Health Check Framework for IBM QRadar SIEM

Attend to your SIEM solution’s health to ensure impeccable defense

Continious monitoring of your QRadar SIEM deployment


  • Can you guarantee efficiency of internal control for you incident management process?
  • Do you have evidence of your SIEM performance?
  • Does your SIEM management team use any metrics to measure SIEM performance?
  • Do you have an overall view of how effectively your security plan is working?

Neglecting the state of your SIEM system’s performance means compromising its efficiency and overlooking real-time attacks that lead to severe security breaches. To enable constant control over your SIEM solution’s health, ScienceSoft developed Health Check Framework (HCF) for IBM Security QRadar SIEM, an automated monitoring tool that allows security administrators to continuously sustain the platform’s operability.

HCF for QRadar SIEM provides security administrators with 60+ performance and behavioral metrics, as well as includes 25 Health Markers for quick assessment of the solution’s functioning. The tool ensures a comprehensive view of an organization’s SIEM system by letting security specialists detect operational deviations along with data losses, and helping to troubleshoot them promptly. 



To let security administrators monitor their QRadar environment from within, HCF for QRadar SIEM provides a set of configurable Health Markers and comprehensive Health Check Report revealing performance issues and offering pertinent recommendations to overhaul them.

Prompt diagnostics with Health Markers

Prompt diagnostics with Health Markers

An integral part of HCF for QRadar SIEM, 25 Health Markers enable security administrators to get a holistic overview of the system performance evaluated against specified threshold values that can be fine-tuned according to your particular network. All the important QRadar metrics are automatically summarized into 25 Health Markers, and then sent to QRadar administrators in a detailed notification email. The notification contains all detected performance issues along with recommendations to fix them.

The Markers draw an accurate portrait of the system, stressing such important aspects as:

  • Mistakes in correlation rules
  • Presence of uncategorized or unknown events
  • Critical modification to log sources
  • Detected auto-update errors
  • Excessive time of correlation rule execution
  • Slow response of correlation rules, and more

Health Check Report to analyze your QRadar SIEM fitness

Health Check Report to analyze your QRadar SIEM fitness

Apart from the Health Markers giving a quick overview of QRadar SIEM performance, HCF subscribers also get access to a comprehensive Health Check Report that includes 60+ performance and behavioral metrics. The Report offers an extended description of identified problems, hence helps security administrators to choose possible actions to recover the system’s correct operability. Each report generated by HCF contains a detailed analysis with the following performance indicators:

  • Console summary of the system’s state (e.g. number of active log sources and assets, storage and memory available, top 10 unique offences)
  • EPS and FPI statistics
  • Events and Flows timelines
  • Disk, CPU and memory usage on managed hosts
  • Log Sources productivity
  • Incoming log data quality
  • Correlation rules and reports performance and more

Our SIEM team keeps enhancing the HCF functionality and enriches it with new features. See the full list of the HCF versions to stay tuned and refine your QRadar SIEM capabilities.


Our 12-year SIEM consulting experience showed that poor performance, low data quality along with complex and costly maintenance are the major factors that prevent companies from getting the most value from their SIEM deployments. It means that even with a SIEM solution in place, organizations often overlook critical security events occurring within their networks and still make considerable investments to support the system’s operability.

HCF for QRadar SIEM was created to keep security administrators alerted on the system’s configuration and performance issues and let companies overcome the most frequent drawbacks hindering their QRadar SIEM effectiveness.

Faultless performance

Faultless performance

HCF provides the system’s all-round profile by revealing pain spots that should be fine-tuned or reconfigured to ensure a higher level of protection:

  • EPS and FPM Timelines reflect the amount of events and flows processed within the system over a certain period of time, thus alerting security specialists when the enabled licenses don’t match the real number of data coming to the system.
  • Events and Rules reveal average and peak EPS per log types within a specified timeframe, as well as show how fast correlation rules are executed, their response time, the number of responses per correlation rule, etc. Therefore, security administrators can optimize badly configured or incorrect rules consuming too much resources.
  • Offense Analysis helps to identify correlation rules generating the abnormal number of false-positives, thus requiring to be fine-tuned.
  • Heavy Reports depict the reports that take the longest time to be generated, which points to the errors that are to be eliminated.

Homogeneous data

Homogeneous data

HCF helps to improve the quality of data collected from numerous log sources. This allows to minimize risks of missing important log data and overlooking critical security offenses due to log source misconfiguration. Via dedicated performance metrics, HCF for IBM QRadar SIEM informs security administrators about:

  • data generated by unknown/unsupported log sources
  • misconfigured log sources that show inadequate coverage of security events
  • maliciously misconfigured log sources
  • disabled log sources that don’t generate any security events, and more

Simplified maintenance

Simplified maintenance

HCF’s advanced operational analytics enables CISOs to stick to a proactive information security strategy and eliminates the necessity to create custom scripts and additional reporting tools. This allows security specialists to enhance QRadar’s performance with less time, effort and budget required to maintain the platform.

The tool enables quick and timely improvements of the QRadar deployment by in-house security specialists, which allows companies to maintain excellent network protection.

You are welcome to download the white paper on HCF for IBM Security QRadar SIEM and get additional information on the tool’s functionality and advantages along with the snapshots of the HCF dashboards and reports.

Read the white paper


To ensure a flexible set up and tuning of your HCF for QRadar SIEM, we created Health Check Framework Manager (HCF Manager) that is officially available at IBM® Security App Exchange. HCF Manager is a specialized application that helps security administrators to set up and manage HCF for IBM QRadar SIEM. The application is validated by IBM and available for download at IBM® Security App Exchange.

HCF Manager enables security administrators to update HCF for QRadar SIEM settings as well as configure management, execution and scheduling of report mailing lists and report downloading. The application allows security administrators to flexibly tailor their HCF deployment, thus guarantee quality monitoring of their all-in-one or distributed QRadar environments.


Feel free to address your questions on HCF functionality to our SIEM consultants who will provide a free consultation, explain the capabilities and organize a live demo to demonstrate the solution in action.