QLEAN Metrics Description
INFO – Informational metrics
STAT – Statistical metrics
TRBL – Troubleshooting metrics
Generic
Console IP address (INFO)
IP Address of AiO/Console appliance.
Usage: identify specific deployment when running QLEAN reports on multiple QRadar instances.
Console UUID (INFO)
Unique hardware identifier.
Usage: use this value to request QLEAN license.
QRadar software version (INFO)
Current version of QRadar deployment.
Usage: use this value to request QLEAN license.
Version history (STAT)
List of major releases and patches installed since an initial deployment, including dates of installation and the number of installed or upgraded packages.
Usage: keep track of deployment updates; identify a potentially faulty version if a problem started on a particular date.
Users (STAT)
List of QRadar users with their roles.
Usage: track excess permissions, outdated or unwanted accounts.
Deployment: Hosts
QRadar hosts (STAT/TRBL)
List of Managed Hosts configured within deployment, including HA IP addresses and roles, performance information, disk usage details.
Usage: deployment overview, identify hosts in non-operational state, hosts running out of disk space; plan upgrades or migration.
Deployment: Health
Recent backups (STAT/TRBL)
List of last automatic configuration and data backups.
Usage: track the status of automatic backups, assess disk space requirements, identify backup task failures.
Configuration: Number of displayed records can be adjusted via Backup number control in QLEAN Execution parameters.
Integrity of events / flows for recent 24h (TRBL)
Integrity information for events / flows Ariel data files for last 24 hours. Corresponding data hashing must be enabled in QRadar Ariel database settings.
Usage: identify disk failures or malicious corruption of data.
Last warnings and errors from System Notification (TRBL)
List of severe events from System Notification.
Usage: track important notifications that may be omitted or dismissed by mistake when browsing QRadar UI.
Configuration: Number of displayed records can be adjusted via Sys Notification Count control in QLEAN Execution parameters.
Available in QRadar UI.
Last autoupdate errors (TRBL)
List of failed automatic updates.
Usage: failed dependencies can be resolved manually by downloading and installing missing packages.
Configuration: Number of displayed records can be adjusted via Autoupdate Errors Count control in QLEAN Execution parameters.
Available in QRadar UI.
Environment: Log Sources
Last inactive log sources (TRBL)
List of Log Sources in N/A or Error state from which no events have been received for more than 12 hours. If a Log Source was modified within a specific timeframe (24h by default, configurable globally across all metrics via the Time range for Ariel queries parameter) before the last event was seen, the corresponding QRadar user name is displayed. If the modification happened beyond the SIM Audit retention period, the User value will be empty.
Usage: detect idle, faulty or misconfigured Log Sources; identify QRadar users who are responsible for their modification.
Configuration: Number of displayed records can be adjusted via Log Source Actions Count control in QLEAN Execution parameters.
Last disabled log sources (TRBL)
List of Log Sources in Disabled state. QRadar user name who has disabled the Log Source is displayed if the action was performed within SIM Audit retention period.
Usage: detect disabled Log Sources and QRadar users who are responsible for their disablement.
Configuration: Number of displayed records can be adjusted via Log Source Actions Count control in QLEAN Execution parameters.
Protocol configuration errors (TRBL)
List of Log Sources in WARN state, with the corresponding failure reason. If a Log Source was modified within a specific timeframe (24h by default, configurable globally across all metrics via the Time range for Ariel queries parameter) before the last event was seen, the corresponding QRadar user name is displayed. If the modification happened beyond the SIM Audit retention period, the User value will be empty.
Usage: detect misconfigured Log Sources that poll data periodically, and QRadar users who are responsible for their modification.
Configuration: Number of displayed records can be adjusted via Log Source Actions Count control in QLEAN Execution parameters.
Last added log sources (TRBL)
List of recently added and enabled Log Sources. If a Log Source has been added by QRadar user, and the action was performed within SIM Audit retention period, corresponding QRadar user name is displayed.
Usage: track new Log Sources, identify those that cause abnormal EPS capacity consumption.
Configuration: Number of displayed records can be adjusted via Log Source Actions Count control in QLEAN Execution parameters.
Last modified log sources (TRBL)
List of recently modified Log Sources. If a Log Source has been modified by QRadar user, and the action was performed within SIM Audit retention period, corresponding QRadar user name is displayed.
Usage: track Log Sources modification, identify causes of event pipeline changes, normalization failures.
Configuration: Number of displayed records can be adjusted via Log Source Actions Count control in QLEAN Execution parameters.
Last deleted log sources (TRBL)
List of recently deleted Log Sources. QRadar user name who has deleted the Log Source is displayed if the action was performed within SIM Audit retention period.
Usage: identify whether Log Sources have been deleted for optimization/troubleshooting purposes, maliciously, or by mistake.
Configuration: Number of displayed records can be adjusted via Log Source Actions Count control in QLEAN Execution parameters.
All log sources (STAT/TRBL)
Detailed list of all external Log Sources (excluding QRadar's own services).
Usage: quickly sort, filter and search.
Available in QRadar UI: sort, filter, and edit a Log Source by clicking on its name.
Environment: EPS
EPS/FPM per managed host (STAT/TRBL)
List of event/flow processing hosts (21xx, 31xx, 16xx, 17xx, 18xx) with their EPS/FPM license limits and actual capacity utilization statistics for last interval (24 hours by default, configurable via Time range for Ariel queries parameter).
Usage: identify overloaded or idle hosts, reconsider license allocation or enhancement.
EPS per log source type (STAT/TRBL)
List of the most EPS consuming Log Sources grouped by Type (DSM). Average and peak EPS values are lifetime stats.
Usage: review audit baseline for Log Source Types that produce too many events and disable logging or filter out unwanted messages.
Configuration: Number of displayed records can be adjusted via Log Source Types Count control in QLEAN Execution parameters.
Environment: Raw EPS
Raw inbound events per second (STAT/TRBL)
Real amount of incoming events per Managed Host (including Event Collectors), without considering license limitations. Time frame depends on the amount of data available in last 3 instances of qradar.log file, and may normally vary from 1 to 5 days.
Usage: detect spikes and gaps, re-consider license allocation or enhancement.
Available in QRadar UI.
Environment: Raw FPM
Raw inbound flows per minute (STAT/TRBL)
Real amount of incoming flows per Managed Host (including Flow Collectors), without considering license limitations. Time frame depends on the amount of data available in last 3 instances of qradar.log file, and may normally vary from 1 to 5 days.
Usage: detect spikes and gaps, re-consider license allocation or enhancement.
Available in QRadar UI.
Environment: Data Quality by Device Type
Data quality by Device type (STAT/TRBL)
List of device Types (DSMs) in use, each containing:
- List of Event Categories for which no events were received in defined timeframe (24 hours by default, configurable globally across all metrics via Time range for Ariel queries parameter).
- Category coverage: percentage of seen Event Categories against all supported by DSM.
- List of seen Event Categories, including average event severity, number of seen Event Types, number of supported Event Types, total number of events seen in Category, and Event Coverage - percentage of seen Event Types against supported ones.
Note: Event Coverage 101% (Types Seen > Types Supported) means that specific DSM utilizes QIDs from other DSMs. For instance, LinuxServer shares many QIDs with OS Services.
Usage:
- Assess quality of audit configuration, when all Log Sources of one type are configured using the same baseline.
- Identify important categories missing in event pipeline; detect DSMs that require update or LSX.
- Compare several daily reports to identify Categories that are constantly missing.
Note: Data Quality metrics run multiple Ariel searches over all collected data, and therefore require a notable amount of time to execute. To minimize QLEAN report generation time, either use the Time range for Ariel queries parameter to narrow down the timeframe, or disable these metrics via the Disable Data Quality Metrics checkbox.
Available in QRadar UI: sort, drill down to event types distribution by clicking on Category name. Drill down to raw events via right-click menu on Category name.
Environment: Data Quality by Log Source
Data quality by Log source (STAT/TRBL)
List of Device Types (DSMs) in use, each containing:
List of Log Sources with their event pipeline statistics for defined timeframe (24 hours by default, configurable globally across all metrics via Time range for Ariel queries parameter), regardless of Categories; each contains: Device Type (DSM), average event severity, number of seen Event Types, number of supported Event Types by DSM, total number of events, coverage - percentage of seen types against supported ones.
Usage: assess quality of audit configuration per Log Source instance, consider updating the DSM or creating an LSX/Custom DSM. Pay attention to Log Sources in the Worst Coverage list, those with Types Seen = 1 and low severity.
Note: DSMs usually include QIDs for multiple versions and optional components/features available for an application or appliance, so 100% coverage is unlikely for most Device Types. Normally, coverage > 20% is considered good enough.
Note: Data Quality metrics run multiple Ariel searches over all collected data, and therefore require a notable amount of time to execute. To minimize QLEAN report generation time, either use the Time range for Ariel queries parameter to narrow down the timeframe, or disable these metrics via the Disable Data Quality Metrics checkbox.
Available in QRadar UI: sort, filter, drill down to event types distribution by clicking on Log Source name.
Environment: Data Quality - Unknown Events and Sources
Unknown events (TRBL)
List of Log Sources that have unknown events detected in the defined timeframe (24 hours by default, configurable globally across all metrics via the Time range for Ariel queries parameter), including the total number of received events, the number of unknown events, and the latter as a percentage of the former.
Usage: detect Log Sources that produce a significant amount of unparsed data, either to disable noise or to extract important security information.
Note: Data Quality metrics run multiple Ariel searches over all collected data, and therefore require a notable amount of time to execute. To minimize QLEAN report generation time, either use the Time range for Ariel queries parameter to narrow down the timeframe, or disable these metrics via the Disable Data Quality Metrics checkbox.
Available in QRadar UI: sort, filter, drill down to events payload by clicking on Log Source name.
SIM Generic log sources (TRBL)
List of IP addresses from which un-identified events were received and not assigned to any existing Log Source in defined timeframe (24 hours by default, configurable globally across all metrics via Time range for Ariel queries parameter), including the number of such events.
Usage: detect unwanted noise, or important events that cannot be identified as belonging to particular Log Source because of message format, or Log Sources that must be created manually.
Available in QRadar UI: sort, drill down to events payload by clicking on source IP Address.
Environment: Runtime Statistics
Runtime JMX metrics (INFO/STAT)
Runtime (since the last hostcontext service restart) statistics cover the following event/flow information: average payload size, average record size, average rate, number of dropped records.
Usage: estimate disk requirements for collected data storage, identify collection issues.
Note: on some deployments, runtime metrics can take a notable amount of time to execute. To speed up report generation, use the Disable Advanced Metrics checkbox in QLEAN Execution parameters.
Dump DSM information (INFO/STAT)
Output of the dumpDSMinfo support script; contains system-level collection, parsing and normalization statistics for active DSMs.
Usage: identify parsing and normalization issues.
Note: on some deployments, runtime metrics can take a notable amount of time to execute. To speed up report generation, use the Disable Advanced Metrics checkbox in QLEAN Execution parameters.
Environment: Assets
Top risky assets (STAT/TRBL)
List of Assets with the highest Risk Level and number of vulnerabilities.
Usage: identify endpoints that require software upgrade or additional protection.
Configuration: Number of displayed records can be adjusted via Top Assets Count control in QLEAN Execution parameters.
Correlation: Offenses
Top unique offenses (TRBL)
List of open Offenses involving the greatest number of events or flows, grouped by Offense description.
Usage: identify false-positives or actual attacks.
Configuration: Number of displayed records can be adjusted via Top Offenses Count control in QLEAN Execution parameters.
Available in QRadar UI: open list of similar offenses by clicking on Offense name.
Offense closing reasons (STAT)
List of reasons and, partially, notes used to close offenses during the recent 30 days.
Usage: identify most common incident types; assess the clarity of resolutions made by security team.
Offense analysis (STAT/TRBL)
List of enabled correlation rules along with offenses being generated by them, rules logic, and notes.
Stats are lifetime and depend on the configured offense retention period (30 days by default).
The second column shows the offense type (a property that the offense is indexed by) and appropriate values.
The third column header shows the rule type (common, events, flows, offense). Column values represent total number of events and flows involved in the offense.
The chart values show how many times rules have been triggered.
Usage: identify false-positive offenses, common sources of incidents, fix rules logic accordingly.
Configuration: Use the Offense Analysis: exclude inactive and Offense Analysis: include dismissed checkboxes in QLEAN Execution parameters to control whether hidden, closed and inactive offenses are present in the output.
Available in QRadar UI: sort, drill down to offense details by clicking on its ID, open Rule Wizard by clicking on icon next to Rule name.
Correlation: Offenses (2)
Attacker to target (STAT/TRBL)
Represents links between Attackers networks from Network Hierarchy and specific Destination (Target) IP addresses.
Usage: identify common attack/incident directions.
Available in QRadar UI.
Top attackers (STAT/TRBL)
List of top 25 Attackers by their networks from Network Hierarchy.
Usage: identify the most common attacker networks.
Available in QRadar UI.
Top targets (STAT/TRBL)
List of top 25 target IP addresses in active offenses.
Usage: identify the most common targets.
Available in QRadar UI.
Offense per user (STAT/TRBL)
List of top-targeted networks from Network Hierarchy by Users participating in attacks.
Usage: identify the most common usernames attacking internal resources.
Available in QRadar UI.
Correlation: Rules
Rules counters (STAT)
Includes the number of enabled, disabled, custom (created by user) and modified rules, and the number of Building Blocks.
Usage: high-level overview of QRadar tuning.
Rules performance (STAT/TRBL)
Lists of runtime (since the last hostcontext service restart) statistics based on findExpensiveCustomRules support script.
Usage: identify rules that require tuning (add tests to narrow down the amount of data to match, adjust thresholds, replace payload searches with custom properties, fix or disable Custom Action scripts).
Configuration: Number of displayed records can be adjusted via Rules Performance Count control in QLEAN Execution parameters.
Stats gathering interval can be set via Rules Performance Interval control. This value affects execution time of QLEAN report.
Available in QRadar UI: open Rule Wizard by clicking on the rule name.
Correlation: Rules (2)
Rule actions and responses (STAT/TRBL)
Lists of all correlation rules with their Action and Response options.
Usage: identify rules that generate offenses, add or remove information to/from Reference Sets and Reference Data, add events to existing offenses, modify magnitude metrics.
Available in QRadar UI: open Rule Wizard by clicking on the rule name.
Correlation: Reports
Top heavy reports (STAT/TRBL)
List of the most time consuming reports, along with their expected and actual execution time.
Usage: identify reports that take longer than usual to generate, refer to Last modified searches metric to check whether any search changes caused reports to slow down.
Configuration: Number of displayed records can be adjusted via Top Reports control in QLEAN Execution parameters.
Available in QRadar UI: open report properties by clicking on its name.
Last 10 recently modified searches (STAT/TRBL)
List of 10 saved searches that were recently modified.
Usage: identify a responsible person, if search modification caused incorrect sampling, increased report execution time, system overload, or affects correlation rules logic.
SOC KPI
Incident resolution time (STAT)
Distribution of offenses closed within 4h, 12h, 1d, 3d, 7d, 14d, 1m timeframes during last 31 days, or within a custom timeframe.
Usage: track analyst activities, assess SOC performance.
Configuration: define a custom time range via SOC KPI Data Range control in QLEAN Execution parameters. If not defined, or Reset time range button was pressed, data will be collected for the recent 31 days.
Incident response time (STAT)
Distribution of assigned or protected offenses within 4h, 12h, 1d, 3d, 7d, 14d, 1m timeframes during the last 31 days, or within a custom timeframe.
Usage: track analyst activities, assess SOC performance.
Configuration: define a custom time range via SOC KPI Data Range control in QLEAN Execution parameters. If not defined, or Reset time range button was pressed, data will be collected for the recent 31 days.
Incidents closed per user (STAT)
Distribution of offenses closed by analysts during the last 31 days, or within a custom timeframe.
Usage: track analyst activities, assess SOC performance.
Configuration: define a custom time range via SOC KPI Data Range control in QLEAN Execution parameters. If not defined, or Reset time range button was pressed, data will be collected for the recent 31 days.
Incidents detected (STAT)
Number of new offenses for the last 31 days, or within a custom timeframe.
Usage: assess quality of correlation tuning.
Configuration: define a custom time range via SOC KPI Data Range control in QLEAN Execution parameters. If not defined, or Reset time range button was pressed, data will be collected for the recent 31 days.
Incident severity (STAT)
Offense severity levels for the last 31 days, or within a custom timeframe.
Usage: assess quality of correlation tuning.
Configuration: define a custom time range via SOC KPI Data Range control in QLEAN Execution parameters. If not defined, or Reset time range button was pressed, data will be collected for the recent 31 days.
System tuning actions (STAT)
Number of modifications (reference sets, rules, log sources, etc.) performed during the last 31 days, or within a custom timeframe.
Usage: track analyst activities, assess SOC performance.
Configuration: define a custom time range via SOC KPI Data Range control in QLEAN Execution parameters. If not defined, or Reset time range button was pressed, data will be collected for the recent 31 days.
Fine Tuning
Untuned building blocks (STAT/TRBL)
List of active system (not modified) Building Blocks, mostly HostDefinitions, containing default IP address placeholders (127.0.0.2).
Usage: identify default BBs to update with proper values.
Available in QRadar UI: open Rule Wizard by clicking on a Building Block name.
Untuned network hierarchy elements (STAT/TRBL)
List of system networks containing default CIDRs.
Usage: identify default networks to update with proper values.
Available in QRadar UI: open network Hierarchy interface by clicking on an entry name.
Untuned network hierarchy correlation rules (STAT/TRBL)
List of correlation rules that utilize default network hierarchy elements.
Usage: refer to the list to either change rules filters or update corresponding Network Hierarchy entries to avoid false-positives or missed incidents.
Custom DSM unknown events (STAT/TRBL)
Shows the number of unknown events received from Custom DSM log sources.
Usage: Custom DSMs are assumed to recognize all events and therefore should not have any Unknowns. Identify event types that weren’t seen before and may contain important security information, and create matchers for them via DSM Editor.
Flow sources (STAT)
Inbound flows statistics per flow source for the last 24 hours.
Usage: identify most loaded flow capturing interfaces for balancing and tuning.
Unassigned log sources (STAT/TRBL)
List of Log Sources that are not assigned to any Log Source Group.
Usage: check the list to make sure that rules utilizing Log Source Groups in their logic capture all required data.
Performance
Global views performance (STAT/TRBL)
Output of collectGvStats support script, showing speed of saved searches and reports for log data and network activity.
Usage: identify and optimize searches that take too long to execute.
Regex relative performance (STAT/TRBL)
Assesses regular expression speed by performing multiple matches against a payload. Properties without a payload (Test Field in Custom Properties) are omitted.
Usage: identify and fix custom properties that slow down events processing.
Available in QRadar UI.
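Added example (not QLEAN code): a sketch of the relative-speed measurement described for Regex relative performance, which matches each custom property regex repeatedly against its test payload and skips properties that have none. It assumes Python's re module in place of QRadar's Java regex engine; the property names, regexes and payload are constructed for illustration.

```python
import re
import time

# Constructed sample payload; stands in for a property's Test Field content.
SAMPLE_PAYLOAD = (
    "<13>Jan 10 12:00:01 host01 sshd[4242]: Failed password for invalid user "
    "admin from 192.0.2.10 port 51234 ssh2 padding=" + "a" * 400
)

# Hypothetical custom properties (names and regexes are illustrative only).
CUSTOM_PROPERTIES = [
    {"name": "SrcIP_anchored",
     "regex": r"from (\d{1,3}(?:\.\d{1,3}){3}) port",
     "payload": SAMPLE_PAYLOAD},
    {"name": "SrcIP_greedy",
     "regex": r".*from (.*) port.*",
     "payload": SAMPLE_PAYLOAD},
    {"name": "NoTestField", "regex": r"user (\S+)", "payload": None},
]


def time_property(regex, payload, iterations=2000):
    """Return average seconds per match attempt for one regex."""
    pattern = re.compile(regex)
    start = time.perf_counter()
    for _ in range(iterations):
        pattern.search(payload)
    return (time.perf_counter() - start) / iterations


def relative_performance(properties, iterations=2000):
    """Time every property that has a payload; return (report, skipped).

    report is sorted slowest first; 'relative' is the cost compared with
    the fastest property (fastest == 1.0). Properties without a payload
    or with a regex that does not compile are listed in skipped.
    """
    timed, skipped = [], []
    for prop in properties:
        if not prop.get("payload"):
            skipped.append(prop["name"])   # no test payload: omitted
            continue
        try:
            cost = time_property(prop["regex"], prop["payload"], iterations)
        except re.error:
            skipped.append(prop["name"])   # invalid regex: cannot be timed
            continue
        timed.append((prop["name"], cost))
    if not timed:
        return [], skipped
    fastest = max(min(cost for _, cost in timed), 1e-12)
    report = [
        {"name": name, "seconds_per_match": cost, "relative": cost / fastest}
        for name, cost in timed
    ]
    report.sort(key=lambda row: row["relative"], reverse=True)
    return report, skipped


if __name__ == "__main__":
    rows, omitted = relative_performance(CUSTOM_PROPERTIES)
    for row in rows:
        print(f"{row['name']:<16} x{row['relative']:.1f}")
    print("omitted:", ", ".join(omitted))
```

Properties at the top of the output are the candidates for rewriting, for example by anchoring the expression or replacing greedy wildcards with explicit character classes.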