IBM Support

Release of QRadar 7.5.0 Update Package 14 ISO (2021.6.14.20251017194912)

Release Notes


Abstract

A list of the installation instructions, new features, and resolved issues for the release of IBM Security QRadar 7.5.0 Update Package 14 (7.5.0-QRADAR-QRFULL-2021.6.14.20251017194912). These release notes apply to QRadar, QRadar Vulnerability Manager, QRadar Risk Manager, and QRadar Network Insights. These instructions are intended for administrators who want to install QRadar 7.5.0 Update Package 14 by using an ISO file.

Content

 

What's new

 
For more information on new and changed features in QRadar 7.5.0, see What's new in 7.5.0.
 

Support for Tiered Storage 

A new approach to managing QRadar (Ariel) data that improves search performance and cost of ownership. It includes:

  • Hot and Warm Tiers: Newly ingested data is stored in the Hot tier for fast access and is automatically migrated to the Warm tier as it ages, based on a defined data migration policy.  
  • Improved Performance and Efficiency: By keeping recent data readily accessible and moving older data to more cost-effective storage, Tiered Storage helps balance search speed, cost, and deployment footprint. 

Improved Performance in the Pipelines (Parsing, CRE) to Reduce Routing to Storage 

QRadar now makes routing-to-storage decisions in the data processing pipeline more intelligently by accounting for the processing utilization of the Parsing and CRE data processing thread pools. This significantly reduces false-positive routing to storage and improves security posture by reducing the number of unparsed and uncorrelated events.

Improved event/flow burst handling capability on services startup 

The QRadar data processing pipeline services now allocate process memory on startup, improving performance and stability of those real-time processes. This improves handling of event spikes after services startup.   

Performance Tuning for Pipeline Scheduling - Increase in Ariel writing speed

The Ariel Database Writer performance is improved in additional configurations, improving the events and flows writing speed and the data processing pipeline performance. The original work introduced in QRadar UP11 applied only to the 1629, 1648, 1729, 1748 appliance types when using the appliance install. This QRadar UP14 work further expands the scope of the improvements to include all 31xx, 16xx, 17xx, 18xx, 14xx hosts with at least 32 CPUs.  

LVM Phase 2 

This release introduces enhancements focused on improving the management of Logical Volume Management (LVM) on appliance-installed systems. The key area of improvement is enabling LVM expansion for appliance installations.

Enhanced Visibility and user experience for Custom AQL Queries in Managed Search Results 

In previous QRadar versions, custom AQL searches on the Managed Search Results screen were labeled generically as "Custom AQL Query", with no visibility into the actual query logic until the user clicked into the search. This enhancement improves usability by:  

  • Replacing the generic name, "Custom AQL Query", with the actual AQL query string for custom AQL searches 
  • Displaying the full AQL query in a tooltip on hover 
  • Adding a Copy to Clipboard button for quick and easy reuse.  

These improvements streamline the user experience and make working with custom AQL searches more efficient.  

Managed Search Results Enhancements 

The Managed Search Results screen now includes visual indicators for searches that may be slow or expensive and that may degrade system efficiency, including:

  • Non-Indexed Fields: Searches that do not utilize indexed fields are flagged to highlight potential performance bottlenecks.
  • Pattern matching usage without additional filters: Searches using strictly the "payload contains" or "payload matches" operations are flagged due to their inefficiency and potential high resource consumption.

These indicators help users identify and revise inefficient queries, promoting best practices for building performant searches.  

Version History for Rules 

This enhancement gives you the flexibility to revert changes to any previous version of a rule, not just the original, making it easier to manage updates and recover from mistakes. You can now see who made changes, what was changed, and when, giving your team full visibility into rule modifications. Authors also have the option to add a brief note explaining the reason for each change, helping everyone stay aligned and informed. These updates are automatically tracked and displayed, so you don't need to modify your existing notes. This release brings greater transparency, accountability, and control to how your rules change over time.

Offence Enhancements: Rule Test Filter by Magnitude Value 

You can now set magnitude thresholds when creating rule tests. This helps you prioritize offenses based on their criticality, making it easier to focus on the most important threats and respond faster.

Enhanced Offences Tracking 

This update tracks only the most recent time an offense was assigned to a user along with the assignment timestamp.  

QRadar (QFlow) - Autonomous System Number (ASN) information 

QFlow now automatically enriches network flows with Autonomous System Number (ASN) information. The ASN field is now populated, increasing an analyst's ability to determine the origin of IP traffic. QRadar automatically performs ASN lookups, providing valuable context such as the network or ISP associated with each IP address. The benefits are to:

  • Gain immediate visibility into the ownership and origin of IP traffic 
  • Quickly identify traffic from suspicious or high-risk networks 
  • Eliminate the need for manual ASN enrichment   
  • Enhance correlation rules and threat detection with enriched flow metadata   

This improvement helps security teams respond faster, improve triage accuracy, and align with modern SIEM expectations for enriched, actionable data.  

QRadar Risk Manager (QRM) Supports Check Point HTTPS integration 

QRadar Risk Manager now receives firewall rule event logs directly from Check Point Security Management Servers (SMS). This enhancement enables real-time monitoring of firewall rule event counts, helping customers manage and optimize the effectiveness of their firewall rule policies across all managed devices. Benefits are:

  • Identify most and least used Check Point HTTPS firewall rules
  • Detect rules that may unnecessarily block network access  
  • Highlight frequently triggered rules that may impact performance  
  • View detailed rule event data for analysis  
  • Schedule reports to improve policy management and visibility  

This helps users to monitor and optimize Check Point firewall rules in real time for improved security and network efficiency.  

Resolved issues

The Known Issues listed below are resolved in QRadar 7.5.0 Update Package 14. For a complete list of Known Issues, see Known Issues. The Known Issues search page allows users to search for Known Issues by version or status.

  • DT448933 : Offense rule email will not work in UP13 because of duplicate common-lang3 jar in ecs-ep pipeline
  • DT447357 : Forwarding events over TLS may cause an error after upgrading to UP12: SelectiveForwarding can trigger 'too many open files' errors and events are not forwarded
  • DT446281 : Data Sync App - Software Install setup : Apps Restore functionality showing validation and Failover is not getting initiated in the new DSApp v3.2.2
  • DT444845 : Known_hosts file on managed hosts is being cleared
  • DT443486 : Ariel out of memory due to map failed
  • DT442680 : Risk Manager rule counting for Check Point not working
  • DT444714 : QRadar UP12 Java 11 warning messages on accumulator_rollup
  • DT439080 : Connection lost from EC to EP: Channel key IO Error
  • DT435875 : AppFW health check time attributes in nva.conf are not honored
  • DT439591 : JSON property extraction does not work with stringify nested objects
  • DT436082 : Applications that uses CentOs and Python2.x base image will not work on QRadar
  • DT423736 : Deployment Configuration option can be inadvertently disabled in config restore page
  • DT423733 : Config restore page checkboxes are not being checked automatically
  • DT400332 : QFlow always consumes a full CPU, even when not doing any work
  • DT423480 : Missing entry in /etc/hosts since change to podman causes unnecessary dns requests
  • DT394273 : Qradar GUI is displaying wrong time on console using Africa/Cairo timezone
  • DT269861 : DSM Editor not parsing if JSON Keys have '\' (backslash) for escape characters
  • DT252085 IJ49388 : ADMINISTRATORS CANNOT CHANGE THE DAY AUTO UPDATES RUNS WHEN THE SCHEDULE IS MONTHLY
  • DT252130 IJ48908 : ASSETS DETAILS UI CAN DISPLAY MULTIPLE INSTANCES OF THE SAME IPV6 ADDRESS
  • DT252119 IJ48732 : ADMINISTRATORS CAN UNEXPECTEDLY RESTORE A DATA SYNCHRONIZATION APPLICATION INITIATED BACKUP FROM THE ADMIN TAB
  • DT252037 IJ46413 : RESTORING A NIGHTLY CONFIG BACKUP FAILS AS DESELECTING LICENSE INCORRECTLY UNCHECKS DEPLOYMENT CONFIGURATION
  • DT217529 IJ46414 : AUTO UPDATES CAN GENERATE 'COULD NOT APPLY QIDMAP UPDATE WITH SERIAL XXXXXXXXX' ERRORS
  • DT242579 IJ44464 : FIELD EXTRACTION BASED ON CUSTOM PROPERTY ONLY EXTRACTS THE LAST PART OF THE VALUE WHEN A SPACE EXISTS IN VALUE
  • DT195808 IJ42551 : SYSTEM MONITORING DASHBOARD EPS/FPM GRAPHS MIGHT NOT DISPLAY AS EXPECTED DUE TO A MULTIKEYCREATOREXPRESSION PREDICATE EXCEPTION

About this installation

These instructions are intended to assist you when you install QRadar 7.5.0 Update Package 14 by using an ISO file. This ISO can install QRadar, QRadar Risk Manager, QRadar Vulnerability Manager, and QRadar Network Insights products to version 7.5.0 Update Package 14.

See QRadar: Software update checklist for administrators for a list of steps to review before you update your QRadar deployment.
 

Installing the QRadar 7.5.0 ISO Update Package 14

These instructions guide you through the process of installing QRadar 7.5.0 Update Package 14.

Important: You can use the verify signature tool to validate the integrity of your downloads from IBM Fix Central. For more information, see How to verify downloads from IBM Fix Central are trusted and code signed.

Procedure

  1. Download the QRadar 7.5.0 Update Package 14 ISO (5.31 GB) from the IBM Fix Central website: 7.5.0-QRADAR-QRFULL-20251017194912


    IMPORTANT: QRadar Incident Forensics uses a unique ISO file to install 7.5.0 Update Package 14. See the Fix Central page for that product to download the correct file.

  2. Use SSH to log in to the Console as the root user.
  3. To run the ISO installer on the Console, type the following command: /media/cdrom/setup
    Important: Installing QRadar 7.5.0 Update Package 14 should take approximately 2 hours on a Console appliance.
  4. Wait for the Console primary update to complete.

    Note: In QRadar 7.3.1 Patch 6, a kernel update was introduced to address issues with appliances failing to log in or list unit files. These issues could prevent the appliance from rebooting. This new kernel does not take effect until the appliance is rebooted. You might need to reboot your system manually for the kernel update to take effect.

    To work around this issue, you must perform a restart of the appliance. To do this, type the reboot command, or use Integrated Management Module (IMM).

Installation wrap up

  1. After all hosts are updated, advise your team that they must clear their browser cache before logging in to QRadar SIEM.
  2. To unmount the /media/cdrom directory on all hosts, type:
    /opt/qradar/support/all_servers.sh -C -k "umount /media/cdrom"
  3. Delete the ISO from all appliances.
  4. If you use WinCollect agents version 7.2.6 or later, you must reinstall the SFS file on the QRadar Console. This is due to issues where the ISO replaces the SFS on the Console with WinCollect 7.2.5 as described here: APAR IV96364. To install the latest WinCollect SFS on the Console, see the WinCollect release notes at WinCollect 101.
  5. Review any static routes or customized routing. As mentioned in the administrator notes, all routes were removed and will need to be reconfigured after the upgrade is complete.
  6. Review any iptables rules that are configured to see if the interface names have changed in QRadar 7.5.0 Update Package 14 due to the Red Hat Enterprise 7 operating system updates affecting them. Update any iptables rules that use Red Hat 6 interface naming conventions.
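
One way to carry out the iptables review in step 6, as an added example that is not part of the IBM release notes or IBM tooling. It assumes that "Red Hat 6 interface naming conventions" means the kernel ethN names (including the iptables wildcard form eth+), and the function names and sample ruleset are constructed for illustration.

```shell
#!/bin/sh
# Added example (not IBM code): list iptables rules that still match on
# Red Hat 6 style interface names. Assumption: those are the kernel ethN
# names, including the iptables wildcard form "eth+".

# Reads rules in iptables-save format on stdin and prints one line per
# hit as "<line number>:<interface>:<rule>".
find_legacy_iface_rules() {
    awk '
        /^[[:space:]]*#/ { next }              # skip comment lines
        {
            for (i = 1; i < NF; i++) {
                is_flag = ($i == "-i" || $i == "-o" ||
                           $i == "--in-interface" || $i == "--out-interface")
                if (is_flag && $(i + 1) ~ /^eth([0-9]+|[0-9]*[+])$/)
                    printf "%d:%s:%s\n", NR, $(i + 1), $0
            }
        }'
}

# Constructed sample ruleset, not taken from a real QRadar host.
sample_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
-A INPUT -i ens192 -p tcp --dport 443 -j ACCEPT
-A FORWARD -o eth+ -j DROP
COMMIT
EOF
}

# Demo on the sample; on a host, pipe the saved rules in instead,
# for example: iptables-save | find_legacy_iface_rules
sample_rules | find_legacy_iface_rules
```

A rule that names an interface the host no longer has never matches, so an ACCEPT or DROP that was relied on before the upgrade can stop applying without any error being reported.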

Results

A summary of the ISO installation advises you of any issues. If there are no issues, you can now SSH to managed hosts and start the installer on each host to run the setup in parallel.

Security Bulletins

IBM QRadar SIEM contains multiple vulnerabilities

IBM QRadar SIEM is affected by privilege escalation (CVE-2025-36007)

IBM QRadar SIEM is affected by cross-site scripting (CVE-2025-36170, CVE-2025-36138)

 


Document Information

Modified date:
29 October 2025

UID

ibm17244260