IBM QRadar


  • 1.  QRadar 7.5.0 UP5 Rule performance optimisation

    Posted Mon April 24, 2023 06:13 AM

    Hi all.

    I've got a question about rule processing performance.


    I've got two rules:
    In the first rule I'm checking log source type at first and then QID number.
    In the second rule I'm checking just a QID number.

    Which one would be better in terms of rule processing performance? 



    ------------------------------
    Bohdan
    ------------------------------


  • 2.  RE: QRadar 7.5.0 UP5 Rule performance optimisation

    Posted Thu April 27, 2023 01:48 PM

    Bohdan

    That depends on whether an index is set or not.
    In the case of log source type, this is set by default and will reduce the number of events by a factor of 10 to 20 at least.
    In the case of QID I'm not so sure about the default setting, but it should be indexed as well. Please refer to index management in the Admin tab.
    The main difference is that there are millions of QIDs versus hundreds of log source types, so the QID index is more expensive to process compared to log source types. When using both tests, put the one for log source type first. Use event category whenever possible to reduce the number of events further. A QID test is an alternative. Maybe someone from IBM can comment on that with more expertise.
    BR
    Karl



    ------------------------------
    Karl Jaeger, Business Partner
    QRadar Specialist
    pro4bizz
    Karlsruhe, Germany
    4972190981722
    ------------------------------



  • 3.  RE: QRadar 7.5.0 UP5 Rule performance optimisation

    Posted Thu April 27, 2023 04:58 PM

    Whilst there is a convention that a QID should apply to just one log source type, it is not enforced.  So, it will depend on your specific configuration if those two approaches mean the same thing or not.

    As far as test efficiency goes, they are both considered 'cheap' tests - so there would be almost no difference between "type then QID" vs "QID then type" should both be TRUE.  However, as QID is by far the most selective - having it first will drastically reduce the instances where both would actually be evaluated.

    Personally, I feel it is much more maintainable to indicate the Log Source Type in a Rule, as a QID doesn't really convey that at all to a human observer.

    And, for the record, indexes are not relevant when talking about CRE performance (except in the 'Historic Correlation' edge case).

    pfh



    ------------------------------
    Paul Ford-Hutchinson
    ------------------------------



  • 4.  RE: QRadar 7.5.0 UP5 Rule performance optimisation

    Posted Fri April 28, 2023 04:15 AM

    Paul
    Thanks for clearing this up.
    Indexes are relevant for searching only, that's what I have understood; the question is what is relevant for rule tests.
    Is there a list of expensive versus low-cost tests?
    If test order is not an issue in this case, what about the number of tests?
    We regularly receive CRE notices about expensive rules using complex time conditions on top of other tests.
    What about this list:
    event category 1st
    NOT condition 2nd, like log source type
    time test 3rd, like more than x events in y minutes observed
    Karl



    ------------------------------
    Karl Jaeger, Business Partner
    QRadar Specialist
    pro4bizz
    Karlsruhe, Germany
    4972190981722
    ------------------------------
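The two points raised in this thread, Paul's observation that the most selective test placed first cuts the number of times the following tests run at all, and Karl's question about where an expensive test (such as a time condition) belongs, can be measured with a small simulation. The block below is an added example written for this page; it is not QRadar's Custom Rules Engine and does not model how the CRE actually evaluates rules. It is a toy engine that evaluates an ordered list of tests with AND short-circuit semantics, counts how often each test runs, and ranks every ordering by a constructed per-test cost weight. The events, the log source type names, the QID values, the "payload_pattern" test standing in for an expensive test, and the weights (1 for a cheap property test, 50 for the expensive one) are all constructed assumptions, not values from the thread or from QRadar.

```python
"""Added example (not QRadar code): a toy rule engine that evaluates an
ordered list of tests with AND short-circuit semantics, counts how often each
test runs, and ranks every ordering by a constructed per-test cost weight.
Events, QIDs, log source type names and weights are all made up for the demo.
"""
from collections import Counter
from dataclasses import dataclass
from itertools import permutations
from typing import Callable, Dict, List, Tuple


@dataclass
class Event:
    log_source_type: str
    qid: int
    payload: str


# A test is (name, cost weight, predicate).  Weight 1 = cheap property test;
# weight 50 = an expensive test standing in for e.g. a complex time condition.
Test = Tuple[str, int, Callable[[Event], bool]]


def make_events(n: int = 1000) -> List[Event]:
    """Constructed traffic: 3 log source types, 100 distinct QIDs, a rare payload."""
    types = ["WindowsAuthServer", "LinuxOS", "Firewall"]
    return [
        Event(log_source_type=types[i % 3],
              qid=5_000_000 + (i % 100),            # placeholder QID range
              payload="login failed" if i % 9 == 0 else "ok")
        for i in range(n)
    ]


TESTS: Dict[str, Test] = {
    "log_source_type": ("log_source_type", 1,
                        lambda e: e.log_source_type == "WindowsAuthServer"),
    "qid":             ("qid", 1, lambda e: e.qid == 5_000_007),
    "payload_pattern": ("payload_pattern", 50, lambda e: "failed" in e.payload),
}


def run_rule(order: List[str], events: List[Event]) -> Tuple[int, Dict[str, int], int]:
    """Evaluate the named tests in order, stopping at the first False.
    Returns (matches, evaluations per test, weighted cost)."""
    evals: Counter = Counter()
    cost = 0
    matches = 0
    for ev in events:
        for name in order:
            _, weight, pred = TESTS[name]
            evals[name] += 1
            cost += weight
            if not pred(ev):
                break
        else:          # no test failed: the rule fires for this event
            matches += 1
    return matches, dict(evals), cost


def rank_orderings(events: List[Event]) -> List[Tuple[Tuple[str, ...], int, int]]:
    """Try every ordering of the tests; return (order, matches, cost), cheapest first."""
    rows = []
    for order in permutations(TESTS):
        matches, _, cost = run_rule(list(order), events)
        rows.append((order, matches, cost))
    return sorted(rows, key=lambda r: r[2])


if __name__ == "__main__":
    evs = make_events()
    for order, matches, cost in rank_orderings(evs):
        print(f"{cost:>6}  matches={matches}  {' -> '.join(order)}")
```

Running it shows the shape of Paul's argument: every ordering fires the same number of times, so ordering is purely a cost question. With the constructed data, "type then QID" evaluates the QID test 334 times, while "QID then type" evaluates the type test only 10 times, because the QID test lets through far fewer events. Once a weighted test is added, the cheapest ordering puts the cheap, selective tests first and the expensive one last, which is the pattern behind the CRE notices Karl describes; the worst orderings are the ones that run the expensive test against every event.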