There are 3 components in QRadar :-

1) Event Collector:-
It collects the logs from the various log sources present in the network; either the network device pushes the logs to QRadar, or QRadar pulls them from the device itself.
It has the following stages :-
Collection:- Collection of logs from the various log sources.
Licence Throttle:- Checks whether the incoming events are within the licensed EPS (events per second) limit; if there are more events than the EPS limit, the excess is stored in a buffer (which can hold up to 5 GB of data).
Parsing:- Using DSM (Device Support Module) rules, all the unstructured log data is converted into a structured format.
Traffic Analysis:- If QRadar does not know the identity of a log source, it "auto detects" the source, learns which device type sent the log and adds the log source to the UI.
Coalescing:- Parsed events that are alike are aggregated into one record, which also carries the event count.
CRE (Custom Rule Engine):- This is the intelligence part of QRadar; it consists of the correlation rules.
Ariel:- IBM's custom storage; all the logs are stored in Ariel.
If the rules match a log, it is sent as a correlated event to the Magistrate in the Console.
Console:- The Console is the only component that has a web UI; all the work of a SOC analyst is done here.
Real Time Streaming:- One copy of all the logs is sent to real time streaming, where we can see all the live log and network activity.
Magistrate:- The Magistrate holds the offence rules; it goes through the correlated events and, if any event matches a rule, categorises it as an offence (Offence Management).
Queries can be run from the Console.
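As an added illustration (not QRadar code, and not from the original notes), the toy Python below walks constructed syslog lines through the stages described above: a DSM-style regex parser turns unstructured text into structured events, coalescing aggregates identical events with a count, a single hypothetical CRE rule correlates them, and anything it matches is raised as an offence the way the Magistrate would. The log lines, the regex, the rule and the 3-failure threshold are all assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample log lines (not real device output)
RAW_LOGS = [
    "Jan 10 10:00:01 fw01 sshd[123]: Failed password for root from 10.0.0.5 port 5001 ssh2",
    "Jan 10 10:00:02 fw01 sshd[123]: Failed password for root from 10.0.0.5 port 5002 ssh2",
    "Jan 10 10:00:03 fw01 sshd[123]: Failed password for root from 10.0.0.5 port 5003 ssh2",
    "Jan 10 10:00:04 fw01 sshd[123]: Accepted password for alice from 10.0.0.7 port 5004 ssh2",
    "Jan 10 10:00:05 fw01 kernel: line the parser has no DSM rule for",
]

# Hypothetical DSM-style parsing rule: one regex mapping raw text to named fields
SSH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>[\d.]+)"
)

def parse(line):
    """Parsing stage: unstructured line -> structured dict. Unmatched lines are kept raw."""
    m = SSH_RE.match(line)
    if not m:
        return {"event": "Unknown", "raw": line}
    d = m.groupdict()
    d["event"] = "Login Failure" if d["outcome"] == "Failed" else "Login Success"
    return d

def coalesce(events):
    """Coalescing stage: events sharing (event, user, src, host) become one record with a count."""
    counts, first = Counter(), {}
    for e in events:
        key = (e["event"], e.get("user"), e.get("src"), e.get("host"))
        counts[key] += 1
        first.setdefault(key, e)
    return [dict(first[k], count=n) for k, n in counts.items()]

def correlate(coalesced, threshold=3):
    """CRE stage: hypothetical rule, N or more login failures from one source for one user."""
    offenses = []
    for e in coalesced:
        if e["event"] == "Login Failure" and e["count"] >= threshold:
            # Magistrate step: a matched correlated event is categorised as an offence
            offenses.append({"offense": "Repeated login failures", "src": e["src"],
                             "user": e["user"], "count": e["count"]})
    return offenses

def run_pipeline(lines, threshold=3):
    """Collection -> Parsing -> Coalescing -> CRE/Magistrate, returning the offences raised."""
    return correlate(coalesce(parse(l) for l in lines), threshold)
```

Running run_pipeline(RAW_LOGS) raises one offence for 10.0.0.5 with count 3; the unparsed kernel line survives as an "Unknown" event rather than being dropped, which is the behaviour you want to check for in a real deployment so that unsupported sources do not silently vanish.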