Types of resource restrictions

You can limit searches by configuring time-based or data-set restrictions for a user, a user role, or a tenant.

Resource restrictions are evaluated in the following order of precedence: user, user role, then tenant. The most specific level that has a restriction set wins: restrictions that are set for a user take precedence over restrictions that are set for the user role or the tenant that the user is assigned to.

You can set the following types of restrictions on event and flow searches:
  • The length of time that a search runs before data is returned.
  • The time span of the data to be searched.
  • The number of records that are processed by the Ariel query server.
    Note: The Ariel search stops when the record limit is reached, but the search results that are already in progress are returned to the search manager and are not truncated. Therefore, the result set is often larger than the specified record limit. The limit bounds the work that the query server does, not the exact size of the result set, so do not rely on it to cap precisely how many records a user can see.
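The following Python model is an added example, not QRadar code or any QRadar API. It shows the precedence order (user, then role, then tenant) and why a record-limited search returns more records than the limit. It reuses the figures from the role and tenant examples later on this page (7 days for a junior analyst, 14 days and 10,000 records for a medium-sized tenant); the field names, the per-field fall-through when a level leaves a value unset, the batch mechanics, the execution-time value, the senior role's span, the student user's limits and the sample events are all assumptions.

```python
"""Model of the precedence and record-limit behaviour described above.

Added example, not QRadar code: the Restriction fields, the per-field
fall-through and the batch processing loop are modelling assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Restriction:
    """One level of resource restrictions; None means 'not set at this level'."""
    execution_time_minutes: Optional[int] = None  # how long the search may run
    data_time_span_days: Optional[int] = None     # how far back the search may look
    record_limit: Optional[int] = None            # records the query server processes


FIELDS = ("execution_time_minutes", "data_time_span_days", "record_limit")


def effective_restriction(user: Optional[Restriction],
                          role: Optional[Restriction],
                          tenant: Optional[Restriction]) -> Restriction:
    """Resolve the restriction that applies to one search.

    Follows the page's precedence literally: a user setting wins over the
    role setting, which wins over the tenant setting, even when the more
    specific level is looser. Resolving field by field, with an unset
    field falling through to the next level, is an assumption.
    """
    levels = [r for r in (user, role, tenant) if r is not None]
    resolved: Dict[str, Optional[int]] = {}
    for field in FIELDS:
        resolved[field] = next(
            (getattr(r, field) for r in levels if getattr(r, field) is not None),
            None,
        )
    return Restriction(**resolved)


def run_search(events: List[dict], restriction: Restriction, batch_size: int,
               predicate: Callable[[dict], bool]) -> dict:
    """Simulate a search under a resolved restriction.

    The time span is applied up front: events outside the window are never
    eligible. The record limit is checked only between batches, so the batch
    that crosses the limit is still processed and its matches are returned
    in full. That is why the processed count can exceed the limit.
    """
    window = restriction.data_time_span_days
    eligible = [e for e in events if window is None or e["age_days"] < window]
    limit = restriction.record_limit
    processed, hits = 0, []
    for start in range(0, len(eligible), batch_size):
        if limit is not None and processed >= limit:
            break  # stop here; nothing already processed is discarded
        batch = eligible[start:start + batch_size]
        hits.extend(e for e in batch if predicate(e))
        processed += len(batch)
    return {
        "processed": processed,
        "returned": len(hits),
        "hit_limit": limit is not None and processed >= limit,
    }


# Constructed sample data: 30 events, one per day back from today, with a
# cycling severity so that a few of them match the query below.
SAMPLE_EVENTS = [{"event_id": i, "age_days": i, "severity": i % 10} for i in range(30)]


def high_severity(event: dict) -> bool:
    return event["severity"] >= 8


# Levels taken from the examples on this page; the values the page does not
# give (execution time, the senior span, the student limits) are assumptions.
TENANT = Restriction(execution_time_minutes=30, data_time_span_days=14, record_limit=10_000)
JUNIOR_ROLE = Restriction(data_time_span_days=7)
SENIOR_ROLE = Restriction(data_time_span_days=365)
STUDENT_USER = Restriction(data_time_span_days=1, record_limit=500)


if __name__ == "__main__":
    for label, user, role in (("student", STUDENT_USER, JUNIOR_ROLE),
                              ("junior", None, JUNIOR_ROLE),
                              ("senior", None, SENIOR_ROLE)):
        print(label, effective_restriction(user, role, TENANT))
    # Record limit 10 with batches of 4: the third batch pushes processing to 12.
    print(run_search(SAMPLE_EVENTS, Restriction(data_time_span_days=14, record_limit=10),
                     batch_size=4, predicate=high_severity))
```

The student run resolves to the tenant's execution time, the student's own 1-day span and 500-record limit; the junior run inherits the 7-day span from the role and everything else from the tenant. The record-limit run processes 12 records against a limit of 10, which is the overshoot the note above describes: use the record limit to bound load, and use the time-span restriction (or proper access controls) when the goal is to bound what a user can retrieve.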

User-based restrictions

User-based restrictions define limits for an individual user, and they take precedence over role and tenant restrictions.

For example, your organization hires university students to work with the junior analysts in your SOC. The students have the same user role as the other junior analysts, but you apply more restrictive user-based restrictions until the students are properly trained in building QRadar® queries.

Role-based restrictions

Role-based restrictions allow you to define groups of users who require different levels of access to your QRadar deployment. By setting role-based restrictions, you can balance the needs of different types of users.

For example, a junior security analyst might focus on security incidents that happened recently, while a senior security analyst might be more involved in forensic investigations that review data over a longer period of time. By setting role-based restrictions, you can limit a junior analyst to accessing only the last 7 days of data, while a senior analyst has access to a much larger time span of data.

Tenant-based restrictions

In a Managed Security Service Provider (MSSP) or a multi-divisional organization, tenant-based restrictions help you maintain quality of service by preventing resource contention between tenants. For example, you can prevent one tenant from running queries over terabytes of data that would degrade system performance for all other tenants.

As an MSSP, you might define standard resource restrictions based on a set of criteria that each tenant is compared to. For example, the standard configuration for a medium-sized tenant might include resource restrictions that limit searches to accessing only the last 14 days of data and a maximum of 10,000 records returned.