Use the parameters section to filter and scope the data that is displayed on your
dashboard.
Before you begin
Parameters appear within curly braces, as in the following AQL example:
Because curly braces are also used in an AQL statement within a quoted string (a string literal
between quotation marks), you must use a backward slash (\) as an escape character before the
opening curly brace within a quoted string. This syntax ensures that QRadar® Pulse doesn't interpret the quoted string as a
parameter and cause incorrect query results. If you have a backward slash in a quoted string, add an
extra backward slash as the escape character.
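The escaping rule above, as an added Python example that is not part of the QRadar documentation and is not QRadar Pulse's own parser. The function names, the sample query, and the handling of quotation marks are assumptions made for illustration. It escapes literal text for a quoted string and lists which curly-brace tokens remain unescaped and would be read as parameters.

```python
# Added example: models the escaping rule described on this page.
# It is not QRadar Pulse's own parser; the quote handling is an assumption.

def escape_for_quoted_string(text: str) -> str:
    """Prepare literal text for use inside a quoted string in a Pulse AQL query."""
    # Double existing backslashes first, then escape each opening curly brace.
    return text.replace("\\", "\\\\").replace("{", "\\{")


def parameter_names(aql: str) -> list:
    """List the {name} tokens that are left unescaped and so read as parameters."""
    names = []
    quote = None  # the quotation mark that opened the current quoted string
    i = 0
    while i < len(aql):
        ch = aql[i]
        if quote and ch == "\\":
            i += 2  # backslash escape inside a quoted string: skip both characters
            continue
        if ch in "'\"":
            # Close on the matching mark, open when outside, otherwise unchanged.
            quote = None if quote == ch else (quote or ch)
        elif ch == "{":
            end = aql.find("}", i)
            if end == -1:
                break  # unterminated brace: nothing more to report
            names.append(aql[i + 1:end])
            i = end
        i += 1
    return names


# Constructed sample: the field names and the literal are illustrative only.
LITERAL = r"D:\jobs\run{42}.log"
TEMPLATE = ("SELECT sourceip FROM flows WHERE sourceip = '{IP address}' "
            "AND \"Process Path\" = '%s' {AQL Time Criteria}")
UNESCAPED = TEMPLATE % LITERAL
ESCAPED = TEMPLATE % escape_for_quoted_string(LITERAL)

if __name__ == "__main__":
    print(parameter_names(UNESCAPED))  # the literal's {42} shows up as a parameter
    print(parameter_names(ESCAPED))    # only the two intended parameters remain
    print(ESCAPED)
```

Running the check on a query before you save a widget shows whether a brace in a literal would be picked up as an unintended parameter.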
Procedure
- From one of the QRadar Network Visibility
dashboards, click .
The Manage Parameter Values page displays the parameters that are
already created in your workspace. If any of the parameters have default values, they're listed in
the Default value column. The Number of occurrences
column indicates the number of widgets that use each parameter. Hover over the number to see which
widgets use the parameter.
- To set a default value for a parameter, click the More options icon,
enter the default value in the field, and then click Save. Modify the
parameters that are described in the following table:
| Parameter | Description |
| --- | --- |
| AQL Time Criteria | All three dashboards use the AQL Time Criteria parameter. This parameter defaults to “LAST 1 HOURS” and is used to scope the time period that the data is retrieved from. This parameter supports both the “START x STOP y” pattern to specify an absolute time period and the “LAST x” pattern for relative time periods. For more information, see Ariel Query Language Guide (ibm.com/docs/en/SS42VS_7.4/com.ibm.qradar.doc/b_qradar_aql.pdf). Tip: In some deployments, the default value of “LAST 1 HOURS” might not be the optimal time window to populate data. Depending on your requirements, you can make the default value longer or shorter. A larger time window takes longer for the AQL query to run and a shorter window takes less time. |
| Network Filter | The Overview dashboard uses the Network Filter parameter to scope the data on the dashboard to a particular network from the network hierarchy. This parameter defaults to “all”, which combines data from all networks in the environment into a single overview of your entire network. To use this parameter, enter the Network Name as it appears in the Network Hierarchy. |
| Application/Protocol Name | The Application/Protocol Details dashboard uses the Application/Protocol Name parameter to specify which application or protocol (layer 4 to layer 7) you want to view data for. If you drill down to this dashboard from another dashboard, then this parameter is autofilled with the application or protocol that you drill down on. The Application/Protocol Name parameter supports the application names that are seen in the Network Activity tab and the layer 4 protocols as provided by the PROTOCOLNAME AQL function (for example, TCP, UDP, ICMP, and IPv6ICMP). If you have QRadar Network Insights, the layer 5 - 7 protocol values are provided by the “protocol name” field (for example, HTTP or SMB). This parameter supports fuzzy matching; parameters are case-insensitive and support partial name matching. |
| IP address | The IP Details dashboard uses the IP address parameter to specify the IP address you want to investigate further. If you drill down to this dashboard from another dashboard, then this parameter is autofilled with the IP address that you drill down on. This parameter supports only IPv4 addresses and does not support CIDRs. |
Important:
- This action sets the default value for every widget that uses the parameter, and the
Parameters card automatically updates. Alternatively, you can add a value for
the parameter in specific widgets.
- When you change the default value for a parameter, you're changing the value everywhere the
parameter is used in your workspace, except in expanded or pinned dashboards and widgets. If you
don't set the value as the default value, the updated change applies only to the current session.
However, if you set the value as the default, the current session value also uses that value.
- The predefined SYSTEM:username parameter
returns the username of the user who is logged in. System parameters are read only and you cannot
change the default value.
- The predefined SYSTEM:accountId parameter returns
the account ID of the user who is logged in. System parameters are read only and you cannot change
the default value.
- To add a parameter to your workspace, click Add, give the parameter a
name and default value, and then click Save.
- Before you delete a parameter, check that it doesn't belong to any widgets by hovering over the
number to see the names of widgets that use the parameter. After you remove the parameter from those
widgets, then you can click Delete.
- Click Back to Dashboard to return to the main view and continue your
work.