Indexing best practices

You can enable specific indexes to improve performance based on the types of offenses that you want to analyze.

The QRadar® Advisor with Watson™ app runs searches in QRadar. QRadar searches require indexes to complete quickly and with limited impact on the rest of the system. Missing indexes can cause the following symptoms:

  • Increased frequency of SAR Sentinel warning messages in the QRadar Messages interface due to poor performing searches.
  • Analysis completes but no, or limited, local observables are found (Stage 1 graph).

Indexes should be enabled for all offense types that you want analyzed. Not all offense types have indexes that are enabled by default.

Note: Ensure that you optimize and enable all custom properties that are used for offense indexing. Using properties that are not optimized can have a negative impact on performance.

Table 1. Indexing specific offense types

Offense type             AQL field         Property to index   Enabled by default
-----------------------  ----------------  ------------------  ------------------
All Custom Types         (Custom)          (Custom)            No
Rule                     creEventList      Custom Rule         Events Only
Destination IPv6         destinationv6     IPv6 Destination    No
Source IPv6              sourcev6          IPv6 Source         No
Destination Port         destinationPort   Destination Port    Yes
Source Port              sourcePort        Source Port         No
Event Name               qid               Event Name          Events Only
Destination IP           destinationIP     Destination IP      Yes
Source IP                sourceIP          Source IP           Yes
Host Name                identityHostName  Identity Host Name  No
Log Source               logSourceId       Log Source          Yes
Destination MAC Address  destinationMAC    Destination MAC     No
Source MAC Address       sourceMAC         Source MAC          No
Username                 userName          Username            Yes
App Id                   applicationId     Application         Yes
Destination ASN          destinationASN    Destination ASN     No
Source ASN               sourceASN         Source ASN          No

Note: Enabling indexes does not affect past data. Contact IBM Customer Support for assistance with indexing past data.

For more information about indexing in QRadar, see the following technote: https://www.ibm.com/support/docview.wss?uid=swg21689802.