IBM Support

QRadar: Software update cases and support policies

Question & Answer


Question

This article informs administrators of their responsibilities for updating QRadar deployments, explains how software update cases are handled, and describes work that is out-of-scope for the technical support team.

Answer

Technical help for QRadar software updates allows users with valid support contracts to receive troubleshooting assistance for technical issues and answers to common questions from administrators. The QRadar Support Team can assist administrators with basic planning, installation issues, and post-installation issues or questions. This document also describes work that is considered out-of-scope for QRadar Technical Support and provides support alternatives for issues that cannot be addressed in a support case.

QRadar software update assistance


Technical support can assist administrators with:
  • Interpreting software installation and update documentation. See the 'Update Planning Support' tab.
  • Basic planning and pre-update checklist questions. See the 'Update Planning Support' tab.
  • Troubleshooting for administrators on supported versions. See the 'In-progress Update Support' tab.
  • Analysis of logs and errors during software updates. See the 'In-progress Update Support' tab.
  • Issue confirmation for problems experienced after completing a software update. See the 'Update Validation Support' tab.
  • System notifications and questions related to the post-installation checklist. See the 'Update Validation Support' tab.

Severity and handling of software update cases


QRadar update cases are handled differently depending on whether you are in the middle of an update or you have not started updating yet.

Update Planning Support
Planning-phase QRadar update cases are usually assigned a lower severity (Severity 2-4). QRadar Support typically recommends that administrators run the update checklist two weeks before applying a software update. Starting the checklist early allows time for errors to be investigated or questions to be answered before your change window occurs. Administrators are encouraged to provide their software update timeline to the technical support team so we can plan to assist you if errors occur.

In-progress Update Support
QRadar software update failures or errors are generally treated as system down cases (Severity 1). After a technical problem is resolved, support representatives will generally disengage from the Webex while the administrator continues the software updates on other appliances.

Update Validation Support
Post-update functionality checks are to be done by the administrators, and cases can be opened if issues are found. Software defects and issues discovered during a post-update checklist review can range in severity (Severity 1-4). How-to questions and usage questions related to new features should be assigned a lower severity (Severity 3-4).

IBM Security Expert Labs assistance


Due to the highly flexible nature of QRadar, a deep understanding of your use-cases, environment, and overall security strategy is crucial to formulate an effective update plan. QRadar Technical Support does not have this knowledge about your deployment, so the following activities are considered out-of-scope for support cases:
 
  • Developing or creating update strategies for administration teams.
  • Recommending QRadar version updates based on security posture.
  • Completing the pre-update checklist for administrators.
  • Managing or completing software updates across multiple appliances or deployments.
  • Providing dedicated support (staying online with you) during the normal update process.
  • Running post-update system health checks or performance checks.


Clients are responsible for completing the steps from the QRadar software update checklist before they begin a software update. Administrators who have questions or concerns about the software update checklist can open a case for technical support.

QRadar software update planning assistance

Technical support for QRadar can assist administrators with the following update planning tasks:
 
  • Provide the pre-update checklist and answer questions or investigate errors when administrators run commands.
  • Answer questions for administrators about software updates or questions regarding IBM update documentation.
  • Verifying systems in the deployment are appliances or software installations. The update process is different for software installs where administrators provide their own hardware.
  • Ensuring that third-party monitoring software, such as nagios, telegraf, or besclient, is not installed. Unapproved software can cause failures and dependency conflicts during software updates.
  • Confirm applications are at the latest version and running before administrators start a software update.
  • Confirm that remote access is available via SSH and via IMM (or other out of band management interfaces) before you begin a software update.
  • Verifying that you permit remote support via Webex and that you can provide logs if required. If no access is available, we may recommend that you request onsite assistance for the update from IBM Lab Services.
  • Notifying QRadar Technical Support staff when your planned updates are scheduled. If you provide us with a date and time for the planned update activity, the support team that will be on shift during the update will be alerted so that they know to expect possible contact from you.

    Important: Due to case schedules, time zones, and case hand-offs, responses can be provided from multiple support engineers. IBM does not dedicate a single point of contact for software update activities, even if the date and time of the maintenance window is provided. If you require a dedicated IBM point of contact to manage the software update and validation, you can contact IBM Lab Services.

Out-of-scope software planning tasks


The following planning activities are considered out-of-scope for QRadar Technical Support:
 
  • Developing, reviewing, or maintaining update strategies for your QRadar deployment.
  • Advising on updates for appliances where IBM Professional Services has implemented custom storage, disaster recovery, or custom software applications or modules.
  • Recommending which version of QRadar to update to. You can use the QRadar Master Software 101 to find this information for yourself.
  • Completing the QRadar pre-update checklist for administrators on appliances.
     

Due to the intensive and involved nature of QRadar updates, software updates should only be performed by the client. Performing a software update for administrators is not within the normal capabilities of a support engineer and is considered “out-of-scope”. Technical support is not able to start, monitor, or manage software updates for administrators.

QRadar software update cases

Administrators who encounter software errors that prevent a successful update should open a Severity 1 case for priority assistance. Your case must describe the problem and it is recommended that you provide secondary contact information or a backup contact for your case. If the situation is urgent, you can contact the IBM Duty Manager and reference the severity 1 case number for escalation.

Out-of-scope software update cases

The following case activities are considered out-of-scope:
  • Managing software updates after errors are resolved. For example, completing software updates on other appliances after resolving a software issue.
  • Providing dedicated support (staying online with you) during the normal update process.
  • Staying on a Webex for extended periods of time waiting for administrators with special permissions to join. For example, keeping a Webex session open for more than 30 minutes waiting for a network, storage, or database administrator to join.
     

Post-installation technical issues are not necessarily considered system down. Any issue reported after a recent software update must be opened by the client as a new support case.

QRadar software update validation assistance

After administrators update their software, they should review the appliance to ensure that it is functioning as expected. If you identify an issue, QRadar Technical Support can assist with new cases to confirm any errors or perform additional troubleshooting.

Administrators can open new cases after a successful update for assistance with:
 
  • Troubleshooting errors for software features that do not function properly after a successful software update.
  • Reviewing system notifications that appear after an update completes.
  • Assisting with new application, search, report, or offense issues.
     

Out-of-scope software validation cases

The following post-update activities are considered out-of-scope for QRadar Technical Support:
 
  • Completing system health checks for administrators. QRadar Technical Support provides a list of post-installation items for administrators to review. 
  • Validating data integrity or offboard storage issues after an update completes successfully.
  • Validating the status of high availability (HA) appliances or running failover tests on appliances.
  • Planning future software updates for organizations.
     


Document Information

Modified date:
09 November 2020

UID

ibm16338691