QRadar: Flows and Network Activity support policies

This article informs administrators about QRadar® Support policies. QRadar Support helps administrators investigate and correct flow issues, such as error messages, documentation questions, or troubleshooting. This document outlines out-of-scope work for flow cases and the responsibilities of the QRadar administrator.


Responsibilities for Flow cases

QRadar® flows represent network activity by normalizing IP addresses, ports, byte and packet counts, and other data into flow records, which are effectively records of network sessions between two hosts. This article explains what QRadar Support can assist with when you experience a flow issue.

Support type: Flow assistance and error support
Description: Administrators can contact QRadar technical support for assistance with flows that show errors or undocumented behavior. For example, QRadar Support can:
  • Review issues where the Network Activity tab does not display flow data.
  • Troubleshoot issues when users do a search and an IO error is displayed.
  • Troubleshoot interfaces on QRadar appliances.
  • Confirm flows from a flow source are being received.
  • Troubleshoot behavior not documented in the QRadar administration guide.
Responsibility: QRadar technical support. To open a case or report flow issues, contact QRadar technical support.

Support type: Out-of-scope for QRadar Support
Description: The following activities are considered out-of-scope for technical support. QRadar Support reserves the right to close cases related to the following issues:
  1. Validating or analyzing flow data.
  2. Providing assistance configuring non-IBM flow source products or TAPs on hardware, such as Cisco or Gigamon.
  3. Providing advice to users on network products or security configurations for non-IBM appliances.
  4. Troubleshooting network issues on network TAPs or SPAN ports.
  5. Requests to create searches or AQL queries in the Network Activity tab for flow data.
  6. Requests to create Custom Flow Properties.
  7. Custom application mappings.
  8. Tuning or creating rules based on flow data, including behavioral rules.
  9. Requests to capture data for administrators. Administrators must supply network capture data from Wireshark or other network tools as part of the initial case for QRadar Support to confirm a product issue.

For assistance configuring and creating rules, Custom Event Properties, and searches for flows, contact IBM Security® Expert Labs.

