Monday, December 22, 2014

QRadar SIEM 101: Find Expensive Custom Rules

Is your SIEM slow? Perhaps this command will help.

    [xxx@yyy support]# ./

    NOTE: This is typically found in /opt/qradar/support/

It will then tell you where it stored the data:

    Data can be found in ./CustomRule-xxxx-xx-xx-yyyyyyy.tar.gz

Then you can extract that archive and view the contents:

    [xxx@yyy support]# tar -zxvf CustomRule-xxxx-xx-xx-yyyyyyy.tar.gz

Good luck parsing through the data! At a high level, I think the txt/xml file in the top folder tries to summarize it all, so look in there for the first rule listed that is one you wrote (rules are ordered from most to least expensive). If you need more details, go into the reports folder and do the same thing on each of those files.

Copyright © 2014, this post cannot be reproduced or retransmitted in any form without reference to the original post.
