QRadar XDR

  • 1.  Need help on deciding an EPS

    Posted Mon September 06, 2021 08:25 AM
    Hi All,

    I have been assigned a task where I need to present an EPS count which we need for future.
    Currently our EPS limit is 1000 EPS (events per second), and approximate usage is 800 to 900 EPS (sometimes we reach or cross the limit of 1000).

    Now we are in the process of increasing our EPS and I need to give the count (how much to increase). I have been given the percentage of logs to be shipped to QRadar in future; also, we would be integrating our AV with QRadar.

    Resource type             Configured  Total  Current %  New (additional requirement / wish list)  Target %  Comments
    Azure AD                           2     18        11%                                         6       44%  Added Service Principal & Managed Identities
    KeyVaults                          2      8        25%                                         2       50%  Added Prod1 coverage
    Network Security Groups           27     68        40%                                        24       75%  Added Prod1 coverage
    LoadBalancers                     12     59        20%                                        13       42%  Added Prod1 coverage
    Application gateway                3      8        38%                                         3       75%  Added Prod1 coverage
    Public IP                         27     68        40%                                        24       75%  Added Prod1 coverage
    Event Hub Namespaces               7     16        44%                                         7       88%  Added Prod1 coverage
    AKS                                0     32         0%                                        28       88%  This was disabled previously
    Recovery Services Vault            0    378         0%                                         0        0%  More investigation required

    Need guidance here: how to calculate the future EPS requirement?

    Regards
    Asif Siddiqui

    ------------------------------
    Asif Siddiqui Senior Security Analyst
    ------------------------------


  • 2.  RE: Need help on deciding an EPS

    Posted Tue September 07, 2021 04:00 AM
    Hi Asif,

    This also depends on the requirements and on how the rules are written. In case there are many rules that depend on events that need to be processed within a short time frame, you should calculate an EPS including all peaks and around 20% extra for spikes, which happen for example when something extraordinary occurs (an aggressive attack, for example). If you use a lot of rules with refsets, or events that get pulled and are not real time, you could use the buffer or even soften the spikes by using event throttling. In Dashboard - System Monitoring - Top Log Sources you can get an idea of how much EPS you have at the moment.

    Regards

    Martin

    ------------------------------
    Martin Schmitt
    ------------------------------



  • 3.  RE: Need help on deciding an EPS

    Posted Tue September 14, 2021 12:04 PM

    Hi Asif

    In addition to what Martin correctly said: you should calculate your increase based on event IDs, or better said, QIDs. A test is better than estimates based on other numbers.

    There are great statistics available in QRadar, but I prefer to make my own, based on a search by log source and QID over a 24h summary, divided by 24*3600. If you get more than 20 different QIDs, use low-level categories instead. Make sure the log source your statistics are based on is typical for your event logging. If needed, come up with low, medium and high data-rate types over 24h for your AV log source type.
    If your increase is 100%, as in your namespace example, you need to count at least that plus event peaks, as discussed before. As the license limit comes first when collecting events, rule processing is less of a concern. However, you do not want to lose events in any case. Event filtering can help, but make sure not to produce false negatives when events are filtered out at log source level. BTW, coalescing will save some processing time but not EPS license.

    Regards 



    ------------------------------
    Karl Jaeger, Business Partner
    QRadar Specialist
    pro4bizz
    Karlsruhe, Germany
    4972190981722
    ------------------------------
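The two replies above describe one sizing procedure between them: Karl's step (a 24h summary search per log source or QID, the count divided by 24*3600, scaled by the planned growth in coverage) and Martin's step (sum the peaks, then add roughly 20% for spikes such as an aggressive attack). The script below is an added example, not code from any poster in this thread, that carries that procedure through on three rows of the wish list. The 24h event counts, peak EPS values, the 5 EPS per AKS resource and the 1.5 peak-to-average ratio are constructed assumptions; the AKS row is included because it has nothing configured today, so there is no observed rate to scale and the sizing has to rest on an explicit per-resource assumption instead.

```python
"""Project a future QRadar EPS requirement from 24h event counts and planned coverage growth.

Added example, not code from the thread. Assumes you have already run, per log source
class, a 24h summary search (count by log source / QID) and read the peak EPS from
Dashboard -> System Monitoring -> Top Log Sources. All measurements below are constructed.
"""
from dataclasses import dataclass
from math import ceil
from typing import Optional

SECONDS_PER_DAY = 24 * 3600


@dataclass
class LogSourceClass:
    name: str
    configured: int                 # resources sending logs today
    total: int                      # resources in the estate
    additional: int                 # resources planned to be added
    events_24h: int = 0             # events in the 24h summary search for the configured resources
    peak_eps: float = 0.0           # highest per-interval EPS seen for this class in the same 24h
    per_resource_eps: Optional[float] = None  # assumed average EPS per resource; used only when configured == 0


def avg_eps(events_24h: int) -> float:
    """Karl's method: events counted over 24h divided by 24*3600."""
    return events_24h / SECONDS_PER_DAY


def coverage_pct(configured: int, additional: int, total: int) -> int:
    """Target % column of the wish list: share of the estate that will be logging."""
    if total == 0:
        return 0
    return round(100 * (configured + additional) / total)


def project(cls: LogSourceClass, peak_ratio: float = 1.5) -> dict:
    """Scale today's average and peak EPS by the growth in configured resources.

    When nothing is configured today (the AKS row) there is no observed rate to scale,
    so an assumed per-resource rate must be supplied; peak_ratio is an assumed
    peak/average multiplier used for that case only.
    """
    if cls.configured == 0:
        if cls.per_resource_eps is None:
            raise ValueError(f"{cls.name}: no configured sources and no per_resource_eps assumption")
        future_avg = cls.additional * cls.per_resource_eps
        return {"name": cls.name, "current_avg": 0.0, "current_peak": 0.0,
                "future_avg": future_avg, "future_peak": future_avg * peak_ratio,
                "basis": "assumed per-resource rate"}
    factor = (cls.configured + cls.additional) / cls.configured
    current_avg = avg_eps(cls.events_24h)
    return {"name": cls.name, "current_avg": current_avg, "current_peak": cls.peak_eps,
            "future_avg": current_avg * factor, "future_peak": cls.peak_eps * factor,
            "basis": f"observed rate x {factor:.2f}"}


def required_eps(classes, spike_headroom: float = 0.20) -> int:
    """Martin's rule: sum the projected peaks, then add headroom for spikes (attack, outage storm)."""
    total_peak = sum(project(c)["future_peak"] for c in classes)
    return ceil(round(total_peak * (1 + spike_headroom), 6))


# Constructed sample: three rows from the wish list with made-up 24h measurements.
SAMPLE = [
    LogSourceClass("Azure AD", configured=2, total=18, additional=6,
                   events_24h=1_728_000, peak_eps=40.0),                 # 20 EPS average today
    LogSourceClass("Network Security Groups", configured=27, total=68, additional=24,
                   events_24h=25_920_000, peak_eps=450.0),               # 300 EPS average today
    LogSourceClass("AKS", configured=0, total=32, additional=28,
                   per_resource_eps=5.0),                                # nothing to measure yet
]

if __name__ == "__main__":
    for c in SAMPLE:
        p = project(c)
        print(f"{p['name']:<25} now {p['current_avg']:7.1f} avg / {p['current_peak']:7.1f} peak"
              f" -> future {p['future_avg']:7.1f} avg / {p['future_peak']:7.1f} peak ({p['basis']})")
    print("License to ask for (projected peaks + 20% headroom):", required_eps(SAMPLE), "EPS")
```

Two points follow from Karl's advice when you fill this in with real numbers. First, the log source you measure must be typical for its class; if a single noisy NSG drives the 24h count, the scaled projection overstates the whole class, so measure a low, medium and high representative and weight them. Second, the projection is only as good as the peak figure, which is why the headroom is applied to the summed peaks and not to the averages: the license limit is enforced against what arrives, not against the daily mean.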