QRadar - About QRadar support
What products are supported by the QRadar Support team and how can you receive assistance with those products?
1. Support Services & Supported Products
IBM's QRadar Support team currently offers full service support to the following products:
- IBM QRadar SIEM
QRadar Support takes cases for Consoles, all managed hosts, and appliance types. This includes parsing and categorization issues for officially supported device support modules (DSMs). For more information, see: QRadar Officially Supported DSMs.
QRadar Support takes cases for WinCollect agents, except for installations on operating systems considered End of Life by Microsoft. For more information, see the WinCollect system requirements.
- IBM QRadar Vulnerability Manager
QRadar Support takes all cases for QRadar Vulnerability Manager.
- IBM Security QRadar Risk Manager
QRadar Support takes all cases for QRadar Risk Manager. QRadar Risk Manager integrates with the core QRadar SIEM product to allow monitoring of device configurations, simulating changes to your network environment, and prioritizing risks and vulnerabilities in your network.
- IBM QRadar Incident Forensics
QRadar Incident Forensics integrates with the core QRadar SIEM product to allow users to retrace the actions of a potential attacker and conduct an in-depth forensics investigation of network security incidents.
- IBM QRadar Network Packet Capture
QRadar Network Packet Capture is an optional appliance to store and manage data that is used by QRadar Incident Forensics when no other network packet capture (PCAP) device is deployed.
For these products, customers can contact Support via email, support portal, or phone to receive assistance. Where applicable, the Support team can use WebEx to perform a remote session and directly assist customers with their issues.
2. QRadar Forum Support
The following product questions are best resolved through the QRadar customer forums, as support cases are intended for broken functionality or product issues. QRadar Support cannot assist with questions related to security posture, tuning, or development. The forums are intended for questions or advice on using QRadar, how-to questions, and general questions that do not require a support case. The QRadar customer forums are great for general questions, asking other administrators, and non-Support issues.
The following topics should be discussed in the QRadar customer forum:
- QRadar Rule Tuning
- QRadar RESTful API
- QRadar Ariel Query Language (AQL) questions
- Custom Device Support Module (DSM) creation & regular expression assistance
- Compliance or auditing recommendations
- Linux administration issues on Software Installations of QRadar.
- Hardware questions on non-IBM appliances.
- QRadar App Development & SDK questions (See the QRadar App Development FAQ page)
- General 'how-to' questions related to QRadar products
NOTE: You must have an IBM id to use the QRadar customer forums. Each question should use the qradar tag so that the question is visible to support, developers, and other users. Posts can use up to 8 tags in total to help focus the topic of the post. Forum posts are not private or entitled. Never publish logs or personally identifiable information (PII) in the forums, as this information is visible to anyone who wants to browse the forum content and can expose you to unforeseen security risks.
If you have a specific issue accessing the forums, you can contact the moderator (firstname.lastname@example.org).
3. Unsupported products or product functionality
The following items are not supported by the IBM QRadar Support team:
- QRadar Community Edition (CE)
- Early Access IBM Apps
- QRadar Apps that are not developed by IBM
For non-IBM QRadar Apps, users should always start a case with the app developer listed on the X-Force App Exchange. QRadar Support will work with you via support cases to ensure that the QRadar framework hosting the app is working properly. With that verified, all further issues must be reported to the App's developer for assistance.
4. Support response goals
The IBM QRadar Support team is a global organization, with operating centers located around the world in order to better serve our clients. Case work scheduling is determined by the severity setting of each case, as outlined below:
- System down
Cases from administrators whose systems are down are considered priority cases. Administrators should indicate if their system is down when opening a case with QRadar Support. This allows the teams responsible for system down cases to prioritize their workload appropriately.
- Severity 1
Severity 1 cases are worked 24x7 with a response goal from IBM of 2 hours. Administrators and users should note that if you open a Sev 1, you are expected to have resources available constantly during that period to continue working on the issue with Support. If you are unable to do that, Support may lower the severity of the case until you are available to continue working.
- Severity 2 - 4
Sev 2 - 4 cases are worked during normal business hours for your region with a response goal of 2 business hours. For more information on support hours and response goals, see the IBM Support Handbook.
5. Support hours and regions
QRadar Support teams are available 24x7 for system down and severity 1 issues. These cases are reviewed and assigned as they are opened within the system. For example, if a severity 1 issue is raised, it is processed and handled by the region currently working, no matter where it was raised geographically. Standard QRadar cases that are assigned severity 2 to severity 4 are assigned and worked during normal business hours for that region.
Normal case hours (severity 2 to severity 4) by region
There are three QRadar Support regions within IBM and the hours are as follows:
- North America: 7am - 8pm (EST / GMT-4)
- Europe Middle East Africa: 6am - 5pm (GMT)
- Asia/Pacific: 10am (AEST) to 5.30pm (IST)
IMPORTANT: Administrators or users who open 'System down' or 'Severity 1' cases are expected to be available after they open a case using these high priority fields. If you are unavailable to work on the issue with QRadar Support, you should set your case as a Severity 2 issue or ensure that a non-business hours contact is designated within your organization. Users with System down or Severity 1 cases can add a comment in their case with a secondary contact to ensure we contact the designated personnel.
For example, adding this type of comment allows us to follow up with an alternate contact for your organization:
I am unable to work on case #TSxxxxxxxx after 6pm GMT. An alternate contact for this case is John Doe. They can be contacted via phone (preferred) or email with the following information: email@example.com, Office: 555-555-555.
6. Support languages
The IBM QRadar Support team offers direct support in English for all of our operating centers. Administrators and users are expected to be able to work in English with the exception of our Japan offices. Our Japan-based team offers direct Japanese language support to customers who are based in that country. IBM has a number of multi-language QRadar Support representatives; however, due to case volume for QRadar we are unable to ensure you will have access to a support representative who can work cases in your language. If an alternate language is required, IBM QRadar support may need to engage someone from IBM that has the language skill, but does not have the QRadar technical skill. The QRadar Support representative who has the QRadar technical skills will work the case in conjunction with the IBM Support representative with the language skill.
More support for:
IBM QRadar SIEM
Component: General Information
Software version: Version Independent
Operating system(s): Platform Independent
Reference #: 2016359
Modified date: 25 February 2019