IBM QRadar Data Store normalizes and stores both security and operational log data for future analysis and review.
A new offering, IBM QRadar Data Store, normalizes and stores both security and operational log data for future analysis and review. The offering supports the storage of an unlimited number of logs without counting against your organization’s Events Per Second QRadar SIEM license, and enables your organization to build custom apps and reports based on this stored data to gain deeper insights into your IT environments.
Enhancements to the routing rules require entitlement for QRadar Data Store, but the entitlement is not currently enforced. In the future, when entitlement is enforced, access to the collected event data will be restricted to properly licensed systems. When the license is applied and the routing rule enhancement is selected, events that match the routing rule (marked as "Log Only") are stored to disk and are available to view and search. These events bypass the custom rule engine, and no real-time correlation or analytics occur. They can't contribute to offenses and are ignored when historical correlation runs.
For more information, see: https://www.ibm.com/support/knowledgecenter/SS42VS_7.3.1/com.ibm.qradar.doc/t_qradar_adm_data_store.html
16 June 2018