QRadar - About QRadar support

Answer

Quick Links

• 1. QRadar Support Services & Supported Products
• 2. QRadar Forum Support
• 3. Unsupported products or product functionality
• 4. Support response goals
• 5. QRadar Support hours
• 6. QRadar Support languages

1. Support Services & Supported Products

IBM's QRadar Support team currently offers full service support to the following products:

• IBM QRadar SIEM
  QRadar Support takes cases for Consoles, all managed hosts, and appliance types. This includes parsing and categorization issues for officially supported device support modules (DSMs). For more information, see: QRadar Officially Supported DSMs .


• WinCollect
  QRadar Support takes cases for WinCollect agents, except for installations on operating systems considered End of Life by Microsoft. For more information, see the WinCollect system requirements .


• IBM QRadar Vulnerability Manager
  QRadar Support takes all cases for QRadar Vulnerability Manager.


• IBM Security QRadar Risk Manager
  QRadar Support takes all cases QRadar Risk Manager integrates with the core QRadar SIEM product to allow monitoring of device configurations, simulating changes to your network environment, and prioritizing risks and vulnerabilities in your network.


• IBM QRadar Incident Forensics
  QRadar Incident Forensics integrates with the core QRadar SIEM product to allow users to retrace the actions of a potential attacker and conduct an in-depth forensics investigation of network security incidents.


• IBM QRadar Network Packet Capture
  QRadar Network Packet Capture is an optional appliance to store and manage data that is used by QRadar Incident Forensics when no other network packet capture (PCAP) device is deployed.
   
• QRadar App Host installations (QRadar 7.3.2)
  QRadar App Hosts replace App Node appliances with the release of QRadar 7.3.2. App Hosts bring the management of the operating system and make the App Host appliance part of the QRadar deployment. Applications installed on the App Nodes or App Host appliance are supported by the application developer as listed on the X-Force App Exchange.
   
• IBM Developed Applications
  QRadar Support can take cases and questions about all IBM published applications for QRadar.  IBM official applications can be identified by filtering for IBM Apps or by reviewing the Support panel for any apps that you have installed from the X-Force App Exchange.
  
  

For these products, customers are able to contact Support via email, support portal, or phone to receive assistance. Where applicable, the Support team can use WebEx to perform remote session and directly assist customers with their issues.


 

2. QRadar Forum Support

The following product questions are best resolved through the QRadar customer forums as support cases are intended for broken functionality or product issues. QRadar Support cannot assist with questions related to security posture, tuning, or development questions. The forums are intended for questions or advice on using QRadar, how-to questions, and general questions that do not require a support case. The QRadar customer forums are great for general questions, asking administrators and non-Support issues.

Important: You must include a product tag with your question. For the best visibility, we recommend the QRadar product tag for visibility. You can have up to 7 additional tags on your forum post. For a list of QRadar specific forum tags, see: QRadar 101 Forum topic list

The following topics should be discussed in the QRadar customer forum, unless you are receiving errors or incorrect data:

• QRadar Rule Tuning
  • For general rule questions, rule test inquiries, or questions on how to write a rule, ask in our forums.
  • For errors, rule wizard issues, or rule test issues open a QRadar support case.
• QRadar RESTful API
  • For general API questions, use cases, or how-to's related to the QRadar REST API, ask in our forums.
  • For errors, incorrect results, or user interface problems open a QRadar support case.
• QRadar Ariel Query Language (AQL)
  • For general AQL questions, advice, or questions related to writing searches in QRadar, as in our forums.
  • For errors, incorrect data results, or user interface problems open a QRadar support case.

NOTE: You must have an IBM id to use the QRadar customer forums. Forum posts are not private or entitled. Never publish logs or personally identifiable information (PII) in the forums as this information is visible to anyone who wants to browse the forum content and can expose you to unforseen security risks.

If you have a specific issue accessing the forums, you can contact the moderator (jonathan.pechta1@ibm.com).

3. Unsupported products or product functionality

The following items are not supported by the IBM QRadar Support team:
 

• QRadar Community Edition (CE)
• Early Access IBM Apps
• Business Partner Apps /Third Party Apps (not developed by IBM)
  For Business Partner Apps, users should always start a case with the app developer as listed on the X-Force App Exchange. Cases for Business Partner apps should start with the partner's app development team. If you feel your issue is an application framework problem, QRadar Support will work with you via support cases to ensure that the QRadar framework hosting the app is working properly and that services are running.
  
  

4. Support response goals

The IBM QRadar Support team is a global organization, with operating centers located around the world in order to better server our clients. Case work scheduling is determined by the severity setting of each case, as outlined below:

• System down
  Administrators with systems that are down are considered priority cases. Administrators should indicate if their system is down when opening a case with QRadar Support. This allows the teams responsible for system down cases to prioritize their work load appropriately.
   
• Severity 1
  Severity 1 cases are worked 24x7 with a response goal from IBM of 2 hours. Administrators and users should note that if you open a Sev 1, you are expected to have resources available constantly during that period to continue working on the issue with Support. If you are unable to do that, Support may lower the severity of the case until you are available to continue working.
   
• Severity 2 - 4
  Sev 2 - 4 cases are worked during normal business hours for your region with a response goal of 2 business hours. For more information on support hours and response goals, see the IBM Support Handbook .

5. Support hours and regions

QRadar Support teams are available 24x7 for system down and severity 1 issues. These cases are reviewed and assigned as they are opened within the system. For example, if a severity 1 issue is raised, no matter where that severity 1 issue was raised geographically it is processed and handled by the region currently working. Standard QRadar cases that are assigned severity 2 to severity 4 are assigned and worked during normal business hours for that region.

Normal case hours (severity 2 to severity 4) by region

There are three QRadar Support regions within IBM and the hours are as follows:

• North America: 7am - 8pm (EST / GMT-4)
• Europe Middle East Africa: 6am - 5pm (GMT)
• Asia/Pacific: 10am (AEST) to 5.30pm (IST)

IMPORTANT: Administrators or users who open 'System down' or 'Severity 1' cases are expected to be available after they open a case using these high priority fields. If you are unavailable to work on the issue with QRadar Support, you should set your case as a Severity 2 issue or ensure that a non-business hours contact is designated within your organization. Users with System down or Severity 1 cases can add comment in their case with a secondary contact to ensure we contact the designated personnel.

For example, adding this type of comment allows us to follow-up with an alternate contact for your organization:

I am unable to work on case #TSxxxxxxxx after 6pm GMT. An alternate contact for this case is John Doe. They can be contacted via phone (preferred) or email with the following information: john.doe@example.com, Office: 555-555-555.