Release Notes
Abstract
A list of the installation instructions and fixes for IBM Security QRadar 7.2.7 Patch 1 (7.2.6.20160727184601).
Content
********
IMPORTANT: An issue APAR IV87973 has been identified in QRadar 7.2.7 Patch 1. Administrators who have downloaded the 7.2.7 Patch 1 update should wait for QRadar 7.2.7 Patch 2 to ensure they do not experience this issue.
********
Before you begin
Ensure that you take the following precautions:
- Back up your data before you begin any software upgrade. For more information about backup and recovery, see the IBM Security QRadar Administration Guide.
- To avoid access errors in your log file, close all open QRadar sessions.
- DO NOT attempt to upgrade an appliance to a different version than the QRadar Console. All appliances in the deployment must be at the same software revision to patch the entire deployment. The fix pack for QRadar cannot be installed on a managed host that is at a different software version from the Console.
- Verify that all changes are deployed on your appliances. The patch cannot install on appliances that have changes that are not deployed.
About this patch
In 7.2.6 we introduced a new indexing method within our Ariel database. This new indexing method increased search performance by creating hourly indices, but with this technological improvement a bug was introduced for certain types of indices.
An issue has been identified as APAR IV87029. Any index whose values can be null (N/A) can experience this issue; most notably this affects Username (enabled by default) and any Custom Event/Flow Property that is not parsed on every event. When data comes into the system with null properties interleaved with populated properties, it is possible that the index created is incomplete. Not all index files will exhibit this behavior, as not all properties can be null (N/A).
For example:
On Friday, July 16 at 13:01, 143 events came through the QRadar pipeline and the Username field of every event was parsed correctly. At 13:02, 121 events came through the QRadar pipeline, 13 of which did not contain a Username (null). This pattern continues for an hour. When Ariel performs its index rollup and creation process, it is likely that the resulting index is corrupt. A search over this time period that uses the “Username” field as a filter will not return results that should have matched for this interval.
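An added toy model (not QRadar code) of the symptom described above and of the kind of check the post-patch validation performs: a correct hourly rollup, a hypothetical, deliberately simplified `flawed_rollup` that stands in for the defect, and `validate_index`, which compares index lookups against a full scan and reports the events a filtered search would silently miss. Event records, user names and ids are constructed to match the 13:01/13:02 scenario.

```python
from collections import defaultdict
from typing import Dict, List

Event = Dict[str, object]

def make_minute(minute: int, count: int, nulls: int, base_id: int) -> List[Event]:
    """Constructed sample events; the first `nulls` events have no Username (N/A)."""
    return [{"id": base_id + i, "minute": minute,
             "Username": None if i < nulls else f"user{i % 5}"}
            for i in range(count)]

# Constructed to match the scenario in the notes: 143 fully parsed events at
# 13:01, then 121 events at 13:02 of which 13 carry a null Username.
SAMPLE_EVENTS = make_minute(1, 143, 0, 1000) + make_minute(2, 121, 13, 2000)

def full_scan(events: List[Event], username: str) -> List[int]:
    """Ground truth: read every record instead of trusting the index."""
    return sorted(e["id"] for e in events if e["Username"] == username)

def build_hourly_index(events: List[Event]) -> Dict[str, List[int]]:
    """Correct rollup: every non-null Username is indexed, null values are skipped."""
    index: Dict[str, List[int]] = defaultdict(list)
    for e in events:
        if e["Username"] is not None:
            index[e["Username"]].append(e["id"])
    return index

def flawed_rollup(events: List[Event]) -> Dict[str, List[int]]:
    """HYPOTHETICAL stand-in for the defect, not QRadar's real code: a null key
    aborts the rest of that minute's batch, so later entries are never indexed."""
    index: Dict[str, List[int]] = defaultdict(list)
    by_minute: Dict[int, List[Event]] = defaultdict(list)
    for e in events:
        by_minute[e["minute"]].append(e)
    for _, batch in sorted(by_minute.items()):
        for e in batch:
            if e["Username"] is None:
                break                      # the stand-in defect
            index[e["Username"]].append(e["id"])
    return index

def validate_index(events: List[Event], index: Dict[str, List[int]]) -> Dict[str, List[int]]:
    """Return {username: event ids a filtered search would miss}; {} means complete."""
    missing: Dict[str, List[int]] = {}
    for name in {e["Username"] for e in events if e["Username"] is not None}:
        lost = set(full_scan(events, name)) - set(index.get(name, []))
        if lost:
            missing[name] = sorted(lost)
    return missing
```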
Installation
Fix packs are cumulative software updates to fix known software issues in your QRadar deployment. QRadar fix packs are installed by using an SFS file. The fix pack can update any appliance that is attached to the QRadar Console that is at the same software version as the Console.
- Download the fix pack 7.2.7-QRADAR-QRSIEM-20160727184601 from the IBM Fix Central website.
- Using SSH, log in to your system as the root user.
- Copy the fix pack to the /tmp directory on the QRadar Console.
Note: If space in the /tmp directory is limited, copy the fix pack to another location that has sufficient space.
- To create the /media/updates directory, type the following command: mkdir -p /media/updates
- Change to the directory where you copied the patch file. For example, cd /tmp
- To mount the patch file to the /media/updates directory, type the following command:
mount -o loop -t squashfs 726_QRadar_patchupdate-7.2.7.20160727184601.sfs /media/updates
- To run the patch installer, type the following command: /media/updates/installer
Note: The first time that you run the fix pack, there might be a delay before the fix pack installation menu is displayed.
- Using the patch installer, select all.
- The all option updates the software on all appliances in the following order:
1. Console
2. Event Processors
3. Event Collectors
4. Flow Processors
5. Flow Collectors
- If you do not select the all option, you must select your Console appliance.
As of QRadar 7.2.6 Patch 3 and later, administrators are only provided the option to update all or update the Console appliance as the managed hosts are not displayed in the installation menu. After the Console is patched, a list of managed hosts that can be updated is displayed in the installation menu. This change was made starting with QRadar 7.2.6 Patch 3 to ensure that the Console appliance is always updated before managed hosts to prevent upgrade issues.
If administrators want to patch systems in series, they can update the Console first, then copy the patch to all other appliances and run the patch installer individually on each managed host. The Console must be patched before you can run the installer on managed hosts.
If your Secure Shell (SSH) session is disconnected while the upgrade is in progress, the upgrade continues. When you reopen your SSH session and rerun the installer, the patch installation resumes.
- A summary of the fix pack installation advises you of any managed hosts that were not updated.
TIP: If the fix pack fails to update a managed host, you can copy the fix pack to the host and run the installation locally. The Console appliance must be upgraded before you can do a local update for your managed host.
- After the patch completes and you have exited the installer, type the following command: umount /media/updates
- After all hosts are updated, administrators can send an email to their team to inform them that they will need to clear their browser cache before logging in to the QRadar SIEM interface.
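The steps above gathered into one script, as an added example that is not IBM's installer or any QRadar tool: it checks the preconditions the notes call out (root login, free space in /tmp, an .sfs file), mounts the fix pack, runs the installer and unmounts even if the installer fails. The ALT_STAGE variable and its /var/tmp default are assumed; the notes only say to use "another location that has sufficient space".

```python
"""Wrapper for the QRadar fix-pack steps (added example, not IBM code)."""
import os
import shutil
import subprocess
import sys
from pathlib import Path

MOUNT_DIR = Path("/media/updates")
# Assumed fallback staging directory; override with the ALT_STAGE environment variable.
ALT_STAGE = os.environ.get("ALT_STAGE", "/var/tmp")

def pick_staging_dir(patch_size: int, candidates=("/tmp", ALT_STAGE)) -> str:
    """Return the first candidate directory with enough free space for the .sfs file."""
    for d in candidates:
        if os.path.isdir(d) and shutil.disk_usage(d).free >= patch_size:
            return d
    raise RuntimeError("no staging directory has room for the fix pack")

def run(*cmd: str) -> None:
    subprocess.run(cmd, check=True)   # raise on any non-zero exit status

def install_patch(sfs: Path) -> None:
    if os.geteuid() != 0:
        raise PermissionError("log in as root before running the installer")
    if sfs.suffix != ".sfs":
        raise ValueError(f"{sfs} is not an .sfs fix pack")
    staged = Path(pick_staging_dir(sfs.stat().st_size)) / sfs.name
    if staged.resolve() != sfs.resolve():
        shutil.copy2(sfs, staged)         # copy to /tmp (or the fallback)
    MOUNT_DIR.mkdir(parents=True, exist_ok=True)
    run("mount", "-o", "loop", "-t", "squashfs", str(staged), str(MOUNT_DIR))
    try:
        run(str(MOUNT_DIR / "installer"))  # choose "all" in the menu it shows
    finally:
        run("umount", str(MOUNT_DIR))      # unmount even if the installer fails

if __name__ == "__main__":
    install_patch(Path(sys.argv[1]))
```

Remember that managed hosts are only offered once the Console has been patched, so run this on the Console first.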
Results
At 01:00 AM appliance local time following a successful patch, all index files on an appliance that were generated while running QRadar 7.2.6 or 7.2.7 will be validated to ensure that all indexes on the appliance are accurate. This one-time validation could take several hours to complete depending on the amount of index data. The index validation process does not significantly impact the performance of other QRadar processes.
If the administrator wants to adjust the time at which index validation starts, they can contact IBM QRadar Support for assistance or ask a question in the QRadar forum for more information.
Resolved issues
As QRadar 7.2.7 Patch 1 is a cumulative release, the tables below also list issues resolved in previous 7.2.6 patch updates. Note: Some APAR links in the tables below might take 24 hours to display properly after a software release.
Product | Number | Description |
---|---|---|
QRADAR | IV71970 | NO ACCUMULATED DATA FOR 'SOURCE NETWORK GROUP' COLUMN |
QRADAR | IV74147 | REPORTS RUN ON ADVANCED SEARCHES CONTAINING THE 'HAVING' CLAUSE PRODUCE DUPLICATE COLUMNS |
QRADAR | IV76224 | ERROR 'PATCH ABORTED' WHEN PATCHING QRADAR MANAGED HOSTS FROM THE CONSOLE USING THE PATCH ALL OPTION |
QRADAR | IV77615 | QFLOW PROCESS ON QRADAR 1310 APPLIANCES CAN SOMETIMES STOP WORKING CAUSING NO FLOWS TO BE RECEIVED |
QRADAR | IV80159 | REPORTS USING AN ADVANCED SEARCH WITH MULTIPLE 'ORDER BY' COLUMNS CAN FAIL TO BE GENERATED SUCCESSFULLY |
QRADAR | IV80662 | REPORTS CONTAINING TABLES BASED ON SOME ADVANCED SEARCHES CAN CONTAIN EXTRA COLUMNS AND/OR BE MISSING COLUMNS |
QRADAR | IV81818 | CHANGES MADE TO THE GLOBAL SYSTEM NOTIFICATION, SYSTEM LOAD, VALUES ARE NOT RECOGNIZED BY QRADAR |
QRADAR | IV82018 | DEPLOY FUNCTION FAILS AFTER REMOVING ENCRYPTION USING SYSTEM AND LICENSE MANAGEMENT OPTIONS |
QRADAR | IV82557 | 'ERROR OCCURRED WHILE SEARCHING FOR DEPENDENTS' MESSAGE WHEN ATTEMPTING TO DELETE A RULE FROM THE USER INTERFACE |
QRADAR | IV82813 | SOME TIME SERIES DASHBOARD GRAPHS ONLY SHOW LAST SIX MINUTES OF EVENTS |
QRADAR | IV82814 | OFFENSE SEARCH BY 'DESTINATION IP' CAN CAUSE A TOMCAT TXSENTRY MAKING THE USER INTERFACE TEMPORARILY INACCESSIBLE |
QRADAR VULN. MANAGER | IV83527 | QRADAR VULNERABILITY MANAGER SCANS CAN FAIL WHEN THERE ARE TOO MANY IP EXCLUSIONS DEFINED |
QRADAR VULN. MANAGER | IV83534 | QRADAR VULNERABILITY MANAGER PROCESSOR FAILS TO START WHEN A SCANNER INSTANCE NAME IS TOO LONG |
QRADAR | IV83692 | UNABLE TO DELETE CUSTOM EVENT PROPERTIES WHEN THEY ARE USED WITH MULTIPLE LOG SOURCE TYPES AND SEARCHES |
QRADAR | IV83769 | NAVIGATING TO THE 'MY ASSIGNED VULNERABILITIES' SCREEN CAN HANG AND THE USER INTERFACE CAN BECOME INACCESSIBLE |
QRADAR | IV83969 | UNABLE TO CREATE NEW NETFLOW FLOW SOURCE FORWARDS OR EDIT ANY THAT ARE ALREADY CREATED |
QRADAR | IV84004 | USING A LOG SOURCE EXTENSION (LSX) SET TO 'PARSING OVERRIDE' ON A STANDARD DSM CAN CHANGE THE EVENT SEVERITY LEVEL |
QRADAR VULN. MANAGER | IV84031 | RUNNING QRADAR VULNERABILITY MANAGER SCANS DISTRIBUTED ACROSS MULTIPLE SCANNER INSTANCES WITH CENTRALISED CREDENTIALS MAY FAIL |
QRADAR | IV84058 | MANAGE VULNERABILITY DEPLOYMENT SCREEN 'SAVE' BUTTON IS NOT USABLE IN SOME CIRCUMSTANCES |
QRADAR | IV84603 | DEPLOYMENT_INFO.SH AND GET_LOGS.SH CAN FAIL TO COMPLETE IN A QRADAR ENVIRONMENT THAT CONTAINS NAT'D HOSTS |
QRADAR | IV84678 | QRADAR USER INTERFACE SCREEN MOVES ERRATICALLY WHEN USING SPECIFIC CHARACTERS IN THE OFFENSE CLOSING 'NOTE' SECTION |
QRADAR | IV85031 | EVENT COUNT CONTRIBUTING TO AN OFFENSE DOES NOT MATCH THE NUMBER OF EVENTS WHEN DISPLAYED IN LOG ACTIVITY |
QRADAR | IV85157 | COMPLEX ADVANCED SEARCHES CAN CAUSE ACCUMULATOR_ROLLUP TO RUN OUT OF MEMORY |
QRADAR | IV85207 | 'COULD NOT DESERIALIZE QUERY HANDLE...-ASYNCHRONOUS' NULLPOINTEREXCEPTIONS REPETITIVELY APPEARING IN QRADAR |
QRADAR VULN. MANAGER | IV85252 | THE MANAGE VULNERABILITY PAGE IN THE QRADAR USER INTERFACE CAN SOMETIMES TAKE A LONGER THAN EXPECTED TIME TO LOAD |
QRADAR VULN. MANAGER | IV85261 | AN 'APPLICATION ERROR' CAN SOMETIMES BE GENERATED WHEN CLICKING A HYPERLINK ON THE SCAN RESULTS PAGE |
QRADAR | IV85370 | QRADAR PATCHES CAN SOMETIMES TAKE AN UNEXPECTEDLY LONG TIME TO COMPLETE |
QRADAR | IV85415 | 'APPLICATION ERROR' ON THE CONFIGURATION MONITOR SCREEN WHEN ATTEMPTING TO VIEW A DEVICE SUMMARY |
QRADAR | IV85447 | REPORTS AND DASHBOARDS BASED ON SOME ADVANCED (AQL) SEARCHES MIGHT NOT WORK AS EXPECTED |
QRADAR VULN. MANAGER | IV85449 | THE QRADAR VULNERABILITY MANAGER 'SCAN RESULTS' SCREEN CAN TAKE A LONGER THAN EXPECTED TIME TO LOAD/POPULATE |
QRADAR | IV85599 | APPLICATION ERROR CAN SOMETIMES OCCUR WHEN ATTEMPTING TO CLOSE AN OFFENSE CAUSING A BLANK USER INTERFACE BROWSER WINDOW |
QRADAR VULN. MANAGER | IV85635 | 'AN ERROR OCCURRED - UNABLE TO RETRIEVE SCAN RESULTS' ERROR DIALOG CAN SOMETIMES APPEAR WHEN OPENING SCAN RESULTS |
QRADAR VULN. MANAGER | IV85757 | QRADAR VULNERABILITY MANAGER SCHEDULED SCANS CAN SOMETIMES FAIL TO START |
QRADAR RISK MANAGER | IV85870 | UNABLE TO SEE ROUTE TO INTERNET IN TOPOLOGY WHEN PERFORMING A PATH SEARCH WHEN ROUTE IS THROUGH AN UNCLASSIFIED ISP ROUTER |
QRADAR | IV86402 | THE VALUES ENTERED FOR REFERENCE SET DATA 'TIME TO LIVE' DAYS AND HOURS ARE SWAPPED AFTER CLICKING THE SUBMIT BUTTON |
QRADAR | IV86686 | REPORTS BASED ON AN ADVANCED SEARCH (AQL) CAN SOMETIMES CAUSE REPORTING_EXECUTOR TO RUN OUT OF MEMORY |
QRADAR | SECURITY BULLETIN | IBM JAVA AS USED IN IBM QRADAR SIEM IS VULNERABLE TO INFORMATION DISCLOSURE. (CVE-2016-3426) |
QRADAR | SECURITY BULLETIN | OPENSSL AS USED IN IBM QRADAR SIEM IS VULNERABLE TO MULTIPLE CVES |
Product | Number | Description |
---|---|---|
QRADAR | IV50320 | WINCOLLECT AGENTS CONTAIN A DEFAULT EVENT THROTTLE THAT MIGHT NOT BE SUFFICIENT FOR HIGH EPS WINDOWS SYSTEMS |
QRADAR | IV67458 | RULES THAT COMPARE A NUMERICALLY FORMATTED CUSTOM PROPERTY TO A NUMERICAL REFERENCE SET FAIL TO MATCH |
QRADAR | IV72794 | THE QRADAR/STORE/TRANSIENT PARTITION CAN EXCEED 95% DISK SPACE USAGE CAUSING SERVICES TO STOP |
QRADAR | IV73253 | QRADAR UNABLE TO ADD REFERENCE TABLE ELEMENTS WHEN USING PORT, IP, OR NUMERIC REFERENCE TABLES |
QRADAR | IV76726 | GEOGRAPHIC COUNTRY/REGION DATA POPULATED INTO REFERENCE TABLES IS NOT USED CONSISTENTLY WHEN TESTING AGAINST OTHER RULES |
QRADAR | IV78329 | UNABLE TO PERFORM RULE OR ADVANCED QUERY COMPARISONS USING 'DATE' TYPE REFERENCE DATA |
QRADAR | IV78720 | OFFENSES CAN SOMETIMES STOP GENERATING OR UPDATING IN CERTAIN 'FLOW SOURCE STOPPED SENDING FLOWS' SCENARIOS |
QRADAR | IV79198 | SYSTEM NOTIFICATIONS RELATED TO 'BERKELEY DB LIBRARY' CAN SOMETIMES BE GENERATED WITHIN QRADAR |
QRADAR | IV79686 | NO SYSTEM HEALTH DATA IS DISPLAYED AFTER PERFORMING A QRADAR CONFIGURATION RESTORE |
QRADAR | IV79698 | NON-ADMIN USERS ASSIGNED TO A DOMAIN ARE UNABLE TO SWITCH REPORT GROUPS |
QRADAR | IV79930 | CREATING AN ASSET MANUALLY CAN TAKE A LONGER THAN EXPECTED AMOUNT OF TIME AND/OR APPEARS TO HANG INDEFINITELY |
QRADAR VULN MANAGER | IV81997 | AN ARIEL_PROXY_SERVER 'OUT OF MEMORY' CAN SOMETIMES OCCUR DURING EVENT AND/OR FLOW SEARCHES |
QRADAR | IV82160 | CRE FAILED TO READ RULES MESSAGES IN QRADAR LOGGING AFTER PERFORMING A CONTENT MANAGEMENT TOOL IMPORT |
QRADAR | IV83455 | DATA NODE REBALANCING PROCESS CAN SOMETIMES FAIL AND RESTART TAKING A LONGER THAN EXPECTED TIME TO REBALANCE |
QRADAR | IV83535 | REPORT ON TOP OFFENSES THAT ARE BASED ON SAVED SEARCHES CONTAINING DOMAIN FILTERS DO NOT WORK AS EXPECTED |
QRADAR | IV83748 | AN ERROR OCCURRED POSITIONING THE RESULT SET RETURNED FROM THE SERVER TO ROW 1...ERROR MESSAGE DISPLAYED IN SEARCH RESULTS |
QRADAR | IV84025 | UNABLE TO DELETE RULES THAT ARE ADDED TO THE GROUP 'ANOMALY' |
QRADAR | IV84056 | ADVANCED SEARCHES (AQL) THAT CONTAIN 'LOG SOURCE GROUP' FILTER OR COLUMN CAN APPEAR TO HANG |
QRADAR | IV84062 | QRADAR USER INTERFACE ACTION BAR IS MISSING FROM MULTIPLE UI SCREENS |
QRADAR | IV84390 | ERROR POP-UP OR BLANK WINDOW CAN OCCUR WHEN USING CHROME OR INTERNET EXPLORER BROWSER IN SPECIFIC FILTER SEARCH INSTANCES |
QRADAR | IV81461 | LARGE NUMBER OF SIEM-AUDIT-2 SYSTEM GENERATED EVENTS WITHIN QRADAR |
QRADAR | IV84511 | UNABLE TO REMOVE THE 'OPTIMIZE PARSING FOR RULES, REPORTS AND SEARCHES' FLAG ON CUSTOM EVENT/FLOW PROPERTIES |
QRADAR | IV84682 | QRADAR VIS COMPONENT DOES NOT GET RE-ADDED TO QFLOW APPLIANCE WHEN A QFLOW IS REMOVED AND RE-ADDED TO A DEPLOYMENT |
QRADAR | IV84689 | OFFLINE FORWARDING FROM DATA NODES DOES NOT WORK |
QRADAR | IV84733 | QRADAR CAN FAIL TO PARSE EVENTS THAT HAVE UNRESOLVED DNS NAMES |
QRADAR | IV85210 | INVALID BACKUP ARCHIVE MESSAGE WHEN ATTEMPTING TO UPLOAD A BACKUP FILE FROM WITHIN THE QRADAR USER INTERFACE |
---------
Document Information
Modified date: 10 May 2019
UID: swg27048465