Configuring routing rules to use the QRadar Data Store

A new offering, IBM QRadar® Data Store, normalizes and stores both security and operational log data for future analysis and review. The offering supports the storage of an unlimited number of logs without counting against your organization’s Events Per Second QRadar SIEM license, and enables your organization to build custom apps and reports based on this stored data to gain deeper insights into your environments.

About this task

Using the Log Only (Exclude Analytics) option requires entitlement for QRadar Data Store, but is not currently enforced. In the future, when entitlement is enforced, access to the collected event data will be restricted to properly licensed systems. When the license is applied and the Log Only (Exclude Analytics) option is selected, events that match the routing rule will be stored to disk and will be available to view and for searches. The events bypass the custom rule engine and no real-time correlation or analytics occur. The events can't contribute to offenses and are ignored when historical correlation runs.

The following apps also ignore Log Only events:
  • QRadar User Behavior Analytics
  • QRadar Advisor with Watson™

Restriction: QRadar on Cloud users must open a support ticket to create forwarding destinations and to forward data to other systems. For more information, see QRadar on Cloud work items that require a support ticket.

Procedure

  1. On the navigation menu, click Admin.
  2. In the System Configuration section, click Routing Rules.
  3. On the toolbar, click Add.
  4. In the Routing Rule window, type a name and description for your routing rule.
  5. In the Mode field, select Online.
  6. In the Forwarding Event Collector list, select the event collector on which you want to apply the Log Only (Exclude Analytics) option.
  7. In the Data Source field, select Events.
  8. Specify which events to apply the Log Only (Exclude Analytics) option to by applying filters:
    1. To apply the Log Only (Exclude Analytics) option to all incoming data, select the Match All Incoming Events check box.
      Restriction: If you select this check box, you cannot add a filter.
    2. To apply the Log Only (Exclude Analytics) option to only some events, specify the filter criteria, and then click Add Filter.
  9. To apply the Log Only (Exclude Analytics) option to log data that matches the specified filters, select Log Only (Exclude Analytics).
    Note: The Log Only (Exclude Analytics) option specifies that events are stored and flagged in the database as Log Only and bypass CRE. These events are not available for historical correlation, and are credited back 100% to the license. This option is not available for flows.

    You can combine the Forward and Log Only (Exclude Analytics) options. Events are forwarded to the specified forwarding destination in online mode. Events are stored and flagged in the database as Log Only and bypass CRE. These events are not available for historical correlation, and are credited back 100% to the license. This option is not available in offline mode.

    If data matches multiple rules, the safest routing option is applied. For example, if data matches both a rule that is configured to drop it and a rule that bypasses CRE processing, the data is not dropped. Instead, the data bypasses the CRE and is stored in the database.

  10. Click Save.
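The following is an added illustrative model, not IBM's code or any QRadar API, of how the dispositions described in this procedure combine: Log Only events are stored but bypass the CRE and historical correlation, Log Only is rejected for flows and for offline mode, and when an event matches both a Drop rule and a Log Only rule the safest option (bypass CRE, keep the event) wins. The rule and event values are constructed for the example.

```python
"""Illustrative model of QRadar routing-rule dispositions (not QRadar's code)."""
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    DROP = "drop"           # event is discarded
    LOG_ONLY = "log_only"   # stored, flagged Log Only, bypasses the CRE
    FORWARD = "forward"     # sent to the rule's forwarding destination


@dataclass
class RoutingRule:
    name: str
    filters: dict           # field -> value; {} means Match All Incoming Events
    actions: set
    mode: str = "online"    # "online" or "offline"
    data_source: str = "events"

    def __post_init__(self):
        # Constraints stated on the page: Log Only is not available for
        # flows and is not available in offline mode.
        if Action.LOG_ONLY in self.actions and self.data_source != "events":
            raise ValueError(f"{self.name}: Log Only is not available for flows")
        if Action.LOG_ONLY in self.actions and self.mode != "online":
            raise ValueError(f"{self.name}: Log Only is not available in offline mode")

    def matches(self, event: dict) -> bool:
        # Every filter field must equal the event's value; no filters matches all.
        return all(event.get(k) == v for k, v in self.filters.items())


def route(event: dict, rules: list) -> dict:
    """Return the disposition of one event under a set of routing rules."""
    matched = [r for r in rules if r.matches(event)]
    actions = set().union(*(r.actions for r in matched))
    # Default: stored, processed by the CRE, eligible for historical correlation.
    disp = {"matched": [r.name for r in matched], "stored": True, "cre": True,
            "historical_correlation": True, "forwarded": Action.FORWARD in actions}
    if Action.LOG_ONLY in actions:
        # Safest routing wins over Drop: kept on disk, flagged Log Only, no CRE.
        disp.update(cre=False, historical_correlation=False)
    elif Action.DROP in actions:
        disp.update(stored=False, cre=False, historical_correlation=False)
    return disp


# Constructed sample rules, not taken from a real deployment.
RULES = [
    RoutingRule("drop-fw-debug", {"log_source_type": "Firewall", "severity": 1}, {Action.DROP}),
    RoutingRule("store-fw", {"log_source_type": "Firewall"}, {Action.LOG_ONLY}),
]
```

Running `route({"log_source_type": "Firewall", "severity": 1}, RULES)` shows the event matching both rules ends up stored with `cre` false rather than dropped.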