IBM Security QRadar

 View Only
  • 1.  Enhancements in QRadar

    Posted Tue November 28, 2023 05:09 AM

    1. EPS Shuffling - In large QRadar distributed deployments, there are multiple event or flow processors where certain EPS is configured. However, during a spike or cyber incidents, if there is an increase, we need to manually adjust the EPS by redistributing it from other hosts. So, my point is, there should be some automation or logic to shuffle the EPS based on the spike and revert back to normal afterward.

    2. Event or Flow Processor IO Error - In distributed environments, whenever there is an issue with the network connectivity between the console and event processor, or if the Event Processor is down due to some issue, the queries initiated by SOC users go into an error state, indicating an IO error. For this, IBM should build a simple option to temporarily disable the event processor without removing it from the deployment. This way, whenever the issue with the EP or network connectivity is fixed, it can be easily re-enabled. This is important because in large deployments, it's difficult to exclude all event processors one by one in searches.

    3. Event Processor Removal - Referring to the above second point, since there is no option to mark the event processor or exclude it in the search, we need to remove it from the deployment. After removing it, the event processor stops processing events, which is not good for cyber investigations because we are losing logs.



    ------------------------------
    Ashok Kumar Cyber Security Consultant
    ------------------------------


  • 2.  RE: Enhancements in QRadar

    Posted Tue November 28, 2023 08:59 AM

    Hi,

    You can raise RFE's on IBM Ideas at the following linkn

    https://www.ibm.com/support/pages/qradar-requesting-new-features-ibm-ideas

    For points 2 and 3 you can exclude a certain Event or Flow Processor or DataNode from a search.  This is outlined at the following linnk

    https://www.ibm.com/support/pages/node/6995901

    Thanks



    ------------------------------
    John Dawson
    ------------------------------



  • 3.  RE: Enhancements in QRadar

    IBM Champion
    Posted Wed November 29, 2023 08:11 AM

    To your point 1) usually there are event collectors in large environments that are between the EP and the log source.  These do buffer spikes and collect while connections to EP's cannot be made, same with flow collectors to flow processors.

    To point 2) The EP's should not lose connection to the console as processing offenses etc. can be interrupted.  We do have some on continents, but you do pickup latency and of course searches can fail during periods of network instability.



    ------------------------------
    Frank Eargle
    ------------------------------