QRadar XDR

  • 1.  Log Source Event Coalescing

    Posted Wed October 13, 2021 02:45 PM
    Hi Folks,

    In the place where I work, there have been some discussions regarding QRadar Event coalescing on log sources so as to optimize memory consumption for event storage.

    I'm now researching the best practices & the pros and cons of doing or not such on different log source types and was wondering what you folks have to say.

    Thanks in advance!

    ------------------------------
    Nathan Pavlovsky
    ------------------------------


  • 2.  RE: Log Source Event Coalescing

    Posted Thu October 14, 2021 08:00 AM
    Coalescing on critical assets like firewalls, web servers, WAF devices is dangerous. On stuff like workstations, it depends on security risks and compliance.


  • 3.  RE: Log Source Event Coalescing

    Posted Thu October 14, 2021 02:22 PM
    Edited by Nathan Pavlovsky Thu October 14, 2021 02:23 PM
    Removed due to it being a duplicate of my other response below


  • 4.  RE: Log Source Event Coalescing

    Posted Thu October 14, 2021 09:52 AM
    Hi Nathan,
    In addition to what Frank correctly said, I would start with coalescing turned off when onboarding a new log source. This is especially true for Windows-based log sources, as they contain many custom properties which are not checked against the coalescing criteria. When you do incident forensics that's not what you want, as you are missing valuable info. The same is true for many other log sources such as NG firewalls, cloud-based log sources etc.
    If you really want to turn it on, check a 24h interval of logged events first.
    BTW the additional storage consumption is relatively low, as data gets compressed anyway as soon as it comes in. Unfortunately coalescing is still turned on by default afaik.
    BR
    Karl

    ------------------------------
    [Karl] [Jaeger] [Business Partner]
    [QRadar Specialist]
    [pro4bizz]
    [Karlsruhe] [Germany]
    [4972190981722]
    ------------------------------
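    To make the "check a 24h interval first" advice concrete, here is an added Python illustration (not QRadar's code and not part of this thread) that replays an event export through a simplified model of coalescing and reports which custom-property values would no longer exist as individual events. It assumes the coalescing key fields and the 4-events-in-10-seconds threshold as described in IBM's documentation; the sample events, QID placeholder and `logon_type` property are constructed for the example.

```python
from collections import defaultdict

# Assumed coalescing model (after IBM's documentation, not QRadar's own code):
# events sharing KEY_FIELDS are grouped; once KEY_THRESHOLD matches arrive within
# WINDOW_SECONDS, further matches are only counted, not stored individually.
KEY_FIELDS = ("source_ip", "dest_ip", "dest_port", "username", "qid")
KEY_THRESHOLD = 4
WINDOW_SECONDS = 10

def simulate_coalescing(events, custom_fields):
    """Replay events (dicts with a numeric 'time' in seconds).

    Returns (stored_events, coalesced_count, lost_values); lost_values maps each
    custom field to the values that would survive only inside a coalesced count,
    i.e. values you could no longer search for during forensics.
    """
    stored, coalesced, lost = [], 0, defaultdict(set)
    windows = {}  # key -> [window_start, count, representative_event]
    for ev in sorted(events, key=lambda e: e["time"]):
        key = tuple(ev.get(f) for f in KEY_FIELDS)
        win = windows.get(key)
        if win is None or ev["time"] - win[0] > WINDOW_SECONDS:
            windows[key] = [ev["time"], 1, ev]   # first event opens a new window
            stored.append(ev)
            continue
        win[1] += 1
        if win[1] <= KEY_THRESHOLD:               # still below the threshold
            stored.append(ev)
            continue
        coalesced += 1                            # folded into the representative
        for field in custom_fields:
            if ev.get(field) != win[2].get(field):
                lost[field].add(ev.get(field))
    return stored, coalesced, dict(lost)

# Constructed sample: nine logon events for one user on one host (QID is a
# placeholder). Events at t=4..7 are remote-interactive logons (logon type 10)
# that differ from the first four only in a custom property.
SAMPLE_EVENTS = [
    {"time": t, "source_ip": "10.0.0.5", "dest_ip": "10.0.0.20", "dest_port": 445,
     "username": "alice", "qid": "QID_PLACEHOLDER",
     "logon_type": 10 if 4 <= t <= 7 else 2}
    for t in (0, 1, 2, 3, 4, 5, 6, 7, 15)
]

def summarize(events=SAMPLE_EVENTS, custom_fields=("logon_type",)):
    stored, coalesced, lost = simulate_coalescing(events, custom_fields)
    return {"stored": len(stored), "coalesced": coalesced,
            "lost": {f: sorted(v) for f, v in lost.items()}}

if __name__ == "__main__":
    print(summarize())
```

    Run against a real 24h export (one dict per event, including the custom properties you rely on), a non-empty `lost` result is the signal that coalescing would hide forensic detail for that log source.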



  • 5.  RE: Log Source Event Coalescing

    Posted Thu October 14, 2021 02:21 PM
    Edited by Nathan Pavlovsky Thu October 14, 2021 02:23 PM
    Many thanks for the effort writing this and for the tips. Definitely useful and will keep in mind. Wishing you both a great day!

    ------------------------------
    Nathan Pavlovsky
    ------------------------------