IBM QRadar

  • 1.  Clarification on Filtering Different Events

    Posted Tue February 06, 2018 05:01 PM

    Hello.

    I need a clarification, since I found different information around: I need to filter some incoming events, in order to avoid increasing the EPS count. I found the possibility to use "Routing rules", but it is not clear if this is going to impact the EPS count of the platform.

    Do you know the platform behavior on that? If the EPS are increased, which could be a way to apply such a filter on incoming syslog messages?



  • 2.  RE: Clarification on Filtering Different Events

    Posted Tue February 06, 2018 05:03 PM

    I wasn't sure, so I just checked. In around 7.2.8 and 7.3.0, we added a concept of "license givebacks". In those releases, you could use a routing rule to mark events as "dropped". When you did that, you were given up to 60% of those events back in EPS, up to 2000 EPS. So you could drop events, and get some of the EPS back. In 7.3.1, this concept has expanded. There is a new routing rule option, called "log only". Any events that match a set of criteria you give (IP, log source, event name, user, etc.), that you mark as "log only", will:


    1. be given back in EPS, at a 100% rate, up to the maximum total EPS of the appliance. You cannot ingest a higher EPS rate than the appliance itself will allow.
    2. completely bypass all rule correlations, and go directly to storage. They are still parsed, searchable with normalized properties, and can be used in reports.
    3. not match rules if used in historical correlation. They are only logged to disk.
    4. follow retention bucket settings. These events could be routed to a specific bucket, and kept for a different time period if desired.

    The logic of "Drop Event" in routing rules still exists as well, but similarly to 1) above, the full EPS dropped is given back, but again, without going over the appliance maximum.

    If I get more details on this, I'll update this post. Full details should also be available in the 7.3.1 release notes, at:

    https://www.ibm.com/support/knowledgecenter/SS42VS_7.3.1/com.ibm.qradar.doc/c_qradar_ov_whats_new_731.html



  • 3.  RE: Clarification on Filtering Different Events

    Posted Mon January 21, 2019 08:33 PM

    Exactly, you have the licence givebacks on 7.2.8 and 7.3.0 to a maximum 2K EPS giveback. On 7.3.1, no licenses are used on filtered events, so no givebacks needed. Basically, the counter is placed after the routing rule engine in the pipeline. You can drop events or send them directly to storage. This means that it's not processed in the rules.

    This feature is really good when the quality of the logs can't be modified at the source. It's a must KNOW for a QRadar admin.

    ------------------------------
    Anthony Gayadeen
    ------------------------------
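The licence accounting that posts 2 and 3 above describe, modelled as an added Python example (not QRadar code or any IBM API): the routing-rule shape, the syslog regex, the rule names and the one-second sample traffic are assumptions, while the 60% / 2000 EPS giveback before 7.3.1 and the "counter after the routing engine" behaviour from 7.3.1 on follow the thread.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Minimal syslog shape for the constructed sample below (not QRadar's own parser).
SYSLOG_RE = re.compile(r"^<\d+>\S+ (?P<host>\S+) (?P<app>[\w-]+)(?:\[\d+\])?: (?P<msg>.*)$")

@dataclass
class RoutingRule:                   # assumed shape; the first matching rule decides the action
    name: str
    action: str                      # "drop" | "log_only" | "forward"
    host: Optional[str] = None
    app: Optional[str] = None
    msg_contains: Optional[str] = None

    def matches(self, ev: dict) -> bool:
        return ((self.host is None or ev["host"] == self.host)
                and (self.app is None or ev["app"] == self.app)
                and (self.msg_contains is None or self.msg_contains in ev["msg"]))

def route(lines: list[str], rules: list[RoutingRule]) -> Counter:
    """Count one second of events per action; unmatched or unparsed events are forwarded."""
    counts: Counter = Counter()
    for line in lines:
        m = SYSLOG_RE.match(line)
        ev = m.groupdict() if m else {"host": "", "app": "", "msg": line}
        counts[next((r.action for r in rules if r.matches(ev)), "forward")] += 1
    return counts

def licensed_eps(counts: Counter, version: str, appliance_max: int) -> int:
    """EPS charged to the licence: 60% giveback capped at 2000 before 7.3.1, counter after routing from 7.3.1."""
    total = counts["drop"] + counts["log_only"] + counts["forward"]
    if total > appliance_max:
        raise ValueError(f"{total} EPS exceeds the appliance maximum of {appliance_max}")
    if version in ("7.2.8", "7.3.0"):
        # No "log only" action yet, so those events are charged like forwarded ones (assumption).
        return total - min(int(0.6 * counts["drop"]), 2000)
    return counts["forward"]         # drop and log_only never reach the counter

def sample_second() -> list[str]:
    """Constructed traffic for one second: firewall denies, health checks, SSH logins."""
    return (["<134>2018-02-06T17:01:00Z fw01 pf: block in on em0 TCP 10.0.0.5:51000 -> 192.0.2.10:445"] * 3000
            + ["<134>2018-02-06T17:01:00Z web01 nginx: GET /healthz 200"] * 1500
            + ["<86>2018-02-06T17:01:00Z dc01 sshd[412]: Accepted publickey for admin from 10.0.0.7"] * 2000)

RULES = [
    RoutingRule("noisy-fw-denies", "drop", host="fw01", msg_contains="block in"),
    RoutingRule("health-checks", "log_only", app="nginx", msg_contains="/healthz"),
]
```

Running `licensed_eps(route(sample_second(), RULES), v, 10000)` for v = "7.3.0" and "7.3.1" shows the same 6500 EPS of traffic costing 4700 licensed EPS on 7.3.0 but only 2000 on 7.3.1.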