IBM Support

Release of QRadar 7.5.0 Update Package 15 ISO (2021.6.15.20260306120301)

Release Notes


Abstract

A list of the installation instructions, new features, and resolved issues for the release of IBM Security QRadar 7.5.0 Update Package 15 (7.5.0-QRADAR-QRFULL-2021.6.15.20260306120301). These release notes apply to QRadar, QRadar Vulnerability Manager, QRadar Risk Manager, and QRadar Network Insights. These instructions are intended for administrators who want to install QRadar 7.5.0 Update Package 15 by using an ISO file.

Content

 

What's new

 
For more information on new and changed features in QRadar 7.5.0, see What's new in 7.5.0.


Enhancements to Tiered Storage

Tiered Storage has been significantly enhanced to improve performance and reliability during data migrations and rebalancing. The update introduces faster re-indexing with concurrency, smarter error handling, and automatic recovery from interruptions. Administrators can now bulk edit policies through both the UI and API, receive real-time notifications for ongoing operations, and view detailed status banners for better visibility. Additional safeguards protect Hot Tier disk space, and per-cluster policies provide granular control over storage configurations. These improvements make managing large-scale storage environments more predictable and efficient, ensuring better control and resource optimization.

Multiple Log Source Identifiers

Users with the appropriate permissions to edit a log source can now configure multiple identifiers for that log source. This provides greater flexibility when device hostnames, IP addresses, or other identifiers change during activities such as migrations. By allowing additional identifiers to be manually associated with an existing log source, this enhancement helps prevent duplicate entries and improves log source management.

Important clarifications:

  • No automatic changes after UP15: Updating to UP15 will not automatically modify any existing log sources in QRadar.

  • No automatic merging: The feature does not automatically add or combine identifiers. All additional identifiers must be manually configured by users with the appropriate permissions.

  • No multi‑identifier auto discovery: Auto discovered log sources will not be assigned multiple identifiers automatically.

  • Planned migrations: To maintain continuous log collection during activities like hostname changes, users should manually add new identifiers ahead of time to the existing log source.

   This capability provides more flexibility and control in complex deployments, reduces the risk of duplicate log sources, and supports uninterrupted log ingestion during planned transitions.

Backup Generation and Restore with Digital Signature
 

Backup Generation and Restore with Digital Signature adds a secure process for creating and restoring backups with cryptographic validation. Beginning with this release, all new backups are automatically signed using the host’s private key and verified during restoration with the corresponding trusted public key. This ensures each backup’s authenticity and integrity, reducing the risk of data corruption, tampering, or unauthorized changes. The feature scales across all QRadar deployments after upgrade, aligning fully with the existing backup and restore framework. It also improves disaster recovery by enabling verified, trusted transfers across paired sites, helping minimize downtime and protect critical data. These enhancements strengthen security, support compliance, and provide greater confidence in overall system integrity. With this update, organizations gain a scalable and trusted backup solution that meets both regulatory and operational needs.

Improved AQL Error Handling and Indexed Field Visibility in Ariel API

This release strengthens AQL query handling with improved error reporting and visibility into indexed fields. The Ariel API now includes the “is indexed” property accessible through the endpoint GET /ariel/databases/{database_name}, enabling users to identify indexed fields for optimized query performance. Enhanced syntax error detection pinpoints issues and their exact location, reducing troubleshooting time.

Custom Rule Engine (CRE) Versioning and History

The rule versioning enhancements improve QRadar’s rule management by adding advanced version tracking and comparison capabilities. Users can now compare any two rule versions, capture detailed commit messages, and maintain accurate version history for user and modified rules. UI refinements and permission-based controls ensure a smoother experience and restrict actions to authorized users. Dependency checks help prevent misconfigurations during rule reverts, reducing operational risk. These improvements simplify troubleshooting and rollback processes, making rule management more efficient and reliable.

JA4 Fingerprinting in QNI

QRadar Network Insights (QNI) now supports JA4 fingerprinting for TLS traffic, enabling advanced analysis of encrypted sessions without exposing sensitive handshake details. This feature uses hash-based fingerprints to identify anomalous clients and detect unusual patterns in TLS communications. By improving detection accuracy while maintaining privacy, JA4 fingerprinting strengthens threat analysis workflows and aligns with modern security practices for encrypted traffic monitoring.

Improve locking scalability in DomainizedStorage2 for up to 50x speedup in search when using reference data filters

Searches of events and flows that use Reference Data filters are now up to 50 times faster. The maximum benefit is achieved on systems where the storage system performance allows it, such as QRadar 1648 appliances.

Resolved issues

The Known Issues listed below are resolved in QRadar 7.5.0 Update Package 15. For a complete list of Known Issues, see Known Issues. The Known Issues search page allows users to search for Known Issues by version or status.


The following is a list of Known Issues fixed in QRadar 7.5.0 Update Package 15:

  • DT459103 - Hybrid DR setup flow - Remove stale references of deleted Managed Hosts and Managed Host HA prior to failover and failback

  • DT462724 - Rule Version History does not update Author properly

  • DT462261 - After UP14, QFlow continuously logs "ERSPAN is disabled" messages, flooding qradar.log and making it unusable for operational troubleshooting.

  • DT458513 - Unable to assign search to groups because the 'Assign Search to Group(s)' list doesn't load.

  • DT460873 - Hybrid Flow : Manage host_tokens.masterlist and host.token files during restoration

  • DT460865 - Hybrid Flow: After failover/failback system throwing time out in first attempt of deploy changes for paired MH on DR site

  • DT433277 - "Invalid License Key" Warning on QRadar UI

  • DT453179 - PROPERTY NAME IS NOT DISPLAYED AS EXPECTED FOR PROPERTIES USED IN AN AQL (ADVANCED SEARCH) UP7.5.x

  • DT119242 - IJ36282: PROPERTY NAME IS NOT DISPLAYED AS EXPECTED FOR PROPERTIES USED IN AN AQL (ADVANCED SEARCH)

  • DT214373 - IJ46429: QRADAR ASSET NAMES MIGHT NOT BE DISPLAYED ON THE ASSETS SCREEN OR NOT BE INCLUDED IN A VULNERABILITY REPORT AFTER BEING UPDATED

  • DT241221 - IJ48738: HA SECONDARY DISK SPACE ISSUES CAN OCCUR WHEN FILES FOR OLDER VERSIONS OF ECS ARE NOT REMOVED

  • DT252105 - IJ49396: DROPPED FLOW QRADAR SYSTEM NOTIFICATIONS ONLY DISPLAY FOR THE CONSOLE IP

  • DT391311 - Disabling FIPS mode using the qradar_fips_update.sh script fails to update grub properly

  • DT396265 - In high availability configurations, internet connections from QRadar apps use the active host's physical IP instead of the shared virtual IP

  • DT433440 - QRadar: Unable to uncheck "Enable for use in Rules, Forwarding Profiles and Search Indexing" due to the incorrect dependency API call

  • DT422542 - Autoupdate may fail due to long running transaction on Vulnerabilities database table

  • DT424465 - Issues with CRE Event Names After Restoring Partial Configuration Backup

  • DT434387 - When user select multiple CEP and try to deletes it directly deletes it without going for dependency check.

  • DT442472 - Asset Quick Search is not working

  • DT444459 - QNI fails to parse X.509 Common Names containing a comma followed by a space (', ')

  • DT444767 - Historical correlation won't start after patching from UP11, UP12 and UP13

  • DT450117 - QRM Policy Questions Failing to Return Results Due to Missing Index in vulninstance Table

  • DT454175 - Parallel Patching - "Check patching status" and "View live report" options show different results

  • DT450110 - QRM Policy question throwing error "Question submission failed due an unexpected problem"

  • DT454173 - LVM warning menu should not show up on MH that is not configured with LVM

  • DT451485 - QRM Policy question monitor "by policy" not working as expected

  • DT450854 - QRadar: DSM Editor fails to map subsequent events after first mapping in Update Package (UP) 13

  • DT452406 - QRadar: Log Activity, Network Activity, and Offenses Tab table width have changed and are no longer visible in a single view after UP11 if the screen aspect ratio is set to something other than 16:9.

  • DT456524 - Persistent queues will not empty on Event Collectors disconnecting from port 32005 to event Processors

  • DT456361 - Qflow Spoofing forwarding fails with error 'Failed to retrieve MAC address for 192.xx.xx.xx.'

  • DT455159 - Risk Manager - "Rules of Device" Window, Event Button Greyed out.

  • DT455273 - QRadar Risk Manager - Attack Path is displayed but unreadable

  • DT455164 - Risk Manager - Search on Rules fails on multiple selections

  • DT458611 - QRadar 7.5.0.14+ : Backup restoration fails on destination site due to foreign key constraint violation: fk_flowsource_lookup

  • DT096809 - IJ31090: INDEX MANAGEMENT CAN DISPLAY ZEROS (0) ACROSS ALL COLUMNS WHEN A LARGE TIME RANGE IS CHOSEN

  • DT251833 - IJ34636: RSS FEEDS WIDGET IS NO LONGER WORKING

  • DT461409 - Report generation fails when payload contains special characters

  • DT464278 - QuickFilter not taking advantage of the Lucene index, causing slow searching

Known Issues

  • DT464215 - Risk Manager - Search on Rules fails on multiple selections

  • DT465347 - Backup and Restore | POST API | Backup API to take config backup fails with 500 Internal server error

  • DT465384 - Syslog Event Timeout Resets to Default After Saving “Never timeout” Selection

  • DT465400 - Quick Log Source Creation Triggers an Error When “Use Default Timeout (720)” Is Selected

About this installation

These instructions are intended to assist you when you install QRadar 7.5.0 Update Package 15 by using an ISO file. This ISO can install QRadar, QRadar Risk Manager, QRadar Vulnerability Manager, and QRadar Network Insights products to version 7.5.0 Update Package 15.

See QRadar: Software update checklist for administrators for a list of steps to review before you update your QRadar deployment.
 

Installing the QRadar 7.5.0 ISO Update Package 15

These instructions guide you through the process of installing QRadar 7.5.0 Update Package 15.

Important: You can use the verify signature tool to validate the integrity of your downloads from IBM Fix Central. For more information, see How to verify downloads from IBM Fix Central are trusted and code signed.

Procedure

  1. Download the QRadar 7.5.0 Update Package 15 ISO (5.31 GB) from the IBM Fix Central website: 7.5.0-QRADAR-QRFULL-20260306120301


    IMPORTANT: QRadar Incident Forensics uses a unique ISO file to install 7.5.0 Update Package 15. See the Fix Central page for that product to download the correct file.

  2. Use SSH to log in to the Console as the root user.
  3. To run the ISO installer on the Console, type the following command: /media/cdrom/setup
    Important: Installing QRadar 7.5.0 Update Package 15 should take approximately 2 hours on a Console appliance.
  4. Wait for the Console primary update to complete.

    Note: In QRadar 7.3.1 Patch 6, a kernel update was introduced to address issues with appliances failing to log in or list unit files. These issues could prevent the appliance from rebooting. This new kernel does not take effect until the appliance is rebooted. You might need to reboot your system manually for the kernel update to take effect.

    To work around this issue, you must perform a restart of the appliance. To do this, type the reboot command, or use Integrated Management Module (IMM).

Installation wrap up

  1. After all hosts are updated, advise your team that they must clear their browser cache before logging in to QRadar SIEM.
  2. To unmount the /media/cdrom directory on all hosts, type:
    /opt/qradar/support/all_servers.sh -C -k "umount /media/cdrom"
  3. Delete the ISO from all appliances.
  4. If you use WinCollect agents version 7.2.6 or later, you must reinstall the SFS file on the QRadar Console. This is due to issues where the ISO replaces the SFS on the Console with WinCollect 7.2.5 as described here: APAR IV96364. To install the latest WinCollect SFS on the Console, see the WinCollect release notes at WinCollect 101.
  5. Review any static routes or customized routing. As mentioned in the administrator notes, all routes were removed and will need to be reconfigured after the upgrade is complete.
  6. Review any iptables rules that are configured to see if the interface names have changed in QRadar 7.5.0 Update Package 15 due to the Red Hat Enterprise 7 operating system updates affecting them. Update any iptables rules that use Red Hat 6 interface naming conventions.
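
One way to carry out the interface-name review in step 6, shown as an added example that is not part of the IBM release notes or any QRadar tooling. The function names, the sample rules, and the interface list (lo, ens192, ens224) are constructed for illustration; the rules are assumed to be in iptables-save format.

```bash
#!/usr/bin/env bash
# Added example (not IBM code): list firewall rules bound to interface names
# that are not present on the host, for example eth0 left over from Red Hat 6.

# Constructed sample in iptables-save format; not taken from a real host.
sample_rules() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
-A INPUT -i ens192 -p tcp --dport 443 -j ACCEPT
-A FORWARD -i eth1 -o ens224 -j ACCEPT
-A INPUT ! -i eth0 -p udp --dport 514 -j DROP
-A OUTPUT -o ens+ -j ACCEPT
-A INPUT -i eth+ -p icmp -j ACCEPT
COMMIT
EOF
}

# stale_interface_rules "IFACE IFACE ..."
# Reads rules on stdin and prints "line:interface:rule" for every interface
# match (-i, -o or the long forms) that names no interface in the given list.
stale_interface_rules() {
  awk -v present="$1" '
    BEGIN { n = split(present, p, " "); for (k = 1; k <= n; k++) ok[p[k]] = 1 }
    /^-[AI] / {
      for (f = 1; f < NF; f++) {
        if ($f != "-i" && $f != "-o" &&
            $f != "--in-interface" && $f != "--out-interface") continue
        name = $(f + 1); found = 0
        if (substr(name, length(name)) == "+") {   # trailing + is a wildcard
          stem = substr(name, 1, length(name) - 1)
          for (i in ok) if (stem == "" || index(i, stem) == 1) found = 1
        } else if (name in ok) found = 1
        if (!found) printf "%d:%s:%s\n", NR, name, $0
      }
    }'
}

# On a live host the list would come from /sys/class/net and the rules from
# iptables-save; here both are the constructed values above.
sample_rules | stale_interface_rules "lo ens192 ens224"
```

Each reported line is a rule that no longer matches any traffic on the updated host, which for an ACCEPT rule means blocked access and for a DROP rule means a filter that silently stopped applying.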

Results

A summary of the ISO installation advises you of any issues. If there are no issues, you can now SSH to managed hosts and start the installer on each host to run the setup in parallel.

 

Security Bulletins

 


Document Information

Modified date:
18 March 2026

UID

ibm17257011