Configuring QRadar Event and Flow Exporter

  1. On the Admin tab, click Apps > Event and Flow Exporter.
  2. Paste the token string into the SEC Token field.
  3. Set the retention policy for how many files to save for each query saved in the app. The default value is 5.
  4. Click Set configuration.
  5. Configure your email server to receive notifications when a query completes:
    1. Enter the email server Host IP and port number.
    2. Enable or disable TLS according to your email server configuration.
    3. Enter the email server administrator email ID and password.
    4. Select an attachment size.
    5. Click Configure email server.
    When you receive an email, you can click the embedded links to open the result files and download them if necessary.
    Important: This process might fail if you can't access IBM QRadar from your current network.
A success message is displayed when the app is successfully configured.
Tip: If the Event and Flow Exporter tab doesn't appear automatically, go to the main menu and select the star next to the app name to add it.
Workflow for using AQL queries to generate results