IBM Support

QRadar: Custom Property performance issues and support policies

Question & Answer


Question

This article informs administrators about QRadar® Support policies. QRadar Support assists administrators in investigating and correcting software defects related to performance. This document outlines out-of-scope work for support cases where user-generated content might impact performance.

Answer


Technical support for custom properties and performance

Custom properties are added to QRadar by officially supported DSMs or applications, or are created by administrators. Custom properties parse specific data from event payloads to display information in the user interface as PropertyName(Custom). Custom properties can be used in rule tests, searches, reports, or dashboards.

 
Support type: Custom property investigations & analysis

Description: QRadar technical support can assist administrators to identify and narrow down potential custom event property issues.

Administrators can use QRadar technical support to:
  1. Review logs and system notifications related to custom property errors.
  2. Verify the custom property is assigned to the designated log source type.
  3. Examine and identify resource-expensive custom properties. This includes determination of non-performant custom properties that can cause data to be routed to storage.
  4. Review the number of enabled custom properties to determine impact to services.
  5. Confirm custom properties return expected search results.
  6. Confirm issues and provide support for IBM-created custom properties that are provided with officially supported DSMs or IBM applications.

Responsibility: QRadar technical support. To open a case or report a custom property error, contact QRadar technical support.

Support type: Performance, tuning and custom property management

Administrators are responsible for user-generated custom properties, updates, and security policies. For assistance with security policies and use case coverage for custom properties, contact IBM Security Expert Labs.

The following activities are considered out-of-scope for technical support:
  • Create custom properties for user-generated log source types or custom integrations of event data. 
  • Write or tune user-generated regular expressions in custom properties.
  • Tune custom properties included in user-generated searches, rules, or reports.
  • Consolidate user-generated custom properties for multiple log sources or domains.
  • Complete security evaluations of custom properties.

Technical help for QRadar® performance issues is included for users with valid support contracts, to assist administrators who need help diagnosing performance problems in QRadar. The QRadar technical support team will investigate all performance issues. If the cause of your performance issue is determined to be a non-performant system configuration, such as poorly performing regular expressions in the DSM Editor, rules or building block tuning, or offense performance, support can assist with identifying the cause.

QRadar performance assistance in support cases

Administrators can review the tabs at the top of the page for more details about log source, custom property, or rule performance support assistance. QRadar technical support teams can assist administrators with errors, questions, and performance issues, such as:

  • Interpreting system notifications and documentation.
  • Troubleshooting for administrators on supported versions.
  • Analysis of logs and errors to determine where performance issues occur. This includes:
    • Validation of parsing performance and log source configurations.
    • Identifying why events do not parse as expected.
    • Identifying custom properties with performance issues.
    • Identifying issues related to search performance.
    • Identifying why rules do not trigger as expected for administrators.
  • Issue confirmation for problems after administrators tune or update event sources.

Out-of-scope performance issues


Due to the highly flexible nature of QRadar, a deep understanding of your use-cases, environment and overall security strategy is crucial to formulate an effective update plan. Administrators who are new to QRadar or need assistance with custom log source development, custom property performance, tuning rules or security use cases can contact the IBM Security Expert Labs team to discuss performance issues that are out-of-scope for QRadar technical support. The following activities are considered out-of-scope for technical support cases:
 
  • Creating custom log source types for administrators in the DSM Editor.
  • Regular expression writing and tuning.
  • System tuning when large numbers of offenses are being generated.
  • System tuning where false positives are being generated.
  • Rule tuning for security policies for your organization.
  • Creating, maintaining, or updating rule templates, or rule planning and validation activities.
  • Providing dedicated support (staying online with you) during the normal update process.
  • Running post-update system health checks or performance checks.
     


Document Information

Modified date: 07 January 2022

UID: ibm16538926