IBM Support

QRadar: Regular expression (regex) cases and support policies

Question & Answer


Question

This article informs administrators about QRadar® Support policies. QRadar Support assists administrators to investigate and correct software defects related to regular expression assistance. This document outlines out-of-scope cases for QRadar users. 

Answer

Responsibilities for Regular Expression issues

Regular expressions are used to match patterns of text in Log Source events. Administrators can scan messages for patterns of letters, numbers, or a combination of both. For example, you can create regular expressions that match source and destination IP addresses, ports, MAC addresses, and more. Regular expressions are used in Log Source extensions and custom event properties.

Support type: Regular Expressions and support

Description: QRadar® Support can assist with error messages or confirm product functionality for IBM created regular expressions. For example, QRadar Support can:
  1. Review cases where the regular expression provided in an IBM Custom Event Property causes performance issues or incorrectly captures data.
  2. Explain documentation and review cases where a regular expression example in the documentation is incorrect.
  3. Assist with parsing issues where the DSM Editor does not display an override properly in the user interface. For example, a user creates an override for an event property, but it does not display values in the user interface for the DSM Editor.
  4. Identify searches when users create "Payload contains" searches with regular expressions. "Payload contains" queries are extremely expensive to process and are known to cause performance issues. QRadar Support can provide guidance to administrators to locate searches that cause performance issues, but support does not assist with tuning "Payload contains" searches.
  5. Review logs for errors related to performance and the use of regular expressions.
  6. Assist with error messages or defects with regard to regular expressions provided by an IBM application from the X-Force App Exchange.

Responsibility: QRadar technical support. To open a case or report a regular expression issue, contact QRadar technical support.

Support type: Out-of-scope for QRadar Support

Description: Administrators are responsible for their regular expressions. The following activities are considered out-of-scope for technical support and IBM reserves the right to close cases related to:
  1. Requests for assistance to write, modify, test, or tune custom regular expressions for administrators.
  2. Review or questions related to potential performance issues. QRadar Support does not review hypothetical questions related to performance. For example, "Is this regular expression optimized for my event payload?"

Responsibility: Administrators need to be able to create, modify, test, and tune their regular expressions. For assistance, administrators can test their expressions with online tools, like regex 101. IBM offers tuning for regular expressions and custom property assistance through IBM Security® Expert Labs.


Document Information

Modified date:
08 June 2021

UID

ibm16427781