Question & Answer
Technical support for custom properties and performance
Custom properties are added to QRadar in officially supported DSMs and applications, or are created by administrators. Custom properties parse specific data from event payloads to display information in the user interface as PropertyName(Custom). Custom properties can be used in rule tests, searches, reports, or dashboards.
Custom property investigations & analysis
QRadar technical support can assist administrators to identify and narrow down potential custom event property issues.
Administrators can use QRadar technical support to:
QRadar technical support
To open a case or report a custom property error, contact QRadar technical support.
Performance, tuning and custom property management
Administrators are responsible for user-generated custom properties, updates, and security policies. For assistance with security policies and use case coverage for custom properties, contact IBM Security Expert Labs.
The following activities are considered out-of-scope for technical support:
QRadar performance assistance in support cases
Administrators can review the tabs at the top of the page for more details about log source, custom property, or rule performance support assistance. QRadar technical support teams can assist administrators with errors, questions, and performance issues, such as:
- Interpreting system notifications and documentation.
- Troubleshooting for administrators on supported versions.
- Analysis of logs and errors to determine where performance issues occur. This includes:
  - Validation of parsing performance and log source configurations.
  - Identifying why events do not parse as expected.
  - Identifying custom properties with performance issues.
  - Identifying issues related to search performance.
- Identifying why rules do not trigger as expected for administrators.
- Issue confirmation for problems after administrators tune or update event sources.
Out-of-scope performance issues
Due to the highly flexible nature of QRadar, a deep understanding of your use cases, environment, and overall security strategy is crucial to formulating an effective update plan. Administrators who are new to QRadar or need assistance with custom log source development, custom property performance, tuning rules, or security use cases can contact the IBM Security Expert Labs team to discuss performance issues that are out-of-scope for QRadar technical support. The following activities are considered out-of-scope for technical support cases:
- Creating custom log source types for administrators in the DSM Editor.
- Regular expression writing and tuning.
- System tuning when large numbers of offenses are being generated.
- System tuning where false positives are being generated.
- Rule tuning for security policies for your organization.
- Creating, maintaining, or updating rule templates, or rule planning and validation activities.
- Providing dedicated support (staying online with you) during the normal update process.
- Running post-update system health checks or performance checks.
07 January 2022