Release Notes
Abstract
This technical note contains installation instructions and a list of new features and resolved issues for the IBM Security QRadar Incident Forensics 7.5.0 Update Package 13 SFS. These instructions are intended for administrators who are upgrading to QRadar Incident Forensics 7.5.0 Update Package 13 by using an SFS file.
Content
What's New
For more information on new and changed features in QRadar Incident Forensic 7.5.0, see What's new in 7.5.0.
Console-Only Failover support:
Optimized backup validation response time during Disaster Recovery (DR) site activation, especially in large environments with more than 1000 backups at the primary site, reducing delays and improving recovery efficiency.
Infographic-based visualization in Offense tab
- Introduced infographic-based visual summaries in the QRadar Offense tab, enhancing situational awareness through:
  - Timeline views of offenses to monitor activity trends.
  - Magnitude-based ranking to prioritize offenses effectively.
  - Host-based categorization to quickly identify targeted assets.
- Infographic-based visual insights enable analysts to investigate and respond to threats more efficiently.
Enhanced Admin tab with Unified Interfaces
- Consistent and streamlined user experience across:
  - Store and Forward
  - Domain Management
  - Centralized Credentials
  - Resource Restrictions
- This enhancement simplifies system configuration and management through a consistent interface design.
Console-Only Apps Failover - Enabled seamless application continuity in console-only workflow when apps are hosted on console. This enhancement is fully supported in appliance installations, ensuring uninterrupted availability of critical application services after console-specific failover and failback scenarios.
Custom properties - Ability to use multiple capture groups and literals in regex custom properties:
Multiple capture groups for custom properties give customers the ability to use format strings and literal characters when defining a property, which allows you to extract non-contiguous strings from the payload.
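To show what "multiple capture groups plus literals" buys you, here is an added example (not IBM's code and not QRadar's custom-property syntax): a POSIX `sed -E` expression with two groups stands in for the property, and the `\1`/`\2` back-references plus literal text stand in for QRadar's format string (an assumption about how the feature maps, not its real syntax). The payload is constructed.

```shell
#!/bin/sh
# Added example, not IBM's code: a sed -E stand-in for a custom property that
# uses several capture groups and literal text. QRadar's own format-string
# syntax is not reproduced here; the back-references \1 and \2 stand in for it
# (assumption). The payload below is constructed, not a real event.

SAMPLE_PAYLOAD='Jul 18 01:14:46 fw01 sshd[4242]: Accepted publickey for alice from 10.0.0.7 port 51234 ssh2'

# One pattern with two groups: group 1 is the user name, group 2 the source IP.
# The two fields are not adjacent in the payload, which is exactly the case a
# single-group property cannot express.
PATTERN='.* for ([A-Za-z0-9._-]+) from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+) port .*'

# extract_property PAYLOAD TEMPLATE
# TEMPLATE mixes \1, \2 and literal characters. Nothing is printed when
# PATTERN does not match, which is how the property stays empty for
# unrelated events instead of producing a misleading value.
extract_property() {
    printf '%s\n' "$1" | sed -E -n "s|$PATTERN|$2|p"
}

# Two properties built from the same groups with different literals.
user_at_host() { extract_property "$1" '\1@\2'; }
ip_then_user() { extract_property "$1" 'src=\2 user=\1'; }

# Demonstration when run directly:
user_at_host "$SAMPLE_PAYLOAD"      # alice@10.0.0.7
ip_then_user "$SAMPLE_PAYLOAD"      # src=10.0.0.7 user=alice
user_at_host 'kernel: link is up'   # prints nothing: no match
```

The point to carry over to the DSM Editor is the last call: anchor the pattern tightly enough that an unrelated event yields no match (an empty property) rather than a partial match that fills the property with garbage.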
QRadar Host Monitoring via SNMPwalk - Enabled SNMPv3 and created UI to support SNMP polling (snmpwalk) of QRadar appliances. SNMPv3 is a secure protocol and is now supported for QRadar host monitoring to comply with modern security standards and IBM’s “Secure by Design” and “Secure by Default” paradigms.
Enhanced Partial Search Results Visibility for Running Searches - The number of partial search results visible during active queries in Log Activity and Network Activity has been increased from 40 to up to 1000 entries. This enhancement provides greater visibility into long-running searches, enabling users to explore more data in real-time and identify potential filters to refine results while the query is still executing.
Disaster Recovery and Data Centre backup and restore processes - Improved efficiency and reliability.
DSM Editor Enhanced Capabilities:
- Improved event parsing and mapping in F5 Networks, BIG-IP APM, VMware vCenter, Linux OS, McAfee ePolicy Orchestrator, and TLS Syslog
- Improved auto-population of Event ID and Event Category fields in the “Create a New Event Mapping” dialog
- Improved “Suggest Regex” feature for users with System Administrator capabilities
ERSPAN Traffic Support - QRadar can now collect ERSPAN (Encapsulated Remote Switched Port Analyzer) traffic, which means it can see mirrored network data directly. This helps with:
- Seamless Visibility into Remote and Virtual Environments
  ERSPAN enables QRadar to receive mirrored traffic from remote or virtual network segments over IP, providing deep visibility into environments where physical sensors are impractical. This allows customers to monitor hybrid and cloud infrastructures more effectively, ensuring consistent traffic analysis across the entire network.
- Reduced Deployment Complexity and Cost
  By leveraging ERSPAN, customers can eliminate the need for dedicated packet capture appliances at every location. Network devices can send traffic directly to QRadar, simplifying the architecture and significantly lowering deployment and maintenance costs while speeding up time-to-value.
- Improved Threat Detection and Network Forensics
  With ERSPAN traffic support, QRadar can perform detailed packet inspection and enrich flow records, enabling detection of threats that may bypass traditional flow analysis. This enhances customers' ability to identify APTs and policy violations, thereby strengthening security posture.
Improved MAC Address Visibility in QRadar for Smarter Threat Detection - QRadar now reads MAC addresses in key flow types like QFlow, SFlow, and Packeteer. This helps with:
1. Enhanced Asset Identification and Correlation
By incorporating MAC addresses into all flow data—including third-party sources—QRadar can more accurately identify and track network assets, even when IP addresses change due to DHCP. This helps customers maintain a more reliable and persistent asset inventory, improve correlation accuracy, and reduce false positives in threat detection.
2. Improved Network Forensics and Lateral Movement Detection
MAC addresses provide a lower-layer identifier that’s harder to spoof than IP addresses. Including MAC data in all flows enables QRadar to trace device movements across subnets, detect unauthorized devices, and reconstruct attack paths with greater precision. This significantly enhances investigations and the detection of stealthy movement within the network.
3. Verifiable device identity
With consistent MAC-level visibility, QRadar can better monitor policy enforcement in segmented networks and detect violations at the hardware level. This helps ensure that device identity is verifiable and auditable, regardless of IP reassignment or obfuscation.
Enhanced Asset APIs:
a) DELETE API. The Delete Assets API is a fundamental feature that has been missing from QRadar for a long time. With this API, customers can integrate their environments (e.g., CMDB) to remove outdated assets and maintain synchronized data with the QRadar environment.
Whenever applications need to interact with the asset model, APIs are the only available method. Therefore, this API has strong potential to be utilized by applications in the future.
b) Extended GET API. Product information is required for assets so that any consumer can identify the type of asset based on the data. UEBA will be a potential consumer of this extended API, using the product details to enrich the context of monitored entities. This provides analysts with a clearer view, helping them identify which operating system is associated with a specific entity.
Resolved Issues
For the Known Issues records of the issues resolved in QRadar Incident Forensic 7.5.0 Update Package 13, see Known Issues. The Known Issues search page allows you to search for Known Issues by version or status.
Some Known Issues links might take 24 hours to display properly after a software release is posted to IBM Fix Central.
The following is a list of Known Issues fixed in QRadar Incident Forensic 7.5.0 Update Package 13:
- DT397715: If the "qradar" postgresql database is in use during a configuration restore, it can cause the restore to fail, invalidating the database.
- DT423482: podman_apps_registry_restore.sh stuck when registry keystore is broken.
- DT435262: Reference set "does not exist in any/all of" filters return incorrect search results.
- DT433453: Ariel queries with a criteria involving indexed properties open data files in cases where it should not, reducing search speed.
- DT098936 IJ31082: 'ACCUMULATOR FALLING BEHIND' NOTIFICATIONS AFTER DEFAULT GLOBAL VIEWS FOR EVENT RATE AND FLOW RATE HAVE BEEN RECREATED.
- DT435224: Warning message "/opt/qradar/bin/setComponentThreadSchedulerPolicy.sh: failed to set scheduler".
- DT443486: Ariel out of memory due to map failed
- DT211814: F5 networks big-ip apm events can display 'parsed but not mapped' in DSM Editor
- DT208415: Linux OS and McAfee ePolicy Orchestrator, TLS Syslog, some events parsing correctly in log activity but display as unknown in the DSM Editor
- DT259062: VMWare VCenter events show parsed but not mapped in DSM editor
- DT393964: The Event Id and Event Category values are not automatically populated in the 'Create a New Event Mapping' dialog box for some DSMs
- DT431870: Suggest Regex feature in DSM Editor does not work unless the user role is set to Admin
- DT257046: High Availability setup may fail on systems with very large drives
- DT258339: High availability setup can fail or take an excessive amount of time to complete on hosts with large /store filesystems
- DT386499: QRadar Trend Micro Deep Discovery Director and Inspector event mapping issue
- DT389459: QRadar hosts installed using a RHEL8-based ISO and legacy BIOS cannot reinstall using the recovery ISO
- DT423351: Parallel Patch -l option (limit bandwidth) not applied
- DT425142: qradarca-monitor restarts services every hour when expiring cert is skipped for regeneration
- DT425543: Upgrading QRadar environment on appliance installs in High Availability to 7.5.0 Update Package 11 can cause the secondary to fail
- DT435327: UP11: Export as Building Block is not visible in rule wizard in light mode
- DT435505: QRadar: Search Parameter section in Edit or New Search has buttons covering items in some cases in Dark Mode.
- DT438885: QRadar: CEP (Custom property) cache issues when a system has over 1000 properties.
- DT439079: Header text is not visible in Offenses -> Rules table for Dark theme
- DT439093: Some appliances are now getting a timebomb license with a one-month expiration
- DT439346: License is over allocated after patching to UP11 with software ECs with QVM Scanners
- DT440166: Backup failing after upgrade to UP12 or UP12 IF01
- DT131234: IJ38812: TIME_SYNC.SH CAN FAIL TO COMPLETE SUCCESSFULLY IF SOCAT TAKES LONGER THAN 0.5 SECONDS TO CONNECT
- DT211483 IJ46412: FRENCH LANGUAGE SYMANTEC ENDPOINT PROTECTION EVENTS DO NOT DISPLAY AS EXPECTED IN THE DSM EDITOR
- DT252109 IJ47681: REPORT WIZARD CAN UNEXPECTED SELECT THE CSV FORMAT WHEN USERS CLICK THE BACK BUTTON
- DT439080: Connection lost from EC to EP: Channel key IO Error
Known issues
- DT446222: Hostcontext error visible in the logs when creating backup on the ui on backup and recovery
- DT446199: SAML IdP server metadata generator page is not getting Open from Browser URL for QRadar IPV6 environment
- DT446281: Data Sync App - Software Install setup : Apps Restore functionality showing validation and Failover is not getting initiated in the new DSApp v3.2.2
Upgrade information
QRadar Incident Forensic 7.5.0 Update Package 13 resolves reported issues from users and administrators from previous QRadar Incident Forensic versions. This cumulative software update fixes known software issues in your QRadar Incident Forensic deployment. QRadar Incident Forensic software updates are installed by using an SFS file, and update all appliances attached to the QRadar Console.
The 750-QRADAR-QIFSFS-2021.6.13.20250718011446 SFS file can upgrade the following QRadar Incident Forensics versions to QRadar Incident Forensics 7.5.0 Update Package 13:
- QRadar Incident Forensic 7.5.0 Update Package 10
- QRadar Incident Forensic 7.5.0 Update Package 10 Interim Fix 01 to Interim Fix 02
- QRadar Incident Forensic 7.5.0 Update Package 11
- QRadar Incident Forensic 7.5.0 Update Package 11 Interim Fix 01 to Interim Fix 04
- QRadar Incident Forensic 7.5.0 Update Package 12
- QRadar Incident Forensic 7.5.0 Update Package 12 Interim Fix 01 to Interim Fix 03
This document does not cover all the installation messages and requirements, such as changes to appliance memory requirements or browser requirements for QRadar Incident Forensic. To review any additional requirements, see the QRadar Upgrade Guide.
See QRadar: Software update check list for administrators for a list of steps to review before you update your QRadar Incident Forensic deployment.
Before you begin
Ensure that you take the following precautions:
- Back up your data before you begin any software upgrade. For more information about backup and recovery, see the QRadar Administration Guide.
- To avoid access errors in your log file, close all open QRadar sessions.
- The QRadar Incident Forensic software update cannot be installed on a managed host that is at a different software version from the Console. All appliances in the deployment must be at the same software revision to update the entire deployment.
- Verify that all changes are deployed on your appliances. The update cannot install on appliances that have changes that are not deployed.
- If you are attempting a new installation of QRadar, review the instructions in the QRadar Installation Guide.
Installing the QRadar Incident Forensic 7.5.0 Update Package 13 Software Update
These instructions guide you through the process of upgrading an existing QRadar version to QRadar Incident Forensic 7.5.0 Update Package 13. To update appliances in parallel, see: QRadar: How to Update Appliances in Parallel.
Procedure
- Download the software update to install QRadar Incident Forensic 7.5.0 Update Package 13 from the IBM Fix Central website: 7.5.0-QRADAR-QIFSFS-20250718011446
Important: Confirm that you are installing the latest SFS file, posted on 07/29/2025. The sha256sum of the updated file is a2cb3ee1c7bd762dfee64ef381b177ff95a1ccb0aaae46b0e4c751a75255cf9c
- Use SSH to log in to your Console as the root user.
- To verify you have enough space (10GB) in /store/tmp for the QRadar Console, type the following command:
df -h /tmp /storetmp /store/transient | tee diskchecks.txt
- Best directory option: /storetmp
It is available on all appliance types at all versions. In QRadar Incident Forensic 7.5.0 versions, /store/tmp is a symlink to the /storetmp partition.
If the disk check command fails, retype the quotation marks from your terminal, then rerun the command. This command returns the details to both the command window and to a file on the Console named diskchecks.txt. Review this file to ensure that all appliances have at minimum 10GB of space available in a directory to copy the SFS before you attempt to move the file to a managed host. If required, free up disk space on any host that has less than 10GB available.
- To create the /media/updates directory, type the following command:
mkdir -p /media/updates
- Use SCP to copy the SFS file to the /storetmp directory on the QRadar Console, or to another location with 10GB of disk space.
- Change to the directory where you copied the patch file. For example,
cd /storetmp
- To mount the patch file to the /media/updates directory, type the following command:
mount -o loop -t squashfs /storetmp/750-QRADAR-QIFSFS-2021.6.13.20250718011446.sfs /media/updates
- To run the patch installer, type the following command:
/media/updates/installer
Note: The first time that you run the software update, there might be a delay before the software update installation menu is displayed.
- Using the patch installer, select all.
- The all option updates the software on all appliances in the following order:
  - Console
  - No order is required for the remaining appliances. All remaining appliances can be updated in any order that you require.
If you do not select the all option, you must select your Console appliance.
As of QRadar Incident Forensic 7.2.6 Patch 4 and later, you are only provided the option to update all or update the Console appliance. Managed hosts are not displayed in the installation menu to ensure that the Console is patched first. After the Console is patched, a list of managed hosts that can be updated is displayed in the installation menu. This change was made starting with QRadar Incident Forensic 7.2.6 Patch 4 to ensure that the Console appliance is always updated before managed hosts to prevent upgrade issues.
If you want to patch systems in series, you can update the Console first, then copy the patch to all other appliances and run the patch installer individually on each managed host. The Console must be patched before you can run the installer on managed hosts. When you update in parallel, there is no order required in how you update appliances after the Console is updated.
If your Secure Shell (SSH) session is disconnected while the upgrade is in progress, the upgrade continues. When you reopen your SSH session and rerun the installer, the patch installation resumes.
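The disk-space and checksum steps above are the ones most often skipped when an upgrade is run by hand, so here is an added pre-flight script (not IBM's installer and not taken from the page) that applies them before anything is mounted. It uses the directories, SFS filename, 10GB minimum and published sha256sum from the procedure; the function names and the pass/fail report format are this example's own.

```shell
#!/bin/sh
# Added example, not IBM's code: pre-flight checks for the SFS upgrade.
# Values below come from the procedure; only the helper names are invented.

EXPECTED_SHA256='a2cb3ee1c7bd762dfee64ef381b177ff95a1ccb0aaae46b0e4c751a75255cf9c'
SFS_FILE='/storetmp/750-QRADAR-QIFSFS-2021.6.13.20250718011446.sfs'
MIN_GB=10

# free_gb DIR: whole gigabytes available on the filesystem that holds DIR.
# df -P gives fixed POSIX columns in 1K blocks; column 4 is "Available".
free_gb() {
    df -Pk "$1" 2>/dev/null | awk 'NR==2 { printf "%d\n", $4 / 1048576 }'
}

# has_space DIR MIN_GB: succeed only if DIR has at least MIN_GB free.
# A missing directory yields an empty value and therefore fails the test.
has_space() {
    [ "$(free_gb "$1")" -ge "$2" ] 2>/dev/null
}

# sha256_matches FILE EXPECTED: succeed only if FILE hashes to EXPECTED.
# A missing or unreadable file produces an empty hash and fails the check,
# so a typo in the path cannot pass as a verified download.
sha256_matches() {
    actual=$(sha256sum "$1" 2>/dev/null | awk '{ print $1 }')
    [ "$actual" = "$2" ]
}

# preflight: run every check, print one line per result, return non-zero
# if any check failed so the mount/installer steps are not attempted.
preflight() {
    rc=0
    for d in /tmp /storetmp /store/transient; do
        if has_space "$d" "$MIN_GB"; then
            echo "OK   $d has $(free_gb "$d") GB free"
        else
            echo "FAIL $d has less than ${MIN_GB} GB free (or does not exist)"
            rc=1
        fi
    done
    if sha256_matches "$SFS_FILE" "$EXPECTED_SHA256"; then
        echo "OK   sha256sum matches for $SFS_FILE"
    else
        echo "FAIL sha256sum mismatch or file missing: $SFS_FILE"
        rc=1
    fi
    return $rc
}

preflight || echo 'Pre-flight failed; do not mount the SFS.' >&2
```

Run it on the Console after the SCP step; only when every line reads OK should you continue with `mkdir -p /media/updates`, the `mount -o loop -t squashfs ...` command and `/media/updates/installer` from the procedure. The checksum check is the one that matters for integrity: it rejects a file that was replaced or truncated in transit, while the `df` check only prevents a half-written copy.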
Installation wrap-up
- If a system reboot is not initiated after the patch completes and you have exited the installer, type the following command:
umount /media/updates
- Clear your browser cache before you log in to the Console.
- Delete the SFS file from all appliances.
- To run AQL queries that use geographic data or the flags on the Log Activity tab, update to the latest database from MaxMind after you upgrade to 7.5.0 Update Package 13.
Results
A summary of the software update installation advises you of any managed hosts that were not updated. If the software update fails to update a managed host, you can copy the software update to the host and run the installation locally.
After all hosts are updated, send an email to your team to inform them that they will need to clear their browser cache before they log in to the QRadar Incident Forensic interface.
Security Bulletin
Security Bulletin: IBM QRadar SIEM contains multiple vulnerabilities
Product Synonym
QRadar Incident Forensics
Document Information
Modified date:
07 August 2025
UID
ibm17236488