IBM Support

IBM Security QRadar SOAR - About IBM Security QRadar SOAR support

Question & Answer


Question

What products are supported by the IBM Security QRadar SOAR Support team and how can you receive assistance with those products?

Answer


1. Support Services & Supported Products

The IBM SOAR Support team currently offers full-service support to the following products:

  • IBM SOAR
    IBM SOAR Support takes cases for virtual appliance (IBM SOAR, Disaster Recovery, MSSP, and App Host) and stand-alone (IBM SOAR, MSSP, and App Host) deployments.

  • IBM Resilient Circuits
    IBM SOAR Support takes cases for IBM Resilient Circuits when the code (apps or functions) is created by IBM or it is suspected that the problem lies with the underlying instance of IBM Resilient Circuits.

  • IBM Developed Applications
    IBM SOAR Support can take cases and questions about all IBM published applications for IBM SOAR.  IBM official applications can be identified by filtering for IBM Apps in the X-Force App Exchange.

For these products, customers can contact Support from the support portal to receive assistance. Where applicable, the Support team can use Webex to perform a remote session and directly assist customers with their issues.

2. IBM SOAR Community

The following product questions are best resolved through the IBM SOAR Community, because support cases are intended for broken functionality or product issues. IBM SOAR Support cannot assist with questions related to security posture, tuning, or development. The Community is intended for questions or advice on using IBM SOAR, how-to questions, and general questions that do not require a support case. The IBM SOAR Community is well suited to general questions, asking administrators, and non-Support issues.

The following topics are to be discussed in the IBM SOAR Community:

  • Advice on custom code
    • For general questions on Python scripting, be it in-product or external.
    • Advice on how to fulfill use cases with custom code.
    • Advice or assistance on code you have written yourself.
    • Code changes to the "example" workflows provided by IBM in the functions from the App Exchange are deemed to be custom code.
    • Code changes to "generic" or "sample" email parsing scripts.
    • Assistance with changes to the JINJA2 templates used by the IBM QRadar application.
  • IBM SOAR RESTful API
    • For general API questions, use cases, or how-to's.
    • For errors, incorrect results, or user interface problems open a case.
  • Community apps
    • For general questions, advice, or problems relating to community apps.
  • Best practice recommendations
    • For general advice, or questions related to best practices in IBM SOAR.
    • For general advice, or questions related to running multiple instances of IBM Resilient Circuits.
    • Advice on how to upgrade or run different versions of Python on an integration server.
    • Risk or impact assessments.
    • For general advice, or questions related to hardware requirements.
    • Capacity planning or management.
  • IBM supported apps
    • Advice or assistance on configuring optional features to enhance out-of-the-box functionality.
      • Configuring Postgres to support persistent storage for apps.
  • Use of rules
    • For general advice, or questions related to configuring rules in IBM SOAR.
  • Guidance on the use of dashboards
  • Questions on example information provided in the IBM Documentation
    • Questions or advice on SNMP.

Community posts are not private or entitled. Never publish logs or personally identifiable information (PII) in the community as this information is visible to anyone who wants to browse the community content and can expose you to unforeseen security risks.

If you prefer to discuss these matters with IBM, reach out to IBM Security Expert Labs directly.

3. Unsupported products or product functionality and services

The following items are not supported by the IBM SOAR Support team:

  • Email Connector
    IBM SOAR V32 brought some functionality of the Email Connector into the IBM SOAR application. Use cases that required the use of the Email Connector to read inbound emails sent to a designated mailbox and parse them into an incident within IBM SOAR might be better handled by the new functionality.

    By Q4 2019 support for the Email Connector ceased. Clients are urged to move the logic in their JavaScript templates to the new functionality. If you require assistance, you can reach out to IBM Security Expert Labs directly or post a question in the IBM SOAR Community.
  • Outbound Email Connector
    This Java based application is superseded by email functions on the App Exchange.
  • Custom Parsing Script – Email Connector
    In-depth customizations of the email connector:
  • Python or pip
    Problems involving the installation of packages from pypi.org or other repositories are out of scope because they are not IBM products. Python and pip have their own help forums where advice can be sought. You can use the IBM SOAR Community to ask for assistance.
  • Custom scripts or code (not developed by IBM)
    Scripts or code that is not written by IBM including "example" code provided by IBM, which is then altered.

    If there are problems with custom code based on IBM "example" code, consider reproducing with the "example" code to assess whether it is the customizations that are the cause of the problem.
  • Early Access IBM Apps
  • Business Partner or Third-Party Apps (not developed by IBM)
    For Business Partner Apps, users can start a case with the app developer as listed on the X-Force App Exchange. If you feel your issue is related to IBM Resilient Circuits or App Host and is not app or function specific, IBM SOAR Support can work with you through support cases. IBM SOAR Support ensures that the underlying application hosting the app is working properly and that services are running.
  • Hardware or scaling questions
    Advice on sizing deployments of IBM SOAR cannot be handled by the IBM SOAR support team due to the complexity and understanding required of the proposed deployment. Security Expert Labs or the community might be able to assist.
  • Networking
    Problems relating to the network, firewalls, or proxies are out of scope. IBM SOAR support might identify, during routine investigation, that there is a connection-related problem. Further analysis such as firewall rules or packet tracing must be performed by the client. The client might prefer to enlist the help of Security Expert Labs or their internal support teams.
  • Hypervisor
    The IBM Documentation details the minimum requirements for VMware. Problems relating to deployment of the OVA must be investigated by the client's internal teams, or the client can leverage any support agreements with VMware. IBM SOAR Support cannot assist with hypervisor problems.
  • Versions that reach end of support
    IBM SOAR Support Lifecycle details the versions of IBM SOAR that are supported.
  • Health checks
    Health checks are out of scope for the IBM SOAR Support team but IBM Security Expert Labs can assist.
  • Log parsing and monitoring tools
    Providing assistance with parsing log files with monitoring tools is out of scope for the IBM SOAR Support team. The configuration of such monitoring tools in relation to IBM SOAR is also out of scope. IBM Security Expert Labs can assist.
  • Installation of supported products
    Performing an end-to-end installation of supported products is out of scope for the IBM SOAR Support team. The IBM SOAR Support team is able to provide support for specific problems so that our customers can continue with the installation process on resolution of the problem. IBM Security Expert Labs are able to provide you with an end-to-end installation engagement.
  • Third-party software
    • IBM Support cannot provide guidance on the installation or configuration of third-party packages or programs you choose to install on the IBM Security QRadar SOAR server.
    • If third-party software is known to interfere with software that IBM provides support for, you might be asked to remove the third-party software before IBM Support can continue assisting.
    • Removal of the software is the client's responsibility.
    • IBM Support recommends that you install third-party software on a nonproduction server first.
    • IBM does not test third-party software alongside IBM Security QRadar SOAR.
  • Playbooks
    The configuration and optimization of playbooks, often including workflows, functions, rules and scripts, require a deep understanding of a client's requirements and business logic, which are often complicated and proprietary. IBM Security Expert Labs are better placed to handle such undertakings.
  • Operating configurations
    Changes to the operating system, not limited solely to:
    • Altering firewall configuration.
    • Extending disk partitions.
    • Creating bash or shell scripts.
    • Updating cron.
    • NTP or chrony.
    • Syslog, outside of the supported audit logging functionality.
  • Troubleshooting OS problems, not limited solely to:
    • NTP or chrony.
    • Yum or package problems.
    • Systemd services.
  • Python virtual environments
    • The configuration and support of such virtual environments is outside the scope of IBM Support.


4. Support response goals

The IBM SOAR Support team is a global organization, with operating centers located around the world in order to better serve our clients. Case work scheduling is determined by the severity setting of each case:

  • System down
    Administrators with systems that are down are considered priority cases. Administrators can indicate whether their system is down. Teams responsible for system down cases can prioritize their work load.
  • Severity 1
    Severity 1 cases are worked 24x7 with a response goal from IBM of 2 hours. Administrators and users should be aware that if you open a Severity 1 case, you are expected to have resources available constantly during that period to continue working on the issue with Support. If you are unable to do that, Support might decrease the severity of the case until you are available to continue working.
  • Severity 2 - 4
    Severity 2 - 4 cases are worked during normal business hours for your region with a response goal of 2 business hours. For more information on support hours and response goals, see the IBM Support Handbook.

5. Support hours and regions

IBM SOAR Support teams are available 24x7 for system down and severity 1 issues. These cases are reviewed and assigned as they are opened within the system. Standard IBM SOAR cases that are assigned severity 2 to severity 4 are assigned and worked during normal business hours for that region.

Normal case hours (severity 2 to severity 4) by region

There are three IBM SOAR Support regions within IBM and the hours are as follows:

  • United States - Monday – Friday 9 AM – 5 PM UTC – 5
  • Australia - Monday – Friday 9 AM – 5 PM UTC + 10
  • United Kingdom - Monday – Friday 9 AM – 5 PM UTC + 0

IMPORTANT: Administrators or users who open 'System down' or 'Severity 1' cases are expected to be available after they open a case by using these high priority fields. If you are unavailable to work on the issue with IBM SOAR Support, set your case as a severity 2 issue.

6. Support languages

The IBM SOAR Support team offers direct support in English for all of our operating centers. Administrators and users are expected to be able to work in English except for our Japan offices. Our Japan-based team offers direct Japanese language support to customers who are based in that country. IBM has a number of multi-language IBM SOAR Support representatives; however, due to case volumes we are unable to ensure you have access to a support representative who can work cases in your language. If an alternate language is required, IBM SOAR support might need to engage someone from IBM that has the language skill, but does not have the IBM SOAR technical skill. The IBM SOAR Support representative who has the IBM SOAR technical skills works the case along with the IBM Support representative with the language skill.

7. Security Expert Labs assets

Due to the highly flexible nature of IBM SOAR, a deep understanding of your use-cases, environment, and overall security strategy is crucial to developing custom code, playbooks or upgrade strategies. Security Expert Labs provides a wide range of services to clients, many of which include the writing of custom code or "assets."
Support for these assets is out of scope for support cases. If you have a problem with an asset provided by Security Expert Labs, get in touch with Security Expert Labs directly. Cases opened for such assets will be closed after IBM SOAR Support qualify that it is an asset provided by Security Expert Labs.
Visit the website for Security Expert Labs for details of how to contact them -> https://www.ibm.com/products/expertlabs/security


Document Information

Modified date:
11 April 2024

UID

ibm16350095