number of data sources,
raw event size,
parsed event size,
enriched event size,
number of indexed fields,
maximum query search time, etc., and plan for future growth.
Detects Suspicious Commands on Linux systems, where the converted default QRadar query will use the Payload Contains search (a substring match over the entire raw payload rather than an indexed field), which is very resource and time demanding. This is of course easily customizable with a sigmac configuration file that maps the rule's Sigma field names onto your QRadar event properties.
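The following sigmac configuration fragment is an added illustration, not a file from the original post or from the Sigma project: it shows the shape of a backend-specific config that tells the QRadar backend which indexed event property each Sigma field should be emitted as, so the generated AQL filters on those properties instead of falling back to a full-payload search. The property names on the right-hand side (`Process CommandLine`, `Process Path`, `Username`) are assumed examples; replace them with the custom event property names that actually exist in your QRadar deployment.

```yaml
# Added example sigmac config (hypothetical property names); pass it with: sigmac -t qradar -c this-file.yml rule.yml
title: QRadar field mappings for Linux command rules (example)
order: 20
backends:
  - qradar
fieldmappings:
  # Sigma field name -> QRadar event property (assumed names, adjust to your deployment)
  CommandLine: Process CommandLine
  Image: Process Path
  User: Username
```

With the mappings in place, conditions on `CommandLine`, `Image` and `User` are rendered against the named properties; any Sigma field left unmapped still ends up in the default, payload-wide match, so check the generated AQL for the rules you care about before scheduling them.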