IBM Support

QRadar: Creating a QRadar Aggregated Data View

Question & Answer


Question

What is an Aggregated Data View (ADV) and how can it be created?

Cause

An Aggregated Data View (ADV) is sometimes needed to help with the following:
  • Decrease the number of global views present on a QRadar deployment.
  • Decrease the amount of CPU time taken by the accumulator process during interval processing.
  • Reduce the amount of disk space consumed by global views on the /store partition.
  • After the ADV is created, Virtual Views can be created that use the ADV data.

Answer

Configuring the Search
Column Definition: The ADV requires that every column needed by your reports (virtual views) is added to "Group By". All of the virtual views that use the ADV must contain exactly the same set of Group By criteria.
Available Columns: The column set chosen is less important than the Filters or "Group By". The Columns are selected from Available Columns, and they can be updated as required by the searches or virtual views that work with the Aggregated Global View (AGV). Going forward, the nonaggregated columns selected from Available Columns are the only criteria that can change.
 
Group By Criteria: When selecting a "Group By", keep in mind that any criterion you want to filter on must also be in the "Group By". For example, to filter on Custom Rule is MyRule, Custom Rule must be a Group By column.
Things to remember when creating the search:
  • The "Group By" criteria selected must be the same as the ADV's; they cannot be changed.
  • All of the filters applied must be contained in the "Group By".
  • You can add more columns to the search, but they cannot be filtered on or selected as a "Group By".
  • The Ariel property "Source or Destination IP" is different from "Source IP" and "Destination IP".
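
The compatibility rules above are easy to get wrong once several virtual views share one ADV, so the following added example (not part of the IBM article, and not a QRadar API) checks a proposed virtual view against an ADV definition before anyone builds it in the console. The ViewSpec class and the column names are constructed for illustration; the three rules it encodes are the ones stated in the article: the Group By set must match the ADV exactly, every filter must reference a Group By column, and extra display columns are allowed but cannot be filtered on or grouped by.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ViewSpec:
    """Hypothetical description of a saved search (an ADV or a virtual view):
    the columns it groups by, the columns its filters reference, and any
    extra display columns. Names are compared exactly, so the Ariel property
    "Source or Destination IP" is a different column from "Source IP"."""
    name: str
    group_by: frozenset
    filters: frozenset = frozenset()
    columns: frozenset = frozenset()


def check_virtual_view(adv: ViewSpec, view: ViewSpec) -> list:
    """Return the reasons why `view` could not be served from `adv`.
    An empty list means the virtual view is compatible with the ADV."""
    problems = []

    # Rule 1: the Group By set must equal the ADV's Group By set.
    missing = sorted(adv.group_by - view.group_by)
    extra = sorted(view.group_by - adv.group_by)
    if missing:
        problems.append(f"{view.name}: Group By is missing ADV columns {missing}")
    if extra:
        problems.append(f"{view.name}: Group By adds columns not in the ADV {extra}")

    # Rule 2 (and 3): filters may only reference Group By columns. A filter on
    # a display-only column would need data the ADV never aggregated.
    for col in sorted(view.filters - view.group_by):
        problems.append(f"{view.name}: filter on '{col}', which is not a Group By column")

    return problems


def compatible_views(adv: ViewSpec, views) -> dict:
    """Map each candidate view name to its list of problems (empty = OK)."""
    return {v.name: check_virtual_view(adv, v) for v in views}


# Constructed sample definitions (not taken from any real deployment).
ADV = ViewSpec(
    name="ADV - Events by Log Source, Rule, Destination",
    group_by=frozenset({"Log Source", "Custom Rule", "Destination IP"}),
    columns=frozenset({"Event Name", "Event Count"}),
)

VIEW_OK = ViewSpec(
    name="Events matching MyRule",
    group_by=ADV.group_by,
    filters=frozenset({"Custom Rule"}),  # filter column is in Group By
    columns=frozenset({"Event Name", "Event Count", "Low Level Category"}),  # extra column is fine
)

VIEW_BAD_FILTER = ViewSpec(
    name="Events from one source host",
    group_by=ADV.group_by,
    filters=frozenset({"Source IP"}),  # not a Group By column
)

VIEW_BAD_GROUP = ViewSpec(
    name="Events by either-end IP",
    # "Source or Destination IP" is a distinct Ariel property, so this Group By
    # does not match the ADV even though it looks similar.
    group_by=frozenset({"Log Source", "Custom Rule", "Source or Destination IP"}),
    filters=frozenset({"Custom Rule"}),
)

if __name__ == "__main__":
    results = compatible_views(ADV, [VIEW_OK, VIEW_BAD_FILTER, VIEW_BAD_GROUP])
    for name, problems in results.items():
        print(("OK" if not problems else "INCOMPATIBLE") + ": " + name)
        for p in problems:
            print("   -", p)
```

Running it reports the first view as compatible and explains why the other two would never be served from the ADV, which is the same outcome you would otherwise only discover after the view had been saved and failed to show aggregated data.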

The following steps can be followed to create the ADV:
  1. Create the Aggregated Data View Search.
    1. Navigate to the Log Activity or Network Activity tabs.
    2. Click Search > New Search.
    3. In the search, specify a Time Range.
    4. Select Recent > Last 5 Minutes.
      Note: The Time Range cannot be streaming.
    5. Scroll to Column Definition.
      Note:  When you modify the columns, the Display type is automatically changed to Custom.
    6. Enter a Name for the Column Layout.
    7. Click Save Column Layout.
    8. Use the arrows to select the Group By criteria from Available Columns.
    9. Select Columns from Available columns.
    10. Select the Filters. For the ADV, unless there is a specific filter that is used in all of its existing searches, leave the Filters empty.
    11. Click Search.
    12. Choose Time Series data. The leftmost chart is a graph that displays the raw events after the search completes.
    13. Click the Green Configure Gear located in the upper right of this graph widget.
    14. Select Chart Type > Time Series.
    15. Click the Capture Time Series Data check box > click Save.
      Note: Repeat this step for all of the "Value to Graph" selections.
    16. Enter the required information in the Save Criteria menu.
      Criteria includes Search Name, Assign Search to Group, Time span options, and Search options.

      Results
      A pop-up menu displays "Your search was saved successfully" and a second one displays "Time Series Configuration update completed". After clicking OK on both menus, your view is complete and your ADV is ready for use.

  2. Creating the Virtual View

    The quickest way to create the search is to:
    1. Click either the Log Activity or Network Activity tabs.
    2. Locate your search under Saved Searches.
    3. Click Load.
    4. Click Edit Search.
    5. Check the required boxes.
    6. Click Search.
    7. After the search is created, test it by clicking the Gear in the graph widget.

      Results
      Time Series data is present and can go back as far as the ADV's creation date.


Document Information

Modified date:
08 November 2022

UID

swg21669183