Guidelines for tuning system performance

How you tune IBM QRadar depends on different scenarios and whether you have one target or many targets within your network.

To ensure reliable system performance, you must consider the following guidelines:

Disable rules that produce numerous unwanted offenses.
To tune CRE rules, increase the rule threshold by doubling the numeric parameters and the time interval.
Consider modifying rules to consider the local network context rather than the remote network context.
When you edit a rule with the attach events for the next 300 seconds option enabled, wait 300 seconds before you close the related offenses.

For more information, see the IBM QRadar User Guide.

The following table provides information on how to tune false positives according to these differing scenarios.

Table 1. Tuning methodology.
Scenario	One Target	Many Targets
One attacker, one event	Use the False Positive Wizard to tune the specific event.	Use the False Positive Wizard to tune the specific event.
One attacker, many unique events in the same category	Use the False Positive Wizard to tune the category.	Use the False Positive Wizard to tune the category.
Many attackers, one event	Use the False Positive Wizard to tune the specific event.	Edit the building blocks by using the Custom Rules Editor to tune the specific event.
Many attackers, many events in the same category	Use the False Positive Wizard to tune the category.	Edit building blocks by using the Custom Rules Editor to tune the category.
One attacker, many unique events in different categories	Investigate the offense and determine the nature of the attacker. If the offense or offenses can be tuned out, edit the building blocks by using the Custom Rules Editor to tune categories for the host IP address.	Investigate the offense and determine the nature of the attacker. If the offense or offenses can be tuned out, edit the building blocks by using the Custom Rules Editor to tune the categories for the host IP address.
Many attackers, many unique events in different categories	Edit the building blocks by using the Custom Rules Editor to tune the categories.	Edit the building blocks by using the Custom Rules Editor to tune the categories.