The QRadar User Interface
Many users ask us about shortcuts they can use in the user interface: ways to move around the UI faster and reduce the time it takes to find the information they want. These tips, while only a starting point, aim to help users find quicker paths through the user interface.
If you have any questions about a specific activity, ask in the comments below, and I'll try to come up with a method to help.
Starting QRadar on a specific tab
If you would rather QRadar open on a particular tab by default instead of the Dashboard, you can do this by updating your QRadar console bookmark. Add "?appName=tab" to the end of the bookmark URL, for example "https://qradar.console.address/console/qradar/jsp/QRadar.jsp?appName=ADMIN". Each tab in QRadar has a unique name that can be targeted, including:
- Dashboard (default): appName=DASHBOARD
- Offense Manager: appName=SEM
- Log Activity: appName=EVENTVIEWER
- Network Activity: appName=FLOWVIEWER
- QRM: appName=120
- QVM: appName=130
- Incident Forensics: appName=FORENSICS
- Assets: appName=ASSETS
- Reports: appName=REPORTS
- Admin Tab: appName=ADMIN
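As an added example (not part of the original post and not QRadar code), the helper below rewrites an existing console bookmark so that it opens on the chosen tab. It handles bookmarks that already carry a query string, replaces any existing appName value instead of appending a second one, and refuses non-https URLs since the console should only be reached over TLS. The tab names and the example host "qradar.console.address" are taken from the list above; the dictionary keys used to select a tab are this example's own convention.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# appName values from the post, keyed by a short name chosen for this example.
QRADAR_TABS = {
    "dashboard": "DASHBOARD",
    "offenses": "SEM",
    "log_activity": "EVENTVIEWER",
    "network_activity": "FLOWVIEWER",
    "qrm": "120",
    "qvm": "130",
    "forensics": "FORENSICS",
    "assets": "ASSETS",
    "reports": "REPORTS",
    "admin": "ADMIN",
}


def tab_bookmark(console_url: str, tab: str) -> str:
    """Return console_url with the appName parameter set to the requested tab.

    Any existing appName parameter is dropped before the new one is added, so
    calling this on a bookmark that already targets a tab switches the tab
    rather than producing a URL with two conflicting appName values.
    """
    if tab not in QRADAR_TABS:
        raise ValueError(f"unknown tab {tab!r}; choose one of {sorted(QRADAR_TABS)}")

    parts = urlsplit(console_url)
    if parts.scheme != "https":
        raise ValueError("QRadar console bookmarks should use https")
    if not parts.netloc:
        raise ValueError("bookmark must include the console host name")

    # Keep every other query parameter, replace only appName.
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "appName"]
    query.append(("appName", QRADAR_TABS[tab]))

    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(query), parts.fragment))


if __name__ == "__main__":
    base = "https://qradar.console.address/console/qradar/jsp/QRadar.jsp"
    for name in ("admin", "log_activity", "offenses"):
        print(name, "->", tab_bookmark(base, name))
```

Run it as a script to print a ready-to-paste bookmark for each tab, or import tab_bookmark into a small tool that generates per-team bookmarks.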
Log & Network Activity - Searching
Recent changes in Log & Network Activity have improved how quickly you can add filters to a search, so that you can adjust and refine the amount of information returned in your search results. Some of the options below are new, some have existed for a while:
Right click on Event & Flow properties
In addition to selecting "Add Filter" and choosing a filter to add, you can right-click on values in the search results. This lets you quickly include or exclude records from your search result. The property you filter on depends on the column you click in. For example, you can right-click on a Log Source to display only events from that source, or to filter it out. Similarly, you can right-click on an IP, Port, Application, etc., to display only those records, or to exclude those particular events.
Adjusting the search time window
As of QRadar 7.2.6, options were added in Log & Network Activity that let you quickly increase, decrease, or otherwise adjust the time period of your search. Previously, only "last minutes/hours/days" options were available. Now you can adjust the Start and End times directly, adding as little as a minute if desired.
[Image: viewer - adjust time.png]
Other search-related materials
If you have any additional questions or comments on UI shortcuts, feel free to ask below, and I'll expand on them in this post.