Rule performance visualization
Rule performance visualization extends the current logging around performance degradation and the expensive custom rules in the QRadar pipeline. With rule performance visualization, you can easily determine the efficiency of rules in the QRadar pipeline, directly from the Rules page.

When events or flows are routed to storage, QRadar begins collecting efficiency metrics on enabled rules. Metrics are collected on all event, common, and flow rules. When you save rule updates, the metrics for the rules that you updated are cleared, so that performance data from before the update is not confused with the updated rules. This option is configurable by an Administrator.
You can sort rules by their performance metrics and identify the more expensive rules. When you review the rules, you can adjust the tests to optimize each rule, and reduce the load on the system.
With rule performance visualization, you see how expensive the rules are. QRadar operations teams can monitor any expensive rules and ensure that they do not cause future performance issues.
When rules run efficiently, the workload on the system can decrease. Over time, this efficiency can help QRadar avoid rule-related performance degradations, which cause rules to bypass rule correlation. When correlation is bypassed, suspect activity might not trigger a notification, and security-related issues might be missed.
For more information about tuning rules, see the IBM® QRadar® Tuning Guide.
View the metrics for a rule
You can view the metrics for a rule from the Rules page when you move the mouse pointer over the colored bars in the Performance column, and in the Performance Analysis textbox, which is in the lower-right corner of the Rules page. You can also view the metrics for a rule in the Rule Wizard when you edit a rule. The timestamp in the Performance Analysis textbox shows when the metrics for the rule were updated. For more information about creating rules, see the Rules topic.


Colors and bars in the Performance column on the Rules page
- One red bar: The rule is under-performing and needs to be tuned. The EPS/FPS throughput for this rule is below the lower limit. Open the rule and tune the tests.
- Two orange bars: The rule might need some tuning.
- Three green bars: The rule has a high throughput above the upper limit of the EPS/FPS threshold.

For more information about tuning rules, see Custom rule testing order.