QRadar
QRadar 7.5.0 Update Package 14
- Support for Tiered Storage
- A new approach to managing QRadar (Ariel) data improves search performance and cost of ownership. It includes:
- Hot and Warm Tiers - Newly ingested data is stored in the Hot tier for fast access and is automatically migrated to the Warm tier as it ages, based on a defined data migration policy.
- Improved Performance and Efficiency - By keeping recent data readily accessible and moving older data to more cost-effective storage, Tiered Storage helps to balance search speed, cost, and deployment footprint.
- Improved performance in the pipelines (Parsing, CRE) to reduce routing to storage
- QRadar now makes routing-to-storage decisions in the data processing pipeline by accounting for the processing utilization of the Parsing and CRE thread pools. This enhancement significantly reduces false-positive routing to storage and strengthens the security posture by minimizing unparsed and uncorrelated events.
- Improved event or flow burst handling capability on services startup
- The QRadar data processing pipeline services now allocate process memory on startup, improving performance and stability of those real-time processes. This improves handling of event spikes after services startup.
- Performance tuning for Pipeline Scheduling
- The Ariel Database Writer performance is improved in additional configurations, improving the event and flow writing speed and the performance of the data processing pipeline. The original work that was introduced in QRadar UP11 applied only to the 1629, 1648, 1729, and 1748 appliance types when using the appliance installation. QRadar UP14 expands the scope of the improvements to include all 31xx, 16xx, 17xx, 18xx, and 14xx hosts with at least 32 CPUs.
- LVM Phase 2
- This release introduces enhancements that are focused on improving the management of Logical Volume Management (LVM) on appliance-installed systems. The key area of improvement is enabling LVM expansion for appliance installations.
- Enhanced visibility and user experience for Custom AQL Queries in Managed Search Results
- In previous QRadar versions, custom AQL searches on the Managed Search Results screen were labeled generically as "Custom AQL Query", with no visibility into the actual query logic until the user clicked into the search. This enhancement improves usability by:
- Replacing the generic name, "Custom AQL Query", with the actual AQL query string for custom AQL searches
- Displaying the full AQL query in a tooltip on hover
- Adding a Copy to Clipboard button for quick reuse.
- Managed Search Results enhancements
- The Managed Search Results screen now includes visual indicators for searches that might be slow or expensive and might degrade system efficiency. It includes:
- Non-Indexed Fields - Searches that do not use indexed fields are flagged to highlight potential performance bottlenecks.
- Pattern matching usage without extra filters - Searches that use the "payload contains" or "payload matches" operations without additional filters are flagged because of their inefficiency and potentially high resource consumption.
- Version history for rules
- This enhancement gives you the flexibility to revert changes to any previous version of a rule, not just the original, to manage updates and recover from mistakes. You can now see who made changes, what was changed, and when, giving your team full visibility into rule modifications. Authors can add a note that explains the reason for each change, helping everyone stay aligned and informed. These updates are automatically tracked and displayed, so you don't need to modify your existing notes. This release brings greater transparency, accountability, and control to how your rules change over time.
- Offense enhancements
- You can now set magnitude thresholds when you create rule tests. This enhancement helps you prioritize offenses based on their criticality to focus on the most important threats and respond faster.
- Enhanced offense tracking
- This update tracks only the most recent time that an offense was assigned to a user along with the assignment timestamp.
- QRadar (QFlow) - Autonomous System Number (ASN) information
- QFlow now automatically enriches network flows with Autonomous System Number (ASN) information. The ASN field is now populated, increasing an analyst's ability to determine the origin of IP traffic. QRadar now automatically performs ASN lookups, providing valuable context such as the network or ISP associated with each IP address. The feature provides the following advantages:
- Gain immediate visibility into the ownership and origin of IP traffic
- Quickly identify traffic from suspicious or high-risk networks
- Eliminate the need for manual ASN enrichment
- Enhance correlation rules and threat detection with enriched flow metadata
- QRadar Risk Manager (QRM) supports Check Point HTTPS integration
- QRadar Risk Manager now receives firewall rule event logs directly from Check Point Security Management Servers (SMS). This enhancement enables real-time monitoring of firewall rule event counts, helping customers manage and optimize the effectiveness of their firewall rule policies across all managed devices. The benefits are as follows:
- Identify the most and least used Check Point HTTPS firewall rules
- Detect rules that might unnecessarily block network access
- Highlight frequently triggered rules that might impact performance
- View detailed rule event data for analysis
- Schedule reports to improve policy management and visibility
QRadar 7.5.0 Update Package 13
- Console-Only Failover support - Support for App Host on both the primary and DR sites
- Improved primary site failover handling to ensure continuity when the App Host becomes unavailable during a failover event. The restoration process now maintains system availability without disruption.
- Optimized backup validation response time during Disaster Recovery (DR) site activation, especially in large environments with more than 1000 backups at the primary site, reducing delays and improving recovery efficiency.
- Infographic-based visualization in Offense tab
- Introduced infographic-based visual summaries in the QRadar Offense tab, enhancing situational awareness through:
- Timeline views of offenses to monitor activity trends.
- Magnitude-based ranking to prioritize offenses effectively.
- Host-based categorization to quickly identify targeted assets.
- Infographic-based visual insights enable analysts to investigate and respond to threats more efficiently.
- Enhanced Admin tab with Unified Interfaces
- Consistent and streamlined user experience across:
- Store and Forward
- Domain Management
- Centralized Credentials
- Resource Restrictions
- This enhancement simplifies system configuration and management through a consistent interface design.
- Console-Only Apps Failover
- Enabled seamless application continuity when apps are hosted on the App Host and the DC Console is unavailable. This enhancement ensures that critical application services remain available during console-specific failover scenarios.
- Custom properties
- Ability to use multiple capture groups and literals in regex custom properties. Multiple capture groups for custom properties give customers the ability to use format strings and literal characters when defining a property, which allows you to extract non-contiguous strings from the payload.
- QRadar Host Monitoring via SNMPwalk
- Enabled SNMPv3 and created UI to support SNMP polling (snmpwalk) of QRadar appliances. SNMPv3 is a secure protocol and is now supported for QRadar host monitoring to comply with modern security standards and IBM’s “Secure by Design” and “Secure by Default” paradigms.
- Enhanced Partial Search Results Visibility for Running Searches
- The number of partial search results visible during active queries in Log Activity and Network Activity has been increased from 40 to up to 1000 entries. This enhancement provides greater visibility into long-running searches, enabling users to explore more data in real-time and identify potential filters to refine results while the query is still executing.
- Disaster Recovery and Data Centre backup and restore processes
- Improved efficiency and reliability
- Improved event parsing and mapping in F5 Networks, BIG-IP APM, VMware vCenter, Linux OS, McAfee ePolicy Orchestrator, and TLS Syslog
- Improved auto-population of Event ID and Event Category fields in the “Create a New Event Mapping” dialog
- Improved “Suggest Regex” feature for users with System Administrator capabilities
- ERSPAN Traffic Support
- QRadar can now collect ERSPAN (Encapsulated Remote Switched Port Analyzer) traffic, which means it can see mirrored network data directly. This helps with:
- Seamless Visibility into Remote and Virtual Environments
- ERSPAN enables QRadar to receive mirrored traffic from remote or virtual network segments over IP, providing deep visibility into environments where physical sensors are impractical. This allows customers to monitor hybrid and cloud infrastructures more effectively, ensuring consistent traffic analysis across the entire network.
- Reduced Deployment Complexity and Cost
- By leveraging ERSPAN, customers can eliminate the need for dedicated packet capture appliances at every location. Network devices can send traffic directly to QRadar, simplifying the architecture and significantly lowering deployment and maintenance costs while speeding up time-to-value.
- Improved Threat Detection and Network Forensics
- With ERSPAN traffic support, QRadar can perform detailed packet inspection and enrich flow records, enabling detection of threats that may bypass traditional flow analysis. This enhances customers' ability to identify APTs and policy violations, thereby strengthening security posture.
- Improved MAC Address Visibility in QRadar for Smarter Threat Detection
- QRadar now reads MAC addresses in key flow types like QFlow, sFlow, and Packeteer. This helps with:
- Enhanced Asset Identification and Correlation
- Improved Network Forensics and Lateral Movement Detection
- Verifiable device identity
- Enhanced Asset APIs:
- a) DELETE API. The Delete Assets API is a fundamental feature that has been missing from QRadar for a long time. With this API, customers can integrate their environments (e.g., CMDB) to remove outdated assets and maintain synchronized data with the QRadar environment. Whenever applications need to interact with the asset model, APIs are the only available method. Therefore, this API has strong potential to be utilized by applications in the future.
- b) Extended GET API. Product information is required for assets so that any consumer can identify the type of asset based on the data. UEBA will be a potential consumer of this extended API, using the product details to enrich the context of monitored entities. This provides analysts with a clearer view, helping them identify which operating system is associated with a specific entity.
- Upgraded the Analyst Workflow Out-of-the-Box (OOTB) application version
- The Analyst Workflow application version is upgraded to v3.0.0. QRadar releases now contain the latest version of the Analyst Workflow application out of the box.
QRadar 7.5.0 Update Package 12
- Upgraded Red Hat Operating System from 8.8 to 8.10
- Red Hat Enterprise Linux is upgraded to version 8.10. For more information, see Red Hat Enterprise Linux 8.10.
- Search Performance Improvement in Multi-Tenant Deployments with Reference Set Filters
- Search performance is increased by up to 100 times or more in QRadar deployments with multi-tenancy, where Reference Set filters are used in search.
- Enhanced Search Progress Visualization
- The search visualization on the Log and Network Activity screen has been improved by replacing the previous circling animation with a dynamic progress bar. This update includes an estimated time to completion, calculated based on elapsed time and remaining percentage, providing users with a clearer view of the search process.
- Add Creation Date to the offense summary page and the offense search page
- In previous versions of QRadar, the offense summary page would show the offense start date, which is tied to the first event related to the offense. We have also added the creation date, which indicates when the offense was created, typically after the start time.
- Enhanced Log Search by Event Collector Name
- Searching logs by event collector is now simplified by allowing the use of the Event Collector field and the previous Event Collector ID. This update offers a more intuitive search experience with an auto-populated dropdown of compatible values and operators, aligning with the search functionality used for other host criteria like Event Processor.
- Improved Scattering with Absolute Space Thresholds on larger Data Nodes
- Scattering has been improved to use absolute space thresholds, optimizing space utilization on larger Data Nodes. This change ensures more efficient space management by comparing available free space with calculated thresholds, allowing for better handling of storage capacity without risk of shutdown.
- The package DSM DSM-JuniperJunOS-7.5-20240628064229.noarch has been added
- To enhance the customer experience, this package should be pre-installed to ensure log parsing works seamlessly for Juniper customers, especially those in air-gapped environments where automatic updates are not available.
- Updated Protocols: Common, UniversalCloudRESTAPI, TLSSyslog, BoxRESTAPI, and CertificateUtilsCommon
- These protocols have been enhanced to ensure compatibility with Java 11 by implementing the necessary updates to meet Java 11 compliance requirements.
- Updated Default AutoUpdate Version to 9.21
- The enhanced AutoUpdate version 9.21 is now set as the default to provide support for Java 11 and PostgreSQL 16.
- Released New DSM for Storage Protect
- IBM Storage Protect
- Released New DSM for Azure Monitor Agent(AMA) for Linux
- Microsoft
- Released New Palo Alto Firewall PAN-OS Support
- Parsing capabilities have been extended to support PAN-OS version 11.0, including DNS Security, FILE, Tunnel, and URL logs.
- Protocol Cisco Duo Pagination Enhancement
- Resolved an issue in the CiscoDuo Protocol where events were missed between two recurrences when the response contained more events than the limit defined by Cisco. This update implements pagination to ensure all events between recurrences are processed.
- Protocol Salesforce Enhancement
- Enhanced the Salesforce REST API Protocol to optimize user API calls to the Salesforce account. This update ensures that both active and inactive accounts are retrieved. Administrators with automatic updates disabled need to manually install the Salesforce REST API Protocol RPM on the Console to enable this feature.
- Protocol IBM Security QRadar EDR Enhancement
- Enhanced the IBM Security QRadar EDR REST API Protocol to retrieve more detailed alert information by calling the events endpoint.
QRadar 7.5.0 Update Package 11
- Upgraded Red Hat Operating System from 8.8 to 8.10
- Red Hat Enterprise Linux is upgraded to version 8.10. For more information, see Red Hat Enterprise Linux 8.10.
- Default dashboard in QRadar is set to the Analyst Workflow App
- In QRadar 7.5.0 Update Package 11, the default dashboard in QRadar is set to the Analyst Workflow App (AWF). You can toggle between the AWF dashboard and legacy dashboards as needed. If AWF is not installed during the upgrade process or you uninstall it, the default dashboard reverts to the legacy dashboard.
- Improved JSON performance for offline forwarding of flows
- The Flow Rate (FPS) is increased for offline forwarding with JSON type to improve performance.
- Added support to create an asset by using the asset_model Rest API interface
- You can now create an asset by using the /api/asset_model REST API interface.
- Added support to create a new log source group and log source type in the Log Source Management App
- You can now create log source groups directly in the Log Source Management App. You can also create a new log source type by using the DSM Editor button that is available on the Single Log Source and Multiple Log Source creation pages.
- Improved the installation process of OOTB apps
- Upgraded Apache Struts to the latest 6.x version
- Apache Struts is upgraded to the latest 6.x version. This update improves support and response time for related security fixes and enhances compatibility with newer versions of Java.
- Added an offense API endpoint for OCSF
- You can now view the offense API output in the OCSF (Open Cybersecurity Schema Framework) format by using the new endpoint under siem/offense_ocsf.
QRadar 7.5.0 Update Package 10
- Light and dark mode UI theme in IBM QRadar
- In QRadar 7.5.0 Update Package 10, you can change the IBM QRadar user-interface (UI) theme to your preferred light or dark mode. To change the UI theme, go to the Theme drop down in the User Preferences page of your user profile, and select the Light or Dark option.
- Parallel patching
- After you upgrade the QRadar Console, you can upgrade all other managed hosts in parallel. A new reporting service is introduced to capture and display the status of managed hosts on the Console. Important:
- If a high number of managed hosts are attached to the deployment before a Console HA is removed, parallel patching for the detached or removed Console HA can increase the upgrade time. Use the legacy upgrade process to upgrade a detached or removed Console HA.
- If a managed host fails to upgrade and the Exit parallel patching option is selected, a console reboot occurs. To continue the upgrade, complete the following steps:
- Remount the SFS file and select Parallel patching.
- Select Check patching status, and then select Parallel patching to start the upgrade.
- WinCollectHealthCheck.sh support script
- To use managed WinCollect after you upgrade to QRadar 7.5.0 Update Package 10, complete the following steps to configure the iptables rules by using the updated WinCollectHealthCheck.sh support script.
- Upgrade to QRadar 7.5.0 Update Package 10.
- Apply Auto Updates to pull the latest support tools.
- Run the following script:
/opt/qradar/support/WinCollectHealthCheck.sh
- Verify that the iptables rules are successfully configured.
If an issue occurs when the iptables rules are configured, an error message with a manual workaround is displayed.
- Disabled 24 Java ciphers
- The following Java ciphers are disabled in QRadar 7.5.0 Update Package 10. If the disabled ciphers cause issues with customer deployments, you can add or remove ciphers from the configuration file:
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, DH keySize < 1024, DESede, 3DES_EDE_CBC, anon, NULL, DES_CBC, SHA1, DHE, SSL_RSA_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_AES_256_CBC_SHA256, EC keySize < 224, include jdk.disabled.namedCurves
- Performance enhancements for event and flow searches
- Improved event and flow search stability and performance for large deployments, high query concurrency, and complex data sets by managing memory more effectively.
- Event and flow searches that interact with IPv6 addresses are up to 200 times faster.
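To see which TLS cipher suites the jdk.tls.disabledAlgorithms value listed under "Disabled 24 Java ciphers" above actually removes, here is an added Python check; it is not QRadar's or the JDK's code. It parses the property into plain names, keySize constraints and include directives, then matches suite names against it with a simplified model of the JDK's algorithm decomposition (the decomposition rules and the sample suites are assumptions of this example).

```python
import re

# jdk.tls.disabledAlgorithms value as listed in the UP10 release notes above
DISABLED_ALGORITHMS = (
    "SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, DH keySize < 1024, DESede, "
    "3DES_EDE_CBC, anon, NULL, DES_CBC, SHA1, DHE, "
    "SSL_RSA_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_AES_256_GCM_SHA384, "
    "TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA, "
    "TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA, "
    "SSL_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_AES_256_CBC_SHA256, "
    "EC keySize < 224, include jdk.disabled.namedCurves"
)

_KEYSIZE = re.compile(r"(\S+)\s+keySize\s*(<=|>=|==|!=|<|>)\s*(\d+)")


def parse_disabled_algorithms(value):
    """Split the property into plain names, keySize constraints and includes.

    Plain names are upper-cased so matching is case-insensitive. Entries such
    as 'DH keySize < 1024' restrict key sizes rather than names, so they are
    kept separately and are not used for suite-name matching.
    """
    names, constraints, includes = set(), {}, []
    for entry in (e.strip() for e in value.split(",")):
        if not entry:
            continue
        if entry.startswith("include "):
            includes.append(entry.split(None, 1)[1])
            continue
        m = _KEYSIZE.fullmatch(entry)
        if m:
            constraints[m.group(1).upper()] = (m.group(2), int(m.group(3)))
        else:
            names.add(entry.upper())
    return names, constraints, includes


def decompose_suite(suite):
    """Names a suite is compared against: a simplified model (an assumption of
    this example, not the JDK's own decomposer) covering the TLS_/SSL_ alias,
    key-exchange tokens, the bulk cipher and its family, and the MAC."""
    body = re.sub(r"^(TLS|SSL)_", "", suite.upper())
    parts = {"TLS_" + body, "SSL_" + body}
    if "_WITH_" in body:
        kx, bulk = body.split("_WITH_", 1)
        parts.add(kx)
        parts.update(kx.split("_"))      # DHE, ECDHE, RSA, ECDSA, ANON, ...
    else:                                # TLS 1.3 style: TLS_AES_128_GCM_SHA256
        bulk = body
    cipher, _, mac = bulk.rpartition("_")
    parts.update({cipher, cipher.split("_")[0]})   # e.g. AES_128_CBC and AES
    if cipher.startswith("3DES"):
        parts.update({"DESEDE", "3DES_EDE_CBC"})
    if mac == "SHA":                     # _SHA suites are modelled as SHA1 / HmacSHA1
        parts.update({"SHA1", "SHA-1", "HMACSHA1"})
    elif mac:
        parts.update({mac, "HMAC" + mac})
    return parts


def check_suite(suite, names):
    """Return the sorted disabled-list entries that knock out this suite."""
    return sorted(decompose_suite(suite) & names)


def protocol_disabled(protocol, names):
    """True if a protocol version such as TLSv1.1 is in the disabled list."""
    return protocol.upper() in names


def audit_suites(suites, value=DISABLED_ALGORITHMS):
    """Map each suite to the entries that disable it ([] means still enabled)."""
    names, _, _ = parse_disabled_algorithms(value)
    return {s: check_suite(s, names) for s in suites}


if __name__ == "__main__":
    # Constructed sample of suites a peer might offer; not taken from the page
    sample = [
        "TLS_RSA_WITH_AES_256_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_AES_128_GCM_SHA256",
    ]
    for suite, hits in audit_suites(sample).items():
        print(f"{suite:45} {'DISABLED by ' + ', '.join(hits) if hits else 'enabled'}")
```

Note that the plain SHA1 and DHE entries remove every HMAC-SHA1 and every DHE suite, not only the suites named explicitly in the list.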
- IPv6 capabilities for FISMA
- In QRadar 7.5.0 Update Package 10, the following new capabilities are added for the Federal Information Security Modernization Act (FISMA):
- Scanner integrations can now forward IPv6 addresses to the Asset Profiler.
- Asset profiling is supported for IPv6 host addresses, and processing of link-local addresses is optional.
- IPv6 addresses in syslog headers can now be parsed for Log Source IDs.
- Updated several DSMs and scanner integrations to improve IPv6 parsing.
- Validated Custom Rules Engine (CRE) rule tests with IPv6 address fields.
- Added support for right-click filters on IPv6 address fields.
- Network configuration is now completed for IPv6 during the installation process.
- Revalidated several applications to work in pure IPv6 networks.
- Verified remote nets and GeoData to work with IPv6 content.
- Improved search performance on IPv6 address fields.
QRadar 7.5.0 Update Package 9
- IBM QRadar Console-only DR by using Data Synchronization App
- In QRadar 7.5.0 Update Package 9, the Console-only disaster recovery (DR) feature is added. Console-only DR implementation is useful for customers in the following scenarios:
- An actual disaster recovery where the console is not available but the other deployment hosts are still running.
- A disaster recovery exercise where the main site is still available during the disaster recovery process.
You can switch deployment control from the main site console to the destination site console (failover), which activates your destination site. Later, you can switch deployment control back to the main site from the destination site (failback), which reactivates your main site. The QRadar Console-only DR feature is supported in IBM QRadar Data Synchronization 3.2.0 and later.
- IBM QRadar updated to dark theme
- The IBM QRadar user interface (UI) is updated to a dark theme. The light mode option is no longer available. This update does not affect the functionality of the product.
- CIDR data type for reference data
- Added a data type for reference data called CIDR (Classless Inter-Domain Routing). The CIDR data type supports both IPv4 and IPv6 addresses.
- Monitor-only mode in RegexMonitor
- RegexMonitor now supports an optional Monitor-only mode that can notify you about expensive artifacts that are detected during parsing without disabling them automatically.
- Performance enhancements
- Search performance is up to 2 times higher on Data Nodes in certain scenarios.
- Quick Filter index generation is now faster on Data Nodes, and allows timely indexing of larger data volumes.
- The JSON encoded offline forwarding speed is increased up to 80 times, depending on the forwarded event sizes and the custom properties used in forwarding.
QRadar 7.5.0 Update Package 8
- RHEL8 support as RHEL7 reaches end of life
- Red Hat® Enterprise Linux® 7 (RHEL) is end of life (EOL) as of June 2024. IBM QRadar 7.5.0 Update Package 8 upgrades the existing support for RHEL 7 to RHEL 8. Attention: For existing customers, significant changes are made to upgrade to RHEL 8. Read the following topics before you begin your upgrade.
- Minimum permitted app base image stream
- In QRadar 7.5.0 Update Package 8, you can disable older base image streams that might have security vulnerabilities by using the new Minimum Permitted App Base Image Stream system setting on the Admin tab.
- SSH extraction enhancements
- In QRadar 7.5.0 Update Package 8, QRadar Network Insights introduces enhanced extraction for the SSH protocol. This functionality includes the extraction of several new fields around the SSH connection establishment and also the "Hassh" fingerprints of those connections.
- Tunnelling enhancements
- QRadar Network Insights introduces enhanced protocol support for GRE and ERSPAN network traffic and new common features for all tunneled network traffic (including the existing VXLAN support).
- Leapp pretest added for RHEL8 migration
- Run a Leapp pretest on your console or managed host before you upgrade from Red Hat Enterprise Linux V7.9 to Red Hat Enterprise Linux V8.8 to reduce the risk of failure.
If the Leapp pretest fails on your deployment, the upgrade is blocked. To run the Leapp pretest before you run the upgrade installer, use the following command:
/media/updates/installer --leapp-only
- Read-only configuration
- In QRadar 7.5.0 Update Package 8, Read-only Configuration permission on the User Role Management window grants permission to view other users without the ability to create or edit them.
- New WinCollect update package for QRadar
- WinCollect 7.3.1 P3 supports QRadar 7.5.0 Update Package 8 or later. If your QRadar system is upgraded to UP8 or later but is running WC 7.3.1 P1 or earlier, upgrade to WinCollect 7.3.1 P3 so that the agents work properly. For more information, see release note 7029393 and technote 6953887.
QRadar 7.5.0 Update Package 7
- Read-only configuration
- In QRadar 7.5.0 Update Package 7, the new Read-only Configuration permission on the User Role Management window grants users permission to view, but not create or edit, log sources or offenses.
QRadar 7.5.0 Update Package 3
- LDAP server synchronization changes
- When you upgrade to QRadar 7.5.0 Update Package 3 or later and you run LDAP synchronization, if the system finds a user that is no longer in the LDAP server and is not set to Local Fallback or Local Only, that user is disabled in QRadar. If the user is set to Local Fallback or Local Only, the user is not disabled but is flagged on the User Management page. A system notification is sent to inform the administrator of the change to the user account.
QRadar 7.5.0 Update Package 2
- Local only authentication
- When you upgrade to QRadar 7.5.0 Update Package 2 or later, the Manage Local Only Authentication role is added to manage the Local Only authentication for users. Local Only authentication is a setting that is used when external authentication is enabled on IBM QRadar. Setting Local Only authentication to true for a user makes sure that the user authenticates to QRadar locally rather than through external authentication. Local Only authentication prevents unintended access to QRadar from the accounts that are configured in the external authentication repository.
- Secure boot
- In QRadar 7.5.0 Update Package 2, you can use secure boot to make sure that only trusted kernels and kernel modules are loaded when you start QRadar. The firmware makes sure that the kernel and kernel modules are signed and a valid key is stored in the system keyring before control is passed to the kernel. QRadar 7.5.0 Update Package 2 and any current EFI systems that are upgraded to 7.5.0 Update Package 2 can turn on secure boot when the IBM public key is imported into the system keyring.
QRadar 7.5.0
- Offense rule tests
- In QRadar 7.5.0, there are two new offense rule tests: when an offense is closed and when an offense is modified. A modified offense rule test is applied when any offense property is changed based on the events that are associated with that offense. Modified rule tests allow for better configuration of how and when rules are implemented. A closed offense rule test is applied when the offense is closed.
- More secure operating system
- QRadar 7.5.0 runs on Red Hat Enterprise Linux version 7.9. The upgrade to RHEL V7.9 is necessary to continue receiving security updates from Red Hat Enterprise Linux.
- OFFENSE_TIME function
- In QRadar 7.5.0, use the new OFFENSE_TIME function to increase the speed of your offense queries. The OFFENSE_TIME function limits the query to the times during which an offense might be active.
For example, to query the events of an offense within its time range, use the OFFENSE_TIME function together with the INOFFENSE function to limit the query to the times that the offense might have occurred:
SELECT * FROM events WHERE INOFFENSE(1) OFFENSE_TIME(1)
- DISTINCTCOUNT function
- In QRadar 7.5.0, use the new DISTINCTCOUNT function to return the unique count of the values in an aggregate. The DISTINCTCOUNT function uses the HyperLogLog+ approximation algorithm to calculate the unique count and operates with a constant memory requirement. The function supports unlimited data sets. For example:
SELECT username, DISTINCTCOUNT(sourceip) AS CountSrcIP FROM events GROUP BY username
- Encryption of managed hosts is enabled by default
- To provide secure data transfer between each of the appliances in your environment, IBM QRadar integrates encryption support that uses OpenSSH. In QRadar 7.5.0, encryption between managed hosts is enabled by default when you add a managed host. Previously, you manually enabled encryption when you added a managed host.