IBM Security QRadar SIEM V7.4.3 Administration — Question 15

A QRadar deployment professional designs a multi-tenant environment where each tenant is permitted a quantity of events per second (EPS).
In a discussion with the service provider (who provides the security monitoring services to each tenant), how should the deployment professional describe the licensing options available?

Answer options

• A. Per-tenant EPS limits can be set, but any events over the EPS will be dropped from the pipeline; over-license buffering will not be used to handle EPS spikes.
• B. Per-tenant EPS limits can be set if the tenants are defined by event collectors. Then over-license buffering can be used to handle EPS spikes.
• C. If each domain and tenant is defined by log source groups, the EPS limit can be shared by the log source groups used for each tenant. Over-license buffering is defined at the event collector.
• D. The domain sets EPS limits, so each tenant needs to have only one domain. This way, over-license buffering can be used to handle EPS spikes.

Correct answer: D

Explanation

The correct answer is D because having a single domain for each tenant allows for effective EPS limit management and over-license buffering during spikes. Options A and B are incorrect as they either drop events or require specific configurations that don't guarantee the same level of management. Option C misrepresents how EPS limits and log source groups interact within a multi-tenant structure.