IBM Support

Release of QRadar 7.6.0 SFS (2026.4.0.20260621205226)

Release Notes


Abstract

This technical note contains installation instructions, and a list of new features and resolved issues for the IBM Security QRadar 7.6.0 (2026.4.0.20260621205226 SFS). These instructions are intended for administrators who are upgrading to QRadar 7.6.0 by using an SFS file.

Content

 

Important: QRadar Incident Forensics Compatibility Notice
QRadar Incident Forensics is not available in the QRadar 7.6.x release stream. Customers currently using QRadar Incident Forensics should remain on, or upgrade to, QRadar version 7.5.0 Update Package 15 (UP15) to maintain support.

Upcoming Auto Update Infrastructure Changes
A new QRadar SIEM Auto Update (AU) server is scheduled to be commissioned as part of a future deployment. Customers will be informed of any necessary steps to maintain uninterrupted access to Auto Update packages.

 

What's New


For more information on new and changed features in QRadar 7.6.0, see What's new in 7.6.0.


Attack Timeline 

QRadar introduces the Attack Timeline to provide a chronological view of offense progression. The timeline displays key milestones, including the initial offense trigger, rule contributions, and when new users, hosts, or log sources are involved. Each milestone includes contextual details such as event names, IP addresses, hostnames, and contributing rules. Analysts can open a drilldown panel to review additional details without leaving the timeline. Progressive loading is used to support investigations with high event volumes. Rendering is optimized to maintain responsiveness during extended analysis sessions. The feature scales from individual analyst workstations to shared SOC displays. Administrators can configure availability and system-level limits to manage performance.

Multi‑Value Custom Event Properties (CEP) 

QRadar now supports extracting and storing multiple values for a single custom event property. The DSM editor can capture repeated matches and persist them as a list. Events that contain repeating fields retain all relevant values instead of a single parsed instance. The user interface indicates when a custom property contains multiple values. UI searches evaluate all values associated with the property. AQL queries also process all captured values consistently. Parsing and query performance are preserved through optimized handling. This update improves analysis of modern event formats with list-based data.

Custom Event Property Parsing Order (API Control) 

QRadar adds API support for retrieving and modifying the execution order of custom event property parsing expressions. Administrators can use the API to standardize parsing order across environments. Changes made through the API are reflected in the DSM editor for visibility. Impact analysis identifies potential parsing conflicts before changes are applied. This capability supports automated configuration management workflows. Predictable parsing behavior is maintained when multiple expressions apply to the same event data. The update reduces inconsistencies in field extraction. Event classification accuracy is improved at scale.

RDP Fingerprinting (RDFP) 

QRadar Network Insights (QNI) now monitors RDP (Remote Desktop Protocol) traffic with high-level visibility by identifying insecure encryption, inspecting payloads for threats, and detecting anomalous behavior, such as unauthorized access. QNI analyzes RDP traffic at layer 7, allowing detection of non-standard ports or suspicious authentication attempts. RDP fingerprints are stored in Ariel for correlation and search. Analysts can review fingerprint information in network activity to detect possible lateral movement, generate offenses, and take timely action.

Bulk Asset Management APIs 

QRadar introduces APIs that support bulk creation and deletion of assets. With this Bulk Assets API, users can perform multiple operations, such as creating and deleting assets, in a single request. These operations are processed asynchronously in the background, allowing users to track progress and view results through a status endpoint. The status endpoint provides detailed information for each operation, including any failure error messages, helping reduce manual effort and making asset management easier and more efficient.

Red Hat NetworkManager Adoption 

The transition to Red Hat NetworkManager provides QRadar with a modern, standardized infrastructure for managing network devices and configurations. This approach aligns with Red Hat’s roadmap for RHEL 9 and RHEL 10, ensuring long-term compatibility and support. NetworkManager introduces flexible management options through multiple interfaces, including CLI, API, and message bus, enabling deeper integration with QRadar deployment workflows. 

By replacing older custom scripts with NetworkManager, QRadar simplifies network configuration and reduces complexity, minimizing the risk of errors during setup and maintenance. Administrators benefit from improved efficiency and consistency, making it easier to manage network settings across deployments. This update also provides the foundation for future enhancements in security and scalability, while delivering general stability and usability improvements for a more reliable experience.

Editable Log and Network Activity Filters 

Search filters in Log Activity and Network Activity are now editable, simplifying workflows and improving efficiency. Filter input functionality has also been improved to support lists of values and configurable delimiters. The “Offense is” filter remains excluded from editing.

Cloud High Availability (AWS) Preparation 

Preparation work for Cloud High Availability on AWS is completed. NetworkManager migration is finalized for multi-host deployments. Packaging supports both new AMI installations and upgrade scenarios. Signed RPMs are included for secure deployment. Health-check documentation supports operational verification. Troubleshooting guidance is provided for common issues. Internal support workflows are aligned with the changes. This work establishes a foundation for AWS Cloud HA enablement.

DC-DR Health-Check Dashboard API for 24x7 Resilience Validation (Phase 1)

Available in QRadar 7.6.0, this API enables network connectivity checks between DC and DR environments and is invoked by the Data Synchronization app. Support will be included in Data Synchronization app version 4.0.0. The DC-DR Health Dashboard provides a single-pane view of resilience posture with automated failover/failback validation checks, available on demand or on a schedule. It includes network connectivity, backup and storage, deployment topology, and system configuration checks to help reduce operational risk during site outages.

Improved Search Filtering Capabilities 

The Managed Search Results page now includes a new text‑based filter, enabling administrators to efficiently filter search results across most search properties.

TLS 1.3 Decryption Capability (QNI) 

QRadar Network Insights now supports controlled decryption of TLS 1.3 traffic when organizations use approved SSL proxies or key-based setups. This helps SOC teams see the full content of network traffic for better threat detection and investigation. The feature is designed with strict policy and audit controls to ensure it is used only where allowed. Users can choose between basic metadata view or full decrypted inspection based on their security needs and compliance rules.

Performance improvements

  • Building on the search performance improvements introduced in QRadar 7.5 UP15, searches of events and flows that use Reference Set filters are further improved, with up to a 5x speedup.
  • The maximum rate at which CRE rule responses add data to Reference Data structures is increased by 2x.

Attention

Following changes in QRadar 7.6.0, high availability systems that host apps (either the Console or an App Host) now use the shared VIP address for any routing done by applications that communicate with the internet. This may cause issues with internet communication by QRadar apps in some environments.

If any 3rd party devices or software (VPN, firewall, etc.) are configured to use the HA host's physical IPs in order to allow internet communication from the QRadar host/apps, communication may break after upgrading to 7.6.0 if any such device is not expecting the VIP.

As the change implemented in 7.6.0 is by design, adjustments should be made on the 3rd party device(s) to account for the VIP now being used for communication between QRadar apps and the internet. IBM QRadar Support cannot assist with or support 3rd party software.

Resolved Issues


The Known Issues listed below are resolved in QRadar 7.6.0. For a complete list of Known Issues, see Known Issues. The Known Issues search page allows users to search for Known Issues by version or status.

Some Known Issues links might take 24 hours to display properly after a software release is posted to IBM Fix Central.

The following is a list of Known Issues fixed in QRadar 7.6.0:


  • DT446559 QRadar backup archives over 512MB are too large to be uploaded via the Admin tab / Configuration Backup and Restore UI

  • DT100500 IJ30910: HOVER OVER EVENT USERNAME LDAP LOOKUP FEATURE DOES NOT WORK AS EXPECTED

  • DT251834 IJ33118: BOTH EVENT AND FLOW DATA BACKUPS ARE PERFORMED WHEN ONLY EVENT OR FLOW DATA IS SELECTED

  • DT252117 IJ47680: CISCO FIREPOWER MANAGEMENT CENTER TRUSTSTORE FILES ARE NOT INCLUDED IN THE NIGHTLY CONFIGURATION BACKUP

  • DT398595 Podman memory error during application install

  • DT245654 IJ48884: SAML MODULE CAN WRITE XML TO QRADAR.LOG CAUSING SIM GENERIC EVENTS ON THE LOG ACTIVITY TAB

  • DT366017 No message is logged, if the weekly and monthly reports fail to generate when aggregated properties are not found

  • DT393676 QRadar: LDAP groups mapped to User Roles or Security Profiles with special characters in their names are not visible in the UI after a deployment

  • DT397709 Changes in System Settings can be made using the mouse scroll wheel

  • DT419502 After uninstalling high availability in QRadar on a hardware appliance, the standalone primary host might fail to boot

  • DT449628 DSM Editor crashes and becomes unstable when opened for Custom Log Source types due to bad regex parsing.

  • DT450797 After upgrade to 7.5.0 UP12, reports are queued and no report is executed with exception java.lang.NoClassDefFoundError: javax.xml.ws.Service

  • DT453707 Support for 0.0.0.0 and 255.255.255.255 IP addresses were removed following IPv6-related core changes, causing incorrect source IP handling in log activity

  • DT457033 QNI & QIF X-Force DB's are not as current as X-Force Threat Intelligence's live feed

  • DT457664 XML root element disappears from DSM Editor Workspace when using XML Expression with path "/", preventing accurate field extraction setup.

  • DT457449 Data Synchronization App: Unable to purge old backup files due to concurrent modification exception

  • DT462547 TCPSyslog: Blank Payload Events Visible When Empty Syslog Messages Are Received via UDP

  • DT450761 Error During Restore "asset_reporting.vulninstance_daily" does not exist

  • DT460478 QRadar: jsch jar removed from ecs-ec-ingress packaging in UP14 IF02

  • DT461358 While deleting/modifying a Custom Event Property the Dependency check sometimes fails displaying the message "Error occurred while searching for dependents."

  • DT461409 Report generation fails when payload contains special characters

  • DT469594 Deployment fails if QNI flow source has DTLS Enabled

  • DT464621 Report PDF generation fails with `fo:static-content is not a valid child of fo:table-body` when report data spans multiple page sequences

  • DT465347 Backup and Restore | POST API | Backup API to take config backup fails with 500 Internal server error

  • DT466765 Backups are failing after patching to UP15 IF01

  • DT471698 QRadar: Legacy patch mode skips or ignores manual input if the patch.conf file exists

 

Known Issues

  • DT473994 Attack Timeline Filter Error for Special Character Username with Backend Exceptions in qradar.error

  • DT474000 Reports - Limit not applying on MV CEP

  • DT472949 Editing bonds can cause the bond and interfaces to become disabled

  • DT474010 CEP Regex test returning incorrect result 

  • DT473913 EP/EFP/FP timebomb license will not update to PERPETUAL after expiry

  • DT474013 Dashboard Widget Displays "An exception has occurred" Error While Saving Widget Configuration

 

Upgrade information


QRadar 7.6.0 resolves reported issues from users and administrators from previous QRadar versions. This cumulative software update fixes known software issues in your QRadar deployment. QRadar software updates are installed by using an SFS file, and update all appliances attached to the QRadar Console.

The 760-QRADAR-QRSIEM-2026.4.0.20260621205226 SFS file can upgrade the following QRadar versions to QRadar 7.6.0:

  • QRadar 7.5.0 Update Package 10
  • QRadar 7.5.0 Update Package 10 Interim Fix 01 to Interim Fix 02
  • QRadar 7.5.0 Update Package 11
  • QRadar 7.5.0 Update Package 11 Interim Fix 01 to Interim Fix 04
  • QRadar 7.5.0 Update Package 12
  • QRadar 7.5.0 Update Package 12 Interim Fix 01 to Interim Fix 03
  • QRadar 7.5.0 Update Package 13
  • QRadar 7.5.0 Update Package 13 Interim Fix 01 to Interim Fix 02
  • QRadar 7.5.0 Update Package 14
  • QRadar 7.5.0 Update Package 14 Interim Fix 01 to Interim Fix 05
  • QRadar 7.5.0 Update Package 15
  • QRadar 7.5.0 Update Package 15 Interim Fix 01 to Interim Fix 04
 

This document does not cover all of the installation messages and requirements, such as changes to appliance memory requirements or browser requirements for QRadar. To review any additional requirements, see the QRadar Upgrade Guide.

See QRadar: Software update check list for administrators for a list of steps to review before you update your QRadar deployment.

Before you begin

Ensure that you take the following precautions:

  • Back up your data before you begin any software upgrade. For more information about backup and recovery, see the QRadar Administration Guide.
  • To avoid access errors in your log file, close all open QRadar sessions.
  • The QRadar software update cannot be installed on a managed host that is at a different software version from the Console. All appliances in the deployment must be at the same software revision to update the entire deployment.
  • Verify that all changes are deployed on your appliances. The update cannot install on appliances that have changes that are not deployed.
  • If this is a new installation, review the instructions in the QRadar Installation Guide.
 

Installing the QRadar 7.6.0 Software Update


These instructions guide you through the process of upgrading an existing QRadar version to QRadar 7.6.0. To update appliances in parallel, see QRadar: How to Update Appliances in Parallel.

Procedure

  1. Download the software update to install QRadar 7.6.0 from the IBM Fix Central website: 7.6.0-QRADAR-QRSIEM-20260621205226

    Important: Confirm that you are installing the correct SFS file by checking its sha256sum value against the value published on Fix Central.

    Note: To confirm QRadar 7.6.0 is code signed by IBM, you must use the latest code signing utility 1.0.2. For more information, see https://ibm.biz/qradarcodesigning.
  2. Use SSH to log in to your Console as the root user.
  3. To verify you have enough space (10GB) in /store/tmp for the QRadar Console, type the following command:

      df -h /tmp /storetmp /store/transient | tee diskchecks.txt
    • Best directory option: /storetmp

      It is available on all appliance types at all versions. In QRadar 7.6.0 versions /store/tmp is a symlink to the /storetmp partition.

If the disk check command fails, retype the quotation marks from your terminal, then rerun the command. The command writes its output to both the command window and a file on the Console named diskchecks.txt. Review this file to ensure that all appliances have a minimum of 10GB of space available in a directory to copy the SFS to before you attempt to move the file to a managed host. If required, free up disk space on any host that has less than 10GB available.

Note: In QRadar 7.3.0 and later, an update to directory structure for STIG-compliant directories reduces the size of several partitions. This can impact moving large files to QRadar.

  4. To create the /media/updates directory, type the following command:

      mkdir -p /media/updates
  5. Use SCP to copy the files to the /storetmp directory on the QRadar Console, or to a location with 10GB of disk space.
  6. Change to the directory where you copied the patch file. For example,

      cd /storetmp
  7. To mount the patch file to the /media/updates directory, type the following command:

      mount -o loop /storetmp/760-QRADAR-QRSIEM-2026.4.0.20260621205226.sfs /media/updates

  8. To run the patch installer, type the following command:

      /media/updates/installer

    Note: The first time that you run the software update, there might be a delay before the software update installation menu is displayed.

  9. Using the patch installer, select all.
    • The all option updates the software on all appliances in the following order:
      1. Console
      2. No order required for remaining appliances. All remaining appliances can be updated in any order that you require.
    • If you do not select the all option, you must select your Console appliance.

      As of QRadar 7.2.6 Patch 4 and later, you are only provided the option to update all or update the Console appliance. Managed hosts are not displayed in the installation menu to ensure that the Console is patched first. After the Console is patched, a list of managed hosts that can be updated is displayed in the installation menu. This change was made starting with QRadar 7.2.6 Patch 4 to ensure that the Console appliance is always updated before managed hosts to prevent upgrade issues.

      If you want to patch systems in series, you can update the Console first, then copy the patch to all other appliances and run the patch installer individually on each managed host. The Console must be patched before you can run the installer on managed hosts. When updating in parallel, there is no order required in how you update appliances after the Console is updated.

      If your Secure Shell (SSH) session is disconnected while the upgrade is in progress, the upgrade continues. When you reopen your SSH session and rerun the installer, the patch installation resumes.
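
The checksum confirmation from step 1 and the 10GB free-space check from step 3 can be combined into one pre-flight script that is run before the SFS is mounted. This is an added example, not IBM code or part of the original note; the function names are hypothetical, and the script assumes the SFS path and the SHA-256 value published on Fix Central are passed as arguments.

```shell
#!/bin/bash
# Added example: pre-flight checks before mounting a QRadar SFS file.
# Assumed usage: preflight.sh <path-to-sfs> <sha256-value-from-Fix-Central>

MIN_KB=$((10 * 1024 * 1024))   # 10GB, the minimum free space the procedure asks for

# Succeeds only if the file's SHA-256 equals the expected value (case-insensitive).
verify_sha256() {
    local file="$1" expected actual
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
    # Reject anything that is not a 64-character hex digest
    case $expected in
        *[!0-9a-f]*) echo "expected value is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "expected value is not 64 hex characters" >&2; return 2; }
    actual=$(sha256sum "$file" | awk '{print $1}')
    [ "$actual" = "$expected" ]
}

# Prints the free space of a directory in KB; prints 0 if df cannot read it.
free_kb() {
    local kb
    kb=$(df -Pk "$1" 2>/dev/null | awk 'NR==2 {print $4}')
    echo "${kb:-0}"
}

# Prints the first existing directory with at least $1 KB free; fails if none qualifies.
pick_staging_dir() {
    local need="$1" dir
    shift
    for dir in "$@"; do
        if [ -d "$dir" ] && [ "$(free_kb "$dir")" -ge "$need" ]; then
            echo "$dir"
            return 0
        fi
    done
    return 1
}

# Runs both checks; candidate directories are the ones named in step 3.
preflight() {
    local dir
    verify_sha256 "$1" "$2" \
        || { echo "FAIL: checksum not confirmed, do not mount $1" >&2; return 1; }
    dir=$(pick_staging_dir "$MIN_KB" /storetmp /store/transient /tmp) \
        || { echo "FAIL: no directory with 10GB free" >&2; return 1; }
    echo "OK: checksum verified; stage the SFS in $dir"
}

# Run only when both arguments are supplied
if [ "$#" -ge 2 ]; then
    preflight "$@"
fi
```

The script checks only the local host; the code-signing check mentioned in the step 1 note is a separate step performed with IBM's utility.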

Installation wrap-up

  1. If a system reboot is not initiated after the patch completes and you have exited the installer, type the following command:

      umount /media/updates
  2. Clear your browser cache before you log in to the Console.
  3. Delete the SFS file from all appliances.
  4. For administrators with managed WinCollect 7 agents, upgrades to 7.6.0 require WinCollect version 7.3.1 Patch 4. Depending on your upgrade path, you might be required to update your WinCollect agent version on the Console. For more information, see the WinCollect 7.3.1 Patch 4 release notes.
  5. To run AQL queries that use geographic data or the flags on the Log Activity tab, update to the latest database from MaxMind after you upgrade to QRadar 7.6.0.
     

Results

A summary of the software update installation advises you of any managed hosts that were not updated. If the software update fails to update a managed host, you can copy the software update to the host and run the installation locally.

After all hosts are updated, send an email to your team to inform them that they will need to clear their browser cache before they log in to the QRadar SIEM interface.

 

 


Document Information

Modified date:
30 June 2026

UID

ibm17274475