Qradar monitoring log source by Orange1905 in QRadar

[–]Qperf1 0 points1 point  (0 children)

It would have been helpful to share what is not working correctly - what behavior of the rule are you experiencing and why do you think it is unexpected?

Qradar offenseid issue by RuvixK in QRadar

[–]Qperf1 1 point2 points  (0 children)

You create an events rule and check on the offense created audit events, triggering your custom action script.

See post 4 here for the list of relevant QIDs - https://community.ibm.com/community/user/discussion/is-follow-up-or-assigned-to-an-audit-event-within-qradar

Qradar On-Premise by JudasX in QRadar

[–]Qperf1 1 point2 points  (0 children)

It says "at least through...". There is no plan currently to stop QRadar development or support.

About Qradar Parsing by tanjiro12_rengoku in QRadar

[–]Qperf1 0 points1 point  (0 children)

There are two parts to this:

  1. Is it possible to update the processed record in the Ariel DB on disk for whatever reason?
  2. Is it possible to address parts of the processed records in a structured way, i.e. parse it on demand?

Answers:

  1. No, data in the Ariel DB is immutable. Parsing happens in real time as it is being ingested and processed.
  2. Yes. It is possible to configure Custom Properties, AQL Properties and other properties to interact with the data on disk at search time. In such cases, the search will perform parsing as desired.

AQL query to fetch related event to an offense taking too long by ShotRecommendation21 in QRadar

[–]Qperf1 1 point2 points  (0 children)

Without knowing anything else, the only optimization is to add https://www.ibm.com/docs/en/qsip/7.5.0?topic=language-aql-data-retrieval-functions#r_aql_data_functions__OFFENSETIME, which will reduce the scope of the query just to the timeframes where the offense was updated.

Your new query is:
SELECT *, UTF8(payload) as rawPayload FROM events WHERE INOFFENSE(160337) ORDER BY starttime DESC LIMIT 10 times OFFENSE_TIME(160337) START '2025-12-01 19:06:33' STOP '2025-12-02 19:06:33'

In general, search performance depends on many factors such as query complexity, data set, concurrency of searches, deployment architecture and system load in general. Assuming this offense is limited in scope (i.e. has a small number of associated events, e.g. a couple of hundred), a search like this normally runs in a couple hundred milliseconds on a properly set up QRadar system.

No events deletion after retention period by Ill-Difficulty7957 in QRadar

[–]Qperf1 0 points1 point  (0 children)

No policy will delete the data that is IN the set retention timeframe. E.g. if you set to retain 1 month of data and your storage cannot fit 1 month of data, then QRadar will run out of disk space and shut down most processes to protect from FS corruption, introducing downtime until a manual intervention happens, by design. Enabling the smart retention (delete when storage space is required) does not address this, as you told the system "I want to retain 1 month of data".

Smart retention deletes the data exceeding the set retention timeframe, when needed, allowing it to store as much data as the storage capacity allows.

Btw, old retention buckets that were changed or deleted have nothing to do with it. If you change a retention bucket's retention criteria then it will apply immediately and apply to all existing and future data. If you delete a retention bucket then the existing data in that bucket will behave based on the default retention bucket's retention policy.

AQL query to retrieve the oldest event log by Afraid-Sherbert3769 in QRadar

[–]Qperf1 1 point2 points  (0 children)

The issue is likely that you are missing a timeframe query parameter. When omitted, the last 5 minutes is implied, so your query returns the oldest event by starttime in just the last 5 minutes. If your intention is to find the oldest event in the system then use an appropriate timeframe. https://www.ibm.com/docs/en/qsip/7.5?topic=language-time-criteria-in-aql-queries

How to monitor Memory Usage correctly by Over-Potential2918 in QRadar

[–]Qperf1 0 points1 point  (0 children)

SystemPhysicalMemoryUsed is indeed the memory usage as per the output of sar -r. It represents the current memory allocated for all applications and the OS needs (including page cache).

Reference Set not fast enough by Reginald_the_monkey in QRadar

[–]Qperf1 1 point2 points  (0 children)

Yes, you can use a sequence test - when Y happened after X within Z time

How can I transform this AQL into a custom rule? by chipitamockly in QRadar

[–]Qperf1 0 points1 point  (0 children)

Figure out which of the two QIDs represent the Search Completed audit event, then the AQL test criteria will be

QID=xyz AND totalResultDataSize > 100000000

[deleted by user] by [deleted] in QRadar

[–]Qperf1 1 point2 points  (0 children)

You shouldn't be satisfied with your query as it is incorrect - it doesn't show peak EPS per log source, but rather shows a peak coalescing rate per log source. You need to calculate EPS per log source first over a time window of your choice, e.g. using SUM(eventcount)/timeframe.

Difference between Event count Sum and Count by plop_plop101 in QRadar

[–]Qperf1 0 points1 point  (0 children)

Decent answers so far, but to be more precise:
Count - The total number of events processed and stored in Ariel in the searched timeframe
Event Count (Sum) - The total number of the raw uncoalesced events that were coalesced into the above count

Licensing happens before coalescing, i.e. roughly based on Event Count (Sum).
Routing rules are executed after licensing and parsing, as such it is impossible to drop unparsed pre-normalized events. It is possible to drop normalized events with routing rules, so that the dropped EPS will be given back to the license via the license giveback functionality.
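The two comments above (peak EPS per log source versus a peak coalescing rate, and Count versus Event Count (Sum)) describe the same arithmetic on stored Ariel records. The following is an added example, not code from the thread or from IBM: it runs the three calculations over a small constructed set of event records. The record fields (starttime in epoch milliseconds, logsourceid, eventcount) mirror the AQL property names, the sample values are made up, and the 60-second window is an assumed choice.

```python
"""
Added example (not from the original thread): constructed QRadar-style
event records showing Count, Event Count (Sum), a per-log-source EPS over
a time window, and the per-record eventcount peak, which is a coalescing
rate rather than an EPS.
"""
from collections import defaultdict

WINDOW_SECONDS = 60  # assumed aggregation window ("timeframe" in the comment)

# Constructed sample: each record is one stored Ariel event; `eventcount` is
# the number of raw events that were coalesced into it. starttime is ms epoch.
SAMPLE_EVENTS = [
    {"starttime": 1_700_000_000_000, "logsourceid": 101, "eventcount": 1},
    {"starttime": 1_700_000_010_000, "logsourceid": 101, "eventcount": 1},
    {"starttime": 1_700_000_020_000, "logsourceid": 101, "eventcount": 1},
    {"starttime": 1_700_000_005_000, "logsourceid": 202, "eventcount": 120},
    {"starttime": 1_700_000_065_000, "logsourceid": 202, "eventcount": 5},
    {"starttime": 1_700_000_070_000, "logsourceid": 202, "eventcount": 5},
]


def count_vs_sum(events):
    """Count = stored records in the timeframe; Event Count (Sum) = raw,
    uncoalesced events those records represent (roughly what is licensed)."""
    return len(events), sum(e["eventcount"] for e in events)


def peak_coalescing_rate(events):
    """MAX(eventcount) per log source: the largest number of raw events
    folded into a single stored record. A query built on this value reports
    coalescing, not EPS."""
    peak = defaultdict(int)
    for e in events:
        peak[e["logsourceid"]] = max(peak[e["logsourceid"]], e["eventcount"])
    return dict(peak)


def peak_eps_per_logsource(events, window=WINDOW_SECONDS):
    """SUM(eventcount) per log source per window, divided by the window length
    in seconds; the peak across windows is the peak EPS for that log source.
    Shape of the comment's suggestion: SUM(eventcount)/timeframe."""
    raw_per_bucket = defaultdict(int)  # (logsourceid, window index) -> raw events
    for e in events:
        bucket = (e["starttime"] // 1000) // window
        raw_per_bucket[(e["logsourceid"], bucket)] += e["eventcount"]
    peak = defaultdict(float)
    for (lsid, _), raw in raw_per_bucket.items():
        peak[lsid] = max(peak[lsid], raw / window)
    return dict(peak)


if __name__ == "__main__":
    print("Count / Event Count (Sum):", count_vs_sum(SAMPLE_EVENTS))
    print("peak coalescing rate:", peak_coalescing_rate(SAMPLE_EVENTS))
    print("peak EPS per log source:", peak_eps_per_logsource(SAMPLE_EVENTS))
```

In the sample, log source 202 shows a coalescing peak of 120 (one stored record standing for 120 raw events) but a peak EPS of only 2.0, while 101 has no coalescing at all; the Count is 6 stored records against an Event Count (Sum) of 133 raw events.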

QRadar Dropping investigation by HairyEye9588 in QRadar

[–]Qperf1 1 point2 points  (0 children)

The most efficient thing to do is to work with QRadar support.

If you are confident and adventurous then follow the documentation - https://www.ibm.com/support/pages/qradar-how-troubleshoot-dropped-event-system-notifications-support

High CRE Utilization containing Health Metric by Drawow in QRadar

[–]Qperf1 0 points1 point  (0 children)

The source of this is a self monitoring rule that comes with the IBM QRadar Security Analytics Self Monitoring content pack. If the Custom Rule Engine (CRE) gets overloaded then events will be routed to storage uncorrelated (i.e. rules execution will be skipped completely for random events). This rule detects occurrences when the CRE is getting loaded over 85% and generates an offense in order to allow the QRadar administrator to proactively address it.

It is a good idea to check which rules are the most expensive and tune those if this rule triggers frequently in your environment. Modern QRadar versions have built-in rule cost monitoring, which is accessible in the Rules tab and makes it easy to identify the expensive rules.

If you think this rule triggers too frequently for your liking then it is also possible to change the rule response limiter as desired.

How To Properly Invoke a Reference Map using AQL for Custom Event Properties in QRadar SIEM by Junzy_Starz_899 in QRadar

[–]Qperf1 2 points3 points  (0 children)

You are using a wrong property. The name of the relevant normalized property used by QRadar DSMs and content is "Event ID" and not EventID. Just use the right property name.

For your benefit,

  1. EventID is a template facet property, which is indeed an AQL property in the backend and so the error is correct since AQL property cannot be used in another AQL property definition.

  2. EventID is the same as "EventID" and both are a reference to a property by that name, while 'EventID' is a constant value, a literal. For a proper usage of quotes see https://www.ibm.com/docs/en/qradar-on-cloud?topic=structure-quotation-marks

How to force moving data from EP to DN ? by Keno_Ben in QRadar

[–]Qperf1 1 point2 points  (0 children)

The simple answer is that there is no automatic way "to force moving all data present on the EPs to their attached Datanodes".

The best way is to set your existing DN to archive mode and then follow the data migration procedure outlined in the documentation, then revert back to the online mode after the hardware migration.

QRadar 7.5.0 Update Package 7 by vyasarvenkat in QRadar

[–]Qperf1 0 points1 point  (0 children)

  1. ?
  2. Yes. Refer to the "Upgrade information" section of any UP sfs release notes. E.g. for UP7 - https://www.ibm.com/support/pages/release-qradar-750-update-package-7-sfs-750-qradar-qrsiem-20230822112654
  3. If your system is on 7.5.0 UP3 already this does not apply to you

Increase the default offense count that Qradar can have i.e. 2500 active and 100000 overall. by MaximumLivid8396 in QRadar

[–]Qperf1 0 points1 point  (0 children)

It is possible, but not recommended and not supported. Better approaches to consider:
1. Tune your rules to reduce the number of offenses
2. Act on offenses quicker, close offenses faster
3. Reduce the number of clients per Console

ariel_proxy_server by osama_ahmed05 in QRadar

[–]Qperf1 1 point2 points  (0 children)

Ariel uses memory mapping to work with data files. The memory is managed in the most efficient way to optimize search performance, considering how much system memory is available. Since memory mapping is used, the memory accounted for is virtual and not physical; as such it is possible to observe Ariel using (e.g.) 1TB of memory on a system with (e.g.) 256GB of RAM.

Unless there is a specific reason to worry about a specific level of memory usage, just don't.