IBM Support

QRadar - About QRadar support

Question & Answer


Question

What products are supported by the QRadar Support team and how can you receive assistance with those products?

Answer

Quick Links

   

   

1. Support Services & Supported Products

IBM's QRadar Support team currently offers full service support to the following products:

  • IBM QRadar SIEM
    QRadar Support takes cases for Consoles, all managed hosts, and appliance types. This includes parsing and categorization issues for officially supported device support modules (DSMs). For more information, see: QRadar Officially Supported DSMs .

  • WinCollect
    QRadar Support takes cases for WinCollect agents, except for installations on operating systems considered End of Life by Microsoft. For more information, see the WinCollect system requirements .

  • IBM QRadar Vulnerability Manager
    QRadar Support takes all cases for QRadar Vulnerability Manager.

  • IBM Security QRadar Risk Manager
    QRadar Support takes all cases QRadar Risk Manager integrates with the core QRadar SIEM product to allow monitoring of device configurations, simulating changes to your network environment, and prioritizing risks and vulnerabilities in your network.

  • IBM QRadar Incident Forensics
    QRadar Incident Forensics integrates with the core QRadar SIEM product to allow users to retrace the actions of a potential attacker and conduct an in-depth forensics investigation of network security incidents.

  • IBM QRadar Network Packet Capture
    QRadar Network Packet Capture is an optional appliance to store and manage data that is used by QRadar Incident Forensics when no other network packet capture (PCAP) device is deployed.
     
  • QRadar App Host installations (QRadar 7.3.2)
    QRadar App Hosts replace App Node appliances with the release of QRadar 7.3.2. App Hosts bring the management of the operating system and make the App Host appliance part of the QRadar deployment. Applications installed on the App Nodes or App Host appliance are supported by the application developer as listed on the X-Force App Exchange.
     
  • IBM Developed Applications
    QRadar Support can take cases and questions about all IBM published applications for QRadar.  IBM official applications can be identified by filtering for IBM Apps or by reviewing the Support panel for any apps that you have installed from the X-Force App Exchange.
    image-20190501102648-2
    image-20190501102719-3


For these products, customers are able to contact Support via email, support portal, or phone to receive assistance. Where applicable, the Support team can use WebEx to perform remote session and directly assist customers with their issues.


 

   

   

2. QRadar Forum Support

The following product questions are best resolved through the QRadar customer forums as support cases are intended for broken functionality or product issues. QRadar Support cannot assist with questions related to security posture, tuning, or development questions. The forums are intended for questions or advice on using QRadar, how-to questions, and general questions that do not require a support case. The QRadar customer forums are great for general questions, asking administrators and non-Support issues.

How-to's and general questions for the following topics should be discussed in the QRadar customer forum:

  • QRadar Rule Tuning
    • For general rule questions, rule test inquiries, or questions on how to write a rule, ask in our forums.
    • For errors, rule wizard issues, or rule test issues open a QRadar support case.
  • QRadar RESTful API
    • For general API questions, use cases, or how-to's related to the QRadar REST API, ask in our forums.
    • For errors, incorrect results, or user interface problems open a QRadar support case.
  • QRadar Ariel Query Language (AQL)
    • For general AQL questions, advice, or questions related to writing searches in QRadar, as in our forums.
    • For errors, incorrect data results, or user interface problems open a QRadar support case.
  • Custom Device Support Module (DSM) creation & regular expression assistance.
  • Compliance or auditing recommendations.
  • Linux administration issues on Software Installations of QRadar.
  • Hardware questions on non-IBM appliances.
  • QRadar App Development & SDK questions (See the QRadar App Development FAQ page)
  • General 'how-to' questions related to QRadar products.
     

NOTE: You must have an IBM id to use the QRadar customer forums. Each question should use the qradar tag so that the question is visible to support, developers, and oter users. Posts can use up to 8 tags in total to help focus the topic of the post. Forum posts are not private or entitled. Never publish logs or personally identifiable information (PII) in the forums as this information is visible to anyone who wants to browse the forum content and can expose you to unforseen security risks.

If you have a specific issue accessing the forums, you can contact the moderator ( jonathan.pechta1@ibm.com ).

   

   

3. Unsupported products or product functionality

The following items are not supported by the IBM QRadar Support team:
 

  • QRadar Community Edition (CE)
  • Early Access IBM Apps
  • Business Partner Apps /Third Party Apps (not developed by IBM)
    For Business Partner Apps, users should always start a case with the app developer as listed on the X-Force App Exchange. Cases for Business Partner apps should start with the partner's app development team. If you feel your issue is an application framework problem, QRadar Support will work with you via support cases to ensure that the QRadar framework hosting the app is working properly and that services are running.
    image-20190501102459-1
    image-20190501103216-4

  

   

   

4. Support response goals

The IBM QRadar Support team is a global organization, with operating centers located around the world in order to better server our clients. Case work scheduling is determined by the severity setting of each case, as outlined below:

  • System down
    Administrators with systems that are down are considered priority cases. Administrators should indicate if their system is down when opening a case with QRadar Support. This allows the teams responsible for system down cases to prioritize their work load appropriately.
     
  • Severity 1
    Severity 1 cases are worked 24x7 with a response goal from IBM of 2 hours. Administrators and users should note that if you open a Sev 1, you are expected to have resources available constantly during that period to continue working on the issue with Support. If you are unable to do that, Support may lower the severity of the case until you are available to continue working.
     
  • Severity 2 - 4
    Sev 2 - 4 cases are worked during normal business hours for your region with a response goal of 2 business hours. For more information on support hours and response goals, see the IBM Support Handbook .

   

   

5. Support hours and regions

QRadar Support teams are available 24x7 for system down and severity 1 issues. These cases are reviewed and assigned as they are opened within the system. For example, if a severity 1 issue is raised, no matter where that severity 1 issue was raised geographically it is processed and handled by the region currently working. Standard QRadar cases that are assigned severity 2 to severity 4 are assigned and worked during normal business hours for that region.

Normal case hours (severity 2 to severity 4) by region

There are three QRadar Support regions within IBM and the hours are as follows:

  • North America: 7am - 8pm (EST / GMT-4)
  • Europe Middle East Africa: 6am - 5pm (GMT)
  • Asia/Pacific: 10am (AEST) to 5.30pm (IST)


IMPORTANT: Administrators or users who open 'System down' or 'Severity 1' cases are expected to be available after they open a case using these high priority fields. If you are unavailable to work on the issue with QRadar Support, you should set your case as a Severity 2 issue or ensure that a non-business hours contact is designated within your organization. Users with System down or Severity 1 cases can add comment in their case with a secondary contact to ensure we contact the designated personnel.

For example, adding this type of comment allows us to follow-up with an alternate contact for your organization:

I am unable to work on case #TSxxxxxxxx after 6pm GMT. An alternate contact for this case is John Doe. They can be contacted via phone (preferred) or email with the following information: john.doe@example.com, Office: 555-555-555.

image-20190708111551-1

   

6. Support languages

The IBM QRadar Support team offers direct support in English for all of our operating centers. Administrators and users are expected to be able to work in English with the exception of our Japan offices. Our Japan-based team offers direct Japanese language support to customers who are based in that country. IBM has a number of multi-language QRadar Support representatives; however, due to case volume for QRadar we are unable to ensure you will have access to a support representative who can work cases in your language. If an alternate language is required, IBM QRadar support may need to engage someone from IBM that has the language skill, but does not have the QRadar technical skill. The QRadar Support representative who has the QRadar technical skills will work the case in conjunction with the IBM Support representative with the language skill.

  

   

   

Where do I find more information?


[{"Product":{"code":"SSBQAC","label":"IBM QRadar SIEM"},"Business Unit":{"code":"BU008","label":"Security"},"Component":"General Information","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"Version Independent","Edition":""}]

Document Information

Modified date:
20 August 2019

UID

swg22016359