IBM QRadar

  • 1.  EPS Question

    Posted Tue May 29, 2018 03:10 PM
    Hello! I am glad there is a group out there for topics and discussions. My question is, I have recently been assigned to my company's SIEM, which is QRadar. The question is, we have a 500 EPS license and we go over sometimes. Is there a way to look into the log source that is sending the most EPS for that time and see what events are causing the issue? I have read some articles where a firewall can be sending events that aren't needed. I also have an event collector set up and it's helping out a lot. I have also placed some routing rules in place and they are helping also... but we still go over.

    ------------------------------
    matthew maynard
    ------------------------------


  • 2.  RE: EPS Question

    Posted Wed May 30, 2018 03:25 AM
    Hello

    Try to display top events by security device or by time, then you can see the device that sends many events.
    After this you must check if those events are important or not before you take a decision to send them or not.

    Thanks

    ------------------------------
    ATOUB Hemza
    ------------------------------



  • 3.  RE: EPS Question

    Posted Wed May 30, 2018 12:16 PM
    If this were my system, I would try to figure out where your spikes are and what log sources are sending those spikes. This is the Advanced/AQL query we typically use to look for EPS rates over a specific interval by individual log sources.

    SELECT LOGSOURCENAME(logsourceid) AS "Log Source", LONG(SUM(eventcount)) AS "Number of Events in Interval", LONG(SUM(eventcount) / 86400) AS "EPS in Interval" FROM events GROUP BY "Log Source" ORDER BY "EPS in Interval" DESC LAST 1 DAYS

    If you want to edit this query to expand or change the time frame, make sure you update the number of days (`1`) and the number of seconds in those days (`86400`) to reflect whatever period you're looking for.

    For example, here is a 7 day query:
    SELECT LOGSOURCENAME(logsourceid) AS "Log Source", LONG(SUM(eventcount)) AS "Number of Events in Interval", LONG(SUM(eventcount) / 604800) AS "EPS in Interval" FROM events GROUP BY "Log Source" ORDER BY "EPS in Interval" DESC LAST 7 DAYS

    If you want to identify the last time you exceeded your license, you can put this value into a quick filter search: 38750008, as this is the QRadar Identifier (QID) that is tied to the 'The appliance exceeded the EPS or FPM allocation within the last hour.' system notification.


    Take a look at what I've posted here and let me know if you have follow-up questions.



    ------------------------------
    Jonathan Pechta
    QRadar Support Content Lead
    Moderator at https://ibm.biz/qradarforums.
    ------------------------------
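As an added illustration of the approach in the reply above (not code from the post or from IBM), the script below builds the per-log-source AQL query for any window so the divisor and the `LAST n DAYS` clause stay in step, and then runs the same aggregation offline over constructed sample records, adding a per-hour peak so spikes show up next to the daily average. The log source names, event counts and the 500 EPS license value are assumptions for the sample.

```python
from collections import defaultdict

SECONDS_PER_DAY = 86400


def build_eps_query(days: int) -> str:
    """Return the AQL query from the post for a window of `days` days.
    Both the divisor and the LAST clause derive from `days`, which avoids
    the mismatch the post warns about when editing the query by hand."""
    interval = days * SECONDS_PER_DAY
    return (
        'SELECT LOGSOURCENAME(logsourceid) AS "Log Source", '
        'LONG(SUM(eventcount)) AS "Number of Events in Interval", '
        f'LONG(SUM(eventcount) / {interval}) AS "EPS in Interval" '
        'FROM events GROUP BY "Log Source" '
        f'ORDER BY "EPS in Interval" DESC LAST {days} DAYS'
    )


def eps_by_log_source(events, interval_seconds, bucket_seconds=3600):
    """Aggregate (epoch_seconds, log_source, eventcount) records the way the
    AQL does (sum per source / interval) and also report the busiest
    bucket per source, so a short burst is visible beside the average.
    Rows come back sorted by average EPS, highest first."""
    totals = defaultdict(int)
    buckets = defaultdict(lambda: defaultdict(int))
    for ts, source, count in events:
        totals[source] += count
        buckets[source][ts // bucket_seconds] += count
    rows = []
    for source, total in totals.items():
        peak = max(buckets[source].values()) / bucket_seconds
        rows.append({"log_source": source, "events": total,
                     "avg_eps": total / interval_seconds, "peak_eps": peak})
    rows.sort(key=lambda r: r["avg_eps"], reverse=True)
    return rows


def over_license(rows, licensed_eps):
    """Sum the average EPS of all sources and compare with the license."""
    total = sum(r["avg_eps"] for r in rows)
    return total, total > licensed_eps


# Constructed sample: one day of records (hypothetical log sources/counts).
SAMPLE_EVENTS = [
    (0, "Firewall-Edge", 12_960_000),      # hour 0
    (3600, "Firewall-Edge", 25_920_000),   # hour 1: 7200 EPS burst
    (7200, "Firewall-Edge", 4_320_000),    # hour 2
    (0, "WindowsDC", 864_000),
    (43200, "WindowsDC", 864_000),
    (0, "Proxy", 1_728_000),
]
```

Against this sample the firewall alone averages 500 EPS with a 7200 EPS hour, and the three sources together come to 540 EPS, over the 500 EPS license.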