Types of reference data collections
IBM® QRadar® has different types of reference data collections that can handle different levels of data complexity. The most common types are reference sets and reference maps.
If you want to use the same reference data in both QRadar SIEM and QRadar Risk Manager, use a reference set. You can't use other types of reference data collections with QRadar Risk Manager.
Type of collection | Description | How to use | Examples |
---|---|---|---|
Reference set | A collection of unique values. | Use a reference set to compare a property value against a list, such as IP addresses or user names. | To verify whether a login ID that was used to log in to QRadar is assigned to a user, create a reference set with the LoginID parameter. |
Reference map | A collection of data that maps a unique key to a value. | Use a reference map to verify a unique combination of two property values. | To correlate user activity on your network, create a reference map that uses the LoginID parameter as a key, and the Username as a value. |
Reference map of sets | A collection of data that maps a key to multiple values. Every key is unique and maps to one reference set. | Use a reference map of sets to verify a combination of two property values against a list. | To test for authorized access to a patent, create a map of sets that uses a custom event property for Patent ID as the key, and the Username parameter as the value. Use the map of sets to populate a list of authorized users. |
Reference map of maps | A collection of data that maps one key to another key, which is then mapped to a single value. Every key is unique and maps to one reference map. | Use a reference map of maps to verify a combination of three property values. | To test for network bandwidth violations, create a map of maps that uses the Source IP parameter as the first key, the Application parameter as the second key, and the Total Bytes parameter as the value. |
Reference table | A collection of data that maps one key to another key, which is then mapped to a single value. The second key is assigned a data type. | Use a reference table to verify a combination of three property values when one of the properties is a specific data type. | Create a reference table that stores Username as the first key, Source IP as the second key with an assigned cidr data type, and Source Port as the value. |
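
The lookups in the Examples column for the reference set, map of sets, and map of maps can be modeled with ordinary Python sets and dictionaries. This is an added example, not IBM or QRadar code: the event field names, identifiers and sample values are constructed, and treating the stored Total Bytes value as a byte limit is an assumption.

```python
# Plain-Python model of three reference data shapes (not QRadar code).
# All names and values below are constructed sample data.

# Reference set: a collection of unique values (known login IDs).
known_login_ids = {"jdoe01", "asmith02"}

# Reference map of sets: key -> set of values (Patent ID -> authorized Usernames).
patent_access = {"PAT-1001": {"alice", "bob"}, "PAT-2002": {"carol"}}

# Reference map of maps: key1 -> key2 -> single value
# (Source IP -> Application -> Total Bytes, assumed here to be a byte limit).
bandwidth_limits = {"10.0.0.5": {"HTTP": 5_000_000, "SSH": 200_000}}


def check_event(event):
    """Return the list of findings for one event dict."""
    findings = []

    login = event.get("login_id")
    if login is not None and login not in known_login_ids:
        findings.append("unknown_login_id")

    patent = event.get("patent_id")
    if patent is not None:
        # A missing key means nobody is authorized, so default to an empty set.
        if event.get("username") not in patent_access.get(patent, set()):
            findings.append("unauthorized_patent_access")

    per_app = bandwidth_limits.get(event.get("source_ip"), {})
    limit = per_app.get(event.get("application"))
    # No entry for this (IP, application) pair means no limit is defined.
    if limit is not None and event.get("total_bytes", 0) > limit:
        findings.append("bandwidth_violation")
    return findings


# Constructed sample events.
EVENTS = [
    {"login_id": "jdoe01", "username": "alice", "patent_id": "PAT-1001"},
    {"login_id": "ghost99", "username": "bob", "patent_id": "PAT-2002"},
    {"source_ip": "10.0.0.5", "application": "HTTP", "total_bytes": 9_000_000},
    {"source_ip": "10.0.0.5", "application": "DNS", "total_bytes": 9_000_000},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev, "->", check_event(ev))
```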