IBM Support

QRadar: Rules and rule performance support policies

Question & Answer


Question

This article informs administrators about QRadar® Support policies. QRadar Support assists administrators in investigating and correcting software defects related to performance. This document outlines the work that is out of scope for support cases where user-generated content might impact performance.

Answer


Rule performance

IBM creates and offers a broad variety of Custom Rules and Building Blocks that give better visibility of incidents across the deployment. QRadar technical support provides administrators with assistance for expensive rules that route events to storage, performance issues that buffer events to disk, and general rule or offense issues.

Support type: Rule investigations
Responsibility: QRadar Support

QRadar technical support can assist administrators to identify and narrow down potential custom event property issues.

Administrators can use QRadar technical support to:
  1. Review logs and system notifications related to rules.
  2. Identify known issues and software defects related to rules and individual rule tests.
  3. Investigate and confirm issues related to IBM generated rules and building blocks.
  4. Identify performance issues related to slow (expensive) rules.
  5. Investigate and confirm rule responses that do not trigger as expected.
  6. Identify rules that are firing too often by using log activity and offense searches.
  7. Identify how many enabled rules the customer has and whether they are IBM or user-generated.
  8. Assist QRadar administrators to disable user-generated rules that cause performance or offense model issues.
  9. Assist the administrator to remove rules associated with IBM developed content packs.

    Note: QRadar technical support reserves the right to direct users to IBM Security Expert Labs when more than five user-generated rules are identified as causing performance issues on the appliance. Technical support can recommend that expensive rules be disabled to lessen the impact on appliance performance.

To open a case or report a rule error, contact QRadar technical support.

Support type: Rule tuning and use cases
Responsibility: Administrator

Administrators are responsible for user-modified rules, updates, and security policies. Administrators who need help modifying rules to reduce false positives, or tuning rules, can contact IBM Security Expert Labs for assistance with security policies and use case coverage.

The following activities are considered out of scope for technical support:
  • Writing or modifying custom rules for particular use cases or security policies.
  • Assisting administrators to tune user-generated rules or building blocks.
  • Rule health checks and maintenance schedules based on organizational need.
  • Tuning rules added by Business Partner applications.
  • Audit assistance for rules or building blocks.
Technical help for QRadar® performance issues is included for users with valid support contracts who need help diagnosing performance problems in QRadar. The QRadar technical support team investigates all performance issues. If the cause of your performance issue is determined to be a non-performant system configuration, such as poorly performing regular expressions in the DSM Editor, rules or building blocks that need tuning, or offense performance, support can assist with identifying the cause.

QRadar performance assistance in support cases

Related policies describe log source, custom property, and rule performance support assistance in more detail. QRadar technical support teams can assist administrators with errors, questions, and performance issues, such as:

  • Interpreting system notifications and documentation.
  • Troubleshooting for administrators on supported versions.
  • Analysis of logs and errors to determine where performance issues occur. This includes:
    • Validation of parsing performance and log source configurations.
    • Identifying why events do not parse as expected.
    • Identifying custom properties with performance issues.
    • Identifying issues related to search performance.
    • Identifying why rules do not trigger as expected for administrators.
  • Issue confirmation for problems after administrators tune or update event sources.

Out-of-scope performance issues

Due to the highly flexible nature of QRadar, a deep understanding of your use cases, environment, and overall security strategy is crucial to formulate an effective update plan. Administrators who are new to QRadar or need assistance with custom log source development, custom property performance, tuning rules, or security use cases can contact the IBM Security Expert Labs team to discuss performance issues that are out of scope for QRadar technical support. The following activities are considered out of scope for technical support cases:

  • Creating custom log source types for administrators in the DSM Editor.
  • Regular expression writing and tuning.
  • System tuning when large numbers of offenses are being generated.
  • System tuning where false positives are being generated.
  • Rule tuning for security policies for your organization.
  • Creating, maintaining, or updating rule templates, or rule planning and validation activities.
  • Providing dedicated support (staying online with you) during the normal update process.
  • Running post-update system health checks or performance checks.

Document Information

Modified date:
07 January 2022

UID

ibm16538928