UP14 is here: QRadar's biggest leap forward in years.
Enterprise-grade advancements front and back. A release built for tomorrow's SOC.
When an incident breaks, your first battle is with time - how fast you can get to the right data, how quickly you make sense of it once you get there. This is a release that delivers on that objective in more ways than one.
Widely acclaimed as "the most feature-rich release in years", this upgrade innovates in every department from ingestion to investigation: faster searches, safer rule tuning, more transparent data pipelines, and more cost-efficient storage.
All without subtracting from the user experience you know and love.
Here's how UP14 makes your operations simpler when you're at your desk, and more secure when you're away from it.
1. Your data architecture, redesigned.
(A) Hot/warm tiered storage: speed meets cost-efficiency
With UP14, Tiered Storage keeps the newly ingested Ariel data in the "Hot" tier and, as it ages, automatically moves it to the lower-cost "Warm" storage tier based on your policy. This is a benefit that strikes the perfect balance: keeping your most recent/most frequently accessed data instantly accessible, while minimising your ownership cost in the long-term.
The latter is especially relevant where frameworks require years‑long retention (e.g., HIPAA ~6 years, SOX ~7 years; others 3+ years depending on industry and jurisdiction).
But how much faster does this make ongoing investigations? Our performance tests pushed the envelope with all kinds of IOC searches - such as finding all events for a single IP over 24 hours - which would usually yield 15k entries (roughly 1.3 TB of data). The results? A search completion time of 146 seconds on the "Warm" tier and just 2 seconds on the "Hot" tier - 73 times faster for recent data. This matters most for threat hunts and fast triage windows, where analysts rarely look further back than 7–30 days.
(B) Smarter data pipelines: fewer unparsed events, better burst handling
UP14 tunes the parsing and correlation pipelines so that routing-to-storage decisions factor in real‑time utilization of the parsing and CRE thread pools. In practice, that means fewer events being prematurely routed to storage during load spikes, and more events being fully parsed and correlated.
Startup behavior is also improved. By pre‑allocating memory for data processing services at startup, QRadar handles post‑restart spikes more gracefully, reducing the risk that a service reboot becomes a performance pothole.
(C) Ariel write performance and LVM Phase 2: growth without the guesswork
Previous updates improved Ariel write performance on specific hardware profiles. UP14 broadens those gains across more host types, provided minimum CPU thresholds are met. The outcome for analysts is subtle but important: higher ingest capacity and more responsive queries as environments grow.
On top of that, LVM Phase 2 introduces better support for expanding Logical Volume Management (LVM) on appliance‑installed systems. For end users, this is about confidence that the platform can grow with the business without disruptive re‑provisioning projects.
- Capacity planning becomes smoother: storage can be extended instead of re‑built.
- Maintenance windows shrink, as admins can address growth more surgically.
- The risk of “surprise” full disks during peak demand is reduced.
2. Experiment, collaborate and investigate - with a safety net.
(A) Rule versioning: edit with context, revert with confidence.
With UP14, Rule Versioning now tracks every change - what changed, when it was made, who made it, and how it affected efficiency relative to prior versions. With performance metrics captured at every step, analysts can now objectively compare versions and even add "commit comments". These are practical guardrails - paper trails that let you collaborate on rule tuning without worrying about human error.
(B) Magnitude filtering and clearer offense assignment
You can now set magnitude thresholds when creating rule tests. This helps you prioritize offenses based on criticality and focus on the most important threats first. Offense assignment is also simplified - UP14 now tracks only the most recent assignment timestamp, reducing ambiguity about who owns what during active investigations.
3. More context without the extra clicks.
(A) Flow context with ASN enrichment
QFlow now automatically enriches network flows with Autonomous System Number (ASN) information.
With the ASN field populated right out of the box, your analysts have:
- Immediate visibility into the network or ISP behind an IP address.
- Faster identification of traffic coming from high‑risk or unexpected networks.
- One less external lookup step in the middle of triage.
It’s a modest change that shortens the path from “What is this IP?” to “Is this traffic expected?”
(B) Managed search, minus the mystery.
UP14 adds a small but powerful boost to Managed Search:
- Custom AQL searches are labeled by their actual query string rather than a generic name.
- Hover tooltips show the full AQL body, and a Copy button makes reuse trivial.
- Searches that lean on non‑indexed fields or raw payload pattern matching are visually flagged as potentially slow or expensive.
Over time this nudges teams toward better query discipline. The system becomes a shared asset instead of a shared bottleneck.
4. Real-time resilience that succeeds in every worst-case.
(A) Partial Pairing enablement for the Data Sync app
UP14 adds the necessary APIs for the much-anticipated Partial Pairing feature coming to the Data Sync (DS) app by year-end: a complete game-changer in the event of a failover. By mirroring only the managed hosts (MHs) that sit with your primary console, the most critical data remains available during a site-wide outage, while remote hosts can be adopted dynamically. This is the foundation being poured for a more practical DR posture in complex, distributed deployments.
(B) QRM x Check Point HTTPS: policy visibility that moves the needle.
QRadar Risk Manager (QRM) now supports integration with Check Point HTTPS, so analysts can receive firewall rule event logs directly from Check Point's Security Management Servers (SMS). In practice, this stream of rule‑level telemetry gives you:
- Real‑time monitoring of which Check Point rules are being hit most (or not at all).
- Identification of rules that may be overly permissive or unnecessarily blocking access.
- Detection of noisy rules that may impact performance.
- Scheduled reporting on rule usage trends across managed devices.
This helps align three often-separate views:
- what the firewall policy says should happen,
- what actually happens on the wire, and
- what the SIEM surfaces as offenses.
This alignment makes your network more secure and your risk posture easier to explain to third parties.
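As an added example (not IBM or Check Point code), here is the rule-usage analysis the bullets above describe, run over a handful of constructed rule-hit records in a simplified key=value form that is not the actual Check Point log format: per-rule hit counts, policy rules that never fire, rules that dominate event volume, and drop rules that are actively blocking traffic. The rulebase inventory, the log lines and the noisy-share threshold are all constructed assumptions for this example.

```python
import re
from collections import Counter

# Constructed rulebase inventory: rule name -> action
POLICY = {
    "Allow-Web-Out": "Accept",
    "Allow-DNS": "Accept",
    "Legacy-FTP-In": "Accept",
    "Block-Telnet": "Drop",
    "Cleanup": "Drop",
}

# Constructed, simplified rule-hit records. Not the Check Point log format;
# they carry only the fields this analysis reads. The last line is
# deliberately malformed (no rule_name) to show that it is skipped.
SAMPLE_LOGS = """\
time=2024-05-01T10:00:01Z rule_name=Allow-Web-Out action=Accept src=10.1.1.10 dst=203.0.113.5 service=https
time=2024-05-01T10:00:02Z rule_name=Allow-DNS action=Accept src=10.1.1.10 dst=10.1.0.53 service=dns
time=2024-05-01T10:00:03Z rule_name=Allow-Web-Out action=Accept src=10.1.1.11 dst=203.0.113.9 service=https
time=2024-05-01T10:00:04Z rule_name=Block-Telnet action=Drop src=10.1.2.20 dst=10.1.0.7 service=telnet
time=2024-05-01T10:00:05Z rule_name=Allow-Web-Out action=Accept src=10.1.1.12 dst=198.51.100.4 service=http
time=2024-05-01T10:00:06Z rule_name=Allow-DNS action=Accept src=10.1.1.12 dst=10.1.0.53 service=dns
time=2024-05-01T10:00:07Z rule_name=Allow-Web-Out action=Accept src=10.1.1.13 dst=203.0.113.5 service=https
time=2024-05-01T10:00:08Z rule_name=Cleanup action=Drop src=192.0.2.77 dst=10.1.0.7 service=smb
time=2024-05-01T10:00:09Z rule_name=Allow-Web-Out action=Accept src=10.1.1.10 dst=203.0.113.5 service=https
time=2024-05-01T10:00:10Z rule_name=Block-Telnet action=Drop src=10.1.2.21 dst=10.1.0.7 service=telnet
time=2024-05-01T10:00:11Z rule_name=Allow-DNS action=Accept src=10.1.1.13 dst=10.1.0.53 service=dns
time=2024-05-01T10:00:12Z rule_name=Allow-Web-Out action=Accept src=10.1.1.14 dst=198.51.100.4 service=https
time=2024-05-01T10:00:13Z action=Drop src=192.0.2.78 dst=10.1.0.7 service=smb
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse one key=value record; return None when rule_name is missing."""
    fields = dict(KV.findall(line))
    return fields if "rule_name" in fields else None


def rule_hits(log_text):
    """Count rule hits per rule name, skipping unparseable records."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    return Counter(e["rule_name"] for e in events)


def rule_usage_report(log_text, policy, noisy_share=0.4):
    """Summarise rule usage the way the bullets above describe.

    noisy_share is an assumed threshold: a rule producing at least that share
    of all hits is reported as noisy.
    """
    hits = rule_hits(log_text)
    total = sum(hits.values())
    return {
        "total": total,
        "hits": dict(hits),
        # rules in the policy with no hits at all in this window
        "never_hit": sorted(r for r in policy if r not in hits),
        # rules that dominate the event volume
        "noisy": sorted(r for r, n in hits.items()
                        if total and n / total >= noisy_share),
        # drop rules that are actively blocking, busiest first
        "blocking": sorted(((r, n) for r, n in hits.items()
                            if policy.get(r) == "Drop"),
                           key=lambda rn: (-rn[1], rn[0])),
        # hits on rules the inventory does not know about
        "unknown_rules": sorted(r for r in hits if r not in policy),
    }


if __name__ == "__main__":
    report = rule_usage_report(SAMPLE_LOGS, POLICY)
    print(f"{report['total']} rule hits")
    for rule, n in sorted(report["hits"].items(), key=lambda rn: -rn[1]):
        print(f"  {rule:<16} {n:>3}  ({POLICY.get(rule, '?')})")
    print("never hit:", report["never_hit"])
    print("noisy    :", report["noisy"])
    print("blocking :", report["blocking"])
```

A rule that never fires over a long enough window is a candidate for review, and a noisy accept rule is where a "what the policy says" versus "what happens on the wire" comparison usually starts.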
The bottom line.
UP14 doesn’t ask analysts to work differently; it reduces friction in your workflow from alert to action - whether you're an analyst, threat hunter, or IR lead. And it shows: directly and indirectly, in the middle of an offense, where a few clicks can mean the difference between containment and compromise. If you're looking for greater detail, check out our official release notes and download links on IBM Fix Central if you're ready to upgrade.
As always, we welcome your feedback. What new feature in UP14 are you most excited to use?