Hello,
We have a multi-tenant QRadar deployment with many small domains/tenants (20+) and 60K+ EPS in total.
There is an average of 150 rules per domain here (there are also BBs), because each domain needs a different unique parameter (for example, in a rule: "not username xx" for Domain-1, "not username yy" for Domain-2) or a different response (a different mail address).
(Currently, the same rule is written separately for each domain; details below.)
Rule-1
  and when the domain is one of the following: Domain-1
  and when an event matches any of the following: BB:XX1 or BB:XX2
  and when the event matches xxx

Rule-2
  and when the domain is one of the following: Domain-2
  and when an event matches any of the following: BB:XX1 or BB:XX2
  and when the event matches xxx
That's why we have too many rules, and this is now causing a performance problem.
I could combine these rules to create offenses, but that would also involve too many domains, more logs, and more EPS.

Rule-3
  and when the domain is one of the following: Domain-1 or Domain-2
  and when an event matches any of the following: BB:XX1 or BB:XX2
  and when the event matches xxx
For this example, and based on your general experience, what would be the best rule-optimization approach in a multi-tenant deployment?
Thanks.
------------------------------
Ali Kerem Gunal
------------------------------
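The trade-off the post describes, as an added example that is not part of the original post and not QRadar code: a small Python model of the two rule layouts. It evaluates constructed events against (a) one rule per domain, as in Rule-1 and Rule-2, and (b) a single rule whose domain-specific exclusion and mail address come from a lookup keyed by the event's domain (the lookup table, the event fields, the usernames and the mail addresses are all constructed for the example). It counts how many rule tests run per event and checks that both layouts produce the same offenses with the same per-domain response.

```python
"""Toy model: per-domain rules vs. one domain-keyed rule.

Added example, not from the original post. It does not use the QRadar API;
the Event class, DOMAIN_PARAMS and SAMPLE_EVENTS are constructed stand-ins
for the rule tests described in the post.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    domain: str
    username: str
    matches_bb: bool   # stands in for "matches any of BB:XX1 or BB:XX2"
    matches_xxx: bool  # stands in for "the event matches xxx"


# Constructed per-domain parameters (hypothetical values): the username each
# domain excludes and the mail address that domain's response should notify.
DOMAIN_PARAMS = {
    "Domain-1": {"exclude_user": "xx", "mail": "soc-d1@example.com"},
    "Domain-2": {"exclude_user": "yy", "mail": "soc-d2@example.com"},
}


def per_domain_rules(events):
    """Layout (a): one rule per domain (Rule-1, Rule-2, ...).

    Every event is run through every domain's rule, so the domain test alone
    executes len(DOMAIN_PARAMS) times per event. Returns (offenses, tests).
    """
    offenses, tests = [], 0
    for ev in events:
        for domain, params in DOMAIN_PARAMS.items():
            tests += 1                          # "when the domain is ..."
            if ev.domain != domain:
                continue
            tests += 1                          # "when an event matches any of BB"
            if not ev.matches_bb:
                continue
            tests += 1                          # "when the event matches xxx"
            if not ev.matches_xxx:
                continue
            tests += 1                          # "when username is not <domain-specific>"
            if ev.username == params["exclude_user"]:
                continue
            offenses.append((domain, ev.username, params["mail"]))
    return offenses, tests


def domain_keyed_rule(events):
    """Layout (b): a single rule; the exclusion and the response are looked
    up from a table keyed by the event's domain, so each condition runs once
    per event regardless of how many domains exist. Returns (offenses, tests).
    """
    offenses, tests = [], 0
    for ev in events:
        tests += 1                              # "when the domain is one of ..."
        params = DOMAIN_PARAMS.get(ev.domain)
        if params is None:
            continue
        tests += 1                              # BB test
        if not ev.matches_bb:
            continue
        tests += 1                              # xxx test
        if not ev.matches_xxx:
            continue
        tests += 1                              # exclusion taken from the lookup
        if ev.username == params["exclude_user"]:
            continue
        offenses.append((ev.domain, ev.username, params["mail"]))
    return offenses, tests


# Constructed sample events covering the edge cases that matter here.
SAMPLE_EVENTS = [
    Event("Domain-1", "alice", True, True),   # fires for Domain-1
    Event("Domain-1", "xx", True, True),      # "xx" is excluded in Domain-1
    Event("Domain-2", "xx", True, True),      # "xx" is NOT excluded in Domain-2
    Event("Domain-2", "yy", True, True),      # "yy" is excluded in Domain-2
    Event("Domain-2", "bob", True, False),    # fails the xxx test
    Event("Domain-3", "carol", True, True),   # tenant with no rule at all
]


if __name__ == "__main__":
    for name, fn in (("per-domain", per_domain_rules), ("domain-keyed", domain_keyed_rule)):
        offenses, tests = fn(SAMPLE_EVENTS)
        print(f"{name}: {tests} tests, offenses={offenses}")
```

With only two domains the difference is small (26 tests versus 20 on these six events), but the per-domain layout grows with the domain count: with 20 tenants the domain test runs 20 times for every event before anything else is checked, while the keyed layout stays constant per event and still keeps the exclusion and the mail address specific to each tenant.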