IBM Support

QRadar on Cloud: What items are outside the scope of standard IBM Support?

Question & Answer


Question

What items are outside the scope of standard IBM Support for QRadar on Cloud?

Answer

The following is a list of QRadar on Cloud work items that are outside the scope of standard IBM Support. IBM extended support or services options can include many of the items listed. For more information, contact IBM Sales. If you are unsure about a process or need clarification, QRadar on Cloud users can open a support case for more assistance.
 
The following tables describe the work items that are outside of the scope of standard IBM Support.

Table 1. QRadar on Cloud Architecture work items

| Work item | Important Client Information |
| --- | --- |
| Stand-Alone WinCollect | For an overview of WinCollect along with instructions on how to deploy on QRadar on Cloud, see WinCollect overview. |
| Disconnected Log Collectors | Disconnected Log Collectors (DLC) are installed and maintained by the client. After every major QRadar release, check for DLC version releases. Having a version mismatch between your console and DLC can cause performance problems. For more information, see upgrading the DLC. |
| Disconnected Log Collector setup | DLCs are treated as log sources. To connect the DLC quickly to the deployment, see this community post. |
| Data Gateway Network Requirements | For more information about Data Gateway Network requirements, see the Data Gateway (DG) section of the QRadar on Cloud: Support FAQ and common questions. |
| Network bandwidth requirements between the Data Gateway and a QRadar on Cloud Console connection | For more information about Data Gateway Network requirements, see the Data Gateway (DG) section of the QRadar on Cloud: Support FAQ and common questions. |
| Network troubleshooting between QRadar components that are outside of the IBM Cloud | Network bandwidth and latency testing to IBM Cloud must be completed by the customer Network Administrator. Ingress and egress from proxies in the customer environment, the customer's data center, network provider, and cloud provider are common networking failure points. If you encounter issues, see QRadar on Cloud: Troubleshooting Data Gateway appliance connectivity and QRadar on Cloud: Troubleshooting Data Gateways in UNKNOWN state. To help speed up your investigation, provide latency and bandwidth tests from both your Data Gateway and another device that connects to the IBM Firewall, following as similar a route as possible. Before you open an IBM Support case, contact your network team because more diagnostics are required by IBM Support. |

Table 2. Data Gateway (DG) Administration

| Work item | Important Client Information |
| --- | --- |
| Monitoring license pool and data gateway rebalancing | Standard IBM support does not monitor for license pool or dropped events. Clients do not have access to view per-managed-host license information. In the self-serve app, the client can view the total license. To see a holistic view of your license usage, open a support case and request a screen capture of your total license usage on a per-MH basis. For more information, see How to troubleshoot peak Events Per Second, Event and flow burst handling, and Editing a target processor for your data gateway. |
| Vulnerability scanning on Data Gateways | IBM regularly scans internal systems and RPMs before patch release. The hardware outside of the IBM firewall is owned by the customer, and as such, vulnerability scanning follows our normal on-prem procedure, and any customer internal vulnerability scanning or remediation is the customer's responsibility. CVEs are patched regularly. Any questions regarding release dates for CVE patches require a support case. Some monitoring utilities, such as SentinelOne, have negative system performance impacts. This impact is outside the scope of support to determine and test. QRadar data gateways do not require or support traditional anti-virus or malware agents, or support the installation of third-party packages or programs. |
| Data Gateway Health Monitoring | IBM monitors for disk space. Standard IBM Support does not monitor for hardware problems. If the customer is notified of a hardware issue, refer to "Hardware issues with QRadar appliances". QRadar data gateways do not support the installation of third-party packages or programs. |
| SSH Access to Data Gateways | Any user attempting to connect to a Data Gateway added to your QRadar deployment is blocked by default. Use the Self-Serve App to add or remove SSH access to the data gateway. If SSH access does not work as expected, then open a support case. |

Table 3. QRadar on Cloud general administration, monitoring, and maintenance

| Work item | Important Client Information |
| --- | --- |
| Failed Auto-updates | For failed auto-update notifications, open a support ticket and include what time the updates can be reinstalled. Note: this change requires a full deployment and event collection restart. |
| Installing applications | There are a few applications, such as the Self-Serve App, the Assistant app, and the Log source management application, that are installed by default with QRadar on Cloud. For all other application installations, see the Application FAQ. |
| Upgrading applications | For more information about upgrading the applications, see the Application FAQ. |
| User management | It is outside the scope of standard IBM support to create and maintain users in the environment. For more information, see User Management. |
| User Roles | Customers on pre-7.5.0 UP3 versions are required to open a support ticket. For customers on version 7.5 UP3 and later, users with the Security Administrator Role have the ability to create user roles in the Admin section. |
| Disabling and Deleting user accounts | It is outside the scope of standard IBM support to disable user accounts or monitor for users that need to be deleted. If a user needs to be deleted, then the customer must create a support ticket. For more information about user accounts, see User management. |
| Security Profiles | For more information about configuration, see Security profile management. |
| Forwarding Destinations and Routing Rules | As of 7.4.3, clients have the ability to create their own routing rules for data gateways. No routing rules can be created for event processors, flow processors, event and flow combo processors, or the Console. For more information about forwarding destinations, see Adding forwarding destinations. |
| Reference Sets | Reference set general maintenance is outside the scope of standard IBM Support. For best performance, keeping reference sets under 500000 elements is suggested. |
| Migration to and from on-premises environment to QRadar on Cloud | When you migrate from on-premises to QRadar on Cloud, clients are entitled to schedule an engagement with IBM Security Expert Labs to migrate their data and configuration over to QRadar on Cloud. If you move away from QRadar on Cloud to on-premises, it is suggested to work with IBM Security Expert Labs, as IBM Support assists with technical support on processes that do not work as documented. However, it is outside the scope of standard IBM Support to walk a client through all of the steps needed or to do the process for them. |
| Content Management Tool (CMT) | The CMT is used to import and export configuration data from and to QRadar and QRadar on Cloud. For best practices, see QRadar: Best practices when you use the Content Management Tool to export custom data. |
| Rule Performance Tuning | If it is not tuned properly, custom rules can cause performance issues. Standard IBM Support does not monitor for information on performance degradation messages, such as "ECS Queue Monitor has detected a total of X dropped event(s). X event(s) were dropped in the last 60 seconds. EP Queues: X dropped event(s)". If the errors occur frequently in the environment, then open a support case, run findExpensiveCustomRules.sh, and upload the results for you to the case. See QRadar: Troubleshooting Custom Rule performance with findExpensiveCustomRules.sh to determine whether there are rules causing performance issues. |
| Custom Event Properties | If the notification "Performance degradation was detected in the event pipeline. Expensive custom properties were found" is generated, follow these instructions to mitigate the issue. If there are questions about performance, see QRadar: Performance overview and support policies. |
| DSM performance | If there is a question about DSM performance, see QRadar: Log source configuration and performance support policy. |


Document Information

Modified date:
26 January 2023

UID

ibm16825265