
    EMAIL IJ13589 SETTING A LARGE 'MAX EMAIL ATTACHMENT SIZE' CAN PREVENT POSTFIX FROM STARTING OPEN: Reported in QRadar 7.3.1 and 7.3.2 versions Workaround: Lower the "Max Email Attachment Size" limit in the QRadar User Interface: Admin tab > System Settings.

    It has been identified that setting "Max Email Attachment Size" in QRadar "System Settings" to a large number can prevent Postfix from starting. Postfix has mailbox_size_limit and message_size_limit configuration properties, and a large attachment size can push message_size_limit above mailbox_size_limit. Messages similar to the following might be visible in maillog when this issue occurs:
    fatal: main.cf configuration error:
    mailbox_size_limit is smaller than message_size_limit
    15 May 2019
    AUTHENTICATION / LDAP IJ13588 LDAP GROUP BASED AUTHENTICATION: 'SORRY, AN ERROR OCCURRED' WHEN A SECURITY PROFILE OR USER ROLE HAS AN '&' IN THE NAME OPEN: Reported in QRadar 7.3.1 and 7.3.2 versions Workaround: Change the name of the user role or security profile to use "and" instead of the '&' (ampersand) symbol.

    It has been identified that when user roles or security profiles have an '&' (ampersand) in their name (e.g. R&D or Systems & Networking) and LDAP-based authentication is then configured, those security profiles or user roles are not visible, nor are any others that come after them.
    15 May 2019
    HIGH AVAILABILITY (HA) IJ13486 REMOVE HA (HIGH AVAILABILITY) PROCESS CAN FAIL WHILE PERFORMING A PID CHECK ON THE HA_SETUP SCRIPT OPEN: Reported in QRadar 7.3.1 Patch 6 Contact Support for a possible workaround that might address this issue in some instances.

    It has been identified that attempting to perform a Remove HA (High Availability) from within the QRadar User Interface can sometimes fail when performing a PID check on the ha_setup script. This has been observed when a Deploy function is in progress when the Remove HA is performed. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [hostcontext.hostcontext] [Thread-1885552] ComponentOutput:
    [ERROR] [NOT:0000003000][127.0.0.1/- -] [-/- -]ErrorStream
    ha_setup.sh: Jan 29 10:35:10: [HA Setup (S-M----)] [ERROR]
    Another instance of the HA setup script is already running.
    [hostcontext.hostcontext]
    [xxxxx-xxxx-xxxx-xxx-xxxxxxx/SequentialEventDispatcher]
    com.q1labs.configservices.controller.ServerHostStatusUpdater:
    [INFO] [NOT:0000006000][127.0.0.1/- -] [-/- -]Sent update
    status of host 127.0.0.1 to REMOVED_FAILED
    15 May 2019
    SCAN / CENTRALIZED CREDENTIALS IJ13412 WARNING ICON DISPLAYED NEXT TO A SCAN RESULT WHEN SNMP COMMUNITY STRING IS DEFINED IN CENTRALIZED CREDENTIALS OPEN: Reported in QRadar 7.3.1 Patch 7 Workaround: Use the Additional Credentials tab rather than Centralized Credentials.

    It has been identified that when an SNMP community string is used for scans via Centralized Credentials, an error (yellow warning triangle icon) is displayed next to the scan results. The results can differ from those obtained with the SNMP community string set in the Additional Credentials tab when creating a Scan Profile.
    12 February 2019
    HIGH AVAILABILITY (HA) IJ13410 HIGH AVAILABILITY SECONDARY APPLIANCE DEPLOY CAN FAIL WITH 'ANOTHER INSTANCE OF THE HA SETUP SCRIPT IS ALREADY RUNNING' OPEN: Reported in QRadar 7.3.0 and 7.3.1 versions No workaround available.

    It has been identified that when multiple deploys occur to a QRadar High Availability (HA) Secondary appliance (can sometimes happen with Autoupdate), a message similar to "Another instance of the HA setup script is already running. Skipping HA deploy operation." and a /opt/qradar/ha/.local_ha_failed token can be generated. When this situation occurs, the HA Secondary appliance can become unresponsive.
    13 May 2019
    SEARCH / GEOGRAPHIC DATA IJ13408 INCONSISTENT RESULTS FROM A SAVED SEARCH RUN AGAINST GEO DATA VS A REPORT RUN OFF THAT SAME SAVED SEARCH OPEN: Reported in QRadar 7.3.1 Patch 5 Interim Fix 01 No workaround available.

    It has been identified that a Saved Search run against geo data returns less data than a Report running off that same Saved Search. Some of the data correlates between the Search results and the Report results, but some data entries are missing from the Search results.
    12 February 2019
    CUSTOM PROPERTIES IJ13320 CUSTOM PROPERTY DEFINITION WINDOW 'LOG SOURCE FILTER' CANNOT ACCESS/DISPLAY ANY LOG SOURCES OPEN: Reported in QRadar 7.3.1 Patch 7 Contact Support for a possible workaround that might address this issue in some instances.

    It has been identified that when in the Custom Property Definition window and attempting to use the Select Log Source option from within Property Expression Definition, no Log Sources are displayed. For example:
    1. Open the Admin tab.
    2. Open the "Custom Event Properties" window, and select any CEP from within the window.
    3. Click on either the Edit or Add button.
    4. In the "Custom Property Definition" window -> Property Expression Definition -> Select Log Source Type (e.g. "Microsoft Windows Security Event Log" or "Universal DSM").
    5. Nothing is displayed in the log source.
    6. Put a Log Source name in "Log Source Filter". Same result, nothing is displayed.
    28 May 2019
    LICENSE IJ13319 LICENSE POOL MANAGEMENT CAN DISPLAY "N/A" FOR THE EPS RATE FOR SOME HOSTS WITH A NULL POINTER EXCEPTION IN THE LOGS OPEN: Reported in QRadar 7.2.8 and later versions No workaround available.

    It has been identified that in some instances the EPS rate for a host can display as "N/A" in the License Pool Management window. This has most often been observed with High Availability hosts. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs. Note that the Global View (GV) number can vary in the log messages:
    {hostname}[hostcontext.hostcontext]
    [xxxx-xxxx-xxx-xxx-xxxxxxxx/SequentialEventDispatcher]
    com.q1labs.hostcontext.licensing.LicenseMonitor: [INFO]
    [NOT:0000006000][Con.sol.eIP.20/- -] [-/- -]Following message
    suppressed 1 times in 300000 milliseconds
    {hostname}[hostcontext.hostcontext]
    [xxxx-xxxx-xxx-xxx-xxxxxxxx/SequentialEventDispatcher]
    com.q1labs.hostcontext.licensing.LicenseMonitor: [ERROR]
    [NOT:0000003000][Con.sol.eIP.20/- -] [-/- -]Cannot retrieve
    data for GV_10023_HOURLY
    {hostname}[hostcontext.hostcontext]
    [xxxx-xxxx-xxx-xxx-xxxxxxxx/SequentialEventDispatcher]
    java.lang.NullPointerException
    {hostname}[hostcontext.hostcontext]
    [xxxx-xxxx-xxx-xxx-xxxxxxxx/SequentialEventDispatcher]
    at com.q1labs.hostcontext.licensing.Statistics.getIP(Statistics.java)
    {hostname}[hostcontext.hostcontext]
    [xxxx-xxxx-xxx-xxx-xxxxxxxx/SequentialEventDispatcher]
    at com.q1labs.hostcontext.licensing.Statistics.updateEPSorFPS(Statistics.java)
    {hostname}[hostcontext.hostcontext]
    [xxxx-xxxx-xxx-xxx-xxxxxxxx/SequentialEventDispatcher]
    at com.q1labs.hostcontext.licensing.Statistics.getEpsFps(Statistics.java)
    06 February 2019
    UPGRADE / HIGH AVAILABILITY (HA) IJ13316 OFFENSE INDEXING ON A CUSTOM EVENT PROPERTY (CEP) THAT HAS A UTF 0X00 (NULL) VALUE CAN CAUSE OFFENSES TO STOP GENERATING CLOSED Resolved in
    QRadar 7.4.2 Fix Pack 2 (7.4.2.20210120225428)
    QRadar 7.4.1 Fix Pack 2 (7.4.1.20201112005343)
    QRadar 7.3.3 Fix Pack 7 (7.3.3.20210111145446)
    QRadar 7.3.3 Fix Pack 6 (7.3.3.20201205215722)

    Workaround
    • Identify the rule that was triggered at the time the error log shown under Issue (Problem Description) was generated.
    • Modify it to index on a standard property instead of a CEP, or modify the CEP so that it does not capture null values.
    A Soft Clean SIM can be performed after the above modifications have been made for Offense generation to be corrected: Admin -> Advanced -> Clean SIM model -> Soft Clean

    NOTE: Performing a Soft Clean: Closes all offenses, but does not remove them from the system.

    Issue
    It has been identified that Offense generation in QRadar can stop occurring when Offenses are being indexed on a Custom Event Property (CEP) that has a UTF 0x00 (null) value. Messages similar to the following might be visible in /var/log/qradar.log when this issue occurs:
    [ecs-ep.ecs-ep] [MPC/CleanupAndPersistence[1]]
    com.q1labs.sem.magi.contrib.ModelPersister: [INFO]
    [-/- -]Saving TX 0000035761 0.02MB
    [ecs-ep.ecs-ep] [MPC/CleanupAndPersistence[1]]
    com.q1labs.sem.magi.contrib.ModelPersister: [INFO]
    [-/- -]Harvested 34 commands in 0:00:00.174
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000035761]
    com.q1labs.sem.magi.contrib.ModelPersister: [INFO]
    [-/- -]Processing TX 0000035761 (1/1) 0.02MB
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000035761]
    com.q1labs.sem.magi.contrib.ModelPersister: [WARN]
    [-/- -]Exception encounted when executing transaction 35761.
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000035761]
    com.q1labs.sem.magi.contrib.PersistenceException: Failed to
    persist sem model
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000035761] Caused by:
    [ecs-ep.ecs-ep] [MPC/PersisterThread@0000035761]
    org.postgresql.util.PSQLException: ERROR: invalid byte sequence
    for encoding "UTF8": 0x00
    20 March 2019
    QUICK FILTER / QVM IJ13234 QUICK SEARCH MENU BAR IN QRADAR VULNERABILITY MANAGEMENT (QVM) WINDOW DOES NOT EXIST FOR QRADAR LDAP USERS CLOSED Resolved in
    QRadar 7.4.2 (7.4.2.20201113144954)

    Workaround
    Use a QRadar created user instead of an LDAP one. Optionally, administrators can install QRadar 7.4.2 as this upgrade resolves this software issue. If you are unable to upgrade, you can contact support for a possible workaround that might address this issue in some instances.

    Issue
    It has been identified that the Quick Search menu does not exist in the Vulnerability Management windows of the QRadar user interface for users created from LDAP authentication.
    26 November 2020
    UPGRADE / HIGH A