QRadar Software 101

• IJ46184: QFlow collectors and processors in different domains can experience connection issues
• IJ47032: Unknown or stored events can route incorrectly to the SIM generic log source in QRadar 7.5.0 UP4 and later
• IJ43957: Poor scalability in referencedata cache resulting in degrading search performance when using filters and tests

• Upgrade: Upgrades to QRadar 7.5.0 UP6 might take an extended amount of time to complete due to glusterfs file cleanup. You must allow the upgrade to continue uninterrupted.
• WinCollect: WinCollect 7.x managed agents must upgrade to WinCollect 7.3.1-28 to resolve APAR IJ45285 where new agents or configuration changes cannot be applied without the new version.
• Auto update: Use UpdateConfs.pl -v to confirm your auto update version after you upgrade as it is possible to revert to a previous AU version and experience errors when attmpting to update.
• Apps: Before you upgrade, confirm your ftype configuration for Docker services.
• Apps might go down during the base image update.
• When adding a Data Node to a cluster, they must either all be encrypted, or all be unencrypted. You cannot add both encrypted and unencrypted Data Nodes to the same cluster.
• If you are planning to upgrade from any version of QRadar 7.4.2 Fix Pack 2 through to QRadar 7.4.3 Fix Pack 2, contact support. For more information, see IJ44385.

• IJ47468: Advanced searches (AQL) that use the “IN” operator do not use indexes as expected.
• IJ45926: Anomaly rule enabling “Test the [this accumulated property] value of each log source separately” displays application error.
• IJ45829: Rule wizard cannot transition to the next page properly when rule response updates a reference table.
• IJ47587: ADE rule “Test Separately” checkbox setting not preserved when reopening the rule.

• Upgrade: Upgrades to QRadar 7.5.0 UP5 might take an extended amount of time to complete due to glusterfs file cleanup. You must allow the upgrade to continue uninterrupted.
• WinCollect: WinCollect 7.x managed agents must upgrade to WinCollect 7.3.1-28 to resolve APAR IJ45285 where new agents or configuration changes cannot be applied without the new version.
• Auto update: Use UpdateConfs.pl -v to confirm your auto update version after you upgrade as it is possible to revert to a previous AU version and experience errors when attmpting to update.
• Apps: Before you upgrade, confirm your ftype configuration for Docker services.
• Apps might go down during the base image update.
• When adding a Data Node to a cluster, they must either all be encrypted, or all be unencrypted. You cannot add both encrypted and unencrypted Data Nodes to the same cluster.
• If you are planning to upgrade from any version of QRadar 7.4.2 Fix Pack 2 through to QRadar 7.4.3 Fix Pack 2, contact support. For more information, see IJ44385.

• IJ47049: Risks tab might not load after an upgrade to QRadar 7.5.0 Update Package 6.

• WinCollect: WinCollect 7.x managed agents must upgrade to WinCollect 7.3.1-28 to resolve APAR IJ45285 where new agents or configuration changes cannot be applied without the new version.
• Auto update: Use UpdateConfs.pl -v to confirm your auto update version after you upgrade as it is possible to revert to a previous AU version and experience errors when attmpting to update.
• Apps: Before you upgrade, confirm your ftype configuration for Docker services.
• Apps might go down during the base image update.
• When adding a Data Node to a cluster, they must either all be encrypted, or all be unencrypted. You cannot add both encrypted and unencrypted Data Nodes to the same cluster.
• If you are planning to upgrade from any version of QRadar 7.4.2 Fix Pack 2 through to QRadar 7.4.3 Fix Pack 2, contact support. For more information, see IJ44385.

Other notices
• Precheck added for postgresql 11 migration.
• Fixing browser certificate warnings. In QRadar 7.5.0 Update Package 5, vault has been replaced by QRadar Certificate Authority (CA) and intermediate CA.
• Upgrading SOAR app might be required.
• You can now add QNI hosts to the Data Synchronization app.

• IJ29153: The /var/log partition can fill up due to the tomcat2.log file not being rotated.
• IJ30091: Editing a managed host in a NAT group generates message “IP for host already exists in deployment”.
• IJ30703: Removing a failed QRadar app upgrade by using extensions management also removes the existing running installation.
• IJ31092: QRadar patching can fail due to a free space check that fails.
• IJ33166: Aggregated searches are showing the wrong flag for some IP addresses.
• IJ34647: Upgrading to QRadar 7.4.3 results in a list of deprecated custom event properties being displayed.
• IJ35016: Overridden identity properties can fail to display as expected in the log activity tab.
• IJ35774: Out of memory for decapper on QRadar Network Insights host can occur in advanced inspection level.
• IJ39771: Scheduled reports can run on raw data causing them to fail or take longer than expected to complete.
• IJ39814: Postgresql uninstalled after hostservices restarts on standby high availability managed host.
• IJ40522: Anomaly issues in 7.5.0 UP2 prevent rules wizard from launching and effects offense creation.
• IJ41830: Truncated NVA configuration file can cause failures on deployed managed hosts.
• IJ42465: Applications can time out or fail to load due to conman-mks secret encryption performance.
• IJ43771: Offense emails might not send when custom properties in the agent-config.xml template use curly quotations.
• IJ43779: High availability setup can fail when primary and secondary IP addresses are too similar.
• IJ44076: After upgrading to 7.5.0, known_hosts keys can be removed unexpectedly causing SSH errors.
• IJ44383: A user custom event property (CEP) can incorrectly display the owner as admin in the user interface.
• IJ44384: Copying a custom property can incorrectly assign the original CEP owner (admin) to a new user.
• IJ44435: QRoC SAASADMIN role unable to list all users associated with an asset.
• IJ44580: QRadar apps fail to start or stop after editing an app host setting to disable encryption.
• IJ44597: Application-related issues might occur due to docker keystore error.
• IJ44637: Domain permission checks can impact performance in the CRE and might send events to store.
• IJ44654: “Exception reading CRE rules” error in rules used in cause and effect tests due to NullPointerException.
• IJ44655: Last 30 days in saved search AQL query is searching for information for 5 years.
• IJ44661: QRadar namevaluepairparser can experience errors when the last value contains pair separator.
• IJ44726: “Top category type” dashboard can cause performance issues, leading to Tomcat (UI) instability.
• IJ45127: Radius authentication fails in 7.5.0 UP4 due to invalid attributes in configuration file.
• IJ45153: QNI suspect content descriptions for cert flows can be “certificate invalid” if message header timestamp is invalid.
• IJ45353: Console configuration changes in deployment actions can cause global rule issues.
• IJ45383: Rule wizard interface refreshes unexpectedly when there is a valid QVM license but no assigned QVM component.
• IJ45452: Daily reports run out of schedule and can ignore the wizards settings.
• IJ45552: Inconsistent JSON custom property parsing for optimized payloads with double backslash characters.
• IJ45660: Rule changes from the console might be rejected by the managed host when IMQ message queue is full.
• IJ45736: QRadar unparsed logs incorrectly go to the consoles SIM generic log source.
• IJ45778: Optimized JSON custom event properties with backslashes parse as N/A in the user interface.
• IJ45878: QRadar upgrades to 7.5.0 Update Package 5 can take an extended amount of time to complete.
• IJ45913: Custom event property definition window displays empty “field type” when creating new CEP.
• IJ46246: File names from SMTP email traffic attachments are not reported in QNI 7.5.0.
• IJ46357: Geographic data rules cause search and event pipeline issues when the location cache exceeds the spillover threshold.
• IJ46418: Tuning changes can slow ecs-ec components resulting in delays and events routing to storage.
• IJ46619: Enabled geographic data indexes can cause performance issues in QRadar 7.5.0 UP5.

• CVE-2020-35491, CVE-2018-7489, CVE-2020-35490, CVE-2020-36518, CVE-2020-11971, CVE-2020-13955, CVE-2022-39135.
• CVE-2023-26276.
• CVE-2023-26273.
• CVE-2023-26274.
• CVE-2022-34352.

• Upgrade: QRadar Risk Manager Risks tab might not load after an upgrade to QRadar 7.5.0 Update Package 6.
• Upgrade: Upgrades to QRadar 7.5.0 UP6 might take longer to complete due to glusterfs file cleanup
• WinCollect: WinCollect 7.x managed agents must upgrade to WinCollect 7.3.1-28 to resolve APAR IJ45285 where new agents or configuration changes cannot be applied without the new version.
• Auto update: Use UpdateConfs.pl -v to confirm your auto update version after you upgrade as it is possible to revert to a previous AU version and experience errors when attmpting to update.
• Apps: Before you upgrade, confirm your ftype configuration for Docker services.
• Apps : Apps might go down during the base image update.
• Data Nodes: When adding a Data Node to a cluster, they must either all be encrypted, or all be unencrypted. You cannot add both encrypted and unencrypted Data Nodes to the same cluster.
• Upgrade: If you are planning to upgrade from any version of QRadar 7.4.2 Fix Pack 2 through to QRadar 7.4.3 Fix Pack 2, contact support. For more information, see IJ44385.

• IJ45736: QRadar unparsed logs incorrectly go to the consoles SIM generic log source.
• IJ46357: Geographic data rules cause search and event pipeline issues when the location cache exceeds the spillover threshold.
• IJ46418: Tuning changes can slow ecs-ec components resulting in delays and events routing to storage.
• IJ46619: Enabled geographic data indexes can cause performance issues in QRadar 7.5.0 UP5

• Upgrade: Upgrades to QRadar 7.5.0 UP5 might take an extended amount of time to complete due to glusterfs file cleanup. You must allow the upgrade to continue uninterrupted.
• WinCollect: WinCollect 7.x managed agents must upgrade to WinCollect 7.3.1-28 to resolve APAR IJ45285 where new agents or configuration changes cannot be applied without the new version.
• Auto update: Use UpdateConfs.pl -v to confirm your auto update version after you upgrade as it is possible to revert to a previous AU version and experience errors when attmpting to update.
• Apps: Before you upgrade, confirm your ftype configuration for Docker services.
• Apps might go down during the base image update.
• When adding a Data Node to a cluster, they must either all be encrypted, or all be unencrypted. You cannot add both encrypted and unencrypted Data Nodes to the same cluster.
• If you are planning to upgrade from any version of QRadar 7.4.2 Fix Pack 2 through to QRadar 7.4.3 Fix Pack 2, contact support. For more information, see IJ44385.

• IJ29512: High Availability (HA) restore process allows a primary to be rebuilt as a secondary 500 appliance
• IJ43705: QRadar.jsp call to licensekeymanager.arelicensesvalid() causes a delay on login for customers having multiple managed hosts
• IJ43767: Users patching from QRadar 7.3.2 or 7.4.3 to QRadar 7.5.0 might experience longer patch times than expected
• IJ44257: Reference data API source response does not reflect the requested API source value
• IJ44481: Use case manager exports fail while session was in an open transaction state
• IJ45191: Offense summary page event/flow count field does not match the event count in log activity

Note: These issues were closed in 7.5.0 Upgrade Pack 5 and backported to 7.4.3 Fix Pack 9.

• WinCollect: WinCollect 7.x managed agents must upgrade to WinCollect 7.3.1-28 to resolve APAR IJ45285 where new agents or configuration changes cannot be applied without the new version.
• Apps: A flash notice exists for this issue that impacts Docker services. Users must confirm ftype configuration before you upgrade.
• Auto updates: Verify your auto update version after you upgrade as some users reported the version can be reverted to a version prior to 9.16 (latest), leading to auto update problems.
• App Host cannot commnicate to Console when connection is firewalled.
• Apps might go down during base image.
• When adding a Data Node to a cluster, they must either all be encrypted, or all be unencrypted. You cannot add both encrypted and unencrypted Data Nodes to the same cluster.
• Kernel crash can affect UEFI systems in QRadar 7.4.2 Fix Pack 2 through to QRadar 7.4.3 Fix Pack 2. If you are planning to upgrade from any version of QRadar 7.4.2 Fix Pack 2 through to QRadar 7.4.3 Fix Pack 2, contact support or see IJ44385.

Other notices
• Precheck added for postgresql 11 migration.
• Fixing browser certificate warnings. In QRadar 7.5.0 Update Package 5, vault has been replaced by QRadar Certificate Authority (CA) and intermediate CA.
• Upgrading SOAR app might be required.
• You can now add QNI hosts to the Data Synchronization app.

• IJ44481: USE CASE MANAGER EXPORTS FAIL WHILE SESSION WAS IN AN OPEN TRANSACTION STATE
• IJ44535: APPLICATIONS MIGHT FAIL TO INSTALL BECAUSE THE APPLICATION START TIME EXCEED 500 SECONDS
• IJ45191: OFFENSE SUMMARY PAGE EVENT/FLOW COUNT FIELD DOES NOT MATCH THE EVENT COUNT IN LOG ACTIVITY

• Important: A flash notice exists for this issue that impacts Docker services. Users must confirm ftype configuration before you upgrade.
• Important: Use UpdateConfs.pl -v to confirm your auto update version after you upgrade as it is possible to revert to a previous AU version and experience errors when attmpting to update.
• App Host cannot commnicate to Console when connection is firewalled.
• Apps might go down during base image.
• When adding a Data Node to a cluster, they must either all be encrypted, or all be unencrypted. You cannot add both encrypted and unencrypted Data Nodes to the same cluster.

Known issues
• Precheck added for postgresql 11 migration.
• New certificate files to fix browser security warning.
• Upgrading SOAR app might be required.
• Adding QNI hosts to the Data Synchronization app.

• IJ41613: TIMEZONE CANNOT BE CHANGED FROM UI AND SYSTEM TIME SETTINGS UI TAB MIGHT FAIL TO LOAD
• IJ41234: DEPLOY CHANGES CAN ERROR OUT IF THE SERVER TABLE HAS A NON FULLY QUALIFIED DOMAIN NAME
• IJ29592: ‘APPLICATION ERROR’ OCCURS AFTER AN EXTENDED PERIOD OF TIME WHEN ATTEMPTING TO LOAD THE OFFENSE PAGE
• IJ29374: OFFENSE RULE USING ‘AND WHEN THE DESTINATION LIST INCLUDES ANY OF THE FOLLOWING A.B.C.D/E’ TEST WITH PUBLIC IP DOES NOT TRIGGER
• IJ39549: QRADAR RISK MANAGER: /QRM/SRM_UPDATE_1138.SQL CAN CAUSE 7.5.0 UP1 UPGRADE TO FAIL ON HOSTS WHERE REQUIRED INDEX DOESN’T EXIST
• IJ39256: BIND CREDENTIAL FOR LDAP REPOS CLEARS IF SAVED WITHOUT SUCCESSFUL CONNECTION TEST

Note: These issues were closed in 7.5.0 Upgrade Pack 4 and backported to 7.4.3 Fix Pack 8.

• IBM QRADAR SIEM INCLUDES MULTIPLE COMPONENTS WITH KNOWN VULNERABILITIES
• IBM QRADAR SIEM IS VULNERABLE TO INFORMATION EXPOSURE (CVE-2022-34351)
• IBM QRADAR SIEM IS VULNERABLE TO POSSIBLE INFORMATION DISCLOSURE (CVE-2023-22875)

• ErrorStream log messages (IJ33650)
• Kernel crash can affect UEFI systems in 7.4.2 FP2 to 7.4.3 FP2 and might require support assistance (IJ44385)

• IBM QRADAR SIEM INCLUDES MULTIPLE COMPONENTS WITH KNOWN VULNERABILITIES
• IBM QRADAR SIEM IS VULNERABLE TO INFORMATION EXPOSURE (CVE-2022-34351)

• Important: Flash Notice: After upgrading to 7.5.0 UP4, WinCollect 7.x agents can experience management or configuration change errors (IJ45284)
• Important: Flash Notice: Before upgrading users must confirm ftype configuration to prevent a potential Docker service issue.
• Important: Use UpdateConfs.pl -v to confirm your auto update version after you upgrade as it is possible to revert to a previous AU version and experience errors when attmpting to update.
• App Host cannot commnicate to Console when connection is firewalled.
• Apps might go down during base image.
• When adding a Data Node to a cluster, they must either all be encrypted, or all be unencrypted. You cannot add both encrypted and unencrypted Data Nodes to the same cluster.

Known issues
• Precheck added for postgresql 11 migration.
• New certificate files to fix browser security warning.
• Upgrading SOAR app might be required.
• Adding QNI hosts to the Data Synchronization app.

• Important: A flash notice exists for this issue that impacts Docker services as APAR IJ41796. Users must confirm ftype configuration before you upgrade.
• An upgrade precheck added for postgresql 11 migration to confirm disk space.
• New certificate files to fix browser security warning.
• Upgrading SOAR app might be required.
• Adding QNI hosts to the Data Synchronization app.

Known issues
• App Host cannot commnicate to Console when connection is firewalled.
• Apps might go down during base image.

• Important: A flash notice exists for this issue that impacts Docker services as APAR IJ41796. Users must confirm ftype configuration before you upgrade.
• An upgrade precheck added for postgresql 11 migration to confirm disk space.
• New certificate files to fix browser security warning.
• Upgrading SOAR app might be required.
• Adding QNI hosts to the Data Synchronization app.

Known issues
• App Host cannot commnicate to Console when connection is firewalled.
• Apps might go down during base image.

• Important: A flash notice exists for this issue that impacts Docker services. Users must confirm ftype configuration before you upgrade.
• Precheck added for postgresql 11 migration.
• New certificate files to fix browser security warning.
• Upgrading SOAR app might be required.
• Adding QNI hosts to the Data Synchronization app.

Known issues
• App Host cannot commnicate to Console when connection is firewalled.
• Apps might go down during base image.

• Important: A flash notice exists for this issue that impacts Docker services. Users must confirm ftype configuration before you upgrade.
• Precheck added for postgresql 11 migration.
• New certificate files to fix browser security warning.
• Upgrading SOAR app might be required.
• Adding QNI hosts to the Data Synchronization app.

Known issues
• App Host cannot commnicate to Console when connection is firewalled.
• Apps might go down during base image.

• Precheck added for postgresql 11 migration.
• New certificate files to fix browser security warning.
• Upgrading SOAR app might be required.
• Adding QNI hosts to the Data Synchronization app.

Known issues
• App Host cannot commnicate to Console when connection is firewalled.
• Apps might go down during base image.

• QRadar 7.3.3 Fix Pack 11 runs on Red Hat® Enterprise Linux® version 7.9.
• QIF deployments must upgrade to QRadar 7.3.1 or later.
• The Offenses API is updated to include two new fields: first_persisted_time & last_persisted_time.
• Active Directory module changes.

• Precheck added for postgresql 11 migration.
• New certificate files to fix browser security warning.
• Upgrading SOAR app might be required.
• Adding QNI hosts to the Data Synchronization app.

Known issues
• App Host cannot commnicate to Console when connection is firewalled.
• Apps might go down during base image.

This is a icon-only