SOAR sizing guidelines introduction

This guide provides system configuration recommendations to assist in deploying and maintaining the IBM Security® QRadar® SOAR Platform.

The recommendations apply only to the SOAR Virtual Appliance, which is provided as a virtual application (vApp) in Open Virtualization Format (.ova file). They are not meant for the standalone installation. Also, the recommendations do not cover the use of the optional SOAR for MSSPs add-on module.

The configurations in this guide represent the minimum settings recommended to maintain acceptable response time during steady state operation and are expected to be used as starting points. Administrators may need to adjust resources to account for their specific workloads. The default SOAR virtual appliance configuration is 4 CPUs (cores), 16GB of RAM, and a 150GB disk.

Please make note of the following key terms that are referred to throughout the guide:
  • Active Users: Number of users logged in and actively managing incidents.
  • Automation: SOAR platform features, including rules, workflows, scripts, functions, and apps. Effect on system performance depends on complexity.
  • Incident Rate: Number of incidents created per unit time. Includes incidents generated manually as well as by automation.
  • Workload: Requests generated by users and automation. Varies depending on metrics such as active users, incident rate, and automation complexity.

This guide provides recommendations for three different sample workloads, referred to as “Typical,” “Moderate,” and “Heavy.”
  • Typical: 5 incidents created per user per day, and 2 workflows that are triggered upon incident creation.
  • Moderate: 7 incidents created per user per day, and 4 workflows that are triggered upon incident creation.
  • Heavy: 9 incidents created per user per day, and 6 workflows that are triggered upon incident creation.

For the purposes of creating these guidelines, each workflow is considered to be configured identically and to consist of 2 scripts, 2 functions, and 4 tasks. The workflows are configured to cascade, so that each workflow triggers the next one.