Hi,
You can raise RFEs on IBM Ideas at the following link:
https://www.ibm.com/support/pages/qradar-requesting-new-features-ibm-ideas
For points 2 and 3: you can exclude a specific Event Processor, Flow Processor or Data Node from a search. This is outlined at the following link:
https://www.ibm.com/support/pages/node/6995901
Thanks
------------------------------
John Dawson
------------------------------
Original Message:
Sent: Tue November 28, 2023 05:09 AM
From: Ashok Kumar
Subject: Enhancements in QRadar
1. EPS Shuffling - In large QRadar distributed deployments there are multiple event or flow processors, each with a certain EPS configured. However, during a spike or a cyber incident, if there is an increase, we need to manually adjust the EPS by redistributing it from other hosts. So, my point is, there should be some automation or logic to shuffle the EPS based on the spike and revert to normal afterward.
2. Event or Flow Processor IO Error - In distributed environments, whenever there is an issue with the network connectivity between the console and an event processor, or if the Event Processor is down due to some issue, the queries initiated by SOC users go into an error state, indicating an IO error. For this, IBM should build a simple option to temporarily disable the event processor without removing it from the deployment. This way, whenever the issue with the EP or the network connectivity is fixed, it can easily be re-enabled. This is important because in large deployments it is difficult to exclude all event processors one by one in searches.
3. Event Processor Removal - Referring to the second point above, since there is no option to mark the event processor or exclude it in the search, we need to remove it from the deployment. After removing it, the event processor stops processing events, which is not good for cyber investigations because we lose logs.
------------------------------
Ashok Kumar Cyber Security Consultant
------------------------------