IBM Support

Release of QRadar 7.5.0 Update Package 14 SFS (2021.6.14.20251017194912)

Release Notes


Abstract

This technical note contains installation instructions, and a list of new features and resolved issues for the IBM Security QRadar 7.5.0 Update Package 14 (2021.6.14.20251017194912 SFS). These instructions are intended for administrators who are upgrading to QRadar 7.5.0 Update Package 14 by using an SFS file.

Content

What's New


For more information on new and changed features in QRadar 7.5.0, see What's new in 7.5.0.
 

Support for Tiered Storage 

A new approach to managing QRadar (Ariel) data that improves search performance and cost of ownership and includes.  

  • Hot and Warm Tiers: Newly ingested data is stored in the Hot tier for fast access and is automatically migrated to the Warm tier as it ages, based on a defined data migration policy.  
  • Improved Performance and Efficiency: By keeping recent data readily accessible and moving older data to more cost-effective storage, Tiered Storage helps balance search speed, cost, and deployment footprint. 

Improved Performance in the Pipelines (Parsing, CRE) to Reduce Routing to Storage 

QRadar is now smarter when making the routing to storage decisions in the data processing pipeline, accounting for the processing utilization of the Parsing and CRE data processing thread pools, significantly reducing false-positive routing to storage and increasing the security posture by reducing the number of unparsed and uncorrelated events. 

Improved event/flow burst handling capability on services startup 

The QRadar data processing pipeline services now allocate process memory on startup, improving performance and stability of those real-time processes. This improves handling of event spikes after services startup.   

Performance Tuning for Pipeline Scheduling - Increase in ariel writing speed 

The Ariel Database Writer performance is improved in additional configurations, improving the events and flows writing speed and the data processing pipeline performance. The original work introduced in QRadar UP11 applied only to the 1629, 1648, 1729, 1748 appliance types when using the appliance install. This QRadar UP14 work further expands the scope of the improvements to include all 31xx, 16xx, 17xx, 18xx, 14xx hosts with at least 32 CPUs.  

LVM Phase 2 

This release introduces enhancements focused on improving the management of Logical Volume Management (LVM) on appliance-installed systems. The key areas of improvements are enabling LVM expansion for appliance installations.

Enhanced Visibility and user experience for Custom AQL Queries in Managed Search Results 

In previous QRadar versions, custom AQL searches on the Managed Search Results screen were labeled generically as "Custom AQL Query", with no visibility into the actual query logic until the user clicked into the search. This enhancement improves usability by:  

  • Replacing the generic name, "Custom AQL Query", with the actual AQL query string for custom AQL searches 
  • Displaying the full AQL query in a tooltip on hover 
  • Adding a Copy to Clipboard button for quick and easy reuse.  

These improvements streamline the user experience and make working with custom AQL searches more efficient.  

Managed Search Results Enhancements 

The Managed Search Results screen now includes visual indicators for searches that may be slow, expensive and degrade system efficiency including: 

  • Non-Indexed Fields: Searches that do not utilize indexed fields are flagged to highlight potential performance bottlenecks.  
  • Pattern matching usage without additional filters: Searches using strictly the "payload contains" or "payload matches" operations are flagged due to their inefficiency and potential high resource consumption  

These indicators help users identify and revise inefficient queries, promoting best practices for building performant searches.  

Version History for Rules 

This enhancement gives you the flexibility to revert changes to any previous version of a rule not just the original, making it easier to manage updates and recover from mistakes. You can now see who made changes, what was changed, and when, giving your team full visibility into rule modifications. Authors also have the option to add a brief note explaining the reason for each change, helping everyone stay aligned and informed. These updates are automatically tracked and displayed, so you don't need to modify your existing notes. This release brings greater transparency, accountability, and control to how your rules change over time. 

Offence Enhancements: Rule Test Filter by Magnitude Value 

You can now set magnitude thresholds when creating rule tests. This helps you prioritize offenses based on their criticality making iteasier to focus on the most important threats and respond faster. 

Enhanced Offences Tracking 

This update tracks only the most recent time an offense was assigned to a user along with the assignment timestamp.  

QRadar (QFlow) - Autonomous System Number (ASN) information 

QFlow now automatically enriches network flows with Autonomous System Number (ASN) information. The ASN field is now populated, increasing an analyst’s ability to determine the origin of IP traffic. Now, QRadar automatically performs ASN lookups, providing valuable context such as the network or ISP associated with each IP address.Benefitsare to:  

  • Gain immediate visibility into the ownership and origin of IP traffic 
  • Quickly identify traffic from suspicious or high-risk networks 
  • Eliminate the need for manual ASN enrichment   
  • Enhance correlation rules and threat detection with enriched flow metadata   

This improvement helps security teams respond faster, improve triage accuracy, and align with modern SIEM expectations for enriched, actionable data.  

QRadar Risk Manager (QRM) Supports Check Point HTTPS integration 

QRadar Risk Manager now receives firewall rule event logs directly from Check Point Security Management Servers (SMS). This enhancement enables real-time monitoring of firewall rule event counts, helping customers manage and optimize the effectiveness of their firewall rule policies across all managed devices.Benefits are: 

  • Identifymost and least used Checkpoint HTTPS firewall rules  
  • Detect rules that may unnecessarily block network access  
  • Highlight frequently triggered rules that may impact performance  
  • View detailed rule event data for analysis  
  • Schedule reports to improve policy management and visibility  

This helps users to monitor and optimize Check Point firewall rules in real time for improved security and network efficiency.  

Resolved Issues


The Known Issues listed below are resolved in QRadar 7.5.0 Update Package 14. For a complete list of Known Issues, see Known Issues. The Known Issues search page allows users to search for Known Issues by version or status.

Some Known Issues links might take 24 hours to display properly after a software release is posted to IBM Fix Central.

The following is a list of Known Issues fixed in QRadar 7.5.0 Update Package 14:

  • DT448933 : Offense rule email will not work in UP13 because of duplicate common-lang3 jar in ecs-ep pipeline 

     

  • DT447357 : Forwarding events over TLS may cause an error after upgrading to UP12: SelectiveForwarding can trigger 'too many open files' errors and events are not forwarded

     

  • DT446281 : Data Sync App - Software Install setup : Apps Restore functionality showing validation and Failover is not getting initiated in the new DSApp v3.2.2 

     

  • DT444845 : Known_hosts file on managed hosts is being cleared 

     

  •  DT443486 : Ariel out of memory due to map failed 

     

  • DT442680 : Risk Manager rule counting for Check Point not working 

     

  • DT444714 : QRadar UP12 Java 11 warning messages on accumulator_rollup 

     

  • DT439080 : Connection lost from EC to EP: Channel key IO Error 

     

  • DT435875 : AppFW health check time attributes in nva.conf are not honored

     

  • DT439591 : JSON property extraction does not work with stringify nested objects 

     

  • DT436082 : Applications that uses CentOs and Python2.x base image will not work on QRadar 

     

  • DT423736 : Deployment Configuration option can be inadvertently disabled in config restore page 

     

  • DT423733 : Config restore page checkboxes are not being checked automatically 

     

  • DT400332 : QFlow always consumes a full CPU, even when not doing any work 

     

  • DT423480 : Missing entry in /etc/hosts since change to podman causes unnecessary dns requests 

     

  • DT394273 : Qradar GUI is displaying wrong time on console using Africa/Cairo timezone 

     

  • DT269861 : DSM Editor not parsing if JSON Keys have '\' (backslash) for escape characters 

     

  • DT252085 IJ49388 : ADMINISTRATORS CANNOT CHANGE THE DAY AUTO UPDATES RUNS WHEN THE SCHEDULE IS MONTHLY 

     

  • DT252130 IJ48908 : ASSETS DETAILS UI CAN DISPLAY MULTIPLE INSTANCES OF THE SAME IPV6 ADDRESS 

     

  • DT252119 IJ48732 : ADMINISTRATORS CAN UNEXPECTEDLY RESTORE A DATA SYNCHRONIZATION APPLICATION INITIATED BACKUP FROM THE ADMIN TAB 

     

  • DT252037 IJ46413 : RESTORING A NIGHTLY CONFIG BACKUP FAILS AS DESELECTING LICENSE INCORRECTLY UNCHECKS DEPLOYMENT CONFIGURATION 

     

  • DT217529 IJ46414 : AUTO UPDATES CAN GENERATE 'COULD NOT APPLY QIDMAP UPDATE WITH SERIAL XXXXXXXXX' ERRORS 

     

  • DT242579 IJ44464 : FIELD EXTRACTION BASED ON CUSTOM PROPERTY ONLY EXTRACTS THE LAST PART OF THE VALUE WHEN A SPACE EXISTS IN VALUE 

     

  • DT195808 IJ42551 : SYSTEM MONITORING DASHBOARD EPS/FPM GRAPHS MIGHT NOT DISPLAY AS EXPECTED DUE TO A MULTIKEYCREATOREXPRESSION PREDICATE EXCEPTION

     

 

Upgrade information


QRadar 7.5.0 Update Package 14 resolves reported issues from users and administrators from previous QRadar versions. This cumulative software update fixes known software issues in your QRadar deployment. QRadar software updates are installed by using an SFS file, and update all appliances attached to the QRadar Console.

The 750-QRADAR-QRSIEM-2021.6.14.20251017194912 SFS file can upgrade the following QRadar versions to QRadar 7.5.0 Update Package 14:

  • QRadar 7.5.0 Update Package 10
  • QRadar 7.5.0 Update Package 10 Interim Fix 01 to Interim Fix 02
  • QRadar 7.5.0 Update Package 11
  • QRadar 7.5.0 Update Package 11 Interim Fix 01 to Interim Fix 04
  • QRadar 7.5.0 Update Package 12
  • QRadar 7.5.0 Update Package 12 Interim Fix 01 to Interim Fix 03
  • QRadar 7.5.0 Update Package 13
  • QRadar 7.5.0 Update Package 13 Interim Fix 01 to Interim Fix 02
 

This document does not cover all of the installation messages and requirements, such as changes to appliance memory requirements or browser requirements for QRadar. To review any additional requirements, see the QRadar Upgrade Guide.

See QRadar: Software update check list for administrators for a list of steps to review before you update your QRadar deployment.

Before you begin

Ensure that you take the following precautions:

  • Back up your data before you begin any software upgrade. For more information about backup and recovery, see the QRadar Administration Guide.
  • To avoid access errors in your log file, close all open QRadar sessions.
  • The QRadar software update cannot be installed on a managed host that is at a different software version from the Console. All appliances in the deployment must be at the same software revision to update the entire deployment.
  • Verify that all changes are deployed on your appliances. The update cannot install on appliances that have changes that are not deployed.
  • If this is a new installation, review the instructions in the QRadar Installation Guide.
 

Installing the QRadar 7.5.0 Update Package 14 Software Update


These instructions guide you through the process of upgrading an existing QRadar version to QRadar 7.5.0 Update Package 14. To update appliances in parallel, see QRadar: How to Update Appliances in Parallel.

Procedure

  1. Download the software update to install QRadar 7.5.0 Update Package 14 from the IBM Fix Central website: 7.5.0-QRADAR-QRSIEM-20251017194912

    Important: Please confirm that you are installing the correct SFS file by checking the sha256sum value as found on Fix Central

    Note: To confirm QRadar 7.5.0 Update Package 14 is code signed by IBM, you must use the latest code signing utility 1.0.2. For more information, see https://ibm.biz/qradarcodesigning.
  2. Use SSH to log in to your Console as the root user.

  3. To verify you have enough space (10GB) in /store/tmp for the QRadar Console, type the following command:

      df -h /tmp /storetmp /store/transient | tee diskchecks.txt

    • Best directory option: /storetmp

      It is available on all appliance types at all versions. In QRadar 7.5.0 versions /store/tmp is a symlink to the /storetmp partition.

If the disk check command fails, retype the quotation marks from your terminal, then rerun the command. This command returns the details to both the command window and to a file on the Console named diskchecks.txt. Review this file to ensure that all appliances have at minimum 10GB of space available in a directory to copy the SFS before attempting to move the file to a managed host. If required, free up disk space on any host that fails to have less that 10GB available.

Note: In QRadar 7.3.0 and later, an update to directory structure for STIG-compliant directories reduces the size of several partitions. This can impact moving large files to QRadar.

  1. To create the /media/updates directory, type the following command:

      mkdir -p /media/updates
  2. Use SCP to copy the files to the QRadar Console to the /storetmp directory or a location with 10GB of disk space.

  3. Change to the directory where you copied the patch file. For example,

      cd /storetmp

  4. To mount the patch file to the /media/updates directory, type the following command:

      mount -o loop /storetmp/750-QRADAR-QRSIEM-2021.6.14.20251017194912.sfs /media/updates

  5. To run the patch installer, type the following command:

      /media/updates/installer

    Note: The first time that you run the software update, there might be a delay before the software update installation menu is displayed.

  6. Using the patch installer, select all.
    • The all option updates the software on all appliances in the following order:
      1. Console
      2. No order required for remaining appliances. All remaining appliances can be updated in any order that you require.

    • If you do not select the all option, you must select your Console appliance.

      As of QRadar 7.2.6 Patch 4 and later, you are only provided the option to update all or update the Console appliance. Managed hosts are not displayed in the installation menu to ensure that the Console is patched first. After the Console is patched, a list of managed hosts that can be updated is displayed in the installation menu. This change was made starting with QRadar 7.2.6 Patch 4 to ensure that the Console appliance is always updated before managed hosts to prevent upgrade issues.

      If you want to patch systems in series, you can update the Console first, then copy the patch to all other appliances and run the patch installer individually on each managed host. The Console must be patched before you can run the installer on managed hosts. When updating in parallel, there is no order required in how you update appliances after the Console is updated.

      If your Secure Shell (SSH) session is disconnected while the upgrade is in progress, the upgrade continues. When you reopen your SSH session and rerun the installer, the patch installation resumes.

Installation wrap-up

  1. After the system reboot is not initiated after the patch completes and you have exited the installer, type the following command:

      umount /media/updates
  2. Clear your browser cache before you log in to the Console.
  3. Delete the SFS file from all appliances.
  4. For administrators with managed WinCollect 7 agents, upgrades to 7.5.0 Update Package 14 require WinCollect version 7.3.1 Patch 4. Depending on your upgrade path, you might be required to update your WinCollect agent version on the Console. For more information, see the WinCollect 7.3.1 Patch 4 release notes.
  5. To run AQL queries that use geographic data or the flags on the Log Activity tab, update to the latest database from Maxmind after you upgrade to QRadar 7.5.0 Update Package 14. 
     

Results

A summary of the software update installation advises you of any managed hosts that were not updated. If the software update fails to update a managed host, you can copy the software update to the host and run the installation locally.

After all hosts are updated, send an email to your team to inform them that they will need to clear their browser cache before they log in to the QRadar SIEM interface.

 

Security Bulletins

IBM QRadar SIEM contains multiple vulnerabilities

IBM QRadar SIEM is affected by privilege escalation (CVE-2025-36007)

IBM QRadar SIEM is affected by cross-site scripting (CVE-2025-36170, CVE-2025-36138)

 

[{"Type":"MASTER","Line of Business":{"code":"LOB77","label":"Automation Platform"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwtdAAA","label":"Upgrade"}],"ARM Case Number":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.5.0"}]

Document Information

Modified date:
29 October 2025

UID

ibm17244257

Page Feedback