Question & Answer
Question
This article informs administrators about QRadar® Support policies. QRadar Support assists administrators to investigate and correct software defects related to performance. This document outlines out-of-scope work for support cases where user-generated content might impact performance.
Answer
Technical help for QRadar® performance issues is included for users with valid support contracts to assist administrators who need assistance diagnosing performance problems in QRadar. The QRadar technical support team will investigate all performance issues. If the cause of your performance issue is determined to be a non-performant system configuration, such as poorly performing regular expressions in the DSM Editor, rules or building block tuning, or offense performance, support can assist with identifying the cause.
Due to the highly flexible nature of QRadar, a deep understanding of your use-cases, environment and overall security strategy is crucial to formulate an effective update plan. Administrators who are new to QRadar or need assistance with custom log source development, custom property performance, tuning rules or security use cases can contact IBM Security Expert Labs team to discuss performance issues that are out-of-scope for QRadar technical support. The following activities are considered out-of-scope for technical support cases:
QRadar performance assistance in support cases
Administrators can review individual articles for more details about log source configuration support, custom property, or rule performance support assistance. QRadar technical support teams can assist administrators with errors, questions, and performance issues, such as:
- Interpreting system notifications and documentation.
- Troubleshooting for administrators on supported versions.
- Analysis of logs and errors to determine where performance issues occur. This includes:
- Validation of parsing performance and log source configurations.
- Identifying why events do not parse as expected.
- Identifying custom properties with performance issues.
- Identifying issues related to search performance.
- Identify why rules do not trigger as expected for administrators.
- Issue confirmation for problems after administrators tune or update event sources.
For more information, select a topic:
Custom Properties and performance Log source configuration and performance Rules and rule performance support
Out-of-scope performance issues
Due to the highly flexible nature of QRadar, a deep understanding of your use-cases, environment and overall security strategy is crucial to formulate an effective update plan. Administrators who are new to QRadar or need assistance with custom log source development, custom property performance, tuning rules or security use cases can contact IBM Security Expert Labs team to discuss performance issues that are out-of-scope for QRadar technical support. The following activities are considered out-of-scope for technical support cases:
- Creating custom log source types for administrators in the DSM Editor.
- Regular expression writing and tuning.
- System tuning when large numbers of offenses are being generated.
- System tuning where false positives are being generated.
- Rule tuning for security policies for your organization.
- Creating, maintaining, updating rule templates or rule planning and validation activities.
- Providing dedicated support (staying online with you) during the normal update process.
- Running post-update system health checks or performance checks.
[{"Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwtiAAA","label":"Performance"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Version(s)"}]
Was this topic helpful?
Document Information
Modified date:
07 January 2022
UID
ibm16336529