My account

Event Filtering in IBM QRadar


1,527
September 01, 2017

While configuring a SIEM tool (including IBM QRadar), administrators often make the wrong decision: “Let’s send all logs to SIEM, and then we’ll figure out what to do with them.”
Such actions most often lead to enormous license utilization, huge workload on a SIEM tool, appearance of a cache queue, and sometimes to event loss. In turn, this leads to the situation in which SIEM registers incidents far too late or does not register them at all. How to solve this task?

The primary option is to filter unnecessary events. To configure filtering, an initial analysis of the data that is delivered to SIEM tool is required. This is necessary to determine data that should be filtered out. After work on determining the necessary events is completed, you should transfer the settings to IBM QRadar.

Option 1
If Windows events are collected with WinCollect agent, they can be filtered as follows:

Go to ‘Admin‘ – ‘Log Sources‘. Open data source editing or create a new source from which events are collected with WinCollect agent.

In the LogSource settings, you need to fill in all required fields and select type of logs that should be collected. Select item ‘Exclusion Filter’ in the drop-down menu ‘* Log Filter Type.’ In the field ‘* Log Filter,’ specify the filter that meets the following requirements:
1. Event ID

Example: 17,338,873-875,1024
2. Services’ names (event IDs separated by commas or hyphens) that you want to filter.

Example: Sysmon (1-3.6); Ossec (55,4667)

Option 2
Another way of event filtering is the use of ‘Routing Rules.’
To do this, go to the tab ‘Admin’ – ‘Routing Rules.’

Select ‘Add.’

Fill in the required fields – ‘Name‘, etc.
In the ‘Event Filters’ menu, specify a filter that will become a base for event filtering.
Select ‘Drop’ in the ‘Routing Options’ menu.
Click ‘Save.’

After saving, the filtering rule will look like:

These two options for filtering events will allow you to significantly reduce EPS, improve license utilization, and thereby increase ROI of your SIEM tool. Performance and caching of events in IBM QRadar will remain at the proper level.

Remember, excessive filtering can remove important events from analysis and correlation. Be careful when adding filters and check the results of filtering.

 

Sergii Tyshchenko

Sergii Tyshchenko

Senior Technical Account Manager at SOC Prime
Sergii Tyshchenko

Latest posts by Sergii Tyshchenko (see all)

Related Posts