Frequently asked questions

Get answers to the most commonly asked questions about this product.

Data Store is configured using a simple collection filter in QRadar. By selecting the data source, or the event criteria from the data source, you can easily define which data is sent directly to Data Store. This filter can be changed at any time and immediately pushed into production.

Some do, and some do not. Because Data Store data does not go through analysis or correlation, analytics-driven apps may not be able to fully leverage data collected using Data Store. All other capabilities, such as reporting, parsing, custom properties and dashboards, should work as expected.

Customers must be on 7.3.1 or higher.

Data Store is a QRadar licensing overlay that leverages existing storage and processing capacity on Event Processors and Data Nodes to collect, process and store data identified for Data Store. No new appliances are required, but additional Data Nodes may be purchased to support data storage needs.

Data Store is primarily used for log management, so its data is excluded from correlation and advanced security analytics capabilities. However, Data Store data can be used by most other capabilities, such as searching, reporting, visualization and custom apps built using the QRadar App Framework.

Data Store data cannot be used for historical correlation. However, the filtering policy that separates Data Store data from SIEM data can easily be changed. As soon as the policy is updated, all future data collected will be included in all analytics and correlation processes within QRadar.
