Topic
  • 4 replies
  • Latest Post - ‏2016-04-19T16:27:12Z by dwight s (IBM)
dwight s (IBM)
19 Posts

Pinned topic QRadar UI FAQ

‏2016-03-30T19:10:53Z |

The QRadar User Interface

Many users often ask us about shortcuts they can use in the user interface, ways to speed up their moving around in the UI, to try to reduce the time to find the information they want.  These tips, while just starting, aim to help users find quicker ways through the user interface.

If you have any questions about a specific activity, ask it in the comments below, and I'll try to come up with a method to help.


Starting QRadar on a specific tab

If a user is interested in loading a particular tab by default in QRadar, rather than the dashboard, this is possible by updating your QRadar console bookmark.  To do this, add "?appName=tab" to the end of your bookmark, for example "https://qradar.console.address/console/qradar/jsp/QRadar.jsp?appName=ADMIN".  Each tab in QRadar has a unique name that can be targeted, including:

  • Dashboard (default): appName=DASHBOARD
  • Offense Manager: appName=SEM
  • Log Activity: appName=EVENTVIEWER
  • Network Activity: appName=FLOWVIEWER
  • QRM: appName=120
  • QVM: appName=130
  • Incident Forensics: appName=FORENSICS
  • Assets: appName=ASSETS
  • Reports: appName=REPORTS
  • Admin Tab: appName=ADMIN

 


 

Log & Network Activity - Searching

Recent changes in Log & Network activity have improved how quickly you can add filters to your search, so that you can adjust & refine the amount of information you are getting in your search results.  Some of the below are new, some are existing:

  • Right click on Event & Flow properties
    In addition to selecting "Add Filter" and choosing a filter to add, you can right click on values in the search results.  This lets you quickly include/exclude records from your search result.  The property you are filtering on also depends on the column you click in. For example, you can right click on a Log Source, to filter & display only that source, or filter it out.  Similarly, you can right click on an IP, Port, Application, etc., to filter & display only those records, or exclude those particular events.
     
  • Adjusting search Time window
    As of QRadar 7.2.6, options were added in Log & Network Activity that quickly allow you to increase/decrease/adjust the time period of your search.  For example, previously, only options for "last minutes/hours/days" were available.  Now, you can choose to adjust the Start & End times directly, adding as little as a minute if desired.
     
  • Other Search related materials

 

If you have any additional questions or comments on UI shortcuts, feel free to ask below, and I'll expand them in this post.

thanks!
dwight s. 

  • MikeParkes
    12 Posts

    Re: QRadar UI FAQ

    ‏2016-04-19T09:14:01Z  

    Hi Dwight

    Can you start in the Admin tab and, if so, what is the appName value?

     

    Thanks
    Mike

  • dwight s (IBM)
    19 Posts

    Re: QRadar UI FAQ

    ‏2016-04-19T13:11:12Z  

    Hi Mike... 

    oops! indeed you can, thanks for pointing out my omission!  just tried it and "appName=ADMIN" worked.

    dwight

  • MikeParkes
    12 Posts

    Re: QRadar UI FAQ

    ‏2016-04-19T13:49:31Z  

    Thanks Dwight, I confess that I guessed it might be...

    The thought occurs to me that with the addition of the range of apps it might be useful if a user could log on directly to that product/app.

    For example, we have been playing with the Exabeam app and I could see a benefit for a user to be able to log on directly to their UI.

     

    Regards

    Mike

  • dwight s (IBM)
    19 Posts

    Re: QRadar UI FAQ

    ‏2016-04-19T16:27:12Z  

    I would agree with that idea, whole-heartedly, Mike.  I think we have an open request for it, but it's not currently on the roadmap/schedule.  This was also prior to the new application options as well.  To be honest, if you want to log a request for enhancement at the RFE site for the idea, that would probably push it along!

    https://www.ibm.com/developerworks/rfe/?BRAND_ID=301

    dwight s.