IBM QRadar

UP15 is Here: Setting the Ground for a Sovereign, Secure & Quantum-Proof QRadar®

By Rohan Narula posted 13 days ago

The modern-day deployment is defined by its complexity. With the frequency of unplanned outages and the astronomical cost of encountering one, SOCs need to evolve continuously, just as the threat landscape does.
The objective of UP15 is to address these operational imperatives: making your security posture more audit-ready, your critical data quantum-resistant, and your business-critical workflows more context-aware, helping you stay ahead of threats in an environment where standing still means falling behind.

(A) Introducing FIPS-Compliant, Quantum-Resistant Hashing for Validating Backups & JA4 Fingerprinting for TLS Encryption

As malicious actors increasingly target both live telemetry and historical storage, modernizing the cryptographic standards used by the SIEM is critical. In an era where ransomware syndicates actively target backup repositories to prevent organizations from recovering without paying a ransom, the mathematical integrity of historical log data is paramount. For SOC admins, IR teams and external auditors, we introduce a crucial lifeline: a FIPS-compliant, industry-grade, quantum-resistant backup hashing function, using SHA-512 for cryptographic validation of backups.

Hashing Algorithm

This level of sovereign control begins the moment a backup is initiated. Without requiring manual intervention, QRadar autonomously evaluates its internal cryptographic health, generating or rotating Certificate Authority (CA) and Signer certificates as needed to ensure an unbroken chain of trust. Security architects retain granular control over this lifecycle via the backupsign_sample.properties configuration, allowing them to precisely dictate validity periods, such as the default 365-day lifespan for Signer certificates and 730 days for the root CA. To strictly enforce operational authority, this entire trust architecture is bound by an encrypted passphrase; any unauthorized tampering instantly invalidates the certificates, neutralizing potential insider threats or administrative misconfigurations.

The true strategic value of this framework is realized during a crisis. Restoring a compromised backup could permanently corrupt the SIEM or reinfect a recovering network. UP15 mitigates this by requiring a simple validation check during native restorations, forcing the system to authenticate the digital signature before a single byte of historical data is merged.

While administrators can manually seed the required cryptographic trust into a destination's truststore, advanced enterprise environments leveraging the QRadar Data Synchronization App benefit from total automation. The app works silently in the background to automatically synchronize signature files, newly generated certificates, and rotation alignments across paired systems. Dictated by the system's core backup recovery policies, this ensures that during an automated failover, strict verification cannot be bypassed. Coupled with the newly upgraded SHA-512 hashing function, which deprecates older, vulnerable algorithms, this framework mathematically guarantees data authenticity and qualifies as a NIST-approved cryptographic hashing function.

So if the contingency plans you wrote for the worst case turn into a real-life use case, your SOC admins can breathe a sigh of relief, because this verification extends across boundaries.
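To make the restore-time gate described above concrete, here is an added example (not QRadar's own backup-signing code) that builds a root CA and a Signer certificate with the default 730- and 365-day lifespans quoted above, signs the SHA-512 digest of a backup archive, and refuses a restore unless the chain, the validity windows, the digest and the signature all check out. It assumes the cryptography package, ECDSA P-384 keys, and the manifest layout shown; the archive bytes are constructed.

```python
import datetime as dt
import hashlib
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

CA_DAYS, SIGNER_DAYS = 730, 365   # default lifespans quoted in the post

def _cert(cn, issuer_cn, pub, issuer_key, days, is_ca):
    # Issue a certificate valid for `days` days, signed with SHA-512 (naive UTC times, as cryptography expects)
    name = lambda c: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, c)])
    now = dt.datetime.now(dt.timezone.utc).replace(tzinfo=None)
    return (x509.CertificateBuilder()
            .subject_name(name(cn)).issuer_name(name(issuer_cn))
            .public_key(pub).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + dt.timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA512()))

def build_chain():
    # Root CA (730 days) and a Signer it issues (365 days); the key type is an assumption
    ca_key, signer_key = ec.generate_private_key(ec.SECP384R1()), ec.generate_private_key(ec.SECP384R1())
    ca = _cert("backup-ca", "backup-ca", ca_key.public_key(), ca_key, CA_DAYS, True)
    signer = _cert("backup-signer", "backup-ca", signer_key.public_key(), ca_key, SIGNER_DAYS, False)
    return ca, signer, signer_key

def sign_backup(archive: bytes, signer_key) -> dict:
    # Manifest stored beside the backup: SHA-512 digest plus an ECDSA signature over that digest
    digest = hashlib.sha512(archive).hexdigest()
    return {"sha512": digest, "sig": signer_key.sign(digest.encode(), ec.ECDSA(hashes.SHA512()))}

def verify_backup(archive: bytes, manifest: dict, signer, ca) -> bool:
    # Restore-time gate: every check must pass before any data is merged
    try:
        now = dt.datetime.now(dt.timezone.utc).replace(tzinfo=None)
        # 1. Signer must be issued by the root CA: issuer name matches and the CA key verifies it
        if signer.issuer != ca.subject:
            return False
        ca.public_key().verify(signer.signature, signer.tbs_certificate_bytes,
                               ec.ECDSA(signer.signature_hash_algorithm))
        # 2. Both certificates must be inside their validity windows
        if any(not (c.not_valid_before <= now <= c.not_valid_after) for c in (ca, signer)):
            return False
        # 3. Recompute SHA-512 over the archive: a single changed byte breaks the match
        if hashlib.sha512(archive).hexdigest() != manifest["sha512"]:
            return False
        # 4. The manifest digest must carry a valid Signer signature
        signer.public_key().verify(manifest["sig"], manifest["sha512"].encode(), ec.ECDSA(hashes.SHA512()))
        return True
    except Exception:   # InvalidSignature, malformed manifest, etc.: refuse to restore
        return False
```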

But protecting data at rest is only half the battle; defending against in-transit threats requires equally robust mechanisms. Here UP15 delivers a massive advantage for Threat Hunters, Incident Responders, and SOC Analysts tasked with detecting malware command-and-control (C2) beaconing, botnet communications, and data exfiltration hiding within encrypted TLS sessions. Because threat actors constantly randomize TLS handshakes to evade legacy JA3 fingerprinting, analysts need a way to reliably identify malicious traffic without breaking compliance rules by decrypting payloads.

Recognizing this, UP15 introduces profound advancements natively into QRadar Network Insights via JA4 TLS fingerprinting. JA4 represents the next generation of TLS client identification, categorizing attributes through a highly resilient hash-based fingerprint. By integrating the TLS JA4 Hash field directly into the QRadar ecosystem, analysts can instantly identify anomalous clients and detect unusual patterns within complex filters and correlation rules, fundamentally strengthening threat analysis workflows.
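To show what the "hash-based fingerprint" behind the TLS JA4 Hash field actually encodes, here is an added example (not QRadar Network Insights code) that computes a JA4 client fingerprint from already-parsed ClientHello fields following the public JA4 specification: GREASE values are dropped, the cipher list is sorted before hashing (so reordering does not change the fingerprint), and the signature-algorithm order is preserved. It assumes a parser has already extracted the fields, handles only printable ASCII ALPN names, and the sample ClientHello is constructed, not captured.

```python
import hashlib

TLS_VERSIONS = {0x0304: "13", 0x0303: "12", 0x0302: "11", 0x0301: "10", 0x0300: "s3"}

def is_grease(v: int) -> bool:
    """GREASE values (0x0a0a, 0x1a1a, ... 0xfafa) are random filler and never count."""
    return (v & 0x0f0f) == 0x0a0a and (v >> 8) == (v & 0xff)

def _trunc_sha256(s: str) -> str:
    """JA4 hashes are the first 12 hex chars of SHA-256; an empty list hashes to all zeros."""
    return hashlib.sha256(s.encode()).hexdigest()[:12] if s else "000000000000"

def ja4(transport, hello_version, ciphers, extensions, sig_algs, supported_versions, sni, alpn):
    ciphers = [c for c in ciphers if not is_grease(c)]
    exts = [e for e in extensions if not is_grease(e)]
    # TLS version: highest value offered in supported_versions wins over the legacy field
    versions = [v for v in supported_versions if not is_grease(v)]
    ver = TLS_VERSIONS.get(max(versions) if versions else hello_version, "00")
    # ALPN tag: first and last character of the first offered protocol ("h2" -> "h2", none -> "00")
    alpn_tag = (alpn[0][0] + alpn[0][-1]) if alpn else "00"
    ja4_a = (f"{transport}{ver}{'d' if sni else 'i'}"
             f"{min(len(ciphers), 99):02d}{min(len(exts), 99):02d}{alpn_tag}")
    # JA4_b: cipher suites sorted, 4-digit hex, comma-joined
    ja4_b = _trunc_sha256(",".join(f"{c:04x}" for c in sorted(ciphers)))
    # JA4_c: extensions sorted without SNI (0x0000) and ALPN (0x0010), then "_" and the
    # signature algorithms in their original order (that order is part of the fingerprint)
    ext_str = ",".join(f"{e:04x}" for e in sorted(e for e in exts if e not in (0x0000, 0x0010)))
    sa_str = ",".join(f"{s:04x}" for s in sig_algs)
    ja4_c = _trunc_sha256(ext_str + ("_" + sa_str if sa_str else "")) if ext_str else "000000000000"
    return f"{ja4_a}_{ja4_b}_{ja4_c}"

# Constructed browser-like ClientHello (not a capture), with GREASE values mixed in
SAMPLE_HELLO = {
    "transport": "t", "hello_version": 0x0303, "sni": True, "alpn": ["h2", "http/1.1"],
    "supported_versions": [0x3a3a, 0x0304, 0x0303],
    "ciphers": [0x2a2a, 0x1301, 0x1302, 0x1303, 0xc02b, 0xc02f, 0xc02c, 0xc030, 0xcca9, 0xcca8,
                0xc013, 0xc014, 0x009c, 0x009d, 0x002f, 0x0035],
    "extensions": [0x1a1a, 0x0000, 0x0017, 0xff01, 0x000a, 0x000b, 0x0023, 0x0010, 0x0005, 0x000d,
                   0x0012, 0x0033, 0x002d, 0x002b, 0x001b, 0x0015, 0x4469, 0xdada],
    "sig_algs": [0x0403, 0x0804, 0x0401, 0x0503, 0x0805, 0x0501, 0x0806, 0x0601],
}

if __name__ == "__main__":
    print(ja4(**SAMPLE_HELLO))   # t13d1516h2_<12 hex>_<12 hex>
```

The JA4_a prefix (transport, version, SNI, counts, ALPN) is human-readable, which is why it is the part worth filtering on in correlation rules before pivoting to the exact hash.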

(B) Tiered Storage Phase 2: per-cluster configurability for enterprise-grade scalability

Multi host Tiered Storage tier configuration, different tier host count

To effectively support these cryptographic safeguards, your SIEM requires an underlying architecture capable of sustaining immense data loads without buckling. Moreover, with global data retention compliance mandates like those from HIPAA and GDPR, massive ingestion bursts consistently push enterprise architectures to their physical limits. As though that wasn't enough, data sovereignty requires strict control over exactly where and how data resides and is managed. For storage/infrastructure HW admins, managing massive volumes of logs to meet long-term mandates or surviving sudden ingestion bursts, such as those generated during a volumetric DDoS attack, is a daily challenge. If the primary Hot Tier runs out of disk space, it can severely degrade search performance or halt log ingestion entirely.

All that changes with this update pack. Now you can intelligently manage the offloading of hot (active query) and cold (historical retention) data tiers, and QRadar gets significantly faster, concurrent re-indexing algorithms and smarter error handling that gracefully resumes operations if a massive storage migration is interrupted. Administrators are now granted unprecedented control through per-cluster policies and the ability to bulk edit these configurations directly through the UI and API. Crucially, new built-in safeguards actively protect Hot Tier disk space from being overwhelmed during sudden log influxes, ensuring large-scale storage environments remain predictable and highly optimized.

Beyond raw storage optimization, whether you're an L1 Analyst or an IR team lead, you've probably faced more than a few bottlenecks executing massive threat-hunting queries across vast spans of historical data. Historically, checking massive databases against huge threat-intelligence lists (Reference Data) caused severe I/O bottlenecks and locked databases, stalling queries and delaying critical incident triage.

To resolve this, UP15 massively improves locking scalability within the DomainizedStorage2 framework. This structural optimization yields an astonishing speedup of up to 50x when executing searches against events and flows using Reference Data filters. This unlocks lightning-fast queries, allowing organizations, especially those leveraging robust storage infrastructures like the QRadar 1648 enterprise appliances, to realize profound search acceleration during response & recovery investigations.

(C) Historical rule versioning, AQL visibility & more: proactive adaptability for your workflows

Yet, raw storage and search velocity are functionally useless without a governance model that empowers personnel to manage logic, troubleshoot errors, and maintain seamless operations securely. Data sovereignty requirements, in fact, heavily emphasize this need for auditable governance, requiring organizations to know exactly who operates the platform and how changes are governed. 

This is an absolute game-changer for those who spend their days tuning complex correlation rules or conducting post-incident audits. As SOC operations mature, rule sets inevitably become highly complex. Without rigorous version control, a junior analyst might accidentally break a rule or change a threshold, leading to catastrophic alert fatigue or the silent suppression of genuine security alerts.

UP15 completely revolutionizes this workflow with Phase 2 of Custom Rule Engine (CRE) versioning, featuring history tracking like never before and providing the exact audit-ready evidence and strict operational authority required to maintain a sovereign environment. This robust framework allows administrators to execute highly detailed, side-by-side comparisons of any two distinct rule versions, and mandates that analysts capture detailed commit messages upon saving a modification. Furthermore, intelligent dependency checks continuously analyze interconnected system components; if an analyst attempts to revert a rule that threatens to break downstream configurations, the dependency check flags it immediately, minimizing your operational overhead when it comes to rule management.

Lastly, your admins, operators and devs building custom API automation scripts or writing complex threat-hunting queries directly in AQL will find their workflows vastly accelerated. Previously, when a custom query failed or took too long, analysts had to guess which fields were natively indexed or painstakingly hunt down missing syntax characters, wasting valuable investigation time. Even AQL handling gets a major boost with the Ariel API's "is indexed" property, accessible via the GET /ariel/databases/{database_name} endpoint, which gives users immediate visibility into which specific fields are indexed so they can optimize query performance and syntax error detection, drastically reducing troubleshooting time.

So what's next for QRadar®?

Check out all things UP15 along with our official instructions here. With 7 features across SIEM, Apps and NDR, it's much, much more than a standard security patch. This one update represents a foundational step in IBM's broader "Journey to Quantum Safe", least privilege, data sovereignty, security by design, hybrid & quantum-readiness, and above all, cyber-resilience.

If there are any improvements, enhancements, or feature requests you have in mind, feel free to submit them on the ideas portal here for a comprehensive review. From UP13 to 14, 14 to 15 and now from 15 to perhaps the most eagerly anticipated release, 7.6.0, it's always your feedback that's paramount, and your needs we strive to meet at every click and every dashboard, whether it's business as usual for your SOC or preserving your critical workflows in response & recovery.

Rohan Narula

Product Manager

© International Business Machines Corporation, 2026 | All rights reserved.
