We are excited to announce the release of IBM QRadar SIEM 7.5.0 Update Package 12 (UP12) — delivering a powerful set of features, enhancements, and performance improvements designed to optimize the efficiency and functionality of your security operations centre (SOC).
Here's what is new in this release:
Search Performance Improvement in Multi-Tenant Deployments with Reference Set Filters
In previous versions, when reference sets were used as filters during searches in multi-domain environments, the system did not leverage indexing, leading to suboptimal performance.
With UP12, reference set filters now use indexing regardless of domain, dramatically improving search efficiency — in some cases by up to 100x. This enhancement offers a significant performance boost for large, complex deployments.
Enhanced Search Progress Visualization

Fig 1. Search Progress bar displaying remaining percentage and time to completion
Managing searches just got easier. Based on user feedback captured via the ideas portal, we’ve improved the search visualization on the Log Activity and Network Activity screens.
The outdated circular animation has been replaced with a dynamic progress bar showing:
This change gives analysts better visibility into ongoing searches and helps them make more informed decisions before initiating new ones.

Fig 2. List of searches displaying completion status and time remaining
Improved Scattering with Absolute Space Thresholds on larger Data Nodes
Data Nodes were introduced to increase the storage and processing capacity of QRadar SIEM. After Data Nodes are added to a QRadar deployment, the data is rebalanced as described in the documentation. In some deployments, a Data Node's storage capacity differs from that of the other attached processors. In such scenarios, the free space available after rebalancing remains unused.
UP12 brings improvements to this area: scattering now uses absolute space thresholds, optimizing space utilization on larger Data Nodes. This change ensures more efficient space management by comparing available free space with calculated thresholds, allowing for better handling of storage capacity without risk of shutdown.
Predictive Parsing for Custom Event Properties
QRadar SIEM 7.5.0 Update Pack 12 introduces Predictive Parsing for regex-based custom properties which provides a major performance boost for environments that rely heavily on regular expressions. This enhancement leverages a proven algorithm that predicts where data is located within events based on past patterns, significantly reducing the overhead of regex processing. The result is faster event pipeline performance, improved efficiency, and smarter parsing with a built-in fallback to standard regex when needed.
Predictive Parsing is available by default in UP12+ and applies to properties enabled for rules, forwarding, or search indexing. It can be toggled per property in the Custom Event Properties UI. While most users will benefit immediately, those working with unusually formatted data may need to fine-tune or disable the feature for specific expressions. To see it in action, check out our video walkthrough, and for a deeper dive, refer to the support documentation below.
🔗 Predictive Parsing for Custom Event Properties Video Walkthrough
🔗 Community Blog
🔗 Support Documentation
Enhanced Log Search by Event Collector Name
Previously, users had to search logs by Event Collector ID, which was less intuitive and inconsistent with search by Event Processor. UP12 adds support for searching directly by the Event Collector name, using a user-friendly drop-down list that auto-populates compatible values. The existing ID-based method remains available for backward compatibility.

Fig 3. Log search by Event Collector value
Add Creation Date to the offense summary page and the offense search page
Understanding exactly when an offense is triggered is critical for incident timelines. In UP12, QRadar introduces a new “Offense Creation Time” field, enabling:
- Accurate time-stamping of when an offense was created
- A new “Creation Date Between” filter for refined offense searches
- Improved sorting and filtering in the offense list view
- Built-in validations (e.g., preventing a “From” date that occurs after the “To” date)
- Persistent saving of offense search criteria with date/time granularity
These updates enhance forensic accuracy, reduce investigation time, and improve incident response workflows.
Integrations and DSMs
New DSMs Released:
- The package DSM DSM-JuniperJunOS-7.5-20240628064229.noarch has been added.
- Released New DSM for Storage Protect: Storage Protect DSM Documentation
- Released New DSM for Azure Monitor Agent (AMA) for Linux: Microsoft DSM Documentation
- Parsing capabilities have been extended to support PAN-OS version 11.0, including DNS Security, FILE, Tunnel, and URL logs.
- Released New Palo Alto Firewall PAN-OS Support
Protocol Enhancements:
- Cisco Duo: Pagination improvements
- Salesforce: Parsing enhancements
- IBM QRadar EDR: Protocol enhancements
- Updated Protocols: Common, UniversalCloudRESTAPI, TLSSyslog, BoxRESTAPI, CertificateUtilsCommon
For full details on DSM and protocol support: QRadar Supported DSMs
Additional Resources:
Learn more about QRadar UP12 in the release notes: 🔗 Support Pages
Download the UP12 package from Fix Central: 🔗 Fix Central QRadar UP12
Explore QRadar documentation: 🔗 Documentation
Have an idea for a future QRadar feature? Submit it here: 🔗 Ideas Portal