Release of the QRadar 7.3.0 Patch 6 ISO (7.3.0.20171107151332) (UPDATED)

Release Notes

Abstract

A list of the installation instructions, new features, and includes a resolved issues list for the release of IBM Security QRadar 7.3.0 Patch 6 (7.3.0.20171107151332) ISO. These instructions are intended for administrators upgrading from QRadar 7.2.8 Patch 1 or later to QRadar 7.3.0 Patch 6 using an ISO file.

Content

About this upgrade

These instructions are intended to assist administrators with updating appliances from QRadar 7.2.8 to QRadar 7.3.0 Patch 6 using an ISO file. This ISO can update QRadar, QRadar Risk Manager, QRadar Vulnerability Manager products from 7.2.8 to version 7.3.0 Patch 6. These instructions inform administrators how to update their deployment to the latest version. If you have a software installation, need the latest memory requirements, or are making use of off-board storage, it is recommended that you review the QRadar Upgrade Guide to prevent issues.

QRadar 7.3.0 uses an ISO file to update hosts to the latest software version. A minimum of QRadar 7.2.8 Patch 1 (or later) is required to be able to upgrade to QRadar 7.3.0 Patch 6. Each host must be updated individually, this includes HA secondary appliances.

Administrator notes

Current QRadar Version	Upgrades to QRadar 7.3.0 `Patch` 6?
QRadar 7.2.6 (any patch level) or earlier	No
QRadar 7.2.7 (any patch level)	No
QRadar 7.2.8.0	No
QRadar 7.2.8 `Patch` 1 or later	Yes, the latest ISO can upgrade beyond the initial 7.3.0 release versions and there is no need to install multiple files. Use these release notes to complete this process.
QRadar 7.3.0 to QRadar 7.3.0 `Patch` 4	See the QRadar 7.3.0 `Patch` 6 SFS release notes.

This update includes a change to how login authentication works for fallback LDAP, Radius, or Active Directory on administrator accounts. If the external authentication server is unavailable, not all administrators will be able to fall back to their local administrator passwords without a configuration change. This change was implemented in QRadar 7.3.0 Patch 4 or later and this note is being included in 7.3.0 Patch 6 to raise awareness for this change. For more information, see: QRadar: External Authentication Fails Due to Password Fallback Change for Administrators.
TLS v1.0 and TLSv1.1 is disabled in this release and connections to the user interface for legacy browsers might be rejected.
WinCollect agents at version 7.2.2-2 or older use TLSv1.0 and TLS v1.1 connections to upgrade agents, which is disabled in QRadar 7.3.0 (all patch version). Administrators with managed WinCollect agents must upgrade to WinCollect 7.2.5 before installing QRadar 7.3.0 Patch 6. WinCollect 7.2.5 is a pre-requisite for QRadar 7.3.0. Stand-alone WinCollect agents are not impacted by this requirement.
Customized routes or static routes configured manually in QRadar are not preserved after the upgrade to QRadar 7.3.0 completes.
Any iptables rules configured by the administrator should be reviewed and noted for clean up post installation. The interface names have changed in QRadar 7.3.0 due to the Red Hat Enterprise 7 operating system updates and administrators who reference interfaces will need to update iptables rules manually.
You must be on QRadar 7.2.8 Patch 1 or later to upgrade to QRadar 7.3.0 Patch 6.
QRadar Network Insights administrators much be on QRadar 7.2.8 Patch 3 or later to upgrade.
The upgrade from QRadar 7.3.8 Patch 1 to QRadar 7.3.0 Patch 6 will use a .ISO file. In the past, support has stated that ISOs are for new appliance installs only, but QRadar 7.3.0 is going to be an exception to this rule because of the Red Hat kernel update requirements.
Each HA appliance must be updated individually using the ISO file. The SFS file is capable of allowing the primary appliance to update the secondary, but the ISO file does not support this functionality. If you run the ISO setup on an HA primary, you should wait for the update to complete, then run the setup on the HA secondary.
There is no patch "All" option as QRadar 7.3.0 uses an ISO file to upgrade. The ISO must be mounted to the appliance and run locally on each host. If you have a software install, you need your Red Hat Enterprise ISO and the QRadar ISO. Administrators with software installations on your own hardware MUST read the QRadar Upgrade Guide to understand how to partition their systems appropriately.
The 7.3.0 upgrade will take longer than expected due to the kernel changes to Red Hat 7 Enterprise. Early upgrade customers are reporting 2 to 2.5 hours to upgrade the Console appliance. Administrators should be aware of this longer time frame to plan their maintenance windows.
Utilities or custom scripts that power users might have created for their QRadar deployment should be copied off of the system. During the 7.3.0 update a warning is displayed that only data in /store is going to be preserved. After the appliance reboots, any scripts, 3rd party accounts, or utilities in /tmp, or /, or /root will be deleted. This does not impact ISO files mounted initially using /root as the this clean up only occurs later in the installation procedure.

Figure 1: Administrators on QRadar 7.2.8 version are not required to install each ISO release to update to the latest version. If an ISO is available for the latest 7.3.0 Patch version, you can install the latest ISO file.

The QRadar 7.3.0 Patch 6 ISO (7.3.020171107151332) can upgrade QRadar 7.2.8 Patch 1 (7.2.8.20161207001258) and later to QRadar 7.3.0. If you are on a version of QRadar earlier than QRadar 7.2.8 Patch 1, you must upgrade to QRadar 7.2.8 Patch 1 or later before proceeding to install the QRadar 7.3.0 ISO to upgrade. For a list of all release note for QRadar, see the QRadar Master Software List.

Before you upgrade

Ensure that you take the following precautions:

Back up your data before you begin any software upgrade and verify that you have recent configuration backups that match your existing Console version. If required, take an on demand configuration backup before you begin. For more information about backup and recovery, see the IBM Security QRadar Administration Guide.
HA appliances should have primaries in the online state and secondary as standby for their HA pair status.
If you have off-board storage configured, see the QRadar Upgrade Guide as there are special instructions for administrators with /store using off-board storage.
If you installed QRadar as a software install using your own hardware, see the QRadar Upgrade Guide for partition information.
WinCollect 7.2.5 is a pre-requisite for QRadar 7.3.0 and all managed agents must be updated. Stand-alone WinCollect agents are not impacted by this requirement.
All appliances in the deployment must be at the same software & patch level in the deployment.
Verify that all changes are deployed on your appliances. The update cannot install on appliances that have changes that are not deployed.
A QRadar 7.3.0 Patch 6 ISO is available for administrators to want to upgrade from QRadar 7.2.8 Patch 1 or install a new appliance or virtual machine. Administrators who want to complete a new install need to review the QRadar Installation Guide.
To avoid access errors in your log file, close all open QRadar user interface sessions.
If you are unsure of the IP addresses or hostnames for the appliances in the deployment, run the utility /opt/qradar/support/deployment_info.sh to get a .CSV file with information about the QRadar deployment. The CSV file will contain a list of IP addresses for each managed host.
If you are unsure of how to proceed when reading these instructions or the documentation, it is best to ask before starting your upgrade. To ask a question in our forums, see: http://ibm.biz/qradarforums.

Part 1. Staging files and pretesting your deployment (required)

It is important that administrators pretest their deployment to ensure that they will not experience unexpected issues when updating to QRadar 7.3.0. A pretest is a common precaution that should be taken by all administrators before they install an update to locate potential issues. The pretest does not restart services and can be completed without scheduled downtime. The pretest typically takes between 3 to 5 minutes to complete on each appliance. If for some reason your SSH session is disconnected, you can reconnect to the remote host using screen.

Procedure
The pretest should be completed on all hosts by the administrator before you attempt to upgrade to QRadar 7.3.0.

Download the QRadar 7.3.0 Patch 6 ISO (3.8 GB) from the IBM Fix Central website: http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.3.0&platform=Linux&function=fixId&fixids=7.3.0-QRADAR-QRFULL-20171107151332&includeRequisites=1&includeSupersedes=0&downloadMethod=http&source=fc

IMPORTANT: QRadar Incident Forensics and QRadar Network Insights use a unique ISO file to upgrade from 7.2.8 to 7.3.0. See the Fix Central page for those products to download the correct file.
Using SSH, log in to your Console as the root user.
Type the following command:
```
screen
```

To make the directory for the update, type:

/opt/qradar/support/all_servers.sh -k “mkdir -p /media/cdrom || umount /media/cdrom"

To verify you have enough space (4GB) in /tmp for the ISO on all appliances, type:
```
/opt/qradar/support/all_servers.sh -k df -h /root /var/log | tee diskchecks.txt
```
- Best directory option: /root
  It is available on all appliance types, is the best option to host the ISO file.
- 2nd best directory option: /var/log
  This directory is available on all appliances, but there might not be the required space available.
- DO NOT USE: /tmp, /store/tmp, or /store/transient for your ISO upgrade. These directories are partitioned as part of the upgrade and administrators cannot use them as storage locations or mount points for the ISO file.
  
  If the disk check command fails, retype the quotation marks from your terminal, then re-run the command. This command returns the details to both the command window and to a file on the Console named diskchecks.txt. Review this file to ensure that all appliances have at minimum 4GB of space available in a directory to copy the ISO before attempting to move the file to a managed host. If required, free up disk space on any host that fails to have less that 4GB available.
  
  Reminder: Utilities or custom scripts that administrators have created for QRadar should be copied off of the system. During the 7.3.0 update a warning is displayed that only data in /store will be preserved. Therefore, scripts, 3rd party utilities in /tmp, or /, or /root will be deleted during the upgrade.
If there is not 4GB of space in /root or /var/log, the administrator must make directory space for the ISO file.
Using WinSCP or SCP, copy the ISO to the /root or /var/log directory on the QRadar Console with 4GB of disk space for the ISO file.

To copy the files to all appliances, type:

/opt/qradar/support/all_servers.sh -k -p /root/Rhe764QRadar7_3_0_20171107151332.stable-7-3-0.iso -r /root

To mount the ISO on all appliances, type the following command:

/opt/qradar/support/all_servers.sh -C -k “mount -o loop /root/Rhe764QRadar7_3_0_20171107151332.stable-7-3-0.iso /media/cdrom"

To pretest the Console appliance, type:
```
/media/cdrom/setup -t
```
The pretest output will be written to the command window. Review this output after the pretest completes.
Using SSH, open an SSH session to the other appliances in your deployment. QRadar Support recommends that all administrators run the pretest on each host to identify issues before the update begins.
To pretest the managed host, type:
```
/media/cdrom/setup -t
```
Results
If an appliance in your deployment fails the pretest, the administrators can take the recommended action from the pretest utility. The issue must be resolved before the update to 7.3.0 begins to prevent downtime for specific appliances. If there are messages you do not understand or want to discuss further, you can use our forums http://ibm.biz/qradarforums to get advice. Alternately, administrators can open a ticket directly with QRadar Support (http://ibm.biz/qradarsupport).

Part 2. Installing the QRadar 7.3.0 ISO on the Console Appliance

These instructions guide administrators through the process of upgrading an existing QRadar install at 7.2.8 Patch 1 or later to QRadar software version 7.3.0. The update on the Console must be completed first, before you attempt to update any managed hosts to QRadar 7.3.0.

Procedure
You must complete: Part 1. Staging files and pretesting your deployment (required) before you begin the installation steps listed below.

Using SSH, log in to the Console as the root user.
To run the ISO installer on the Console, type the following command:
```
/media/cdrom/setup
```
Important: Upgrading from QRadar 7.2.8 Patch 1 or later to QRadar 7.3.0 should take approximately 2 hours on a Console appliance.
Wait for the Console primary update to complete.
For HA appliances. If you have an HA Secondary, you can now update the secondary appliance.
Open an SSH session to the HA Console secondary.
Type the following command to update the secondary Console:
```
/media/cdrom/setup
```
Wait for the HA Console secondary to complete the update.

Results
A summary of the ISO installation advises you of any issues. If there are no issues, administrators can now SSH to managed hosts and start the installer on each host to run the setup in parallel.

Part 3. Installing the QRadar 7.3.0 ISO on all other managed hosts

After the Console and Console HA secondary are updated to QRadar 7.3.0, then the rest of the deployment can updated. There is no order required for updating specific appliance types after the Console is updated. Administrators can update Event Processors, Event Collectors, QFlow appliances in any order. You must open an SSH session to each host to run the setup command. The all_servers.sh utility is not supported for parallel ISO installations. Administrators can start the ISO update in parallel on multiple hosts, if they are not HA pairs.
Administrators with appliances that are HA pairs must upgrade the primary appliance first, then the secondary managed host.

Procedure
You must complete: Part 1. Staging files and pretesting your deployment (required) before you begin the installation steps listed below.

Using SSH, log in to the Console as the root user.
Open an SSH session to each managed host and type the following command:
```
/media/cdrom/setup
```
Important: Upgrades for managed hosts should take approximately 1.5 hours.
Wait for the managed host update to complete.
For HA appliances. If you have an HA Secondary, you can now update the secondary appliance.
Open an SSH session to the manage host HA secondary.
Type the following command to update the secondary:
```
/media/cdrom/setup
```
Wait for the HA Console secondary to complete the update.

Results
A summary of the ISO installation advises you of any issues. If there are no issues, administrators can now run the ISO setup on the Console HA secondary appliance, if you have an HA pair. If you do not have a Console in HA, you can then start SSH sessions to each host and run the setup in parallel.

Part 4. Installation wrap-up

After all hosts are updated, administrators can send an email to their team to inform them that they will need to clear their browser cache before logging in to the QRadar SIEM interface.

To unmount the /media/cdrom directory on all hosts, type:

/opt/qradar/support/all_servers.sh -C -k “umount /media/cdrom"

Administrators can delete the ISO from all appliances.
Administrators who use WinCollect agents version 7.2.6 or latest must reinstall the SFS file on the QRadar Console. This is due to issues were the ISO replaces the SFS on the Console with WinCollect 7.2.5 as described here: APAR IV96364. To install the latest WinCollect SFS on the Console, see the WinCollect release notes: WinCollect 7.2.7 Release Notes.
Review any static routes or customized routing. As mentioned in the administrator notes, all routes were removed and will need to be reconfigured after the upgrade completes.
Any iptable rules configured should be reviewed as the interface names have changed in QRadar 7.3.0 due to the Red Hat Enterprise 7 operating system updates. Any iptables rules that use Red Hat 6 interface naming conventions will need to be updated.

Resolved issues

Some APAR links in the table below might take 24 hours to display properly after a software release is posted to IBM Fix Central.

**Resolved issues for 7.3.0 Patch 6**
Product	Component	Number	Description
QRADAR	SECURITY BULLETIN	CVE-2015-6420	APACHE COMMONS COLLECTION AS USED IN IBM QRADAR SIEM IS VULNERABLE TO REMOTE CODE EXECUTION.
QRADAR	HOST TIME SYNCHRONIZATION	IJ00032	MANAGED HOST TIME SYNCRONIZATION CAN FAIL TO WORK CORRECTLY CAUSED BY AN UPGRADE OF OPENSSL
QRADAR VULN MANAGER	DEPLOY	IJ02090	NEWLY CONFIGURED VULNERABILITY EXCEPTIONS CAN SOMETIMES BE DUPLICATED
QRADAR VULN MANAGER	DEPLOY	IJ00132	QRADAR VULNERABILITY MANAGER IS IN THE PROCESS OF BEING DEPLOYED MESSAGE ON VULNERABILITIES TAB AFTER PATCHING.
QRADAR	LICENSE INTERFACE	IJ00136	EVENT/FLOW (EPS/FPS) IN LICENSE POOL ALLOCATION DISPLAYS AS "N/A" AFTER PATCHING QRADAR
QRADAR	APPLICATION INSTALL	IJ00200	APPLICATION INSTALLATION WINDOW HANGS WHEN ATTEMPTING TO UPDATE QRADAR APPS
QRADAR	APPLICATION INSTALL	IJ00245	QRADAR APPS CAN FAIL TO INSTALL AFTER UPGRADING TO 7.3.0 PATCH 2 OR HIGHER
QRADAR	APPLICATION INTERFACE	IJ00258	QRADAR APPS TAB CAN FAIL TO LOAD AFTER UPGRADING TO 7.3.0 PATCH 4
QRADAR	UPGRADING	IJ00458	GLUSTER DAEMON IS NOT STOPPED WHEN UPDATING GLUSTER RPMS DURING A QRADAR 7.3.0 UPGRADE
QRADAR	APPLICATION INSTALL	IJ00628	QRADAR APPLICATIONS CAN FAIL TO INSTALL PROPERLY AND ROLLBACK WHEN A INSTALLHEALTHCHECK CONNECTION RESET/REFUSE OCCURS
QRADAR	USER INTERFACE	IJ01043	THE QRADAR USER INTERFACE CAN BECOME UNRESPONSIVE WHEN LOADING THE LOG SOURCES WINDOW DUE TO A SENSORDEVICE TABLE LOCK
QRADAR	UPGRADING	IJ01120	FACTORY REINSTALL CAN FAIL ON A QRADAR APPLIANCE THAT HAS BEEN UPGRADED FROM 7.2.8 TO 7.3.0
QRADAR	APPLICATION INSTALL	IJ01241	QRADAR APP INSTALLS CAN SOMETIMES FAIL AFTER AN APP NODE IS INSTALLED IN THE QRADAR ENVIRONMENT
QRADAR	USER INTERFACE	IV84706	QRADAR USER INTERFACE SESSIONS ARE BECOMING DISCONNECTED (SESSION TIMEOUT) UNEXPECTEDLY
QRADAR	CUSTOM ACTION SCRIPTS	IV86611	CUSTOM ACTION RESPONSE RETURNS 'NULL' VALUE FOR SOME DEFINED PARAMETERS
QRADAR	DISK SPACE	IV88269	FAILED REPLICATIONS CAN LEAVE RESIDUAL FILES IN /TMP DIRECTORY
QRADAR	REFERENCE SET	IV90323	UNABLE TO DELETE REFERENCE SET ELEMENTS USING THE QRADAR USER INTERFACE
QRADAR	SEARCH FILTER	IV91301	OFFENSE SEARCH EXCLUSION FILTERS CONTAINING A DEFINED NETWORK HIERARCHY PARAMETER DO NOT RESPECT THE EXCLUSION
QRADAR	RULES	IV93254	'DEVICE STOPPED SENDING EVENTS' RULE SOMETIMES DOES NOT DISPLAY THE ASSOCIATED LOG SOURCE WHEN PART OF AN OFFENSE
QRADAR	DSM EDITOR	IV93696	DSM EDITOR CAN DISPLAY REGEX GRABS INCONSISTENTLY BETWEEN WORKSPACE FIELD AND LOG ACTIVITY PREVIEW
QRADAR	CUSTOM EVENT PROPERTY	IV94165	EVENTS CONTRIBUTING TO AN OFFENSE CANNOT BE DISPLAYED AFTER CUSTOM EVENT PROPERTY 'OFFENSEID' IS CREATED IN DSM EDITOR
QRADAR	REPORTS	IV95248	MESSAGE 'TEMPLATE NOT FOUND' IS DISPLAYED WHEN ATTEMPTING TO VIEW, RUN OR EDIT A REPORT
QRADAR ON CLOUD	APP TAB USER INTERFACE	IV95430	QRADAR ON CLOUD USERS CANNOT SEE QRADAR APPLICATION TABS AFTER INSTALLATION
QRADAR	CUSTOM ACTION SCRIPTS	IV95514	SELECTED EVENT DOES NOT DISPLAY IN THE DSM EDITOR WORKSPACE
QRADAR	SEARCH	IV96161	SEARCHES CAN FAIL WITH 'CONNECTING TO THE QUERY SERVER' ERRORS AND/OR 'I/O ERROR OCCURRED' WHEN MANY SECURITY PROFILES EXIST
QRADAR	DISK SPACE	IV96323	THE /STORE/TRANSIENT PARTITION DOES NOT PERFORM REQUIRED CLEANUP WHEN RUNNING LOW ON FREE DISK SPACE
QRADAR	REPORTS	IV96377	REPORTS RUN ON SOME AQL SEARCHES CAN RETURN INCONSISTENT COLUMN NAMES
QRADAR	SEARCH	IV97151	'THE SERVER ENCOUNTERED AN ERROR READING ONE OR MORE FILES' WHEN PERFORMING A LOG ACTIVITY SEARCH
QRADAR	SEARCH	IV97167	SEARCHES CAN FAIL/CANCEL WHEN A MAXIMUM NUMBER OF RESULTS IS REACHED
QRADAR	SEARCH	IV97182	"MANAGE SEARCH RESULTS" PAGE FAILS TO LOAD WITH 'GENERAL FAILURE. PLEASE TRY AGAIN' MESSAGE
QRADAR	USER INTERFACE	IV97275	NON-ADMIN QRADAR USERS ARE UNABLE TO PERFORM VARIOUS RIGHT CLICK AND API CALL FUNCTIONS
QRADAR	OPERATING SYSTEM	IV97469	RHEL CIFS-UTILS PACKAGE IS NOT INCLUDED ON QRADAR APPLIANCES INSTALLED AT, OR UPGRADED TO, VERSION 7.3.0.X
QRADAR	DEPLOYMENT	IV97835	TUNNEL CONNECTIONS REMAIN AFTER A DATA NODE OR EVENT COLLECTOR ARE REMOVED FROM A QRADAR DEPLOYMENT
QRADAR	DNS LOOKUP	IV97844	DNS LOOKUPS FOR INTERNAL IP NETWORK RANGES ARE NOT WORKING AS INTENDED
QRADAR	FLOW DATA	IV97942	AUTO UPDATE CAN CAUSE AN INTERRUPTION IN FLOW COLLECTION AND A "PERFORMANCE DEGRADATION" SYSTEM NOTIFICATION IN THE UI
QRADAR	SEARCHES	IV98068	IN PROGRESS SEARCHES THAT RUN LONGER THAN THE CONFIGURED SEARCH RESULTS RETENTION PERIOD ARE DELETED PRIOR TO COMPLETION
QRADAR	DATA OBFUSCATION	IV98095	ATTEMPTING TO OBFUSCATE A LARGE VOLUME OF USERNAME FIELD BASED EVENTS CAN CAUSE OBFUSCATED EVENTS TO BE DROPPED
QRADAR	SEARCH EDITS	IV98100	ADDING A REGEX FILTER TO AN EXISTING SEARCH CAN GENERATE ERROR 'FATAL EXCEPTION IN VALIDATIONEXCEPTION: THIS IS NOT A VALID...'
QRADAR	QUICK FILTER SEARCH	IV98190	COMMA CHARACTERS (,) IN QUICK FILTER SEARCHES ARE TREATED AS "OR" VALUES AND CAN CAUSE VARIED SEARCH RESULTS
QRADAR VULN MANAGER	SCAN DURATION	IV98207	QVM SCAN RESULT DISPLAYS 100% PROGRESS AND STOPPED AS SCAN DURATION TIME CONTINUES TO INCREMENT
QRADAR	DEPLOYMENT	IV98214	DEPLOYMENT ACTIONS - 'EDIT HOST CONNECTION' OPTION IS NOT ENABLED AFTER EVENT/FLOW PROCESSOR IS ADDED TO DEPLOYMENT
QRADAR	SEARCH API	IV98260	API SEARCHES USING A COMPLETED ARIEL SEARCH CAN SOMETIMES RETURN WITH AN ERROR 500
QRADAR	BULK LOG SOURCES	IV98436	UNABLE TO PERFORM A BULK ADD OF LOG SOURCES
QRADAR	USER INTERFACE	IV98449	QRADAR USER INTERFACE BECOMES UNRESPONSIVE LINKED TO LOGROTATE OF HTTPD FILES
QRADAR VULN MANAGER	SCAN REPORT	IV98524	EMAILED VULNERABILITY SCAN REPORTS CAN SOMETIMES BE BLANK
QRADAR NETWORK INSIGHTS	CONTENT CAPTURE	IV98529	QNI ONLY GENERATES FILE INFORMATION FOR THE LAST FILE CONTAINED WITHIN A SINGLE EMAIL, NOT ALL ATTACHED FILES
QRADAR	SEARCH PERFORMANCE	IV98539	ARIEL SEARCHES THAT DO MANY STRING COMPARISONS CAN RUN SLOWER THAN EXPECTED IN LOW MEMORY SCENARIOS
QRADAR	USER INTERFACE	IV98707	TOMCAT SERVICE CAN FAIL TO LOAD DUE TO DEADLOCK, CAUSING THE QRADAR USER INTERFACE TO BECOME INACCESSIBLES
QRADAR VULN MANAGER	ASSETS	IV98728	SCAN RESULT DATA CAN SOMETIMES FAIL TO BE UPDATED IN THE QRADAR ASSET MODEL
QRADAR	SEARCHES	IV98742	ATTEMPTING TO CANCEL A DUPLICATE LOG ACTIVITY SEARCH IN PROGRESS CAN DISPLAY ERROR '...WARN_QUERY_COLLECT_DATA_LIMIT"
QRADAR LOG MANAGER	RULES	IV98928	ADDITIONAL RULE TESTS CANNOT BE ADDED TO CURRENT RULES AND NEW RULES CANNOT BE CREATED WHEN USING QRADAR LOG MANAGER
QRADAR	UPGRADE / INSTALLATION	IV98935	QRADAR UPGRADE PROCESS CAN SOMETIMES FAIL AT THE PRE-BOOT PHASE, AND ' / ' PARTITION FILLS TO 100%
QRADAR	EVENT PARSING	IV99330	A NULLPOINTEREXCEPTION CAN BE GENERATED BY QRADAR HANDLING OF DSM ADAPTIVE PATTERNS LEADING TO UNPARSED/STORED EVENTS
QRADAR VULN MANAGER	SCAN RESULTS	IV99333	INCONSISTENT ASSET COUNTS WHEN DRILLING DOWN INTO SOME SCAN RESULTS
QRADAR	APPLICATION FRAMEWORK	IV99334	QRADAR UPGRADE AND/OR PATCHING WITHIN 7.3.0 CAN FAIL ON MICROSERVICES INSTALLER DUE TO A VAULT CERTIFICATE MISMATCH
QRADAR	CONTENT MANAGEMENT TOOL	IV99508	A NULL POINTER EXCEPTION CAN BE GENERATED DURING IMPORT WHEN USING THE CONTENT MANAGEMENT TOOL CONTAINING CUSTOM LOG SOURCE TYPE
QRADAR	CONFIG RESTORE	IV99579	CONFIGURATION RESTORE ONTO A CONSOLE WITH A DIFFERENT IP ADDRESS CAUSES QRADAR APPS TO NO LONGER WORK
QRADAR	LICENSE	IV99705	15XX APPLIANCES CAN HAVE INCORRECT LICENSE EPS VALUE WHEN ATTACHED MANAGED HOST HAS ENCRYPTION ENABLED
QRADAR NETWORK INSIGHTS	FLOW DATA	IV99710	FLOWS ARE UNEXPECTEDLY NO LONGER BEING RECEIVED FROM A QRADAR NETWORK INSIGHTS APPLIANCE

**Resolved issues for 7.3.0 Patch 5**
Product	Component	Number	Description
QRADAR VULN MANAGER	DEPLOY	IJ00132	QRADAR VULNERABILITY MANAGER IS IN THE PROCESS OF BEING DEPLOYED MESSAGE ON VULNERABILITIES TAB AFTER PATCHING.
QRADAR	APPLICATION FRAMEWORK	IJ00258	APPLICATION TABS CAN FAIL TO LOAD AFTER UPGRADING TO QRADAR 7.3.0 PATCH 4.
QRADAR	FLOWS	IJ00259	NO QFLOW DATA RECEIVED FROM 1202 APPLIANCES AFTER UPGRADING/PATCHING TO QRADAR 7.3.0 PATCH 4.
QRADAR	UPGRADING	IJ00458	GLUSTER DAEMON IS NOT STOPPED WHEN UPDATING GLUSTER RPMS DURING A QRADAR 7.3.0 UPGRADE

**Issues resolved in QRadar 7.3.0 Patch 4**
Product	Component	Number	Description
QRADAR	SECURITY BULLETIN	CVE-2017-1162	IBM QRADAR SIEM IS VULNERABLE TO INFORMATION EXPOSURE (CVE-2017-1162)
QRADAR	SECURITY BULLETIN	CVE-2017-7957	OPEN SOURCE XSTREAM AS USED IN IBM QRADAR SIEM IS VULNERABLE TO DENIAL OF SERVICE (CVE-2017-7957)
QRADAR	SECURITY BULLETIN	MULTIPLE	IBM JAVA SDK AS USED IN IBM QRADAR SIEM IS VULNERABLE TO MULTIPLE CVE’S
QRADAR	DEPLOY	IV99206	DEPLOY PROCESS CAN TIMEOUT DUE TO /OPT/QRADAR/CONF/ DIRECTORY PERMISSION CHANGES AFTER A PATCH/UPGRADE
QRADAR	UPGRADE	IV98727	MISSING FILES IN /STORETMP/UPGRADE ERRORS WHEN RUNNING /ROOT/COMPLETE_UPGRADE.SH SCRIPT AFTER A FAILED UPGRADE
VULNERABILITY MANAGER	EXTERNAL SCANS	IV98250	QVM SCANNING THAT USES THE IBM EXTERNAL SCANNER FAIL TO START AFTER PATCHING
QRADAR	CUSTOM ACTION SCRIPTS	IV97846	USING RULE RESPONSE 'EXECUTE CUSTOM ACTION' CAN SOMETIMES NOT WORK AS EXPECTED
VULNERABILITY MANAGER	SCAN RESULTS	IV97212	DEFINED QVM NETWORK EXCEPTIONS ARE NOT HONORED
QRADAR	INSTALLATION	IV96860	CONSOLE INSTALLATION OF QRADAR 7.3.0.X CAN FAIL WHEN UTC TIMEZONE IS SELECTED
QRADAR	LOG ACTIVITY INTERFACE	IV96423	'GENERAL FAILURE. PLEASE TRY AGAIN' MESSAGE WHEN A LOG ACTIVITY SEARCH WITH REF TABLE FILTER 'USER SPECIFIED VALUE' IS RUN
INCIDENT FORENSICS	LICENSING	IV96403	ERROR ALLOCATING LICENSE ID ### WITH HOST IP 'xxx.xxx.xxx.xxx' WHEN ATTEMPTING TO APPLY FORENSICS LICENSE
VULNERABILITY MANAGER	SCAN REPORT	IV96372	INCOMPLETE VULNERABILITY REPORT CAN BE GENERATED WHEN RUNNING AGAINST ASSETS CONTAINED IN THE SAME CIDR
QRADAR	DISK SPACE/LOGGING	IV96357	/VAR/LOG/ PARTITION CAN RUN OUT OF SPACE DUE TO LOGS FILLING WITH MESSAGES 'THE USERSESSION OBJECT IN SESSIONCONTEXT...'
QRADAR	HISTORICAL CORRELATION	IV96193	LOWER THAN EXPECTED PERFORMANCE RESULTS WHEN USING HISTORICAL CORRELATION
QRADAR	SERVICES	IV96190	HOSTCONTEXT CAN RUN OUT OF MEMORY DUE TO TASK MANAGEMENT DATABASE TABLE BECOMING CORRUPTED
QRADAR	APPLICATIONS	IV95751	QRADAR DOCKER LOGGING REPORTS 'AN UNEXPECTED ERROR OCCURRED PERFORMING MONITOR [QAPP_MONITOR]'
QRADAR	ASSET USER INTERFACE	IV93867	THE ASSET DETAILS, ASSET SUMMARY WINDOW OF AN ASSET CAN SOMETIMES BE MISSING THE 'OPERATING SYSTEM' DATA
QRADAR	SEARCH FILTER	IV93076	RESULTS IN REPORT DATA CAN SOMETIMES NOT MATCH SEARCH RESULTS WHEN AN 'OR' CONDITION EXISTS IN SEARCH FILTERS
QRADAR	ROUTING RULES	IV91783	CREATING ROUTING RULES FOR EVENTS IS NOT AN AVAILABLE OPTION FOR QRADAR 1805, 1824, 1848, 1899 APPLIANCES
QRADAR	OFFENSES INTERFACE	IV91103	THE 'ASSIGNED TO' LINK IN AN OPEN OFFENSE SUMMARY WINDOW DOES NOT WORK
QRADAR	ASSET PROFILE	IV89590	THE 'ASSET NAME' FIELD FOR ASSETS CAN SOMETIMES BE BLANK
QRADAR	CUSTOM ACTION SCRIPTS	IV86075	A CUSTOM ACTION SCRIPT USING THE PARAMETER 'CREEVENTLIST' CAN FAIL AND GENERATE AN EXCEPTION IN QRADAR LOGGING

**Issues resolved in QRadar 7.3.0 Patch 3**
Product	Component	Number	Description
QRADAR	USER INTERFACE	IV98386	LOG SOURCE USER INTERFACE DOES NOT SAVE ENABLED, COALESCING EVENTS, STORE EVENT PAYLOAD, AND GROUP ASSIGNMENT CHECK BOX ACTIONS
QRADAR	USER INTERFACE	IV98410	AN ERROR OCCURRED WHEN PARSING THIS EVENT'S PAYLOAD. YOU'LL NOT BE ABLE TO EDIT ITS MAPPING' WHEN MAPPING EVENTS

**Issues resolved in QRadar 7.3.0 Patch 2**
Product	Component	Number	Description
QRADAR	SEARCH	IV89196	REALTIME STREAMING CAN FAIL TO DISPLAY EVENTS WHEN FILTERING ON EVENTPROCESSOR
QRADAR	INTERFACE	IV89672	LDAP HOVER TEXT TOOLTIP DISPLAYS DUPLICATE VALUES
QRADAR	SEARCH	IV91674	SEARCHES USING A GEOGRAPHIC LOCATION FILTER CAN RETURN UNEXPECTED RESULTS (RESOLVED IN 7.2.8 PATCH 6 AND IN 7.3.0 PATCH 2)
VULNERABILITY MANAGER	INTERFACE	IV92973	A SCHEDULED SCAN IN QRADAR VULNERABILITY MANAGER CAN BE STARTED MULTIPLE TIMES ONE MINUTE APART
QRADAR	DATA NODE	IV93697	DATA NODES MAY NOT REBALANCE CORRECTLY IF THERE ARE MULTIPLE DESTINATIONS
QRADAR	CLI	IV93847	RUNNING THE ARIEL_QUERY.PY SCRIPT FROM A CONSOLE COMMAND LINE CAN RETURN EXTRA SPACES IN THE RESULTS
QRADAR	LICENSE	IV94195	EVENT COLLECTOR APPLIANCES (15XX) ARE ASSIGNED A EPS VALUE OF 450 INSTEAD OF THEIR PROCESSOR'S VALUE
FORENSICS	DEPLOY	IV94790	FORENSICS RECOVERY JOBS CAN BECOME ORPHANED IF INTERRUPTED BY A 'DEPLOY FULL CONFIGURATION'
QRADAR	SERVICES	IV95251	HOSTCONTEXT CAN SOMETIMES NOT START AFTER UPGRADING QRADAR WITH 'FAILED TO ACQUIRE JMS CONNECTION' IN QRADAR.ERROR G
QRADAR	UPGRADE	IV97144	PREVIOUS CORRUPTION IN NVA.CONF CAN CAUSE SOME UPGRADES TO QRADAR 7.3.0.X TO FAIL

**Issues resolved in QRadar 7.3.0 Patch 1**
Number	Description
SECURITY BULLETIN	IBM JAVA AS USED IN IBM QRADAR SIEM IS VULNERABLE TO MULTIPLE CVES
IV95246	THERE ARE NOT ENOUGH UNALLOCATED EPS IN THE POOL TO MAINTAIN THE EVENT RATE LIMITS THAT ARE ASSIGNED TO THE MANAGED HOSTS
IV94784	QRADAR USER INTERFACE OUTAGES WITH LOGS DISPLAYING HOSTCONTEXT '...TOO MANY OPEN FILES' MESSAGES
IV94700	FORENSICS APPLIANCE UPGRADE TO QRADAR 7.3 CAN SOMETIMES FAIL
IV93961	'DELETE LISTED' OPTION WHILE FILTERED ON A REFERENCE SET DATA LIST CAN DELETE ALL REFERENCE SET DATA
IV93459	SYSTEM AND LICENSE MANAGEMENT CAN TAKE A LONGER THAN EXPECTED TIME TO LOAD IN LARGE QRADAR DEPLOYMENTS
IV92977	VULNERABILITY SEARCH DASHBOARD ITEMS CHANGES DO NOT PERSIST AFTER LOG OUT OF THE QRADAR USER INTERFACE
IV92852	REPORTS RUNNING ON 'ACCUMULATED DATA' CAN SOMETIMES FAIL DUE TO THE GLOBAL VIEW DAILY ROLLUPS FAILING
IV92466	QRADAR SEARCHES CAN FAIL TO COMPLETE AND/OR DASHBOARD DATA CAN FAIL TO LOAD DUE TO AN ARIEL CONNECTION LEAK
IV91679	I/O ERROR FOR MANAGED HOST(S) DISPLAYED IN THE SEARCH WINDOW WHILE RUNNING LOG AND/OR NETWORK ACTIVITY SEARCHES
IV91675	AN 'APPLICATION ERROR' CAN BE DISPLAYED FOR NEW USERS LOGGING INTO THE QRADAR USER INTERFACE INSTEAD OF A DEFAULT DASHBOARD
IV91634	ARIEL SEARCHES THAT ARE RUN USING API VERSION 7.0+ DO NOT RETURN PAYLOAD PROPERLY FOR PARSING
IV91615	'ERROR: COULD NOT FIND OR LOAD MAIN CLASS COM.Q1LABS.CORE.UTIL . PASSWORDENCRYPT' WHEN CONFIGURING LDAP HOVER FEATURE
IV91607	'UNEXPECTED ERROR WHILE RETRIEVING GET_LOGS STATUS' WHEN A NON-ADMIN USER ACCESSES SYSTEM AND LICENCE MANAGEMENT
IV90795	DRILLING INTO A SEARCH THAT WAS GROUPED BY A CUSTOM EVENT PROPERTY WITH PARENTHESIS DOES NOT WORK AS EXPECTED
IV90792	USERS WITH DEFAULT DOMAIN PERMISSIONS CANNOT VIEW LOG SOURCE AND LOG SOURCE GROUP EVENT FILTERS
IV90791	'APPLICATION ERROR' WHEN OPENING SOME OFFENSES
IV89591	LARGE CSV EXPORTS FROM QVM 'SCAN RESULTS' CAN TAKE AN UNEXPECTEDLY LONG TIME TO COMPLETE
IV89558	FILTERING BY PHRASE OR VENDOR IN A SCAN POLICY VULNERABILITY SEARCH RETURNS INCOMPLETE RESULTS
IV77665	SOME QRADAR ADVANCED SEARCHES DO NOT COMPLETE, DISPLAYING 'IN PROGRESS 0% COMPLETE'
IV75242	NETFLOW FORWARDING CAN BE INCONSISTENT FROM A HIGH AVAILABILITY PAIR

**Issues resolved in QRadar 7.3.0**
Number	Description
IV94244	QRADAR PATCHING TO 7.3.0 CAN FAIL AT 'ERROR: THE UPGRADE PHASE SCRIPT 40-PRESERVE_PROTECTED_SEARCH_RESULTS.SH FAILED...'
IV91030	QRADAR APPS THAT REQUIRE SPECIFIC USER ROLE PERMISSIONS CAN STOP WORKING AFTER PATCHING TO QRADAR 7.2.8 PATCH 1
IV88705	ASSET UI SCREEN APPLICATION ERROR DISPLAYED DUE TO DELETED ASSET SEARCH
IV89204	QRADAR ASSET PROFILER TREATS HOSTNAMES WITH DIFFERENT CASE CHARACTERS AS SEPARATE ASSETS
IV84736	TOMCAT OUT OF MEMORY CAN OCCUR CAUSING THE USER INTERFACE TO BECOME INACCESSIBLE
IV91288	OFFENSES CAN SOMETIMES STOP GENERATING WHEN OFFENSES ARE INDEXED ON CUSTOM PROPERTIES
IV88270	USING COMPLEX FILTERS ON LOG AND/OR NETWORK ACTIVITY PAGE SEARCHES CAN CAUSE PIPELINE PERFORMANCE ISSUES/NOTIFICATION
IV90364	SETTING A CUSTOMIZED 'RULE RESPONSE' NAME/DESCRIPTION FOR THE 'LACK OF DEVICE' RULE TEST DOES NOT WORK AS EXPECTED
IV78366	THE ECS-EC PROCESS CAN SOMETIMES RUN OUT OF MEMORY WHEN A LARGE NUMBER OF EVENTS WITH CUSTOM PROPERTIES ARE RECEIVED
IV89556	ECS-EP PROCESS RUNNING, BUT EVENT/FLOW PROCESSING NOT OCCURING ON A QRADAR APPLIANCE
IV90906	TIMES SERIES NOT WORKING FOR SOME NON-ADMIN QRADAR USERS
IV91098	INVAILD SUPER INDEXES CAN CAUSE 'GENERAL FAILURE. PLEASE TRY AGAIN' MESSAGES WHEN USED IN A FILTER IN SEARCHES
IV89015	APPLICATION ERROR WHEN DOUBLE CLICKING THE RESULTS OF AN 'ADVANCED SEARCH' (AQL)
IV90007	TIMESERIES ACCUMULATION AND/OR REPORTS CAN FAIL TO GENERATE IN SOME INSTANCES AFTER PATCHING TO QRADAR 7.2.7.X
IV89209	REPEATED ARIEL PROCESS OUT OF MEMORY OCCURANCES WITH LARGE VOLUMES OF DATA IN /STORE/TRANSIENT
IV89207	OPENING AN EVENT FROM AN ADVANCED SEARCH (AQL) RESULTS LIST CAN OPEN THE INCORRECT EVENT IF A COLUMN SORT HAS BEEN PERFORMED
IV90601	FLOW RETENTION WINDOW DOES NOT ACCURATELY DISPLAY DISTRIBUTION USAGE PERCENTAGES
IV73227	INTERMITTENT AND/OR FREQUENT QRADAR SYSTEM NOTIFICATIONS: 'ACCUMULATOR FALLING BEHIND'
IV87313	'SOURCE' AND 'DESTINATION' NETWORK GROUP SHOW FULL NETWORK HIERARCHY NAME WHEN ADDED AS A COLUMN TO DISPLAY
IV90633	QRADAR DATABASE REPLICATION PROCESS CAN TAKE A LONGER THAN EXPECTED AMOUNT OF TIME
IV89022	CUSTOM PROPERTIES SAVED TO ADVANCED SEARCHES (AQL) WITH INVALID SYNTAX ARE UNABLE TO BE DELETED
IV91638	IMPORTING VULNERABILITY SCAN DATA FROM XML INTO QRADAR CAN SOMETIMES FAIL WITH AN EXCEPTION IN THE LOGS
IV85834	EMAIL ADDRESS VALIDATION IN QRADAR ONLY ALLOWS FOUR CHARACTERS IN THE LAST SECTION OF THE DOMAIN
IV89662	UNABLE TO EDIT BULK ADDED LOG SOURCES AFTER A QRADAR CONFIGURATION RESTORE IS PERFORMED
IV90376	SECURITY APP EXCHANGE APPLICATIONS CAN FAIL TO COMMUNICATE IN SOME HIGH AVAILABILITY QRADAR CONFIGURATIONS
IV91071	QRADAR XX48 APPLIANCE ISO BUILDS CAN FAIL WITH 'INVALID ACTIVATION KEY' MESSAGE
IV90089	HOSTCONTEXT PROCESS NAME IS NOT CONSISTENT IN ALL AREAS OF QRADAR
IV86682	SYSTEM NOTIFICATIONS STATING 'THE PRIMARY HIGH AVAILABILITY SYSTEM FAILED' WHEN NO FAILOVER HAS OCCURRED
IV85384	HIGH AVAILABILITY STANDBY APPLIANCE USING CROSSOVER CABLE CAN HAVE ROUTING INCORRECTLY UPDATED
IV85366	QRADAR CONSOLE CONTINUES TO PING THE IP OF A MANAGED HOST CLUSTER AFTER IT IS REMOVED FROM THE DEPLOYMENT
IV87497	IO ERRORS WHEN PERFORMING SEARCHES AFTER A DEPLOY FUNCTION WHERE AN ENCRYPTED MANAGED HOST EXISTS IN THE DEPLOYMENT
IV74231	QRADAR ADMIN TAB DISPLAYS MESSAGE 'THERE ARE UNDEPLOYED CHANGES...' WHEN NO CHANGES HAVE BEEN MADE
IV87856	QRADAR PATCHES THAT INCLUDE A JAVA VERSION UPDATE DO NOT MOVE THE US EXPORT JAR FILES INTO THE APPROPRIATE DIRECTORY
IV89587	KEYBOARD CURSOR/ARROW KEYS AND CTRL-A FUNCTIONS ARE INCONSISTENT ACROSS THE QRADAR USER INTERFACE
IV76165	FLOW SOURCE ALIASES DO NOT APPEAR IN THE ADD FILTER, FLOW INTERFACE, 'VALUE:' DROP DOWN FOR NETWORK ACTIVITY SEARCHES
IV90069	LIST OF OPERATING SYSTEMS AVAILABLE TO SELECT FOR ASSETS IS MISSING SOME OS VERSION ENTRIES
IV90066	'GENERAL FAILURE. PLEASE TRY AGAIN' WHEN PERFORMING A 'GROUP BY' SEARCH OF A PROPERTY, FILTERED AGAINST A REFERENCE SET
IV93147	NETWORK HIERARCHY SEARCH ATTEMPT RESULTS IN POP UP MESSAGE 'AN ERROR OCCURRED, ARGUMENT TYPE MISMATCH'
IV89519	RULES THAT TEST AGAINST REFERENCE MAP OF DATA SETS CAN SOMETIMES FIRE UNEXPECTEDLY
IV89341	SINGLE RUN HOURLY REPORT CAN SOMETIMES RUN TWICE
IV88805	DOMAINS BASED ON CEP VALUE BROKEN STARTING IN QRADAR 7.2.7
IV89363	MULTIPLE SIMULTANEOUS REFERENCE DATA ADDITIONS AND/OR DELETIONS USING THE API CAN CAUSE THE QRADAR UI TO BECOME UNRESPONSIVE
IV87507	SOME DASHBOARD ITEMS NO LONGER DISPLAY IN THE QRADAR USER INTERFACE

[{"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Release Notes","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.3","Edition":"All Editions","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Tips