Question & Answer
What types of issues can IBM assist with in your support case:
- Error correction - IBM uses commercially reasonable diligence to correct verifiable and reproducible errors that are reported to QRadar EDR Support through the standard reporting procedures in effect at the time. An error correction can be delivered to clients as a workaround, and might consist of programming or operating instructions that mitigate the issue.
- Updates - IBM can issue updates of the QRadar EDR software that contain error corrections or other improvements. IBM provides general instructions to assist with the installation and operation of each new update. Each release includes the most recent files in its update package. If you skip an update, you might have to download multiple update packages to receive the latest software changes. On the Hive-Cloud hosting platform, IBM manages QRadar EDR software upgrades and their dependencies.
- Hardware - IBM manages hardware issues on the Hive-Cloud hosting platform.
- Monitoring - IBM proactively monitors Hive-Cloud environments and notifies the customer through automated emails or Slack messages.
- Troubleshooting - Support requires read-only access to the customer's SaaS instances to troubleshoot alert or event issues. The logs that Support can see are the errors that are shown in the Hive Console user interface.
What types of issues are the responsibility of the client:
- Fixing network configuration in an on-premises hosting environment.
- Hard drive partition resizing.
- Server activities that are not directly correlated to the QRadar EDR software.
- Evaluation of alerts from a cybersecurity perspective is out of scope for Support. IBM Blue Shield can be engaged through your IBM Sales Representative to assist with alert evaluation; this is charged as an extra cost.
- Customization. Other than Destra policies, QRadar EDR does not allow customization for the time being. For assistance beyond what IBM QRadar EDR Support offers, contact IBM Security Expert Labs to discuss customizations. Destra is a core feature of Hive, the flagship product of QRadar EDR. Detection Strategy (Destra) is an extended Lua engine that allows security operators to write custom detection rules, which are executed directly on the endpoints. Implementing Destra rules, changing existing ones, and evaluating the detection and protection capabilities are outside Support scope. Contact your IBM Security Expert Labs representative to request code changes or new implementations; be aware that extra costs might apply. A Destra rule condition is written in Lua, for example `if event.process.get_ofn() == "chrome.exe" then return false end`, which returns false for events whose process is chrome.exe.
- IBM does not change or modify the operating system (OS). If customers need support to validate that QRadar EDR is running properly after they finish any changes to the OS, Support can validate that.
- Kernel upgrades and third-party software upgrades. Note: Installing QRadar EDR alongside other EDR solutions is not supported because it can lead to instability and introduce unpredictable behavior. QRadar EDR can coexist with most major antivirus solutions, but it is recommended to monitor performance and tune as needed (tuning is outside of QRadar EDR Support scope). QRadar EDR with the Anti-Malware module enabled can coexist with Microsoft Defender; however, adding other AV solutions to this configuration is not supported.
- Security patch upgrades.
- Hardware upgrades or fixes.
The IBM QRadar EDR Support team is a global organization, with operating centers located around the world to better serve our clients. Case work scheduling is determined by the severity setting of each case.
Support representatives might lower the severity of a case during an investigation so that critical issues can be prioritized. Clearly communicate how your case impacts your business so that Support can triage it and understand the urgency and severity of the issue.
When a user opens a case, the severity level is set, but the severity of a case can be adjusted during the life of the case as more information becomes available. Ensure that your case severity mirrors your associated business impact.
Note: IBM reserves the right to downgrade a case from Severity 1 to an appropriate lower level, such as 2, 3, or 4, and to communicate that change, where functionality has been restored but noncritical issues remain.
| Severity | Business Impact | Detailed description |
|---|---|---|
| 1 | Critical | System or service down: business-critical functionality is inoperable, or a critical interface has failed. Severity 1 usually applies to a production environment and indicates an inability to access products or services, which results in a critical impact on operations. The failure condition requires an immediate solution. Administrators can indicate whether their system is down when they open a case. Important: Administrators or users who open 'System down' or 'Severity 1' cases are expected to be available after they open a case by using these high priority fields. If you are unavailable to work on the issue with IBM Support, set your case as a Severity 2 issue. Note: We work with you 24 hours a day, seven days a week to resolve Severity 1 problems, provided that you have a technical resource available to work during those hours. You must reasonably assist IBM with problem diagnosis and resolution. Severity 1 cases are worked 24 x 7 with a response goal from IBM of 2 hours. Note: For IBM Cloud services, you must log a Service Down case within 24 hours of first becoming aware that there is a critical business impact and the Cloud service is not available. |
| 2 | Significant | A product, service, business feature, or function of the product or service is severely restricted in its use, or you are in jeopardy of missing business deadlines. Note: IBM is not responsible for meeting your team's deadlines. |
| 3 | Some | The product, service, or functionality is usable, and the issue does not significantly impact operations. |
| 4 | Minimal | An inquiry or a nontechnical request. |
Note: Severity 2 - 4 cases are worked during normal business hours for your region with a response goal of 2 business hours.
Note: To help avoid confusion, we recommend opening a new case for each new issue. Each case has one issue and one solution, which gives you a better history to search when you need to reference past cases. Your team is not charged based on the number of cases that are opened. We are glad to help open cases on your team's behalf.
How does QRadar EDR deal with performance cases?
The support guidelines document defines a process for determining whether the machine or the application is causing the problem. However, most of the time, performance issues are fixed by creating allowlists. In some instances, xperf logs (on a Windows agent) are gathered and submitted to Development. Additionally, Windows agents gather certain events every minute and send them to the Hive Server; these contain metrics such as CPU, memory, and queue size. These events can be accessed under Threat Hunting, where the event name is Custom Event No Process. These events are generated only by Windows agents, not by Linux, macOS, or Android agents.

Can QRadar EDR SaaS customers remove the IBM users that are created within their dashboards?
IBM creates around 15 user accounts under Administration > Manage Users on all QRadar EDR SaaS instances. These are read-only "Observer" accounts that are provisioned specifically so that IBM Support can log in to your dashboard and provide assistance when needed. The IBM Support accounts do NOT count against the number of users that you are allowed to create in the UI.
QRadar EDR customers have full admin access, so they can add or delete users, including the IBM Support accounts. Removing these users prevents IBM Support from providing you with assistance in a timely manner.
Forum support
The IBM Community is intended for questions or advice on using IBM QRadar EDR, how-to questions, and general questions that do not require a support case.
Important: Never publish logs or personally identifiable information (PII) in the community as this information is visible to anyone who wants to browse the community content and can expose you to unforeseen security risks.
Training and education resources
Instructor-led courses for QRadar EDR are listed on Security Training for public and private education. For products not listed on the site, contact our IBM Security Expert Labs for instructor-led courses.
For the latest videos from IBM Helps on YouTube, see the QRadar EDR video playlist.
Request features on the IBM Ideas Portal
Clients who open support cases where the issue is a feature request might be directed to the IBM Security Ideas Portal to log the feature request. It is recommended that users log feature requests themselves, rather than support representatives, because Product Management teams might have follow-up questions that only the client can answer. For more information, see IBM QRadar EDR feature requests.
Document Information
Modified date: 09 November 2023
UID: ibm16964534