Tips and tricks for optimizing your dashboards

You can make the most of the data available in the IBM® QRadar® Pulse dashboards by using the following tips and tricks.

Open in Network Activity

When you triage data in the dashboards, you can uncover issues that require further investigation. To see the data that populated the visualization, click the three dots icon on the upper right of the widget and select Open in Network Activity.

From the Network Activity results set you can filter and sort the data, edit the AQL query, open flow records, and investigate the data as you normally would.

Figure 1. Open in Network Activity

Widget descriptions

Each widget has a description that explains what data is displayed and, if applicable, suggests which MITRE ATT&CK Tactics and Techniques you can look for in the data. To view the description, click the edit icon on the upper right of the widget.

Figure 2. Edit dashboard item

Filtering the data displayed in a widget

In QRadar Pulse widgets that have legends, you can filter the data that is displayed by selecting and deselecting items in the legend. When you triage data in a chart, you can remove and add data that you need for your investigation. To filter data for Pie Charts, Bar Charts, Time Series Charts, and Scatter Plots, click the item in the legend that you want to filter.

Figure 3. Most common applications by session count

Improving performance in large deployments

In deployments that process large volumes of traffic, the QRadar Pulse dashboards can take multiple minutes to fully populate visualizations while the AQL queries are running. If the dashboards are not loading fast enough for your deployment, you can customize them to better suit your environment:

  1. Remove any widgets from the dashboard that aren’t populated in your deployment or don’t fit your use cases. See “Move, resizing and deleting widgets”. Performance can improve when you reduce the number of AQL queries that are running.
  2. If you have specific groupings of widgets that you want to see only at certain times, you can remove the widgets from the main dashboards and add them to a new dashboard. Spreading widgets across multiple dashboards can help limit how many AQL queries need to be run when the dashboard is loaded.

Setting the Overview dashboard as the default dashboard

If you find that you often go directly to the QRadar Network Visibility - Overview dashboard when you open QRadar Pulse, set this dashboard as the default. To set the default dashboard, click the three dots icon on the upper right of the dashboard and select Set As Default.

Figure 4. Set as default