Excessive events in a spike cause a System Notification that advises the customer to increase their EPS license allocation.

QRadar EPS license allocation is implemented with a hard cutoff to ensure resources are not saturated.

During the spike, excess events are written to a queue, and they are processed after the EPS rate drops.

QRadar EPS licensing is measured as an average over a 24-hour period, which allows spikes to be handled gracefully.

Determine whether the rule matches too many conditions in the traffic.

In the offense output, scroll down and review the “Excessive” flags.

Confirm that the rule is enabled.

Use the QRadar Pulse app to map noisy offense output.

A network object can have multiple CIDR ranges assigned to it.

A network object must have at least one CIDR range per QRadar domain.

A network object represents a single asset that is connected to a network.

A network object is a group of assets that are connected to a network.

Per-tenant EPS limits can be set, but any events over the EPS will be dropped from the pipeline; over-license buffering will not be used to handle EPS spikes.

Per-tenant EPS limits can be set if the tenants are defined by event collectors. Then over-license buffering can be used to handle EPS spikes.

If each domain and tenant is defined by log source groups, the EPS limit can be shared by the log source groups used for each tenant. Over-license buffering is defined at the event collector.

The domain sets EPS limits, so each tenant needs to have only one domain. This way, over-license buffering can be used to handle EPS spikes.

/store/imports/inbound

/store/backupHost/inbound

/storetmp/backups

/storetmp/imports/backups