Optimizing your QRadar system

To get the best results in QRadar® Advisor with Watson™, you can optimize IBM® QRadar by reviewing the custom mapping configuration and reviewing log sources that are used by QRadar Advisor with Watson.

Before you begin

You must have QRadar administrator privileges to optimize your QRadar system.

About this task

The QRadar Advisor with Watson app does not pull values from event or flow payloads; instead, it relies on defined QRadar custom properties and standard properties. To improve the quality of your results, review the custom properties and the log sources that are used by QRadar Advisor with Watson.

Procedure

  1. On the navigation menu, click Admin.
  2. In the Apps section, under QRadar Advisor with Watson, click Configuration.
  3. Click Optional Settings to open the Optional Settings menu page.
  4. Click Optimization.
  5. Click Run Report.
  6. By default, the In offenses toggle is enabled, so the report shows the sum of the events that have mapped properties and are also in offenses. Click In offenses to disable the toggle and show all events that have mapped properties but aren't necessarily in offenses.
  7. Review the log sources and verify that all of the expected log sources are present. If a log source is not listed, or does not have a substantial number of events that are used by QRadar Advisor with Watson, more mappings are required.
  8. In the Property Mapping section, review any custom properties that were added or modified since the configuration wizard was last run.
    If you have any properties that are not yet mapped, they are listed.
  9. Click the Add Mapping icon next to the property that you want to map for the app to use.
  10. Select a canonical name from the list and then click Add.
  11. Click Complete.