Creating widgets from a QRadar offenses data source

Use the offense API endpoints as a data source for your widgets.

Before you begin

Your administrator must configure QRadar® Proxy for your account, and you need a valid authentication token so that you can connect to QRadar.

About this task

Administrators can't create widgets or dashboards for other users, but they can share their own dashboards with other users.

To query the QRadar offenses data source (/siem/offenses endpoint), you must have the Offenses permission. The data that is returned is restricted based on your security profile.

Procedure

  1. Click Configure dashboard.

    The Configure dashboard screen displays a library of available widgets, with details about each widget.

  2. Click Create new widget.
  3. On the New Dashboard Item page, enter a name and a description for the widget.
  4. Select Offense from the data source list in the Query section, and select the API fields that you want to view in the results from the Fields list. Use the Filter and Sort options to fine-tune the results.

    For more information about API fields, see the QRadar console API documentation (https://<ConsoleIPaddress>/api_doc/). The offense API fields are located in the GET /siem/offenses section.

    The following image shows an example of completed API parameters:
    [Image: offense API parameters]
    Note: In this example, the assigned_to filter must be set to the current user to retrieve results.
    Tip: You can filter by one or more log sources in an offense query. For example, in the Filter box, enter log_sources CONTAINS (type_name="IBM Trusteer" OR type_name="CREEvents") to see only IBM® Trusteer® or CREEvents log sources.
  5. Pick a refresh time for how often you poll the data source.
    Choose a refresh rate that is greater than the selected query time. The default refresh rate is every 5 minutes. The shorter the refresh time, the greater the performance impact on IBM QRadar.
  6. Click Run Query.
    When you first create the widget, you can't configure charts if the query returns no results. Make the criteria in the fields less strict and run the query again.
  7. Create a view in the Views section.
    Because you can create multiple views from the same query, give the view a unique name. By default, the chart's title and status on the title bar are displayed; to hide them, click the More options icon and switch the settings to Off.
  8. Select a chart type and complete the corresponding fields for the chart. For use cases to help you decide which chart type to use, see Widget chart types.
    Chart type     Instructions
    Bar            Creating a bar chart
    Big Number     Creating a big number chart
    Geographic     Creating a geographic chart
    Pie            Creating a pie chart
    Scatter        Creating a scatter chart
    Tabular        Creating a tabular chart
    Time Series    Creating a time series chart
  9. Preview how the chart looks and then click Save.
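As an added example that is not part of the IBM documentation, the following Python builds the same GET /siem/offenses request a widget query issues (fields, filter and sort, including the assigned_to and log_sources filter from step 4) and checks a constructed response before a chart is configured. The console host, the token value, the API version header value (13.0) and the sample offenses are assumptions, not values from the page.

```python
import json
import urllib.parse
from collections import Counter

API_VERSION = "13.0"  # assumed value for the Version header

def build_offense_request(console, token, fields, filter_expr, sort=None, page=(0, 49)):
    """Return the URL and headers for GET /siem/offenses with the fields, filter
    and sort a widget query uses (nothing is sent). SEC carries the token;
    Range pages the result so a preview does not pull every offense."""
    params = {"fields": ",".join(fields), "filter": filter_expr}
    if sort:
        params["sort"] = sort
    url = "https://%s/api/siem/offenses?%s" % (console, urllib.parse.urlencode(params))
    headers = {"SEC": token, "Version": API_VERSION,
               "Accept": "application/json", "Range": "items=%d-%d" % page}
    return url, headers

def check_assigned_to(offenses, user):
    """True when every offense is assigned to `user` (the filter the example widget needs)."""
    return all(o.get("assigned_to") == user for o in offenses)

def summarize_for_bar_chart(offenses, key):
    """Count offenses per distinct value of `key`, e.g. magnitude, as a bar chart would."""
    return dict(Counter(o.get(key) for o in offenses))

# Constructed sample response body for the example filter (not real QRadar data).
SAMPLE_RESPONSE = json.dumps([
    {"id": 101, "description": "Excessive Firewall Denies", "magnitude": 7,
     "severity": 8, "assigned_to": "analyst1",
     "log_sources": [{"type_name": "CREEvents"}]},
    {"id": 102, "description": "Fraud alert", "magnitude": 5,
     "severity": 6, "assigned_to": "analyst1",
     "log_sources": [{"type_name": "IBM Trusteer"}]},
    {"id": 103, "description": "Account takeover", "magnitude": 7,
     "severity": 9, "assigned_to": "analyst1",
     "log_sources": [{"type_name": "IBM Trusteer"}]},
])

FIELDS = ["id", "description", "magnitude", "severity", "assigned_to", "log_sources"]
FILTER = ('assigned_to="analyst1" AND log_sources CONTAINS '
          '(type_name="IBM Trusteer" OR type_name="CREEvents")')

if __name__ == "__main__":
    url, headers = build_offense_request("console.example.internal", "<SEC-token>",
                                         FIELDS, FILTER, sort="-magnitude")
    print(url)
    offenses = json.loads(SAMPLE_RESPONSE)
    print(check_assigned_to(offenses, "analyst1"), summarize_for_bar_chart(offenses, "magnitude"))
```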

Results

You can edit a widget and save it without rerunning the query. For example, if a query doesn't return results, such as when the time period isn't long enough to pick up new events, or if the magnitude or severity value isn't applicable when you run the query, you can save the widget. If you edit the query, you must run the query again before you can save the widget.

Deleting a widget removes it from all of the dashboards it belongs to. If the deleted dashboard contains parameters, the parameters are not deleted.