Release Notes
Abstract
A list of the installation instructions, new features, and resolved issues for the release of IBM Security QRadar 7.5.0 Update Package 13 (7.5.0-QRADAR-QRFULL-2021.6.13.20250718011446). These release notes apply to QRadar, QRadar Vulnerability Manager, QRadar Risk Manager, and QRadar Network Insights. These instructions are intended for administrators who want to install QRadar 7.5.0 Update Package 13 by using an ISO file.
Content
What's new
For more information on new and changed features in QRadar 7.5.0, see What's new in 7.5.0.
Console-Only Failover support:
Optimized backup validation response time during Disaster Recovery (DR) site activation, especially in large environments with over 1000 backups at the Primary site, reducing delays and improving recovery efficiency.
Infographic-based visualization in Offense tab
- Introduced infographic-based visual summaries in the QRadar Offense tab, enhancing situational awareness through:
- Timeline views of offenses to monitor activity trends.
- Magnitude-based ranking to prioritize offenses effectively.
- Host-based categorization to quickly identify targeted assets.
- Infographic-based visual insights enable analysts to investigate and respond to threats more efficiently.
Enhanced Admin tab with Unified Interfaces
- Consistent and streamlined user experience across:
- Store and Forward
- Domain Management
- Centralized Credentials
- Resource Restrictions
- This enhancement simplifies system configuration and management through a consistent interface design.
Console-Only Apps Failover - Enabled seamless application continuity in console-only workflow when apps are hosted on console. This enhancement is fully supported in appliance installations, ensuring uninterrupted availability of critical application services after console-specific failover and failback scenarios.
Custom properties - Ability to use multiple capture groups and literals in regex custom properties:
Multiple capture groups for custom properties give customers the ability to use format strings and literal characters when defining a property, which allows you to extract non-continuous strings from the payload.
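The following is an added illustration, not IBM's code or QRadar's parser, of how a format string can join two capture groups and a literal character into one property value. The `$N` placeholder syntax, the `extract_property` helper, and the sample payload are assumptions made for the example.

```python
import re

# Constructed sample payload, not real QRadar data. The user and the domain
# are separated by unrelated fields, so no single capture group covers both.
PAYLOAD = ("<134>Jul 18 01:14:46 fw01 auth: user=jdoe src=10.1.2.3 "
           "result=success domain=CORP")

# Assumed placeholder syntax: "$N" stands for capture group N.
_PLACEHOLDER = re.compile(r"\$(\d+)")


def extract_property(pattern, format_string, payload):
    """Build a property value from several capture groups plus literals.

    Returns None when the regex does not match, or when the format string
    references a group that does not exist or did not take part in the match,
    so a partial value is never emitted.
    """
    m = re.search(pattern, payload)
    if m is None:
        return None

    def fill(placeholder):
        index = int(placeholder.group(1))
        if index > m.re.groups or m.group(index) is None:
            raise LookupError(index)
        return m.group(index)

    try:
        # Everything in the format string that is not "$N" is kept literally.
        return _PLACEHOLDER.sub(fill, format_string)
    except LookupError:
        return None


if __name__ == "__main__":
    # Two non-adjacent fields joined with a literal backslash.
    print(extract_property(r"user=(\S+).*?domain=(\S+)", r"$2\$1", PAYLOAD))
    # Literal words between the groups.
    print(extract_property(r"user=(\S+).*?src=(\S+)", "$1 from $2", PAYLOAD))
```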
QRadar Host Monitoring via SNMPwalk - Enabled SNMPv3 and created UI to support SNMP polling (snmpwalk) of QRadar appliances. SNMPv3 is a secure protocol and is now supported for QRadar host monitoring to comply with modern security standards and IBM’s “Secure by Design” and “Secure by Default” paradigms.
Enhanced Partial Search Results Visibility for Running Searches - The number of partial search results visible during active queries in Log Activity and Network Activity has been increased from 40 to up to 1000 entries. This enhancement provides greater visibility into long-running searches, enabling users to explore more data in real-time and identify potential filters to refine results while the query is still executing.
Disaster Recovery and Data Centre backup and restore processes - Improved efficiency and reliability.
DSM Editor Enhanced Capabilities -
- Improved event parsing and mapping in F5 Networks, BIG-IP APM, VMware vCenter, Linux OS, McAfee ePolicy Orchestrator, and TLS Syslog
- Improved auto-population of Event ID and Event Category fields in the “Create a New Event Mapping” dialog
- Improved “Suggest Regex” feature for users with System Administrator capabilities
ERSPAN Traffic Support - QRadar can now collect ERSPAN (Encapsulated Remote Switched Port Analyzer) traffic, which means it can see mirrored network data directly. This helps with:
- Seamless Visibility into Remote and Virtual Environments
ERSPAN enables QRadar to receive mirrored traffic from remote or virtual network segments over IP, providing deep visibility into environments where physical sensors are impractical. This allows customers to monitor hybrid and cloud infrastructures more effectively, ensuring consistent traffic analysis across the entire network.
- Reduced Deployment Complexity and Cost
By leveraging ERSPAN, customers can eliminate the need for dedicated packet capture appliances at every location. Network devices can send traffic directly to QRadar, simplifying the architecture and significantly lowering deployment and maintenance costs while speeding up time-to-value.
- Improved Threat Detection and Network Forensics
With ERSPAN traffic support, QRadar can perform detailed packet inspection and enrich flow records, enabling detection of threats that may bypass traditional flow analysis. This enhances customers’ ability to identify APTs and policy violations, thereby strengthening security posture.
Improved MAC Address Visibility in QRadar for Smarter Threat Detection - QRadar now reads MAC addresses in key flow types like QFlow, SFlow, and Packeteer. This helps with:
1. Enhanced Asset Identification and Correlation
By incorporating MAC addresses into all flow data—including third-party sources—QRadar can more accurately identify and track network assets, even when IP addresses change due to DHCP. This helps customers maintain a more reliable and persistent asset inventory, improve correlation accuracy, and reduce false positives in threat detection.
2. Improved Network Forensics and Lateral Movement Detection
MAC addresses provide a lower-layer identifier that’s harder to spoof than IP addresses. Including MAC data in all flows enables QRadar to trace device movements across subnets, detect unauthorized devices, and reconstruct attack paths with greater precision. This significantly enhances investigations and the detection of stealthy movement within the network.
3. Verifiable device identity
With consistent MAC-level visibility, QRadar can better monitor policy enforcement in segmented networks and detect violations at the hardware level. This helps ensure that device identity is verifiable and auditable, regardless of IP reassignment or obfuscation.
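The correlation described in the three points above can be sketched as follows. This is an added example, not QRadar code: the flow tuples, MAC addresses, the /24 subnet assumption, and the function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (time, source IP, source MAC); not QRadar output.
FLOWS = [
    ("2025-07-18T09:00:00", "10.10.1.23", "00:1a:2b:3c:4d:5e"),
    ("2025-07-18T13:00:00", "10.10.1.87", "00:1A:2B:3C:4D:5E"),  # new DHCP lease
    ("2025-07-18T13:05:00", "10.10.1.23", "00:1a:2b:aa:bb:cc"),  # old lease reused
    ("2025-07-18T14:00:00", "10.20.5.10", "00:1a:2b:3c:4d:5e"),  # other subnet
]


def ip_keyed_view(flows):
    """IP-only inventory: one address can silently cover several devices."""
    seen = defaultdict(set)
    for _, ip, mac in flows:
        seen[ip].add(mac.lower())
    return dict(seen)


def correlate(flows, prefix_len=24):
    """Key assets by MAC; report IP changes and subnet moves per device."""
    assets = defaultdict(lambda: {"ips": [], "subnets": []})
    findings = []
    for ts, ip, mac in sorted(flows):
        mac = mac.lower()  # normalise case so one device is one key
        subnet = str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))
        asset = assets[mac]
        if asset["ips"] and asset["ips"][-1] == ip:
            continue  # nothing changed for this device
        if asset["ips"]:
            moved = asset["subnets"][-1] != subnet
            kind = "subnet_move" if moved else "ip_change"
            findings.append((ts, mac, kind, asset["ips"][-1], ip))
        asset["ips"].append(ip)
        asset["subnets"].append(subnet)
    return dict(assets), findings


if __name__ == "__main__":
    print(ip_keyed_view(FLOWS)["10.10.1.23"])  # two devices behind one IP
    for finding in correlate(FLOWS)[1]:
        print(finding)
```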
Enhanced Asset APIs:
a) DELETE API. The Delete Assets API is a fundamental feature that has been missing from QRadar for a long time. With this API, customers can integrate their environments (e.g., CMDB) to remove outdated assets and maintain synchronized data with the QRadar environment.
Whenever applications need to interact with the asset model, APIs are the only available method. Therefore, this API has strong potential to be utilized by applications in the future.
b) Extended GET API. Product information is required for assets so that any consumer can identify the type of asset based on the data. UEBA will be a potential consumer of this extended API, using the product details to enrich the context of monitored entities. This provides analysts with a clearer view, helping them identify which operating system is associated with a specific entity.
Resolved issues
The Known Issues listed below are resolved in QRadar 7.5.0 Update Package 13. For a complete list of Known Issues, see Known Issues. The Known Issues search page allows users to search for Known Issues by version or status.
- DT397715: If the "qradar" postgresql database is in use during a configuration restore, it can cause the restore to fail, invalidating the database.
- DT423482: podman_apps_registry_restore.sh stuck when registry keystore is broken.
- DT435262: Reference set "does not exist in any/all of" filters return incorrect search results.
- DT433453: Ariel queries with a criteria involving indexed properties open data files in cases where it should not, reducing search speed.
- DT098936 IJ31082: 'ACCUMULATOR FALLING BEHIND' NOTIFICATIONS AFTER DEFAULT GLOBAL VIEWS FOR EVENT RATE AND FLOW RATE HAVE BEEN RECREATED.
- DT435224: Warning message " /opt/qradar/bin/setComponentThreadSchedulerPolicy.sh: failed to set scheduler.
- DT443486: Ariel out of memory due to map failed
- DT211814: F5 networks big-ip apm events can display 'parsed but not mapped' in DSM Editor
- DT208415: Linux OS and McAfee ePolicy Orchestrator, TLS Syslog, some events parsing correctly in log activity but display as unknown in the DSM Editor
- DT259062: VMWare VCenter events show parsed but not mapped in DSM editor
- DT393964: The Event Id and Event Category values are not automatically populated in the 'Create a New Event Mapping' dialog box for some DSMs
- DT431870: Suggest Regex feature in DSM Editor does not work unless the user role is set to Admin
- DT257046: High Availability setup may fail on systems with very large drives
- DT258339: High availability setup can fail or take an excessive amount of time to complete on hosts with large /store filesystems
- DT386499: QRadar Trend Micro Deep Discovery Director and Inspector event mapping issue
- DT389459: QRadar hosts installed using a RHEL8-based ISO and legacy BIOS cannot reinstall using the recovery ISO
- DT423351: Parallel Patch -l option (limit bandwidth) not applied
- DT425142: qradarca-monitor restarts services every hour when expiring cert is skipped for regeneration
- DT425543: Upgrading QRadar environment on appliance installs in High Availability to 7.5.0 Update Package 11 can cause the secondary to fail
- DT435327 UP11 : Export as Building Block is not visible in rule wizard in light mode
- DT435505 QRadar: Search Parameter section in Edit or New Search has buttons covering items in some cases in Dark Mode.
- DT438885 QRadar: CEP (Custom property) cache issues when a system has over 1000 properties.
- DT439079: Header text is not visible in Offenses -> Rules table for Dark theme
- DT439093: Some appliance are now getting a timebomb license with a month expiration
- DT439346: License is over allocated after patching to UP11 with software ECs with QVM Scanners
- DT440166: Backup failing after upgrade to UP12 or UP12 IF01
- DT131234: IJ38812: TIME_SYNC.SH CAN FAIL TO COMPLETE SUCCESSFULLY IF SOCAT TAKES LONGER THAN 0.5 SECONDS TO CONNECT
- DT211483 IJ46412: FRENCH LANGUAGE SYMANTEC ENDPOINT PROTECTION EVENTS DO NOT DISPLAY AS EXPECTED IN THE DSM EDITOR
- DT252109 IJ47681: REPORT WIZARD CAN UNEXPECTED SELECT THE CSV FORMAT WHEN USERS CLICK THE BACK BUTTON
- DT439080 Connection lost from EC to EP: Channel key IO Error
Known issues
- DT446222: Hostcontext error visible in the logs when creating backup on the ui on backup and recovery
- DT446199: SAML IdP server metadata generator page is not getting Open from Browser URL for QRadar IPV6 environment
- DT446281: Data Sync App - Software Install setup : Apps Restore functionality showing validation and Failover is not getting initiated in the new DSApp v3.2.2
About this installation
These instructions are intended to assist you when you install QRadar 7.5.0 Update Package 13 by using an ISO file. This ISO can install QRadar, QRadar Risk Manager, QRadar Vulnerability Manager, and QRadar Network Insights products to version 7.5.0 Update Package 13.
See QRadar: Software update checklist for administrators for a list of steps to review before you update your QRadar deployment.
Installing the QRadar 7.5.0 ISO Update Package 13
These instructions guide you through the process of installing QRadar 7.5.0 Update Package 13.
Important: You can use the verify signature tool to validate the integrity of your downloads from IBM Fix Central. For more information, see How to verify downloads from IBM Fix Central are trusted and code signed.
Procedure
- Download the QRadar 7.5.0 Update Package 13 ISO (5.31 GB) from the IBM Fix Central website: 7.5.0-QRADAR-QRFULL-20250718011446
IMPORTANT: QRadar Incident Forensics uses a unique ISO file to install 7.5.0 Update Package 13. See the Fix Central page for that product to download the correct file.
- Use SSH to log in to the Console as the root user.
- To run the ISO installer on the Console, type the following command: /media/cdrom/setup
Important: Installing QRadar 7.5.0 Update Package 13 should take approximately 2 hours on a Console appliance.
- Wait for the Console primary update to complete.
Note: In QRadar 7.3.1 Patch 6, a kernel update was introduced to address issues with appliances failing to log in or list unit files. These issues could prevent the appliance from rebooting. This new kernel does not take effect until the appliance is rebooted. You might need to reboot your system manually for the kernel update to take effect.
To work around this issue, you must perform a restart of the appliance. To do this, type the reboot command, or use Integrated Management Module (IMM).
Installation wrap up
- After all hosts are updated, advise your team that they must clear their browser cache before logging in to QRadar SIEM.
- To unmount the /media/cdrom directory on all hosts, type:
/opt/qradar/support/all_servers.sh -C -k "umount /media/cdrom"
- Delete the ISO from all appliances.
- If you use WinCollect agents version 7.2.6 or later, you must reinstall the SFS file on the QRadar Console. This is due to issues where the ISO replaces the SFS on the Console with WinCollect 7.2.5 as described here: APAR IV96364. To install the latest WinCollect SFS on the Console, see the WinCollect release notes at WinCollect 101.
- Review any static routes or customized routing. As mentioned in the administrator notes, all routes were removed and will need to be reconfigured after the upgrade is complete.
- Review any iptables rules that are configured to see if the interface names have changed in QRadar 7.5.0 Update Package 13 due to the Red Hat Enterprise 7 operating system updates affecting them. Update any iptables rules that use Red Hat 6 interface naming conventions.
Results
A summary of the ISO installation advises you of any issues. If there are no issues, you can now SSH to managed hosts and start the installer on each host to run the setup in parallel.
Security Bulletin
Security Bulletin: IBM QRadar SIEM contains multiple vulnerabilities
Document Information
Modified date: 07 August 2025
UID: ibm17238130