Chapter 4: Dashboard management (6% of exam):
4.1 Use the default QRadar dashboard to create, view, and
maintain a dashboard based on common searches
Dashboard management:
Use the Dashboard tab, which is the default view when you log into IBM QRadar, to focus
on specific areas of your network security. The workspace supports multiple dashboards
on which you can display your views of network security, activity, or data that is collected.
Tip: Use the QRadar Pulse app for an enhanced dashboard experience. The Pulse app is
included with QRadar 7.4.0 and later. For more information about the Pulse app,
see QRadar Pulse app
(https://www.ibm.com/support/knowledgecenter/SS42VS_SHR/com.ibm.Pulseapp.doc/c_Qapps_PulseDashboard_intro.html?cp=SS42VS_7.4).
You can customize your dashboard. The content that is displayed on the Dashboard tab is
user-specific. Changes that are made within a session affect only your system. For example,
you can make these customizations:
• Add and remove dashboard items from your dashboards.
• Move and position items to meet your requirements.
When you position items, each item is automatically resized in proportion to the
dashboard.
• Add custom dashboard items that are based on any data.
For example, you can add a dashboard item that provides a time series graph or a
bar chart that represents top 10 network activity.
To create custom items, create saved searches on the Log Activity tab and
choose how you want the results represented in your dashboard. Each
dashboard chart displays real-time, up-to-the-minute data. Time series graphs on
the dashboard refresh every 5 minutes.
• Default dashboards
Use the default dashboard to customize your items into functional views. These
functional views focus on specific areas of your network.
• Custom dashboards
You can customize your dashboards. The content that is displayed on
the Dashboard tab is user-specific. Changes that are made within a QRadar®
session affect only your system.
• Creating a custom dashboard
You can create a custom dashboard to view a group of dashboard items that meet a
particular requirement.
• Using the dashboard to investigate log or network activity
Search-based dashboard items provide a link to the Log Activity or Network
Activity tabs, allowing you to further investigate log or network activity.
• Configuring dashboard chart types
You can configure different dashboard chart types for presenting your
organization's data in meaningful ways.
• Removing dashboard items
You can remove items from a dashboard and add the item again at any time.
• Detaching a dashboard item
You can detach an item from your dashboard and display the item in a new window
on your desktop system.
• Renaming a dashboard
You can rename a dashboard and update the description.
• Deleting a dashboard
You can delete a dashboard.
• Managing system notifications
You can specify the number of notifications that you want to display on your System
Notification dashboard item and close system notifications after you read them.
• Adding search-based dashboard items to the Add Items list
You can add search-based dashboard items to your Add Items menu.
The Dashboard tab is the default view when you log in.
• It provides a workspace environment that supports multiple dashboards on which
you can display your views of network security, activity, or data that is collected.
• Dashboards allow you to organize your dashboard items into functional views,
which enable you to focus on specific areas of your network.
• Use the Dashboard tab to monitor your security event behavior.
• You can customize your dashboard. The content that is displayed on
the Dashboard tab is user-specific. Changes that are made within a session affect
only your system.
Default dashboards:
Use the default dashboard to customize your items into functional views. These functional
views focus on specific areas of your network.
The Dashboard tab provides five default dashboards that are focused on security, network
activity, application activity, system monitoring, and compliance.
Each dashboard displays a default set of dashboard items. The dashboard items act
as a starting point for navigating to more detailed data. The following table defines the
default dashboards.
Default dashboard: Items

Application Overview
The Application Overview dashboard includes the following default items:
• Inbound Traffic by Country (Total Bytes)
• Outbound Traffic by Country (Total Bytes)
• Top Applications (Total Bytes)
• Top Applications Inbound from Internet (Total Bytes)
• Top Applications Outbound to the Internet (Total Bytes)
• Top Services Denied through Firewalls (Event Count)
• DSCP - Precedence (Total Bytes)

Compliance Overview
The Compliance Overview dashboard includes the following default items:
• Top Authentications by User (Time Series)
• Top Authentication Failures by User (Event Count)
• Login Failures by User (real-time)
• Compliance: Username Involved in Compliance Rules (time series)
• Compliance: Source IPs Involved in Compliance Rules (time series)
• Most Recent Reports

Network Overview
The Network Overview dashboard includes the following default items:
• Top Talkers (real time)
• ICMP Type/Code (Total Packets)
• Top Networks by Traffic Volume (Total Bytes)
• Firewall Deny by DST Port (Event Count)
• Firewall Deny by DST IP (Event Count)
• Firewall Deny by SRC IP (Event Count)
• Top Applications (Total Bytes)
• Link Utilization (real-time)
• DSCP - Precedence (Total Bytes)

System Monitoring
The System Monitoring dashboard includes the following default items:
• Top Log Sources (Event Count)
• Link Utilization (real-time)
• System Notifications
• Event Processor Distribution (Event Count)
• Event Rate (Events per Second Coalesced - Average 1 Min)
• Flow Rate (Flows per Second - Peak 1 Min)

Threat and Security Monitoring
The Threat and Security Monitoring dashboard includes the following default items:
• Default-IDS/IPS-All: Top Alarm Signatures (real-time)
• Top Systems Attacked (Event Count)
• Top Systems Sourcing Attacks (Event Count)
• My Offenses
• Most Severe Offenses
• Most Recent Offenses
• Top Services Denied through Firewalls (Event Count)
• Internet Threat Information Center
• Flow Bias (Total Bytes)
• Top Category Types
• Top Sources
• Top Local Destinations

Table 1. Default dashboards
Configuring a time series chart:
You can display interactive time series charts that represent the records that are matched
by a specific time interval search.
Procedure
• In the chart title bar, click the Configure icon.
• In the Value to Graph list, select Destination IP (Unique Count).
• In the Chart Type list, select Time Series.
• Click Capture Time Series Data.
• Click Save.
• Click Update Details.
• Filter your search results:
  • Right-click the event that you want to filter.
  • Click Filter on Event Name is <Event Name>.
  • To display the event list grouped by user name, select Username from
    the Display list.
• Verify that your search is visible on the Dashboard tab:
  • Click the Dashboard tab.
  • Click the New Dashboard icon.
  • In the Name field, type Example Custom Dashboard.
  • Click OK.
  • In the Add Item list, select Log Activity > Event Searches > Example
    Search 1.
Creating a custom dashboard:
You can create a custom dashboard to view a group of dashboard items that meet a particular
requirement.
After you create a custom dashboard, the new dashboard is displayed in the Dashboard tab and is
listed in the Show Dashboard list box. A new custom dashboard is empty by default; therefore, you
must add items to the dashboard.
Procedure
• Click the Dashboard tab.
• Click the New Dashboard icon.
• In the Name field, type a unique name for the dashboard. The maximum length is 65
characters.
• In the Description field, type a description of the dashboard. The maximum length
is 1024 characters. This description is displayed in the tooltip for the dashboard
name in the Show Dashboard list box.
• Click OK.
Managing system notifications:
You can specify the number of notifications that you want to display on your System
Notification dashboard item and close system notifications after you read them.
Ensure the System Notification dashboard item is added to your dashboard.
Procedure
• On the System Notification dashboard item header, click the Settings icon.
• From the Display list box, select the number of system notifications you want to
view.
• The options are 5, 10 (default), 20, 50, and All.
• To view all system notifications that are logged in the past 24 hours, click All.
• To close a system notification, click the Delete icon.
Configuring dashboard chart types:
You can configure different dashboard chart types for presenting your organization's data in
meaningful ways. Alternatively, use the IBM® QRadar® Pulse dashboard app to communicate
insights and analysis about your network. Visualize offenses, network data, threats, malicious
user behavior, and cloud environments from around the world in geographical maps, a built-in 3D
threat globe, and auto-updating charts.
Procedure
• Click the Dashboard tab.
• From the Show Dashboard list box, select the dashboard that contains the item you
want to customize.
• On the header of the dashboard item you want to configure, click the Settings icon.
• Configure the chart parameters:
  • From the Value to Graph list box, select the object type that you want to
    graph on the chart. Options include all normalized and custom event or
    flow parameters that are included in your search parameters.
  • Select a chart type:
    • Bar, pie, and table charts are only available for grouped events or
      flows.
    • Data accumulates so that when you run a time series saved search, a
      cache of event or flow data is available to display the data for the
      previous time period. Accumulated parameters are indicated by an
      asterisk (*) in the Value to Graph list box. If you select a value to
      graph that is not accumulated (no asterisk), time series data is not
      available.
  • Select the Capture Time Series Data checkbox to enable time series
    capture. When you select this checkbox, the chart feature accumulates
    data for time series charts. By default, this option is disabled.
Result: Your custom chart configurations are retained so that they are displayed as configured each
time that you access the Dashboard tab.
4.2 Use Pulse to create, view, and maintain
a dashboard based on common searches:
QRadar Pulse app:
IBM® QRadar® Pulse is a dashboard app that you can use to communicate insights and
analysis about your network. Take the pulse of your SOC with dynamic real-time
dashboards that provide meaningful insights into your security posture and
threat landscape. Visualize offenses, network data, threats, malicious user
behavior, and cloud environments from around the world in scatter and
choropleth geographical maps and auto-updating charts. Share dashboards with
colleagues. See offenses unfold in near real time and track your security threats
from around the globe.
QRadar Pulse includes the following key capabilities:
• Use predefined dashboard templates to get started before you create one of your
own.
• Use dashboard links or export dashboards to share them with colleagues.
• Create dashboard items based on AQL queries or QRadar offenses, or use the
generic API to access the full range of data from QRadar or its apps.
• Fine-tune your display with themes and flexible dashboard layout.
• Expand dashboard items to display in a multi-screen SOC.
• Create unique dashboards to track and communicate insights and analysis about
your network.
• Explore insights by drilling down to a Pulse dashboard, a URL, or a specific page in
the calling application (QRadar or QRadar Analyst Workflow).
• What's new in QRadar Pulse
(https://www.ibm.com/docs/en/SS42VS_SHR/com.ibm.Pulseapp.doc/c_Qapps_PulseDashboard_WhatsNew.html)
Stay up to date with the new features that are available in IBM QRadar Pulse so that
you get the most out of your dashboard experience.
• Known issues
The IBM QRadar Pulse documentation provides the required information about known issues.
• Installing the QRadar Pulse app
(https://www.ibm.com/docs/en/SS42VS_SHR/com.ibm.Pulseapp.doc/t_Qapps_PulseDashboard_install.html)
Use the IBM QRadar Assistant app to install the IBM QRadar Pulse app archive on
your QRadar computer.
• QRadar Pulse dashboard components and workspaces
(https://www.ibm.com/docs/en/SS42VS_SHR/com.ibm.Pulseapp.doc/t_Qapps_PulseDashboard_import_export.html)
The IBM QRadar Pulse workspace comprises dashboards and widgets. Use it to
create an inventory of unique dashboards to track endpoint, user, cloud,
department, and company-wide security and operational data.
• Widgets
Create widgets to include in one or more of your dashboards. You can see only the
widgets and dashboards that you create in your workspace. However, you can share
them with others by exporting them or by opening a dashboard or widget onto a
shared monitor, like a SOC wall.
• Widget chart types
IBM QRadar Pulse provides many types of charts for presenting your data in a way
that is meaningful for your organization.
• Time series charts in QRadar Pulse
(https://www.ibm.com/docs/en/SS42VS_SHR/com.ibm.Pulseapp.doc/c_Qapps_Pulse_Dashboard_time_series_charts.html)
At first glance, creating a time series chart from relational data in QRadar Pulse can
be challenging. The amount of data that is returned by an AQL query can be
unwieldy, but with some background knowledge and careful planning, you can
produce relevant and meaningful time series charts.
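The planning the paragraph above calls for usually comes down to two things: keep the AQL result set narrow, and turn the flat per-event rows into fixed-width time buckets with no gaps, so the chart's x-axis stays continuous even during quiet intervals. The following is an added example written for these notes; it is not IBM's code and not taken from the Pulse app. It assumes result rows shaped like the JSON the Ariel API returns for an event query (one dict per row) and uses the real AQL event columns `starttime` (epoch milliseconds) and `eventcount`; the query text, the 5-minute bucket width and the sample rows are all assumptions or constructed data.

```python
"""Shape flat AQL event rows into a fixed-interval, gap-free time series.

Added example, not IBM's code. Result rows are assumed to be dicts with the
AQL columns `starttime` (epoch ms) and `eventcount`; the query text, bucket
width and sample rows below are assumptions / constructed data.
"""
from datetime import datetime, timezone

BUCKET_MS = 5 * 60 * 1000  # 5-minute buckets, matching the dashboard refresh interval


def build_aql(hours: int = 1) -> str:
    """Return a deliberately narrow AQL query for a time series widget.

    Only the two columns the chart needs are selected, which keeps the result
    set small; bucketing is then done client-side in to_time_series().
    (Assumed query text, not taken from the IBM documentation.)
    """
    return f"SELECT starttime, eventcount FROM events LAST {hours} HOURS"


def to_time_series(rows, window_start_ms, window_end_ms, bucket_ms=BUCKET_MS):
    """Aggregate rows into [window_start, window_end) buckets of bucket_ms.

    Returns a list of (bucket_start_ms, event_total) tuples, one per bucket,
    in time order. Buckets with no events are emitted with 0 so the chart does
    not silently skip quiet intervals. Rows outside the window are dropped;
    rows without an eventcount value count as a single event.
    """
    if bucket_ms <= 0:
        raise ValueError("bucket_ms must be positive")
    # Align the window start down to a bucket boundary.
    window_start_ms -= window_start_ms % bucket_ms
    n_buckets = -(-(window_end_ms - window_start_ms) // bucket_ms)  # ceiling division
    totals = [0] * n_buckets
    for row in rows:
        ts = int(row["starttime"])
        if not (window_start_ms <= ts < window_end_ms):
            continue  # outside the window: ignore
        idx = (ts - window_start_ms) // bucket_ms
        totals[idx] += int(row.get("eventcount", 1))
    return [(window_start_ms + i * bucket_ms, totals[i]) for i in range(n_buckets)]


def label(bucket_start_ms):
    """ISO-8601 UTC label for a bucket start, usable as an axis tick."""
    return datetime.fromtimestamp(bucket_start_ms / 1000, tz=timezone.utc).strftime(
        "%Y-%m-%dT%H:%MZ"
    )


# Constructed sample rows (not real QRadar data).
WINDOW_START = 1_700_000_100_000  # already on a 5-minute boundary
WINDOW_END = WINDOW_START + 4 * BUCKET_MS
SAMPLE_ROWS = [
    {"starttime": WINDOW_START + 10_000, "eventcount": 3},
    {"starttime": WINDOW_START + 290_000, "eventcount": 2},
    {"starttime": WINDOW_START + 600_000, "eventcount": 7},
    {"starttime": WINDOW_START + 700_000},               # no eventcount: counts as 1
    {"starttime": WINDOW_START - 1, "eventcount": 99},   # before the window: dropped
    {"starttime": WINDOW_END, "eventcount": 50},         # at the exclusive end: dropped
]

if __name__ == "__main__":
    print(build_aql())
    for start, total in to_time_series(SAMPLE_ROWS, WINDOW_START, WINDOW_END):
        print(label(start), total)
```

Running the block prints the four 5-minute buckets of the sample window, two of them zero. The half-open window and the floor-aligned start are what make successive refreshes line up: a row that lands exactly on the window end belongs to the next refresh, not to both.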
• Displaying dashboards
Open a dashboard into a separate window; for example, on a SOC wall. Select a
specific dashboard to be the default dashboard every time you log in. Pin
dashboards or widgets to individual windows.
• Troubleshooting QRadar Pulse
(https://www.ibm.com/docs/en/SS42VS_SHR/com.ibm.Pulseapp.doc/ts_Qapps_PulseDashboard_troubleshoot.html)
To isolate and resolve problems with IBM QRadar Pulse, use the troubleshooting
and support information.
• Privacy assessment
IBM QRadar Pulse is used to create dashboards and visualizations of IBM
QRadar data.
Dashboard management: (covered above)
QRadar Pulse dashboard components and workspaces:
The IBM® QRadar® Pulse workspace comprises dashboards and widgets. Use it
to create an inventory of unique dashboards to track endpoint, user, cloud, department,
and company-wide security and operational data.
Workspaces
Your workspace is what you see when you click the Pulse tab on the IBM QRadar Console.
Only you can see your workspace, but you can choose to share dashboards with colleagues
or expand specific dashboards onto a monitor on a SOC wall. Create AQL parameters for
your workspace that make it simpler to create AQL dashboard items and to update multiple
AQL queries at the same time.
The following image shows the default workspace view of the Offense
overview dashboard.
Dashboard templates
Use the default dashboard templates in QRadar Pulse as a starting point to build your own
customized dashboard inventory for your workspace. Each dashboard template offers
several different dashboard items, which you can add to different dashboards.
Remove the dashboard items that don't apply to your organization.
The QRadar Pulse dashboards get their data from IBM QRadar, so some of them, such as
the Events and flow metrics dashboard, might display data immediately, depending on how
you set QRadar up to receive data. Other QRadar Pulse dashboards must be edited before
data appears in the charts.
Dashboards
Dashboards contain widgets that monitor and display security events and issues that are
important to your organization. For example, the Offense overview dashboard contains
widgets that monitor the top offense categories, the most severe offenses, and so on.
Create your own dashboards specific to your organizational and network needs. Add
widgets from other dashboard templates or create your own. Open dashboard links or
import dashboards that colleagues share with you to eliminate the need for re-creating
existing content.
Widgets
Widgets contain a data source (AQL, QRadar offense, dynamic search, or generic API) and
one or more charts. You can add more charts as different views, such as a pie or bar chart.
For example, the Events per User widget in the Miscellaneous metrics dashboard can
display as a pie chart or a bar chart. The bar chart view compares sets of data between
groups, such as usernames and the number of events per user. The pie chart view displays
the same information, but as percentages.
Parameters
Parameters make it easier to create widgets by reusing common elements in multiple AQL
or Generic API queries. You no longer need to create individual queries for similar entities.
Any query that uses the parameter can automatically use the parameter's value.
• Creating dashboards
Create new dashboards and then add widgets. Set a specific dashboard to be your
default dashboard every time you log in.
• Installing dashboard templates into your workspace
A dashboard template is a dashboard that an administrator shares with all users.
Browse the catalog of available templates that your administrator added for you,
and then select which dashboard templates that you want to install.
• Sharing dashboard links with others
As the author of a dashboard, you can share it with other IBM QRadar Pulse users by
sending them a dashboard link. When you share a dashboard link, other users see
the dashboard in read-only mode. Any updates that you make to the shared
dashboard are seen by the other users. Other users see only the dashboard items
that match their privileges. For example, if they're not allowed to view offenses
in IBM QRadar, they can't see them in QRadar Pulse.
• Opening shared dashboard links
When you open a dashboard link that another user shares with you, you see the
dashboard in read-only mode. You can see updates that are made to the dashboard
by the dashboard author. You see only the dashboard items that match your user
privileges. For example, if you're not allowed to view offenses in IBM QRadar, you
can't see them in IBM QRadar Pulse.
• Exporting dashboards to send to others
Export dashboards as JSON files that you can send to colleagues. Depending on their
user role and security profile, your colleagues might see different results after they
import your dashboard.
• Importing dashboards
When you import a dashboard that a colleague exported for you, you see only the
dashboard items that match your user privileges. For example, if you're not allowed
to view offenses in IBM QRadar, you can't see them in IBM QRadar Pulse.
• Changing the workspace theme and branding
Optimize QRadar Pulse for the SOC wall or for your personal use. Change the
workspace color scheme or remove the default IBM QRadar branding that
appears when you open any dashboard or widget in a new window.
Sharing dashboard links with others:
As the author of a dashboard, you can share it with other IBM® QRadar® Pulse users by sending
them a dashboard link. When you share a dashboard link, other users see the dashboard in read-
only mode. Any updates that you make to the shared dashboard are seen by the other users. Other
users see only the dashboard items that match their privileges. For example, if they're not allowed
to view offenses in IBM QRadar, they can't see them in QRadar Pulse.
Limited capabilities are available to users of read-only dashboards. Users can't see default
dashboard parameter values, but they can set parameters by using the Parameters card or
by drilling down within the dashboard. In addition, users can open dashboards or items in
a new window and click the More options menu to see other read-only capabilities such as
pinning and scaling dashboards.
Drilling down to other QRadar Pulse dashboards is preserved only if the target
dashboards are also shared; the links do not appear if the target QRadar Pulse dashboards
are not shared.
Users can't share dashboards that you share with them.
Users can import shared dashboards. By importing a shared dashboard, users create an
editable copy that is saved separately to their dashboard list. The copy does not receive
updates that you make to the shared dashboard.
You can stop sharing a dashboard at any time. If a user tries to open a previously shared
dashboard, a message appears indicating that the dashboard is unavailable.
Procedure
• Open the dashboard that you want to share, and click the Share this
dashboard icon.
• To start sharing the dashboard, set Has share link to Yes, copy the provided URL,
and share the URL with other users (such as by email).
If the shared dashboard drills down to other dashboards, the target dashboards are
listed. Decide whether to share the target dashboards. If you don't share the target
dashboards, the drill-down links do not appear for other users.
Trouble: If the shared link does not work, replace the link's IP address with the IBM
QRadar console fully qualified domain name.
• Optional: To stop sharing the dashboard, set Has share link to No.
QRadar Pulse lists the users who opened the shared dashboard so that you can see
who is affected if you stop sharing the dashboard. After you stop sharing the
dashboard, users who try to open the dashboard see a message that indicates that
the dashboard is unavailable.
Result: In the dashboard list, tags indicate whether dashboards are Shared by <user>, Shared by
me, or if they have an Update available. To make it easier to find a particular dashboard, filter the
dashboards based on these criteria.
Chapter 5: Reporting (16% of exam)
The Analyst can create, edit, distribute, and manage reports, including flexible options to satisfy your
organization’s various regulatory standards, such as PCI compliance, and offense and threat related
reports.
5.1 Perform an advanced search
(also covered in Chapter 1)
Advanced search options:
Use the Advanced Search field to enter an Ariel Query Language (AQL) query that specifies
the fields that you want and how you want to group them.
Note: When you type an AQL query, use single quotation marks for a string comparison, and use
double quotation marks for a property value comparison.
The Advanced Search field has auto completion and syntax highlighting.
Use auto completion and syntax highlighting to help create queries. For information about
supported web browsers, see Supported web browsers.
Note: If you use a quick filter on the Log Activity tab, you must refresh your browser window
before you run an advanced search.
Accessing Advanced Search
Access the Advanced Search option from the Search toolbar that is on the Network
Activity and Log Activity tabs to type an AQL query.
Select Advanced Search from the list box on the Search toolbar.
Expand the Advanced Search field by following these steps:
• Drag the expand icon that is at the right of the field.
• Press Shift + Enter to go to the next line.
• Press Enter.
You can right-click any value in the search result and filter on that value.
Double-click any row in the search result to see more detail.
All searches, including AQL searches, are included in the audit log.
AQL search string examples
The following table provides examples of AQL search strings.
The following table provides examples of AQL search strings for X-Force®.
For more information about functions, search fields and operators, see the Ariel Query
Language guide.
• AQL search string examples
Use the Ariel Query Language (AQL) to retrieve specific fields from the events, flows,
and simarc tables in the Ariel database.
• Converting a saved search to an AQL string
Convert a saved search to an AQL string and modify it to create your own searches
to quickly find the data you want. Now you can create searches faster than by typing
the search criteria. You can also save the search for future use.
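The quoting rule above (single quotes around string literals, double quotes around property names) is the part of AQL that is easiest to get wrong, and it is also where an untrusted value pasted into a query can change its meaning. The following Python helper is an added example, not IBM code and not part of the exam guide: it assembles a SELECT/FROM/WHERE/GROUP BY/LAST statement for the events, flows and simarc tables, quotes property names and values by the rule above, and rejects unexpected operators and time ranges. Doubling an embedded single quote to escape it is an assumption borrowed from SQL; the `select` list is passed through unquoted because it is expected to come from the analyst, not from user input.

```python
import re

# Comparison operators the builder accepts; anything else is rejected so that
# the operator slot cannot be used to smuggle extra AQL into the query.
ALLOWED_OPS = {"=", "<>", "<", ">", "<=", ">=", "LIKE", "ILIKE"}
LAST_RE = re.compile(r"^\d+ (MINUTES|HOURS|DAYS)$")
BARE_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def quote_property(name):
    """Property names go in double quotes when they are not plain identifiers
    (custom properties with spaces are the usual case)."""
    if '"' in name:
        raise ValueError("property names cannot contain a double quote")
    return name if BARE_NAME_RE.match(name) else f'"{name}"'


def quote_value(value):
    """String comparisons use single quotes; numbers are written bare."""
    if isinstance(value, bool):
        raise TypeError("use 0/1 or a string for boolean-like values")
    if isinstance(value, (int, float)):
        return str(value)
    # Assumption: an embedded single quote is escaped by doubling it, as in SQL.
    return "'" + str(value).replace("'", "''") + "'"


def build_aql(select, table, where=(), group_by=(), last=None):
    """Assemble SELECT ... FROM <table> [WHERE ...] [GROUP BY ...] [LAST ...].

    `where` is a sequence of (property, operator, value) triples joined by AND.
    """
    if table not in ("events", "flows", "simarc"):
        raise ValueError("unknown Ariel table: " + table)
    parts = ["SELECT", ", ".join(select), "FROM", table]
    if where:
        clauses = []
        for prop, op, value in where:
            op = op.upper()
            if op not in ALLOWED_OPS:
                raise ValueError("unsupported operator: " + op)
            clauses.append(f"{quote_property(prop)} {op} {quote_value(value)}")
        parts += ["WHERE", " AND ".join(clauses)]
    if group_by:
        parts += ["GROUP BY", ", ".join(quote_property(g) for g in group_by)]
    if last:
        if not LAST_RE.match(last):
            raise ValueError("LAST must look like '24 HOURS'")
        parts += ["LAST", last]
    return " ".join(parts)


if __name__ == "__main__":
    # Top source IPs for one user over the last day, filtered on a custom
    # property whose name contains a space and therefore needs double quotes.
    print(build_aql(
        ["sourceip", "COUNT(*)"], "events",
        where=[("username", "=", "admin"),
               ("Session Token", "ILIKE", "%expired%")],
        group_by=["sourceip"], last="24 HOURS"))
```

The produced string can be pasted into the Advanced Search field as-is; the value `o'neil` becomes `'o''neil'` rather than terminating the literal early, and an operator such as `= 'x' OR 1` is refused instead of being concatenated.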
Querying with dynamic search:
Use the dynamic search API to search for data that involves aggregated functions,
such as COUNT, SUM, MAX, and AVG. For example, you can count the number of asset IDs per asset
hostname by using the COUNT_PER function.
You can build your query on the following data sources:
• Assets
• Offenses
• Vulninstances
You can add a field without a function as a simple field, or you can add a field with a
function as a complex field to build columns. You can also add conditions to filter your data.
Procedure
• Click the Admin tab.
• In the Dynamic Search section, click Dynamic Search.
• Select a Data Source.
• Complete the Available Columns and Available Filters sections.
• To add a name, description, range of the search, retention period, or search type to
your query, enable one or more Extra Search Properties.
• To copy your JSON script, click Generate JSON.
Your results appear in the JSON generated by your query section. Click Copy to
Clipboard to copy your JSON script.
• To reset your selections, click Reset.
• Click Run Query.
Result: The results of your query are listed in plain text or link format. For example, if you chose to
query the ASSET_ID field, you can click the results to view the Asset Summary window for each
asset ID.
Searching Your QRadar Data Efficiently: Part 1 – Quick
Filters:
Problem
How can users improve search speed using the Quick Filter feature in QRadar?
Resolving The Problem
About the Quick Filter
The Quick Filter is a search bar that is displayed on both the Log Activity and Network
Activity tab in QRadar; and is one of the fastest methods for searching event or flow data.
The Quick Filter works similarly to a 'Google-style' search: you can add one or
more terms, or use regular expressions. If the quick filter is used with other search
parameters, the quick filter runs first, and the remaining search parameters are
applied to further filter the results.
To work efficiently, the Quick Filter requires that a Payload Index was created when the
data was first received by QRadar. If a Payload Index does not exist for the time frame being
searched, QRadar creates a Payload Index for all data contained within the time
frame, which causes this initial search to take longer to complete. Subsequent
searches against the same data, done within the same day, are quicker, as the appliance
can use the newly created Payload Indexes. Payload Indexes that fall outside the
Payload Index Retention are removed overnight.
Figure 1: Utilizing the quick filter, we are able to search 267 MB of data in just over one
second.
Location of the Quick Filter?
The Quick Filter is a search bar that is displayed on both the Log Activity and Network
Activity tab in QRadar.
Figure 2: Location of the Quick Filter on the Log Activity tab in QRadar 7.2.3 and above (click to
enlarge).
Figure 3: Location of the Quick Filter on the Log Activity tab in QRadar 7.1 MR2 (click to
enlarge).
Payload Index Retention Settings
To adjust the Payload Index Retention settings from the Console:
1) Click the Admin tab.
2) Select System Settings.
3) Locate the Database Settings section and adjust the retention period.
4) Set the Payload Index Retention only to the time frame typically searched, as Payload
Indexes use extra disk space.
The default Payload Index Retention period is 30 days, the minimum is 1 day, and the
maximum is 2 years.
Note: Administrators who want to retain payload indexes longer than the default value
should be aware that extra disk space will be used to retain the index for the
longer time period. The retention values should reflect the time spans that the users or
security operators are typically searching. After an increase is made to the Payload Index
Retention field, administrators should monitor system notifications to ensure that they
do not fill disk space by setting an unnecessarily long Payload Index Retention.
Figure 4: Quick filter indexes are based on the Payload Index Retention setting (click
to enlarge).
Quick Filter - Using Advanced Search Parameters
The Quick Filter only searches raw, uncorrelated, payload data, and cannot differentiate
between fields. For example, the quick filter cannot differentiate if an IP address is the
source or destination.
The quick filter can be used for more than just single searches for an IP address or user
name. Since the Quick Filter is based on Lucene search technology, it supports complex
logical queries that use brackets, double quotation marks, AND, OR, NOT, +/-, and
wildcard ( * ) operators. It is important that any word operators
be uppercase (AND, OR, AND NOT) to prevent the filter from treating the operator as a
search term. All of these logical operators can be used to quickly find results from the
indexes of your event or flow payloads. Using operators makes even complex
Quick Filter searches very efficient in QRadar.
Example 1: How to exclude search terms from your
quick filter results
To exclude search results, users can use AND NOT, or a minus symbol ( - ), as a
method to reduce the number of results returned from a quick search. If you have specific
text that contains spaces, you can add double quotes ( "term" ) to
encapsulate the exact text you want the quick filter to locate. If your text is broken into
two words, such as Session Token, you can use "Session Token" in the quick filter, as
the search term then expects the space to be present when it is encapsulated in
quotes.
OR
Figure 5 & 6: An alternate method of completing the same search result is to use a minus
symbol (-) in the Quick Filter field.
Example 2: How to search for multiple terms
The following images show two examples of a combination search to locate an event that
contains the term firewall or "firewall accept", but also contains the words nobody or
admin.
OR
Figure 7 & 8: Using the quick filter to search multiple terms using AND/OR values.
Example 3: Using simple regex within a Lucene search
The following images show an example of using regex to search for information within the quick
filter. Regular expressions must be bracketed by forward slashes, such as /my_regex_pattern/, in
the quick filter. Valid regex that falls between the forward slashes is evaluated by QRadar.
Helpful implementations of regular expressions could include:
• Events with files that end in .exe or .pdf could be located with the regular
expression /.*.pdf/ OR /.*.exe/
• URLs, such as /.*baddomain.com/
• Email addresses can be located with the regular expression /.*\@.*\..*/
OR
Figure 9 & 10: Values between the forward slashes can contain simple regular
expression patterns.
Example 4: Using Lucene searches with special
characters
The following image shows an example of using regex to search where you need to escape
special characters. For example, a username with a hyphen might need to be escaped to
return an exact match. Optionally, the user could quick filter search for john AND
smith or john +smith, but that is not as exact as searching for the exact user name john-
smith. The following special characters that are part of the search term must be
escaped: + - && || ! ( ) { } [ ] ^ " * ? : \
Figure 11: Using the quick filter to search for a hyphenated user name.
Example 5: Name=Value pair searches in Lucene
To complete name=value pair searches in QRadar, or to look for specific terms separated by
special characters, users can use proximity searches to locate a
specific payload combination, such as a name=value pair. A proximity search looks for
terms that are within a specific distance from one another. Special characters that
appear within a text string can be escaped and searched; however,
certain values are reserved, so a proximity search allows users to find values
located next to each other or separated by mathematical operators.
Where is a proximity search useful?
A payload might contain multiple repeated values of an IP, username, port, or other
relevant information. For example, typing root in the Quick Filter search returns all
instances of that value, especially where an IP or username could appear
repeatedly in different name=value pairs. By searching for the specific
name=value pair and combining it with other search terms, users gain search flexibility
while the search remains extremely fast.
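Examples 1 to 5 above all come down to producing a correctly escaped and quoted Lucene string, which is easy to get wrong by hand when the term comes from a ticket or an indicator list. The following Python helpers are an added example, not IBM code and not from the page: they escape the reserved characters listed in Example 4, wrap exact text in double quotes, bracket a regex in forward slashes after checking that it compiles, build a proximity clause, and combine clauses with upper-case AND / OR / AND NOT. Escaping single `&` and `|` characters (rather than only the `&&` and `||` pairs the page lists) and the `"a b"~N` proximity syntax are assumptions about Lucene behaviour that are not stated on the page.

```python
import re

# Characters the quick filter's Lucene parser treats as syntax (the page's
# list). Single '&' and '|' are escaped as well so that && and || are covered.
LUCENE_SPECIAL = set('+-!(){}[]^"*?:\\&|')


def escape_term(term):
    """Backslash-escape every reserved character so the term matches literally,
    e.g. the hyphen in a user name such as john-smith."""
    return "".join("\\" + ch if ch in LUCENE_SPECIAL else ch for ch in term)


def phrase(text):
    """Exact text that contains spaces must be wrapped in double quotes."""
    return '"' + text.replace('"', '\\"') + '"'


def regex_term(pattern):
    """Regular expressions sit between forward slashes; validate first so a
    broken pattern fails here rather than as an empty search result."""
    re.compile(pattern)
    return "/" + pattern.replace("/", "\\/") + "/"


def proximity(words, distance):
    """Proximity clause: the words must occur within `distance` positions of
    each other, which locates a name=value pair whose '=' is reserved.
    Assumption: Lucene's "a b"~N syntax."""
    return '"' + " ".join(escape_term(w) for w in words) + f'"~{int(distance)}'


def group(clause):
    """Bracket a sub-expression so AND/OR precedence is explicit."""
    return "(" + clause + ")"


def any_of(*clauses):
    return " OR ".join(clauses)


def all_of(*clauses):
    return " AND ".join(clauses)


def exclude(clause, *excluded):
    """clause AND NOT a AND NOT b ...; word operators must stay upper case."""
    return clause + "".join(" AND NOT " + e for e in excluded)


if __name__ == "__main__":
    # Example 2 from the page: firewall or "firewall accept", plus nobody or admin.
    print(all_of(group(any_of("firewall", phrase("firewall accept"))),
                 group(any_of("nobody", "admin"))))
    # Example 4: a hyphenated user name searched as one literal token.
    print(escape_term("john-smith"))
    # Example 3: executables in the payload, with the dot escaped so it does
    # not match any character.
    print(regex_term(r".*\.exe"))
```

Because every clause is built by a function, the resulting strings can be logged next to the analyst's intent, which makes it easier to review why a saved quick filter matched (or did not match) a given payload.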
Are there system resource minimums for full payload
indexing?
Yes, if you plan to enable full payload indexing, your appliance requires a minimum of 24 GB of
RAM. The 24 GB minimum applies to both virtual and physical appliances. However, in most cases
we suggest that appliances have 48 GB of RAM when they enable this feature. The minimum and
suggested RAM values for full text payload indexing apply to all systems that are processing
events or flows, such as 16xx, 17xx, or 18xx appliances, as well as 31xx Consoles or All-in-One
Console appliances.
Creating widgets from a Dynamic query data source:
The Dynamic Search data source uses the IBM® QRadar® dynamic search API to search for data
that involves aggregated functions such as COUNT, SUM, MAX, and AVG. For example,
you can count the number of asset IDs per asset hostname by using the COUNT_PER function.
Your administrator must provide a dynamic search in the form of a JSON script.
The Dynamic Search option requires QRadar 7.4.1.2020.3.2.20201112005343 (Fix Pack 2)
or later.
If the QRadar version is 7.4.3 or later and you are an administrator, click the Dynamic
search query builder link so that you can build a query and save it as a JSON script to
import into QRadar Pulse.
You can build your query on the following data sources:
• Assets
• Offenses
• Vulninstances
You can add a field without a function as a simple field, or you can add a field with a
function as a complex field to build columns. You can also add conditions to filter your data.
Procedure
• Click Configure dashboard.
The Configure dashboard screen displays a library of available widgets, with
details about each widget.
• Click Create new widget.
• On the New Dashboard Item page, enter a name and a description for the widget.
• Select Dynamic Search from the data source list in the Query section, and enter a
JSON query.
• Optional: If the QRadar version is 7.4.3 or later and you are an administrator, click
the Dynamic search query builder link to build a query.
• Select a Data Source.
• Complete the Available Columns and Available Filters sections.
• To add a name, description, range of the search, retention period, or search
type to your query, enable one or more Extra Search Properties.
• To copy your JSON script, click Generate JSON.
Your results appear in the JSON generated by your query section.
Click Copy to Clipboard to copy your JSON script.
• In QRadar Pulse, paste the copied JSON script.
• Optional: Add parameters to the dynamic search query.
• Insert existing parameters in the query. Click the Insert Parameter icon, and
then click Insert for each relevant parameter.
Important: In dynamic search queries, parameters must be preceded with a
dollar sign (for example, ${NumberOfRules}).
• To change the default value of the parameter, click the View
Parameters icon, and click Save after you set the default value.
When you change the default value for a parameter, you're changing the
value everywhere the parameter is used in your workspace, except in
expanded or pinned dashboards and widgets. If you don't set the value as the
default value, the updated change applies only to the current session.
However, if you set the value as the default, the current session value also
uses that value.
The predefined SYSTEM:username parameter returns the username of the
user who is logged in. System parameters are read only and you cannot
change the default value.
• To add a parameter to your workspace, click Add, give the parameter a name
and default value, if needed, and then click Save.
After you add parameters to a widget on a dashboard for the first time,
the Parameters card appears on the dashboard. If you remove parameters
from the widget, and no other widget in that dashboard uses the parameter,
the Parameters card disappears.
• Click Run Query.
When you first create the widget, you can't configure the charts when no data
results are returned. Try making the criteria in the fields less strict and run the
query again.
• Create a dashboard chart in the Views section.
Because you can create multiple views and charts from the same query, give the
view a unique name. By default, the chart's title and status on the title bar are
displayed; to hide them, click the More options icon and switch the settings to Off.
• Select a chart type and configure the relevant properties. For use cases to help you
decide which chart type to use, see Widget chart types.
• Preview how the chart looks and then click Save.
Tip: The labels for the chart come from the queries that are used. If they are
unintelligible in the preview, edit the labels in the View section.
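The parameter steps above describe a small resolution model: `${Name}` references in the pasted JSON script, workspace defaults that a session value can override, and a read-only `SYSTEM:username` parameter. The following Python code is an added example, not IBM code and not QRadar Pulse's own implementation: it lists the parameters a script uses and substitutes values under those rules, refusing to override a system parameter and checking that the result is still valid JSON before it would be submitted. The sample script is constructed for the demonstration; its field names and layout are illustrative and are not the real dynamic search schema.

```python
import json
import re
from typing import Dict, List, Optional

# ${Name} references, including the predefined SYSTEM:username parameter.
PARAM_RE = re.compile(
    r"\$\{([A-Za-z_][A-Za-z0-9_]*(?::[A-Za-z_][A-Za-z0-9_]*)?)\}")
SYSTEM_PREFIX = "SYSTEM:"

# Constructed dynamic search script for the demonstration (not the real schema).
SAMPLE_SCRIPT = """{
  "data_source": "offenses",
  "filters": [{"field": "assigned_to", "value": "${SYSTEM:username}"}],
  "range": {"limit": ${NumberOfRules}}
}"""


def find_parameters(script: str) -> List[str]:
    """Distinct parameter names in order of first use."""
    names: List[str] = []
    for match in PARAM_RE.finditer(script):
        if match.group(1) not in names:
            names.append(match.group(1))
    return names


def resolve_parameters(script: str, defaults: Dict[str, object],
                       session: Optional[Dict[str, object]] = None,
                       username: str = "analyst") -> str:
    """Substitute values: session values override workspace defaults, system
    parameters are read only, and the result must still be valid JSON."""
    values = dict(defaults)
    for name, value in (session or {}).items():
        if name.startswith(SYSTEM_PREFIX):
            raise ValueError("system parameters are read only: " + name)
        values[name] = value

    def substitute(match):
        name = match.group(1)
        if name == "SYSTEM:username":
            value = username  # supplied by the logged-in session, never by the user
        elif name in values:
            value = values[name]
        else:
            raise KeyError("no default or session value for parameter " + name)
        if isinstance(value, bool):
            return "true" if value else "false"
        if isinstance(value, (int, float)):
            return str(value)
        # Strings are inserted as escaped JSON string content, so a value
        # containing a quote cannot break out of the surrounding "...".
        return json.dumps(str(value))[1:-1]

    resolved = PARAM_RE.sub(substitute, script)
    json.loads(resolved)  # raises if substitution produced invalid JSON
    return resolved


def load_resolved(script: str, defaults: Dict[str, object],
                  session: Optional[Dict[str, object]] = None,
                  username: str = "analyst") -> dict:
    """Convenience wrapper that returns the resolved script as a dict."""
    return json.loads(resolve_parameters(script, defaults, session, username))


if __name__ == "__main__":
    print(find_parameters(SAMPLE_SCRIPT))
    print(resolve_parameters(SAMPLE_SCRIPT, {"NumberOfRules": 10},
                             session={"NumberOfRules": 5}, username="alice"))
```

Running `find_parameters` over a script before importing it into a widget shows which Parameters card entries the dashboard will need, and the JSON check catches a parameter that was pasted into a numeric slot with a string default.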
QRadar technical sales foundations:
A 215-page PDF file from the guide.
5.2 Explain the different uses for each search type:
Offense searches:
You can search offenses by using specific criteria to display offenses that match the search
criteria in a results list.
You can create a new search or load a previously saved set of search criteria.
• Searching offenses on the My Offenses and All Offenses pages
On the My Offenses and All Offenses pages of the Offense tab, you can search for
offenses that match your criteria.
• Searching offenses on the By Source IP page
This topic provides the procedure for how to search offenses on the By Source
IP page of the Offense tab.
• Searching offenses on the By Destination IP page
On the By Destination IP page of the Offense tab, you can search offenses that are
grouped by the destination IP address.
• Searching offenses on the By Networks page
On the By Network page of the Offense tab, you can search offenses that are
grouped by the associated networks.
• Saving search criteria on the Offenses tab
On the Offenses tab, you can save configured search criteria so that you can reuse
the criteria for future searches. Saved search criteria do not expire.
• Searching for offenses that are indexed on a custom property
Define search criteria to filter the offense list and make it easier to see which
offenses you need to investigate. You can use the offense type in your search criteria
to find all offenses that are based on a custom property. You can filter the query
results to show offenses that have a specific custom property capture result.
Advanced search options: (mentioned above)
Creating a customized search:
You can search for data that match your criteria by using more specific search options. For example,
you can specify columns for your search, which you can group and reorder to more efficiently
browse your search results.
The duration of your search varies depending on the size of your database.
You can add new search options to filter through search results to find a specific event or
flow that you are looking for.
The following table describes the search options that you can use to search event and
flow data:
Procedure
• Choose a search option:
• To search events, click the Log Activity tab.
• To search flows, click the Network Activity tab.
• From the Search list, select New Search.
• Select a previously saved search.
• To create a search, in the Time Range pane, select the options for the time range that
you want to capture for this search.
Note: The time range that you select might impact performance, when the time
range is large.
• Enable unique counts in the Data Accumulation pane.
Note: Enabling unique counts on accumulated data, which is shared with many
other saved searches and reports might decrease system performance.
• In the Search Parameters pane, define your search criteria.
a. From the first list, select a parameter that you want to search for.
b. From the second list, select the modifier that you want to use for the search.
Note:
To search for an event or flow whose custom property does not have a value,
use the "is N/A" operator. To search for an event or flow whose custom
property has a value, use the "is not N/A" operator.
c. From the entry field, type specific information that is related to your search
parameter.
d. Click Add Filter.
e. Repeat these steps for each filter that you are adding to the search criteria.
• To automatically save the search results when the search is complete, select
the Save results when search is complete check box, and then type a name for the
saved search.
• In the Column Definition pane, define the columns and column layout that you want
to use to view the results:
a. From the Display list, select the preconfigured column that is set to associate with
this search.
b. Click the arrow next to Advanced View Definition to display advanced search
parameters.
c. Customize the columns to display in the search results.
d. In the Results Limit field, type the number of rows that you want the search to
return.
Tip: If you configure a log source that belongs to multiple log source groups but has
only one event that matches your search criteria, the search generates results for
each log source group (including the parent group) that the event belongs to. This is
expected behavior.
• Click Filter.
• Creating a custom column layout
Create a custom column layout by adding or removing columns in an existing layout.
• Deleting a custom column layout
You can delete an existing user-created column layout.
Offense indexing considerations:
It is important to understand how offense indexing impacts your IBM®
QRadar® deployment.
System performance
Ensure that you optimize and enable all custom properties that are used for offense
indexing. Using properties that are not optimized can have a negative impact on
performance.
When you create a rule, you cannot select non-optimized properties in the Index offense
based on field. However, if an existing rule is indexed on a custom property, and then the
custom property is de-optimized, the property is still available in the offense index list. Do
not de-optimize custom properties that are used in rules.
Rule action and response
When the indexed property value is null, an offense is not created, even when you select
the Ensure the detected event is part of an offense check box in the rule action. For
example, if a rule is configured to create an offense that is indexed by host name, but the
host name in the event is empty, an offense is not created even though all of the conditions
in the rule tests are met.
When the response limiter uses a custom property, and the custom property value is null,
the limit is applied to the null value. For example, if the response is Email, and the limiter
says Respond no more than 1 time per 1 hour per custom property, if the rule fires a
second time with a null property within 1 hour, an email will not be sent.
When you index using a custom property, the properties that you can use in the rule index
and response limiter fields depend on the type of rule that you are creating. An event rule
accepts custom event properties in the rule index and response limiter fields, while a flow
rule accepts only custom flow properties. A common rule accepts either custom event or
custom flow properties in the rule index and response limiter fields.
You cannot use custom properties to index an offense that is created by a dispatched event.
Payload contents
Offenses that are indexed by the Ariel Query Language (AQL), a regular expression (regex),
or by a calculated property include the same payload as the initial event that generated the
offense.
Offenses that are indexed by a normalized event field, such as Source IP or Destination IP,
include the event name and description as the custom rules engine (CRE) payload.
Saving search criteria on the Offenses tab:
On the Offenses tab, you can save configured search criteria so that you can reuse the
criteria for future searches. Saved search criteria do not expire.
Procedure
• Procedure
• Perform a search. See Offense searches.
• Click Save Criteria.
• Enter values for the following parameters:
• Click OK.
Searching offenses on the By Destination IP page:
On the By Destination IP page of the Offense tab, you can search offenses that are grouped by the
destination IP address.
The following table describes the search options that you can use to search offenses on the By
Destination IP page:
Procedure
• Click the Offenses tab.
• On the navigation menu, click By Destination IP.
• From the Search list box, select New Search.
• On the Time Range pane, select an option for the time range you want to capture for
this search. See Table 1.
• On the Search Parameters pane, define your specific search criteria. See Table 1.
• On the Column Definition pane, define the order in which you want to sort the
results:
• From the first list box, select the column by which you want to sort the
search results.
• From the second list box, select the order in which you want to display the
search results. Options include Descending and Ascending.
• Click Search.
Searching offenses on the By Networks page:
On the By Network page of the Offense tab, you can search offenses that are grouped by the
associated networks.
The following table describes the search options that you can use to search offense data on the By
Networks page:
Procedure
• Click the Offenses tab.
• Click By Networks.
• From the Search list box, select New Search.
• On the Search Parameters pane, define your specific search criteria. See Table 1.
• On the Column Definition pane, define the order in which you want to sort the
results:
• From the first list box, select the column by which you want to sort the
search results.
• From the second list box, select the order in which you want to display the
search results. Options include Descending and Ascending.
• Click Search.
Searching offenses on the By Source IP page:
This topic provides the procedure for how to search offenses on the By Source IP page of
the Offense tab.
The following table describes the search options that you can use to search offense data on the By
Source IP page:
Procedure
• Click the Offenses tab.
• Click By Source IP.
• From the Search list box, select New Search.
• On the Time Range pane, select an option for the time range you want to capture for
this search. See Table 1.
• On the Search Parameters pane, define your specific search criteria. See Table 1.
• On the Column Definition pane, define the order in which you want to sort the
results:
• From the first list box, select the column by which you want to sort the
search results.
• From the second list box, select the order that you want to display for the
search results. Options include Descending and Ascending.
• Click Search.
Searching for offenses that are indexed on a custom
property:
Define search criteria to filter the offense list and make it easier to see which offenses you need to
investigate. You can use the offense type in your search criteria to find all offenses that are based on
a custom property. You can filter the query results to show offenses that have a specific custom
property capture result.
The custom property must be used as a rule index. For more information, see Offense indexing.
Procedure
• Click the Offenses tab.
• From the Search list, select New Search.
• On the Offense Source pane, select the custom property in the Offense Type list.
The Offense Type list shows only normalized fields and custom properties that are
used as rule indexes. You cannot use Offense Source to search DateTime properties.
• Optional: To search for offenses that have a specific value in the custom property
capture result, type the value that you want to search for in the filter box.
• Configure other search parameters to satisfy your search requirements.
• Click Search.
Results: All offenses that meet the search criteria are shown in the offense list. When you view the
offense summary, the custom property that you searched on is shown in the Offense Type field.
The custom property capture result is shown in the Custom Property Value field in the Offense
Source Summary pane.
5.3 Filter search results:
5.3.1 Initiate a Search
-- From Log Activity Tab
--- Click Search -> New Search
--- Select properties to view in the search
--- In the time frame -> select recent -> last 1 hour
5.3.2 Group and Filter by Username
-- From the Search Results
--- Select Username from Display column (This will group results by username)
--- Add Filter for Username Is Not N/A
--- Double click on the top username. (This will filter the results for that username)
5.3.3 Filter by Log Source Type
-- From the search results
--- Click Add Filter
--- Select Log Source Type from the properties
--- Select Microsoft Windows Security Event Log
5.3.4 Filter using Reference Set
-- From the search results
--- Select Reference Set from the Parameter List
--- For Value -> Data Entry -> Select Source IP
--- Operator -> Exists in any of
--- Reference Set -> Malicious Ips
5.3.5 Filter using Regex Expression
-- From the search results
--- Select Username from Parameter
--- Select Matches Expression from Operator
--- Add ^adm* and Click + and Add Filter
--- (This will filter search results with usernames starting with adm)
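The five filters of 5.3 applied in Python to constructed Windows and Linux search results, as an added illustration rather than QRadar code. The event dictionaries, the `MALICIOUS_IPS` set standing in for the Malicious Ips reference set and the function names are constructed, and Matches Expression is modelled as a regular-expression search; this also shows that `^adm*` matches any username starting with `ad` (the `*` applies only to the trailing `m`), whereas `^adm` matches only usernames that start with `adm`.

```python
import re
from collections import Counter

WINDOWS = "Microsoft Windows Security Event Log"

# Constructed sample search results (not real QRadar data).
EVENTS = [
    {"username": "administrator", "log_source_type": WINDOWS, "source_ip": "10.0.0.5"},
    {"username": "administrator", "log_source_type": WINDOWS, "source_ip": "10.0.0.5"},
    {"username": "adm_backup", "log_source_type": WINDOWS, "source_ip": "10.0.0.9"},
    {"username": "adele", "log_source_type": WINDOWS, "source_ip": "10.0.0.21"},
    {"username": "N/A", "log_source_type": WINDOWS, "source_ip": "10.0.0.30"},
    {"username": "jsmith", "log_source_type": "Linux OS", "source_ip": "203.0.113.7"},
    {"username": "N/A", "log_source_type": "Linux OS", "source_ip": "203.0.113.7"},
]

# Stand-in for the 'Malicious Ips' reference set (constructed, documentation address range).
MALICIOUS_IPS = {"203.0.113.7"}


def group_by_username(events):
    """5.3.2, first two steps: group by Username and apply 'Username Is Not N/A'."""
    return Counter(e["username"] for e in events if e["username"] != "N/A")


def top_username(events):
    """5.3.2, last step: the username you would double-click to drill into."""
    counts = group_by_username(events)
    return counts.most_common(1)[0][0] if counts else None


def filter_equals(events, prop, value):
    """5.3.3: property equals value, e.g. Log Source Type = Microsoft Windows Security Event Log."""
    return [e for e in events if e.get(prop) == value]


def filter_in_reference_set(events, prop, reference_set):
    """5.3.4: 'Exists in any of' a reference set, applied to the chosen property."""
    return [e for e in events if e.get(prop) in reference_set]


def filter_matches_expression(events, prop, pattern):
    """5.3.5: 'Matches Expression', modelled here as a regular-expression search."""
    regex = re.compile(pattern)
    return [e for e in events if e.get(prop) is not None and regex.search(e[prop])]


def usernames(events):
    """Sorted distinct usernames, handy for comparing filter outcomes."""
    return sorted({e["username"] for e in events})


if __name__ == "__main__":
    print("top username:", top_username(EVENTS))
    print("windows events:", len(filter_equals(EVENTS, "log_source_type", WINDOWS)))
    print("from malicious IPs:", usernames(filter_in_reference_set(EVENTS, "source_ip", MALICIOUS_IPS)))
    # '^adm*' also matches 'adele': the '*' only makes the trailing 'm' optional.
    print("^adm* :", usernames(filter_matches_expression(EVENTS, "username", r"^adm*")))
    print("^adm  :", usernames(filter_matches_expression(EVENTS, "username", r"^adm")))
```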
5.4 Build threat reports
Creating custom reports:
Use the Report wizard to create and customize a new report.
You must have appropriate network permissions to share a generated report with other users.
The Report wizard provides a step-by-step guide on how to design, schedule, and generate
reports.
The wizard uses the following key elements to help you create a report:
• Layout - Position and size of each container
• Container - Placeholder for the featured content
• Content - Definition of the chart that is placed in the container
After you create a report that generates weekly or monthly, the scheduled time must elapse
before the generated report returns results. For example, a weekly search requires seven
days to build its data and returns results after 7 days.
When you specify the output format for the report, consider that the file size of generated
reports can be 1 to 2 megabytes, depending on the selected output format. PDF format is
smaller in size and does not use a large quantity of disk storage space.
Procedure
• Click the Reports tab.
• From the Actions list box, select Create.
• On the Welcome to the Report wizard! window, click Next.
• Select one of the following options:
• In the Allow this report to generate manually pane, select Yes or No.
• Configure the layout of your report:
• From the Orientation list box, select Portrait or Landscape for the page
orientation.
• Select one of the six layout options that are displayed on the Report wizard.
• Click Next.
• Specify values for the following parameters:
• Configure each container in the report:
• From the Chart Type list box, select a chart type.
• On the Container Details window, configure the chart parameters.
Note: You can also create asset saved searches. From the Search to use list
box, select your saved search.
• Click Save Container Details.
• If you selected more than one container, repeat steps a to c.
• Click Next.
• Preview the Layout Preview page, and then click Next.
• Select the check boxes for the report formats you want to generate, and then
click Next.
Important: Extensible Markup Language is only available for tables.
• Select the distribution channels for your report, and then click Next. Options include
the following distribution channels:
• On the Finishing Up page, enter values for the following parameters.
• Click Next to view the report summary.
• On the Report Summary page, select the tabs available on the summary report to
preview your report configuration.
Results: The report immediately generates. If you cleared the Would you like to run the
report now check box on the final page of the wizard, the report is saved and generates at the
scheduled time. The report title is the default title for the generated report. If you reconfigure
a report to enter a new report title, the report is saved as a new report with the new name;
however, the original report remains the same.
5.5 Perform a quick search
5.5.1 Do a Quick Search
-- Click Log Activity Tab
-- Click Quick Searches drop down
-- Select Event Rate (EPS) - Last 15 Minutes
Quick filters: (mentioned above)
5.6 View the most commonly triggered rules:
(Youtube video demonstrations)
QRadar Use Case Manager app:
Use the guided tips in the IBM® QRadar® Use Case Manager app to help you ensure
that IBM QRadar is optimally configured to accurately detect threats throughout the attack
chain.
QRadar Use Case Manager includes a use case explorer that offers flexible reports that are
related to your rules. QRadar Use Case Manager also exposes pre-defined mappings to
system rules and helps you map your own custom rules to MITRE ATT&CK tactics and
techniques.
Explore rules through visualization and generated reports
• Explore the rules through different filters to ensure that they work as intended.
• Generate reports from predefined templates, such as searches based on rule
response and actions, log source coverage, and many others.
• Customize reports to see only the information that is critical to your analysis.
Tune your environment based on built-in analysis
• Gain tuning recommendations unique to your environment right within the app.
• Identify the topmost offense-generating or CRE-generating rules, and then follow
the guide to tune them.
• Reduce the number of false positives by reviewing the most common configuration
steps. Easily update network hierarchy, building blocks, and server discovery based
on recommendations.
Visualize threat coverage across the MITRE ATT&CK
framework
• Visually understand your ability to detect threats based on ATT&CK tactics and
techniques.
• View predefined QRadar tactic and technique mappings and add your own custom
mappings to help ensure complete coverage.
• Use new insights to prioritize the rollout of new use cases and apps to effectively
strengthen your security posture.
• What's new in QRadar Use Case Manager
(https://www.ibm.com/docs/en/SS42VS_SHR/com.ibm.tuningapp.doc/c_Qapps_Tuning_WhatsNew.html)
Stay up to date with the new features that are available in the IBM QRadar Use Case
Manager app so that you get the most out of your use case management experience.
• Known issues
The IBM QRadar Use Case Manager app has required information for known issues.
• Video demonstrations
Watch video tutorials to learn how to use the workflows and features in IBM QRadar
Use Case Manager.
• Supported environments for QRadar Use Case Manager
(https://www.ibm.com/docs/en/SS42VS_SHR/com.ibm.tuningapp.doc/c_Qapps_Tuning_browsers.html)
For the features in IBM QRadar products to work properly, you must use the
supported environments.
• Installation and configuration checklist
As you install the IBM QRadar Use Case Manager app, review and complete all of the
necessary tasks on the installation checklist.
• MITRE ATT&CK mapping and visualization
(https://www.ibm.com/docs/en/SS42VS_SHR/com.ibm.tuningapp.doc/c_Qapps_Tuning_mitre_mappings.html)
The MITRE ATT&CK framework represents adversary tactics that are used in a
security attack. It documents common tactics, techniques, and procedures that can
be used in advanced persistent threats against enterprise networks.
• Investigating tuning findings
Sometimes, rules or building blocks might be incorrectly defined. Use the Tuning
Finding report to investigate whether the rule or building block needs to be edited
for more robust information, or if the rule is working as designed. Then, you can
hide the finding if it’s not relevant (for example you set the rule up that way) or is a
false positive.
• Accessing report data by using QRadar Use Case Manager APIs
(https://www.ibm.com/docs/en/SS42VS_SHR/com.ibm.tuningapp.doc/t_Qaaps_Tuning_download_csv_with_api.html)
As an alternative to using the interface in IBM QRadar Use Case Manager, you can
use APIs to download report data to CSV or JSON files. Try using the interactive API
documentation interface to test the APIs before you use them in your scripts.
Tuning the active rules that generate offenses:
Tuning the noisiest rules can significantly reduce false positives. To investigate IBM®
QRadar® offenses, you must view the rules that created the offense.
Unapplied filter tags appear in the filters row with a lighter colored background. After you
apply the filters, the tags change to a darker colored background.
Procedure
• From the QRadar Use Case Manager main menu, click Active Rules.
• Apply filters to the active rules to fine-tune your investigation.
• Filter the rules that started to contribute to offenses according to the
calendar or by timeframe. The default date is in the last three days. Change
the timeframe, or choose to filter the rules that began to contribute to
offenses between specific dates and times.
• Select parameters to exclude offenses from the results, such as hidden or
closed offenses. Offenses that are marked for follow-up are flagged for
further investigation. You might have offenses that you want to retain
regardless of the retention period; those offenses are protected to prevent
them from being removed from QRadar after the retention period elapses.
Inactive offenses can be removed from visualization so that reports aren't
cluttered.
• Select the closure reason for an offense. For example, you can filter to see
which rules generated the offenses that were closed as false positives. Rules
with many false positives likely need tuning. Offenses that are closed as a
non-issue are usually considered not critical to your organization.
• Click Apply Filters.
• Review the Offenses by rule, Offenses by category and rule, Closed offenses by
reason and rule, Events count trend by rule, and Offense creation trend by
rule charts.
Tip: The Offense creation trend by rule chart is supported on QRadar 7.4.1 Fix
Pack 2 or later.
• Hover over the chart segments to see more details about an offense.
• Hide or show chart legends.
• Click legend keys to fine-tune the chart display.
• Zoom in for further investigation.
• Expand bar and timeline charts to full screen.
• Export bar and timeline charts to CSV, PNG, or JPG formats.
• View bar and timeline chart data in tabular format. Then, export the data in
CSV format to view offline or share with colleagues.
• In the table, tune the rules by choosing from the following methods:
• Toggle between the top noisy rules or all the rules from the list.
• Add more rules to investigate by selecting a group of rules or an individual
rule from the list.
Tip: The Event count column in the report indicates how many events the
rule contributed to the offenses counted in the Offense count column.
The Event count column is supported on QRadar 7.4.1 Fix Pack 2 or later.
• Click Investigate.
• Watch a short video to learn how to use the rule wizard.
• Review each individual rule and the BBs that contribute to the active rule.
For each rule, you can further investigate it by clicking Show dependency
tree or Edit in rule wizard.
• Use the visualization diagram to further fine-tune any related options for the
rule or building block, such as log source types, custom properties, or
reference sets.
• Review the offenses that are generated by each active rule.
• Review the values in the various groups of tests, and tune if necessary.
• Review the MITRE ATT&CK mappings for the rule, and edit if necessary.
• To add custom rule attributes to the selected rule or building block, see Step
10 in Investigating QRadar rules and building blocks
(https://www.ibm.com/docs/en/SS42VS_SHR/com.ibm.tuningapp.doc/t_Qapps_Tuning_explore_rules.html).
• To investigate QRadar User Behavior Analytics rules, see Investigating user
behavior analytics rules.
• To return to the Active Rules page, click Active Rules in the breadcrumbs.
• To export selected rule data in the report to CSV format that you can further process
or view in Excel, select the relevant checkboxes and then click Export.
• Reviewing your network hierarchy
A well-defined and maintained network hierarchy can help prevent the generation
of false positive offenses. The network hierarchy is used to define which IP
addresses and subnets are part of your network. Ensure that all internal address
spaces, both routable and non-routable, are defined within your IBM
QRadar network hierarchy. QRadar can then distinguish your local network from
the remote network. Event and flow context is based on whether the source and
destination IPs are local or remote. Event and flow context, and data from your
network hierarchy are used in rule tests.
• Reviewing building blocks
Building blocks are a reusable set of rule tests that can be used within rules when
needed. Host definition building blocks (BB:HostDefinition) categorize assets and
server types into CIDR/IP ranges. By populating host definition building blocks, IBM
QRadar can identify the type of appliance that belongs to an address or address
range. These building blocks can then be used in rules to exclude or include entire
asset categories in rule tests.
Viewing rules that are deployed:
You can view the rules that are deployed in your IBM® QRadar® deployment. For example,
you can determine which rules are most active in generating offenses.
Procedure
• Click the Offenses tab.
• On the navigation menu, click Rules.
• To determine which rules are most active in generating offenses, from the rules
page, click Offense Count to reorder the column in descending order.
• Double-click any rule to display the Rule Wizard. You can configure a response to
each rule.
Tip: For more information about your CRE configuration, see the IBM QRadar User
Guide.
Use the IBM QRadar Use Case Manager to tune the most active rules that create
offenses and to tune the rules that generate CRE events. Download the app at
the IBM Security App Exchange
(https://exchange.xforce.ibmcloud.com/hub/extension/bf01ee398bde8e5866fe51d0e1ee684a).
5.7 Report events correlated in the offense
(No reference)
5.8 Export Search results in CSV or XML
5.8.2 Exporting Events
-- Export events in Extensible Markup Language (XML) or Comma-Separated Values (CSV) format.
--- Export to XML > Visible Columns - Select this option to export only the columns that are visible on the
Log Activity tab.
--- Export to XML > Full Export (All Columns) - Select this option to export all event parameters. A full
export can take an extended period of time to complete.
--- Export to CSV > Visible Columns - Select this option to export only the columns that are visible on the
Log Activity tab.
--- Export to CSV > Full Export (All Columns) - Select this option to export all event parameters. A full
export can take an extended period of time to complete.
Exporting offenses:
Export offenses when you want to reuse the data or when you want to store the data
externally. For example, you can use the offense data to create reports in a third-party
application. You can also export offenses as a secondary long-term retention strategy.
Customer Support might require you to export offenses for troubleshooting purposes.
You can export offenses in Extensible Markup Language (XML) or comma-separated values
(CSV) format. The resulting XML or CSV file includes the parameters that are specified in
the Column Definition pane of the search parameters. The length of time that is required to
export the data depends on the number of parameters specified.
Procedure
• Click the Offenses tab.
• Select the offenses that you want to export.
To select multiple offenses, hold the Control key while you select each offense.
• Choose one of the following options:
• To export the offenses in XML format, select Actions > Export to XML.
• To export the offenses in CSV format, select Actions > Export to CSV.
Note: If you use Microsoft Excel to import the CSV file, you must select the
correct locale to ensure that the data displays correctly.
• Choose one of the following options:
• To open the file for immediate viewing, select Open with and
select an application from the list.
• To save the file, select Save File.
• Click OK.
The file, <date>-data_export.xml.zip, is saved in the default download folder on your
computer.
Exporting events:
You can export events in Extensible Markup Language (XML) or Comma-Separated Values
(CSV) format.
The length of time that is required to export your data depends on the number of parameters
specified.
Procedure
• Click the Log Activity tab.
• Optional. If you are viewing events in streaming mode, click the Pause icon to pause
streaming.
• From the Actions list box, select one of the following options:
• Export to XML > Visible Columns - Select this option to export only the
columns that are visible on the Log Activity tab. This is the recommended
option.
• Export to XML > Full Export (All Columns) - Select this option to export all
event parameters. A full export can take an extended period of time to
complete.
• Export to CSV > Visible Columns - Select this option to export only the
columns that are visible on the Log Activity tab. This is the recommended
option.
• Export to CSV > Full Export (All Columns) - Select this option to export all
event parameters. A full export can take an extended period of time to
complete.
• If you want to resume your activities while the export is in progress, click Notify
When Done.
Result: When the export is complete, you receive a notification. If you did not
click Notify When Done, the status window is displayed instead.
Q: How do you get column headers included in your Export to CSV output?
By default, the Include Header in CSV Export setting is No, so CSV column headers
are disabled. You can enable the headers using this procedure.
• Click the Admin tab > System Settings icon.
• Scroll down to the Data Export Settings.
• Under Include Header in CSV Export, change the value from No to Yes.
• Click Save.
• From the Admin tab > Deploy Changes.
Result: Exports will now include the headers in the CSV.
5.9 Create reports and advanced reports out of
offenses
5.9.1 Create Search to Show Offense Data
-- From QRadar Web UI, Click Log Activity Tab* Click Search -> Edit Search
-- Under Search Parameters -> Select Associated With Offense Equal True, Select Log Source Type is
Custom Rule Engine
-- Click Filter to do the search.
-- Click Search -> Save Search -> Offense Data
5.9.2 Create report from Saved Search Offense Data
-- Go to Reports and Click Actions -> Create
-- Create a new report using the saved search Offense Data
Creating a search for a report to show Offense Data:
(not entirely clear)
Procedure to create a search to report Offense Data
• From the QRadar web user interface, go to the Log Activity tab.
Click Search > Edit Search.
• Under Search Parameters
• Select Associated With Offense Equal True.
• Select Log Source Type is Custom Rule Engine.
• Click Filter to do a search.
• When the results come back, open one of the events and select Extract Property.
• Enter a name in New Property for example NewCustom.
In the RegEx, use
(.+?)\t
• Add a Log Source Type and select a Category of High Level
Category Any and Low Level Category Any to pull the exact property;
otherwise it will be locked down to just one QID.
• Go back to your saved search.
• Under Column Definitions, use this new Custom Event Property and put this
in Group By. Also put Source IP in Group By. You can also select any additional
columns by putting these in Columns.
Result: You can now save this as a Saved Search and run Reports against it.
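The procedure above builds a saved search that applies the regex `(.+?)\t` to Custom Rule Engine events and groups the result by the new property and Source IP. The following script is an added example, not code from the page or from IBM: it reproduces that extraction and grouping offline on constructed event records so the effect of the non-greedy capture and the Group By columns can be inspected. The assumption that the first tab-delimited field of a CRE payload holds the rule name is the example's own illustration, not a statement of QRadar's payload format.

```python
"""Group CRE events by a tab-extracted custom property and Source IP.

Added example, not from the page or from IBM. It applies the custom event
property regex (.+?)\t to each Custom Rule Engine event payload and groups
the matching events by that property and by Source IP, as the saved search
does. The event records are constructed samples; that the first
tab-delimited field carries the rule name is an assumption for illustration.
"""
import re
from collections import Counter

# The regex from the procedure: non-greedy capture of everything up to the
# first tab, so the property is exactly the first tab-delimited field.
NEW_CUSTOM = re.compile(r"(.+?)\t")


def extract_property(payload, pattern=NEW_CUSTOM):
    """Return capture group 1 of `pattern`, or None when it does not match.

    A payload with no tab yields None, mirroring a custom property that stays
    empty for events the regex does not match.
    """
    m = pattern.search(payload)
    return m.group(1) if m else None


def group_offense_data(events, pattern=NEW_CUSTOM):
    """Count events grouped by (NewCustom, Source IP).

    Only events associated with an offense and produced by the Custom Rule
    Engine log source type are kept, as in the search parameters. Events whose
    payload does not match the regex are skipped rather than grouped under None.
    """
    counts = Counter()
    for ev in events:
        if not ev.get("associated_with_offense"):
            continue
        if ev.get("log_source_type") != "Custom Rule Engine":
            continue
        prop = extract_property(ev["payload"], pattern)
        if prop is None:
            continue
        counts[(prop, ev["source_ip"])] += 1
    return counts


def to_rows(counts):
    """Sort the grouped counts like the report table: highest count first."""
    return sorted(((p, ip, n) for (p, ip), n in counts.items()),
                  key=lambda r: (-r[2], r[0], r[1]))


# Constructed sample events (not real QRadar output).
SAMPLE_EVENTS = [
    {"log_source_type": "Custom Rule Engine", "associated_with_offense": True,
     "source_ip": "10.0.0.5", "payload": "Excessive Firewall Denies\tdetails"},
    {"log_source_type": "Custom Rule Engine", "associated_with_offense": True,
     "source_ip": "10.0.0.5", "payload": "Excessive Firewall Denies\tmore"},
    {"log_source_type": "Custom Rule Engine", "associated_with_offense": True,
     "source_ip": "10.0.0.9", "payload": "Login Failure Followed by Success\tx"},
    {"log_source_type": "Custom Rule Engine", "associated_with_offense": False,
     "source_ip": "10.0.0.9", "payload": "Login Failure Followed by Success\tx"},
    {"log_source_type": "Custom Rule Engine", "associated_with_offense": True,
     "source_ip": "10.0.0.7", "payload": "no tab in this payload"},
    {"log_source_type": "Linux OS", "associated_with_offense": True,
     "source_ip": "10.0.0.5", "payload": "sshd\tFailed password"},
]

if __name__ == "__main__":
    for prop, ip, n in to_rows(group_offense_data(SAMPLE_EVENTS)):
        print(f"{n:>5}  {ip:<12} {prop}")
```

The fifth sample event shows why the category scoping step matters in a different way: a regex that fails to match simply produces no value, so a property restricted to one QID or one category silently drops every other event from the grouped report.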
5.10 Share reports with users
5.10.1 Share a report.
-- Click the Reports tab.
-- Select the reports that you want to share.
-- From the Actions list box, click Share.
-- From the list of users, select the users with whom you want to share this report.
Sharing a report:
You can share reports with other users. When you share a report, you provide a copy of the
selected report to another user to edit or schedule.
Any updates that the user makes to a shared report do not affect the original version of
the report.
You must have administrative privileges to share reports. Also, for a new user to view and
access reports, an administrative user must share all the necessary reports with the new
user.
You can only share the report with users that have the appropriate access.
Procedure
• Click the Reports tab.
• Select the reports that you want to share.
• From the Actions list box, click Share.
• From the list of users, select the users with whom you want to share this report.
5.11 Search using indexed and non-indexed
properties
5.11.1 Search using indexed and non-indexed properties
-- Indexed Filters
--- Click Log Activity Tab
--- Click Add Filter
--- Review Indexed Properties (Properties with the tag (Indexed) in the end)
--- Add one of the indexed parameters
--- Click Add Filter
Index management:
Use Index Management to control database indexing on event and flow properties. To
improve the speed of searches in IBM® QRadar®, narrow the overall data by adding an
indexed field in your search query.
An index is a set of items that specify information about data in a file and its location in the
file system. Data indexes are built in real-time as data is streamed or are built upon request
after data is collected. Searching is more efficient because systems that use indexes don't
have to read through every piece of data to locate matches. The index contains references
to unique terms in the data and their locations. Indexes use disk space, so you trade storage
space for shorter search times.
Index event and flow properties first to optimize your searches. You can enable
indexing on any property that is listed in the Index Management window and you can
enable indexing on more than one property. When a search starts in QRadar, the search
engine first filters the data set by indexed properties. The indexed filter eliminates portions
of the data set and reduces the overall data volume and number of event or flow logs that
must be searched. Without any filters, QRadar takes more time to return the results for
large data sets.
For example, you might want to find all the logs in the past six months that match the
text: The operation is not allowed. By default, QRadar stores full text indexing for the
past 30 days. Therefore, to complete a search from the last 6 months, the system must
reread every payload value from every event or flow in that time frame to find matches.
Your results display faster when you search with an indexed value filter such as a Log
Source Type, Event Name, or Source IP.
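The two paragraphs above explain why an indexed filter should come first and why a six-month text search is expensive when the payload index only covers 30 days. The following model is an added example, not QRadar code: it builds a property index over the whole retention window and a payload index over the last 30 days only, then counts how many payloads a text search must reread with and without an indexed Log Source Type filter. The event data, dates and the 30-day window are constructed for illustration.

```python
"""Why an indexed filter narrows a search before the payload scan.

Added example, not QRadar code. It models the text above: event properties
such as Log Source Type are indexed for the whole retention window, while
full-text (payload) indexing covers only the most recent 30 days by default.
The search counts how many payloads must be reread to answer a six-month
text search with and without an indexed filter. Events, dates and the
30-day payload-index window are constructed for illustration.
"""
from collections import defaultdict
from datetime import date, timedelta

TODAY = date(2024, 6, 30)          # constructed "now"
PAYLOAD_INDEX_DAYS = 30            # default payload index retention from the text


class EventStore:
    def __init__(self, events):
        self.events = events
        # Property index: value -> event ids, for the full retention window.
        self.by_log_source_type = defaultdict(set)
        # Payload (full-text) index: term -> event ids, recent events only.
        self.payload_index = defaultdict(set)
        for i, ev in enumerate(events):
            self.by_log_source_type[ev["log_source_type"]].add(i)
            if (TODAY - ev["day"]).days < PAYLOAD_INDEX_DAYS:
                for term in ev["payload"].lower().split():
                    self.payload_index[term].add(i)

    def search(self, text, days, log_source_type=None):
        """Return (matching event ids, payloads reread) for a text search."""
        since = TODAY - timedelta(days=days)
        candidates = set(range(len(self.events)))
        if log_source_type is not None:
            # Indexed filter first: shrink the candidate set without
            # touching a single payload.
            candidates &= self.by_log_source_type[log_source_type]
        terms = text.lower().split()
        hits, payload_reads = set(), 0
        for i in sorted(candidates):
            ev = self.events[i]
            if ev["day"] < since:
                continue
            if (TODAY - ev["day"]).days < PAYLOAD_INDEX_DAYS:
                # Covered by the payload index: term lookups, no reread.
                if all(i in self.payload_index[t] for t in terms):
                    hits.add(i)
            else:
                # Older than the payload index: the payload must be reread.
                payload_reads += 1
                if text.lower() in ev["payload"].lower():
                    hits.add(i)
        return hits, payload_reads


def build_sample():
    """Constructed events: one per log source type per day for 180 days."""
    types = ["Linux OS", "Windows Security", "Cisco ASA"]
    events = []
    for d in range(180):
        for t in types:
            hit = d % 9 == 0 and t == "Linux OS"
            events.append({"day": TODAY - timedelta(days=d),
                           "log_source_type": t,
                           "payload": "The operation is not allowed" if hit else "ok"})
    return events


if __name__ == "__main__":
    store = EventStore(build_sample())
    for lst in (None, "Linux OS"):
        hits, reads = store.search("The operation is not allowed", days=180,
                                   log_source_type=lst)
        print(f"filter={lst!r}: {len(hits)} hits, {reads} payloads reread")
```

Both searches return the same hits; the indexed filter only changes how many payloads older than the 30-day payload index have to be reread, which is the cost the text describes for a six-month search.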
The Index Management feature also provides statistics, such as:
• The percentage of saved searches running in your deployment that include the
indexed property
• The volume of data that is written to the disk by the index during the selected time
frame
To enable payload indexing, you must enable indexing on the Quick Filter property.
• Enabling indexes
The Index Management window lists all event and flow properties that can be
indexed and provides statistics for the properties. Toolbar options allow you to
enable and disable indexing on selected event and flow properties.
• Enabling payload indexing to optimize search times
You use the Quick Filter feature on the Log Activity and Network Activity tab to
search event and flow payloads by using a text string. To optimize event and flow
search times, enable payload indexing on the Quick Filter property.
• Configuring the retention period for payload indexes
By default, IBM QRadar sets 30 days for the data retention period of the payload
index. You can search for specific values in quick filter indexes beyond 30 days by
changing the default retention in QRadar.
Reference: IBM QRadar User Guide (256 pages)
https://www.ibm.com/docs/en/SS42VS_7.4/pdf/b_qradar_users_guide.pdf
5.12 Create and generate scheduled and manual
reports
5.12.1 Manually Generate a Report
-- Click the Reports tab.
-- Select the report that you want to generate.
-- Click Run Report
5.12.2 Create a Report.
-- Click the Reports tab.
-- From the Actions list box, select Create.
-- On the Welcome to the Report wizard! window, click Next.
-- Select the option "Manually" or a schedule frequency of Hourly, Daily, Weekly, or Monthly.
-- In the Allow this report to generate manually pane, Select Yes.
-- Configure the layout of your report:
-- From the Orientation list box, select Portrait or Landscape for the page orientation.
-- Select one of the six layout options that are displayed on the Report wizard.
-- Click Next
-- Specify values for the following parameters (Report title, Logo, Pagination options, Report
Classification)
-- Configure each container in the report:
--- From the Chart Type list box, select a chart type.
--- On the Container Details window, configure the chart parameters.
--- Click Save Container Details.
-- Preview the Layout Preview page, and then click Next.
-- Select the check boxes for the report formats you want to generate, and then click Next.
-- Select the distribution channels for your report, and then click Next. Options include the following
distribution channels:
--- Report console: select user, or select all users.
--- Email: enter the distribution email address(es), include report as attachment, include link to
report console.
-- On the Finishing Up page, enter values for the following parameters: Report description, the
group the report is shown in, and Run the report now.
-- Click Next to view the report summary.
-- On the Report Summary page, select the tabs available on the summary report to preview your
report configuration.
5.12.3 Brand a report
-- Click the Reports tab.
-- On the navigation menu, click Branding.
-- Click Browse to browse the files that are located on your system.
-- Select the file that contains the logo you want to upload. Click Open.
-- Click Upload Image.
-- Select the logo that you want to use as the default and click Set Default Image.
Branding reports:
To brand reports, you can import logos and specific images. To brand reports with custom
logos, you must upload and configure the logos before you begin using the Report wizard.
Ensure that the graphic you want to use is 144 x 50 pixels with a white background.
To make sure that your browser displays the new logo, clear your browser cache.
Report branding is beneficial for your enterprise if you support more than one logo. When
you upload an image, the image is automatically saved as a Portable Network Graphic
(PNG).
When you upload a new image and set the image as your default, the new default image is
not applied to reports that have been previously generated. Updating the logo on
previously generated reports requires you to manually generate new content from the
report.
If you upload an image that is larger in length than the report header can support, the
image automatically resizes to fit the header; this is approximately 50 pixels in height.
Procedure
• Click the Reports tab.
• On the navigation menu, click Branding.
• Click Browse to browse the files that are located on your system.
• Select the file that contains the logo you want to upload. Click Open.
• Click Upload Image.
• Select the logo that you want to use as the default and click Set Default Image.
Chart types:
When you create a report, you must choose a chart type for each chart you include in your
report.
The chart type determines how the data and network objects appear in your report.
You can use any of the following types of charts:
Report groups:
You can sort reports into functional groups. If you categorize reports into groups, you can
efficiently organize and find reports.
For example, you can view all reports that are related to Payment Card Industry Data
Security Standard (PCIDSS) compliance.
By default, the Reports tab displays the list of all reports; however, you can categorize
reports into groups such as:
• Compliance
• Executive
• Log Sources
• Network Management
• Security
• VoIP
• Other
When you create a new report, you can assign the report to an existing group or create a
new group. You must have administrative access to create, edit, or delete groups.
For more information about user roles, see the IBM® QRadar® Administration Guide.
• Creating a report group
You can create new groups.
• Editing a group
You can edit a report group to change the name or description.
• Sharing report groups
You can share report groups with other users.
• Assign a report to a group
You can use the Assign Groups option to assign a report to another group.
• Copying a report to another group
Use the Copy icon to copy a report to one or more report groups.
• Removing a report
Use the Remove icon to remove a report from a group.
Creating custom reports:
(MENTIONED ABOVE)
Viewing generated reports:
On the Reports tab, an icon is displayed in the Formats column if a report has generated
content. You can click the icon to view the report.
When a report has generated content, the Generated Reports column displays a list box.
The list box displays all generated content, which is organized by the time-stamp of the
report. The most recent reports are displayed at the top of the list. If a report has no
generated content, the None value is displayed in the Generated Reports column.
Icons representing the report format of the generated report are displayed in
the Formats column.
Reports can be generated in PDF, HTML, XML, and XLS formats.
Note: The XML and XLS formats are available only for reports that use a single chart table format
(portrait or landscape).
You can view only the reports to which you have been given access from the administrator.
Administrative users can access all reports.
Procedure
• Click the Reports tab.
• From the list box in the Generated Reports column, select the time-stamp of the report
you want to view.
• Click the icon for the format you want to view.