IBM QRadar

  • 1.  Apphost | UBA & ML | 215GB huge amount of disk space to analytics.db

    Posted 8 days ago

    Hi community,

    Today, I discovered another unexpected behavior related to the Apphost disk space... This System Notification shows up: Disk sentry System - System Disk usage back to normal levels.

    Further investigation shows that this .db file on the Apphost uses a huge amount of disk space. I have an idea what it's related to, because of using UBA and ML. But what kind of "tuning" options are available to "shrink" the size of this db? Maybe disabling ML Models?

    Any similar experience or tuning tips, except for increasing the general Apphost disk volume :)? Maybe from @IBM Support?

    Regards,

    Ralph



    ------------------------------
    Ralph Belfiore
    Managing Consultant | SIEM Security Advocate
    connecT SYSTEMHAUS AG
    Siegen
    ------------------------------


  • 2.  RE: Apphost | UBA & ML | 215GB huge amount of disk space to analytics.db

    Posted 7 days ago

    Hey Ralph

    Hope you are well. This is most likely due to the ML models. You can consider reducing the retention period of the data in the model. The following link outlines the ML app settings:

    https://www.ibm.com/docs/en/qradar-common?topic=app-machine-learning-user-models

    In the Data Retention Period field, set the number of days you want to save the model data. The default value is 30.

    Thanks



    ------------------------------
    John Dawson
    Qradar Support Architect
    IBM
    ------------------------------



  • 3.  RE: Apphost | UBA & ML | 215GB huge amount of disk space to analytics.db

    Posted 7 days ago

    Hey John,

    I'm fine, what about you? Thanks for this advice and hint.
    Right away I checked the Data Retention Period field value you mentioned, but it says that the value needs to be between 30 and 90...

    Any other options?

    Regards,

    Ralph



    ------------------------------
    Ralph Belfiore
    Managing Consultant | SIEM Security Advocate
    connecT SYSTEMHAUS AG
    Siegen
    ------------------------------



  • 4.  RE: Apphost | UBA & ML | 215GB huge amount of disk space to analytics.db

    Posted 6 days ago

    Hey Ralph, John; we filter very carefully what gets past the BB: UBA: Common Event Filters rule to keep out anything that has no value: machine accounts, externals in some cases, and anything that isn't a real username due to bad parsing, etc. In some really large cases, you have to have more than one UBA instance to handle the different domains, but that requires a LOT of CPU, RAM, disk, etc. You could always build a new Apphost with larger volumes; that takes a lot of work, of course.



    ------------------------------
    Frank Eargle
    ------------------------------