Escape complex QRadar SIEM maintenance, data quality issues and inefficiencies in the performance of rules and reports
QLean is ScienceSoft’s proprietary tool for systematically checking QRadar’s health. In the QLean demo, you’ll take a closer look at selected reporting tabs (Data Quality by Log Source, Data Quality by Device Type, Log Sources, Offense Analysis, Rules Performance, and Data Quality: Unknown and Stored) that make QRadar performance management easy and transparent.
Start exploring QLean with the Data Quality by Log Source tab. It lets you check the quality of the data received from each log source and the number of events that are collected but not properly normalized and parsed by QRadar.
For example, the two charts “The worst coverage (top 10)” and “The best coverage (top 10)” show the log sources with the lowest and the highest percentage of successfully recognized and categorized events.
Do you want to get more detailed information on log sources? The tables below the charts give the following details:
Pay special attention to the Coverage column: it shows what percentage of the event types supported for a log source QRadar has actually seen. A low value points to a misconfigured log source or an incomplete audit policy on the sending device, and tells you how many logs and events are being overlooked, so you can start log source fine-tuning promptly.
Identify problems common to all the log sources of the same type. For example, none of your Linux servers generates events in the “User Login Success” category, so you get no data about user logins. This reveals an incorrect audit baseline that needs tuning. The Data Quality by Device Type metric also shows whether a specific out-of-the-box DSM (Device Support Module) has to be updated, enhanced with a Log Source Extension (LSE), or whether your QRadar deployment needs a custom DSM or LSX (the XML file that defines an LSE).
Get a single-page view of all the log sources connected to QRadar. Using the tab, you can quickly sort, search and filter all log sources, a task that is time-consuming with the standard QRadar UI.
The information from the tab helps to detect the following issues:
Get clearly arranged statistics on the offenses generated by each rule.
See the rules that trigger the most offenses in the “Rules hit (top 10)” chart. The QLean demo lets you study each rule in detail: one click on a rule shows its description, its logic, and a list of the offenses it triggered, each with its unique offense identifier, the offense source (index), and the number of events, flows and offenses involved.
These insights complement the “Offenses” tab in the QRadar UI and are useful for correlation rule fine-tuning.
Get a snapshot of correlation rule performance.
Here you will find answers to questions such as:
The details on this tab let you find and eliminate incorrectly created or poorly tuned rules, heavy rules with irrelevant building blocks, and rules that produce false positives.
Understand which events are collected but not properly normalized and parsed by QRadar. Such events land in the Unknown and Stored low-level categories, bring no value and cannot be used to identify real offenses. The tab also lists all log sources and device types that send data but are not properly discovered or identified by QRadar. By comparing the total number of events from a particular log source or device type with the number of events that were normalized and parsed, you can easily identify the device types and log sources that have issues.
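The coverage and unparsed-event metrics described above (Data Quality by Log Source, Data Quality by Device Type, and Data Quality: Unknown and Stored) can be reproduced from a plain event export. The following is an added example written for this page, not QLean’s or IBM’s code; the event rows and the per-device-type “supported categories” table are constructed stand-ins, not real DSM definitions, and the field names are assumptions.

```python
"""QLean-style data-quality metrics computed from raw QRadar event rows.

Added example, not QLean's code. Each row mimics three fields of a QRadar
event export: log source name, device type, low-level category name. All
sample rows and the SUPPORTED_CATEGORIES table are constructed for the demo.
"""
from collections import defaultdict

# QRadar places events it could not parse (Stored) or could not map to a
# known event type (Unknown) into these low-level categories.
UNPARSED_CATEGORIES = {"Unknown", "Stored"}

# Constructed stand-in for the event types each DSM is expected to deliver.
SUPPORTED_CATEGORIES = {
    "LinuxServer": {"User Login Success", "User Login Failure",
                    "Session Opened", "Session Closed", "Sudo"},
    "WindowsAuthServer": {"User Login Success", "User Login Failure",
                          "User Account Added", "Group Member Added"},
}

# Constructed sample rows: (log source, device type, low-level category).
SAMPLE_EVENTS = [
    ("web01", "LinuxServer", "Session Opened"),
    ("web01", "LinuxServer", "Session Closed"),
    ("web01", "LinuxServer", "Stored"),
    ("web01", "LinuxServer", "Unknown"),
    ("web01", "LinuxServer", "Session Opened"),
    ("db01", "LinuxServer", "Session Opened"),
    ("db01", "LinuxServer", "Stored"),
    ("db01", "LinuxServer", "Stored"),
    ("db01", "LinuxServer", "Stored"),
    ("dc01", "WindowsAuthServer", "User Login Success"),
    ("dc01", "WindowsAuthServer", "User Login Failure"),
    ("dc01", "WindowsAuthServer", "User Account Added"),
    ("dc01", "WindowsAuthServer", "Unknown"),
    # A device QRadar receives data from but has no DSM for: all Stored.
    ("nas01", "Universal", "Stored"),
    ("nas01", "Universal", "Stored"),
    ("nas01", "Universal", "Stored"),
]


def unparsed_share(events):
    """Per log source: (total events, unparsed events, unparsed percent)."""
    totals, unparsed = defaultdict(int), defaultdict(int)
    for source, _device, category in events:
        totals[source] += 1
        if category in UNPARSED_CATEGORIES:
            unparsed[source] += 1
    return {s: (totals[s], unparsed[s], round(100.0 * unparsed[s] / totals[s], 1))
            for s in totals}


def coverage_by_log_source(events, supported=SUPPORTED_CATEGORIES):
    """Percent of the supported event types each log source has actually sent.

    None when there is no supported-type list for the device type (no DSM),
    which is itself a finding: the source is sending data QRadar cannot use.
    """
    seen, device_of = defaultdict(set), {}
    for source, device, category in events:
        device_of[source] = device
        if category not in UNPARSED_CATEGORIES:
            seen[source].add(category)
    result = {}
    for source, device in device_of.items():
        expected = supported.get(device)
        if not expected:
            result[source] = None
            continue
        result[source] = round(100.0 * len(seen[source] & expected) / len(expected), 1)
    return result


def missing_by_device_type(events, supported=SUPPORTED_CATEGORIES):
    """Supported event types that no log source of a device type has ever sent.

    This is the 'none of your Linux servers reports User Login Success' check:
    a category missing across the whole type points at the audit baseline or
    the DSM rather than at one host.
    """
    seen = defaultdict(set)
    for _source, device, category in events:
        if category not in UNPARSED_CATEGORIES:
            seen[device].add(category)
    return {device: sorted(expected - seen[device])
            for device, expected in supported.items()}


def rank_coverage(coverage, worst=True, n=10):
    """Top-n list for the worst/best coverage charts; sources without a DSM are skipped."""
    scored = [(s, c) for s, c in coverage.items() if c is not None]
    return sorted(scored, key=lambda sc: sc[1], reverse=not worst)[:n]


if __name__ == "__main__":
    for src, (total, bad, pct) in unparsed_share(SAMPLE_EVENTS).items():
        print(f"{src:8} {bad}/{total} unparsed ({pct}%)")
    cov = coverage_by_log_source(SAMPLE_EVENTS)
    print("worst coverage:", rank_coverage(cov, worst=True))
    print("best coverage:", rank_coverage(cov, worst=False))
    for dev, gaps in missing_by_device_type(SAMPLE_EVENTS).items():
        print(f"{dev}: never seen {gaps}")
```

With the constructed rows, db01 has the worst coverage (one of five supported Linux categories seen, 75% of its events unparsed), nas01 is flagged as having no DSM at all, and the device-type roll-up shows that no Linux server has ever sent a login-success, login-failure or sudo event, the audit-baseline gap the text describes.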
This QLean demo has introduced you to several features of our proprietary tool. If you want to discover more, contact our team for deeper insights.