Indexing best practices
You can enable specific indexes to improve performance based on the types of offenses that you want to analyze.
The QRadar® Advisor with Watson™ app runs searches in QRadar. QRadar searches require indexes to complete quickly and with limited impact on the rest of the system. Missing indexes can cause the following:
- Increased frequency of SAR Sentinel warning messages in the QRadar Messages interface because of poorly performing searches.
- Analysis completes, but no local observables, or only a limited number, are found (Stage 1 graph).
Indexes should be enabled for all offense types that you want analyzed. Not all offense types have indexes that are enabled by default.
Note: Ensure that you optimize and enable all custom properties that are used for offense indexing. Using properties that are not optimized can have a negative impact on performance.
Offense type | AQL field | Property to index | Enabled by default
---|---|---|---
All Custom Types | (Custom) | (Custom) | No |
Rule | creEventList | Custom Rule | Events Only |
Destination IPv6 | destinationv6 | IPv6 Destination | No |
Source IPv6 | sourcev6 | IPv6 Source | No |
Destination Port | destinationPort | Destination Port | Yes |
Source Port | sourcePort | Source Port | No |
Event Name | qid | Event Name | Events Only |
Destination IP | destinationIP | Destination IP | Yes |
Source IP | sourceIP | Source IP | Yes |
Host Name | identityHostName | Identity Host Name | No |
Log Source | logSourceId | Log Source | Yes |
Destination MAC Address | destinationMAC | Destination MAC | No |
Source MAC Address | sourceMAC | Source MAC | No |
Username | userName | Username | Yes |
App Id | applicationId | Application | Yes |
Destination ASN | destinationASN | Destination ASN | No |
Source ASN | sourceASN | Source ASN | No |
Note: Enabling indexes does not affect past data. Contact IBM Customer Support for assistance with indexing past data.
For more information on indexing in QRadar, see the following technote: https://www.ibm.com/support/docview.wss?uid=swg21689802.