Frequently asked questions

Get answers to the most commonly asked questions about this product.

FAQ

Getting started with this product

How is Data Store configured to separate data for storage from data for analysis?

Data Store is configured using a simple collection filter in QRadar. By selecting the data source, or the event criteria from the data source, you can easily define which data is sent directly to Data Store. This filter can be changed at any time and immediately pushed into production.

Do the apps I install from the App Exchange use Data Store data?

Some do, and some do not. Because Data Store data does not go through analysis or correlation, analytics-driven apps may not be able to fully leverage data collected using Data Store. All other capabilities, such as reporting, parsing, custom properties and dashboards, should work as expected.

Support

What version of QRadar is necessary to use Data Store?

Customers must be on 7.3.1 or higher.

What types of appliances support the Data Store capability?

Data Store is a QRadar licensing overlay that leverages existing storage and processing capacity on Event Processors and Data Nodes to collect, process and store data identified for Data Store. No new appliances are required, but additional Data Nodes may be purchased to support data storage needs.

Security

What capabilities of QRadar will work with Data Store collected data?

Data Store is primarily used for log management, so its data is excluded from correlation and advanced security analytics capabilities. However, Data Store data can be used by most other capabilities, such as searching, reporting, visualization and custom apps built using the QRadar App Framework.

Can data collected using the Data Store be converted and used later for security use cases?

Data Store data cannot be used for historical correlation. However, the filtering policy that separates Data Store data from SIEM data can easily be changed. As soon as the policy is updated, all future data collected will be included in all analytics and correlation processes within QRadar.