Use the offense API endpoints as a data source for your widgets.
Before you begin
Your administrator must configure QRadar® Proxy for your account, and you need a
valid authentication token so that you can connect to QRadar.
About this task
Administrators can't create widgets or dashboards for other users, but they can share their own
dashboards with other users.
To query the QRadar
offenses data source (/siem/offenses endpoint), you must have the
Offenses permission. The data that is returned is restricted based on your
security profile.
Procedure
-
Click Configure dashboard.
The Configure dashboard screen displays a library of available widgets,
with details about each widget.
- Click Create new widget.
-
On the New Dashboard Item page, enter a name and a description for the
widget.
-
Select Offense from the data source list in the
Query section, and select the API fields that you want to view in the results
from the Fields list. Use the Filter and
Sort options to fine-tune the results.
For more information about API fields, see the QRadar console API documentation
(https://<ConsoleIPaddress>/api_doc/). The offense API fields are located
in the GET /siem/offenses section.
The following image shows an example of completed API parameters:
Note: In this example, the assigned_to filter must be set to the current user
to retrieve results.
Tip: You can filter by one or more log sources in an offense query. For example, in the
Filter box, enter log_sources CONTAINS (type_name="IBM Trusteer" OR
type_name="CREEvents")
to see only IBM®
Trusteer® or CREEvents log sources.
-
Pick a refresh time for how often you poll the data source.
Choose a refresh rate that is greater than the selected query time. The default refresh
rate is every 5 minutes. The shorter the refresh time, the greater the performance impact on IBM
QRadar.
-
Click Run Query.
When you first create the widget, you can't configure the charts when no data results
are returned. Try making the criteria in the fields less strict and run the query again.
-
Create a view in the Views section.
Because you can create multiple views from the same query, give the view a unique name.
By default, the chart's title and status on the title bar are displayed; to hide them, click the
More options icon and switch the settings to
Off.
-
Select a chart type and complete the corresponding fields for the chart. For use cases to help
you decide which chart type to use, see Widget chart types.
-
Preview how the chart looks and then click Save.
Results
You can edit a widget and save it without rerunning the query. For example, if a
query doesn't return results, such as when the time period isn't long enough to pick up new events,
or if the magnitude or severity value isn't applicable when you run the query, you can save the
widget. If you edit the query, you must run the query again before you can save the widget.
Deleting a widget removes it from all of the dashboards it belongs to. If the deleted dashboard
contains parameters, the parameters are not deleted.