Plugins 〉IBM Security QRadar


Developer

IBM


Sign up to receive occasional product news and updates:



Data Source
commercial

IBM Security QRadar

  • Overview
  • Installation
  • Change log
  • Related content

AQL query visualization in Grafana dashboards

Use the IBM Security QRadar® AQL Plugin to run Ariel Query Language (AQL) queries against your IBM Security QRadar instance.
A Grafana dashboard panel displays your query results.
The Grafana plugin distribution also includes sample dashboard JSON.

For more information about the plugin, see IBM Security QRadar AQL Plugin User Documentation.
For more information about AQL queries, see Ariel Query Language (AQL) overview.

Important: IBM Security QRadar AQL Plugin supports the events, flows and globalview Ariel databases. AQL function syntax is the same for all queries.

Configuring an IBM Security QRadar data source in Grafana

Configure an external data source for the IBM Security QRadar AQL Plugin in your Grafana instance to communicate with IBM Security QRadar.

Before you begin

Verify that the IBM Security QRadar AQL Plugin is installed.

  1. In your Grafana instance, from the navigation menu, click Administration > Plugins and data > Plugins.
  2. In the Search field, enter IBM Security QRadar.
  3. Click the IBM Security QRadar tile.
  4. Click Install. To configure an IBM Security QRadar data source in Grafana, you must complete the following tasks:
  • Obtain your IBM Security QRadar URL from your IBM Security QRadar instance.
  • Collaborate with an IBM Security QRadar administrator to obtain an IBM Security QRadar SSL certificate and authorized service token.

Procedure

  1. In your Grafana instance, from the navigation menu, click Administration > Data Sources.
  2. On the Data sources page, click Add new data source.
  3. In the Filter by name or type field, enter IBM Security QRadar, and then select the IBM Security QRadar tile.
  4. In the QRadar Host field, enter your QRadar URL.
  5. In the QRadar Port field, enter your QRadar port (default is 443).
  6. In the Results Range field, enter the global results range for all queries (default is 0-49).
  7. In the Plugin Timeout field, enter a response timeout limit for all queries. Timeout value format is xxhxxmxxs (default is 5 m).
  8. In the Plugin TimeZone field, enter the time zone for all queries, eg. Europe/London (default is UTC).
  9. In the SSL Certificate field, enter your QRadar SSL certificate.
  10. In the Authorized Service Token field, enter your QRadar authorized service token.
  11. Click Save & test. If your configuration is successful, a Data source is working message is displayed.

Importing sample dashboards

JSON files of pre-constructed dashboards are available on the IBM Security QRadar data source configuration page.
Use the sample dashboards as a reference for creating your own dashboards.

About this task

If you change a sample dashboard, you are prompted to save or overwrite your changes.
If you want to save your changes to a new dashboard, click Save as. Otherwise, your changes are lost.

Important

If you save a copy of a sample dashboard, the unique identifier (UID) value in the dashboard's data link URL changes.
You must update both the UID value and name in the data link URL of any dashboards that reference the dashboard that you saved.
For more information, see Configure data links.

Procedure

  1. In your Grafana instance, from the navigation menu, click Connections > Data sources.
  2. On the Data sources page, select the IBM Security QRadar data source from the table.
  3. On the IBM Security QRadar page, click the Dashboards tab.
  4. Find the row of the sample dashboard that you would like to import and click Import.
  5. From the navigation menu, click the Dashboards icon.
  6. On the Dashboards page, click the sample dashboard that you imported. The sample dashboard is displayed.

Installing IBM Security QRadar on Grafana Cloud:

For more information, visit the docs on plugin installation.

Changelog

1.1.1

Updates: . security updates

1.1

Updates: . support for: . AQL IF conditional operator . Ariel globalview database . MaxMind GEO LOOKUP integration data

. new plugin timezone configuration setting . improved dashboard performance . bug fixes & security updates

1.0 GA

Updates: . query editor Run Query button spinner while query running.

0.2 (unreleased)

Updates: . AQL query builder . sample dashboard content . data source health check . user configured plugin timeout . dashboard panel QRadar Ariel search API range field . enhanced AQL query & result set parsing . improved plugin logging

0.1.1 (unreleased)

Updates: . query editor QRadar Ariel search API error messages . improved config editor error messaging . vulnerability & bug fixes . config editor tooltips . AQL subquery support . config editor QRadar Ariel search API range field . support for Ariel flows database queries

0.1 (unreleased)

Initial release. . QRadar connection authentication . AQL query editor . Grafana time series visualization . Grafana date picker support . Grafana dashboard template variable support . QRadar Ariel Search API data type support . user documentation & README