If you have a nonadmin security profile and cannot use global view queries, you must
modify the global view queries on IBM®
QRadar® Network Threat Analytics.
About this task
If global view queries fail, QRadar Network Threat Analytics uses
AQL queries until the app is reloaded. Update the global view saved search queries to prevent global
view queries from failing.
Procedure
-
Log in to the nonadmin security profile that you want global view queries to work on.
Note: These steps need to be done only one time per security profile even if the profile has
multiple users.
- Go to the Network Activity tab and go to Saved Searches by clicking
.
- Find the QRadar Network Threat Analytics global view
queries in the list of available saved searches. The following queries need to be modified to use
the global view query function:
- (Admin) Network Threat Analytics Accumulated By IP
- (Admin) Network Threat Analytics Application Counts
- (Admin) Network Threat Analytics Baselined Traffic
- (Admin) Network Threat Analytics Country Traffic
- For each global view query, complete the following steps:
- Click Load, and then click
Search.
- On the results page, click the settings icon in the upper right of the first chart.
Then change chart type to time series.
- Select any column as in the Value to graph
menu.
- Check the Capture time series data checkbox.
- Click Save to make the global view query available in QRadar Network Threat Analytics for that security
profile.