IBM Security QRadar
AQL query visualization in Grafana dashboards
Use the IBM Security QRadar® AQL Plugin to run Ariel Query Language (AQL) queries against your IBM Security QRadar instance.
A Grafana dashboard panel displays your query results.
The Grafana plugin distribution also includes sample dashboard JSON.
For more information about the plugin, see IBM Security QRadar AQL Plugin User Documentation.
For more information about AQL queries, see Ariel Query Language (AQL) overview.
Important: IBM Security QRadar AQL Plugin supports the events, flows and globalview Ariel databases. AQL function syntax is the same for all queries.
Configuring an IBM Security QRadar data source in Grafana
Configure an external data source for the IBM Security QRadar AQL Plugin in your Grafana instance to communicate with IBM Security QRadar.
Before you begin
Verify that the IBM Security QRadar AQL Plugin is installed.
- In your Grafana instance, from the navigation menu, click Administration > Plugins and data > Plugins.
- In the Search field, enter IBM Security QRadar.
- Click the IBM Security QRadar tile.
- Click Install.

To configure an IBM Security QRadar data source in Grafana, you must complete the following tasks:
- Obtain your IBM Security QRadar URL from your IBM Security QRadar instance.
- Collaborate with an IBM Security QRadar administrator to obtain an IBM Security QRadar SSL certificate and authorized service token.
Procedure
- In your Grafana instance, from the navigation menu, click Administration > Data Sources.
- On the Data sources page, click Add new data source.
- In the Filter by name or type field, enter IBM Security QRadar, and then select the IBM Security QRadar tile.
- In the QRadar Host field, enter your QRadar URL.
- In the QRadar Port field, enter your QRadar port (default is 443).
- In the Results Range field, enter the global results range for all queries (default is 0-49).
- In the Plugin Timeout field, enter a response timeout limit for all queries. Timeout value format is xxhxxmxxs (default is 5 m).
- In the Plugin TimeZone field, enter the time zone for all queries, for example Europe/London (default is UTC).
- In the SSL Certificate field, enter your QRadar SSL certificate.
- In the Authorized Service Token field, enter your QRadar authorized service token.
- Click Save & test. If your configuration is successful, a Data source is working message is displayed.
Importing sample dashboards
JSON files of pre-constructed dashboards are available on the IBM Security QRadar data source configuration page.
Use the sample dashboards as a reference for creating your own dashboards.
About this task
If you change a sample dashboard, you are prompted to save or overwrite your changes.
If you want to save your changes to a new dashboard, click Save as. Otherwise, your changes are lost.
Important
If you save a copy of a sample dashboard, the unique identifier (UID) value in the dashboard's data link URL changes.
You must update both the UID value and name in the data link URL of any dashboards that reference the dashboard that you saved.
For more information, see Configure data links.
Procedure
- In your Grafana instance, from the navigation menu, click Connections > Data sources.
- On the Data sources page, select the IBM Security QRadar data source from the table.
- On the IBM Security QRadar page, click the Dashboards tab.
- Find the row of the sample dashboard that you would like to import and click Import.
- From the navigation menu, click the Dashboards icon.
- On the Dashboards page, click the sample dashboard that you imported. The sample dashboard is displayed.
Grafana Cloud Free
- Free tier: Limited to 3 users
- Paid plans: $55 / user / month above included usage
- Access to all Enterprise Plugins
- Fully managed service (not available to self-manage)
Self-hosted Grafana Enterprise
- Access to all Enterprise plugins
- All Grafana Enterprise features
- Self-manage on your own infrastructure
Installing IBM Security QRadar on Grafana Cloud:
Installing plugins on a Grafana Cloud instance is a one-click install; same with updates. Cool, right?
Note that it could take up to 1 minute to see the plugin show up in your Grafana.
For more information, visit the docs on plugin installation.
Installing on a local Grafana:
For local instances, plugins are installed and updated via a simple CLI command. Plugins are not updated automatically; however, you will be notified within your Grafana when updates are available.
1. Install the Data Source
Use the grafana-cli tool to install IBM Security QRadar from the command line:
grafana-cli plugins install
The plugin will be installed into your grafana plugins directory; the default is /var/lib/grafana/plugins. More information on the cli tool.
Alternatively, you can manually download the .zip file for your architecture below and unpack it into your grafana plugins directory.
2. Configure the Data Source
Accessed from the Grafana main menu, newly installed data sources can be added immediately within the Data Sources section.
Next, click the Add data source button in the upper right. The data source will be available for selection in the Type select box.
To see a list of installed data sources, click the Plugins item in the main menu. Both core data sources and installed data sources will appear.
Changelog
1.1.1
Updates:
- security updates

1.1
Updates:
- support for:
  - AQL IF conditional operator
  - Ariel globalview database
  - MaxMind GEO LOOKUP integration data
- new plugin timezone configuration setting
- improved dashboard performance
- bug fixes & security updates

1.0 GA
Updates:
- query editor Run Query button spinner while query running

0.2 (unreleased)
Updates:
- AQL query builder
- sample dashboard content
- data source health check
- user configured plugin timeout
- dashboard panel QRadar Ariel search API range field
- enhanced AQL query & result set parsing
- improved plugin logging

0.1.1 (unreleased)
Updates:
- query editor QRadar Ariel search API error messages
- improved config editor error messaging
- vulnerability & bug fixes
- config editor tooltips
- AQL subquery support
- config editor QRadar Ariel search API range field
- support for Ariel flows database queries

0.1 (unreleased)
Initial release.
- QRadar connection authentication
- AQL query editor
- Grafana time series visualization
- Grafana date picker support
- Grafana dashboard template variable support
- QRadar Ariel Search API data type support
- user documentation & README