Turning on and configuring rule performance visualization

Use the Custom Rule Settings feature to turn on and configure metrics for rule performance analysis. Rule performance visualization extends the current logging around performance degradation and the expensive custom rules in the QRadar® pipeline. With rule performance visualization, you can determine the efficiency of rules in the QRadar pipeline directly from the Rules page.

About this task

After you turn on rule performance visualization, the metrics remain blank unless an event or flow performance issue occurs.

Procedure

  1. On the navigation menu, click Admin.
  2. In the System Configuration section, click System Settings.
  3. On the System Settings page, click Advanced.
  4. Configure the Custom Rule Settings.
    Table 1. Custom Rule Settings

    Setting: Enable Performance Analysis
    Description: Enable cost performance analysis tracking for custom rules. The default is False.

    Setting: Reset Metrics on Rule Change
    Description: Enable the reset of the rule performance analysis metrics when a rule is modified. The default is True.
      Tip: To reset metrics on a rule, edit the rule, and then save it. The metrics are cleared for the rule that you modified.

    Setting: Performance Analysis Upper Limit
    Description: The upper threshold (in EPS or FPS) that is used to determine the performance bar value for a rule.
      • If the throughput for a rule drops below this limit and is above the Performance Analysis Lower Limit, the performance is displayed as two orange bars.
      • If the throughput for a rule is above this limit, the performance is displayed as three green bars.
      The default is 50,000.

    Setting: Performance Analysis Lower Limit
    Description: The lower threshold (in EPS or FPS) used to determine the performance bar value for a rule. If the throughput for a rule drops below this limit, the performance is displayed as one red bar.
      The default is 12,500.

  5. Click Save.
  6. On the navigation menu, click Admin.
  7. Click Deploy Changes.

Results

When rule performance visualization is turned on, the Performance column is added to the Rules page. The Performance column on the Rules page is blank until a performance issue occurs in the custom rule engine.

For more information about Rule performance visualization, see the IBM QRadar User Guide.