IBM QRadar

Hi @Neel Jotani 

Thank you for your support.

In a QRadar Disaster Recovery (DR) setup, can the DR site function normally and remain fully operational before a disaster occurs, even with a DR license? I came across an article mentioning that DR site services might be suppressed in such cases.

https://community.ibm.com/community/user/security/blogs/joel-violette1/2020/09/08/ibm-qradar-data-sync-app

In my scenario, I have a fully operational main site and have purchased a DR license for the DR site. Some services are running separately at the DR site, and I want to configure it as a DR for the main site while still collecting logs from those independent services.

Could you clarify how this setup impacts the DR SOC team in the event of a failover? Would they continue their operations as usual, or would their workflows change? Additionally, in a failover scenario, would the DR SOC team still have access to historical data from the main site, or would they be limited to data replicated before the failure?

Please mention what Data is viewed in the DR for each phase 

Looking forward to your insights.

Hi Karim,

The following link outlines the QRadar DS Synchronization APP

https://www.ibm.com/support/pages/qradar-data-synchronization-app-faq

Section 3 outlines the features.

The data from the main site will be available in the destinaton site while it is in standby.

However you cannot send logs to the destination site while it is in standby.  It is also a rquirement that only one site is active at a time.

Thanks