IBM QRadar

IBM QRadar

Join this online user group to communicate across Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

 View Only

  • 1.  Choosing Appliance model for deployment

    Posted Tue July 28, 2020 01:17 PM

    Hi All,

    This is my first post on here, I am looking for information about choosing the appliance for my deployment.

    Currently we are already using QRadar in our SOC and I am working on adding 2x appliances in Active/Passive for ingesting new feeds from a new acquisition.

    This new company I have to integrate is already using their own SIEM (Graylog) with values as follow:

    • Average EPS is around 300/400EPS
    • Peaks are at just over 1000EPS for few seconds (with some events tweaking I believe we can lower and better contain that)
    • Current network bandwidth is 1MB/Sec (this is not fully utilise, it is what is available however)
    • SOC is in India, with a DataCentre also in the Netherlands with an Event Collector and an Event Processor there
    • My Customer is based in Romania

    Are there any other things I shall consider for the deployment?

    Having researched on the IBM QRadar pages I am not sure what is the best appliance model to choose, any help is appreciated.

    I am fully versed with Arcsight SIEM and I am new to QRadar, though I have attended some training.

    Regards,

    Salvatore



    #QRadar
    #Support
    #SupportMigration


  • 2.  RE: Choosing Appliance model for deployment

    Posted Wed July 29, 2020 01:26 PM

    I would suggest you for an Event Collector (EC) in HA sitting at the new company. That will take care of your requirements since your EPS from the new company is pretty low. This new EC in HA will report to your existing Event Processor.

    If however due to your compliance requirements, the data needs to reside locally in the new company then you can instead get an Event Processor (EP) in HA sitting at this new company and reporting to your existing Console. However the EC HA option mentioned previously would ofcourse be cheaper.

    I would also suggest you to check with your Technical Sales rep from IBM who can help you out more with your hardware sizing keeping in mind your future growth from an EPS perspective.



    #QRadar
    #Support
    #SupportMigration


  • 3.  RE: Choosing Appliance model for deployment

    Posted Wed July 29, 2020 02:09 PM

    Hi  bochakra0,

    Thanks for your reply, yes I have looked at the issue regarding moving and storing data across different countries and have sorted it.

    What I am not sure of is what appliance model will best suit my needs. Looking on the IBM website is not that clear to me and am also looking to find out who is my technical Sales rep.



    #QRadar
    #Support
    #SupportMigration


  • 4.  RE: Choosing Appliance model for deployment

    Posted Wed July 29, 2020 02:14 PM

    A 1501 EC in HA (https://www.ibm.com/support/knowledgecenter/SS42VS_7.4.0/com.ibm.qradar.doc/c_hwg_eventcllctr1501.html) should suffice if you are looking at the EC option.

    Your contact from IBM Sales or your IBM Accounts Manager can help you in getting touch with our TechSales team to help you out with your sizing.



    #QRadar
    #Support
    #SupportMigration


Related Content