Visual insights, faster investigations, simpler deployments.
When your team investigates dozens of offenses daily, every click counts. With Update 13, we addressed pain points and made key improvements to help you see more, investigate better and deploy faster. Network visibility that once required procurement cycles now happens instantly. Device tracking is more resilient in dynamic environments. These aren't incremental improvements; they're solutions to the friction points that slow down every SOC.
Here's how Update 13 transforms your security operations.
1. Understand Threats at a Glance
(A) Infographic-Based Visualizations in the Offense Tab
The new Infographic Offense View transforms how analysts understand security incidents. Instead of clicking through multiple screens to piece together what happened, you now get:
- Timeline views of offenses to monitor activity trends.
- Magnitude-based ranking to prioritize offenses effectively.
- Host-based categorization to quickly identify targeted assets.

(B) Partial search result visibility
The same spirit translates to search. During active investigations, you can now see up to 1,000 partial search results (up from 40) while your query is still running. This enhancement provides greater visibility into long-running searches, enabling users to explore more data in real-time and identify potential filters to refine results while the query is still executing.
Taken together, these changes remove the need to switch between screens to build the context of an attack; an analyst can take it in at a glance.
2. Better Network Visibility without the Extra Hardware
Update 13 introduces two key capabilities that expand what QRadar SIEM can see across your network:
(A) ERSPAN Traffic Support

QRadar SIEM now accepts ERSPAN (Encapsulated Remote Switched Port Analyzer) traffic directly from your network switches, so mirrored packets arrive over a GRE tunnel instead of through a dedicated tap or capture appliance. This means:
- Hybrid and cloud infrastructures can be monitored more consistently, with the same traffic analysis applied across the entire network.
- QRadar can perform detailed packet inspection on the mirrored traffic and use it to enrich flow records, detecting threats that may bypass traditional flow analysis. This improves the ability to identify APTs and policy violations and strengthens security posture.
- Significant cost savings, since no additional capture hardware is needed at every site.
One practical caveat: mirrored traffic travels as plain GRE, so carry ERSPAN sessions over a network path you trust, and watch switch CPU and uplink load when mirroring busy ports.
(B) MAC Address Tracking with QFlow, sFlow and Packeteer data

Layer-2 fidelity also gets a lift with MAC-aware flows. Previously, flow records in QRadar carried only IP-based identifiers. Update 13 adds source and destination MAC addresses to QFlow, sFlow and Packeteer flow data, so you can:
- identify assets even when IP addresses keep changing because of DHCP
- improve network forensics and lateral-movement detection
- improve correlation accuracy and reduce false positives in threat detection
- better monitor policy enforcement in segmented networks and detect violations at the hardware level
In effect, each flow now carries a layer-2 "fingerprint" of the endpoint, which lets unauthorized devices be spotted across subnets, strengthens device correlation and reduces false positives. Keep in mind that a MAC address is only meaningful on the layer-2 segment where the flow is observed: once traffic has crossed a router, the MAC recorded is the router interface's, so place your flow sources (or ERSPAN sessions) on the segments whose devices you want to track.
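The two capabilities above meet in the packet itself: an ERSPAN session wraps the mirrored Ethernet frame in GRE, and that inner frame is where the source and destination MACs live. The following is an added example, not QRadar code or IBM's decapsulation logic: a small Python parser for GRE + ERSPAN Type II that pulls out the session ID, VLAN, both MACs and both IPv4 addresses, plus a constructed sample packet so it runs offline. The sample addresses and session numbers are made up for the example.

```python
import struct

# Constants from the GRE (RFC 2784/2890) and ERSPAN Type II encapsulations.
GRE_PROTO_ERSPAN_II = 0x88BE
GRE_FLAG_CHECKSUM = 0x8000
GRE_FLAG_KEY = 0x2000
GRE_FLAG_SEQ = 0x1000
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_VLAN = 0x8100


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def parse_erspan(payload):
    """Decapsulate an IP payload carrying GRE + ERSPAN Type II + a mirrored
    Ethernet/IPv4 frame. Returns the layer-2 and layer-3 identifiers a
    MAC-aware flow record would keep, or raises ValueError on bad input."""
    if len(payload) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", payload[:4])
    if proto != GRE_PROTO_ERSPAN_II:
        raise ValueError("GRE protocol 0x%04x is not ERSPAN Type II" % proto)
    off = 4
    # Optional GRE fields appear in this order: checksum+reserved, key, sequence.
    if flags & GRE_FLAG_CHECKSUM:
        off += 4
    if flags & GRE_FLAG_KEY:
        off += 4
    seq = None
    if flags & GRE_FLAG_SEQ:
        if len(payload) < off + 4:
            raise ValueError("truncated GRE sequence number")
        seq = struct.unpack("!I", payload[off:off + 4])[0]
        off += 4
    # ERSPAN Type II header (8 bytes):
    #   Ver(4) VLAN(12) COS(3) En(2) T(1) Session(10) | Reserved(12) Index(20)
    if len(payload) < off + 8:
        raise ValueError("truncated ERSPAN header")
    word1, _index = struct.unpack("!II", payload[off:off + 8])
    if word1 >> 28 != 1:
        raise ValueError("unsupported ERSPAN version %d" % (word1 >> 28))
    vlan = (word1 >> 16) & 0x0FFF
    session_id = word1 & 0x03FF
    off += 8
    # Mirrored Ethernet frame: this is where the MAC addresses come from.
    eth = payload[off:]
    if len(eth) < 14:
        raise ValueError("truncated inner Ethernet frame")
    dst_mac, src_mac = eth[:6], eth[6:12]
    ethertype = struct.unpack("!H", eth[12:14])[0]
    ip_off = 14
    if ethertype == ETHERTYPE_VLAN:
        # The mirrored frame kept its 802.1Q tag; prefer that VLAN over the header's.
        if len(eth) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", eth[14:18])
        vlan = tci & 0x0FFF
        ip_off = 18
    if ethertype != ETHERTYPE_IPV4 or len(eth) < ip_off + 20:
        raise ValueError("inner frame is not a complete IPv4 packet")
    ip = eth[ip_off:]
    return {
        "gre_seq": seq,
        "session_id": session_id,
        "vlan": vlan,
        "src_mac": mac_str(src_mac),
        "dst_mac": mac_str(dst_mac),
        "src_ip": ".".join(str(b) for b in ip[12:16]),
        "dst_ip": ".".join(str(b) for b in ip[16:20]),
    }


def build_sample(tagged=False):
    """Constructed ERSPAN Type II packet (IP payload only) for offline use:
    GRE with a sequence number, session 5 on VLAN 100, mirroring a TCP/IPv4
    frame from 10.1.2.3 to 10.9.8.7. With tagged=True the inner frame keeps
    an 802.1Q tag for VLAN 200."""
    gre = struct.pack("!HHI", GRE_FLAG_SEQ, GRE_PROTO_ERSPAN_II, 7)
    erspan = struct.pack("!II", (1 << 28) | (100 << 16) | 5, 0)
    dst_mac = bytes.fromhex("001122334455")
    src_mac = bytes.fromhex("66778899aabb")
    if tagged:
        eth = dst_mac + src_mac + struct.pack("!HHH", ETHERTYPE_VLAN, 200, ETHERTYPE_IPV4)
    else:
        eth = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4)
    # Minimal 20-byte IPv4 header: ver/ihl, tos, len, id, flags, ttl, proto, cksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     bytes([10, 1, 2, 3]), bytes([10, 9, 8, 7]))
    return gre + erspan + eth + ip


if __name__ == "__main__":
    print(parse_erspan(build_sample()))
```

The parser deliberately fails closed on anything it does not understand (wrong GRE protocol, unknown ERSPAN version, short frames) rather than guessing; on a real collector a packet that fails here should be counted, not silently dropped, because a burst of undecodable ERSPAN usually means a switch-side configuration change.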
3. Streamlining the Admin Tab
The Admin tab received a complete redesign with unified interfaces across:
- Store and Forward
- Domain Management
- Centralized Credentials
- Resource Restrictions
This consistency means less training time for newer team members, and fewer clicks to accomplish common tasks.
(A) Enhanced Custom Properties
Custom properties now support multiple regex capture groups, allowing you to extract complex data patterns that previously required external scripts or manual processing.
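A custom property is a regular expression plus the number of the capture group that feeds the property. With multiple capture groups one expression can populate several properties from the same event. The Python below is an added example, not QRadar's own extraction engine: it runs one six-group pattern over constructed log lines in a generic key=value firewall style (not any real vendor's format) and shows the two cases practitioners trip over, a line that matches but lacks an optional field, and a line that does not match at all.

```python
import re

# Constructed log lines in a generic key=value firewall style (not a real vendor format).
LOG_LINES = [
    "Jun 03 14:22:07 fw01 fw: action=deny src=192.0.2.10 spt=51234 dst=198.51.100.7 dpt=445 proto=tcp rule=block-smb",
    "Jun 03 14:22:08 fw01 fw: action=allow src=192.0.2.11 dst=198.51.100.1 proto=icmp rule=ping",
    "Jun 03 14:22:09 fw01 fw: heartbeat ok",
]

# One expression, six capture groups. The port groups are optional so ICMP lines still match.
PATTERN = re.compile(
    r"action=(\w+)\s+src=(\d{1,3}(?:\.\d{1,3}){3})(?:\s+spt=(\d+))?"
    r"\s+dst=(\d{1,3}(?:\.\d{1,3}){3})(?:\s+dpt=(\d+))?\s+proto=(\w+)"
)

# Property name -> capture group number, the same pairing a custom property definition uses.
PROPERTIES = {"Action": 1, "SrcIP": 2, "SrcPort": 3, "DstIP": 4, "DstPort": 5, "Proto": 6}
NUMERIC = {"SrcPort", "DstPort"}


def extract_property(line, pattern, group):
    """Single property: the value of one capture group, or None if the line
    does not match or the (optional) group did not participate."""
    m = pattern.search(line)
    return m.group(group) if m else None


def extract_all(line, pattern=PATTERN, properties=PROPERTIES):
    """All properties fed by one regex. Returns {} when the line does not match
    at all; absent optional groups come back as None rather than failing the
    whole extraction."""
    m = pattern.search(line)
    if not m:
        return {}
    out = {}
    for name, group in properties.items():
        value = m.group(group)
        if value is not None and name in NUMERIC:
            value = int(value)   # typed so numeric comparisons (dpt > 1023) work
        out[name] = value
    return out


if __name__ == "__main__":
    for line in LOG_LINES:
        print(extract_all(line))
```

Two habits carry over to the product: anchor each group on a literal key (`src=`, `dpt=`) so a reordered field cannot shift values into the wrong property, and test the expression against a line that is missing the optional fields before enabling the property on a busy log source.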
(B) QRadar Host Monitoring via SNMPwalk
QRadar appliances can now be polled over SNMPv3 (for example with snmpwalk), and the UI gained the settings to enable it. Unlike SNMPv1/v2c, which protect nothing beyond a plaintext community string, SNMPv3 authenticates and encrypts each request, so QRadar host monitoring now complies with modern security standards and IBM's "Secure by Design" and "Secure by Default" paradigms.
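What a practitioner wants next is the actual polling setup that keeps the v3 guarantees intact. The Python below is an added example, not part of the release or of IBM's monitoring code: it writes a net-snmp `snmp.conf` so the SNMPv3 passphrases never sit on a command line, builds an `snmpwalk` invocation that only works at `authPriv`, and refuses the community-string form beside it. The console hostname, user name and passphrases are hypothetical; the OIDs are standard MIB-2 and HOST-RESOURCES subtrees.

```python
import shlex
import subprocess

# Hypothetical values for the example; the console hostname and user are assumptions.
CONSOLE = "qradar-console.example.internal"
# Standard MIB-2 / HOST-RESOURCES subtrees worth walking on an appliance.
OIDS = {
    "sysDescr": "1.3.6.1.2.1.1.1",
    "ifTable": "1.3.6.1.2.1.2.2",
    "hrStorageTable": "1.3.6.1.2.1.25.2.3",
}
WEAK_AUTH = {"MD5"}
WEAK_PRIV = {"DES"}
INSECURE_FLAGS = {"-v1", "-v2c", "-c"}            # community-string SNMP: no auth, no encryption
INSECURE_LEVELS = {"noAuthNoPriv", "authNoPriv"}  # SNMPv3 without encryption


def snmp_conf(user, auth_pass, priv_pass, auth_proto="SHA", priv_proto="AES"):
    """Return the contents of a net-snmp snmp.conf (e.g. ~/.snmp/snmp.conf, mode 0600)
    so the passphrases never appear on a command line or in `ps` output."""
    if auth_proto.upper() in WEAK_AUTH or priv_proto.upper() in WEAK_PRIV:
        raise ValueError("MD5/DES are not acceptable for new SNMPv3 deployments")
    for label, pw in (("auth", auth_pass), ("priv", priv_pass)):
        if len(pw) < 8:   # RFC 3414 USM requires passphrases of at least 8 characters
            raise ValueError("%s passphrase must be at least 8 characters" % label)
    return "\n".join([
        "defVersion 3",
        "defSecurityLevel authPriv",
        "defSecurityName %s" % user,
        "defAuthType %s" % auth_proto,
        "defAuthPassphrase %s" % auth_pass,
        "defPrivType %s" % priv_proto,
        "defPrivPassphrase %s" % priv_pass,
    ]) + "\n"


def snmpwalk_argv(host, oid):
    """argv for a walk that takes its credentials from snmp.conf. -v3 and the
    security level are still stated explicitly so a stale or edited config file
    cannot silently downgrade the walk."""
    return ["snmpwalk", "-v3", "-l", "authPriv", host, oid]


def reject_insecure(argv):
    """Return the flags that would make a walk insecure (empty list = acceptable)."""
    bad = [a for a in argv if a in INSECURE_FLAGS]
    for i, a in enumerate(argv[:-1]):
        if a == "-l" and argv[i + 1] in INSECURE_LEVELS:
            bad.append(argv[i + 1])
    return bad


def run_walk(argv):
    """Execute the walk (requires net-snmp installed and a reachable appliance)."""
    if reject_insecure(argv):
        raise ValueError("refusing insecure SNMP invocation: %s" % shlex.join(argv))
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    print(shlex.join(snmpwalk_argv(CONSOLE, OIDS["hrStorageTable"])))
```

The same `reject_insecure` check is worth wiring into whatever scheduler runs the polls, because the most common way SNMPv3 deployments regress is a monitoring template that still carries `-v2c -c public` for one forgotten host.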
4. Improved Reliability & Recovery
(A) Console-Only Failover
The App Host is now protected in both the primary and the disaster recovery site, so failover no longer leaves apps behind on the console.
(B) Faster Disaster Recovery
Backup validation during DR site activation has been optimized, especially for large environments with over 1,000 backups, significantly reducing recovery time.
5. A More Complete API for Asset Management
Two new API capabilities make asset management more powerful:
(A) DELETE API
Finally, you can programmatically remove outdated assets from QRadar. This long-requested feature allows integration with your CMDB to keep asset inventories synchronized and accurate.
(B) Extended GET API
The GET API now returns operating system and installed product information for assets. This data enriches threat detection capabilities and helps analysts quickly understand what type of system they're investigating.
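The CMDB synchronization the DELETE endpoint enables is mostly about deciding what is safe to remove. The Python below is an added example, not IBM's code and not a transcript of the real API response: it plans deletions from a constructed asset list, refuses to auto-delete assets with no hostname, keeps anything seen recently even if the CMDB has forgotten it, caps the blast radius per run, and builds the authenticated requests. The `SEC` header and the `GET /asset_model/assets` endpoint with its `fields` parameter are real QRadar API conventions; the DELETE path, the `Version` value, the console hostname and the asset field names (`hostnames`, `interfaces`, `last_seen_profiler`, `operating_system`) are assumptions made for the example.

```python
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

BASE = "https://qradar.example.internal/api"       # hypothetical console
API_VERSION = "20.0"                               # assumed value for the Version header
ASSETS_PATH = "/asset_model/assets"                # existing GET endpoint
ASSET_DELETE_PATH = "/asset_model/assets/{id}"     # assumed path for the new DELETE
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)    # fixed clock so the example is deterministic


def ms_ago(days):
    return int((NOW - timedelta(days=days)).timestamp() * 1000)


# Constructed sample of what GET /asset_model/assets might return. The field
# names are assumptions for this example, not the documented response schema.
SAMPLE_ASSETS = [
    {"id": 1001, "hostnames": [{"name": "web01"}], "operating_system": "RHEL 9",
     "interfaces": [{"ip_addresses": [{"value": "10.0.0.5"}], "last_seen_profiler": ms_ago(1)}]},
    {"id": 1002, "hostnames": [], "operating_system": None,
     "interfaces": [{"ip_addresses": [{"value": "10.0.0.9"}], "last_seen_profiler": ms_ago(90)}]},
    {"id": 1003, "hostnames": [{"name": "old-jump"}], "operating_system": "Windows Server 2012",
     "interfaces": [{"ip_addresses": [{"value": "10.0.1.4"}], "last_seen_profiler": ms_ago(60)}]},
    {"id": 1004, "hostnames": [{"name": "tmp-build"}], "operating_system": "Ubuntu 22.04",
     "interfaces": [{"ip_addresses": [{"value": "10.0.2.8"}], "last_seen_profiler": ms_ago(2)}]},
]


def last_seen(asset):
    """Most recent profiler sighting across the asset's interfaces, epoch ms (0 if none)."""
    seen = [i.get("last_seen_profiler") or 0 for i in asset.get("interfaces", [])]
    return max(seen) if seen else 0


def plan_deletions(assets, cmdb_hostnames, grace_days=30, max_per_run=50):
    """Return (ids_to_delete, ids_for_review).

    Delete only assets the CMDB does not know AND that have not been seen for
    grace_days. Assets without a hostname cannot be matched to the CMDB, so they
    go to a human instead of the DELETE queue. max_per_run bounds the damage if
    the CMDB export is ever empty or truncated."""
    cutoff = ms_ago(grace_days)
    cmdb = {h.lower() for h in cmdb_hostnames}
    plan, review = [], []
    for a in assets:
        names = {h["name"].lower() for h in a.get("hostnames", [])}
        if not names:
            review.append(a["id"])
            continue
        if names & cmdb:
            continue                   # still in the CMDB, keep
        if last_seen(a) >= cutoff:
            continue                   # recently active, keep even if the CMDB forgot it
        plan.append(a["id"])
    return plan[:max_per_run], review


def build_request(method, path, token, params=None):
    """Authenticated request: QRadar takes the API token in the SEC header."""
    url = BASE + path + ("?" + urllib.parse.urlencode(params) if params else "")
    headers = {"SEC": token, "Version": API_VERSION, "Accept": "application/json"}
    return urllib.request.Request(url, method=method, headers=headers)


def delete_assets(ids, token, dry_run=True):
    """Build one DELETE per asset; only send them when dry_run is False."""
    reqs = [build_request("DELETE", ASSET_DELETE_PATH.format(id=i), token) for i in ids]
    if not dry_run:
        for r in reqs:
            urllib.request.urlopen(r)  # raises HTTPError on a non-2xx status
    return reqs


if __name__ == "__main__":
    plan, review = plan_deletions(SAMPLE_ASSETS, {"web01", "db01"})
    print("delete:", plan, "review:", review)
    for r in delete_assets(plan, "example-token"):
        print(r.get_method(), r.full_url)
```

Run it in dry-run mode first and log the plan; the API token used for deletions should belong to a user role that has asset-management rights and nothing else.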
6. Additional Polish
(A) DSM Editor Enhancements
Key improvements to event parsing and mapping accuracy reduce the manual effort needed to configure log sources and improve threat detection reliability.
(B) Analyst Workflow v3.0.0
The latest version of the Analyst Workflow application now ships directly with QRadar, so new installations start with the most current offense and search management capabilities from day one.
7. What These Improvements Mean for your SOC
| Task | Before Update 13 | With Update 13 |
| --- | --- | --- |
| Investigating offenses | Click through multiple screens to understand attack timeline and scope | See timeline, magnitude, and affected hosts in one infographic view |
| Running complex searches | Wait for full results before analyzing (seeing only 40 rows) | Start investigating with up to 1,000 rows while the search continues |
| Adding network visibility | Deploy packet capture hardware, wait weeks for procurement and setup | Configure ERSPAN on existing switches, see traffic in minutes |
| Tracking devices | Lose track when DHCP assigns new IPs | MAC addresses maintain device identity across IP changes |
| Disaster recovery | Slower failover, especially with 1000+ backups | Sub-3 minute failover with optimized backup validation |
| Managing outdated assets | Manual cleanup or custom scripts | Use DELETE API for automated asset removal |
8. Ready to get started?
Update 13 represents practical progress: clearer visualization, smarter data collection, and smoother operations. These aren't just features; they're solutions to real challenges security teams face every day.
To get started:
- Download the ISO from Fix Central
- Snapshot your console
- Test in your staging environment
- Plan your production rollout
For complete installation instructions and more technical details, check out the official release notes for QRadar 7.5.0 Update Package 13.