
Tests cheat sheet

Fast tests
- Building Blocks
- Normalized Properties
  - Identity Information
    - Identity username
    - Identity IP
    - Identity Host Name
    - Identity MAC
    - Identity Group Name
    - Identity Extended Field
    - Identity NetBios Name
  - Additional Information
    - Protocol
    - Log Source
  - Event Information
    - Event Name
    - Username
    - Relevance
    - Severity
    - Credibility
    - Event Category
    - Log Source Time
  - Source and Destination Information
    - Source IP
    - Destination IP
    - Source Port
    - Destination Port
    - Source MAC
    - Destination MAC
    - Source IPv6
    - Destination IPv6
    - Pre NAT Source IP
    - Pre NAT Source Port
    - Post NAT Source Port
    - Post NAT Source IP
    - Pre NAT Destination IP
    - Pre NAT Destination Port
    - Post NAT Destination IP
    - Post NAT Destination Port
- Custom Properties
- Numerical tests are faster than all the others:
  - Boolean
  - Equality
  - Greater-than
  - Less-than
- Then come the alphanumerical comparisons:
  - Equality
  - Subset

Medium tests
Medium tests are neither good nor bad per se; their cost depends on the context in which they are used.
An AQL function can be very fast if you are testing a source IP, and very slow if you are
using the Lookup function with no additional filtering before it.
Reference Data tests can be very cheap if the scope is limited, either in the amount of data
the rule tests or in the amount of data held in the reference data collection.
- AQL tests
- Reference Data
Example of efficient tests:
qid=65465477
username='Unicorn'
MyFavoriteCounterCP>69
Example of inefficient tests:
STR(username) ilike 'Unicorn' -> ilike (case-insensitive pattern match) instead of a simple equality comparison
LONG(SUBSTRING(UTF8(payload), 12, 18)) > 69 -> parsing the payload inside the AQL filter instead of
extracting the value once into a Custom Property

Slow tests
- Payload contains
- Match (regular expression)
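The point behind the three tiers above, and behind the "no additional filtering before" remark in the medium tests section, is that a cheap test placed in front of an expensive one stops the expensive one from running on events that could never match. The following simulation is an added example, not code from the original cheat sheet or from QRadar: it assumes, as a model, that a rule's tests are AND-combined and evaluated left to right with short-circuiting, uses constructed sample events, and assigns illustrative relative costs (numeric equality = 1, payload regex = 10). It counts how often each test actually runs when the same rule is ordered slow-first versus fast-first.

```python
import re
from collections import Counter

# Constructed sample events (not from the page). Only the first one carries
# the QID the rule is looking for; most of them would match the regex.
EVENTS = [
    {"qid": 65465477, "username": "Unicorn", "payload": "user=Unicorn action=login status=ok"},
    {"qid": 1001, "username": "alice", "payload": "user=alice action=login status=ok"},
    {"qid": 1002, "username": "bob", "payload": "user=bob action=logout status=ok"},
    {"qid": 1001, "username": "carol", "payload": "user=carol action=login status=fail"},
    {"qid": 1003, "username": "dave", "payload": "user=dave action=login status=ok"},
]

# Assumed relative cost weights, for illustration only: numeric equality is
# the cheapest tier on the cheat sheet, a regex over the payload the slowest.
COST = {"numeric": 1, "regex": 10}


class InstrumentedTests:
    """Rule tests that count how many times each kind is evaluated."""

    def __init__(self):
        self.calls = Counter()

    def qid_equals(self, event):
        # Fast test: numeric equality on a normalized property.
        self.calls["numeric"] += 1
        return event["qid"] == 65465477

    def payload_matches(self, event):
        # Slow test: regular expression over the raw payload.
        self.calls["regex"] += 1
        return re.search(r"action=login\b", event["payload"]) is not None


def evaluate_rule(events, tests):
    """AND-combine the tests left to right. all() stops at the first False,
    so a test later in the list only runs for events that passed the
    earlier ones (the modelled short-circuit behaviour)."""
    return [ev for ev in events if all(test(ev) for test in tests)]


def weighted_cost(calls):
    """Total cost of an evaluation given the per-kind call counts."""
    return sum(COST[kind] * n for kind, n in calls.items())


def compare_orderings(events=EVENTS):
    """Run the same rule with the slow test first and with the fast test
    first; return the matches, call counts and cost of each ordering."""
    slow_first = InstrumentedTests()
    m_slow = evaluate_rule(events, [slow_first.payload_matches, slow_first.qid_equals])

    fast_first = InstrumentedTests()
    m_fast = evaluate_rule(events, [fast_first.qid_equals, fast_first.payload_matches])

    return {
        "slow_first": {"matches": m_slow, "calls": dict(slow_first.calls),
                       "cost": weighted_cost(slow_first.calls)},
        "fast_first": {"matches": m_fast, "calls": dict(fast_first.calls),
                       "cost": weighted_cost(fast_first.calls)},
    }


if __name__ == "__main__":
    for name, result in compare_orderings().items():
        print(f"{name}: {len(result['matches'])} match(es), "
              f"calls={result['calls']}, cost={result['cost']}")
```

Both orderings return the same single matching event, but with the regex placed first it runs against every event, whereas with the numeric equality first it runs only against the one event that survived the cheap filter. The same reasoning applies to an AQL Lookup or a Reference Data test: put the cheap, selective tests ahead of it so it is evaluated as rarely as possible.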

If you are interested in reading more about QRadar Security Content, you can find the
complete list of blog entries here.
