IBM Support

QRadar: Search and Advanced search (AQL) case support policies

Question & Answer


Question

This article informs administrators about QRadar® Support policies. QRadar Support helps administrators investigate and correct software defects related to searches or the Ariel Query Language (AQL), such as error messages, documentation questions, or troubleshooting. This document outlines out-of-scope work for Search and Advanced Search (AQL) cases and the responsibilities of the QRadar administrator.

Answer

Responsibilities for Search and Ariel Query Language (AQL) issues

Searches allow users to filter data such as events or flows. The Ariel Query Language (AQL) is a structured query language that users can use to query data in QRadar. Advanced queries (AQL) can be used to format and display data from events and flows.

Support type: Search and Ariel Query Language support

Description: QRadar® Support can assist with error messages or confirm product functionality for searches. For example, QRadar Support can:
  1. Review logs for errors when a search is run in the user interface.
  2. Attempt to replicate a search to determine whether a product issue exists, provided the case contains evidence or data to support the hypothesis that a search or AQL function provided by IBM is not working.
  3. Review default (unmodified) searches that are provided by QRadar installations or IBM Content Extensions on the X-Force App Exchange. QRadar Support can review default searches with the "Show AQL" function to determine whether a search issue exists in default queries provided by IBM.
  4. Explain documentation or review issues where an example in the documentation is incorrect.

Responsibility: QRadar technical support. To open a case or report a Search or Ariel Query Language error, contact QRadar technical support.

Support type: Out-of-scope for QRadar Support

Description: The following activities are considered out-of-scope for technical support. QRadar Support reserves the right to close cases related to the following issues:
  1. Requests to create or tune searches or advanced searches (AQL) for users.
  2. Reviewing changes to searches or AQL queries, or completing search validation for custom queries, after a product upgrade.
  3. Requests to write search widgets for apps, like QRadar Pulse, which can create dashboard widgets based on AQL data sources, dynamic JSON queries, or API query widgets.
  4. Providing advice on or troubleshooting advanced queries and the security posture or security coverage of a search. For example, "I'm developing AQL queries for multi-domain users in our custom SOC application and need advice on what function is best to use."
  5. QRadar Support does not troubleshoot searches or AQL queries added by content extensions from non-IBM sources, such as IBM Business Partners or AQL queries added by non-IBM applications. Support contact information can be found in the sidebar for each application on the X-Force App Exchange. For example, "I need assistance troubleshooting the 'User at Risk' AQL query to restrict data returned added by the Symantec EDR application."
  6. Developing or troubleshooting custom AQL functions. Custom functions are a programmatic feature, and users who have development questions or require assistance troubleshooting a function can ask in the forums.
Resources:
Reference information:

Document Information

Modified date: 02 March 2022

UID: ibm16427779