IBM Support

Release of QRadar Incident Forensics 7.5.0 Update Package 13 ISO (2021.6.12.20250718011446)

Release Notes

Abstract

A list of the installation instructions, new features, and resolved issues for the release of QRadar Incident Forensics 7.5.0 Update Package 13 (2021.6.12.20250718011446) ISO. These instructions are intended for administrators who want to install QRadar Incident Forensics 7.5.0 Update Package 13 by using an ISO file.

Content

What's new

For more information on new and changed features in QRadar Incident Forensics 7.5.0, see What's new in 7.5.0.

Console-Only Failover support - Optimized backup validation response time during Disaster Recovery (DR) site activation, especially in large environments with more than 1000 backups at the Primary site, reducing delays and improving recovery efficiency.

Infographic-based visualization in Offense tab

  • Introduced infographic-based visual summaries in the QRadar Offense tab, enhancing situational awareness through:
    • Timeline views of offenses to monitor activity trends.
    • Magnitude-based ranking to prioritize offenses effectively.
    • Host-based categorization to quickly identify targeted assets.
  • Infographic-based visual insights enable analysts to investigate and respond to threats more efficiently.

Enhanced Admin tab with Unified Interfaces

  • Consistent and streamlined user experience across:
    • Store and Forward
    • Domain Management
    • Centralized Credentials
    • Resource Restrictions
  • This enhancement simplifies system configuration and management through a consistent interface design.

Console-Only Apps Failover - Enabled seamless application continuity in the console-only workflow when apps are hosted on the Console. This enhancement is fully supported in appliance installations, ensuring uninterrupted availability of critical application services after console-specific failover and failback scenarios.

Custom properties - Multiple capture groups and literals in regex custom properties: a custom property's regex can now contain several capture groups, and the property definition can combine them with format strings and literal characters. This lets you extract non-contiguous strings from the payload into a single property value.
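The following is an added example, not code from IBM or from this page, that shows the mechanism in plain Python: a regex with several capture groups is applied to a payload and the property value is assembled from a format string that mixes group references with literal characters. The `$1`, `$2` reference syntax, the sample payload and the function names are assumptions made for the illustration; QRadar's own format-string syntax is not described above.

```python
import re
from typing import List, Optional

# Constructed sample payload (not taken from the page): an authentication
# log line in which the two fields we want are separated by other text.
SAMPLE_PAYLOAD = (
    "Jul 18 01:14:46 fw01 auth: user=alice src=10.0.0.5 "
    "action=LOGIN_OK session=0x1f3a"
)

# Assumed format-string syntax for this example: "$1", "$2", ... stand for
# capture groups; every other character is emitted literally.
GROUP_REF = re.compile(r"\$(\d+)")


def validate_format(pattern: str, fmt: str) -> List[int]:
    """Return the group numbers referenced by fmt that pattern does not define.

    An empty list means every $n maps to a real capture group, which is the
    check to run before a property definition is saved."""
    defined = re.compile(pattern).groups
    return [int(n) for n in GROUP_REF.findall(fmt) if int(n) < 1 or int(n) > defined]


def extract_property(payload: str, pattern: str, fmt: Optional[str] = None) -> Optional[str]:
    """Apply a regex with one or more capture groups to a payload and build the
    property value from the format string.

    With fmt=None the value is capture group 1, the classic single-group
    behaviour. A group that did not take part in the match (for example an
    optional field that is absent) contributes an empty string."""
    if validate_format(pattern, fmt or "$1"):
        raise ValueError("format string references a capture group the regex does not define")
    match = re.search(pattern, payload)
    if match is None:
        return None  # property stays empty when the regex does not match
    if fmt is None:
        return match.group(1) or ""
    return GROUP_REF.sub(lambda ref: match.group(int(ref.group(1))) or "", fmt)
```

Running `extract_property(SAMPLE_PAYLOAD, r"user=(\w+) .*?action=(\w+)", "$1:$2")` yields `alice:LOGIN_OK`, a value that does not exist contiguously in the payload; `validate_format` catches a format string that refers to a group the regex does not have, which is the common mistake when a property definition is edited.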

QRadar Host Monitoring via SNMPwalk - Enabled SNMPv3 and added a UI to configure SNMP polling (snmpwalk) of QRadar appliances. SNMPv3 is a secure protocol and is now supported for QRadar host monitoring to comply with modern security standards and IBM's "Secure by Design" and "Secure by Default" paradigms.

Enhanced Partial Search Results Visibility for Running Searches - The number of partial search results visible during active queries in Log Activity and Network Activity has been increased from 40 to up to 1000 entries. This enhancement provides greater visibility into long-running searches, enabling users to explore more data in real time and identify potential filters to refine results while the query is still executing.

Disaster Recovery and Data Centre backup and restore processes - Improved efficiency and reliability.

DSM Editor Enhanced Capabilities:

  • Improved event parsing and mapping in F5 Networks, BIG-IP APM, VMware vCenter, Linux OS, McAfee ePolicy Orchestrator, and TLS Syslog
  • Improved auto-population of Event ID and Event Category fields in the “Create a New Event Mapping” dialog
  • Improved “Suggest Regex” feature for users with System Administrator capabilities

ERSPAN Traffic Support - QRadar can now collect ERSPAN (Encapsulated Remote Switched Port Analyzer) traffic, which means it can see mirrored network data directly. This helps with:

  1. Seamless Visibility into Remote and Virtual Environments
    ERSPAN enables QRadar to receive mirrored traffic from remote or virtual network segments over IP, providing deep visibility into environments where physical sensors are impractical. This allows customers to monitor hybrid and cloud infrastructures more effectively, ensuring consistent traffic analysis across the entire network.
  2. Reduced Deployment Complexity and Cost
    By leveraging ERSPAN, customers can eliminate the need for dedicated packet capture appliances at every location. Network devices can send traffic directly to QRadar, simplifying the architecture and significantly lowering deployment and maintenance costs while speeding up time-to-value.
  3. Improved Threat Detection and Network Forensics
    With ERSPAN traffic support, QRadar can perform detailed packet inspection and enrich flow records, enabling detection of threats that may bypass traditional flow analysis. This enhances customers' ability to identify APTs and policy violations, thereby strengthening security posture.
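To make concrete what "receiving mirrored traffic over IP" means for a sensor, here is an added example (not IBM code and not the QRadar implementation) that decapsulates a GRE + ERSPAN Type II packet and summarizes the mirrored Ethernet frame inside it. The header layout follows the published ERSPAN Type II format (GRE protocol type 0x88BE, then an 8-byte ERSPAN header carrying version, VLAN, CoS, session ID and index); the sample packet is constructed inline, and the function and field names are this example's own.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional

GRE_PROTO_ERSPAN_II = 0x88BE  # GRE protocol type that carries ERSPAN Type II

# GRE header flag bits (RFC 2784 / RFC 2890) in the first 16-bit word.
GRE_FLAG_CHECKSUM = 0x8000
GRE_FLAG_KEY = 0x2000
GRE_FLAG_SEQUENCE = 0x1000


@dataclass
class ErspanFrame:
    gre_sequence: Optional[int]
    version: int
    vlan: int
    cos: int
    encap: int
    truncated: bool
    session_id: int
    index: int
    inner_frame: bytes


def parse_gre_erspan_ii(buf: bytes) -> ErspanFrame:
    """Decapsulate GRE + ERSPAN Type II and return header fields plus the
    mirrored Ethernet frame. Anything malformed raises ValueError: a sensor
    must not treat a truncated or non-ERSPAN packet as mirrored traffic."""
    if len(buf) < 4:
        raise ValueError("short GRE header")
    flags, proto = struct.unpack("!HH", buf[:4])
    if proto != GRE_PROTO_ERSPAN_II:
        raise ValueError(f"GRE protocol 0x{proto:04x} is not ERSPAN Type II")
    off = 4
    if flags & GRE_FLAG_CHECKSUM:
        off += 4  # checksum + reserved1
    if flags & GRE_FLAG_KEY:
        off += 4
    seq = None
    if flags & GRE_FLAG_SEQUENCE:
        if len(buf) < off + 4:
            raise ValueError("short GRE sequence field")
        seq = struct.unpack("!I", buf[off:off + 4])[0]
        off += 4
    if len(buf) < off + 8:
        raise ValueError("short ERSPAN header")
    word1, word2 = struct.unpack("!II", buf[off:off + 8])
    version = word1 >> 28
    if version != 1:
        raise ValueError(f"ERSPAN version {version} is not Type II")
    return ErspanFrame(
        gre_sequence=seq,
        version=version,
        vlan=(word1 >> 16) & 0xFFF,
        cos=(word1 >> 13) & 0x7,
        encap=(word1 >> 11) & 0x3,
        truncated=bool((word1 >> 10) & 0x1),
        session_id=word1 & 0x3FF,
        index=word2 & 0xFFFFF,
        inner_frame=buf[off + 8:],
    )


def is_erspan_ii(buf: bytes) -> bool:
    """Cheap admission check a collector can apply before deeper parsing."""
    try:
        parse_gre_erspan_ii(buf)
        return True
    except ValueError:
        return False


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def summarize_inner_frame(frame: bytes) -> Dict[str, object]:
    """L2 addresses of the mirrored frame and, for IPv4, its L3 endpoints."""
    if len(frame) < 14:
        raise ValueError("short Ethernet frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info: Dict[str, object] = {"dst_mac": _mac(frame[0:6]), "src_mac": _mac(frame[6:12]), "ethertype": ethertype}
    if ethertype == 0x0800 and len(frame) >= 34:
        info["ip_proto"] = frame[23]
        info["src_ip"] = ".".join(str(x) for x in frame[26:30])
        info["dst_ip"] = ".".join(str(x) for x in frame[30:34])
    return info


def build_sample_frame() -> bytes:
    """Constructed sample, not a real capture: GRE with sequence 7, ERSPAN II
    session 42 on VLAN 100, carrying an IPv4/TCP header 10.0.0.5 -> 10.0.0.9."""
    gre = struct.pack("!HHI", GRE_FLAG_SEQUENCE, GRE_PROTO_ERSPAN_II, 7)
    erspan = struct.pack("!II", (1 << 28) | (100 << 16) | 42, 0x1234)
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ipv4 = bytes.fromhex("45000014000000004006") + b"\x00\x00" + bytes([10, 0, 0, 5]) + bytes([10, 0, 0, 9])
    return gre + erspan + eth + ipv4
```

The session ID and VLAN recovered from the ERSPAN header tell the collector which monitoring session on which switch produced the frame, which is what lets mirrored traffic from many remote segments be kept apart on one sensor; the `truncated` bit warns that the switch cut the frame and payload inspection may be incomplete.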

Improved MAC Address Visibility in QRadar for Smarter Threat Detection - QRadar now reads MAC addresses in key flow types such as QFlow, sFlow, and Packeteer. This helps with:

  1. Enhanced Asset Identification and Correlation
    By incorporating MAC addresses into all flow data, including third-party sources, QRadar can more accurately identify and track network assets, even when IP addresses change due to DHCP. This helps customers maintain a more reliable and persistent asset inventory, improve correlation accuracy, and reduce false positives in threat detection.
  2. Improved Network Forensics and Lateral Movement Detection
    MAC addresses provide a lower-layer identifier that is harder to spoof than IP addresses. Including MAC data in all flows enables QRadar to trace device movements across subnets, detect unauthorized devices, and reconstruct attack paths with greater precision. This significantly enhances investigations and the detection of stealthy movement within the network.
  3. Verifiable Device Identity
    With consistent MAC-level visibility, QRadar can better monitor policy enforcement in segmented networks and detect violations at the hardware level. This helps ensure that device identity is verifiable and auditable, regardless of IP reassignment or obfuscation.
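As an added illustration (not IBM code and not how QRadar's asset model is implemented), the following Python keys a small asset inventory by MAC rather than IP over a handful of constructed flow records from different flow sources. It shows the three effects described above: a device keeps one identity across a DHCP address change, a MAC missing from the approved list is flagged, and an IP that passes from one MAC to another is visible instead of being merged into one host. The record layout, source names and MAC values are all constructed for the example.

```python
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed flow records (not from the page): when the flow was seen, which
# flow source reported it, and the source endpoint's MAC (None when the source
# carries no L2 data) and IP. MAC formatting deliberately varies by source.
SAMPLE_FLOWS = [
    {"ts": "2025-07-18T10:00:00", "source": "QFlow", "src_mac": "AA:BB:CC:00:00:01", "src_ip": "10.0.0.5"},
    {"ts": "2025-07-18T10:05:00", "source": "sFlow", "src_mac": "aa-bb-cc-00-00-02", "src_ip": "10.0.0.9"},
    {"ts": "2025-07-18T10:20:00", "source": "NetFlow", "src_mac": None, "src_ip": "10.0.0.9"},
    {"ts": "2025-07-18T11:00:00", "source": "QFlow", "src_mac": "aa:bb:cc:00:00:01", "src_ip": "10.0.0.27"},
    {"ts": "2025-07-18T11:10:00", "source": "Packeteer", "src_mac": "de:ad:be:ef:00:99", "src_ip": "10.0.0.5"},
]


def normalize_mac(mac: Optional[str]) -> Optional[str]:
    """Canonical lower-case colon form so records from different sources compare equal."""
    if not mac:
        return None
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_inventory(flows: Iterable[dict]) -> Dict[str, dict]:
    """Inventory keyed by MAC: IPs used (in order of first appearance), the
    flow sources that reported the device, and first/last seen timestamps."""
    inv: Dict[str, dict] = {}
    for f in sorted(flows, key=lambda r: r["ts"]):
        mac = normalize_mac(f.get("src_mac"))
        if mac is None:
            continue  # no L2 identity in this record; IP alone cannot anchor an asset
        entry = inv.setdefault(mac, {"ips": [], "sources": set(), "first_seen": f["ts"], "last_seen": f["ts"]})
        if f["src_ip"] not in entry["ips"]:
            entry["ips"].append(f["src_ip"])
        entry["sources"].add(f["source"])
        entry["last_seen"] = f["ts"]
    return inv


def ip_reassignments(inv: Dict[str, dict]) -> Dict[str, List[str]]:
    """Devices that have used more than one IP, i.e. DHCP churn that IP-keyed
    tracking would have recorded as two separate assets."""
    return {mac: e["ips"] for mac, e in inv.items() if len(e["ips"]) > 1}


def unknown_devices(inv: Dict[str, dict], known_macs: Set[str]) -> List[str]:
    """MACs seen in flow data that are absent from the approved asset list."""
    known = {normalize_mac(m) for m in known_macs}
    return sorted(mac for mac in inv if mac not in known)


def ip_owners(flows: Iterable[dict], ip: str) -> List[Tuple[str, str]]:
    """Which MAC held an IP over time. More than one entry means correlating
    on the IP alone would have merged two different devices into one."""
    owners: List[Tuple[str, str]] = []
    for f in sorted(flows, key=lambda r: r["ts"]):
        mac = normalize_mac(f.get("src_mac"))
        if f["src_ip"] == ip and mac and (not owners or owners[-1][1] != mac):
            owners.append((f["ts"], mac))
    return owners
```

With the sample data, `ip_owners(SAMPLE_FLOWS, "10.0.0.5")` shows the address moving from the approved device to `de:ad:be:ef:00:99` an hour later, and `unknown_devices` reports that MAC; the NetFlow record without a MAC is kept out of the inventory rather than guessed at, which is the caveat for third-party flow sources that do not export L2 data.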

Enhanced Asset APIs:

a) DELETE API.  The Delete Assets API is a fundamental feature that has been missing from QRadar for a long time. With this API, customers can integrate their environments (e.g., CMDB) to remove outdated assets and maintain synchronized data with the QRadar environment.
Whenever applications need to interact with the asset model, APIs are the only available method. Therefore, this API has strong potential to be utilized by applications in the future.

b) Extended GET API.  Product information is required for assets so that any consumer can identify the type of asset based on the data. UEBA will be a potential consumer of this extended API, using the product details to enrich the context of monitored entities. This provides analysts with a clearer view, helping them identify which operating system is associated with a specific entity.

Upgraded the Analyst Workflow Out-of-the-Box (OOTB) application version - The Analyst Workflow application version is upgraded to v3.0.0. QRadar releases will now contain the latest version of the Analyst Workflow application out of the box.

Resolved issues

The Known Issues listed below are resolved in QRadar Incident Forensics 7.5.0 Update Package 13. For a complete list of Known Issues, see Known Issues.

The Known Issues search page allows users to search for Known Issues by version or status.

  • DT397715: If the "qradar" PostgreSQL database is in use during a configuration restore, the restore can fail and invalidate the database.
  • DT423482: podman_apps_registry_restore.sh hangs when the registry keystore is broken.
  • DT435262: Reference set "does not exist in any/all of" filters return incorrect search results.
  • DT433453: Ariel queries with criteria involving indexed properties open data files in cases where they should not, reducing search speed.
  • DT098936 (IJ31082): 'ACCUMULATOR FALLING BEHIND' notifications after default global views for event rate and flow rate have been recreated.
  • DT435224: Warning message "/opt/qradar/bin/setComponentThreadSchedulerPolicy.sh: failed to set scheduler".
  • DT443486: Ariel out of memory due to "map failed".
  • DT211814: F5 Networks BIG-IP APM events can display as 'parsed but not mapped' in the DSM Editor.
  • DT208415: Some Linux OS, McAfee ePolicy Orchestrator, and TLS Syslog events parse correctly in Log Activity but display as unknown in the DSM Editor.
  • DT259062: VMware vCenter events show as parsed but not mapped in the DSM Editor.
  • DT393964: The Event ID and Event Category values are not automatically populated in the 'Create a New Event Mapping' dialog box for some DSMs.
  • DT431870: The Suggest Regex feature in the DSM Editor does not work unless the user role is set to Admin.
  • DT257046: High Availability setup may fail on systems with very large drives.
  • DT258339: High Availability setup can fail or take an excessive amount of time to complete on hosts with large /store filesystems.
  • DT386499: QRadar Trend Micro Deep Discovery Director and Inspector event mapping issue.
  • DT389459: QRadar hosts installed using a RHEL8-based ISO and legacy BIOS cannot reinstall using the recovery ISO.
  • DT423351: Parallel Patch -l option (limit bandwidth) not applied.
  • DT425142: qradarca-monitor restarts services every hour when an expiring certificate is skipped for regeneration.
  • DT425543: Upgrading a QRadar environment on appliance installs in High Availability to 7.5.0 Update Package 11 can cause the secondary to fail.
  • DT435327 (UP11): Export as Building Block is not visible in the rule wizard in light mode.
  • DT435505: The Search Parameter section in Edit or New Search has buttons covering items in some cases in Dark Mode.
  • DT438885: CEP (custom property) cache issues when a system has over 1000 properties.
  • DT439079: Header text is not visible in the Offenses -> Rules table for the Dark theme.
  • DT439093: Some appliances are now getting a timebomb license with a one-month expiration.
  • DT439346: License is over-allocated after patching to UP11 with software ECs with QVM Scanners.
  • DT440166: Backup failing after upgrade to UP12 or UP12 IF01.
  • DT131234 (IJ38812): time_sync.sh can fail to complete successfully if socat takes longer than 0.5 seconds to connect.
  • DT211483 (IJ46412): French-language Symantec Endpoint Protection events do not display as expected in the DSM Editor.
  • DT252109 (IJ47681): Report wizard can unexpectedly select the CSV format when users click the Back button.
  • DT439080: Connection lost from EC to EP: Channel key IO Error.

Known issues

  • DT446222: Hostcontext error visible in the logs when creating a backup in the UI on Backup and Recovery.
  • DT446199: SAML IdP server metadata generator page does not open from the browser URL in a QRadar IPv6 environment.
  • DT446281: Data Sync App - Software install setup: Apps Restore functionality shows validation and failover is not initiated in the new DSApp v3.2.2.

About this installation

These instructions are intended to assist you when you install QRadar Incident Forensics 7.5.0 Update Package 13 by using an ISO file. They explain how to update your deployment to the latest version. For more information, see the QRadar Incident Forensics Installation Guide.

The QRadar Incident Forensics 7.5.0 Update Package 13 ISO (7.5.0-QRADAR-QIFFULL-2021.6.12.20250718011446) can install QRadar Incident Forensics 7.5.0. However, this document does not cover all of the installation messages and requirements, such as changes to memory requirements or browser requirements for QRadar Incident Forensics.

Installing the QRadar Incident Forensics 7.5.0 Update Package 13 ISO

These instructions guide you through the process of installing QRadar Incident Forensics 7.5.0 Update Package 13.

Important: You can use the verify signature tool to validate the integrity of your downloads from IBM Fix Central. For more information, see How to verify downloads from IBM Fix Central are trusted and code signed.

Procedure

  1. Download the QRadar Incident Forensics 7.5.0 Update Package 13 ISO (6.3 GB) from the IBM Fix Central website: 7.5.0-QRADAR-QIFFULL-20250718011446
  2. Use SSH to log in to the Console as the root user.
    NOTE: When you log in, the SSH session should display 7.5.0 as the Console's version. This is verification that the QRadar Console has been updated to 7.5.0, which is required before you update your Incident Forensics appliance.
  3. Open an SSH session to the QRadar Incident Forensics appliance.
  4. To run the ISO installer, type the following command: /media/dvd/setup

    Important: Installing QRadar Incident Forensics 7.5.0 Update Package 13 can take 1 to 2 hours to complete on the appliance.

  5. Wait for the installation to complete.

Installation wrap-up

  1. After all hosts are updated, send an email to your team to inform them that they will need to clear their browser cache before they log in to the QRadar Incident Forensics SIEM interface.
  2. To unmount the /media/dvd directory, type: umount /media/dvd
  3. Delete the ISO from the appliance.
  4. Review any static routes or customized routing. As mentioned in the administrator notes, all routes were removed and will need to be reconfigured after the upgrade completes.
  5. Review any iptables rules that are configured, as the interface names have changed in QRadar Incident Forensics 7.5.0 Update Package 13 due to the Red Hat Enterprise 7 operating system updates. Update any iptables rules that use Red Hat 6 interface naming conventions.
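Step 5 above is easy to get wrong by hand, because a rule that names an interface the host no longer has does not fail; it simply matches nothing. The following added example (not IBM code, not part of the product) reads `iptables-save` style text, lists every `-i`/`-o` reference that still uses the old `ethN` naming or names an interface absent from the host, and rewrites the names from an old-to-new mapping you supply. The sample rules, the `ethN` legacy pattern and the `ens192`/`ens224` replacement names are constructed for the illustration; on a real host you would feed it the output of `iptables-save` and the interface list from `/sys/class/net`.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed iptables-save output (not from the page). The ethN names stand
# for the Red Hat 6 style convention the wrap-up step refers to; ens192 is an
# example of the newer predictable naming.
SAMPLE_RULES = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
-A INPUT -i ens192 -p tcp --dport 22 -j ACCEPT
-A INPUT -i eth1 -s 10.0.0.0/8 -p udp --dport 514 -j ACCEPT
-A FORWARD ! -o eth0 -j DROP
COMMIT
"""

# Matches -i/-o and their long forms, tolerating "!" negation on either side.
IFACE_OPT = re.compile(r"(?:^|\s)(?:!\s+)?(-i|-o|--in-interface|--out-interface)\s+(?:!\s+)?(\S+)")

# Assumed legacy name pattern for this example: kernel-order ethN names.
LEGACY_IFACE = re.compile(r"^eth\d+$")


def interfaces_in_rules(rules: str) -> List[Tuple[int, str]]:
    """(line number, interface) for every -i/-o reference in the rules text."""
    refs: List[Tuple[int, str]] = []
    for n, line in enumerate(rules.splitlines(), start=1):
        for _opt, iface in IFACE_OPT.findall(line):
            refs.append((n, iface))
    return refs


def legacy_interface_rules(rules: str) -> List[Tuple[int, str]]:
    """Rules that still name an interface in the old ethN style."""
    return [(n, i) for n, i in interfaces_in_rules(rules) if LEGACY_IFACE.match(i)]


def stale_interface_rules(rules: str, active_ifaces: Set[str]) -> List[Tuple[int, str]]:
    """Rules naming an interface the host does not have. Such rules match nothing,
    so an ACCEPT never opens its port and a DROP never blocks anything."""
    return [(n, i) for n, i in interfaces_in_rules(rules) if i not in active_ifaces]


def rename_interfaces(rules: str, mapping: Dict[str, str]) -> str:
    """Rewrite interface names per mapping (old -> new), leaving all other
    rule text untouched so the result can be diffed against the original."""
    def fix(m: "re.Match[str]") -> str:
        text, old = m.group(0), m.group(2)
        new = mapping.get(old, old)
        return text[: len(text) - len(old)] + new  # the match ends with the name
    return "\n".join(IFACE_OPT.sub(fix, line) for line in rules.splitlines()) + "\n"
```

A sensible post-upgrade check is to require `stale_interface_rules(rules, active)` to be empty before the rules are loaded, since the stale list, not just the legacy-name list, is what catches a rule that was already mistyped before the upgrade.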

Results

A summary of the ISO installation advises you of any issues. If there are no issues, you can now SSH to managed hosts and start the installer on each host to run the setup in parallel.

Security Bulletin

Security Bulletin: IBM QRadar SIEM contains multiple vulnerabilities


Document Information

Modified date:
07 August 2025

UID

ibm17237934